Hi, maybe I have found the problem. I read in another post that if OSSEC finds the XML tag <disabled> in the active-response conf, it does not analyze the tag's content (yes or no) and deactivates all the active responses, so I deleted the <disabled> tag in my conf and now active response works.

Hope this helps you,
Ciano

On 30 Apr, 14:09, mathias1104 <[email protected]> wrote:
> This is really a pity.
> Are we the only ones? I think there are a lot of server/agent
> installations with active responses.
> What could be the reason?
> OS is openSuse 10.3 64Bit except one agent which is openSuse 10.2
> 32Bit.
> Ossec Vers. 2.0
>
> If there is no solution, I think I'm forced to go back to a local (non
> server/agent) installation on each server.
>
> Mathias
>
> On Apr 22, 9:21 am, cianop <[email protected]> wrote:
> > I tried all the options, all, server, local, but it doesn't work.
> >
> > L
> >
> > On 21 Apr, 19:09, "Larry Rider Bou" <[email protected]> wrote:
> > > Hello,
> > >
> > > As I said previously on this thread, try the following change
> > > because it worked for me.
> > >
> > > Change in your ossec configuration file the following line:
> > >
> > > <location>local</location>
> > >
> > > With:
> > >
> > > <location>all</location>
> > >
> > > And tell us if it works.
> > >
> > > Regards,
> > > Larry A. Rider
> > >
> > > -----Original Message-----
> > > From: [email protected] [mailto:[email protected]] On
> > > behalf of cianop
> > > Sent: Tuesday, 21 April 2009 14:26
> > > To: ossec-list
> > > Subject: [ossec-list] Re: active-response doesn't work
> > >
> > > I'm sorry but I have no idea, I tried all that you have tried, but it
> > > didn't work. Maybe it could be an operating system problem or linked to
> > > the C library or C compiler. But this is out of my knowledge, and it
> > > should be the OSSEC team to answer, if they want... or better if we
> > > pay... It would be very nice to know which version of Linux kernel,
> > > gcc, libstdc... are better and work.
> > >
> > > Luciano
> > >
> > > On 16 Apr, 13:59, mathias1104 <[email protected]> wrote:
> > > > Hi,
> > > > I've a problem that looks similar.
> > > > One Server, 4 Agents.
> > > > Everything works fine, only active responses don't work.
> > > > Also if I try
> > > > agent_control -u 004 -b 1.2.3.4 -f host-deny600
> > > > it works, but if I simulate a brute force attack on the same agent, I
> > > > receive a message with level 10 - so far, so good, but active response
> > > > doesn't work.
> > > > So the communication between agent and server seems ok, but the server
> > > > doesn't initiate the active response.
> > > > Any idea what's wrong?
> > > >
> > > > <command>
> > > > <name>host-deny</name>
> > > > <executable>host-deny.sh</executable>
> > > > <expect>srcip</expect>
> > > > <timeout_allowed>yes</timeout_allowed>
> > > > </command>
> > > >
> > > > <active-response>
> > > > <disabled>no</disabled>
> > > > <!-- This response is going to execute the host-deny
> > > > - command for every event that fires a rule with
> > > > - level (severity) >= 6.
> > > > - The IP is going to be blocked for 600 seconds.
> > > > -->
> > > > <command>host-deny</command>
> > > > <location>local</location>
> > > > <level>6</level>
> > > > <timeout>600</timeout>
> > > > </active-response>
> > > >
> > > > On Mar 31, 4:09 pm, "Larry Rider Bou" <[email protected]> wrote:
> > > > > Hello,
> > > > >
> > > > > I posted a bug that was not solved with the same problem.
> > > > >
> > > > > If instead of:
> > > > >
> > > > > > > <active-response>
> > > > > > > <!-- This response is going to execute the host-deny
> > > > > > > - command for every event that fires a rule with
> > > > > > > - level (severity) >= 6.
> > > > > > > - The IP is going to be blocked for 600 seconds.
> > > > > > > -->
> > > > > > > <command>host-deny</command>
> > > > > > > <location>local</location> --> Does not work.
> > > > > > > <level>6</level>
> > > > > > > <timeout>600</timeout>
> > > > > > > </active-response>
> > > > >
> > > > > You write: (Change local for all) it will work. (It does for
> > > > > me)
> > > > >
> > > > > > > <active-response>
> > > > > > > <!-- This response is going to execute the host-deny
> > > > > > > - command for every event that fires a rule with
> > > > > > > - level (severity) >= 6.
> > > > > > > - The IP is going to be blocked for 600 seconds.
> > > > > > > -->
> > > > > > > <command>host-deny</command>
> > > > > > > <location>all</location> --> does work
> > > > > > > <level>6</level>
> > > > > > > <timeout>600</timeout>
> > > > > > > </active-response>
> > > > >
> > > > > Regards,
> > > > > Larry A. Rider
> > > > >
> > > > > -----Original Message-----
> > > > > From: [email protected] [mailto:[email protected]]
> > > > > On behalf of cianop
> > > > > Sent: Tuesday, 31 March 2009 12:25
> > > > > To: ossec-list
> > > > > Subject: [ossec-list] Re: active-response doesn't work
> > > > >
> > > > > I also tried to run the same command on the agent 000 (the server) but
> > > > > it doesn't work: no line added to hosts.deny, no active-response.log
> > > > >
> > > > > Luciano
> > > > >
> > > > > On 25 Mar, 15:31, Daniel Cid <[email protected]> wrote:
> > > > > > Hi,
> > > > > >
> > > > > > Did you check for the file /var/ossec/logs/active-responses.log on
> > > > > > the agent? You configured
> > > > > > the response to run on the agent side, not on the manager. Also, it
> > > > > > will timeout and remove
> > > > > > the block after 10 minutes (for the first entry, not yours)....
> > > > > >
> > > > > > A good way to test is to run the command agent_control:
> > > > > >
> > > > > > # /var/ossec/bin/agent_control -L
> > > > > >
> > > > > > OSSEC HIDS agent_control. Available active responses:
> > > > > >
> > > > > > Response name: host-deny600, command: host-deny.sh
> > > > > > Response name: host-deny600, command: host-deny.sh
> > > > > > Response name: firewall-drop600, command: firewall-drop.sh
> > > > > > Response name: win_nullroute600, command: route-null.cmd
> > > > > >
> > > > > > # /var/ossec/bin/agent_control -u 200 -b 1.2.3.4 -f firewall-drop600
> > > > > >
> > > > > > OSSEC HIDS agent_control: Running active response 'firewall-drop600'
> > > > > > on: 200
> > > > > >
> > > > > > The second command will block the ip 1.2.3.4 on the agent 200 using
> > > > > > firewall-drop600...
> > > > > >
> > > > > > Hope it helps.
> > > > > >
> > > > > > --
> > > > > > Daniel B. Cid
> > > > > > dcid ( at ) ossec.net
> > > > > >
> > > > > > On Wed, Mar 4, 2009 at 5:40 AM, cianop
> > > > > > <[email protected]> wrote:
> > > > > > > Thank you for your interest, I already posted all the
> > > > > > > configuration in
> > > > > > > a previous post, anyway, following there is the last notification
> > > > > > > (brute force on ftp server):
> > > > > > >
> > > > > > > Received From: (maia) 192.168.0.11->/var/log/vsftpd.log
> > > > > > > Rule: 11451 fired (level 10) -> "FTP brute force (multiple failed
> > > > > > > logins)."
> > > > > > > Portion of the log(s):
> > > > > > >
> > > > > > > Tue Mar 3 08:57:45 2009 [pid 7809] [tsinternetusers] FAIL LOGIN:
> > > > > > > Client "221.4.205.132"
> > > > > > > Tue Mar 3 08:57:44 2009 [pid 7809] [tsinternetusers] FAIL LOGIN:
> > > > > > > Client "221.4.205.132"
> > > > > > > Tue Mar 3 08:57:43 2009 [pid 7809] [tsinternetusers] FAIL LOGIN:
> > > > > > > Client "221.4.205.132"
> > > > > > > Tue Mar 3 08:57:42 2009 [pid 7809] [tsinternetusers] FAIL LOGIN:
> > > > > > > Client "221.4.205.132"
> > > > > > > Tue Mar 3 08:57:41 2009 [pid 7809] [tsinternetusers] FAIL LOGIN:
> > > > > > > Client "221.4.205.132"
> > > > > > > Tue Mar 3 08:57:40 2009 [pid 7809] [tsinternetusers] FAIL LOGIN:
> > > > > > > Client "221.4.205.132"
> > > > > > > Tue Mar 3 08:57:39 2009 [pid 7809] [tsinternetusers] FAIL LOGIN:
> > > > > > > Client "221.4.205.132"
> > > > > > >
> > > > > > > I got the email alert without problem also for level 12. I have
> > > > > > > checked for the log file but there isn't one (active-
> > > > > > > responses.log). In alerts.log I found the same email alert. I
> > > > > > > have 1
> > > > > > > ossec server and 4 agents, the alert came from an agent.
> > > > > > >
> > > > > > > Here the active-response part of ossec.conf:
> > > > > > >
> > > > > > > <command>
> > > > > > > <name>host-deny</name>
> > > > > > > <executable>host-deny.sh</executable>
> > > > > > > <expect>srcip</expect>
> > > > > > > <timeout_allowed>yes</timeout_allowed>
> > > > > > > </command>
> > > > > > >
> > > > > > > <!-- Active Response Config -->
> > > > > > > <active-response>
> > > > > > > <!-- This response is going to execute the host-deny
> > > > > > > - command for every event that fires a rule with
> > > > > > > - level (severity) >= 6.
> > > > > > > - The IP is going to be blocked for 600 seconds.
> > > > > > > -->
> > > > > > > <command>host-deny</command>
> > > > > > > <location>local</location>
> > > > > > > <level>6</level>
> > > > > > > <timeout>600</timeout>
> > > > > > > </active-response>
> > > > > > >
> > > > > > > I disabled the firewall drop by adding the relative tag
> > > > > > >
> > > > > > > <active-response>
> > > > > > > <!-- Firewall Drop response. Block the IP for
> > > > > > > - 600 seconds on the firewall (iptables,
> > > > > > > - ipfilter, etc).
> > > > > > > -->
> > > > > > > <disabled>yes</disabled>
> > > > > > > <command>firewall-drop</command>
> > > > > > > <location>local</location>
> > > > > > > <level>6</level>
> > > > > > > <timeout>600</timeout>
> > > > > > > </active-response>
> > > > > > >
> > > > > > > Here the directory permissions on agent and server:
> > > > > > >
> > > > > > > dr-xr-x--- 3 root ossec 4096 Feb 10 14:58 active-response
> > > > > > > dr-xr-x--- 2 root ossec 4096 Feb 10 14:58 bin
> > > > > > > dr-xr-x--- 3 root ossec 4096 Feb 18 12:35 etc
> > > > > > > drwxr-x--- 2 ossec ossec 4096 Mar 4 09:24 logs
> > > > > > > dr-xr-x--- 6 root ossec 4096 Feb 10 14:58 queue
> > > > > > > dr-xr-x--- 3 root ossec 4096 Feb 18 12:35 var
> > > > > > >
> > > > > > > /var/ossec/active-response# ls -l
> > > > > > > total 4
> > > > > > > dr-xr-x--- 2 root ossec 4096 Mar 2 11:25 bin
> > > > > > >
> > > > > > > /var/ossec/active-response/bin# ls -l
> > > > > > > total 32
> > > > > > > -rwxr-xr-x 1 root ossec 1711 Jan 6 2007 disable-account.sh
> > ...
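The thread's conclusion is that on OSSEC 2.0 the mere presence of a <disabled> element inside an <active-response> block turned every active response off, whatever its value, and that the posted blocks also differed only in <location>. The following linter is an added example written for this page, not code from OSSEC or from any of the posters: it parses the active-response section of an ossec.conf, flags any <disabled> element, checks that each block references a defined <command>, uses a <location> value OSSEC documents (local, server, defined-agent, all; defined-agent needs an <agent_id>), has a trigger (<level>, <rules_id> or <rules_group>) and only sets <timeout> when the command allows it, and then produces a repaired copy with the <disabled> elements gone. The sample configuration is constructed from the blocks quoted above; the firewall-drop <command> definition is assumed, as it was not shown in the thread.

```python
"""Lint and repair the active-response section of an OSSEC ossec.conf.

Added example for this thread; not code from OSSEC or from any poster.
"""
import xml.etree.ElementTree as ET

# <location> values OSSEC documents; "defined-agent" additionally needs <agent_id>.
VALID_LOCATIONS = {"local", "server", "defined-agent", "all"}

# Constructed sample, built from the blocks posted in the thread. The
# firewall-drop <command> definition is assumed (it was not quoted).
SAMPLE_CONF = """<ossec_config>
  <command><name>host-deny</name><executable>host-deny.sh</executable>
    <expect>srcip</expect><timeout_allowed>yes</timeout_allowed></command>
  <command><name>firewall-drop</name><executable>firewall-drop.sh</executable>
    <expect>srcip</expect><timeout_allowed>yes</timeout_allowed></command>
  <active-response>
    <disabled>no</disabled>
    <command>host-deny</command>
    <location>local</location>
    <level>6</level>
    <timeout>600</timeout>
  </active-response>
  <active-response>
    <disabled>yes</disabled>
    <command>firewall-drop</command>
    <location>local</location>
    <level>6</level>
    <timeout>600</timeout>
  </active-response>
</ossec_config>"""


def _parse(text):
    # A real ossec.conf may hold several top-level <ossec_config> elements,
    # which is not one well-formed document, so wrap them in a dummy root.
    return ET.fromstring("<root>" + text + "</root>")


def lint_active_response(text):
    """Return a list of (severity, message) findings; an empty list means clean."""
    root = _parse(text)
    findings = []
    # Command definitions are <command> children of <ossec_config>; the
    # <command> inside <active-response> is only a reference by name.
    defined = {}
    for cmd in root.findall("ossec_config/command"):
        name = cmd.findtext("name")
        if not name:
            findings.append(("error", "<command> definition without a <name>"))
        else:
            defined[name] = cmd
    for i, ar in enumerate(root.findall("ossec_config/active-response"), 1):
        tag = "active-response #%d" % i
        disabled = ar.find("disabled")
        if disabled is not None:
            findings.append(("error", "%s: <disabled>%s</disabled> present; on OSSEC 2.0 "
                             "this element switched off all active responses whatever "
                             "its value, so remove it" % (tag, disabled.text)))
        name = ar.findtext("command")
        if name not in defined:
            findings.append(("error", "%s: references undefined command %r" % (tag, name)))
        loc = ar.findtext("location")
        if loc not in VALID_LOCATIONS:
            findings.append(("error", "%s: invalid <location> %r" % (tag, loc)))
        elif loc == "defined-agent" and not ar.findtext("agent_id"):
            findings.append(("error", "%s: defined-agent needs an <agent_id>" % tag))
        if not any(ar.findtext(t) for t in ("level", "rules_id", "rules_group")):
            findings.append(("error", "%s: no <level>, <rules_id> or <rules_group> trigger" % tag))
        if ar.findtext("timeout") and name in defined \
                and defined[name].findtext("timeout_allowed") != "yes":
            findings.append(("error", "%s: <timeout> set but command %r lacks "
                             "<timeout_allowed>yes</timeout_allowed>" % (tag, name)))
    return findings


def fix_active_response(text):
    """Return the config with every <disabled> element removed.

    A block that carried <disabled>yes</disabled> is dropped entirely, so the
    operator's intent (keep that response off) survives; a block that carried
    <disabled>no</disabled> just loses the element. Comments and formatting
    are not preserved, so review the output before installing it.
    """
    root = _parse(text)
    for cfg in root.findall("ossec_config"):
        for ar in list(cfg.findall("active-response")):
            disabled = ar.find("disabled")
            if disabled is None:
                continue
            if (disabled.text or "").strip().lower() == "yes":
                cfg.remove(ar)
            else:
                ar.remove(disabled)
    return "".join(ET.tostring(cfg, encoding="unicode") for cfg in root)


if __name__ == "__main__":
    for severity, msg in lint_active_response(SAMPLE_CONF):
        print(severity, msg)
    print(fix_active_response(SAMPLE_CONF))
```

Run it against the real file with `lint_active_response(open("/var/ossec/etc/ossec.conf").read())`; the parser silently drops XML comments, so the commented blocks from the default configuration do not interfere, but a comment containing `--` is invalid XML and will raise before any check runs. After applying the fix, Daniel Cid's `agent_control -L` / `agent_control -u <id> -b <ip> -f <response>` check from the thread remains the quickest way to confirm the manager actually dispatches the response.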
