I'm testing active response on a Windows server and it's not working as
expected.
I have this in my ossec.conf
  <command>
    <name>win_nullroute</name>
    <executable>route-null.cmd</executable>
    <expect>srcip</expect>
    <timeout_allowed>yes</timeout_allowed>
  </command>

  <active-response>
    <command>win_nullroute</command>
    <location>local</location>
    <rules_id>100044</rules_id>
    <timeout>600</timeout>
  </active-response>
I have this in my local rules:
  <rule id="100044" level="14">
    <if_sid>31100</if_sid>
    <regex>teststring1010101</regex>
    <description>active response</description>
  </rule>
I restarted both the agent and the server.
I can run agent_control and it works fine:

  /var/ossec/bin/agent_control -b 1.3.4.26 -f win_nullroute600 -u 012

Then, on the agent, I can see in the logs:

  04/01/2010 02:40 "active-response/bin/route-null.cmd" add "-" "1.3.4.26" "(from_the_server) (no_rule_id)"
But if I try to trigger the rule on the client on which the agent is
installed by passing this:

  2010-04-01 18:40:24 W3SVC13 IND-WEBAP1T-NL2 172.16.2.182 GET /teststring1010101/- 80 - x.x.x.x HTTP/1.1 Mozilla/4.0+(compatible;+MSIE+8.0;+Windows+NT+6.0;+Trident/4.0;+SLCC1;+.NET+CLR+2.0.50727;+.NET+CLR+3.0.30729;+.NET+CLR+3.5.30729;+.NET+CLR+1.1.4322) - x.x.x.x 404 0 2

the decoder and rule seem to work, but the active response fails to
trigger. I get an email but nothing else happens. When I run the same log
through ossec-logtest I get:
  **Phase 1: Completed pre-decoding.
         full event: '2010-04-01 18:40:24 W3SVC13 IND-WEBAP1T-NL2 172.16.2.182 GET /teststring1010101/- 80 - x.x.x.x HTTP/1.1 Mozilla/4.0+(compatible;+MSIE+8.0;+Windows+NT+6.0;+Trident/4.0;+SLCC1;+.NET+CLR+2.0.50727;+.NET+CLR+3.0.30729;+.NET+CLR+3.5.30729;+.NET+CLR+1.1.4322) - x.x.x.x 404 0 2 '
         hostname: 'ossec'
         program_name: '(null)'
         log: '2010-04-01 18:40:24 W3SVC13 IND-WEBAP1T-NL2 172.16.2.182 GET /teststring1010101/- 80 - x.x.x.x HTTP/1.1 Mozilla/4.0+(compatible;+MSIE+8.0;+Windows+NT+6.0;+Trident/4.0;+SLCC1;+.NET+CLR+2.0.50727;+.NET+CLR+3.0.30729;+.NET+CLR+3.5.30729;+.NET+CLR+1.1.4322) - x.x.x.x 404 0 2 '

  **Phase 2: Completed decoding.
         decoder: 'windows-date-format'
         url: '/teststring1010101/ -'
         srcip: 'x.x.x.x'
         id: '404'

  **Rule debugging:
      Trying rule: 4 - Generic template for all web rules.
         *Rule 4 matched.
         *Trying child rules.
      Trying rule: 31100 - Access log messages grouped.
         *Rule 31100 matched.
         *Trying child rules.
      Trying rule: 100044 - active response
         *Rule 100044 matched.

  **Phase 3: Completed filtering (rules).
         Rule id: '100044'
         Level: '14'
         Description: 'active response'
  **Alert to be generated.
But no active response is sent to the client.
To verify this, I even ran tcpdump: the agent_control test sent a UDP
packet, but the access attempt did not.
Suggestions?
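The following is an added example, not code from the post or from OSSEC: a small Python cross-check of the `<command>` / `<active-response>` / `<rule>` fragments quoted above. It verifies the things that must line up before ossec-analysisd will consider firing a response at all: that the `<active-response>` names a defined `<command>`, that every `<rules_id>` exists in the local rules, that a `<timeout>` is only used with a command that sets `<timeout_allowed>yes</timeout_allowed>`, and that every field the command `<expect>`s (here `srcip`) is actually decoded from the event, since OSSEC skips a response whose expected field is missing from the alert. The fragments are wrapped in root elements so that ElementTree can parse them, and the set of decoded fields is taken from the ossec-logtest output in the post; both wrappers and the `check_config` function are assumptions of this example, and the checks are ordinary consistency checks, not a reproduction of analysisd's own logic.

```python
"""Cross-check an OSSEC active-response configuration against local rules.

Constructed example: the config and rule fragments below are copied from the
post and wrapped in root elements (<ossec_config>, <group>) so ElementTree can
parse them. The checks are plain consistency checks and not an OSSEC API.
"""
import xml.etree.ElementTree as ET

OSSEC_CONF = """<ossec_config>
<command>
<name>win_nullroute</name>
<executable>route-null.cmd</executable>
<expect>srcip</expect>
<timeout_allowed>yes</timeout_allowed>
</command>
<active-response>
<command>win_nullroute</command>
<location>local</location>
<rules_id>100044</rules_id>
<timeout>600</timeout>
</active-response>
</ossec_config>"""

LOCAL_RULES = """<group name="local">
<rule id="100044" level="14">
<if_sid>31100</if_sid>
<regex>teststring1010101</regex>
<description>active response</description>
</rule>
</group>"""

# Fields ossec-logtest decoded from the sample IIS event in the post.
DECODED_FIELDS = {"url", "srcip", "id"}


def _csv(text):
    """Split a comma-separated element body into a list of stripped values."""
    return [v.strip() for v in (text or "").split(",") if v.strip()]


def parse_commands(conf_xml):
    """Map each <command> name to its executable, expected fields and timeout flag."""
    root = ET.fromstring(conf_xml)
    cmds = {}
    for c in root.findall("command"):
        cmds[c.findtext("name")] = {
            "executable": c.findtext("executable"),
            "expect": _csv(c.findtext("expect")),
            "timeout_allowed": (c.findtext("timeout_allowed") or "no").strip().lower() == "yes",
        }
    return cmds


def parse_active_responses(conf_xml):
    """Return one dict per <active-response> block."""
    root = ET.fromstring(conf_xml)
    return [
        {
            "command": ar.findtext("command"),
            "location": ar.findtext("location"),
            "rules_id": _csv(ar.findtext("rules_id")),
            "timeout": int(ar.findtext("timeout") or 0),
        }
        for ar in root.findall("active-response")
    ]


def parse_rule_ids(rules_xml):
    """Collect every <rule id="..."> defined in a rules file."""
    return {r.get("id") for r in ET.fromstring(rules_xml).iter("rule")}


def check_config(conf_xml, rules_xml, decoded_fields):
    """Return a list of problems; an empty list means every reference lines up."""
    problems = []
    cmds = parse_commands(conf_xml)
    rule_ids = parse_rule_ids(rules_xml)
    for ar in parse_active_responses(conf_xml):
        cmd = cmds.get(ar["command"])
        if cmd is None:
            problems.append(f"active-response refers to undefined command {ar['command']!r}")
            continue
        for rid in ar["rules_id"]:
            if rid not in rule_ids:
                problems.append(f"rules_id {rid} not found in local rules")
        if ar["timeout"] and not cmd["timeout_allowed"]:
            problems.append(f"command {ar['command']!r} has a timeout but timeout_allowed is not yes")
        for field in cmd["expect"]:
            if field not in decoded_fields:
                problems.append(f"command {ar['command']!r} expects {field!r} but the event does not decode it")
    return problems


if __name__ == "__main__":
    for p in check_config(OSSEC_CONF, LOCAL_RULES, DECODED_FIELDS) or ["no problems found"]:
        print(p)
```

For the fragments in the post the check reports nothing, which only says that the references are consistent with each other; it does not reproduce the agent-side conditions (the script being present under active-response/bin on the agent, or active response being enabled in the agent's own ossec.conf) that the server-side configuration cannot show.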