Hello,
The use of the <disabled> tag in the 4th active response in my
ossec.conf file stopped processing of the 5th active response and
disabled all active responses.
<active-response>
<!-- This response is going to execute the host-deny
- command on all agents for every event that fires a rule with
- level (severity) >= 6.
- The IP is going to be blocked for 600 seconds.
-->
<disabled>no</disabled>
<command>host-deny</command>
<location>all</location>
<level>6</level>
<timeout>600</timeout>
</active-response>
<active-response>
<!-- This response is going to execute the host-deny
- command on the OSSEC server for every event that fires a rule with
- level (severity) >= 6.
- The IP is going to be blocked for 600 seconds.
-->
<disabled>no</disabled>
<command>host-deny</command>
<location>server</location>
<level>6</level>
<timeout>600</timeout>
</active-response>
<active-response>
<!-- Firewall Drop response. Block the IP for
- 600 seconds on the firewall (iptables,
- ipfilter, etc) for all agents.
-->
<disabled>no</disabled>
<command>firewall-drop</command>
<location>all</location>
<level>6</level>
<timeout>600</timeout>
</active-response>
<active-response>
<!-- Firewall Drop response. Block the IP for
- 600 seconds on the firewall (iptables,
- ipfilter, etc) for all agents.
-->
<disabled>yes</disabled>
<command>firewall-drop-mac</command>
<location>all</location>
<level>6</level>
<timeout>600</timeout>
</active-response>
<active-response>
<!-- Firewall Drop response. Block the IP for
- 600 seconds on the firewall (iptables,
- ipfilter, etc) on the OSSEC server.
-->
<disabled>no</disabled>
<command>firewall-drop</command>
<location>server</location>
<level>6</level>
<timeout>600</timeout>
</active-response>
Here's what ar.conf looked like on server and agent hosts:
restart-ossec0 - restart-ossec.sh - 0
restart-ossec0 - restart-ossec.cmd - 0
host-deny600 - host-deny.sh - 600
host-deny600 - host-deny.sh - 600
firewall-drop600 - firewall-drop.sh - 600
You can see that the last two active responses are missing entirely.
If I launch an ssh attack against any agent host, active response
seems to be entirely disabled. The alerts are there, but despite the
fact that they are level 6 or above, no active response is launched,
not even the host-deny600 responses.
If I change <disabled> to no in the 4th active response and restart
the server here's what ar.conf looks like on server and agent hosts:
restart-ossec0 - restart-ossec.sh - 0
restart-ossec0 - restart-ossec.cmd - 0
host-deny600 - host-deny.sh - 600
host-deny600 - host-deny.sh - 600
firewall-drop600 - firewall-drop.sh - 600
firewall-drop-mac600 - ipfw_mac.sh - 600
firewall-drop600 - firewall-drop.sh - 600
If I launch an ssh attack against any agent host, active response
works properly and the host-deny, firewall-drop and ipfw_mac scripts
are launched.
Unless I have misunderstood the use of the <disabled> tag, this
appears to be a bug in the processing of the active responses in the
ossec.conf file.
Trevor
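As an added example (not code from the post above and not part of OSSEC itself), the following Python script performs the check the report describes by hand: it derives the ar.conf entries that each enabled <active-response> block should produce and reports any that are absent from the ar.conf the server actually generated. Two things are assumed: the entry name is the command name with the timeout appended (as the listings in the post show), and the command-to-script mapping is read off those same listings rather than from the <command> blocks a real ossec.conf would contain. The sample ossec.conf and ar.conf contents are constructed from the post.

```python
"""Compare the <active-response> blocks in ossec.conf with the ar.conf that
OSSEC generated, and list enabled responses that did not make it through.
Added example; assumptions are marked in comments."""
from collections import Counter
import xml.etree.ElementTree as ET

# Constructed sample: the five <active-response> blocks from the post, wrapped in a
# synthetic <root> so ElementTree can parse them as one document.  XML comments are
# tolerated (ElementTree drops them), as they are in the real file.
OSSEC_CONF = """<root>
<active-response>
  <!-- host-deny on all agents -->
  <disabled>no</disabled><command>host-deny</command>
  <location>all</location><level>6</level><timeout>600</timeout>
</active-response>
<active-response>
  <disabled>no</disabled><command>host-deny</command>
  <location>server</location><level>6</level><timeout>600</timeout>
</active-response>
<active-response>
  <disabled>no</disabled><command>firewall-drop</command>
  <location>all</location><level>6</level><timeout>600</timeout>
</active-response>
<active-response>
  <disabled>yes</disabled><command>firewall-drop-mac</command>
  <location>all</location><level>6</level><timeout>600</timeout>
</active-response>
<active-response>
  <disabled>no</disabled><command>firewall-drop</command>
  <location>server</location><level>6</level><timeout>600</timeout>
</active-response>
</root>"""

# Same configuration with the fourth response enabled (the post's second run).
OSSEC_CONF_ALL_ENABLED = OSSEC_CONF.replace(
    "<disabled>yes</disabled>", "<disabled>no</disabled>")

# Constructed ar.conf contents, copied from the two listings in the post.
AR_CONF_WITH_DISABLED_ENTRY = """\
restart-ossec0 - restart-ossec.sh - 0
restart-ossec0 - restart-ossec.cmd - 0
host-deny600 - host-deny.sh - 600
host-deny600 - host-deny.sh - 600
firewall-drop600 - firewall-drop.sh - 600
"""
AR_CONF_ALL_ENABLED = AR_CONF_WITH_DISABLED_ENTRY + """\
firewall-drop-mac600 - ipfw_mac.sh - 600
firewall-drop600 - firewall-drop.sh - 600
"""

# ASSUMPTION: command name -> executable, read off the ar.conf listings in the post.
# In a real deployment this comes from the <command> blocks of ossec.conf.
COMMAND_SCRIPTS = {
    "host-deny": "host-deny.sh",
    "firewall-drop": "firewall-drop.sh",
    "firewall-drop-mac": "ipfw_mac.sh",
}


def expected_ar_lines(conf_xml, scripts=COMMAND_SCRIPTS):
    """Return the ar.conf lines every enabled <active-response> should yield,
    in configuration order.  Disabled blocks are skipped, matching what the
    <disabled> tag is documented to do."""
    root = ET.fromstring(conf_xml)
    lines = []
    for ar in root.iter("active-response"):
        if ar.findtext("disabled", "no").strip().lower() == "yes":
            continue
        command = ar.findtext("command", "").strip()
        timeout = ar.findtext("timeout", "0").strip()
        # ASSUMPTION: entry name is command + timeout, e.g. "host-deny600".
        lines.append(f"{command}{timeout} - {scripts[command]} - {timeout}")
    return lines


def parse_ar_conf(text):
    """Split an ar.conf file into its non-empty, stripped lines."""
    return [ln.strip() for ln in text.splitlines() if ln.strip()]


def missing_responses(conf_xml, ar_conf_text, scripts=COMMAND_SCRIPTS):
    """Expected ar.conf lines (with multiplicity) that the generated file lacks.
    Multiplicity matters: two responses with the same command and timeout
    produce two identical lines, as the host-deny600 pair in the post shows."""
    want = Counter(expected_ar_lines(conf_xml, scripts))
    have = Counter(parse_ar_conf(ar_conf_text))
    return list((want - have).elements())


if __name__ == "__main__":
    for label, conf, ar in (
        ("4th response disabled", OSSEC_CONF, AR_CONF_WITH_DISABLED_ENTRY),
        ("all responses enabled", OSSEC_CONF_ALL_ENABLED, AR_CONF_ALL_ENABLED),
    ):
        gone = missing_responses(conf, ar)
        print(f"{label}: {'OK' if not gone else 'MISSING ' + '; '.join(gone)}")
```

Run against the first listing, the script reports the fifth response (the second firewall-drop600 line) as missing, which is the symptom in the post; against the second listing it reports nothing. Running the same comparison after every ossec.conf change and restart is a cheap way to notice that an active response silently dropped out before an attack reveals it.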