Regarding OSSEC monitoring:
I also wrote a decoder for active responses being executed. To make
it work, you have to configure ossec to monitor /var/ossec/logs/active-responses.log on agents and the server.
<!-- decoder for active responses as logged by an OSSEC agent or server
Examples:
 Sat Feb 20 01:37:44 CET 2010 /var/ossec/active-response/bin/host-deny.sh add - 192.168.74.204 1266626262.2106252 5706
 Sat Feb 20 01:48:14 CET 2010 /var/ossec/active-response/bin/host-deny.sh delete - 192.168.74.204 1266626262.2106252 5706
Extracts:
 - name of AR script as 'action'
 - type of action (add/delete) as 'status'
 - source IP as 'srcip'
 - OSSEC alert id of the AR as 'id'
The timestamp is not extracted, and its format depends on the locale and
timezone of the host (CET vs. CEST, English or German weekday names), so
the decoder anchors on the fixed script directory instead of on the date.
-->
<decoder name="ar_log">
  <prematch>/var/ossec/active-response/bin/</prematch>
  <regex offset="after_prematch">^(\S+) (\S+) - (\S+) (\d+.\d+) \d+</regex>
  <order>action, status, srcip, id</order>
</decoder>
Not sure if all the decoded fields make sense.
Here are some rules for that decoder:
<rule id="101010" level="3">
  <options>alert_by_email</options>
  <decoded_as>ar_log</decoded_as>
  <group>active_response_notification</group>
  <action>firewall-drop.sh</action>
  <status>add</status>
  <description>Active response firewall-drop.sh was run, host blocked</description>
</rule>
<rule id="101011" level="3">
  <options>alert_by_email</options>
  <decoded_as>ar_log</decoded_as>
  <group>active_response_notification</group>
  <action>firewall-drop.sh</action>
  <status>delete</status>
  <description>Active response firewall-drop.sh was run, host unblocked</description>
</rule>
<rule id="101012" level="3">
  <options>alert_by_email</options>
  <decoded_as>ar_log</decoded_as>
  <group>active_response_notification</group>
  <action>host-deny.sh</action>
  <status>add</status>
  <description>Active response host-deny.sh was run, host added to hosts.deny</description>
</rule>
<rule id="101013" level="3">
  <options>alert_by_email</options>
  <decoded_as>ar_log</decoded_as>
  <group>active_response_notification</group>
  <action>host-deny.sh</action>
  <status>delete</status>
  <description>Active response host-deny.sh was run, host removed from hosts.deny</description>
</rule>
I set granular e-mail notifications to e-mail these alerts to a
network admin who is not that involved in security, so he can find out
whether ossec is responsible for access problems.
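To check offline what the decoder extracts from a line and which of the rules above would fire on it, here is an added Python reimplementation of the same parse (my code, not OSSEC's os_regex engine; the sample lines other than the two from the decoder comment, including 10.0.0.5 and the restart-ossec.sh entry, are constructed):

```python
import re
from typing import Dict, Optional

# Mirrors the ar_log decoder above (a Python re, not OSSEC's os_regex).
# The date prefix is not captured; anchoring on the fixed script directory
# means English (Sat Feb 20), German (Sa 20. Feb) and CET/CEST stamps all decode.
AR_LINE = re.compile(
    r"/var/ossec/active-response/bin/(?P<action>\S+) (?P<status>\S+) - "
    r"(?P<srcip>\S+) (?P<id>\d+\.\d+) (?P<rule_id>\d+)\s*$"
)

# (action, status) -> rule id from the rules above. Any other AR script
# decodes but fires no rule, which is what to watch for when adding scripts.
RULES = {
    ("firewall-drop.sh", "add"): 101010,
    ("firewall-drop.sh", "delete"): 101011,
    ("host-deny.sh", "add"): 101012,
    ("host-deny.sh", "delete"): 101013,
}

def decode(line: str) -> Optional[Dict[str, str]]:
    """Return the fields the decoder extracts, or None if the line does not decode."""
    m = AR_LINE.search(line)
    if not m:
        return None
    return {k: m.group(k) for k in ("action", "status", "srcip", "id")}

def matching_rule(line: str) -> Optional[int]:
    """Rule id that would fire for this line, or None (not decoded or no rule)."""
    fields = decode(line)
    if fields is None:
        return None
    return RULES.get((fields["action"], fields["status"]))

# Constructed sample lines in the shape of active-responses.log entries.
SAMPLE_LOG = [
    "Sat Feb 20 01:37:44 CET 2010 /var/ossec/active-response/bin/host-deny.sh add - 192.168.74.204 1266626262.2106252 5706",
    "Sa 20. Feb 01:48:14 CET 2010 /var/ossec/active-response/bin/host-deny.sh delete - 192.168.74.204 1266626262.2106252 5706",
    "Sun Aug 15 20:41:00 CEST 2010 /var/ossec/active-response/bin/firewall-drop.sh add - 10.0.0.5 1281897660.12345 5712",
    "Sun Aug 15 20:41:00 CEST 2010 /var/ossec/active-response/bin/restart-ossec.sh add - - 1281897660.12346 5712",
    "2010/08/15 20:41:00 ossec-execd: INFO: Started (pid: 1234).",
]

if __name__ == "__main__":
    for line in SAMPLE_LOG:
        print(matching_rule(line), decode(line))
```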
On Aug 15, 8:41 pm, "dan (ddp)" <[email protected]> wrote:
> On Sat, Aug 14, 2010 at 4:37 AM, ItsMikeE <[email protected]> wrote:
> > Nothing unusual in ossec.log
> > I have a few days off now, so it will be a while before I can try the
> > debug mode
>
> Cool, let us know.
> Also, try taking out the overlap from the syscheck configurations.
>
> 1. <directories check_all="yes">/var/ossec/bin</directories>
> 2. <directories check_all="yes">/var/ossec/etc</directories>
> 3. <directories check_perm="yes" check_owner="yes"
> check_group="yes">/var/ossec</directories>
>
> 3 overlaps 1 & 2. So either remove #3 entirely (for testing) or make
> it more specific:
> <directories check_perm="yes" check_owner="yes"
> check_group="yes">/var/ossec/active-response,/var/ossec/agentless,/var/ossec/rules,etc.
>
> I don't know if that could be causing the problem, but it might be worth
> trying.