Hi
I have the following configuration for active response, configured as follows:
<command>
<name>firewall_drop</name>
<executable>firewall-drop.sh</executable>
<expect>srcip</expect>
<timeout_allowed>yes</timeout_allowed>
</command>
<active-response>
<command>firewall_drop</command>
<location>local</location>
<rules_group>spam,multiple_spam,invalid_login,authentication_failed,authentication_failures</rules_group>
<timeout>14400</timeout>
</active-response>
One agent is on a Zimbra mail server and the other on a gateway
accepting authenticated ssh connections with certificates. I hoped to
block ssh brute force attacks, smtp relay ... (obviously I have fed the
whitelist).
When I have the alert (to test, I can open a connection from the outside
on port 25 to my mail server's public IP address):
** Alert 1287333792.1772757: - syslog,postfix,spam,
2010 Oct 17 18:43:12 (sx-mail) any->/var/log/mail.info
Rule: 3302 (level 6) -> 'Rejected by access list (Requested action not taken).'
Src IP: 85.68.23.2
User: (none)
No active response ???
In postfix_rules.xml I have the following:
<group name="syslog,postfix,">
<rule id="3300" level="0">
...
<rule id="3302" level="6">
<if_sid>3300</if_sid>
<group>spam,</group>
...
Same thing with this alert when I try an ssh connection from the
outside to my gateway:
** Alert 1287333426.1763013: - syslog,sshd,invalid_login,authentication_failed,
2010 Oct 17 18:37:06 (sx-gateway) 192.168.2.199->/var/log/auth.log
Rule: 5710 (level 5) -> 'Attempt to login using a non-existent user'
Src IP: 212.234.8.12
User: (none)
with, in sshd_rules.xml:
<group name="syslog,sshd,">
<rule id="5700" level="0" noalert="1">
...
<rule id="5710" level="5">
<if_sid>5700</if_sid>
<group>invalid_login,authentication_failed,</group>
...
If I modify my ossec.conf, remove <rules_group> and put
<rules_id>=3302,5710</rules_id> instead, it works!!!
Where is my misconfiguration?
Thanks in advance to everybody.
Best regards.
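As an added illustration (not part of the original post or of OSSEC itself), the following Python script parses the two alerts quoted above and reports which selector, rules_id or rules_group, would select each of them. The matching model is a deliberate simplification (exact id match, set intersection on groups) for checking what one would expect the configuration to do; it is an assumption, not OSSEC's own matching code.

```python
import re

# Constructed sample: the two alerts quoted in the post, one record each.
ALERTS = """\
** Alert 1287333792.1772757: - syslog,postfix,spam,
2010 Oct 17 18:43:12 (sx-mail) any->/var/log/mail.info
Rule: 3302 (level 6) -> 'Rejected by access list (Requested action not taken).'
Src IP: 85.68.23.2
User: (none)

** Alert 1287333426.1763013: - syslog,sshd,invalid_login,authentication_failed,
2010 Oct 17 18:37:06 (sx-gateway) 192.168.2.199->/var/log/auth.log
Rule: 5710 (level 5) -> 'Attempt to login using a non-existent user'
Src IP: 212.234.8.12
User: (none)
"""

# The two selectors from the post's <active-response> block.
AR_RULES_GROUP = "spam,multiple_spam,invalid_login,authentication_failed,authentication_failures"
AR_RULES_ID = "3302,5710"

HEADER = re.compile(r"^\*\* Alert (\d+\.\d+): - (.*)$")
RULE = re.compile(r"^Rule: (\d+) \(level (\d+)\) -> '(.*)'$")
SRCIP = re.compile(r"^Src IP: (\S+)$")

def parse_alerts(text):
    """Split alerts.log-style text into dicts: ts, groups, rule_id, level, desc, srcip."""
    alerts, cur = [], None
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            # The group list ends with a trailing comma; drop the empty item.
            cur = {"ts": m.group(1), "groups": [g for g in m.group(2).split(",") if g]}
            alerts.append(cur)
            continue
        if cur is None:
            continue
        m = RULE.match(line)
        if m:
            cur["rule_id"], cur["level"], cur["desc"] = int(m.group(1)), int(m.group(2)), m.group(3)
        m = SRCIP.match(line)
        if m:
            cur["srcip"] = m.group(1)
    return alerts

def ar_matches(alert, rules_id="", rules_group=""):
    """Return the selector that would bind the active response to this alert, or None.
    Assumption (simplified model, not OSSEC's implementation): rules_id is an exact
    id match, rules_group is a set intersection with the alert's group list."""
    if rules_id and alert["rule_id"] in {int(x) for x in rules_id.split(",") if x}:
        return "rules_id"
    if rules_group and set(alert["groups"]) & {g for g in rules_group.split(",") if g}:
        return "rules_group"
    return None
```

Under this model both alerts would be selected by rules_group as well as by rules_id, which is why the observed behaviour is worth checking against the exact group string the rule engine sees, not just the groups printed in the alert.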