On Sun, Oct 17, 2010 at 1:19 PM, tux3132 <[email protected]> wrote:
> Hi
>
> I have the following configuration for active response configured as
> following :
>
> <command>
> <name>firewall_drop</name>
> <executable>firewall-drop.sh</executable>
> <expect>srcip</expect>
> <timeout_allowed>yes</timeout_allowed>
> </command>
>
> <active-response>
> <command>firewall_drop</command>
> <location>local</location>
>
> <rules_group>spam,multiple_spam,invalid_login,authentication_failed,authentication_failures</
> rules_group>
> <timeout>14400</timeout>
> </active-response>
>
> One agent is on a Zimbra mail server and the other on a gateway
> accepting authenticated ssh connections with certificate. I hoped to
> block ssh brute force attacks, smtp relay ... (obviously I have fed the
> white list).
>
> When I have the alert (to test I can run a connection from the outside
> on port 25 to my mail server public IP address)
>
> ** Alert 1287333792.1772757: - syslog,postfix,spam,
> 2010 Oct 17 18:43:12 (sx-mail) any->/var/log/mail.info
> Rule: 3302 (level 6) -> 'Rejected by access list (Requested action not
> taken).'
> Src IP: 85.68.23.2
> User: (none)
>
> No active response ???
>
> in postfix_rules.xml I have all the same :
> <group name="syslog,postfix,">
> <rule id="3300" level="0">
> ...
> <rule id="3302" level="6">
> <if_sid>3300</if_sid>
> <group>spam,</group>
> ...
>
> Same thing with this alert when I try an ssh connection from the
> outside to my gateway :
>
> ** Alert 1287333426.1763013: -
> syslog,sshd,invalid_login,authentication_failed,
> 2010 Oct 17 18:37:06 (sx-gateway) 192.168.2.199->/var/log/auth.log
> Rule: 5710 (level 5) -> 'Attempt to login using a non-existent user'
> Src IP: 212.234.8.12
> User: (none)
>
> with in sshd_rules.xml
> <group name="syslog,sshd,">
> <rule id="5700" level="0" noalert="1">
> ...
> <rule id="5710" level="5">
> <if_sid>5700</if_sid>
> <group>invalid_login,authentication_failed,</group>
> ...
>
> I modified my ossec.conf: I removed <rules_group> and I put
> <rules_id>=3302,5710</rules_id> and it's working !!!
>
> Where is my misconfiguration ?
>
> Anticipated thanks to everybody.
>
> Best regards.
>
Have you tried just 1 <rules_group> instead of the comma separated list? Is ossec-execd running? Anything in ossec.log on the agent or manager that might help track this down? Also try running execd and agentd in debug mode on the agent you're trying to set off the AR on.
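To check a <rules_group> or <rules_id> setting against the alerts quoted above without waiting for a real hit, here is an added Python example; it is not OSSEC's own matching code, and it assumes an alert matches when any of its header groups, or its rule id, appears in the configured list (the two alert headers are reconstructed from the thread, with the wrapped second header joined onto one line):

```python
"""Simulate which alerts.log entries an <active-response> block would act on.

Assumed matching rule (not taken from OSSEC source): an alert matches if any
group on its "** Alert" header line is listed in rules_group, or if its rule
id is listed in rules_id.
"""
import re

# Constructed sample: the two alerts from the thread, as they appear in alerts.log.
ALERTS = """\
** Alert 1287333792.1772757: - syslog,postfix,spam,
2010 Oct 17 18:43:12 (sx-mail) any->/var/log/mail.info
Rule: 3302 (level 6) -> 'Rejected by access list (Requested action not taken).'
Src IP: 85.68.23.2
User: (none)

** Alert 1287333426.1763013: - syslog,sshd,invalid_login,authentication_failed,
2010 Oct 17 18:37:06 (sx-gateway) 192.168.2.199->/var/log/auth.log
Rule: 5710 (level 5) -> 'Attempt to login using a non-existent user'
Src IP: 212.234.8.12
User: (none)
"""

HEADER_RE = re.compile(r"^\*\* Alert \S+: - (?P<groups>\S*)$")
RULE_RE = re.compile(r"^Rule: (?P<id>\d+) \(level (?P<level>\d+)\)")
SRCIP_RE = re.compile(r"^Src IP: (?P<ip>\S+)$")


def parse_alerts(text):
    """Split an alerts.log excerpt into dicts with groups, rule id, level, srcip."""
    alerts = []
    for block in text.strip().split("\n\n"):
        alert = {"groups": set(), "id": None, "level": None, "srcip": None}
        for line in block.splitlines():
            if m := HEADER_RE.match(line):
                # Groups are comma separated with a trailing comma; drop the empty item.
                alert["groups"] = {g for g in m["groups"].split(",") if g}
            elif m := RULE_RE.match(line):
                alert["id"], alert["level"] = int(m["id"]), int(m["level"])
            elif m := SRCIP_RE.match(line):
                alert["srcip"] = m["ip"]
        alerts.append(alert)
    return alerts


def matching_alerts(alerts, rules_group=None, rules_id=None):
    """Return (rule id, src ip) pairs the AR block would hand to firewall-drop.sh."""
    wanted_groups = {g for g in (rules_group or "").split(",") if g}
    wanted_ids = {int(i) for i in (rules_id or "").split(",") if i}
    return [(a["id"], a["srcip"]) for a in alerts
            if a["groups"] & wanted_groups or a["id"] in wanted_ids]
```

Feeding it the thread's full rules_group list and its rules_id list gives the same two hits, so if the real AR differs, the parser on the manager side, not the group names, is the place to look (ossec.log and execd in debug mode, as suggested above).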
