Hi,

All processes are running. ossec.log on server and agent are correct. I'll try the debug mode and the modified rules_group this evening; I'll give you the result tomorrow.

Anticipated thanks.
Best regards.

On 17 oct, 20:34, "dan (ddp)" <[email protected]> wrote:
> On Sun, Oct 17, 2010 at 1:19 PM, tux3132 <[email protected]> wrote:
> > Hi
> >
> > I have the following configuration for active response configured as
> > following:
> >
> > <command>
> > <name>firewall_drop</name>
> > <executable>firewall-drop.sh</executable>
> > <expect>srcip</expect>
> > <timeout_allowed>yes</timeout_allowed>
> > </command>
> >
> > <active-response>
> > <command>firewall_drop</command>
> > <location>local</location>
> > <rules_group>spam,multiple_spam,invalid_login,authentication_failed,authentication_failures</rules_group>
> > <timeout>14400</timeout>
> > </active-response>
> >
> > One agent is on a Zimbra mail server and the other on a gateway
> > accepting authenticated ssh connections with certificate. I hoped to
> > block ssh brute force attacks, smtp relay ... (obviously I have fed the
> > white list).
> >
> > When I have the alert (to test I can run a connection from the outside
> > on port 25 to my mail server public IP address):
> >
> > ** Alert 1287333792.1772757: - syslog,postfix,spam,
> > 2010 Oct 17 18:43:12 (sx-mail) any->/var/log/mail.info
> > Rule: 3302 (level 6) -> 'Rejected by access list (Requested action not taken).'
> > Src IP: 85.68.23.2
> > User: (none)
> >
> > No active response???
> >
> > In postfix_rules.xml I have all the same:
> > <group name="syslog,postfix,">
> > <rule id="3300" level="0">
> > ...
> > <rule id="3302" level="6">
> > <if_sid>3300</if_sid>
> > <group>spam,</group>
> > ...
> >
> > Same thing with this alert when I try an ssh connection from the
> > outside to my gateway:
> >
> > ** Alert 1287333426.1763013: - syslog,sshd,invalid_login,authentication_failed,
> > 2010 Oct 17 18:37:06 (sx-gateway) 192.168.2.199->/var/log/auth.log
> > Rule: 5710 (level 5) -> 'Attempt to login using a non-existent user'
> > Src IP: 212.234.8.12
> > User: (none)
> >
> > with in sshd_rules.xml
> > <group name="syslog,sshd,">
> > <rule id="5700" level="0" noalert="1">
> > ...
> > <rule id="5710" level="5">
> > <if_sid>5700</if_sid>
> > <group>invalid_login,authentication_failed,</group>
> > ...
> >
> > I modified my ossec.conf: I removed <rules_group> and put
> > <rules_id>3302,5710</rules_id> and it's working!!!
> >
> > Where is my misconfiguration?
> >
> > Anticipated thanks to everybody.
> >
> > Best regards.
>
> Have you tried just 1 <rules_group> instead of the comma separated
> list? Is ossec-execd running? Anything in ossec.log on the agent or
> manager that might help track this down? Also try running execd and
> agentd in debug mode on the agent you're trying to set off the AR on.

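To make the three outcomes discussed in this thread concrete (the comma-separated <rules_group> not firing, <rules_id>3302,5710</rules_id> firing, and the reply's suggestion of a single <rules_group> value per block), here is an added Python model; it is not code from the thread or from OSSEC, and it assumes that the whole <rules_group> value is matched as one substring of the alert's group string rather than split on commas.

```python
# Added example, not code from the thread or from OSSEC itself. It models the
# matching behaviour implied by the thread under one labelled ASSUMPTION: the
# whole <rules_group> value is treated as a single pattern and matched as a
# substring of the alert's group string, while <rules_id> is a comma-separated
# list of exact rule ids.

def alert_groups(file_groups: str, own_groups: str) -> str:
    """Group string as printed on the alert line: the <group name> of the
    rules file followed by the rule's own <group>, e.g. 'syslog,postfix,spam,'."""
    return file_groups + own_groups


def ar_fires(ar: dict, rule_id: str, groups: str) -> bool:
    """Would this <active-response> block fire for the given alert?"""
    if ar.get("rules_id"):
        ids = {i.strip() for i in ar["rules_id"].split(",")}
        if rule_id not in ids:
            return False
    if ar.get("rules_group"):
        # ASSUMPTION: single-pattern substring match, no splitting on commas
        if ar["rules_group"] not in groups:
            return False
    return True


def one_block_per_group(ar: dict) -> list:
    """Rewrite a comma-separated <rules_group> into one block per group,
    i.e. the reply's suggestion of a single <rules_group> value per block."""
    base = {k: v for k, v in ar.items() if k != "rules_group"}
    return [dict(base, rules_group=g.strip())
            for g in ar["rules_group"].split(",") if g.strip()]


def evaluate(blocks: list, alerts: dict) -> dict:
    """Map each alert's rule id to True if any block fires for it."""
    return {rid: any(ar_fires(b, rid, grp) for b in blocks)
            for rid, grp in alerts.items()}


# The two alerts quoted in the thread (rule id -> group string)
ALERTS = {
    "3302": alert_groups("syslog,postfix,", "spam,"),
    "5710": alert_groups("syslog,sshd,", "invalid_login,authentication_failed,"),
}
COMMA_LIST = {"command": "firewall_drop", "rules_group":
              "spam,multiple_spam,invalid_login,authentication_failed,authentication_failures"}
BY_ID = {"command": "firewall_drop", "rules_id": "3302,5710"}

if __name__ == "__main__":
    print("comma list:", evaluate([COMMA_LIST], ALERTS))  # nothing fires
    print("rules_id  :", evaluate([BY_ID], ALERTS))       # both fire
    print("split     :", evaluate(one_block_per_group(COMMA_LIST), ALERTS))
```

Under this assumption the comma-separated value fires for neither alert because the full string is never a substring of either group list, while one block per group fires for both; checking ossec.log with execd in debug mode, as suggested in the reply, is the way to confirm which decision the daemon actually took.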