*On the server:*
*ossec.conf*
<!-- fragment of ossec.conf (goes inside <ossec_config>); "host-deny" is the
     stock <command> definition, which expects srcip -->
<active-response>
  <command>host-deny</command>
  <!-- local: run the script on the agent that produced the alert -->
  <location>local</location>
  <rules_id>100055</rules_id>
  <timeout>600</timeout>
</active-response>
*local_rules.xml*
<rule id="100055" level="14">
  <decoded_as>ssh-invalid_user</decoded_as>
  <!-- plain substring match: only the "Failed none for invalid user" form fires this rule -->
  <match>none</match>
  <description>SSHD invalid username detected.</description>
</rule>
*local_decoder.xml*
<decoder name="ssh-invalid_user">
  <prematch>Failed \S+ for invalid user </prematch>
  <!-- the trailing space in the regex is significant -->
  <regex>(\S+) from (\S+) </regex>
  <order>user, srcip</order>
</decoder>
*Resulting alert notification received:*
OSSEC HIDS Notification.
2010 Nov 04 07:01:08
Received From: xxxx->xxxx
Rule: 100055 fired (level 14) -> "SSHD invalid username detected."
Portion of the log(s):
sshd[21306]: Failed none for invalid user dsfghbdfgd from xxxx port 63135 ssh2
--END OF NOTIFICATION
As you can see, the decoder works, the rule works, the alert is sent, and the
OSSEC server seems to attempt AR, but nothing is ever actually sent to the
agent that I can see.
On Thu, Nov 4, 2010 at 3:07 PM, Chad Robertson <[email protected]> wrote:
> No. That's the problem. The server doesn't send the client any
> network traffic to tell it that it should run host-deny.sh.
>
How is the AR configured?
> -----Original Message-----
> From: dan (ddp) [mailto:[email protected]]
> Sent: Thursday, November 04, 2010 2:27 PM
> To: [email protected]
> Subject: Re: [ossec-list] active response
>
> Is the AR firing on the agent?
>
> On Thu, Nov 4, 2010 at 12:57 PM, Chad Robertson <[email protected]> wrote:
>
>> I have a problem getting active response to work between systems. I
>> will paste the tcpdumps from both the server and the client when
>> triggering an AR rule.
>>
>> 08:32:58.458874 IP (tos 0x0, ttl 63, id 17222, offset 0, flags [DF],
>> proto UDP (17), length 165) client1.42292 > server1.1514: UDP, length 137
>>
>> 08:33:08.204204 IP (tos 0x0, ttl 63, id 0, offset 0, flags [DF], proto
>> UDP (17), length 77) server1.syslog > client1.syslog: [udp sum ok] SYSLOG, length: 49
>>
>> 08:33:08.206321 IP (tos 0x0, ttl 63, id 0, offset 0, flags [DF], proto
>> UDP (17), length 109) server1.syslog > client1.syslog: SYSLOG, length: 81
>>
>> And on the client:
>>
>> 07:30:27.865707 IP (tos 0x0, ttl 64, id 17222, offset 0, flags [DF],
>> proto UDP (17), length 165)
>>
>> 07:30:37.610266 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto
>> UDP (17), length 77)
>>
>> 07:30:37.612503 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto
>> UDP (17), length 109)
>>
>> The server then throws the AR response:
>>
>> Thu Nov 4 08:33:08 EDT 2010
>> /var/ossec/active-response/bin/host-deny.sh add - x.x.x.x
>> 1288873988.634831 100055
>>
>> But I don't see any network activity as a result.
>
>
>
>
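The decoder and rule posted at the top of this thread, exercised in Python as an added example (this is not OSSEC's code and is not from any message in the thread): it decodes constructed sshd lines the way the ssh-invalid_user decoder would, applies rule 100055, and builds the argument vector host-deny.sh receives, in the `add - <srcip> <alert id> <rule id>` shape seen in the quoted AR log. The addresses, PIDs and the alert id are made up.

```python
"""Added example, not OSSEC code and not from any post in this thread.

Re-implements the posted ssh-invalid_user decoder and rule 100055 in
Python, runs them over constructed sshd log lines, and builds the argv
that /var/ossec/active-response/bin/host-deny.sh receives, in the form
shown in the AR log quoted in the thread: add - <srcip> <alert id> <rule id>.
"""
import re

# The posted decoder, translated from OSSEC regex to Python re. \S+ means
# the same in both, and the trailing space inside <regex> is significant.
PREMATCH = re.compile(r"Failed \S+ for invalid user ")
REGEX = re.compile(r"(\S+) from (\S+) ")
ORDER = ("user", "srcip")

# The posted rule: <match>none</match> is a plain substring match, so only
# the "Failed none for invalid user" form of the sshd message fires it.
RULE_ID = 100055
RULE_MATCH = "none"

HOST_DENY = "/var/ossec/active-response/bin/host-deny.sh"


def decode(log):
    """Apply the decoder; return {'user', 'srcip'} or None if it does not match."""
    if not PREMATCH.search(log):
        return None
    m = REGEX.search(log)  # no offset attribute on <regex>: it sees the whole line
    if not m:
        return None
    return dict(zip(ORDER, m.groups()))


def rule_fires(log, fields):
    """Rule 100055: decoded_as ssh-invalid_user AND the line contains 'none'."""
    return fields is not None and RULE_MATCH in log


def ar_argv(srcip, alert_id, rule_id=RULE_ID):
    """Argument vector OSSEC hands to host-deny.sh: action, user, srcip, alert id, rule id.

    The user slot is '-' because the stock host-deny <command> expects only
    srcip, which is why the thread's AR log reads 'add - x.x.x.x ...'.
    """
    return [HOST_DENY, "add", "-", srcip, alert_id, str(rule_id)]


def process(log, alert_id):
    """Decode one line; return the host-deny argv if rule 100055 fires, else None."""
    fields = decode(log)
    if not rule_fires(log, fields):
        return None
    return ar_argv(fields["srcip"], alert_id)


# Constructed sample lines (PIDs, users, addresses and the alert id are made up;
# 192.0.2.0/24 is documentation address space).
SAMPLE_LOGS = [
    "sshd[21306]: Failed none for invalid user dsfghbdfgd from 192.0.2.10 port 63135 ssh2",
    "sshd[21307]: Failed password for invalid user admin from 192.0.2.11 port 50122 ssh2",
    "sshd[21308]: Accepted publickey for alice from 192.0.2.12 port 40000 ssh2",
]
ALERT_ID = "1288873988.634831"

if __name__ == "__main__":
    for log in SAMPLE_LOGS:
        argv = process(log, ALERT_ID)
        print(log)
        print("   ->", " ".join(argv) if argv else "no active response")
```

Running it produces the host-deny argv for the first line only. The second line is decoded (user and srcip come out), but rule 100055 does not fire because the line has no literal "none" in it; the third line never passes the prematch. That is the point at which to check a decoder/rule pair before looking at why the AR message itself is not reaching the agent.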