I'm not sure you need the <disabled>no</disabled> inside the
<active-response> block.

For those that don't want to look them up:
  <!-- 5716 is OSSEC's "SSHD authentication failed" rule; 5720 fires on repeated
       matches of it from one source IP within the default timeframe -->
  <rule id="5720" level="10" frequency="6">
    <if_matched_sid>5716</if_matched_sid>
    <same_source_ip />
    <description>Multiple SSHD authentication failures.</description>
    <group>authentication_failures,</group>
  </rule>

  <!-- 5710 is OSSEC's "Attempt to login using a non-existent user" rule; 5712
       fires on repeated matches from one source IP within 120 s, then ignores
       that source for 60 s -->
  <rule id="5712" level="10" frequency="6" timeframe="120" ignore="60">
    <if_matched_sid>5710</if_matched_sid>
    <description>SSHD brute force trying to get access to </description>
    <description>the system.</description>
    <same_source_ip />
    <group>authentication_failures,</group>
  </rule>

I've had these working in the past, haven't looked to see if they've
fired recently.

On Tue, Feb 22, 2011 at 6:04 PM, jplee3 <[email protected]> wrote:
> Okay, so I was able to get 5720 to fire consistently. But now I'm
> having issues with AR working (again). This time the server is getting
> the alerts from the OSSEC agent (as normal) and it is in fact firing
> 5720:
>
> ** Alert 1298415206.1338076638: mail  -
> syslog,sshd,authentication_failures,
> 2011 Feb 22 14:53:26 (irprinfssh1) X.X.X.X->/var/log/secure
> Rule: 5720 (level 10) -> 'Multiple SSHD authentication failures.'
> Src IP: X.X.X.X
> User: jlee
> Feb 22 14:53:25 irprinfssh1 sshd[9503]: Failed password for jlee from
> X.X.X.X port 31903 ssh2
> Feb 22 14:53:23 irprinfssh1 sshd[9503]: Failed password for jlee from
> X.X.X.X port 31903 ssh2
> Feb 22 14:53:13 irprinfssh1 sshd[9470]: Failed password for jlee from
> X.X.X.X port 5118 ssh2
>
>
>
> The AR/command in ossec.conf is as follows:
>
>  <command>
>    <name>route-null</name>
>    <executable>route-null.sh</executable>
>    <expect>srcip</expect>
>    <timeout_allowed>yes</timeout_allowed>
>  </command>
>
>
>  <active-response>
>    <disabled>no</disabled>
>    <command>route-null</command>
>    <location>local</location>
>    <rules_id>5720</rules_id>
>    <timeout>1800</timeout>
>  </active-response>
>
>
>
> Yet again, I'm perplexed... has anybody gotten the AR to work in a
> server-agent setup for rules 5720 and/or 5712?
> NOTE: this was working perfectly for me when I had OSSEC installed in
> local mode.

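The correlation behind rules 5720 and 5712 and the hand-off to the route-null command, as an added example for this page; it is not part of either message above and is not OSSEC's analysisd or execd code. It runs a simplified model of OSSEC's frequency/timeframe/ignore counting (with `<same_source_ip />`) over constructed sshd log lines and then builds the argument vector the `<active-response>` block quoted above would pass to `route-null.sh`. Assumptions, also marked in the code: the sshd patterns are reduced to "Failed password" lines; a composite rule fires here at exactly `frequency` matches, whereas OSSEC's own documentation says the real trigger is two above the configured value; the default timeframe of 360 s is filled in for 5720, which omits it; the year 2011 is assumed because syslog timestamps carry none; and "-" is assumed for the unused user argument since the command only expects `srcip`.

```python
"""Simplified model of OSSEC's composite-rule correlation for sshd rules
5720 and 5712, plus the argv the thread's route-null active response would
receive.  Example code written for this page, not OSSEC's own engine."""

import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log, modelled on the lines quoted in the thread but
# using RFC 5737 documentation addresses.  192.0.2.10 fails six times for
# jlee inside one window; the other sources never reach the threshold.
SAMPLE_LOG = """\
Feb 22 14:53:10 irprinfssh1 sshd[9470]: Failed password for jlee from 192.0.2.10 port 5118 ssh2
Feb 22 14:53:13 irprinfssh1 sshd[9470]: Failed password for jlee from 192.0.2.10 port 5118 ssh2
Feb 22 14:53:15 irprinfssh1 sshd[9480]: Failed password for invalid user admin from 198.51.100.7 port 40001 ssh2
Feb 22 14:53:17 irprinfssh1 sshd[9490]: Failed password for jlee from 203.0.113.5 port 6000 ssh2
Feb 22 14:53:20 irprinfssh1 sshd[9503]: Failed password for jlee from 192.0.2.10 port 31903 ssh2
Feb 22 14:53:23 irprinfssh1 sshd[9503]: Failed password for jlee from 192.0.2.10 port 31903 ssh2
Feb 22 14:53:25 irprinfssh1 sshd[9503]: Failed password for jlee from 192.0.2.10 port 31903 ssh2
Feb 22 14:53:28 irprinfssh1 sshd[9510]: Accepted publickey for ops from 192.0.2.50 port 5555 ssh2
Feb 22 14:53:30 irprinfssh1 sshd[9511]: Failed password for jlee from 192.0.2.10 port 31904 ssh2
Feb 22 14:53:33 irprinfssh1 sshd[9512]: Failed password for jlee from 192.0.2.10 port 31905 ssh2
"""

# Simplified stand-in for the atomic sshd rules (OSSEC's real decoders and
# regexes cover many more message forms).
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?P<invalid>invalid user )?(?P<user>\S+) "
    r"from (?P<srcip>\S+) port \d+"
)


def match_atomic(line):
    """Return (rule_id, srcip, user, timestamp) or None for one syslog line.
    5710 = failure for a non-existent user, 5716 = ordinary auth failure."""
    m = FAILED_RE.match(line)
    if not m:
        return None
    rule_id = 5710 if m.group("invalid") else 5716
    # syslog lines carry no year; 2011 is assumed to match the thread
    ts = datetime.strptime("2011 " + m.group("ts"), "%Y %b %d %H:%M:%S")
    return rule_id, m.group("srcip"), m.group("user"), ts


# The two composite rules from the thread.  timeframe=360 for 5720 is the
# OSSEC default filled in here because the rule omits the attribute.
COMPOSITE_RULES = [
    dict(id=5720, if_matched_sid=5716, frequency=6, timeframe=360, ignore=0,
         description="Multiple SSHD authentication failures."),
    dict(id=5712, if_matched_sid=5710, frequency=6, timeframe=120, ignore=60,
         description="SSHD brute force trying to get access to the system."),
]


def correlate(lines, rules=COMPOSITE_RULES):
    """Feed lines in order; return [(rule_id, srcip, fire_time), ...].

    Per rule and per source IP (same_source_ip), keep the timestamps of
    if_matched_sid hits inside a sliding timeframe.  When the count reaches
    `frequency` the rule fires, the window is reset, and further hits from
    that IP are ignored for `ignore` seconds.  (Real OSSEC fires two matches
    above the configured frequency per its docs; this model fires at exactly
    `frequency` for clarity.)
    """
    windows = {r["id"]: defaultdict(list) for r in rules}
    ignored_until = {r["id"]: {} for r in rules}
    alerts = []
    for line in lines:
        hit = match_atomic(line)
        if hit is None:
            continue
        sid, srcip, _user, ts = hit
        for r in rules:
            if r["if_matched_sid"] != sid:
                continue
            until = ignored_until[r["id"]].get(srcip)
            if until is not None and ts < until:
                continue
            win = windows[r["id"]][srcip]
            win.append(ts)
            win[:] = [t for t in win if (ts - t).total_seconds() <= r["timeframe"]]
            if len(win) >= r["frequency"]:
                alerts.append((r["id"], srcip, ts))
                win.clear()
                if r["ignore"]:
                    ignored_until[r["id"]][srcip] = ts + timedelta(seconds=r["ignore"])
    return alerts


def active_response_argv(rule_id, srcip, user="-", rules_id=(5720,),
                         executable="route-null.sh"):
    """Argument vector for the thread's <active-response> block, which binds
    <command>route-null</command> to <rules_id>5720</rules_id> with
    <expect>srcip</expect>.  OSSEC AR scripts read ACTION=$1 USER=$2 IP=$3;
    "-" for the unexpected user field is an assumption of this example."""
    if rule_id not in rules_id:
        return None
    return [executable, "add", user, srcip]


if __name__ == "__main__":
    for rule_id, srcip, ts in correlate(SAMPLE_LOG.splitlines()):
        print(f"Rule {rule_id} fired at {ts:%H:%M:%S} for {srcip} -> "
              f"{active_response_argv(rule_id, srcip)}")
```

Only 5720 fires on this input (the sixth failure from 192.0.2.10, at 14:53:30), which is what hands `add - 192.0.2.10` to the script. One caveat worth keeping in mind when comparing local mode with a server-agent setup: `<location>local</location>` means OSSEC runs the command on the agent that generated the event, not on the manager, so that agent must have the script installed under its own active-response/bin directory and active response enabled in its own ossec.conf; `<location>server</location>` runs it on the manager instead.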