It's really weird... I'm scared to touch anything in ossec.conf now because I'm afraid it'll break or something. Maybe I'm just really good at typos or something!
On Wed, Feb 23, 2011 at 11:41 AM, dan (ddp) <[email protected]> wrote:
> I'm not sure you need the <disabled>no</disabled> inside the
> <active-response> block.
>
> For those that don't want to look them up:
>
> <rule id="5720" level="10" frequency="6">
>   <if_matched_sid>5716</if_matched_sid>
>   <same_source_ip />
>   <description>Multiple SSHD authentication failures.</description>
>   <group>authentication_failures,</group>
> </rule>
>
> <rule id="5712" level="10" frequency="6" timeframe="120" ignore="60">
>   <if_matched_sid>5710</if_matched_sid>
>   <description>SSHD brute force trying to get access to </description>
>   <description>the system.</description>
>   <same_source_ip />
>   <group>authentication_failures,</group>
> </rule>
>
> I've had these working in the past, haven't looked to see if they've
> fired recently.
>
> On Tue, Feb 22, 2011 at 6:04 PM, jplee3 <[email protected]> wrote:
> > Okay, so I was able to get 5720 to fire consistently. But now I'm
> > having issues with AR working (again). This time the server is getting
> > the alerts from the OSSEC agent (as normal) and it is in fact firing
> > 5720:
> >
> > ** Alert 1298415206.1338076638: mail - syslog,sshd,authentication_failures,
> > 2011 Feb 22 14:53:26 (irprinfssh1) X.X.X.X->/var/log/secure
> > Rule: 5720 (level 10) -> 'Multiple SSHD authentication failures.'
> > Src IP: X.X.X.X
> > User: jlee
> > Feb 22 14:53:25 irprinfssh1 sshd[9503]: Failed password for jlee from X.X.X.X port 31903 ssh2
> > Feb 22 14:53:23 irprinfssh1 sshd[9503]: Failed password for jlee from X.X.X.X port 31903 ssh2
> > Feb 22 14:53:13 irprinfssh1 sshd[9470]: Failed password for jlee from X.X.X.X port 5118 ssh2
> >
> > The AR/command in ossec.conf is as follows:
> >
> > <command>
> >   <name>route-null</name>
> >   <executable>route-null.sh</executable>
> >   <expect>srcip</expect>
> >   <timeout_allowed>yes</timeout_allowed>
> > </command>
> >
> > <active-response>
> >   <disabled>no</disabled>
> >   <command>route-null</command>
> >   <location>local</location>
> >   <rules_id>5720<rules_id>
> >   <timeout>1800</timeout>
> > </active-response>
> >
> > Yet again, I'm perplexed... has anybody gotten the AR to work in a
> > server-agent setup for rules 5720 and/or 5712?
> > NOTE: this was working perfectly for me when I had OSSEC installed in
> > local mode.
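A quick sanity check for the kind of `<command>`/`<active-response>` fragment quoted above. This is an added example written for this page, not OSSEC's own parser (OSSEC uses its own XML reader, so passing here is not proof that ossec.conf will load). The input is constructed from the fragment as it appears in the thread, including its `<rules_id>5720<rules_id>` with no closing slash, plus a corrected copy; the corrected copy also adds 5712 to `rules_id`, which is an assumption about what the poster wants. The accepted `<location>` values (local, server, defined-agent, all) are the ones documented for OSSEC active response.

```python
"""Well-formedness and cross-reference check for OSSEC active-response fragments.

Added example; not code from the thread or from the OSSEC project.
"""
import xml.etree.ElementTree as ET

# Constructed from the ossec.conf fragment quoted in the thread, verbatim,
# including the unclosed <rules_id> tag.
POSTED = """
<command>
  <name>route-null</name>
  <executable>route-null.sh</executable>
  <expect>srcip</expect>
  <timeout_allowed>yes</timeout_allowed>
</command>

<active-response>
  <disabled>no</disabled>
  <command>route-null</command>
  <location>local</location>
  <rules_id>5720<rules_id>
  <timeout>1800</timeout>
</active-response>
"""

# Same fragment with the closing tag fixed. Adding 5712 is an assumption
# (the poster asks about both 5720 and 5712).
CORRECTED = POSTED.replace("<rules_id>5720<rules_id>",
                           "<rules_id>5720,5712</rules_id>")

# Documented OSSEC <location> values and trigger keys for <active-response>.
LOCATIONS = ("local", "server", "defined-agent", "all")
TRIGGERS = ("rules_id", "level", "rules_group")


def parse_fragment(fragment):
    """Wrap a bare ossec.conf fragment in a root element and parse it.

    Returns (root, None) on success or (None, error_message) on failure.
    """
    try:
        return ET.fromstring("<ossec_config>" + fragment + "</ossec_config>"), None
    except ET.ParseError as exc:
        return None, str(exc)


def check_active_responses(fragment):
    """Return a list of findings for the fragment; an empty list means no problem found."""
    root, err = parse_fragment(fragment)
    if root is None:
        return ["not well-formed XML: " + err]

    defined = {c.findtext("name") for c in root.findall("command")}
    findings = []
    for i, ar in enumerate(root.findall("active-response"), 1):
        cmd = ar.findtext("command")
        if cmd not in defined:
            findings.append(f"active-response #{i}: command {cmd!r} has no <command> definition")
        if not any(ar.findtext(k) for k in TRIGGERS):
            findings.append(f"active-response #{i}: no rules_id/level/rules_group trigger")
        loc = ar.findtext("location")
        if loc not in LOCATIONS:
            findings.append(f"active-response #{i}: unknown location {loc!r}")
        if loc == "defined-agent" and not ar.findtext("agent_id"):
            findings.append(f"active-response #{i}: defined-agent needs <agent_id>")
    return findings


def triggered_rules(fragment):
    """Map each active-response command to the rule ids that trigger it."""
    root, err = parse_fragment(fragment)
    if root is None:
        raise ValueError(err)
    out = {}
    for ar in root.findall("active-response"):
        ids = ar.findtext("rules_id") or ""
        out.setdefault(ar.findtext("command"), []).extend(
            int(x) for x in ids.split(",") if x.strip())
    return out


if __name__ == "__main__":
    for label, frag in (("posted", POSTED), ("corrected", CORRECTED)):
        print(label, check_active_responses(frag) or "ok")
    print(triggered_rules(CORRECTED))
```

Run it and the posted fragment is reported as not well-formed at the `</active-response>` tag, which is where a parser first notices that `<rules_id>` was never closed; the corrected fragment passes and maps route-null to rules 5720 and 5712.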
