On Mar 3, 2011, at 9:37 PM, dan (ddp) wrote:

> Hi Tanishk,
> I don't mean to setup syscheck to watch it, I mean to use it as a
> localfile source:
>
>   <localfile>
>     <log_format>syslog</log_format>
>     <location>/var/ossec/logs/active-response.log</location>
>   </localfile>
>
> You'll have to write a rule for it, but that shouldn't be too hard.

Allow me to assist. I don't believe I'm the original author of this, but it works. :)

First, the decoder (put this in /var/ossec/etc/local_decoder.xml):

<!-- decoder for active responses as logged by an OSSEC agent or server
  - Examples:
  - Sat Feb 20 01:37:44 CET 2010 /var/ossec/active-response/bin/host-deny.sh add - 192.168.74.204 1266626262.2106252 5706
  - Sat Feb 20 01:48:14 CET 2010 /var/ossec/active-response/bin/host-deny.sh delete - 192.168.74.204 1266626262.2106252 5706
  - Thu Aug 19 01:41:54 EDT 2010 /var/ossec/active-response/bin/firewall-drop.sh add - 110.136.162.142 1282196514.748326 30118
  - Thu Aug 19 02:43:24 EDT 2010 /var/ossec/active-response/bin/firewall-drop.sh delete - 110.136.162.142 1282196514.748326 30118
  - Extracts:
  - name of AR script as 'action'
  - type of action (add/remove) as 'status'
  - source IP
  - ossec id of AR
-->
<decoder name="ar_log">
  <!-- <prematch>^Mo|^Di|^Mi|^Do|^Fr|^Sa|^So|^Mon|^Tue|^Wed|^Thu|^Fri|^Sat|^Sun</prematch> -->
  <prematch>^Mon|^Tue|^Wed|^Thu|^Fri|^Sat|^Sun</prematch>
  <!-- <regex offset="after_prematch"> \w\w\w \d\d. \d\d:\d\d:\d\d \w\w\w \d\d\d\d /var/ossec/active-response/bin/(\S+) (\S+) - (\S+) (\d+.\d+) \d+</regex> -->
  <regex offset="after_prematch"> \S+\s+\d+ \d\d:\d\d:\d\d \S+ \d+ /var/ossec/active-response/bin/(\S+) (\S+) - (\S+) (\d+.\d+) \d+</regex>
  <order>action, status, srcip, id</order>
</decoder>

And now the rules (I don't follow the recommended rule numbering, I have my own scheme. Adjust accordingly):

<!-- @(#) $Id: ossec_rules.xml,v 1.24 2010/03/04 20:12:33 dcid Exp $
  -  Official ossec rules for OSSEC.
  -
  -  Copyright (C) 2009 Trend Micro Inc.
  -  All rights reserved.
  -
  -  This program is a free software; you can redistribute it
  -  and/or modify it under the terms of the GNU General Public
  -  License (version 2) as published by the FSF - Free Software
  -  Foundation.
  -
  -  License details: http://www.ossec.net/en/licensing.html
-->
<group name="ossec,">
  <rule id="100001" level="3">
    <decoded_as>ar_log</decoded_as>
    <group>active_response_notification</group>
    <action>firewall-drop.sh</action>
    <status>add</status>
    <description>Active response firewall-drop.sh was run, host blocked</description>
  </rule>

  <rule id="100002" level="3">
    <decoded_as>ar_log</decoded_as>
    <group>active_response_notification</group>
    <action>firewall-drop.sh</action>
    <status>delete</status>
    <description>Active response firewall-drop.sh was run, host unblocked</description>
  </rule>

  <rule id="100003" level="3">
    <decoded_as>ar_log</decoded_as>
    <group>active_response_notification</group>
    <action>host-deny.sh</action>
    <status>add</status>
    <description>Active response host-deny.sh was run, host added to hosts.deny</description>
  </rule>

  <rule id="100004" level="3">
    <decoded_as>ar_log</decoded_as>
    <group>active_response_notification</group>
    <action>host-deny.sh</action>
    <status>delete</status>
    <description>Active response host-deny.sh was run, host removed from hosts.deny</description>
  </rule>
</group> <!-- OSSEC -->

> On Thu, Mar 3, 2011 at 9:33 PM, Tanishk Lakhaani <[email protected]> wrote:
>> Hi dan,
>> Configuring ossec to watch the active response.log file will fire an alert
>> w.r.t. Integrity Checksum Changed Event w.r.t. active response.log file. But
>> what I am looking forward to is that I get the actual active response log on
>> my email (email alerting is configured).
>>
>> Regards
>> Tanishk Lakhaani
>> Sent from BlackBerry® on Airtel
>>
>> -----Original Message-----
>> From: "dan (ddp)" <[email protected]>
>> Sender: [email protected]
>> Date: Wed, 2 Mar 2011 15:38:36
>> To: <[email protected]>
>> Reply-To: [email protected]
>> Subject: Re: [ossec-list] How to check active response has been activated or not ??
>>
>> Check the active-response.log file (on the system that runs the active
>> response).
>> You can configure OSSEC to watch the active-response.log file and fire
>> off an email/alert when a new entry is added. It's simple to do, and
>> helps solve the notification problem.
>>
>> On Wed, Mar 2, 2011 at 2:18 PM, Tanishk Lakhaani <[email protected]>
>> wrote:

---------------------------
Jason 'XenoPhage' Frisvold
[email protected]
---------------------------
"Any sufficiently advanced magic is indistinguishable from technology."
- Niven's Inverse of Clarke's Third Law
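As an added example, not part of this thread or of OSSEC, the following Python script mirrors the ar_log decoder (prematch plus after_prematch regex, translated into Python's re syntax, which is an approximation of OSSEC's own regex engine) and the four rules above, and runs them over constructed active-response.log lines so the field extraction and rule selection can be checked offline before the decoder goes live.

```python
import re

# Constructed sample of /var/ossec/logs/active-response.log: the four
# example lines from the decoder comment plus one line that must not decode.
SAMPLE_LOG = """\
Sat Feb 20 01:37:44 CET 2010 /var/ossec/active-response/bin/host-deny.sh add - 192.168.74.204 1266626262.2106252 5706
Sat Feb 20 01:48:14 CET 2010 /var/ossec/active-response/bin/host-deny.sh delete - 192.168.74.204 1266626262.2106252 5706
Thu Aug 19 01:41:54 EDT 2010 /var/ossec/active-response/bin/firewall-drop.sh add - 110.136.162.142 1282196514.748326 30118
Thu Aug 19 02:43:24 EDT 2010 /var/ossec/active-response/bin/firewall-drop.sh delete - 110.136.162.142 1282196514.748326 30118
Thu Aug 19 02:43:24 EDT 2010 ossec-remoted: unrelated line that must not decode
"""
# The ar_log decoder as Python regexes: prematch on the weekday, then the
# after_prematch regex applied where the prematch stopped. OSSEC's \S \s \d
# are the same classes in PCRE; the '.' in (\d+.\d+) is "any char" in both.
PREMATCH = re.compile(r"^(Mon|Tue|Wed|Thu|Fri|Sat|Sun)")
AFTER_PREMATCH = re.compile(
    r" \S+\s+\d+ \d\d:\d\d:\d\d \S+ \d+ /var/ossec/active-response/bin/"
    r"(\S+) (\S+) - (\S+) (\d+.\d+) \d+"
)
ORDER = ("action", "status", "srcip", "id")  # the decoder's <order>
# Rules 100001-100004 from the post, keyed on the decoded (action, status).
RULES = {
    ("firewall-drop.sh", "add"): 100001,
    ("firewall-drop.sh", "delete"): 100002,
    ("host-deny.sh", "add"): 100003,
    ("host-deny.sh", "delete"): 100004,
}

def decode_ar_line(line):
    """Decoded fields of one log line, or None when ar_log does not match."""
    pre = PREMATCH.match(line)
    if pre is None:
        return None
    body = AFTER_PREMATCH.match(line, pre.end())
    if body is None:
        return None
    return dict(zip(ORDER, body.groups()))

def alerts_for(text):
    """Run each line through decoder and rules; return (rule_id, srcip) per hit."""
    hits = []
    for line in text.splitlines():
        fields = decode_ar_line(line)
        if fields is None:
            continue  # not an active-response line, so no rule can fire
        rule_id = RULES.get((fields["action"], fields["status"]))
        if rule_id is not None:
            hits.append((rule_id, fields["srcip"]))
    return hits
```

On a real OSSEC host the authoritative check is pasting the same lines into /var/ossec/bin/ossec-logtest, which runs the actual decoder and rule engine.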
