Thanks both for the help.  I think I have it working using
route-null.  I've got the tests running, but am not seeing the test IP
coming up in the route table.

Here's the active-response...
    <active-response>
        <command>route-null</command>
        <location>local</location>
        <rules_id>31151</rules_id> <!-- Multiple web server 400 error
codes from same source IP -->
        <timeout>600</timeout>
    </active-response>

The rule is verified...
 bin/agent_control -L

OSSEC HIDS agent_control. Available active responses:

   Response name: host-deny600, command: host-deny.sh
   Response name: firewall-drop600, command: firewall-drop.sh
   Response name: route-null600, command: route-null.sh

And I run this to test the new active-response...

$ bin/agent_control -b 2.3.4.5 -f route-null600 -u 004

OSSEC HIDS agent_control: Running active response 'route-null600' on:
004


This is what the client has in active response log

/var/ossec/active-response/bin/route-null.sh add - 2.3.4.5
(from_the_server) (no_rule_id)


Is the "no_rule_id" why I'm not seeing anything in the route table?  Do I
have to specify a level in the active-response or is the rules_id
enough?


Thanks again!
- Trey

On May 7, 5:50 pm, Jeremy Lee <[email protected]> wrote:
> Check out the how-to 
> here: http://www.ossec.net/main/manual/manual-active-response/bin
>
> The route null script is called "route-null.sh" - you would specify the
> script in the AR configuration (in ossec.conf) per the doc.
>
> Also, just so you know, all AR scripts live in
> /var/ossec/active-responses/bin
>
> On Sat, May 7, 2011 at 3:42 PM, treydock <[email protected]> wrote:
> > The route-null idea might be best for me as I don't use IPtables
> > regularly.  How could I use route-null with the configuration Frank
> > provided?
>
> > Thanks
> > - Trey
>
> > On May 7, 3:00 pm, Jeremy Lee <[email protected]> wrote:
> > > You could also try using the route-null/null-route script to drop
> > > offending IPs.  I find this less "intrusive" and complicated versus
> > > dealing with iptables.
>
> > > On Sat, May 7, 2011 at 12:30 PM, treydock <[email protected]> wrote:
> > > > I run CentOS 5.5 on the system with iptables.  How does iptables have
> > > > to be configured to allow this?
>
> > > > On May 7, 8:05 am, Frank Stefan Sundberg Solli <[email protected]>
> > > > wrote:
> > > > > Hi.
>
> > > > > Yes you can do ban on the "multiple 400 errors from same source IP"
>
> > > > > Take this example
>
> > > > > <active-response>
> > > > >     <command>firewall-drop</command>
> > > > >     <location>local</location>
> > > > >     <rules_id>5720, 11210</rules_id> <!-- Multiple SSHD auth
> > > > > failures, proftpd -->
> > > > >     <timeout>600</timeout>
> > > > > </active-response>
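
An added example, not code from the thread or from OSSEC itself: a POSIX shell checker that parses a line in the active-response log format quoted above and reports whether the requested add/delete actually agrees with the route table. The log line and the `ip route show` output are constructed samples, and the reject/unreachable host-route form is an assumption about what the route-null script installs; on a live agent, feed it the last line of the active-response log and the output of `ip route show`.

```shell
#!/bin/sh
# Added example, not OSSEC's own code: parse an active-responses.log line
# and check whether the IP it names is actually null-routed in a route dump.

# Constructed sample: the log line quoted in the thread.
SAMPLE_LOG='/var/ossec/active-response/bin/route-null.sh add - 2.3.4.5 (from_the_server) (no_rule_id)'

# Constructed sample `ip route show` output with the IP null-routed.
# Assumption: the route-null script installs a reject/unreachable host route.
SAMPLE_ROUTES='default via 192.0.2.1 dev eth0
192.0.2.0/24 dev eth0 proto kernel scope link src 192.0.2.10
unreachable 2.3.4.5 scope link'

# ar_field LINE N: field N of a log line.
# Fields: 1=script 2=action 3=user 4=ip 5=origin 6=rule id
ar_field() {
    printf '%s\n' "$1" | awk -v n="$2" '{ print $n }'
}

ar_action()  { ar_field "$1" 2; }                # "add" or "delete"
ar_ip()      { ar_field "$1" 4; }                # target IP
# Rule id without parentheses; "no_rule_id" means the response was started
# by hand with agent_control -b, not by a rule match.
ar_rule_id() { ar_field "$1" 6 | tr -d '()'; }

# route_present IP ROUTES: succeed if ROUTES holds a host route for IP,
# as "unreachable|blackhole|prohibit IP ..." (iproute2) or "IP ..." (route -n).
route_present() {
    printf '%s\n' "$2" | awk -v ip="$1" '
        ($1 == "unreachable" || $1 == "blackhole" || $1 == "prohibit") && $2 == ip { found = 1 }
        $1 == ip { found = 1 }
        END { if (found) exit 0; exit 1 }'
}

# verify LINE ROUTES: does the logged add/delete agree with the route table?
verify() {
    action=$(ar_action "$1"); ip=$(ar_ip "$1")
    if route_present "$ip" "$2"; then state=present; else state=absent; fi
    case "$action:$state" in
        add:present|delete:absent) echo "OK: $action $ip, route $state"; return 0 ;;
        *) echo "MISMATCH: $action $ip, route $state (rule: $(ar_rule_id "$1"))"; return 1 ;;
    esac
}

verify "$SAMPLE_LOG" "$SAMPLE_ROUTES"
```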
