Hi. What I did was to change the OSSEC configuration for active
response to call my own Bash scripts to check if the offending IP is
our own office IP or not. If it is our own, just log it; if it is not,
call the firewall-drop.sh and host-deny.sh OSSEC scripts with the
same parameters. In this way I don't need to restart OSSEC.

The configuration change in ossec.conf would be (this is for firewall-drop but it is similar for host-deny):

  <command>
    <name>firewall-drop</name>
    <!--   executable>firewall-drop.sh</executable   -->
    <executable>mv_firewalldrop_ifnotus.sh</executable>
    <expect>srcip</expect>
    <timeout_allowed>yes</timeout_allowed>
  </command>

The script mv_firewalldrop_ifnotus.sh would be:

#!/bin/bash
# Wrapper for OSSEC active response: only block the source IP if it is
# not our own office address. OSSEC passes: $1=action, $2=user, $3=srcip.
OURHOST="oventuragw.dyndns.org"
IP=$3
if [ "x${IP}" = "x" ]; then
  exit 1
fi
# Resolve our (dynamic) office IP; keep only the first A record.
OURIP=$(/usr/bin/dig +short "$OURHOST" | /usr/bin/head -n 1)
if [ "x${OURIP}" = "x" ]; then
  # DNS lookup failed: take no action.
  exit 1
else
  if [ "${OURIP}" = "${IP}" ]; then
    # It is our own IP: just log it, do not block.
    echo "$(/bin/date) ${IP} firewalldrop" >> /var/ossec/logs/active-responses-ignored.log
    exit 1
  else
    # Not us: hand off to the stock OSSEC script with the same arguments.
    /var/ossec/active-response/bin/firewall-drop.sh "$1" "$2" "$3"
  fi
fi

The script should be in /var/ossec/active-response/bin or OSSEC won't
find it.

This is a quick hack; you can improve it by not using hardcoded paths
or by using an array of hostnames to check. I think if active response
gets triggered a lot, maybe the script should not query the DNS server
directly for the IP; instead you can set up a cron script to get it and
store it in a file, then modify this script to read that file. That
way the DNS query is always done at preset times, and not for each
active response trigger.

Hope this helps.

Regards, MV
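A variant of MV's wrapper that applies the two improvements suggested in the message (a cache file refreshed from cron instead of a dig per trigger, and a list of hostnames), as an added example that is not part of the original post. The hostnames, the cache path and the ignored-log name are assumptions; the add/delete arguments are the ones OSSEC passes to active-response scripts.

```shell
#!/bin/bash
# Added example (not MV's script): wrapper that reads our office IPs from a
# cache file that cron refreshes, so dig does not run on every trigger.
# Hostnames, paths and the log name below are assumed placeholders.
OURHOSTS="office1.example.net office2.example.net"          # assumed
CACHE_FILE="${CACHE_FILE:-/var/ossec/etc/our-ips.cache}"    # assumed path
IGNORED_LOG="${IGNORED_LOG:-/var/ossec/logs/active-responses-ignored.log}"
OSSEC_BIN="/var/ossec/active-response/bin"

# Cron entry point: resolve every hostname once and replace the cache
# atomically, so a trigger never reads a half-written file.
refresh_cache() {
  local tmp host
  tmp=$(mktemp "${CACHE_FILE}.XXXXXX") || return 1
  for host in $OURHOSTS; do
    dig +short "$host" | grep -E '^[0-9]+(\.[0-9]+){3}$'
  done > "$tmp"
  if [ -s "$tmp" ]; then mv "$tmp" "$CACHE_FILE"; else rm -f "$tmp"; return 1; fi
}

# True when $1 is exactly one line of the cache file $2. Whole-line,
# fixed-string matching keeps 10.0.0.1 from matching 10.0.0.10 or 110.0.0.1.
is_our_ip() {
  grep -qxF -- "$1" "$2"
}

# OSSEC passes: $1=add|delete, $2=user, $3=srcip. Echo the decision so it
# can be checked without touching the firewall.
decide() {
  local ip=$3
  # No IP or no readable cache: take no action, like MV's script on DNS failure.
  [ -n "$ip" ] && [ -r "$CACHE_FILE" ] || return 1
  if is_our_ip "$ip" "$CACHE_FILE"; then echo ignore; else echo block; fi
}

main() {
  case "$(decide "$1" "$2" "$3")" in
    ignore) echo "$(date) $3 firewalldrop" >> "$IGNORED_LOG" ;;
    block)  exec "$OSSEC_BIN/firewall-drop.sh" "$1" "$2" "$3" ;;
    *)      exit 1 ;;
  esac
}

# Only act when invoked by OSSEC (add/delete) or by cron (refresh).
case "${1:-}" in
  add|delete) main "$@" ;;
  refresh)    refresh_cache ;;
esac
```

Install it in /var/ossec/active-response/bin, point `<executable>` at it as in the ossec.conf snippet above, and run it with the `refresh` argument from cron.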
