Today my campus' vulnerability scanner was blocked by OSSEC. That I expected, but what I didn't expect was there to be no log entries of WHAT triggered the active response. My config for host-deny and firewall-drop is set to level 6, yet I can't find in any logs what event triggered the active response.
Here's the active response log entries:

Wed Jun 8 21:29:18 CDT 2011 /var/ossec/active-response/bin/host-deny.sh add - <server IP> 1307586547.216909 5706
Wed Jun 8 21:29:18 CDT 2011 /var/ossec/active-response/bin/firewall-drop.sh add - <server IP> 1307586547.216909 5706
Wed Jun 8 21:39:45 CDT 2011 /var/ossec/active-response/bin/firewall-drop.sh delete - <server IP> 1307586547.216909 5706
Wed Jun 8 21:39:45 CDT 2011 /var/ossec/active-response/bin/host-deny.sh delete - <server IP> 1307586547.216909 5706

Based on those logs and the rule ID mentioned (5706) I found that it's related to SSH. So this is the only thing I could find around that time, from the IP that was blocked "<server IP>"... from /var/log/secure:

Jun 8 21:29:03 <ossec server> sshd[7272]: Did not receive identification string from <server IP>
Jun 8 21:29:24 <ossec server> sshd[7388]: refused connect from ::ffff:<server IP> (::ffff:<server IP>)

Looking at Rule #5706, this is Level 6, so it correctly triggered an active response. However, I'm concerned as to why OSSEC didn't log an alert or anything besides the active-response.

Thanks - Trey
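The active-response log lines in the post carry the alert id (1307586547.216909) that OSSEC uses as the "** Alert <id>:" header in alerts.log, so the two files can be joined on that field rather than on timestamps. The following script is an added example, not part of the post or of OSSEC itself: it parses active-responses.log lines in the format shown above and reports every "add" whose alert id has no matching alert entry. The log samples are constructed, the IPs are documentation addresses, and the alerts.log header format is assumed from OSSEC's default alert layout.

```python
import re

# Constructed sample of /var/ossec/active-response/active-responses.log in the
# format from the post: date, script, add|delete, user, src IP, alert id, rule id.
ACTIVE_RESPONSES = """\
Wed Jun  8 21:29:18 CDT 2011 /var/ossec/active-response/bin/host-deny.sh add - 192.0.2.10 1307586547.216909 5706
Wed Jun  8 21:29:18 CDT 2011 /var/ossec/active-response/bin/firewall-drop.sh add - 192.0.2.10 1307586547.216909 5706
Wed Jun  8 21:39:45 CDT 2011 /var/ossec/active-response/bin/firewall-drop.sh delete - 192.0.2.10 1307586547.216909 5706
"""

# Constructed sample of alerts.log containing only an unrelated alert, so the
# block above should be reported as having no matching alert entry.
ALERTS = """\
** Alert 1307586000.100000: - syslog,sshd,
2011 Jun 08 21:20:00 (ossec-server) any->/var/log/secure
Rule: 5701 (level 8) -> 'Possible attack on the ssh server (or version gathering).'
Src IP: 198.51.100.7
"""

AR_LINE = re.compile(
    r"^\w{3} \w{3} +\d+ \d\d:\d\d:\d\d \w+ \d{4} "
    r"(?P<script>\S+) (?P<action>add|delete) (?P<user>\S+) (?P<srcip>\S+) "
    r"(?P<alert_id>\d+\.\d+) (?P<rule_id>\d+)$"
)
ALERT_HDR = re.compile(r"^\*\* Alert (?P<alert_id>\d+\.\d+):")


def parse_active_responses(text):
    """Yield one dict per parseable active-response line; skip anything else."""
    for line in text.splitlines():
        m = AR_LINE.match(line)
        if m:
            yield {
                "script": m["script"].rsplit("/", 1)[-1],
                "action": m["action"],
                "srcip": m["srcip"],
                "alert_id": m["alert_id"],
                "rule_id": m["rule_id"],
            }


def alert_ids(text):
    """Collect the alert ids present in alerts.log ('** Alert <id>:' headers)."""
    return {m["alert_id"] for m in map(ALERT_HDR.match, text.splitlines()) if m}


def unexplained_blocks(ar_text, alerts_text):
    """Return sorted (srcip, rule_id, alert_id) for each block with no alert entry."""
    known = alert_ids(alerts_text)
    hits = {(ar["srcip"], ar["rule_id"], ar["alert_id"])
            for ar in parse_active_responses(ar_text)
            if ar["action"] == "add" and ar["alert_id"] not in known}
    return sorted(hits)
```

When run against the real files, an empty result means every block is backed by an alert; a non-empty one points at the alert id to search for in the archives or in a rotated alerts.log.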
