On Thu, Jun 9, 2011 at 12:54 AM, treydock <[email protected]> wrote:
> Today my campus' vulnerability scanner was blocked by OSSEC.  That I
> expected, but what I didn't expect was there to be no log entries of
> WHAT triggered the active response.  My config for host-deny and
> firewall-drop is set to level 6, yet I can't find in any logs what
> event triggered the active response.
>
> Here's the active response log entries
>
>
> Wed Jun  8 21:29:18 CDT 2011 /var/ossec/active-response/bin/host-deny.sh add - <server IP> 1307586547.216909 5706
> Wed Jun  8 21:29:18 CDT 2011 /var/ossec/active-response/bin/firewall-drop.sh add - <server IP> 1307586547.216909 5706
> Wed Jun  8 21:39:45 CDT 2011 /var/ossec/active-response/bin/firewall-drop.sh delete - <server IP> 1307586547.216909 5706
> Wed Jun  8 21:39:45 CDT 2011 /var/ossec/active-response/bin/host-deny.sh delete - <server IP> 1307586547.216909 5706
>
> Based on those logs and the rule ID mentioned (5706) I found that it's
> related to SSH.  So this is the only thing I could find around that
> time, from the IP that was blocked "<server IP>"... from /var/log/secure
>
> Jun  8 21:29:03 <ossec server> sshd[7272]: Did not receive identification string from <server IP>

There's nothing in an alerts log file that matches the above message?

> Jun  8 21:29:24 <ossec server> sshd[7388]: refused connect from ::ffff:<server IP> (::ffff:<server IP>)
>
> Looking at Rule #5706, this is Level 6, so it correctly triggered an
> active response.  However, I'm concerned as to why OSSEC didn't log an
> alert or anything besides the active-response.
>
> Thanks
> - Trey
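The active-responses.log entries quoted above carry everything needed to look the triggering alert up: the sixth field (1307586547.216909) is the alert ID that analysisd assigns, and the seventh (5706) is the rule ID. The script below, an added example and not code from the thread or from the OSSEC project, parses those lines and checks each "add" action against the records in alerts.log, reporting which blocks have no matching alert at all. The alerts.log record layout it assumes ("** Alert <id>: ..." header, then a "Rule: <id> (level <n>) -> '<description>'" line) is the OSSEC 2.x format as I know it; the sample log lines, the 192.0.2.10 address and the second alert are constructed for the example.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# One active-responses.log line, as quoted in the thread:
#   <date> <script> <add|delete> <user> <ip> <alert id> <rule id>
AR_LINE = re.compile(
    r"^(?P<when>\w{3} \w{3}\s+\d+ \d\d:\d\d:\d\d \S+ \d{4}) "
    r"(?P<script>\S+) (?P<action>add|delete) (?P<user>\S+) (?P<ip>\S+) "
    r"(?P<alert_id>\d+\.\d+) (?P<rule_id>\d+)$"
)

# alerts.log record header and rule line (assumed OSSEC 2.x layout)
ALERT_HEADER = re.compile(r"^\*\* Alert (?P<alert_id>\d+\.\d+):")
RULE_LINE = re.compile(r"^Rule: (?P<rule_id>\d+) \(level (?P<level>\d+)\) -> '(?P<desc>.*)'")


@dataclass
class ActiveResponse:
    when: str
    script: str
    action: str
    ip: str
    alert_id: str
    rule_id: int


def parse_active_response(line: str) -> Optional[ActiveResponse]:
    """Parse one active-responses.log line; None if the shape does not match."""
    m = AR_LINE.match(line.strip())
    if not m:
        return None
    return ActiveResponse(m["when"], m["script"], m["action"], m["ip"],
                          m["alert_id"], int(m["rule_id"]))


def index_alerts(alerts_text: str) -> Dict[str, dict]:
    """Map alert ID -> {rule_id, level, desc, record} for every record in alerts.log."""
    index: Dict[str, dict] = {}
    for record in re.split(r"\n\s*\n", alerts_text.strip()):
        lines = record.splitlines()
        if not lines:
            continue
        head = ALERT_HEADER.match(lines[0])
        if not head:
            continue
        entry = {"rule_id": None, "level": None, "desc": "", "record": record}
        for ln in lines[1:]:
            r = RULE_LINE.match(ln)
            if r:
                entry.update(rule_id=int(r["rule_id"]), level=int(r["level"]), desc=r["desc"])
                break
        index[head["alert_id"]] = entry
    return index


def correlate(ar_text: str, alerts_text: str) -> List[Tuple[ActiveResponse, Optional[dict]]]:
    """Pair every 'add' action with its alerts.log record (None when no record has that ID)."""
    index = index_alerts(alerts_text)
    pairs = []
    for line in ar_text.splitlines():
        ar = parse_active_response(line)
        if ar is None or ar.action != "add":
            continue
        pairs.append((ar, index.get(ar.alert_id)))
    return pairs


def report(ar_text: str, alerts_text: str) -> List[str]:
    """Human-readable summary, one line per block; flags blocks with no logged alert."""
    out = []
    for ar, alert in correlate(ar_text, alerts_text):
        if alert is None:
            out.append(f"{ar.when}: rule {ar.rule_id} blocked {ar.ip} "
                       f"(alert {ar.alert_id}) but alerts.log has NO record with that ID")
        else:
            out.append(f"{ar.when}: rule {ar.rule_id} (level {alert['level']}) blocked {ar.ip}: "
                       f"'{alert['desc']}'")
    return out


# Constructed sample data. The first three lines mirror the thread; the last one
# is an extra block whose alert ID is deliberately absent from the alerts sample.
AR_SAMPLE = """\
Wed Jun  8 21:29:18 CDT 2011 /var/ossec/active-response/bin/host-deny.sh add - 192.0.2.10 1307586547.216909 5706
Wed Jun  8 21:29:18 CDT 2011 /var/ossec/active-response/bin/firewall-drop.sh add - 192.0.2.10 1307586547.216909 5706
Wed Jun  8 21:39:45 CDT 2011 /var/ossec/active-response/bin/firewall-drop.sh delete - 192.0.2.10 1307586547.216909 5706
Wed Jun  8 22:05:02 CDT 2011 /var/ossec/active-response/bin/host-deny.sh add - 192.0.2.10 1307588702.118207 5706
"""

ALERTS_SAMPLE = """\
** Alert 1307586547.216909: - syslog,sshd,
2011 Jun 08 21:29:03 ossec-server->/var/log/secure
Rule: 5706 (level 6) -> 'SSH insecure connection attempt (scan).'
Src IP: 192.0.2.10
Jun  8 21:29:03 ossec-server sshd[7272]: Did not receive identification string from 192.0.2.10

** Alert 1307587120.300100: - syslog,sshd,
2011 Jun 08 21:38:40 ossec-server->/var/log/secure
Rule: 5701 (level 8) -> 'Possible attack on the ssh server (or version gathering).'
Src IP: 192.0.2.10
Jun  8 21:38:40 ossec-server sshd[7388]: Bad protocol version identification
"""

if __name__ == "__main__":
    for line in report(AR_SAMPLE, ALERTS_SAMPLE):
        print(line)
```

Run against the real files (/var/ossec/logs/active-responses.log and /var/ossec/logs/alerts/alerts.log) by reading them into `ar_text` and `alerts_text`. A block with no matching record is the situation described in the thread; besides checking whether alerts.log was rotated between the block and the search, it is worth comparing `<log_alert_level>` in the `<alerts>` section of ossec.conf with the `<level>` of the active-response command, since a rule can be high enough to fire a response yet below the threshold at which the alert is written to the log.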
