Looking at the details of the rule I see why I didn't get any emails or extra log entries...it's level 6 (my threshold of notification is 7) and it doesn't have the setting in the rule to send email notifications. I think what threw me off was getting a notification that an active-response was triggered, but not getting a notification of what triggered it. Would it be possible to set OSSEC to email the trigger of an active-response regardless of its level? The idea being if it's significant enough to trigger active response then it is likely something worth being notified about.
- Trey

On Jun 9, 1:27 pm, "dan (ddp)" <[email protected]> wrote:
> On Thu, Jun 9, 2011 at 12:54 AM, treydock <[email protected]> wrote:
> > Today my campus' vulnerability scanner was blocked by OSSEC. That I
> > expected, but what I didn't expect was there to be no log entries of
> > WHAT triggered the active response. My config for host-deny and
> > firewall-drop is set to level 6, yet I can't find in any logs what
> > event triggered the active response.
> >
> > Here are the active response log entries
> >
> > Wed Jun 8 21:29:18 CDT 2011 /var/ossec/active-response/bin/host-deny.sh add - <server IP> 1307586547.216909 5706
> > Wed Jun 8 21:29:18 CDT 2011 /var/ossec/active-response/bin/firewall-drop.sh add - <server IP> 1307586547.216909 5706
> > Wed Jun 8 21:39:45 CDT 2011 /var/ossec/active-response/bin/firewall-drop.sh delete - <server IP> 1307586547.216909 5706
> > Wed Jun 8 21:39:45 CDT 2011 /var/ossec/active-response/bin/host-deny.sh delete - <server IP> 1307586547.216909 5706
> >
> > Based on those logs and the rule ID mentioned (5706) I found that it's
> > related to SSH. So this is the only thing I could find around that
> > time, from the IP that was blocked "<server IP>"...from /var/log/secure
> >
> > Jun 8 21:29:03 <ossec server> sshd[7272]: Did not receive identification string from <server IP>
>
> There's nothing in an alerts log file that matches the above message?
>
> > Jun 8 21:29:24 <ossec server> sshd[7388]: refused connect from ::ffff:<server IP> (::ffff:<server IP>)
> >
> > Looking at Rule #5706 this is Level 6 so it correctly triggered an
> > active response. However I'm concerned as to why OSSEC didn't log an
> > alert or anything besides the active-response.
> >
> > Thanks
> > - Trey
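The question above asks for an email on whatever fires an active response even when the rule sits below the global email_alert_level. As an added example (not part of this thread and not OSSEC's shipped configuration), the rule-level `alert_by_email` option does that: overriding rule 5706 in local_rules.xml keeps its level at 6, so the level-6 firewall-drop and host-deny responses still fire, while forcing an email for that rule alone. The rule body (parent rule 5700, the match string taken from the sshd line quoted in the thread, the description and group) is assumed to match the stock sshd_rules.xml of that era; copy the real body from the sshd_rules.xml on the server before overwriting, since an overwrite replaces the whole rule.

```xml
<!-- /var/ossec/rules/local_rules.xml (added example, not from the thread) -->
<group name="local,syslog,sshd,">

  <!-- Overwrite stock rule 5706, changing only the email option.
       Level stays 6 so the level-6 active responses still trigger;
       alert_by_email sends mail even though 6 is below the global
       <email_alert_level>7</email_alert_level> in ossec.conf.
       if_sid, match, description and group are assumed to equal the
       stock sshd_rules.xml entry; copy them from your own file. -->
  <rule id="5706" level="6" overwrite="yes">
    <if_sid>5700</if_sid>
    <match>Did not receive identification string from</match>
    <options>alert_by_email</options>
    <description>SSH insecure connection attempt (scan).</description>
    <group>recon,</group>
  </rule>

</group>
```

Before restarting OSSEC, feed a copy of the offending line to /var/ossec/bin/ossec-logtest (for example `echo "Jun 8 21:29:03 host sshd[7272]: Did not receive identification string from 192.0.2.10" | /var/ossec/bin/ossec-logtest`, with a constructed address) and confirm it reports rule 5706 at level 6 and that an alert would be generated; an overwrite that does not match the original body silently stops the rule from firing. The option has to be added to every rule an active response keys on, so if the intent is really "mail anything at the active-response level", the granular `<email_alerts>` block in ossec.conf with `<level>6</level>` is the per-level alternative rather than editing each rule.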
