Hi Trey, On Thu, Jun 9, 2011 at 10:52 PM, treydock <[email protected]> wrote: > Looking at the details of the rule I see why I didn't get any emails > or extra log entries...it's level 6 (my threshold of notification is > 7) and it doesn't have the setting in the rule to send email > notifications. I think what threw me off was getting a notification > that an active-response was triggered, but not getting a notification > of what triggered it. Would it be possible to set OSSEC to email the > trigger of an active-response regardless of it's level? The idea > being if it's significant enough to trigger active response then it is > likely something worth being notified about. >
There's no setting for this currently. "My config for host-deny and firewall-drop is set to level 6" You've set your AR to be triggered by any alert level 6+. If you want email notifications on them all, you should change the email alert level. After all, if it's worth setting off an AR for, it's worth reporting. > - Trey > > > On Jun 9, 1:27 pm, "dan (ddp)" <[email protected]> wrote: >> On Thu, Jun 9, 2011 at 12:54 AM, treydock <[email protected]> wrote: >> > Today my campus' vulnerability scanner was blocked by OSSEC. That I >> > expected, but what I didn't expect was there to be no log entries of >> > WHAT triggered the active response. My config for host-deny and >> > firewall-drop is set to level 6, yet I can't find in any logs what >> > event triggered the active response. >> >> > Here's the active response log entries >> >> > Wed Jun 8 21:29:18 CDT 2011 /var/ossec/active-response/bin/host- >> > deny.sh add - <server IP> 1307586547.216909 5706 >> > Wed Jun 8 21:29:18 CDT 2011 /var/ossec/active-response/bin/firewall- >> > drop.sh add - <server IP> 1307586547.216909 5706 >> > Wed Jun 8 21:39:45 CDT 2011 /var/ossec/active-response/bin/firewall- >> > drop.sh delete - <server IP> 1307586547.216909 5706 >> > Wed Jun 8 21:39:45 CDT 2011 /var/ossec/active-response/bin/host- >> > deny.sh delete - <server IP> 1307586547.216909 5706 >> >> > Based on those logs and the rule ID mentioned (5706) I found that it's >> > related to SSH. So this is the only thing I could find around that >> > time, from the IP that was blocked "<server IP>"...from /var/log/ >> > secure >> >> > Jun 8 21:29:03 <ossec server> sshd[7272]: Did not receive >> > identification string from <server IP> >> >> There's nothing in an alerts log file that matches the above message? >> >> >> >> >> >> >> >> > Jun 8 21:29:24 <ossec server> sshd[7388]: refused connect >> > from ::ffff:<server IP> (::ffff:<server IP>) >> >> > Looking at Rule #5706 this is Level 6 so it correctly triggered an >> > active response. However I'm concerned as to why OSSEC didn't log an >> > alert or anything besides the active-response. >> >> > Thanks >> > - Trey
