A somewhat related question...I'm now using the built-in active-response
notification rules and just had an active-response go off that didn't send
out an email. The following should be sufficient to override the alert
setting of emailing all alerts level 7+, correct?
<email_alerts>
<email_to>[email protected]</email_to>
<group>active_response</group>
</email_alerts>
Thanks
- Trey
On Jun 10, 12:40 pm, "dan (ddp)" <[email protected]> wrote:
> Hi Trey,
>
> On Thu, Jun 9, 2011 at 10:52 PM, treydock <[email protected]> wrote:
> > Looking at the details of the rule I see why I didn't get any emails
> > or extra log entries...it's level 6 (my threshold of notification is
> > 7) and it doesn't have the setting in the rule to send email
> > notifications. I think what threw me off was getting a notification
> > that an active-response was triggered, but not getting a notification
> > of what triggered it. Would it be possible to set OSSEC to email the
> > trigger of an active-response regardless of its level? The idea
> > being if it's significant enough to trigger active response then it is
> > likely something worth being notified about.
>
> There's no setting for this currently.
> "My config for host-deny and firewall-drop is set to level 6"
> You've set your AR to be triggered by any alert level 6+. If you want
> email notifications on them all, you should change the email alert
> level.
> After all, if it's worth setting off an AR for, it's worth reporting.
>
> > - Trey
>
> > On Jun 9, 1:27 pm, "dan (ddp)" <[email protected]> wrote:
> >> On Thu, Jun 9, 2011 at 12:54 AM, treydock <[email protected]> wrote:
> >> > Today my campus' vulnerability scanner was blocked by OSSEC. That I
> >> > expected, but what I didn't expect was there to be no log entries of
> >> > WHAT triggered the active response. My config for host-deny and
> >> > firewall-drop is set to level 6, yet I can't find in any logs what
> >> > event triggered the active response.
>
> >> > Here's the active response log entries
>
> >> > Wed Jun 8 21:29:18 CDT 2011 /var/ossec/active-response/bin/host-deny.sh add - <server IP> 1307586547.216909 5706
> >> > Wed Jun 8 21:29:18 CDT 2011 /var/ossec/active-response/bin/firewall-drop.sh add - <server IP> 1307586547.216909 5706
> >> > Wed Jun 8 21:39:45 CDT 2011 /var/ossec/active-response/bin/firewall-drop.sh delete - <server IP> 1307586547.216909 5706
> >> > Wed Jun 8 21:39:45 CDT 2011 /var/ossec/active-response/bin/host-deny.sh delete - <server IP> 1307586547.216909 5706
>
> >> > Based on those logs and the rule ID mentioned (5706) I found that it's
> >> > related to SSH. So this is the only thing I could find around that
> >> > time, from the IP that was blocked "<server IP>"...from /var/log/secure
>
> >> > Jun 8 21:29:03 <ossec server> sshd[7272]: Did not receive identification string from <server IP>
>
> >> There's nothing in an alerts log file that matches the above message?
>
> >> > Jun 8 21:29:24 <ossec server> sshd[7388]: refused connect from ::ffff:<server IP> (::ffff:<server IP>)
>
> >> > Looking at Rule #5706, this is Level 6, so it correctly triggered an
> >> > active response. However, I'm concerned as to why OSSEC didn't log an
> >> > alert or anything besides the active-response.
>
> >> > Thanks
> >> > - Trey
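Finding the trigger behind an active-response entry, as an added example that is not part of this thread or of OSSEC's own tooling: the sixth field of each active-response log line (1307586547.216909 in the entries quoted above) is the alert id that alerts.log prints in its "** Alert <id>:" header, so the two files can be joined on that value. The script below parses constructed samples of both files, laid out like the entries quoted in the thread, reports which alert and rule fired each block, and flags a block whose alert is missing from alerts.log, which is the situation Trey describes. The file contents, the 192.0.2.x addresses, the rule descriptions and the missing-alert entry are all constructed for the example.

```python
import re
from typing import Dict, List, Optional

# Constructed sample of /var/ossec/logs/active-responses.log, in the layout the
# thread shows: date, script, action, user, source IP, alert id, rule id.
# Addresses are RFC 5737 documentation addresses, not real hosts. The last
# entry deliberately refers to an alert id that alerts.log does not contain.
ACTIVE_RESPONSE_LOG = """\
Wed Jun 8 21:29:18 CDT 2011 /var/ossec/active-response/bin/host-deny.sh add - 192.0.2.10 1307586547.216909 5706
Wed Jun 8 21:29:18 CDT 2011 /var/ossec/active-response/bin/firewall-drop.sh add - 192.0.2.10 1307586547.216909 5706
Wed Jun 8 21:39:45 CDT 2011 /var/ossec/active-response/bin/firewall-drop.sh delete - 192.0.2.10 1307586547.216909 5706
Wed Jun 8 21:39:45 CDT 2011 /var/ossec/active-response/bin/host-deny.sh delete - 192.0.2.10 1307586547.216909 5706
Wed Jun 8 22:01:02 CDT 2011 /var/ossec/active-response/bin/firewall-drop.sh add - 192.0.2.77 1307588462.301122 5712
"""

# Constructed sample of /var/ossec/logs/alerts/alerts.log. Every alert starts
# with "** Alert <id>:" and ends at a blank line; that id is the same value the
# active-response log records as its sixth field, which is the join key.
ALERTS_LOG = """\
** Alert 1307586547.216909: - syslog,sshd,recon,
2011 Jun 08 21:29:07 (ossec-server) 192.0.2.1->/var/log/secure
Rule: 5706 (level 6) -> 'SSH insecure connection attempt (scan).'
Src IP: 192.0.2.10
Jun  8 21:29:03 ossec-server sshd[7272]: Did not receive identification string from 192.0.2.10

** Alert 1307586600.217500: - syslog,sshd,authentication_failed,
2011 Jun 08 21:30:00 (ossec-server) 192.0.2.1->/var/log/secure
Rule: 5716 (level 5) -> 'SSHD authentication failed.'
Src IP: 192.0.2.55
Jun  8 21:29:58 ossec-server sshd[7401]: Failed password for invalid user admin from 192.0.2.55 port 4022 ssh2
"""

AR_LINE = re.compile(
    r"^(?P<date>\w{3} \w{3} +\d{1,2} \d\d:\d\d:\d\d \S+ \d{4}) "
    r"(?P<script>\S+) (?P<action>add|delete) (?P<user>\S+) (?P<srcip>\S+) "
    r"(?P<alert_id>\d+\.\d+) (?P<rule_id>\d+)$"
)
ALERT_HEADER = re.compile(r"^\*\* Alert (?P<alert_id>\d+\.\d+): ")
RULE_LINE = re.compile(r"^Rule: (?P<rule_id>\d+) \(level (?P<level>\d+)\) -> '(?P<desc>.*)'$")


def parse_active_responses(text: str) -> List[Dict[str, str]]:
    """Return one dict per well-formed active-response log line."""
    return [m.groupdict() for m in (AR_LINE.match(l) for l in text.splitlines()) if m]


def parse_alerts(text: str) -> Dict[str, str]:
    """Map alert id -> full alert text (header line through the blank separator)."""
    alerts: Dict[str, List[str]] = {}
    current: Optional[str] = None
    for line in text.splitlines():
        m = ALERT_HEADER.match(line)
        if m:
            current = m.group("alert_id")
            alerts[current] = []
        if not line.strip():
            current = None          # blank line closes the current alert
            continue
        if current is not None:
            alerts[current].append(line)
    return {aid: "\n".join(lines) for aid, lines in alerts.items()}


def correlate(ar_text: str, alerts_text: str) -> List[Dict[str, object]]:
    """One record per blocking decision (the 'add' entries), joined to its alert.

    'delete' entries repeat the alert id when the block expires, so they are
    skipped; several scripts (host-deny, firewall-drop) fired by one alert
    collapse into a single record that lists every script.
    """
    alerts = parse_alerts(alerts_text)
    by_id: Dict[str, Dict[str, object]] = {}
    for e in parse_active_responses(ar_text):
        if e["action"] != "add":
            continue
        rec = by_id.get(e["alert_id"])
        if rec is None:
            alert_text = alerts.get(e["alert_id"])
            level = desc = None
            for line in (alert_text or "").splitlines():
                rm = RULE_LINE.match(line)
                if rm:
                    level, desc = int(rm.group("level")), rm.group("desc")
            rec = {"when": e["date"], "srcip": e["srcip"], "rule_id": e["rule_id"],
                   "alert_id": e["alert_id"], "scripts": [], "level": level,
                   "description": desc, "alert_text": alert_text}
            by_id[e["alert_id"]] = rec
        rec["scripts"].append(e["script"].rsplit("/", 1)[-1])
    return list(by_id.values())


if __name__ == "__main__":
    for rec in correlate(ACTIVE_RESPONSE_LOG, ALERTS_LOG):
        print(f"{rec['when']}  blocked {rec['srcip']} via {', '.join(rec['scripts'])} "
              f"(rule {rec['rule_id']}, alert {rec['alert_id']})")
        if rec["alert_text"] is None:
            print("   no matching alert in alerts.log (check rotated copies and log_alert_level)")
        else:
            print(f"   level {rec['level']}: {rec['description']}")
            print("   " + rec["alert_text"].splitlines()[-1])
```

Run against the real files by replacing the two constants with the contents of /var/ossec/logs/active-responses.log and /var/ossec/logs/alerts/alerts.log; a block that comes back with no alert text is the case worth investigating, since the active-response fired on an alert that never reached the log you are reading.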