Hello All,

I have set up a new server with OSSEC 2.6 on it running FreeBSD 9.0 64bit

I have a single agent (ID: 001) running on a Linux node (Ubuntu 12.04 LTS 
32bit 3.4 kernel)

I feed all my logs back via syslog to the central logging server that is 
the same server running OSSEC.

OSSEC is configured to monitor the log files.

AR is set up with:

  <active-response>
    <!-- Firewall Drop response. Block the IP for
       - 600 seconds on the firewall (iptables,
       - ipfilter, etc).
      -->
    <command>firewall-drop</command>
    <location>server</location>
    <level>6</level>
    <timeout>600</timeout>
  </active-response>

  <active-response>
    <!-- Firewall Drop response. Block the IP for
       - 600 seconds on the firewall (iptables,
       - ipfilter, etc).
      -->
    <command>firewall-drop</command>
    <location>all</location>
    <level>6</level>
    <timeout>600</timeout>
  </active-response>


  <active-response>
    <!-- Firewall Drop response. Block the IP for
       - 600 seconds on the firewall (iptables,
       - ipfilter, etc).
      -->
    <command>firewall-drop</command>
    <location>defined-agent</location>
    <agent_id>001</agent_id>
    <level>6</level>
    <timeout>600</timeout>
  </active-response>



I know the 'all' will not trigger on the server, but it should trigger the 
agent. That failed to work on the agent, so I added the extra agent_id 001 
to be sure.

Looking at the logs/active-responses.log on the server:

Wed Aug  1 19:41:36 UTC 2012 /usr/local/ossec-hids/active-response/bin/host-deny.sh add - 61.135.137.2 1343850096.1242729 5712
Wed Aug  1 19:41:36 UTC 2012 /usr/local/ossec-hids/active-response/bin/firewall-drop.sh add - 61.135.137.2 1343850096.1242729 5712

(more entries below and above them)

On the agent, no log entries show up. The only log entries are where I 
manually ran ./bin/agent_control to test server-to-agent communication, 
which does work:

Wed Aug  1 16:53:19 UTC 2012 /var/ossec/active-response/bin/echoalert.sh add - 9.9.9.9 (from_the_server) (no_rule_id)
Wed Aug  1 17:03:49 UTC 2012 /var/ossec/active-response/bin/echoalert.sh delete - 9.9.9.9 (from_the_server) (no_rule_id)


Anyone have any idea why the action is triggering on the server but not on 
the agents?

Basically, I have a number of frontend servers that are publicly exposed 
and do not have their own firewalls in front of them, so each one will 
need to firewall itself and should firewall based on the reports of the 
other frontends.
Best Regards,
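As an added diagnostic example (not code from the poster or from the OSSEC project), the script below does the two checks a reader of this thread would want to run on each box: it parses active-responses.log entries in the format quoted above, telling apart responses the manager pushed to an agent ("(from_the_server)") from locally fired ones, and reports which blocks are still active and how long each add/delete pair lasted, so the 600 s timeout can be confirmed. It also lints the <active-response> blocks from ossec.conf against the location values OSSEC accepts (local, server, defined-agent, all). The sample log and config fragment are constructed; the firewall-drop "delete" line is assumed, since the post shows only the "add".

```python
import os
import re
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Optional, Tuple

# One active-responses.log entry: timestamp, script path, add|delete, user,
# source IP, alert id (or "(from_the_server)"), rule id (or "(no_rule_id)").
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \w{3}\s+\d{1,2} \d\d:\d\d:\d\d \w+ \d{4}) "
    r"(?P<script>\S+) (?P<action>add|delete) (?P<user>\S+) (?P<ip>\S+) "
    r"(?P<alert_id>\S+) (?P<rule_id>\S+)$"
)

# Constructed sample: the two server entries quoted in the post, one assumed
# "delete" that the 600 s timeout would produce, and the two agent_control
# test entries quoted from the agent.
SAMPLE_LOG = """\
Wed Aug  1 19:41:36 UTC 2012 /usr/local/ossec-hids/active-response/bin/host-deny.sh add - 61.135.137.2 1343850096.1242729 5712
Wed Aug  1 19:41:36 UTC 2012 /usr/local/ossec-hids/active-response/bin/firewall-drop.sh add - 61.135.137.2 1343850096.1242729 5712
Wed Aug  1 19:51:36 UTC 2012 /usr/local/ossec-hids/active-response/bin/firewall-drop.sh delete - 61.135.137.2 1343850096.1242729 5712
Wed Aug  1 16:53:19 UTC 2012 /var/ossec/active-response/bin/echoalert.sh add - 9.9.9.9 (from_the_server) (no_rule_id)
Wed Aug  1 17:03:49 UTC 2012 /var/ossec/active-response/bin/echoalert.sh delete - 9.9.9.9 (from_the_server) (no_rule_id)
"""

# Constructed ossec.conf fragment: a valid block and one with the misspelt
# location from the post.
SAMPLE_CONF = """
  <active-response>
    <command>firewall-drop</command>
    <location>server</location>
    <level>6</level>
    <timeout>600</timeout>
  </active-response>
  <active-response>
    <command>firewall-drop</command>
    <location>defined_aget</location>
    <agent_id>001</agent_id>
    <level>6</level>
    <timeout>600</timeout>
  </active-response>
"""

# Location values OSSEC accepts inside <active-response>.
VALID_LOCATIONS = {"local", "server", "defined-agent", "all"}


@dataclass
class ArEvent:
    when: datetime
    script: str     # basename, e.g. firewall-drop.sh
    action: str     # "add" or "delete"
    ip: str
    alert_id: str   # "(from_the_server)" when the manager pushed the command
    rule_id: str


def parse_line(line: str) -> Optional[ArEvent]:
    """Parse one log line; return None for lines in another format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = re.sub(r"\s+", " ", m.group("ts"))  # collapse the day-of-month padding
    when = datetime.strptime(ts, "%a %b %d %H:%M:%S %Z %Y")
    return ArEvent(when, os.path.basename(m.group("script")), m.group("action"),
                   m.group("ip"), m.group("alert_id"), m.group("rule_id"))


def parse_log(text: str) -> List[ArEvent]:
    return [ev for ev in map(parse_line, text.splitlines()) if ev]


def pushed_from_server(events: List[ArEvent]) -> List[ArEvent]:
    """Entries the manager sent to this agent (agent_control or remote AR)."""
    return [e for e in events if e.alert_id == "(from_the_server)"]


def block_state(events: List[ArEvent]) -> Dict[Tuple[str, str], str]:
    """Per (script, ip): 'active' after an add, 'released' after a delete."""
    state: Dict[Tuple[str, str], str] = {}
    for e in sorted(events, key=lambda e: e.when):
        state[(e.script, e.ip)] = "active" if e.action == "add" else "released"
    return state


def block_durations(events: List[ArEvent]) -> Dict[Tuple[str, str], float]:
    """Seconds between each add and its matching delete, to check <timeout>."""
    opened: Dict[Tuple[str, str], datetime] = {}
    done: Dict[Tuple[str, str], float] = {}
    for e in sorted(events, key=lambda e: e.when):
        key = (e.script, e.ip)
        if e.action == "add":
            opened[key] = e.when
        elif key in opened:
            done[key] = (e.when - opened.pop(key)).total_seconds()
    return done


def check_active_responses(conf_xml: str) -> List[str]:
    """Flag <active-response> blocks whose location OSSEC would not accept."""
    root = ET.fromstring("<ossec_config>" + conf_xml + "</ossec_config>")
    problems = []
    for i, ar in enumerate(root.findall("active-response"), 1):
        loc = (ar.findtext("location") or "").strip()
        if loc not in VALID_LOCATIONS:
            problems.append(f"block {i}: unknown location '{loc}'")
        elif loc == "defined-agent" and not (ar.findtext("agent_id") or "").strip():
            problems.append(f"block {i}: defined-agent needs an <agent_id>")
    return problems


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("pushed from server:", len(pushed_from_server(evs)))
    for key, st in block_state(evs).items():
        print(key, st, block_durations(evs).get(key))
    print(check_active_responses(SAMPLE_CONF))
```

Run it against the real files by replacing SAMPLE_LOG with the contents of logs/active-responses.log on the manager and /var/ossec/logs/active-responses.log on the agent, and SAMPLE_CONF with the <active-response> section of each ossec.conf. If the agent's log shows "(from_the_server)" entries only for agent_control tests, the manager is reaching the agent but never dispatching the firewall-drop response to it, which points at the location/agent_id configuration rather than at transport.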

