Thanks for the response dan. The configs look right to me; the problem is that, per the logs, the Automated Responses are NOT going across to the agent. They are only running on the server, which is not what I need. I need the firewall to block on the agents. I put some inline notes about the config below, but it boils down to:

"server" -- according to posts I've seen, runs the command on the Management Server only
"all" -- runs on all agents and excludes the management server (the source code seems to back this up on a quick glance) -- really should be called 'all agents'
ID 001 -- this was a fallback for testing.

So I have good contact to the agent (according to agent_control manual testing run from the command line by me, not by OSSEC itself). AR inside OSSEC is only executing on the local server (as configured in the first AR block) and is ignoring the 2nd and 3rd AR blocks that say to execute the responses on the agents themselves.
On Wednesday, August 1, 2012 1:07:02 PM UTC-7, dan (ddpbsd) wrote:
> I don't see a problem with the config, it sounds like it's doing what
> you've configured it to do.
>
> On Wed, Aug 1, 2012 at 3:56 PM, cmlara <[email protected]> wrote:
> > Hello All,
> >
> > I have set up a new server with OSSEC 2.6 on it running FreeBSD 9.0 64bit
> >
> > I have a single agent (ID: 001) running on a Linux node (Ubuntu 12.04 LTS 32bit, 3.4 kernel)
> >
> > I feed all my logs back via syslog to the central logging server, which is the same server running ossec.
> >
> > OSSEC is configured to monitor the log files
> >
> > AR is set up with:
> >
> > <active-response>
> > <!-- Firewall Drop response. Block the IP for
> > - 600 seconds on the firewall (iptables,
> > - ipfilter, etc).
> > -->
> > <command>firewall-drop</command>
> > <location>server</location>
> > <level>6</level>
> > <timeout>600</timeout>
> > </active-response>
> >
>
> Ok, so everything at level 6+ gets triggered above. Everything.
>
> > <active-response>
> > <!-- Firewall Drop response. Block the IP for
> > - 600 seconds on the firewall (iptables,
> > - ipfilter, etc).
> > -->
> > <command>firewall-drop</command>
> > <location>all</location>
> > <level>6</level>
> > <timeout>600</timeout>
> > </active-response>
> >
>
> We don't get to this one, everything level 6+ is handled in the previous AR.
>

Actually the previous one only runs the processing on the management server. This one runs 'all', which actually excludes the server according to other web posts and the source code. It really should be called 'all agents'.

> > <active-response>
> > <!-- Firewall Drop response. Block the IP for
> > - 600 seconds on the firewall (iptables,
> > - ipfilter, etc).
> > -->
> > <command>firewall-drop</command>
> > <location>defined_aget</location>
> > <agent_id>001</agent_id>
> > <level>6</level>
> > <timeout>600</timeout>
> > </active-response>
> >
>
> We don't worry about this one either, everything this one handles is taken care of in the first AR block.
>

Agreed, this is a last-ditch effort to see if 'all' is broken as well.

> >
> > I know the 'all' will not trigger on the server but it should trigger the agent. That failed to work on the agent so I added the extra agent_id 001 to be sure.
> >
> > Looking at the logs/active-responses.log on the server:
> >
> > Wed Aug 1 19:41:36 UTC 2012 /usr/local/ossec-hids/active-response/bin/host-deny.sh add - 61.135.137.2 1343850096.1242729 5712
> > Wed Aug 1 19:41:36 UTC 2012 /usr/local/ossec-hids/active-response/bin/firewall-drop.sh add - 61.135.137.2 1343850096.1242729 5712
> >
> > (more entries below and above them)
> >
> > On the Agent, no log entries show up. The only log entries are where I manually ran ./bin/agent_control to test server-to-agent communications, which does work:
> >
> > Wed Aug 1 16:53:19 UTC 2012 /var/ossec/active-response/bin/echoalert.sh add - 9.9.9.9 (from_the_server) (no_rule_id)
> > Wed Aug 1 17:03:49 UTC 2012 /var/ossec/active-response/bin/echoalert.sh delete - 9.9.9.9 (from_the_server) (no_rule_id)
> >
> > Anyone have any idea why the action is triggering on the server but not on the agents?
> >
> > Basically, I have a number of frontend servers which are publicly exposed and do not have their own firewalls in front of them, so each one will need to firewall itself and should firewall based on the reports of the other frontends.
> >
> > Best Regards,
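As an added example (not code from this thread or from the OSSEC project), the script below does the two checks a defender would want when responses run on the manager but not on the agents. First it lints the <active-response> blocks for the location keywords OSSEC accepts (local, server, defined-agent, all), which flags the defined_aget value in the third block above as unknown. Second it parses active-responses.log from the manager and from an agent in the line layout shown above and lists the IPs that firewall-drop.sh added on the manager but never added on the agent. The config fragment and log lines are constructed inline; the 61.135.137.2 and 9.9.9.9 entries follow the thread and the 203.0.113.45 entries are made up to show a block that did reach the agent.

```python
"""Two defender-side checks for the OSSEC active-response problem above.

Added example, not code from the thread or the OSSEC project.
1. lint_active_responses(): validate <location> keywords in ossec.conf.
2. missing_on_agent(): reconcile active-responses.log between manager and agent.
"""
import ipaddress
import re
import xml.etree.ElementTree as ET

# Location keywords OSSEC accepts inside <active-response>.
VALID_LOCATIONS = {"local", "server", "defined-agent", "all"}

# Constructed ossec.conf fragment mirroring the thread's three blocks; the
# third block keeps the misspelled location so the lint has something to catch.
SAMPLE_CONF = """<ossec_config>
  <active-response>
    <!-- Firewall Drop response. Block the IP for 600 seconds. -->
    <command>firewall-drop</command>
    <location>server</location>
    <level>6</level>
    <timeout>600</timeout>
  </active-response>
  <active-response>
    <command>firewall-drop</command>
    <location>all</location>
    <level>6</level>
    <timeout>600</timeout>
  </active-response>
  <active-response>
    <command>firewall-drop</command>
    <location>defined_aget</location>
    <agent_id>001</agent_id>
    <level>6</level>
    <timeout>600</timeout>
  </active-response>
</ossec_config>"""


def lint_active_responses(conf_xml):
    """Return (block_number, problem) pairs for each <active-response> block."""
    problems = []
    root = ET.fromstring(conf_xml)
    for n, ar in enumerate(root.iter("active-response"), start=1):
        location = (ar.findtext("location") or "").strip()
        if location not in VALID_LOCATIONS:
            problems.append((n, "unknown location '%s'" % location))
        if location == "defined-agent" and ar.findtext("agent_id") is None:
            problems.append((n, "defined-agent without <agent_id>"))
        if ar.findtext("command") is None:
            problems.append((n, "missing <command>"))
    return problems


# Line layout written by the stock AR scripts, as seen in the thread:
# <date, 6 tokens> <script> <add|delete> <user> <srcip> [<alert id>] [<rule id>]
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2} \w+ \d{4}) "
    r"(?P<script>\S+) (?P<action>add|delete) (?P<user>\S+) (?P<srcip>\S+)"
    r"(?: (?P<alert_id>\S+))?(?: (?P<rule_id>\S+))?$"
)

# Constructed logs: 61.135.137.2 and 9.9.9.9 lines follow the thread,
# the 203.0.113.45 lines are made up to show a block that did reach the agent.
MANAGER_LOG = """
Wed Aug 1 19:41:36 UTC 2012 /usr/local/ossec-hids/active-response/bin/host-deny.sh add - 61.135.137.2 1343850096.1242729 5712
Wed Aug 1 19:41:36 UTC 2012 /usr/local/ossec-hids/active-response/bin/firewall-drop.sh add - 61.135.137.2 1343850096.1242729 5712
Wed Aug 1 19:45:02 UTC 2012 /usr/local/ossec-hids/active-response/bin/firewall-drop.sh add - 203.0.113.45 1343850302.1250011 5712
"""

AGENT_LOG = """
Wed Aug 1 16:53:19 UTC 2012 /var/ossec/active-response/bin/echoalert.sh add - 9.9.9.9 (from_the_server) (no_rule_id)
Wed Aug 1 17:03:49 UTC 2012 /var/ossec/active-response/bin/echoalert.sh delete - 9.9.9.9 (from_the_server) (no_rule_id)
Wed Aug 1 19:45:03 UTC 2012 /var/ossec/active-response/bin/firewall-drop.sh add - 203.0.113.45 1343850302.1250011 5712
"""


def parse_ar_log(text):
    """Parse active-responses.log text into a list of field dicts; skip junk."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events


def dropped_ips(events, script_name="firewall-drop.sh"):
    """IPs for which the named script ran with action 'add'."""
    return {e["srcip"] for e in events
            if e["script"].endswith("/" + script_name) and e["action"] == "add"}


def missing_on_agent(manager_log, agent_log, script_name="firewall-drop.sh"):
    """IPs blocked on the manager whose block never executed on the agent."""
    on_manager = dropped_ips(parse_ar_log(manager_log), script_name)
    on_agent = dropped_ips(parse_ar_log(agent_log), script_name)
    return sorted(on_manager - on_agent, key=ipaddress.ip_address)


if __name__ == "__main__":
    for n, problem in lint_active_responses(SAMPLE_CONF):
        print("active-response block %d: %s" % (n, problem))
    for ip in missing_on_agent(MANAGER_LOG, AGENT_LOG):
        print("blocked on manager only:", ip)
```

Run it against the real files (ossec.conf on the manager, active-responses.log copied from the manager and from each agent) to get a per-agent list of blocks that never executed; an empty list on every agent is the condition the thread is trying to reach.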
