How can I debug why the active response is failing for a rule with level 9
and active response is set to level 8?
Both the alert and ossec-logtest show the rule is triggering as expected
and yet no firewall-drop.sh is triggered on the agent (remote) server.
** Alert 1344845403.1519353: mail - syslog,proftpd,
2012 Aug 13 01:10:03 (web) 10.84.168.18->/hsphere/local/var/proftpd/auth.log
Rule: 11204 (level 9) -> 'Login failed accessing the FTP server'
Aug 13 01:10:02 68.111.178.4 proftpd[30057] INFO: Login incorrect. PASS (hidden)
ossec-testrule: Type one log per line.
Aug 13 01:10:02 68.111.178.4 proftpd[30057] INFO: Login incorrect. PASS (hidden)
**Phase 1: Completed pre-decoding.
full event: 'Aug 13 01:10:02 68.111.178.4 proftpd[30057] INFO: Login incorrect. PASS (hidden)'
hostname: '68.111.178.4'
program_name: 'proftpd'
log: 'INFO: Login incorrect. PASS (hidden)'
**Phase 2: Completed decoding.
decoder: 'proftpd'
**Rule debugging:
Trying rule: 1 - Generic template for all syslog rules.
*Rule 1 matched.
*Trying child rules.
Trying rule: 5500 - Grouping of the pam_unix rules.
Trying rule: 5700 - SSHD messages grouped.
Trying rule: 5600 - Grouping for the telnetd rules
Trying rule: 2100 - NFS rules grouped.
Trying rule: 2507 - OpenLDAP group.
Trying rule: 2550 - rshd messages grouped.
Trying rule: 2701 - Ignoring procmail messages.
Trying rule: 2800 - Pre-match rule for smartd.
Trying rule: 5100 - Pre-match rule for kernel messages
Trying rule: 5200 - Ignoring hpiod for producing useless logs.
Trying rule: 2830 - Crontab rule group.
Trying rule: 5300 - Initial grouping for su messages.
Trying rule: 5400 - Initial group for sudo messages
Trying rule: 9100 - PPTPD messages grouped
Trying rule: 9200 - Squid syslog messages grouped
Trying rule: 2900 - Dpkg (Debian Package) log.
Trying rule: 2930 - Yum logs.
Trying rule: 2931 - Yum logs.
Trying rule: 7200 - Grouping of the arpwatch rules.
Trying rule: 7300 - Grouping of Symantec AV rules.
Trying rule: 7400 - Grouping of Symantec Web Security rules.
Trying rule: 4300 - Grouping of PIX rules
Trying rule: 12100 - Grouping of the named rules
Trying rule: 13100 - Grouping for the smbd rules.
Trying rule: 13106 - (null)
Trying rule: 11400 - Grouping for the vsftpd rules.
Trying rule: 11300 - Grouping for the pure-ftpd rules.
Trying rule: 11200 - Grouping for the proftpd rules.
*Rule 11200 matched.
*Trying child rules.
Trying rule: 11202 - FTP session closed.
Trying rule: 11221 - IPv6 error and mod-delay info (ignored).
Trying rule: 11209 - Attempt to bypass firewall that can't adequately keep state of FTP traffic.
Trying rule: 11218 - FTP process crashed.
Trying rule: 11219 - FTP server Buffer overflow attempt.
Trying rule: 11210 - Multiple failed login attempts.
Trying rule: 11204 - Login failed accessing the FTP server
*Rule 11204 matched.
*Trying child rules.
Trying rule: 40111 - Multiple authentication failures.
**Phase 3: Completed filtering (rules).
Rule id: '11204'
Level: '9'
Description: 'Login failed accessing the FTP server'
**Alert to be generated.
server ossec.conf
<active-response>
  <disabled>no</disabled>
  <command>firewall-drop</command>
  <!-- local means on the server that had the event; e.g., lan.web.truepath.com -->
  <location>local</location>
  <level>8</level>
  <timeout>600</timeout>
</active-response>
agent ossec.conf
<!-- block 1 hr, 1 day, 1 week on repeated offenses -->
<active-response>
  <repeated_offenders>60,1440,10080</repeated_offenders>
</active-response>
Any hints?
--
Gil Vidals
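An added example, not part of Gil's post: a small sh script that applies, to ossec-logtest output, the checks ossec-analysisd makes before it hands an alert to an active-response command, and that exercises the response script directly on the agent. Two things in the logtest output quoted above are worth separating: Phase 3 reports level 9, which clears the level 8 threshold, but Phase 2 lists only decoder: 'proftpd' and no srcip: line. The stock firewall-drop command definition carries <expect>srcip</expect>, and analysisd does not run a command whose expected field the decoder did not extract, so the level alone does not decide whether firewall-drop.sh is called. The script assumes that stock command definition, the default /var/ossec prefix, and the argument order (action, user, srcip, alert id, rule id) that execd uses when it invokes the script; both logtest samples are constructed, the first copied from the thread and the second with a srcip line added to show the contrast.

```shell
#!/bin/sh
# Added example, not from the original post: apply the checks that
# ossec-analysisd makes before running an active-response command to
# ossec-logtest output, then exercise the script itself on the agent.
# Assumptions: stock firewall-drop command definition (<expect>srcip</expect>),
# default prefix /var/ossec, and execd's argument order for the script.

OSSEC_DIR=${OSSEC_DIR:-/var/ossec}

# Server side: run ossec-logtest on a single log line and return its output.
logtest_line() {
    printf '%s\n' "$1" | "$OSSEC_DIR/bin/ossec-logtest" 2>&1
}

# Pull one quoted field out of logtest output, e.g. Level -> 9. An empty
# result for a decoder field (srcip, dstuser, ...) means it was not extracted.
logtest_field() {
    printf '%s\n' "$1" | sed -n "s/^ *$2: '\([^']*\)'.*/\1/p" | head -n 1
}

# Would a response bound at level $2 that expects field $3 run for the
# logtest output in $1? Prints the verdict; exit status 0 means yes.
ar_would_fire() {
    out=$1; min_level=$2; expect=$3
    if ! printf '%s\n' "$out" | grep -q '^\*\*Alert to be generated'; then
        echo "no: no alert generated"; return 1
    fi
    level=$(logtest_field "$out" Level)
    if [ -z "$level" ] || [ "$level" -lt "$min_level" ]; then
        echo "no: level ${level:-?} below ${min_level}"; return 1
    fi
    if [ -n "$expect" ] && [ -z "$(logtest_field "$out" "$expect")" ]; then
        echo "no: decoder extracted no ${expect}, command is skipped"; return 1
    fi
    echo "yes: level ${level}, ${expect:-no field} present"; return 0
}

# Agent side: call the script the way execd does (action, user, srcip,
# alert id, rule id) and show what it logged. Run as root on the agent.
ar_manual_test() {
    "$OSSEC_DIR/active-response/bin/firewall-drop.sh" add - "$1" 1344845403.1519353 11204
    tail -n 3 "$OSSEC_DIR/logs/active-responses.log"
}

# Constructed sample 1: Phase 2/3 of the logtest run quoted in the thread;
# the proftpd decoder matched but printed no srcip line.
NO_SRCIP=$(cat <<'EOF'
**Phase 2: Completed decoding.
       decoder: 'proftpd'
**Phase 3: Completed filtering (rules).
       Rule id: '11204'
       Level: '9'
       Description: 'Login failed accessing the FTP server'
**Alert to be generated.
EOF
)

# Constructed sample 2: the same alert as a decoder that parses the client
# address would print it, with a srcip line added.
WITH_SRCIP=$(cat <<'EOF'
**Phase 2: Completed decoding.
       decoder: 'proftpd'
       srcip: '68.111.178.4'
**Phase 3: Completed filtering (rules).
       Rule id: '11204'
       Level: '9'
       Description: 'Login failed accessing the FTP server'
**Alert to be generated.
EOF
)

ar_would_fire "$NO_SRCIP" 8 srcip || :
ar_would_fire "$WITH_SRCIP" 8 srcip || :
```

Run as-is on the server to see the two verdicts; feed the raw proftpd line to logtest_line and pass its output to ar_would_fire to check a live install. On the agent, ar_manual_test run as root confirms that firewall-drop.sh itself works and writes to active-responses.log independently of anything the server sends; if the agent's own ossec.conf has <disabled>yes</disabled> under <active-response>, nothing the server sends will run there either.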