Hey Dan, I took your advice and created a CDB with over 10k IPs and then I
added one of my local IPs to test for an alert. However, the alert does not
fire when one of my local hosts tries to connect or when I change the
blacklists file. I am running tcpdump and I can see the host trying to
connect, but nothing in the alert.log. The active response log is still at
0 as well. What am I doing wrong?
Blacklist format for CDB:
IP1: 192.168.1.8
IP2: 10.10.1.200
etc
In ossec.conf I have
<rules>
...
<list>lists/blacklist.txt</list>
<include>local_rules.xml</include>
</rules>
I added this to execute ossec-makelist when the blacklist changes. I do
not believe it worked because I ran it manually and it showed an update
was needed
<command>
<name>makelists</name>
<executable>makelists.sh</executable>
<expect></expect>
</command>
<active-response>
<disabled>no</disabled>
<command>makelists</command>
<location>server</location>
<rules_id>105001</rules_id>
</active-response>
Here is my blacklist file with the new CDB created from Makelists
[root@RHEL6-4 lists]# ls -la
total 712
drwxr-xr-x. 2 ossec ossec 4096 Mar 6 22:03 .
dr-xr-x---. 15 root ossec 4096 Mar 6 16:49 ..
-rw-r--r--. 1 ossec ossec 239574 Mar 6 22:03 blacklist.txt
-rw-r--r--. 1 ossec ossec 478742 Mar 6 17:09 blacklist.txt.cdb
My local_rules.xml addition for the alert
<rule id="101003" level="0" noalert="1">
<decoded_as>unbound</decoded_as>
<description>Grouping for unbound.</description>
</rule>
<rule id="101004" level="10">
<if_sid>101003</if_sid>
<list field="srcip" lookup="address_match_key">lists/blacklist.txt.cdb</list>
<description>DNS query on a potentially malicious domain.</description>
</rule>
<rule id="101005" level="10">
<if_sid>550</if_sid>
<match>/var/ossec/lists/blacklist.txt</match>
<description>blacklist.txt has been modified</description>
</rule>
On Tuesday, March 5, 2013 5:45:10 PM UTC-6, dan (ddpbsd) wrote:
> On Mon, Mar 4, 2013 at 4:45 PM, TWAD <[email protected]> wrote:
> > Hey everybody,
> > I have a task that I'm struggling with; could you help?
> >
> > Task: I need to have a blacklist capability on all of my agents (to alert, not block)
> >
>
> Alerts are only created by the server, not the agents.
>
> > Issue 1: The blacklist contains over 700 IPs (currently) so creating a rule for each would (to me) seem taxing on the agent and server
> >
>
> Using a cdb seems like a decent option. I had a cdb of over 100k
> domains at one point.
>
> > Issue 2: The white list will contain over 200 IPs or 10 domains/subnets
> >
> > Questions:
> >
> > Should I use a white list instead of the blacklist?
> > Has anybody on this list done this?
> > What is the most practical method?
> >
> > Research:
> >
> > I found an excellent example written by Anthony Kasza (anthonykasza.webs.com/docs/honeyports.pdf) but none of my agents will be running nc.
> > I looked on this list and other great resources but do not have a good answer
> >
> > Thank you in advance for your time!
> >
> > --
> >
> > ---
> > You received this message because you are subscribed to the Google Groups "ossec-list" group.
> > To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
> > For more options, visit https://groups.google.com/groups/opt_out.
> >
> >
>
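An added check script (not from this thread or the OSSEC project) for the two things worth verifying in the setup described above: OSSEC's CDB source format is "key:value" and an address_match_key lookup compares srcip against the key, so the IP has to be left of the colon; and the rules only see what ossec-makelists last compiled into the .cdb, so a blacklist.txt newer than blacklist.txt.cdb (as in the ls -la listing) means the rebuild did not happen. It assumes the default /var/ossec layout and the ossec-makelists binary; the sample lines in the comments are constructed.

```shell
#!/bin/sh
# Constructed example: sanity checks for an OSSEC CDB list. Assumes the
# default /var/ossec layout; override with BLACKLIST=/path/to/list.txt.

# OSSEC CDB source files are "key:value" per line. With
# lookup="address_match_key" the srcip is compared against the KEY, so
# "192.168.1.8:blacklisted" matches while "IP1: 192.168.1.8" never will.
# Prints each offending line to stderr; returns 0 only if all keys are IPv4.
check_blacklist_format() {
    _bad=0
    while IFS= read -r _line || [ -n "$_line" ]; do
        case "$_line" in
            ''|'#'*) continue ;;   # skip blank lines and comments
        esac
        _key=$(printf '%s' "${_line%%:*}" | tr -d ' \t')
        if ! printf '%s\n' "$_key" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$'; then
            printf 'not an IPv4 key: %s\n' "$_line" >&2
            _bad=1
        fi
    done < "$1"
    return $_bad
}

# The compiled list is <source>.cdb and is only rebuilt by ossec-makelists.
# A .cdb older than its .txt means rules still match the previous contents.
# Returns 0 when the .cdb exists and is at least as new as the source.
cdb_is_current() {
    [ -f "$1.cdb" ] || return 1
    [ "$1" -nt "$1.cdb" ] && return 1
    return 0
}

BLACKLIST=${BLACKLIST:-/var/ossec/lists/blacklist.txt}
if [ -f "$BLACKLIST" ]; then
    check_blacklist_format "$BLACKLIST" || echo "fix the entries listed above" >&2
    cdb_is_current "$BLACKLIST" || echo "stale or missing .cdb: run /var/ossec/bin/ossec-makelists" >&2
fi
```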