What I basically want is that a firewall drop is executed on the host that
originates the alert, and if the alert is part of the defined groups and level 6
or higher.
Initially I had one active-response block with all agents separated by
commas in the <agent_id> field. Initially this worked, but after
recompiling for GeoIP it gave errors on the server. Now it is configured
as you see below:
<command>
  <name>firewall-drop</name>
  <executable>firewall-drop.sh</executable>
  <expect>srcip</expect>
  <timeout_allowed>yes</timeout_allowed>
</command>
<active-response>
  <command>firewall-drop</command>
  <location>defined-agent</location>
  <agent_id>005</agent_id>
  <rules_group>apache,web,appsec,attack,web,accesslog,web_scan,recon,invalid_access,automatic_attack</rules_group>
  <level>6</level>
  <timeout>600</timeout>
</active-response>
<active-response>
  <command>firewall-drop</command>
  <location>defined-agent</location>
  <agent_id>006</agent_id>
  <rules_group>apache,web,appsec,attack,web,accesslog,web_scan,recon,invalid_access,automatic_attack</rules_group>
  <level>6</level>
  <timeout>600</timeout>
</active-response>
<active-response>
  <command>firewall-drop</command>
  <location>defined-agent</location>
  <agent_id>007</agent_id>
  <rules_group>apache,web,appsec,attack,web,accesslog,web_scan,recon,invalid_access,automatic_attack</rules_group>
  <level>6</level>
  <timeout>600</timeout>
</active-response>
<active-response>
  <command>firewall-drop</command>
  <location>defined-agent</location>
  <agent_id>009</agent_id>
  <rules_group>apache,web,appsec,attack,web,accesslog,web_scan,recon,invalid_access,automatic_attack</rules_group>
  <level>6</level>
  <timeout>600</timeout>
</active-response>
<active-response>
  <command>firewall-drop</command>
  <location>defined-agent</location>
  <agent_id>012</agent_id>
  <rules_group>apache,web,appsec,attack,web,accesslog,web_scan,recon,invalid_access,automatic_attack</rules_group>
  <level>6</level>
  <timeout>600</timeout>
</active-response>
On Wednesday, 4 September 2013 18:08:50 UTC+2, dan (ddpbsd) wrote:
>
> On Wed, Sep 4, 2013 at 12:01 PM, <[email protected]> wrote:
> >
> >
> > On 1 of my servers I get an alert during testing, detected by modsecurity and
> > forwarded to ossec. This alert comes from one of the test servers and I
> > would expect that active response would be activated only on the server that
> > underwent the action; however, apparently this IP address was then blocked on
> > all the servers, while only notifying in the alerts that it had blocked
> > the IP for only 2 servers (all the clients have the same configuration
> > distributed by agent.conf):
> >
> > ** Alert 1378301036.1249820: - apache,access_denied,
> > 2013 Sep 04 15:23:56
> >
> >
> > Wed Sep 4 15:23:56 CEST 2013
> > /var/ossec/active-response/bin/firewall-drop.sh add - 172.30.6.23
> > 1378301036.1249820 30118
> >
> > How is this possible?
> >
>
> How is AR configured?
>
> > --
> >
> > ---
> > You received this message because you are subscribed to the Google Groups
> > "ossec-list" group.
> > To unsubscribe from this group and stop receiving emails from it, send an
> > email to [email protected].
> > For more options, visit https://groups.google.com/groups/opt_out.
>
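The dispatch logic behind the configuration posted above, as an added example that is not from the thread and not OSSEC's own code: a simplified Python model of how analysisd picks targets for an <active-response>, run against the poster's five defined-agent blocks and against a single `local` block for comparison. It assumes that <level> is a minimum, that <rules_group> matches when any listed group appears in the alert's groups, that `local` targets the agent that generated the event and `defined-agent` always targets its fixed <agent_id>; the alert itself is constructed to resemble the one quoted in the thread.

```python
import xml.etree.ElementTree as ET

# The poster's rules_group list, copied verbatim (the duplicate "web" is harmless here).
RULES_GROUP = ("apache,web,appsec,attack,web,accesslog,web_scan,recon,"
               "invalid_access,automatic_attack")

def build_conf(location, agent_ids):
    """Constructed ossec.conf fragment mirroring the posted blocks, one per agent id."""
    blocks = []
    for aid in agent_ids:
        agent = f"<agent_id>{aid}</agent_id>" if location == "defined-agent" else ""
        blocks.append("<active-response><command>firewall-drop</command>"
                      f"<location>{location}</location>{agent}"
                      f"<rules_group>{RULES_GROUP}</rules_group><level>6</level>"
                      "<timeout>600</timeout></active-response>")
    return "<ossec_config>" + "".join(blocks) + "</ossec_config>"

def parse_active_responses(xml_text):
    """Read every <active-response> block into a dict of the fields the model uses."""
    root = ET.fromstring(xml_text)
    return [{
        "location": ar.findtext("location"),
        "agent_id": ar.findtext("agent_id"),
        "level": int(ar.findtext("level") or 0),
        "groups": set(filter(None, (ar.findtext("rules_group") or "").split(","))),
    } for ar in root.findall("active-response")]

def targets_for_alert(responses, alert):
    """Agent ids that would run the command for one alert (assumed semantics, see lead-in)."""
    hit = set()
    for ar in responses:
        if alert["level"] < ar["level"]:
            continue                     # alert below the configured minimum level
        if ar["groups"] and not ar["groups"] & alert["groups"]:
            continue                     # no group in common with <rules_group>
        if ar["location"] == "local":
            hit.add(alert["agent_id"])   # run where the event was generated
        elif ar["location"] == "defined-agent":
            hit.add(ar["agent_id"])      # run on the fixed agent, whoever alerted
    return hit

# Constructed alert modelled on the quoted one: from agent 005, groups apache,access_denied.
ALERT = {"agent_id": "005", "level": 6, "groups": {"apache", "access_denied"}}

if __name__ == "__main__":
    defined = parse_active_responses(build_conf("defined-agent", ["005", "006", "007", "009", "012"]))
    local = parse_active_responses(build_conf("local", [None]))
    print("defined-agent blocks fire on:", sorted(targets_for_alert(defined, ALERT)))
    print("a single local block fires on:", sorted(targets_for_alert(local, ALERT)))
```

With the posted blocks every agent listed in an <agent_id> receives the drop for an alert from any one of them, which matches the behaviour described in the quoted message.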