My use case for OSSEC has excluded active response from the beginning. In
managing our rollout to servers that are supported by other parts of the
organization, I wanted to strictly let OSSEC be a tool in our detection
processes. Last night I had Active Response rules fire on four production
web servers based on a local rule. Copy of active-responses.log from one
server:
Tue Sep 24 19:18:01 CDT 2013 /var/ossec/active-response/bin/host-deny.sh add - xx.xx.255.91 1380067966.11411291 100300
Tue Sep 24 19:18:01 CDT 2013 /var/ossec/active-response/bin/firewall-drop.sh add - xx.xx.255.91 1380067966.11411291 100300
Tue Sep 24 19:28:31 CDT 2013 /var/ossec/active-response/bin/host-deny.sh delete - xx.xx.255.91 1380067966.11411291 100300
Tue Sep 24 19:28:31 CDT 2013 /var/ossec/active-response/bin/firewall-drop.sh delete - xx.xx.255.91 1380067966.11411291 100300
Tue Sep 24 19:48:00 CDT 2013 /var/ossec/active-response/bin/host-deny.sh add - xx.xx.255.91 1380069765.11921039 100300
Tue Sep 24 19:48:00 CDT 2013 /var/ossec/active-response/bin/firewall-drop.sh add - xx.xx.255.91 1380069765.11921039 100300
Tue Sep 24 19:58:30 CDT 2013 /var/ossec/active-response/bin/host-deny.sh delete - xx.xx.255.91 1380069765.11921039 100300
Tue Sep 24 19:58:30 CDT 2013 /var/ossec/active-response/bin/firewall-drop.sh delete - xx.xx.255.91 1380069765.11921039 100300
Tue Sep 24 20:13:49 CDT 2013 /var/ossec/active-response/bin/host-deny.sh add - xx.xx.255.91 1380071313.12357928 100300
Tue Sep 24 20:13:49 CDT 2013 /var/ossec/active-response/bin/firewall-drop.sh add - xx.xx.255.91 1380071313.12357928 100300
Tue Sep 24 20:24:19 CDT 2013 /var/ossec/active-response/bin/host-deny.sh delete - xx.xx.255.91 1380071313.12357928 100300
Tue Sep 24 20:24:19 CDT 2013 /var/ossec/active-response/bin/firewall-drop.sh delete - xx.xx.255.91 1380071313.12357928 100300
Tue Sep 24 20:43:47 CDT 2013 /var/ossec/active-response/bin/host-deny.sh add - xx.xx.255.91 1380073112.12876411 100300
Tue Sep 24 20:43:47 CDT 2013 /var/ossec/active-response/bin/firewall-drop.sh add - xx.xx.255.91 1380073112.12876411 100300
Tue Sep 24 20:54:17 CDT 2013 /var/ossec/active-response/bin/host-deny.sh delete - xx.xx.255.91 1380073112.12876411 100300
Tue Sep 24 20:54:17 CDT 2013 /var/ossec/active-response/bin/firewall-drop.sh delete - xx.xx.255.91 1380073112.12876411 100300
Tue Sep 24 21:02:49 CDT 2013 /var/ossec/active-response/bin/host-deny.sh add - xx.xx.50.89 1380074254.13146850 100300
Tue Sep 24 21:02:49 CDT 2013 /var/ossec/active-response/bin/firewall-drop.sh add - xx.xx.50.89 1380074254.13146850 100300
Tue Sep 24 21:04:00 CDT 2013 /var/ossec/active-response/bin/host-deny.sh delete - xx.xx.50.89 1380074254.13146850 100300
Tue Sep 24 21:04:00 CDT 2013 /var/ossec/active-response/bin/firewall-drop.sh delete - xx.xx.50.89 1380074254.13146850 100300
My issue is that the Active Response Config section of ossec.conf on the
manager server is commented out. This was intentional as I don't want AR
firing at all:
<!--
<!-- Active Response Config -->
<active-response>
<!-- This response is going to execute the host-deny
- command for every event that fires a rule with
- level (severity) >= 6.
- The IP is going to be blocked for 600 seconds.
-->
<command>host-deny</command>
<location>local</location>
<level>6</level>
<timeout>600</timeout>
</active-response>
<active-response>
<!-- Firewall Drop response. Block the IP for
- 600 seconds on the firewall (iptables,
- ipfilter, etc).
-->
<command>firewall-drop</command>
<location>local</location>
<level>6</level>
<timeout>600</timeout>
</active-response>
-->
Any ideas on what might have happened here? My immediate remediation is to
remove all of the active response scripts to prevent unintentional
operation.
Blake
--
You received this message because you are subscribed to the Google Groups
"ossec-list" group.
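The active-responses.log excerpt in the post is the raw evidence of what execd did. The following is an added example, not part of Blake's post and not OSSEC code, that parses that log format, pairs each `add` with the `delete` that carries the same script, source IP and alert id, and summarises which rule ids fired and how long each block was held. The sample lines are copied from the post (the first and the last block of the night, with the redacted IPs left as they appear); the local-rule id range 100000-119999 is the range OSSEC reserves for user-defined rules; all function and variable names are the example's own.

```python
"""Triage an OSSEC active-responses.log excerpt: pair add/delete entries and summarise."""
import re
from collections import Counter
from datetime import datetime

# Sample lines, copied from the post above (first and last block of the night).
SAMPLE_LOG = [
    "Tue Sep 24 19:18:01 CDT 2013 /var/ossec/active-response/bin/host-deny.sh add - xx.xx.255.91 1380067966.11411291 100300",
    "Tue Sep 24 19:18:01 CDT 2013 /var/ossec/active-response/bin/firewall-drop.sh add - xx.xx.255.91 1380067966.11411291 100300",
    "Tue Sep 24 19:28:31 CDT 2013 /var/ossec/active-response/bin/host-deny.sh delete - xx.xx.255.91 1380067966.11411291 100300",
    "Tue Sep 24 19:28:31 CDT 2013 /var/ossec/active-response/bin/firewall-drop.sh delete - xx.xx.255.91 1380067966.11411291 100300",
    "Tue Sep 24 21:02:49 CDT 2013 /var/ossec/active-response/bin/host-deny.sh add - xx.xx.50.89 1380074254.13146850 100300",
    "Tue Sep 24 21:02:49 CDT 2013 /var/ossec/active-response/bin/firewall-drop.sh add - xx.xx.50.89 1380074254.13146850 100300",
    "Tue Sep 24 21:04:00 CDT 2013 /var/ossec/active-response/bin/host-deny.sh delete - xx.xx.50.89 1380074254.13146850 100300",
    "Tue Sep 24 21:04:00 CDT 2013 /var/ossec/active-response/bin/firewall-drop.sh delete - xx.xx.50.89 1380074254.13146850 100300",
]

# Field order in the log: timestamp, script, action, user, source IP, alert id, rule id.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ (?P<year>\d{4}) "
    r"(?P<script>\S+) (?P<action>add|delete) (?P<user>\S+) (?P<ip>\S+) "
    r"(?P<alert>\d+\.\d+) (?P<rule>\d+)$"
)

# OSSEC reserves this id range for user-defined (local_rules.xml) rules.
LOCAL_RULE_RANGE = range(100000, 120000)


def parse_line(line):
    """Return a dict for one log entry, or None if the line is not an AR entry."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    when = datetime.strptime(f"{m['ts']} {m['year']}", "%a %b %d %H:%M:%S %Y")
    return {
        "when": when,
        "script": m["script"].rsplit("/", 1)[-1],
        "action": m["action"],
        "ip": m["ip"],
        "alert": m["alert"],
        "rule": int(m["rule"]),
    }


def pair_blocks(lines):
    """Match every 'add' with the 'delete' that carries the same script, IP and alert id.
    Returns one record per add; 'duration' is in seconds, or None if never released."""
    open_blocks, records = {}, []
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            continue
        key = (entry["script"], entry["ip"], entry["alert"])
        if entry["action"] == "add":
            record = dict(entry, released=None, duration=None)
            open_blocks[key] = record
            records.append(record)
        elif key in open_blocks:
            record = open_blocks.pop(key)
            record["released"] = entry["when"]
            record["duration"] = int((entry["when"] - record["when"]).total_seconds())
    return records


def summarise(records):
    """Counts per rule id, which of those are local rules, and the observed block lengths."""
    by_rule = Counter(r["rule"] for r in records)
    return {
        "blocks": len(records),
        "still_open": sum(r["released"] is None for r in records),
        "rules": dict(by_rule),
        "local_rules": sorted(r for r in by_rule if r in LOCAL_RULE_RANGE),
        "durations": sorted({r["duration"] for r in records if r["duration"] is not None}),
    }


if __name__ == "__main__":
    for r in pair_blocks(SAMPLE_LOG):
        print(f"{r['when']:%H:%M:%S} {r['script']:<17} {r['ip']:<14} rule {r['rule']} "
              f"held {r['duration']}s")
    print(summarise(pair_blocks(SAMPLE_LOG)))
```

Run against the full excerpt the summary shows a single rule id, 100300, which falls in the local range, and the block lengths actually observed; comparing those against the `<timeout>` in the config is the quickest way to tell which active-response stanza produced them.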
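One thing worth checking in an ossec.conf fragment like the one in the post is whether the comments nest, because XML comments cannot: a reader closes a comment at the first `-->` it meets, so an inner `<!-- ... -->` ends the outer comment early and everything after it is parsed as live configuration. The following is an added example, not from the post and not OSSEC code, that scans a config fragment that way and reports, by line number, any `<!--` that sits inside an open comment, any stray `-->`, and any `<active-response>` element left outside a comment. It assumes the manager's configuration reader closes comments at the first `-->` as a conforming XML parser must; that assumption about OSSEC's own parser is not verified here. The broken fragment is copied from the post; the fixed variant and all function names are the example's own.

```python
"""Audit an ossec.conf fragment for XML comments that do not nest the way the author meant.
A scanner closes each comment at the first '-->', so an inner comment ends the outer one
early.  That the OSSEC manager reads its config this way is an assumption, not verified."""
import re

# Copied from the post: the block the author believed was commented out.
CONFIG_BROKEN = """<!--
<!-- Active Response Config -->
<active-response>
  <!-- This response is going to execute the host-deny
       - command for every event that fires a rule with
       - level (severity) >= 6.
       - The IP is going to be blocked for 600 seconds.
  -->
  <command>host-deny</command>
  <location>local</location>
  <level>6</level>
  <timeout>600</timeout>
</active-response>
<active-response>
  <!-- Firewall Drop response. Block the IP for
       - 600 seconds on the firewall (iptables,
       - ipfilter, etc).
  -->
  <command>firewall-drop</command>
  <location>local</location>
  <level>6</level>
  <timeout>600</timeout>
</active-response>
-->"""

# Constructed here: the same stanzas with the inner comments removed, so the single
# outer comment really does cover both elements.
CONFIG_FIXED = """<!--
<active-response>
  <command>host-deny</command>
  <location>local</location>
  <level>6</level>
  <timeout>600</timeout>
</active-response>
<active-response>
  <command>firewall-drop</command>
  <location>local</location>
  <level>6</level>
  <timeout>600</timeout>
</active-response>
-->"""


def comment_spans(text):
    """(start, end) offsets of each comment, closed at the first '-->' after its '<!--'."""
    spans, pos = [], 0
    while (start := text.find("<!--", pos)) >= 0:
        end = text.find("-->", start + 4)
        if end < 0:                      # unterminated comment runs to end of file
            spans.append((start, len(text)))
            break
        spans.append((start, end + 3))
        pos = end + 3
    return spans


def _line(text, offset):
    """1-based line number of a character offset."""
    return text.count("\n", 0, offset) + 1


def _in_comment(spans, offset):
    return any(s <= offset < e for s, e in spans)


def audit(text, tag="active-response"):
    """Report nested comment openers, stray closers and live <tag> elements by line."""
    spans = comment_spans(text)
    nested, stray, live = [], [], []
    for s, e in spans:
        # the body of the comment, excluding its own '<!--' and '-->'
        inner = text[s + 4:e - 3] if text.endswith("-->", s, e) else text[s + 4:e]
        k = inner.find("<!--")
        if k >= 0:
            nested.append(_line(text, s + 4 + k))
    for m in re.finditer(r"-->", text):
        if not _in_comment(spans, m.start()):
            stray.append(_line(text, m.start()))
    for m in re.finditer(rf"<{tag}\b", text):
        if not _in_comment(spans, m.start()):
            live.append(_line(text, m.start()))
    return {"nested_openers": nested, "stray_closers": stray, "live": live}


if __name__ == "__main__":
    print("broken:", audit(CONFIG_BROKEN))
    print("fixed: ", audit(CONFIG_FIXED))
```

For the fragment from the post the audit flags the opener on its second line, the closer on its last line, and both `<active-response>` elements as live. A less fragile way to turn the feature off than commenting stanzas out is OSSEC's own documented switch, `<disabled>yes</disabled>` inside an `<active-response>` block, which does not depend on comment placement at all.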