What does your agent's ossec.conf active response set to? Disabled?
From: [email protected] [mailto:[email protected]] On Behalf Of Blake Johnson
Sent: Wednesday, September 25, 2013 2:35 PM
To: [email protected]
Subject: [ossec-list] Unintended Active Response
My use case for OSSEC has excluded active response from the beginning. In
managing our roll out to servers that are supported by other parts of the
organization I wanted to strictly let OSSEC be a tool in our detection
processes. Last night I had Active Response rules fire on four production web
servers based on a local rule. Copy of active-responses.log from one server:
Tue Sep 24 19:18:01 CDT 2013 /var/ossec/active-response/bin/host-deny.sh add - xx.xx.255.91 1380067966.11411291 100300
Tue Sep 24 19:18:01 CDT 2013 /var/ossec/active-response/bin/firewall-drop.sh add - xx.xx.255.91 1380067966.11411291 100300
Tue Sep 24 19:28:31 CDT 2013 /var/ossec/active-response/bin/host-deny.sh delete - xx.xx.255.91 1380067966.11411291 100300
Tue Sep 24 19:28:31 CDT 2013 /var/ossec/active-response/bin/firewall-drop.sh delete - xx.xx.255.91 1380067966.11411291 100300
Tue Sep 24 19:48:00 CDT 2013 /var/ossec/active-response/bin/host-deny.sh add - xx.xx.255.91 1380069765.11921039 100300
Tue Sep 24 19:48:00 CDT 2013 /var/ossec/active-response/bin/firewall-drop.sh add - xx.xx.255.91 1380069765.11921039 100300
Tue Sep 24 19:58:30 CDT 2013 /var/ossec/active-response/bin/host-deny.sh delete - xx.xx.255.91 1380069765.11921039 100300
Tue Sep 24 19:58:30 CDT 2013 /var/ossec/active-response/bin/firewall-drop.sh delete - xx.xx.255.91 1380069765.11921039 100300
Tue Sep 24 20:13:49 CDT 2013 /var/ossec/active-response/bin/host-deny.sh add - xx.xx.255.91 1380071313.12357928 100300
Tue Sep 24 20:13:49 CDT 2013 /var/ossec/active-response/bin/firewall-drop.sh add - xx.xx.255.91 1380071313.12357928 100300
Tue Sep 24 20:24:19 CDT 2013 /var/ossec/active-response/bin/host-deny.sh delete - xx.xx.255.91 1380071313.12357928 100300
Tue Sep 24 20:24:19 CDT 2013 /var/ossec/active-response/bin/firewall-drop.sh delete - xx.xx.255.91 1380071313.12357928 100300
Tue Sep 24 20:43:47 CDT 2013 /var/ossec/active-response/bin/host-deny.sh add - xx.xx.255.91 1380073112.12876411 100300
Tue Sep 24 20:43:47 CDT 2013 /var/ossec/active-response/bin/firewall-drop.sh add - xx.xx.255.91 1380073112.12876411 100300
Tue Sep 24 20:54:17 CDT 2013 /var/ossec/active-response/bin/host-deny.sh delete - xx.xx.255.91 1380073112.12876411 100300
Tue Sep 24 20:54:17 CDT 2013 /var/ossec/active-response/bin/firewall-drop.sh delete - xx.xx.255.91 1380073112.12876411 100300
Tue Sep 24 21:02:49 CDT 2013 /var/ossec/active-response/bin/host-deny.sh add - xx.xx.50.89 1380074254.13146850 100300
Tue Sep 24 21:02:49 CDT 2013 /var/ossec/active-response/bin/firewall-drop.sh add - xx.xx.50.89 1380074254.13146850 100300
Tue Sep 24 21:04:00 CDT 2013 /var/ossec/active-response/bin/host-deny.sh delete - xx.xx.50.89 1380074254.13146850 100300
Tue Sep 24 21:04:00 CDT 2013 /var/ossec/active-response/bin/firewall-drop.sh delete - xx.xx.50.89 1380074254.13146850 100300
My issue is that the Active Response Config section of ossec.conf on the
manager server is commented out. This was intentional as I don't want AR firing
at all:
<!--
<!-- Active Response Config -->
<active-response>
<!-- This response is going to execute the host-deny
- command for every event that fires a rule with
- level (severity) >= 6.
- The IP is going to be blocked for 600 seconds.
-->
<command>host-deny</command>
<location>local</location>
<level>6</level>
<timeout>600</timeout>
</active-response>
<active-response>
<!-- Firewall Drop response. Block the IP for
- 600 seconds on the firewall (iptables,
- ipfilter, etc).
-->
<command>firewall-drop</command>
<location>local</location>
<level>6</level>
<timeout>600</timeout>
</active-response>
-->
Any ideas on what might have happened here? My immediate remediation is to
remove all of the active response scripts to prevent unintentional operation.
Blake
--
---
You received this message because you are subscribed to the Google Groups
"ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
For more options, visit https://groups.google.com/groups/opt_out.
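Editor's added example, not part of the thread and not OSSEC project code: a small Python check for exactly the situation Blake describes. It strips XML comments the way a non-nesting XML scanner does (the first "-->" after a "<!--" ends the comment) and reports which <active-response> blocks survive, then pairs the add/delete lines in active-responses.log to show how long each block was held. Assumptions: that OSSEC's ossec.conf parser treats comments like XML (they do not nest); that <active-response><disabled>yes</disabled></active-response> is the supported way to turn AR off; and the field layout of the log line (date, script, action, user, IP, alert id, rule id). The config string is an abbreviated copy of the snippet in the post with the same comment nesting; the log lines are two of the post's own cycles, re-joined onto single lines.

```python
"""Added example (not from the ossec-list thread): check whether the
<active-response> blocks in an ossec.conf fragment are really commented out,
and measure how long each block in active-responses.log was held. XML
comments do not nest: the first '-->' after a '<!--' closes it, so an outer
'<!--' around an inner '<!-- ... -->' leaves everything after that live.
Assumed log layout: <date> <script> <action> <user> <ip> <alert-id> <rule-id>."""
import re
from datetime import datetime

# Abbreviated copy of the config block quoted in the post (same nesting).
POSTED_CONF = """
<!--
<!-- Active Response Config -->
<active-response>
<!-- host-deny for every event with level >= 6, blocked for 600 seconds -->
<command>host-deny</command>
<timeout>600</timeout>
</active-response>
<active-response>
<!-- Firewall Drop response, 600 seconds -->
<command>firewall-drop</command>
<timeout>600</timeout>
</active-response>
-->
"""

# Assumed fix: OSSEC's <disabled> option turns AR off with no comment tricks.
FIXED_CONF = """
<active-response>
<disabled>yes</disabled>
</active-response>
"""

# Two add/delete cycles from the post's log, re-joined onto single lines.
POSTED_LOG = """
Tue Sep 24 19:18:01 CDT 2013 /var/ossec/active-response/bin/host-deny.sh add - xx.xx.255.91 1380067966.11411291 100300
Tue Sep 24 19:18:01 CDT 2013 /var/ossec/active-response/bin/firewall-drop.sh add - xx.xx.255.91 1380067966.11411291 100300
Tue Sep 24 19:28:31 CDT 2013 /var/ossec/active-response/bin/host-deny.sh delete - xx.xx.255.91 1380067966.11411291 100300
Tue Sep 24 19:28:31 CDT 2013 /var/ossec/active-response/bin/firewall-drop.sh delete - xx.xx.255.91 1380067966.11411291 100300
Tue Sep 24 21:02:49 CDT 2013 /var/ossec/active-response/bin/host-deny.sh add - xx.xx.50.89 1380074254.13146850 100300
Tue Sep 24 21:02:49 CDT 2013 /var/ossec/active-response/bin/firewall-drop.sh add - xx.xx.50.89 1380074254.13146850 100300
Tue Sep 24 21:04:00 CDT 2013 /var/ossec/active-response/bin/host-deny.sh delete - xx.xx.50.89 1380074254.13146850 100300
Tue Sep 24 21:04:00 CDT 2013 /var/ossec/active-response/bin/firewall-drop.sh delete - xx.xx.50.89 1380074254.13146850 100300
""".strip().splitlines()

LOG_RE = re.compile(
    r"^(?P<ts>\w{3} \w{3} +\d+ \d\d:\d\d:\d\d) \w+ (?P<year>\d{4}) "
    r"(?P<script>\S+) (?P<action>add|delete) \S+ (?P<ip>\S+) "
    r"(?P<alert>\S+) (?P<rule>\d+)$")


def strip_xml_comments(text):
    """Drop comments the way a non-nesting XML scanner does."""
    out, i = [], 0
    while True:
        start = text.find("<!--", i)
        if start == -1:
            out.append(text[i:])
            return "".join(out)
        out.append(text[i:start])
        end = text.find("-->", start + 4)
        if end == -1:  # unterminated comment swallows the rest of the file
            return "".join(out)
        i = end + 3


def active_response_state(conf):
    """Commands of the <active-response> blocks that survive comment stripping,
    and whether a surviving block carries <disabled>yes</disabled>."""
    blocks = re.findall(r"<active-response>(.*?)</active-response>",
                        strip_xml_comments(conf), re.S)
    found = (re.search(r"<command>(.*?)</command>", b) for b in blocks)
    return {"commands": [m.group(1) for m in found if m],
            "disabled": any("<disabled>yes</disabled>" in b for b in blocks)}


def parse_ar_log(lines):
    """Parse active-responses.log lines into dicts; non-matching lines are skipped."""
    events = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m["ts"] + " " + m["year"], "%a %b %d %H:%M:%S %Y")
        events.append({"ts": ts, "script": m["script"].rsplit("/", 1)[-1], "action": m["action"],
                       "ip": m["ip"], "alert": m["alert"], "rule": m["rule"]})
    return events


def block_durations(events):
    """Pair each add with its delete (same script, ip, alert id): (script, ip, rule, seconds)."""
    pending, held = {}, []
    for e in events:
        key = (e["script"], e["ip"], e["alert"])
        if e["action"] == "add":
            pending[key] = e
        elif key in pending:
            secs = int((e["ts"] - pending.pop(key)["ts"]).total_seconds())
            held.append((e["script"], e["ip"], e["rule"], secs))
    return held


if __name__ == "__main__":
    print("posted config:", active_response_state(POSTED_CONF))
    print("fixed config:", active_response_state(FIXED_CONF))
    for script, ip, rule, secs in block_durations(parse_ar_log(POSTED_LOG)):
        print(f"{script} blocked {ip} for {secs}s (rule {rule})")
```

Run against the quoted snippet, the check reports both host-deny and firewall-drop as live: the "-->" that ends the inner "<!-- Active Response Config -->" also ends the outer comment opened on the line above, and the same happens with the explanatory comments inside each block, so wrapping the whole section in one comment cannot work while inner comments remain. The log pairing shows the first blocks released about 630 seconds after they were added, close to the 600-second <timeout> in those supposedly commented-out blocks, which is worth comparing against whatever the agent-side ossec.conf says before removing scripts. With the <disabled>yes</disabled> form, no command survives and the disabled flag is set, and it does not depend on comment placement at all.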