On Wed, Sep 25, 2013 at 2:35 PM, Blake Johnson <[email protected]> wrote:
> My use case for OSSEC has excluded active response from the beginning. In
> managing our roll out to servers that are supported by other parts of the
> organization I wanted to strictly let OSSEC be a tool in our detection
> processes. Last night I had Active Response rules fire on four production
> web servers based on a local rule. Copy of active-responses.log from one
> server:
>
> Tue Sep 24 19:18:01 CDT 2013 /var/ossec/active-response/bin/host-deny.sh add - xx.xx.255.91 1380067966.11411291 100300
> Tue Sep 24 19:18:01 CDT 2013 /var/ossec/active-response/bin/firewall-drop.sh add - xx.xx.255.91 1380067966.11411291 100300
> Tue Sep 24 19:28:31 CDT 2013 /var/ossec/active-response/bin/host-deny.sh delete - xx.xx.255.91 1380067966.11411291 100300
> Tue Sep 24 19:28:31 CDT 2013 /var/ossec/active-response/bin/firewall-drop.sh delete - xx.xx.255.91 1380067966.11411291 100300
> Tue Sep 24 19:48:00 CDT 2013 /var/ossec/active-response/bin/host-deny.sh add - xx.xx.255.91 1380069765.11921039 100300
> Tue Sep 24 19:48:00 CDT 2013 /var/ossec/active-response/bin/firewall-drop.sh add - xx.xx.255.91 1380069765.11921039 100300
> Tue Sep 24 19:58:30 CDT 2013 /var/ossec/active-response/bin/host-deny.sh delete - xx.xx.255.91 1380069765.11921039 100300
> Tue Sep 24 19:58:30 CDT 2013 /var/ossec/active-response/bin/firewall-drop.sh delete - xx.xx.255.91 1380069765.11921039 100300
> Tue Sep 24 20:13:49 CDT 2013 /var/ossec/active-response/bin/host-deny.sh add - xx.xx.255.91 1380071313.12357928 100300
> Tue Sep 24 20:13:49 CDT 2013 /var/ossec/active-response/bin/firewall-drop.sh add - xx.xx.255.91 1380071313.12357928 100300
> Tue Sep 24 20:24:19 CDT 2013 /var/ossec/active-response/bin/host-deny.sh delete - xx.xx.255.91 1380071313.12357928 100300
> Tue Sep 24 20:24:19 CDT 2013 /var/ossec/active-response/bin/firewall-drop.sh delete - xx.xx.255.91 1380071313.12357928 100300
> Tue Sep 24 20:43:47 CDT 2013 /var/ossec/active-response/bin/host-deny.sh add - xx.xx.255.91 1380073112.12876411 100300
> Tue Sep 24 20:43:47 CDT 2013 /var/ossec/active-response/bin/firewall-drop.sh add - xx.xx.255.91 1380073112.12876411 100300
> Tue Sep 24 20:54:17 CDT 2013 /var/ossec/active-response/bin/host-deny.sh delete - xx.xx.255.91 1380073112.12876411 100300
> Tue Sep 24 20:54:17 CDT 2013 /var/ossec/active-response/bin/firewall-drop.sh delete - xx.xx.255.91 1380073112.12876411 100300
> Tue Sep 24 21:02:49 CDT 2013 /var/ossec/active-response/bin/host-deny.sh add - xx.xx.50.89 1380074254.13146850 100300
> Tue Sep 24 21:02:49 CDT 2013 /var/ossec/active-response/bin/firewall-drop.sh add - xx.xx.50.89 1380074254.13146850 100300
> Tue Sep 24 21:04:00 CDT 2013 /var/ossec/active-response/bin/host-deny.sh delete - xx.xx.50.89 1380074254.13146850 100300
> Tue Sep 24 21:04:00 CDT 2013 /var/ossec/active-response/bin/firewall-drop.sh delete - xx.xx.50.89 1380074254.13146850 100300
>
> My issue is that the Active Response Config section of ossec.conf on the
> manager server is commented out. This was intentional as I don't want AR
> firing at all:
>
> <!--
> <!-- Active Response Config -->

I don't think nested comments should work.

> <active-response>
> <!-- This response is going to execute the host-deny
> - command for every event that fires a rule with
> - level (severity) >= 6.
> - The IP is going to be blocked for 600 seconds.
> -->
> <command>host-deny</command>
> <location>local</location>
> <level>6</level>
> <timeout>600</timeout>
> </active-response>
>
> <active-response>
> <!-- Firewall Drop response. Block the IP for
> - 600 seconds on the firewall (iptables,
> - ipfilter, etc).
> -->
> <command>firewall-drop</command>
> <location>local</location>
> <level>6</level>
> <timeout>600</timeout>
> </active-response>
> -->
>
> Any ideas on what might have happened here? My immediate remediation is to
> remove all of the active response scripts to prevent unintentional
> operation.
>
> Blake
>
> --
>
> ---
> You received this message because you are subscribed to the Google Groups
> "ossec-list" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to [email protected].
> For more options, visit https://groups.google.com/groups/opt_out.
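The reply's point is the whole explanation: XML-style comments do not nest. The outer `<!--` is closed by the first `-->` the parser meets, which is the one on the `<!-- Active Response Config -->` heading line, so both `<active-response>` blocks end up outside any comment and are loaded as live configuration, with the trailing `-->` left over as stray text. Below is an added example in Python (not code from this thread or from the OSSEC project) that models that non-nesting rule on a constructed copy of the posted fragment, lists which commands would be live in it versus in a version where each block has its own comment, and adds two pre-deployment checks: counting leftover `-->` closers, and running the file through a strict XML parser, which rejects the `--` that an inner `<!--` leaves inside a comment. The comment stripper is a simplified model of the observed behaviour, not OSSEC's own config parser (os_xml), which is assumed here to follow the same first-closer rule and to be more lenient than strict XML.

```python
"""Why a 'nested' XML comment leaves OSSEC active-response blocks live.

Added example, not code from the ossec-list thread or the OSSEC project.
The comment stripper is a simplified model of the observed behaviour: the
first '-->' after a '<!--' closes the comment and a second '<!--' inside it
is plain text.  OSSEC's real parser (os_xml) is not used here.
"""
import re
import xml.etree.ElementTree as ET

# Constructed fragment mirroring the posted config: one outer comment wrapped
# around a heading comment and two <active-response> blocks.
NESTED_ATTEMPT = """<ossec_config>
<!--
<!-- Active Response Config -->
  <active-response>
    <command>host-deny</command>
    <location>local</location>
    <level>6</level>
    <timeout>600</timeout>
  </active-response>

  <active-response>
    <command>firewall-drop</command>
    <location>local</location>
    <level>6</level>
    <timeout>600</timeout>
  </active-response>
-->
</ossec_config>
"""

# Constructed corrected form: each comment is closed before the next one
# opens, so nothing nests and both blocks really are commented out.
SEPARATE_COMMENTS = """<ossec_config>
<!-- Active Response Config (disabled) -->
<!--
  <active-response>
    <command>host-deny</command>
    <location>local</location>
    <level>6</level>
    <timeout>600</timeout>
  </active-response>
-->
<!--
  <active-response>
    <command>firewall-drop</command>
    <location>local</location>
    <level>6</level>
    <timeout>600</timeout>
  </active-response>
-->
</ossec_config>
"""


def strip_comments(text: str) -> str:
    """Drop comments the way a non-nesting parser does.

    A comment runs from '<!--' to the very next '-->'.  A '<!--' that
    appears inside it is ordinary comment text, so it opens no second level
    and the first '-->' ends the whole comment.
    """
    out = []
    pos = 0
    while True:
        start = text.find("<!--", pos)
        if start == -1:
            out.append(text[pos:])
            return "".join(out)
        out.append(text[pos:start])
        end = text.find("-->", start + 4)
        if end == -1:  # unterminated comment swallows the rest of the file
            return "".join(out)
        pos = end + 3


def live_commands(config: str) -> list:
    """Return the <command> names of <active-response> blocks that survive
    comment stripping, i.e. the responses the manager would actually load."""
    body = strip_comments(config)
    blocks = re.findall(r"<active-response>(.*?)</active-response>", body, re.S)
    names = []
    for block in blocks:
        m = re.search(r"<command>\s*(.*?)\s*</command>", block, re.S)
        if m:
            names.append(m.group(1))
    return names


def dangling_closers(config: str) -> int:
    """Count '-->' tokens left after comment stripping.  A leftover closer is
    the fingerprint of a nested comment: the outer '-->' has nothing to close."""
    return strip_comments(config).count("-->")


def strict_xml_accepts(config: str) -> bool:
    """Second check: strict XML forbids '--' inside a comment, so the inner
    '<!--' of a nested comment makes the file ill-formed and the parser
    refuses it instead of silently enabling the blocks."""
    try:
        ET.fromstring(config)
        return True
    except ET.ParseError:
        return False


if __name__ == "__main__":
    for label, cfg in (("nested attempt", NESTED_ATTEMPT),
                       ("separate comments", SEPARATE_COMMENTS)):
        print(f"{label}: live={live_commands(cfg)} "
              f"dangling_closers={dangling_closers(cfg)} "
              f"strict_xml_ok={strict_xml_accepts(cfg)}")
```

On the nested attempt both `host-deny` and `firewall-drop` come back as live, one `-->` is left dangling, and the strict parser rejects the file; on the separately commented version nothing is live and both checks pass. Running a manager's ossec.conf through the strict-XML check before restarting it is a cheap way to catch this class of mistake, since the lenient parser that loads the file will not. Commenting out blocks is also a fragile way to switch a feature off; as I recall from the OSSEC manual (not stated in this thread), active response has an explicit `<disabled>yes</disabled>` setting inside `<active-response>` that is the intended off switch.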
