Hi Dan - Thanks for following up.
Just so I understand going forward, is this considered a feature or a bug? Nested comments feel intuitive in the XML style but if they're not intended to work I'll be sure to document that internally and avoid them in my maintenance of our configurations going forward.

Thanks
Blake

On Thursday, September 26, 2013 9:03:04 AM UTC-5, dan (ddpbsd) wrote:
> On Wed, Sep 25, 2013 at 2:35 PM, Blake Johnson <[email protected]> wrote:
> > My use case for OSSEC has excluded active response from the beginning. In
> > managing our roll out to servers that are supported by other parts of the
> > organization I wanted to strictly let OSSEC be a tool in our detection
> > processes. Last night I had Active Response rules fire on four production
> > web servers based on a local rule. Copy of active-responses.log from one
> > server:
> >
> > Tue Sep 24 19:18:01 CDT 2013 /var/ossec/active-response/bin/host-deny.sh add - xx.xx.255.91 1380067966.11411291 100300
> > Tue Sep 24 19:18:01 CDT 2013 /var/ossec/active-response/bin/firewall-drop.sh add - xx.xx.255.91 1380067966.11411291 100300
> > Tue Sep 24 19:28:31 CDT 2013 /var/ossec/active-response/bin/host-deny.sh delete - xx.xx.255.91 1380067966.11411291 100300
> > Tue Sep 24 19:28:31 CDT 2013 /var/ossec/active-response/bin/firewall-drop.sh delete - xx.xx.255.91 1380067966.11411291 100300
> > Tue Sep 24 19:48:00 CDT 2013 /var/ossec/active-response/bin/host-deny.sh add - xx.xx.255.91 1380069765.11921039 100300
> > Tue Sep 24 19:48:00 CDT 2013 /var/ossec/active-response/bin/firewall-drop.sh add - xx.xx.255.91 1380069765.11921039 100300
> > Tue Sep 24 19:58:30 CDT 2013 /var/ossec/active-response/bin/host-deny.sh delete - xx.xx.255.91 1380069765.11921039 100300
> > Tue Sep 24 19:58:30 CDT 2013 /var/ossec/active-response/bin/firewall-drop.sh delete - xx.xx.255.91 1380069765.11921039 100300
> > Tue Sep 24 20:13:49 CDT 2013 /var/ossec/active-response/bin/host-deny.sh add - xx.xx.255.91 1380071313.12357928 100300
> > Tue Sep 24 20:13:49 CDT 2013 /var/ossec/active-response/bin/firewall-drop.sh add - xx.xx.255.91 1380071313.12357928 100300
> > Tue Sep 24 20:24:19 CDT 2013 /var/ossec/active-response/bin/host-deny.sh delete - xx.xx.255.91 1380071313.12357928 100300
> > Tue Sep 24 20:24:19 CDT 2013 /var/ossec/active-response/bin/firewall-drop.sh delete - xx.xx.255.91 1380071313.12357928 100300
> > Tue Sep 24 20:43:47 CDT 2013 /var/ossec/active-response/bin/host-deny.sh add - xx.xx.255.91 1380073112.12876411 100300
> > Tue Sep 24 20:43:47 CDT 2013 /var/ossec/active-response/bin/firewall-drop.sh add - xx.xx.255.91 1380073112.12876411 100300
> > Tue Sep 24 20:54:17 CDT 2013 /var/ossec/active-response/bin/host-deny.sh delete - xx.xx.255.91 1380073112.12876411 100300
> > Tue Sep 24 20:54:17 CDT 2013 /var/ossec/active-response/bin/firewall-drop.sh delete - xx.xx.255.91 1380073112.12876411 100300
> > Tue Sep 24 21:02:49 CDT 2013 /var/ossec/active-response/bin/host-deny.sh add - xx.xx.50.89 1380074254.13146850 100300
> > Tue Sep 24 21:02:49 CDT 2013 /var/ossec/active-response/bin/firewall-drop.sh add - xx.xx.50.89 1380074254.13146850 100300
> > Tue Sep 24 21:04:00 CDT 2013 /var/ossec/active-response/bin/host-deny.sh delete - xx.xx.50.89 1380074254.13146850 100300
> > Tue Sep 24 21:04:00 CDT 2013 /var/ossec/active-response/bin/firewall-drop.sh delete - xx.xx.50.89 1380074254.13146850 100300
> >
> > My issue is that the Active Response Config section of ossec.conf on the
> > manager server is commented out. This was intentional as I don't want AR
> > firing at all:
> >
> > <!--
> > <!-- Active Response Config -->
>
> I don't think nested comments should work.
>
> > <active-response>
> > <!-- This response is going to execute the host-deny
> > - command for every event that fires a rule with
> > - level (severity) >= 6.
> > - The IP is going to be blocked for 600 seconds.
> > -->
> > <command>host-deny</command>
> > <location>local</location>
> > <level>6</level>
> > <timeout>600</timeout>
> > </active-response>
> >
> > <active-response>
> > <!-- Firewall Drop response. Block the IP for
> > - 600 seconds on the firewall (iptables,
> > - ipfilter, etc).
> > -->
> > <command>firewall-drop</command>
> > <location>local</location>
> > <level>6</level>
> > <timeout>600</timeout>
> > </active-response>
> > -->
> >
> > Any ideas on what might have happened here? My immediate remediation is to
> > remove all of the active response scripts to prevent unintentional
> > operation.
> >
> > Blake
> >
> > --
> >
> > ---
> > You received this message because you are subscribed to the Google Groups
> > "ossec-list" group.
> > To unsubscribe from this group and stop receiving emails from it, send an
> > email to [email protected].
> > For more options, visit https://groups.google.com/groups/opt_out.
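The nested-comment problem in the quoted ossec.conf, worked through as an added example (not code from the thread or from OSSEC): a scanner that applies standard XML comment rules, where the first `-->` closes a comment, to report which `<command>` values end up live and to flag the nested opener and the stray closer. The sample config is constructed from the quoted fragment, and `outer_comment_only` is a hypothetical helper showing the fix of keeping a single wrapper comment.

```python
import re

# Constructed sample modelled on the ossec.conf fragment quoted in the
# thread: one outer <!-- wraps a block that itself contains comments.
SAMPLE_CONF = """<ossec_config>
  <!--
  <!-- Active Response Config -->
  <active-response>
    <!-- host-deny for level >= 6, 600 seconds -->
    <command>host-deny</command>
    <timeout>600</timeout>
  </active-response>
  <active-response>
    <!-- firewall-drop, 600 seconds -->
    <command>firewall-drop</command>
    <timeout>600</timeout>
  </active-response>
  -->
</ossec_config>
"""

TOKEN = re.compile(r"<!--|-->|<command>([^<]*)</command>")

def audit_comments(text):
    """Scan like a standard XML reader: '<!--' opens a comment and the FIRST
    '-->' closes it, so comments never nest. Returns the <command> values
    that are live (outside any comment) plus (line, problem) diagnostics."""
    in_comment, live, problems = False, [], []
    for m in TOKEN.finditer(text):
        line = text.count("\n", 0, m.start()) + 1
        tok = m.group(0)
        if tok == "<!--":
            if in_comment:
                problems.append((line, "nested '<!--' inside a comment"))
            in_comment = True
        elif tok == "-->":
            if not in_comment:
                problems.append((line, "stray '-->' outside a comment"))
            in_comment = False
        elif not in_comment:  # a <command> element outside any comment
            live.append(m.group(1))
    return {"live_commands": live, "problems": problems}

def outer_comment_only(text):
    """Drop every inner comment line but keep the outer '<!--', so the one
    wrapper comment really disables the whole block (hypothetical helper)."""
    keep = [l for l in text.splitlines() if "<!--" not in l or l.strip() == "<!--"]
    return "\n".join(keep) + "\n"
```

On the sample, both `host-deny` and `firewall-drop` come out live, which matches the add/delete pairs in the quoted active-responses.log; after `outer_comment_only` nothing is live and no diagnostics remain.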
