On Tue, Oct 1, 2013 at 9:36 AM, Blake Johnson <[email protected]> wrote:
> Hi Dan -
>
> Thanks for following up.
>
> Just so I understand going forward, is this considered a feature or a bug?

Are those the only choices? It just is.

> Nested comments feel intuitive in the XML style but if they're not intended
> to work I'll be sure to document that internally and avoid them in my
> maintenance of our configurations going forward.
>
> Thanks
>
> Blake
>
> On Thursday, September 26, 2013 9:03:04 AM UTC-5, dan (ddpbsd) wrote:
>>
>> On Wed, Sep 25, 2013 at 2:35 PM, Blake Johnson <[email protected]> wrote:
>> > My use case for OSSEC has excluded active response from the beginning. In
>> > managing our roll out to servers that are supported by other parts of the
>> > organization I wanted to strictly let OSSEC be a tool in our detection
>> > processes. Last night I had Active Response rules fire on four production
>> > web servers based on a local rule. Copy of active-responses.log from one
>> > server:
>> >
>> > Tue Sep 24 19:18:01 CDT 2013 /var/ossec/active-response/bin/host-deny.sh add - xx.xx.255.91 1380067966.11411291 100300
>> > Tue Sep 24 19:18:01 CDT 2013 /var/ossec/active-response/bin/firewall-drop.sh add - xx.xx.255.91 1380067966.11411291 100300
>> > Tue Sep 24 19:28:31 CDT 2013 /var/ossec/active-response/bin/host-deny.sh delete - xx.xx.255.91 1380067966.11411291 100300
>> > Tue Sep 24 19:28:31 CDT 2013 /var/ossec/active-response/bin/firewall-drop.sh delete - xx.xx.255.91 1380067966.11411291 100300
>> > Tue Sep 24 19:48:00 CDT 2013 /var/ossec/active-response/bin/host-deny.sh add - xx.xx.255.91 1380069765.11921039 100300
>> > Tue Sep 24 19:48:00 CDT 2013 /var/ossec/active-response/bin/firewall-drop.sh add - xx.xx.255.91 1380069765.11921039 100300
>> > Tue Sep 24 19:58:30 CDT 2013 /var/ossec/active-response/bin/host-deny.sh delete - xx.xx.255.91 1380069765.11921039 100300
>> > Tue Sep 24 19:58:30 CDT 2013 /var/ossec/active-response/bin/firewall-drop.sh delete - xx.xx.255.91 1380069765.11921039 100300
>> > Tue Sep 24 20:13:49 CDT 2013 /var/ossec/active-response/bin/host-deny.sh add - xx.xx.255.91 1380071313.12357928 100300
>> > Tue Sep 24 20:13:49 CDT 2013 /var/ossec/active-response/bin/firewall-drop.sh add - xx.xx.255.91 1380071313.12357928 100300
>> > Tue Sep 24 20:24:19 CDT 2013 /var/ossec/active-response/bin/host-deny.sh delete - xx.xx.255.91 1380071313.12357928 100300
>> > Tue Sep 24 20:24:19 CDT 2013 /var/ossec/active-response/bin/firewall-drop.sh delete - xx.xx.255.91 1380071313.12357928 100300
>> > Tue Sep 24 20:43:47 CDT 2013 /var/ossec/active-response/bin/host-deny.sh add - xx.xx.255.91 1380073112.12876411 100300
>> > Tue Sep 24 20:43:47 CDT 2013 /var/ossec/active-response/bin/firewall-drop.sh add - xx.xx.255.91 1380073112.12876411 100300
>> > Tue Sep 24 20:54:17 CDT 2013 /var/ossec/active-response/bin/host-deny.sh delete - xx.xx.255.91 1380073112.12876411 100300
>> > Tue Sep 24 20:54:17 CDT 2013 /var/ossec/active-response/bin/firewall-drop.sh delete - xx.xx.255.91 1380073112.12876411 100300
>> > Tue Sep 24 21:02:49 CDT 2013 /var/ossec/active-response/bin/host-deny.sh add - xx.xx.50.89 1380074254.13146850 100300
>> > Tue Sep 24 21:02:49 CDT 2013 /var/ossec/active-response/bin/firewall-drop.sh add - xx.xx.50.89 1380074254.13146850 100300
>> > Tue Sep 24 21:04:00 CDT 2013 /var/ossec/active-response/bin/host-deny.sh delete - xx.xx.50.89 1380074254.13146850 100300
>> > Tue Sep 24 21:04:00 CDT 2013 /var/ossec/active-response/bin/firewall-drop.sh delete - xx.xx.50.89 1380074254.13146850 100300
>> >
>> > My issue is that the Active Response Config section of ossec.conf on the
>> > manager server is commented out. This was intentional as I don't want AR
>> > firing at all:
>> >
>> > <!--
>> > <!-- Active Response Config -->
>>
>> I don't think nested comments should work.
>>
>> > <active-response>
>> >   <!-- This response is going to execute the host-deny
>> >     - command for every event that fires a rule with
>> >     - level (severity) >= 6.
>> >     - The IP is going to be blocked for 600 seconds.
>> >   -->
>> >   <command>host-deny</command>
>> >   <location>local</location>
>> >   <level>6</level>
>> >   <timeout>600</timeout>
>> > </active-response>
>> >
>> > <active-response>
>> >   <!-- Firewall Drop response. Block the IP for
>> >     - 600 seconds on the firewall (iptables,
>> >     - ipfilter, etc).
>> >   -->
>> >   <command>firewall-drop</command>
>> >   <location>local</location>
>> >   <level>6</level>
>> >   <timeout>600</timeout>
>> > </active-response>
>> > -->
>> >
>> > Any ideas on what might have happened here? My immediate remediation is to
>> > remove all of the active response scripts to prevent unintentional
>> > operation.
>> >
>> > Blake
>> >
>> > --
>> >
>> > ---
>> > You received this message because you are subscribed to the Google Groups
>> > "ossec-list" group.
>> > To unsubscribe from this group and stop receiving emails from it, send an
>> > email to [email protected].
>> > For more options, visit https://groups.google.com/groups/opt_out.
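As an added example (not code from the thread, and not OSSEC's own parser), the block below models what a comment scanner that does not nest comments does with the quoted config: the first `-->` closes the outer comment, so both `<active-response>` blocks stay live, which matches the add/delete pairs for host-deny and firewall-drop in the log above. The sample config is constructed and trimmed, the scanner is an assumed simplification, and `find_nested_comments` is a suggested pre-deploy lint that flags a second `<!--` opened inside a comment.

```python
import re
# Constructed sample modelled on the block quoted in the thread (trimmed): the
# outer comment is opened, then a second "<!--" appears before any "-->".
NESTED_CONFIG = """<ossec_config>
<!--
<!-- Active Response Config -->
  <active-response>
    <command>host-deny</command>
    <timeout>600</timeout>
  </active-response>
  <active-response>
    <command>firewall-drop</command>
    <timeout>600</timeout>
  </active-response>
-->
</ossec_config>
"""
# Same block with the inner comment line removed: one comment spans everything.
FIXED_CONFIG = NESTED_CONFIG.replace("<!-- Active Response Config -->\n", "")

def strip_comments(text):
    """Model of a nesting-unaware comment scanner (an assumption, not OSSEC's
    own parser): each '<!--' is closed by the first '-->' that follows it."""
    out, pos = [], 0
    while (start := text.find("<!--", pos)) >= 0:
        out.append(text[pos:start])
        end = text.find("-->", start + 4)
        if end < 0:  # unterminated comment swallows the rest of the file
            return "".join(out)
        pos = end + 3
    out.append(text[pos:])
    return "".join(out)

def live_active_responses(config):
    """Commands of the <active-response> blocks that would still be armed."""
    visible = strip_comments(config)
    blocks = re.findall(r"<active-response>(.*?)</active-response>", visible, re.S)
    return [re.search(r"<command>(.*?)</command>", b).group(1) for b in blocks]

def find_nested_comments(config):
    """Pre-deploy lint: 1-based line numbers where '<!--' opens inside a comment."""
    hits, in_comment = [], False
    for m in re.finditer(r"<!--|-->", config):
        if m.group() == "<!--":
            if in_comment:  # a second opener before the first closer
                hits.append(config.count("\n", 0, m.start()) + 1)
            in_comment = True
        else:
            in_comment = False
    return hits
```

Running `live_active_responses` on the nested form returns both commands while the fixed form returns none, so a check like this in a config review catches the mistake before the manager is restarted.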
