I used to add this to my local_rules.xml (uncomment the alert_by_email
option!) and monitor the ossec active_response.log file. I haven't tested
this lately, as AR has been working fine so far.

<group name="ossec,">
<!-- used for debugging AR; overwrite="yes" replaces the stock rule with the same id -->
  <rule id="601" level="3" overwrite="yes">
    <if_sid>600</if_sid>
    <action>firewall-drop.sh</action>
    <status>add</status>
    <description>Host Blocked by firewall-drop.sh Active Response</description>
    <!--<options>alert_by_email</options>-->
    <group>active_response,</group>
  </rule>
<!--
  <rule id="602" level="3" overwrite="yes">
    <if_sid>600</if_sid>
    <action>firewall-drop.sh</action>
    <status>delete</status>
    <description>Host Unblocked by firewall-drop.sh Active Response</description>
    <options>alert_by_email</options>
    <group>active_response,</group>
  </rule>
-->
</group> <!-- OSSEC -->

Regards
Christian

On 05.11.2013 17:27, dan (ddp) wrote:
> On Sat, Nov 2, 2013 at 8:27 AM, Gerard Petersen <[email protected]> wrote:
>> Hi All,
>>
>> I'm trying to get notifications for AR Firewall drops but I can't get it to
>> work. The easiest (but not preferred) way seemed to edit file
>> "firewall_rules.xml" and change this:
>>
>>   <rule id="4101" level="5">
>>     <if_sid>4100</if_sid>
>>     <action>DROP</action>
>>     <options>no_log</options>
>>     <description>Firewall drop event.</description>
>>     <group>firewall_drop,</group>
>>   </rule>
>>
> Does the above trigger when the logs come in? Can you provide a sample
> of the logs?
>
>
>> Into this:
>>
>>   <rule id="4101" level="8">
>>     <if_sid>4100</if_sid>
>>     <action>DROP</action>
>>     <description>Firewall drop event.</description>
>>     <group>firewall_drop,</group>
>>   </rule>
>>
>> Then, amazingly, the active response stops working completely. The preferred
>> way, as I see it, would be to add a new rule and if_sid from the 4101 with a
>> level=8.
>>
>> <group name="firewall,">
>>   <rule id="100201" level="8">
>>     <if_sid>4101</if_sid>
>>     <description>TEST - Firewall DROP.</description>
>>   </rule>
>> </group> <!-- firewall, -->
>>
>> But no luck on either setup. Can anybody see what I do not?
>>
>> Thanx a lot.
>>
>> Kind regards,
>>
>> Gerard.
>>
>> --
>>
>> ---
>> You received this message because you are subscribed to the Google Groups
>> "ossec-list" group.
>> To unsubscribe from this group and stop receiving emails from it, send an
>> email to [email protected].
>> For more options, visit https://groups.google.com/groups/opt_out.

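As an added example (not code from the thread or from the OSSEC project), here is a small Python check for the two things Christian's post relies on: that the overwritten rules chained off 600 actually carry the alert_by_email option, and a parser for the active-responses log so the block/unblock events can be reviewed without waiting for e-mail. The rules XML is the snippet from the post with rule 602 uncommented; the log lines are constructed, and their layout ("<date> <script> <action> <user> <srcip> <alert id> <rule id>") is an assumption about what firewall-drop.sh writes to logs/active-responses.log in OSSEC 2.x, so compare it with your own file before relying on the regex.

```python
"""Check OSSEC local_rules.xml for AR rules lacking alert_by_email and parse
active-responses log lines.  Added example; the log format is an assumption."""
import re
import xml.etree.ElementTree as ET

# Constructed sample: the rules from the post, rule 602 uncommented.
# Only 601 has alert_by_email, so the check below should flag 602.
SAMPLE_RULES = """<group name="ossec,">
  <rule id="601" level="3" overwrite="yes">
    <if_sid>600</if_sid>
    <action>firewall-drop.sh</action>
    <status>add</status>
    <description>Host Blocked by firewall-drop.sh Active Response</description>
    <options>alert_by_email</options>
    <group>active_response,</group>
  </rule>
  <rule id="602" level="3" overwrite="yes">
    <if_sid>600</if_sid>
    <action>firewall-drop.sh</action>
    <status>delete</status>
    <description>Host Unblocked by firewall-drop.sh Active Response</description>
    <group>active_response,</group>
  </rule>
</group>
"""

# Constructed log lines in the assumed firewall-drop.sh layout:
# <date> <script> <add|delete> <user> <srcip> <alert id> <rule id>
SAMPLE_LOG = """\
Tue Nov  5 17:31:02 CET 2013 /var/ossec/active-response/bin/firewall-drop.sh add - 203.0.113.45 1383669062.12345 5712
Tue Nov  5 17:41:03 CET 2013 /var/ossec/active-response/bin/firewall-drop.sh delete - 203.0.113.45 1383669062.12345 5712
Tue Nov  5 18:02:17 CET 2013 /var/ossec/active-response/bin/firewall-drop.sh add - 198.51.100.9 1383670937.22222 5551
"""

LOG_LINE = re.compile(
    r"^(?P<date>.+?\d{4}) (?P<script>\S+) (?P<action>add|delete) (?P<user>\S+) "
    r"(?P<srcip>\S+) (?P<alert_id>\S+) (?P<rule_id>\d+)$"
)


def rules_without_email(xml_text):
    """Return ids of rules chained off 600 that have no alert_by_email option.

    local_rules.xml usually holds several top-level <group> elements, so the
    text is wrapped in a dummy root before parsing; XML comments are ignored,
    which is why a commented-out <options> element does not count.
    """
    root = ET.fromstring("<root>" + xml_text + "</root>")
    missing = []
    for rule in root.iter("rule"):
        if rule.findtext("if_sid") != "600":
            continue
        opts = [o.text.strip() for o in rule.findall("options") if o.text]
        if "alert_by_email" not in opts:
            missing.append(rule.get("id"))
    return missing


def parse_active_responses(text):
    """Parse log lines into dicts; lines that do not match the layout are skipped."""
    events = []
    for line in text.splitlines():
        m = LOG_LINE.match(line)
        if m:
            events.append(m.groupdict())
    return events


def currently_blocked(events):
    """Replay add/delete events in order and return the IPs still blocked."""
    blocked = set()
    for ev in events:
        if ev["action"] == "add":
            blocked.add(ev["srcip"])
        else:
            blocked.discard(ev["srcip"])
    return blocked


if __name__ == "__main__":
    print("rules missing alert_by_email:", rules_without_email(SAMPLE_RULES))
    evs = parse_active_responses(SAMPLE_LOG)
    for ev in evs:
        print(ev["action"], ev["srcip"], "rule", ev["rule_id"])
    print("still blocked:", sorted(currently_blocked(evs)))
```

Running it against a real local_rules.xml (read the file into `rules_without_email`) tells you whether the option is still commented out, which is the easiest thing to miss when copying the snippet above; feeding the real active-responses log to `currently_blocked` gives the set of hosts that have an add without a matching delete, which is handy when a timeout-based unblock looks like it never happened.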