Hi Christian,

Thanks a lot for your code snippets. Very useful.

Kind regards,
Gerard.

On Tuesday, November 5, 2013 6:33:20 PM UTC+1, Christian Beer wrote:
> I used to add this to my local_rules.xml (uncomment the alert_by_email
> option!) and monitor the ossec active_response.log file. I didn't test
> this lately as AR is working fine so far.
>
> <group name="ossec,">
>   <!-- used for debugging AR -->
>   <rule id="601" level="3" overwrite="yes">
>     <if_sid>600</if_sid>
>     <action>firewall-drop.sh</action>
>     <status>add</status>
>     <description>Host Blocked by firewall-drop.sh Active Response</description>
>     <!--<options>alert_by_email</options>-->
>     <group>active_response,</group>
>   </rule>
>   <!--
>   <rule id="602" level="3" overwrite="yes">
>     <if_sid>600</if_sid>
>     <action>firewall-drop.sh</action>
>     <status>delete</status>
>     <description>Host Unblocked by firewall-drop.sh Active Response</description>
>     <options>alert_by_email</options>
>     <group>active_response,</group>
>   </rule>
>   -->
> </group> <!-- OSSEC -->
>
> Regards
> Christian
>
> On 05.11.2013 17:27, dan (ddp) wrote:
>> On Sat, Nov 2, 2013 at 8:27 AM, Gerard Petersen <[email protected]> wrote:
>>> Hi All,
>>>
>>> I'm trying to get notifications for AR Firewall drops but I can't get it to
>>> work. The easiest (but not preferred) way seemed to edit file
>>> "firewall_rules.xml" and change this:
>>>
>>> <rule id="4101" level="5">
>>>   <if_sid>4100</if_sid>
>>>   <action>DROP</action>
>>>   <options>no_log</options>
>>>   <description>Firewall drop event.</description>
>>>   <group>firewall_drop,</group>
>>> </rule>
>>>
>> Does the above trigger when the logs come in? Can you provide a sample
>> of the logs?
>>
>>> Into this:
>>>
>>> <rule id="4101" level="8">
>>>   <if_sid>4100</if_sid>
>>>   <action>DROP</action>
>>>   <description>Firewall drop event.</description>
>>>   <group>firewall_drop,</group>
>>> </rule>
>>>
>>> Then, amazingly, the active response stops working completely. The
>>> preferred way, as I see it, would be to add a new rule and if_sid from
>>> the 4101 with a level=8.
>>>
>>> <group name="firewall,">
>>>   <rule id="100201" level="8">
>>>     <if_sid>4101</if_sid>
>>>     <description>TEST - Firewall DROP.</description>
>>>   </rule>
>>> </group> <!-- firewall, -->
>>>
>>> But no luck on either setup. Can anybody see what I do not?
>>>
>>> Thanks a lot.
>>>
>>> Kind regards,
>>>
>>> Gerard.
>>>
>>> --
>>>
>>> ---
>>> You received this message because you are subscribed to the Google Groups
>>> "ossec-list" group.
>>> To unsubscribe from this group and stop receiving emails from it, send an
>>> email to [email protected].
>>> For more options, visit https://groups.google.com/groups/opt_out.
