@Christian and Dan,

I just tested again with a fresh view and I'm still having problems when 
changing rules (in this case adding Christian's rules). My test case is a 
WordPress brute force login attempt. I can see rule 31509 getting triggered 
('WordPress login attempt.'), after 5 times rule 31510 gets triggered 
('WordPress wp-login.php brute force attempt.'). Then the active response 
kicks in and rule 31510 (configured as level 7) emails me. So everything is 
working as it should.

Then, when I override 601,602 with Christian's rules (placed in 
local_rules.xml on the server) I don't get the expected email from the 601 
rule. Seems like not all rules in the 'tree' go via the 601, or do they?

I could easily add something to the firewall-drop.sh script but then I 
lose the information in the email about which rule actually invoked the 
active response. Any suggestions are highly appreciated. I can also 
provide any log info that would be useful.

Kind regards,

Gerard.

On Saturday, November 2, 2013 1:27:54 PM UTC+1, Gerard Petersen wrote:
>
> Hi All,
>
> I'm trying to get notifications for AR Firewall drops but I can't get it 
> to work. The easiest (but not preferred) way seemed to edit file 
> "firewall_rules.xml" and change this:
>
>   <rule id="4101" level="5">
>     <if_sid>4100</if_sid>
>     <action>DROP</action>
>     <options>no_log</options>
>     <description>Firewall drop event.</description>
>     <group>firewall_drop,</group>
>   </rule>
>
> Into this:
>
>   <rule id="4101" level="8">
>     <if_sid>4100</if_sid>
>     <action>DROP</action>
>     <description>Firewall drop event.</description>
>     <group>firewall_drop,</group>
>   </rule>
>
> Then, amazingly, the active response stops working completely. The 
> preferred way, as I see it, would be to add a new rule and if_sid from the 
> 4101 with a level=8. 
>
> <group name="firewall,">
>   <rule id="100201" level="8">
>     <if_sid>4101</if_sid>
>     <description>TEST - Firewall DROP.</description>
>   </rule>
> </group> <!-- firewall, -->
>
> But no luck on either setup. Can anybody see what I do not?
>
> Thanx a lot.
>
> Kind regards,
>
> Gerard.
>

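Both messages come down to which rules sit in the if_sid chain above a local rule (the 100201 child of 4101 in the original post, and the overridden 601/602 in the follow-up). Below is an added example, not code from this thread or from the OSSEC project, that lints rule files by walking those if_sid chains and flagging duplicate ids that lack overwrite="yes" and parents that are not defined anywhere. The rule snippets are constructed from the thread's own rules; rule 4100 is a minimal stand-in parent so the chain can be resolved offline.

```python
# Added example, not code from the thread or the OSSEC project: lint OSSEC rule
# files by resolving if_sid chains and flagging duplicate ids and undefined
# parents. Snippets are constructed from the thread's rules; 4100 is a
# minimal stand-in parent so the chain can be walked offline.
import xml.etree.ElementTree as ET

STOCK_RULES = """<group name="firewall,">
  <rule id="4100" level="0"><description>Firewall grouped.</description></rule>
  <rule id="4101" level="5"><if_sid>4100</if_sid><action>DROP</action>
    <options>no_log</options><description>Firewall drop event.</description></rule>
</group>"""

# Constructed local_rules.xml: the thread's 100201 child plus a second copy of
# 4101 that lacks overwrite="yes" (OSSEC's attribute for superseding a rule).
LOCAL_RULES = """<group name="firewall,">
  <rule id="100201" level="8"><if_sid>4101</if_sid>
    <description>TEST - Firewall DROP.</description></rule>
  <rule id="4101" level="8"><if_sid>4100</if_sid>
    <description>Firewall drop event.</description></rule>
</group>"""

def load_rules(*xml_docs):
    """Return ({id: {level, parents}}, findings); later files win on an id."""
    rules, findings = {}, []
    for doc in xml_docs:
        for r in ET.fromstring(doc).iter("rule"):
            rid = r.get("id")
            if rid in rules and r.get("overwrite") != "yes":
                findings.append(f'rule {rid}: duplicate id without overwrite="yes"')
            # if_sid may hold a comma-separated list of parent ids
            parents = [p.strip() for s in r.findall("if_sid") for p in (s.text or "").split(",") if p.strip()]
            rules[rid] = {"level": int(r.get("level", "0")), "parents": parents}
    return rules, findings

def chain(rules, rid):
    """Follow the first if_sid parent up to the root: [rid, parent, ...]."""
    path = [rid]
    while rules.get(path[-1], {}).get("parents"):
        parent = rules[path[-1]]["parents"][0]
        if parent in path:  # cycle guard for a mis-edited tree
            break
        path.append(parent)
    return path

def lint(*xml_docs):
    """Return ({id: chain}, findings) for the given rule documents."""
    rules, findings = load_rules(*xml_docs)
    for rid, r in rules.items():
        findings += [f"rule {rid}: if_sid {p} is not defined" for p in r["parents"] if p not in rules]
    return {rid: chain(rules, rid) for rid in rules}, findings
```

Run `lint(STOCK_RULES, LOCAL_RULES)` to see 100201 resolve through 4101 to 4100 and the second 4101 reported as a duplicate; lint the local file alone and the missing 4100 parent is reported instead.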