The Rules 601 and 602 only get triggered if you monitor your
active-responses.log file in /var/ossec/logs/. Every AR event is a line
in there, and at the end of the line should be the rule that invoked this
event. You can take a line and test it with ossec_logtest too.
So check your ossec.conf file for:
> <localfile>
> <log_format>syslog</log_format>
> <location>/var/ossec/logs/active-responses.log</location>
> </localfile>
Examples:
> Do 7. Nov 07:59:48 CET 2013 /var/ossec/active-response/bin/firewall-drop.sh add - 37.187.77.137 1383807588.12075 100200
> Do 7. Nov 08:10:19 CET 2013 /var/ossec/active-response/bin/firewall-drop.sh delete - 37.187.77.137 1383807588.12075 100200
In case you have a non-English OS you may have to change the AR decoder.
As you can see, I have a German OS, so the weekdays are German
abbreviations. This is done by my local_decoder.xml:
> <decoder name="ar_log">
> <prematch>^Mo|^Di|^Mi|^Do|^Fr|^Sa|^So|^Mon|^Tue|^Wed|^Thu|^Fri|^Sat|^Sun \S+\s+\d+ \d\d:\d\d:\d\d \S+ \d+ /\.+/active-response</prematch>
> <regex offset="after_prematch">/bin/(\S+) (\S+) - (\S+) (\d+.\d+) (\d+)</regex>
> <order>action, status, srcip, id, extra_data</order>
> </decoder>
This was suggested on this mailing list a long time ago and I just
copied it from there.
Regards
Christian
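As an added illustration (not from Christian's message and not OSSEC's own code), the Python below mirrors what the posted ar_log decoder pulls out of one line of active-responses.log, accepting both the English and the German weekday/date layout seen in this thread, so you can confirm offline that the rule id at the end of the line (the field the decoder calls extra_data) survives decoding and can be carried into a notification. The regexes, field names and the three sample lines are assumptions modelled on the decoder above; the sample lines are constructed, and the third one is a non-AR line to show the prematch rejecting it.

```python
import re
from typing import Optional

# Python equivalent of the decoder's <prematch>: a German or English weekday
# abbreviation, the remaining date(1)-style timestamp, then the path of the
# active-response directory. Assumption: both layouts quoted in the thread.
PREMATCH = re.compile(
    r"^(?:Mo|Di|Mi|Do|Fr|Sa|So|Mon|Tue|Wed|Thu|Fri|Sat|Sun)\s+"
    r"\S+\s+\S+\s+\d\d:\d\d:\d\d\s+\S+\s+\d+\s+"
    r"(?P<path>/\S*?/active-response)"
)
# Equivalent of <regex offset="after_prematch">; OSSEC's "." is a literal dot.
FIELDS = re.compile(r"/bin/(\S+) (\S+) - (\S+) (\d+\.\d+) (\d+)")
# Same field names and order as the decoder's <order> element.
ORDER = ("action", "status", "srcip", "id", "extra_data")

# Constructed sample lines (documentation-range IP, made-up alert id).
SAMPLE_LINES = [
    "Do 7. Nov 07:59:48 CET 2013 /var/ossec/active-response/bin/firewall-drop.sh add - 203.0.113.7 1383807588.12075 100200",
    "Thu Nov  7 08:10:19 CET 2013 /var/ossec/active-response/bin/firewall-drop.sh delete - 203.0.113.7 1383807588.12075 100200",
    "Thu Nov  7 08:11:00 CET 2013 sshd[123]: not an active-response line",
]


def decode_ar_line(line: str) -> Optional[dict]:
    """Return the decoded fields for one AR log line, or None if the line
    would not be picked up by the decoder (prematch or regex fails)."""
    pre = PREMATCH.match(line)
    if not pre:
        return None
    # The field regex starts right where the prematch stopped.
    m = FIELDS.match(line, pre.end())
    if not m:
        return None
    return dict(zip(ORDER, m.groups()))


def decode_all(lines) -> list:
    """Decode every line, silently skipping non-AR lines."""
    return [d for d in (decode_ar_line(l) for l in lines) if d]


def summarize(fields: dict) -> str:
    """One-line summary that keeps the invoking rule id (extra_data), which is
    the information the thread wants to see in the notification e-mail."""
    verb = {"add": "blocked", "delete": "unblocked"}.get(fields["status"], fields["status"])
    return (f"{fields['srcip']} {verb} by {fields['action']} "
            f"(alert {fields['id']}, triggered by rule {fields['extra_data']})")
```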
On 07.11.2013 10:18, Gerard Petersen wrote:
> @Christian and Dan,
>
> I just tested again with a fresh view and I'm still having problems
> when changing rules (in this case adding Christian's rules). My test
> case is a WordPress brute force login attempt. I can see rule 31509
> getting triggered ('WordPress login attempt.'); after 5 times rule
> 31510 gets triggered ('WordPress wp-login.php brute force attempt.').
> Then the active response kicks in and rule 31510 (configured as level
> 7) emails me. So everything is working as it should.
>
> Then, when I override 601,602 with Christian's rules (placed in
> local_rules.xml on the server) I don't get the expected email from the
> 601 rule. Seems like not all rules in the 'tree' go via 601, or do
> they?
>
> I could easily add something to the firewall-drop.sh scripts but then
> I lose the information in the email about which rule actually invoked
> the active response. Any suggestions are highly appreciated. I can
> also provide any log info that would be useful.
>
> Kind regards,
>
> Gerard.
>
> On Saturday, November 2, 2013 1:27:54 PM UTC+1, Gerard Petersen wrote:
>
> Hi All,
>
> I'm trying to get notifications for AR Firewall drops but I can't
> get it to work. The easiest (but not preferred) way seemed to be to
> edit the file "firewall_rules.xml" and change this:
>
> <rule id="4101" level="5">
> <if_sid>4100</if_sid>
> <action>DROP</action>
> <options>no_log</options>
> <description>Firewall drop event.</description>
> <group>firewall_drop,</group>
> </rule>
>
> Into this:
>
> <rule id="4101" level="8">
> <if_sid>4100</if_sid>
> <action>DROP</action>
> <description>Firewall drop event.</description>
> <group>firewall_drop,</group>
> </rule>
>
> Then, amazingly, the active response stops working completely. The
> preferred way, as I see it, would be to add a new rule and if_sid
> from the 4101 with a level=8.
>
> <group name="firewall,">
> <rule id="100201" level="8">
> <if_sid>4101</if_sid>
> <description>TEST - Firewall DROP.</description>
> </rule>
> </group> <!-- firewall, -->
>
> But no luck on either setup. Can anybody see what I do not?
>
> Thanx a lot.
>
> Kind regards,
>
> Gerard.
>
> --
>
> ---
> You received this message because you are subscribed to the Google
> Groups "ossec-list" group.
> To unsubscribe from this group and stop receiving emails from it, send
> an email to [email protected].
> For more options, visit https://groups.google.com/groups/opt_out.