Hi Christian,
Thanx a lot for the explanation. I vaguely remember you mentioned the AR
local log file config. Never figured out that the last parameter in the
firewall-drop.sh call is a rule id :)
I'm running an analysis of all website traffic to get a perspective on what
to trigger on and what to deem not important 'hack-ish' behaviour.
This solves enough for now. I'm going to set up your decoder and local file
config below.
Thanx again! This was very helpful.
Kind regards,
Gerard.
On Thursday, November 7, 2013 1:24:01 PM UTC+1, Christian Beer wrote:
>
> The Rules 601 and 602 only get triggered if you monitor your
> active-responses.log file in /var/ossec/logs/. Every AR event is a line in
> there and at the end of the line should be the rule that invoked this
> event. You can take a line and test with ossec_logtest too.
>
> So check your ossec.conf file for:
>
> <localfile>
>   <log_format>syslog</log_format>
>   <location>/var/ossec/logs/active-responses.log</location>
> </localfile>
>
> Examples:
>
> Do 7. Nov 07:59:48 CET 2013 /var/ossec/active-response/bin/firewall-drop.sh add - 37.187.77.137 1383807588.12075 100200
> Do 7. Nov 08:10:19 CET 2013 /var/ossec/active-response/bin/firewall-drop.sh delete - 37.187.77.137 1383807588.12075 100200
>
> In case you have a non-English OS you may have to change the AR decoder.
> As you can see I have a German OS so weekdays are in German abbreviation.
> This is done by my local_decoder.xml:
>
> <decoder name="ar_log">
>   <prematch>^Mo|^Di|^Mi|^Do|^Fr|^Sa|^So|^Mon|^Tue|^Wed|^Thu|^Fri|^Sat|^Sun \S+\s+\d+ \d\d:\d\d:\d\d \S+ \d+ /\.+/active-response</prematch>
>   <regex offset="after_prematch">/bin/(\S+) (\S+) - (\S+) (\d+.\d+) (\d+)</regex>
>   <order>action, status, srcip, id, extra_data</order>
> </decoder>
>
> This was suggested on this mailing list a long time ago and I just copied
> it from there.
>
> Regards
> Christian
>
> On 07.11.2013 10:18, Gerard Petersen wrote:
>
> @Christian and Dan,
>
> I just tested again with a fresh view and I'm still having problems when
> changing rules (in this case adding Christian's rules). My test case is a
> Wordpress brute force login attempt. I can see rule 31509 getting triggered
> ('WordPress login attempt.'), after 5 times rule 31510 gets triggered
> ('WordPress wp-login.php brute force attempt.'). Then the active response
> kicks in and rule 31510 (configured as level 7) emails me. So everything is
> working as it should.
>
> Then, when I override 601,602 with Christian's rules (placed in
> local_rules.xml on the server) I don't get the expected email from the
> 601 rule. Seems like not all rules in the 'tree' go via the 601 or do they?
>
> I could easily add something to the firewall-drop.sh scripts but then I
> lose the information in the email by what rule the active response was
> actually invoked. Any suggestions are highly appreciated. I can also
> provide any log info that would be useful.
>
> Kind regards,
>
> Gerard.
>
> On Saturday, November 2, 2013 1:27:54 PM UTC+1, Gerard Petersen wrote:
>>
>> Hi All,
>>
>> I'm trying to get notifications for AR Firewall drops but I can't get
>> it to work. The easiest (but not preferred) way seemed to edit file
>> "firewall_rules.xml" and change this:
>>
>>   <rule id="4101" level="5">
>>     <if_sid>4100</if_sid>
>>     <action>DROP</action>
>>     <options>no_log</options>
>>     <description>Firewall drop event.</description>
>>     <group>firewall_drop,</group>
>>   </rule>
>>
>> Into this:
>>
>>   <rule id="4101" level="8">
>>     <if_sid>4100</if_sid>
>>     <action>DROP</action>
>>     <description>Firewall drop event.</description>
>>     <group>firewall_drop,</group>
>>   </rule>
>>
>> Then, amazingly, the active response stops working completely. The
>> preferred way, as I see it, would be to add a new rule and if_sid from the
>> 4101 with a level=8.
>>
>> <group name="firewall,">
>>   <rule id="100201" level="8">
>>     <if_sid>4101</if_sid>
>>     <description>TEST - Firewall DROP.</description>
>>   </rule>
>> </group> <!-- firewall, -->
>>
>> But no luck on either setup. Can anybody see what I do not?
>>
>> Thanx a lot.
>>
>> Kind regards,
>>
>> Gerard.
>>
> --
>
> ---
> You received this message because you are subscribed to the Google Groups
> "ossec-list" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to [email protected].
> For more options, visit https://groups.google.com/groups/opt_out.
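As an added example (not code from the thread or from OSSEC), here is a Python translation of Christian's ar_log decoder that pulls the invoking rule id out of active-responses.log lines; OSSEC regex syntax differs from Python's, so the patterns are rewritten rather than copied, and the sample lines beyond Christian's two are constructed.

```python
"""Decode OSSEC active-responses.log lines like the ar_log decoder above.

Added example, not code from the thread or from OSSEC: a Python translation of
that decoder's prematch/regex (in OSSEC regex, backslash-dot matches any
character and a bare dot is literal).  Sample log lines are constructed."""
import re
from typing import Dict, List, Optional

# prematch: German or English weekday abbreviation, then the date, then a
# path ending in /active-response (OSSEC: "/\.+/active-response").
PREMATCH = re.compile(
    r"^(?:Mo|Di|Mi|Do|Fr|Sa|So|Mon|Tue|Wed|Thu|Fri|Sat|Sun)\b.+? /.+/active-response"
)
# regex with offset="after_prematch": /bin/<action> <status> - <srcip> <id> <extra_data>
FIELDS = re.compile(r"/bin/(\S+) (\S+) - (\S+) (\d+\.\d+) (\d+)$")
ORDER = ("action", "status", "srcip", "id", "extra_data")

def decode(line: str) -> Optional[Dict[str, str]]:
    """Return the decoded fields, or None if ossec_logtest would not decode it."""
    pre = PREMATCH.match(line)
    if pre is None:
        return None
    fields = FIELDS.match(line, pre.end())  # continue right after the prematch
    if fields is None:
        return None
    return dict(zip(ORDER, fields.groups()))

def invoking_rules(lines: List[str]) -> Dict[str, List[str]]:
    """Map each blocked source IP to the rule ids (extra_data) whose alerts
    triggered an AR 'add' against it: the id Gerard wanted in his notification."""
    out: Dict[str, List[str]] = {}
    for line in lines:
        d = decode(line)
        if d is not None and d["status"] == "add":
            out.setdefault(d["srcip"], []).append(d["extra_data"])
    return out

# Constructed sample: Christian's two German-locale lines, one English-locale
# line (GNU date format) with a documentation IP, and one undecodable line.
SAMPLE_LOG = [
    "Do 7. Nov 07:59:48 CET 2013 /var/ossec/active-response/bin/firewall-drop.sh add - 37.187.77.137 1383807588.12075 100200",
    "Do 7. Nov 08:10:19 CET 2013 /var/ossec/active-response/bin/firewall-drop.sh delete - 37.187.77.137 1383807588.12075 100200",
    "Thu Nov  7 08:15:02 CET 2013 /var/ossec/active-response/bin/firewall-drop.sh add - 198.51.100.23 1383808502.13001 31510",
    "Nov  7 08:16:00 host sshd[123]: not an active-response line",
]

if __name__ == "__main__":
    for entry in SAMPLE_LOG:
        print(decode(entry))
    print(invoking_rules(SAMPLE_LOG))
```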