On Tue, Nov 26, 2013 at 3:08 AM, C. L. Martinez <[email protected]> wrote:
> On Tue, Nov 26, 2013 at 6:12 AM, C. L. Martinez <[email protected]> wrote:
>> On Mon, Nov 25, 2013 at 2:06 PM, C. L. Martinez <[email protected]> wrote:
>>> On Mon, Nov 25, 2013 at 2:02 PM, dan (ddp) <[email protected]> wrote:
>>>> On Mon, Nov 25, 2013 at 8:51 AM, C. L. Martinez <[email protected]> wrote:
>>>>> On Mon, Nov 25, 2013 at 1:17 PM, dan (ddp) <[email protected]> wrote:
>>>>>> On Mon, Nov 25, 2013 at 6:36 AM, C. L. Martinez <[email protected]> wrote:
>>>>>>> Hi all,
>>>>>>>
>>>>>>> Last week I updated 5 clients and one ossec server to release
>>>>>>> 2.7.1. My surprise is with the restart-ossec active response: it
>>>>>>> doesn't work.
>>>>>>>
>>>>>>> My config (as it appears in the OSSEC docs) is:
>>>>>>>
>>>>>>>   <command>
>>>>>>>     <name>restart-ossec</name>
>>>>>>>     <executable>restart-ossec.sh</executable>
>>>>>>>     <expect></expect>
>>>>>>>   </command>
>>>>>>>
>>>>>>>   <active-response>
>>>>>>>     <command>restart-ossec</command>
>>>>>>>     <location>local</location>
>>>>>>>     <rules_id>120000</rules_id>
>>>>>>>   </active-response>
>>>>>>>
>>>>>>> and rule 120000:
>>>>>>>
>>>>>>>   <rule id="120000" level="10">
>>>>>>>     <if_sid>550</if_sid>
>>>>>>>     <match>/var/ossec/etc/shared/agent.conf</match>
>>>>>>>     <description>Customized agent.conf has been modified.</description>
>>>>>>>   </rule>
>>>>>>>
>>>>>>> but running agent_control -L:
>>>>>>>
>>>>>>>   OSSEC HIDS agent_control. Available active responses:
>>>>>>>
>>>>>>>   Response name: firewall-drop86400, command: firewall-drop.sh
>>>>>>>
>>>>>>> ... it doesn't appear. Any idea why?
>>>>>>>
>>>>>>
>>>>>> Is ossec-execd running?
>>>>>>
>>>>>
>>>>> Yes, in all components: agents and server ...
>>>>>
>>>>
>>>> Is 120000 firing properly?
>>>>
>>>
>>> Yes, according to my tests. To be sure, I have added
>>> /var/ossec/etc/shared to the syscheck section. For example:
>>>
>>>   <agent_config os="Linux">
>>>     <syscheck>
>>>       <scan_on_start>no</scan_on_start>
>>>       <frequency>43200</frequency>
>>>       <scan_time>01:33</scan_time>
>>>       <auto_ignore>no</auto_ignore>
>>>       <alert_new_files>yes</alert_new_files>
>>>       <directories report_changes="yes" realtime="yes" check_all="yes">/etc,/var/ossec/etc/shared</directories>
>>>       <directories check_all="yes" realtime="yes">/usr/bin,/usr/sbin,/bin,/sbin,/usr/local/bin,/usr/local/sbin</directories>
>>>       <ignore>/etc/adjtime</ignore>
>>>       <ignore>/etc/aliases.db</ignore>
>>>       <ignore>/etc/hosts.deny</ignore>
>>>       <ignore>/etc/ld.so.cache</ignore>
>>>       <ignore>/etc/lvm/cache/.cache</ignore>
>>>       <ignore>/etc/mtab</ignore>
>>>       <ignore>/etc/rc.d/rc0.d,/etc/rc.d/rc1.d,/etc/rc.d/rc2.d,/etc/rc.d/rc3.d,/etc/rc.d/rc4.d,/etc/rc.d/rc5.d,/etc/rc.d/rc6.d</ignore>
>>>     </syscheck>
>>>   ....
>>
>>
>> Please, any idea?
>
>
> Uhmm... is this restart-ossec.sh script correct?
>

The best part about open source is that you don't have to ask such questions:
https://bitbucket.org/jbcheng/ossec-hids/src/e0b12fd4961c97850841a6f1a7e8af47f1bb3e41/active-response/restart-ossec.sh?at=default

> #!/bin/sh
> # Restarts ossec.
> # Requirements: none
> # Author: Daniel B. Cid
>
> ACTION=$1
> USER=$2
> IP=$3
>
> LOCAL=`dirname $0`;
> cd $LOCAL
> cd ../
> PWD=`pwd`
> UNAME=`uname`
>
> # Logging the call
> echo "`date` $0 $1 $2 $3 $4 $5" >> ${PWD}/../logs/active-responses.log
>
> # Adding the ip to hosts.deny
> if [ "x${ACTION}" = "xadd" ]; then
>    ${PWD}/../bin/ossec-control restart
>    exit 0;
>
> # Deleting from hosts.deny
> elif [ "x${ACTION}" = "xdelete" ]; then
>    exit 0;
>
> # Invalid action
> else
>    echo "$0: invalid action: ${ACTION}"
> fi
>
> exit 1;
>
> it is the default that comes with ossec 2.7.1 ...

--

---
You received this message because you are subscribed to the Google Groups "ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
For more options, visit https://groups.google.com/groups/opt_out.
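As an added example (not from this thread or from the OSSEC project), a small Python check that cross-references each `<active-response>` block against the defined `<command>` names and executables, the first thing worth verifying when a response such as restart-ossec is missing from `agent_control -L`. The configuration it parses is constructed inline from the thread's snippets plus one deliberately misspelled entry; the enclosing `<root>` element is an assumption, since ElementTree needs a single root while OSSEC accepts several `<ossec_config>` blocks.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the <command>/<active-response> pair from the thread, a
# second pair, and one entry whose command name is misspelled. OSSEC accepts
# several top-level <ossec_config> blocks; the <root> wrapper is only here so
# ElementTree sees a single root element.
SAMPLE_CONF = """<root><ossec_config>
  <command><name>restart-ossec</name>
    <executable>restart-ossec.sh</executable><expect></expect></command>
  <command><name>firewall-drop</name>
    <executable>firewall-drop.sh</executable><expect>srcip</expect></command>
  <active-response><command>restart-ossec</command>
    <location>local</location><rules_id>120000</rules_id></active-response>
  <active-response><command>firewall-drop</command>
    <location>local</location><level>6</level><timeout>86400</timeout>
  </active-response>
  <active-response><command>restart-osec</command>
    <location>local</location><rules_id>120000</rules_id></active-response>
</ossec_config></root>"""


def check_active_responses(conf_xml):
    """Cross-check every <active-response> against the <command> definitions.
    Returns one (command_name, status, detail) tuple per <active-response>,
    where status is "OK" or "ERROR"."""
    root = ET.fromstring(conf_xml)
    # Only <command> blocks with a <name> child are definitions; the
    # <command> inside <active-response> is a reference, not a definition.
    commands = {}
    for cmd in root.iter("command"):
        if cmd.find("name") is not None:
            commands[cmd.findtext("name").strip()] = (cmd.findtext("executable") or "").strip()

    findings = []
    for ar in root.iter("active-response"):
        name = (ar.findtext("command") or "").strip()
        # An active-response needs at least one trigger to ever be scheduled.
        triggers = [t for t in ("rules_id", "level", "rules_group") if ar.find(t) is not None]
        if name not in commands:
            findings.append((name, "ERROR", "references undefined <command>"))
        elif not commands[name]:
            findings.append((name, "ERROR", "<command> has no <executable>"))
        elif not triggers:
            findings.append((name, "ERROR", "no rules_id/level/rules_group trigger"))
        else:
            findings.append((name, "OK", "%s via %s" % (commands[name], ",".join(triggers))))
    return findings
```

Run it against the real ossec.conf (wrapped in a single root element) to see which responses are wired up and which references are dangling.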
