Hi All,

I am running ossec 2.7 on Ubuntu and have run into some surprising issues with the Active Response.

Server : Linux mercury 2.6.32-33-server #72-Ubuntu SMP Fri Jul 29 21:21:55 UTC 2011 x86_64 GNU/Linux

Client : Linux host1 3.2.0-56-virtual #86-Ubuntu SMP Wed Oct 23 18:12:10 UTC 2013 i686 athlon i386 GNU/Linux

**Server available active responses:**
/var/ossec/bin/agent_control -L

OSSEC HIDS agent_control. Available active responses:

   No active response available.

**Server ossec.log errors:**
2014/01/23 14:58:50 ossec-remoted: Error accessing file '/etc/shared/ar.conf'

**Agent ossec.log errors:**
2014/01/23 14:30:13 ossec-execd(1103): ERROR: Unable to open file '/var/ossec/etc/shared/ar.conf'.
2014/01/23 14:30:13 ossec-execd(1311): ERROR: Invalid command name 'firewall-drop600' provided.

**Server ossec.conf:**
  <command>
    <name>host-deny</name>
    <executable>host-deny.sh</executable>
    <expect>srcip</expect>
    <timeout_allowed>yes</timeout_allowed>
  </command>

  <command>
    <name>firewall-drop</name>
    <executable>firewall-drop.sh</executable>
    <expect>srcip</expect>
    <timeout_allowed>yes</timeout_allowed>
  </command>

  <active-response>
    <command>host-deny</command>
    <location>local</location>
    <level>6</level>
    <timeout>600</timeout>
  </active-response>

  <active-response>
    <command>firewall-drop</command>
    <location>local</location>
    <level>6</level>
    <timeout>600</timeout>
  </active-response>
/

**Server etc/shared directory:**
root@mercury:/var/ossec/etc/shared# ls -l
total 168
-r--r----- 1 root   root    153 Jan 23 14:58 ar.conf
-r--r----- 1 root   ossec  9501 Nov  8  2012 cis_debian_linux_rcl.txt
-r--r----- 1 root   ossec  8192 Nov  8  2012 cis_rhel5_linux_rcl.txt
-r--r----- 1 root   ossec 14251 Nov  8  2012 cis_rhel_linux_rcl.txt
-rw-r--r-- 1 ossecr ossec 70186 Jan 23 14:58 merged.mg
-r--r----- 1 root   ossec 14872 Nov  8  2012 rootkit_files.txt
-r--r----- 1 root   ossec  5193 Nov  8  2012 rootkit_trojans.txt
-r--r----- 1 root   ossec  4457 Nov  8  2012 system_audit_rcl.txt
-r--r----- 1 root   ossec  4682 Nov  8  2012 win_applications_rcl.txt
-r--r----- 1 root   ossec  3859 Nov  8  2012 win_audit_rcl.txt
-r--r----- 1 root   ossec  4929 Nov  8  2012 win_malware_rcl.txt


**Client etc/shared directory:**
root@host1:/var/ossec/etc/shared# ls -l
total 88
-rwxrwx--- 1 root ossec  9501 Jan  1 15:21 cis_debian_linux_rcl.txt
-rwxrwx--- 1 root ossec  8192 Jan  1 15:21 cis_rhel5_linux_rcl.txt
-rwxrwx--- 1 root ossec 14251 Jan  1 15:21 cis_rhel_linux_rcl.txt
-rwxrwx--- 1 root ossec 14872 Jan  1 15:21 rootkit_files.txt
-rwxrwx--- 1 root ossec  5193 Jan  1 15:21 rootkit_trojans.txt
-rwxrwx--- 1 root ossec  4457 Jan  1 15:21 system_audit_rcl.txt
-rwxrwx--- 1 root ossec  4682 Jan  1 15:21 win_applications_rcl.txt
-rwxrwx--- 1 root ossec  3859 Jan  1 15:21 win_audit_rcl.txt
-rwxrwx--- 1 root ossec  4929 Jan  1 15:21 win_malware_rcl.txt


Does Active Response not work out of the box?

~Jeremy
