Hi All,
Just a follow-up: I was able to get around this strange issue by
doing the following:
On the Server:
chown root:ossec ar.conf
service ossec restart
On the Agent:
service ossec restart
The Agent's /var/ossec/etc/shared now magically downloaded the proper
ar.conf file:
root@host1:/var/ossec/etc/shared# ls -l
total 168
-rw-r--r-- 1 ossec ossec 153 Jan 23 16:41 ar.conf
-rwxrwx--- 1 root ossec 9501 Jan 23 16:41 cis_debian_linux_rcl.txt
-rwxrwx--- 1 root ossec 8192 Jan 23 16:41 cis_rhel5_linux_rcl.txt
-rwxrwx--- 1 root ossec 14251 Jan 23 16:41 cis_rhel_linux_rcl.txt
-rw-r--r-- 1 ossec ossec 70352 Jan 23 16:41 merged.mg
-rwxrwx--- 1 root ossec 14872 Jan 23 16:41 rootkit_files.txt
-rwxrwx--- 1 root ossec 5193 Jan 23 16:41 rootkit_trojans.txt
-rwxrwx--- 1 root ossec 4457 Jan 23 16:41 system_audit_rcl.txt
-rwxrwx--- 1 root ossec 4682 Jan 23 16:41 win_applications_rcl.txt
-rwxrwx--- 1 root ossec 3859 Jan 23 16:41 win_audit_rcl.txt
-rwxrwx--- 1 root ossec 4929 Jan 23 16:41 win_malware_rcl.txt
No more errors in my logs!!
~Jeremy
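The fix above is a permissions problem: the server's ar.conf was root:root with mode 0440, which the OSSEC daemons (unprivileged users in group ossec) cannot read, so it was never merged and pushed to the agents. As an added example, not code from the thread, this POSIX sh check flags files in a shared directory that a given group (and optionally user) cannot read; it assumes GNU stat, and the directory, group and user names are parameters.

```shell
#!/bin/sh
# Added example, not code from the thread: report files in an OSSEC
# shared directory that the OSSEC daemons could not read.  remoted and
# agentd run as unprivileged users in group ossec, so a file owned
# root:root with mode 0440 (ar.conf in the original listing) is
# unreadable to them and never reaches the agents.
#
# usage: check_shared_readable DIR GROUP [USER]   (GNU stat assumed)
# Prints one line per unreadable file; returns 1 if any were found.
check_shared_readable() {
    _dir=$1; _grp=$2; _usr=${3:-}
    _bad=0
    for _f in "$_dir"/*; do
        [ -f "$_f" ] || continue
        # owner name, group name, octal mode, e.g. "root root 440"
        set -- $(stat -c '%U %G %a' "$_f")
        _own=$1; _fgrp=$2
        _mode=$(printf '%04o' "0$3")     # zero-pad, e.g. 440 -> 0440
        _mode=${_mode#?}                  # drop setuid/setgid/sticky digit
        _u=${_mode%??}                    # owner digit
        _g=${_mode%?}; _g=${_g#?}         # group digit
        _o=${_mode#??}                    # other digit
        _ok=0
        # readable if world-readable, or via the daemon's group or user
        if [ $(( $_o & 4 )) -ne 0 ]; then _ok=1; fi
        if [ "$_fgrp" = "$_grp" ] && [ $(( $_g & 4 )) -ne 0 ]; then _ok=1; fi
        if [ -n "$_usr" ] && [ "$_own" = "$_usr" ] && [ $(( $_u & 4 )) -ne 0 ]; then
            _ok=1
        fi
        if [ "$_ok" -eq 0 ]; then
            printf 'UNREADABLE by %s: %s (%s:%s %s)\n' \
                "$_grp" "$_f" "$_own" "$_fgrp" "$_mode"
            _bad=1
        fi
    done
    return "$_bad"
}

# Stand-alone usage on a server: check the shared directory for group ossec
# and the remoted user (ossecr in the listing above).
# check_shared_readable /var/ossec/etc/shared ossec ossecr
```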
On 1/23/2014 4:32 PM, Jeremiah Brock wrote:
Hi All,
I am running ossec 2.7 on Ubuntu and have run into some surprising
issues with the Active Response.
Server: Linux mercury 2.6.32-33-server #72-Ubuntu SMP Fri Jul 29
21:21:55 UTC 2011 x86_64 GNU/Linux
Client: Linux host1 3.2.0-56-virtual #86-Ubuntu SMP Wed Oct 23
18:12:10 UTC 2013 i686 athlon i386 GNU/Linux
Server available active responses:
/var/ossec/bin/agent_control -L
OSSEC HIDS agent_control. Available active responses:

   No active response available.
Server ossec.log errors:
2014/01/23 14:58:50 ossec-remoted: Error accessing file '/etc/shared/ar.conf'
Agent ossec.log errors:
2014/01/23 14:30:13 ossec-execd(1103): ERROR: Unable to open file '/var/ossec/etc/shared/ar.conf'.
2014/01/23 14:30:13 ossec-execd(1311): ERROR: Invalid command name 'firewall-drop600' provided.
Server ossec.conf:
<command>
<name>host-deny</name>
<executable>host-deny.sh</executable>
<expect>srcip</expect>
<timeout_allowed>yes</timeout_allowed>
</command>
<command>
<name>firewall-drop</name>
<executable>firewall-drop.sh</executable>
<expect>srcip</expect>
<timeout_allowed>yes</timeout_allowed>
</command>
<active-response>
<command>host-deny</command>
<location>local</location>
<level>6</level>
<timeout>600</timeout>
</active-response>
<active-response>
<command>firewall-drop</command>
<location>local</location>
<level>6</level>
<timeout>600</timeout>
</active-response>
Server etc/shared directory:
root@mercury:/var/ossec/etc/shared# ls -l
total 168
-r--r----- 1 root root 153 Jan 23 14:58 ar.conf
-r--r----- 1 root ossec 9501 Nov 8 2012 cis_debian_linux_rcl.txt
-r--r----- 1 root ossec 8192 Nov 8 2012 cis_rhel5_linux_rcl.txt
-r--r----- 1 root ossec 14251 Nov 8 2012 cis_rhel_linux_rcl.txt
-rw-r--r-- 1 ossecr ossec 70186 Jan 23 14:58 merged.mg
-r--r----- 1 root ossec 14872 Nov 8 2012 rootkit_files.txt
-r--r----- 1 root ossec 5193 Nov 8 2012 rootkit_trojans.txt
-r--r----- 1 root ossec 4457 Nov 8 2012 system_audit_rcl.txt
-r--r----- 1 root ossec 4682 Nov 8 2012 win_applications_rcl.txt
-r--r----- 1 root ossec 3859 Nov 8 2012 win_audit_rcl.txt
-r--r----- 1 root ossec 4929 Nov 8 2012 win_malware_rcl.txt
Client etc/shared directory:
root@host1:/var/ossec/etc/shared# ls -l
total 88
-rwxrwx--- 1 root ossec 9501 Jan 1 15:21 cis_debian_linux_rcl.txt
-rwxrwx--- 1 root ossec 8192 Jan 1 15:21 cis_rhel5_linux_rcl.txt
-rwxrwx--- 1 root ossec 14251 Jan 1 15:21 cis_rhel_linux_rcl.txt
-rwxrwx--- 1 root ossec 14872 Jan 1 15:21 rootkit_files.txt
-rwxrwx--- 1 root ossec 5193 Jan 1 15:21 rootkit_trojans.txt
-rwxrwx--- 1 root ossec 4457 Jan 1 15:21 system_audit_rcl.txt
-rwxrwx--- 1 root ossec 4682 Jan 1 15:21 win_applications_rcl.txt
-rwxrwx--- 1 root ossec 3859 Jan 1 15:21 win_audit_rcl.txt
-rwxrwx--- 1 root ossec 4929 Jan 1 15:21 win_malware_rcl.txt
Does Active Response not work out of the box?
~Jeremy