Re: [ossec-list] Re: Active Response broken in 2.7?

[Jeremiah Brock]

Hello Dan,

    Yes, fresh install of 2.7 server mode.
    I confirmed this again this am on another ubuntu 12.04 system doing 
the following :

su root
cd /root/installs
wget http://www.ossec.net/files/ossec-hids-2.7.tar.gz
tar -zxvf ossec-hids-2.7.tar.gz
cd ossec-hids-2.7
./install.sh


    In the prompts I enabled Active Response resulting with the 
following ar.conf root:root ownership which is wrong :



~Jeremy


On 1/24/2014 4:59 AM, dan (ddp) wrote:
On Thu, Jan 23, 2014 at 8:10 PM, Jeremiah Brock
<jeremiah.j.br...@gmail.com> wrote:
Hi All,

     Just a follow up, I was able to get around this strange issue by doing
the following :

Was this a new install?

On the Server :
chown root:ossec ar.conf
service ossec restart

On the Agent :
service ossec restart

The Agent /var/ossec/etc/shared now magically downloaded the proper ar.conf
file :
root@host1:/var/ossec/etc/shared# ls -l
total 168
-rw-r--r-- 1 ossec ossec   153 Jan 23 16:41 ar.conf
-rwxrwx--- 1 root  ossec  9501 Jan 23 16:41 cis_debian_linux_rcl.txt
-rwxrwx--- 1 root  ossec  8192 Jan 23 16:41 cis_rhel5_linux_rcl.txt
-rwxrwx--- 1 root  ossec 14251 Jan 23 16:41 cis_rhel_linux_rcl.txt
-rw-r--r-- 1 ossec ossec 70352 Jan 23 16:41 merged.mg
-rwxrwx--- 1 root  ossec 14872 Jan 23 16:41 rootkit_files.txt
-rwxrwx--- 1 root  ossec  5193 Jan 23 16:41 rootkit_trojans.txt
-rwxrwx--- 1 root  ossec  4457 Jan 23 16:41 system_audit_rcl.txt
-rwxrwx--- 1 root  ossec  4682 Jan 23 16:41 win_applications_rcl.txt
-rwxrwx--- 1 root  ossec  3859 Jan 23 16:41 win_audit_rcl.txt
-rwxrwx--- 1 root  ossec  4929 Jan 23 16:41 win_malware_rcl.txt


No more errors in my logs!!

~Jeremy



On 1/23/2014 4:32 PM, Jeremiah Brock wrote:

Hi All,

     I am running ossec 2.7 on Ubuntu and have run into some surprising
issues with the Active Response.

     Server : Linux mercury 2.6.32-33-server #72-Ubuntu SMP Fri Jul 29
21:21:55 UTC 2011 x86_64 GNU/Linux

     Client : Linux host1 3.2.0-56-virtual #86-Ubuntu SMP Wed Oct 23 18:12:10
UTC 2013 i686 athlon i386 GNU/Linux

     Server available active responses :
/var/ossec/bin/agent_control -L

OSSEC HIDS agent_control. Available active responses:

    No active response available.


     Server ossec.log errors :
2014/01/23 14:58:50 ossec-remoted: Error accessing file
'/etc/shared/ar.conf'

     Agent ossec.log errors :
2014/01/23 14:30:13 ossec-execd(1103): ERROR: Unable to open file
'/var/ossec/etc/shared/ar.conf'.
2014/01/23 14:30:13 ossec-execd(1311): ERROR: Invalid command name
'firewall-drop600' provided.

     Server ossec.conf :
   <command>
     <name>host-deny</name>
     <executable>host-deny.sh</executable>
     <expect>srcip</expect>
     <timeout_allowed>yes</timeout_allowed>
   </command>

   <command>
     <name>firewall-drop</name>
     <executable>firewall-drop.sh</executable>
     <expect>srcip</expect>
     <timeout_allowed>yes</timeout_allowed>
   </command>

   <active-response>
     <command>host-deny</command>
     <location>local</location>
     <level>6</level>
     <timeout>600</timeout>
   </active-response>

   <active-response>
     <command>firewall-drop</command>
     <location>local</location>
     <level>6</level>
     <timeout>600</timeout>
   </active-response>


     Server etc/shared directory :
root@mercury:/var/ossec/etc/shared# ls -l
total 168
-r--r----- 1 root   root    153 Jan 23 14:58 ar.conf
-r--r----- 1 root   ossec  9501 Nov  8  2012 cis_debian_linux_rcl.txt
-r--r----- 1 root   ossec  8192 Nov  8  2012 cis_rhel5_linux_rcl.txt
-r--r----- 1 root   ossec 14251 Nov  8  2012 cis_rhel_linux_rcl.txt
-rw-r--r-- 1 ossecr ossec 70186 Jan 23 14:58 merged.mg
-r--r----- 1 root   ossec 14872 Nov  8  2012 rootkit_files.txt
-r--r----- 1 root   ossec  5193 Nov  8  2012 rootkit_trojans.txt
-r--r----- 1 root   ossec  4457 Nov  8  2012 system_audit_rcl.txt
-r--r----- 1 root   ossec  4682 Nov  8  2012 win_applications_rcl.txt
-r--r----- 1 root   ossec  3859 Nov  8  2012 win_audit_rcl.txt
-r--r----- 1 root   ossec  4929 Nov  8  2012 win_malware_rcl.txt


     Client etc/shared directory :
root@host1:/var/ossec/etc/shared# ls -l
total 88
-rwxrwx--- 1 root ossec  9501 Jan  1 15:21 cis_debian_linux_rcl.txt
-rwxrwx--- 1 root ossec  8192 Jan  1 15:21 cis_rhel5_linux_rcl.txt
-rwxrwx--- 1 root ossec 14251 Jan  1 15:21 cis_rhel_linux_rcl.txt
-rwxrwx--- 1 root ossec 14872 Jan  1 15:21 rootkit_files.txt
-rwxrwx--- 1 root ossec  5193 Jan  1 15:21 rootkit_trojans.txt
-rwxrwx--- 1 root ossec  4457 Jan  1 15:21 system_audit_rcl.txt
-rwxrwx--- 1 root ossec  4682 Jan  1 15:21 win_applications_rcl.txt
-rwxrwx--- 1 root ossec  3859 Jan  1 15:21 win_audit_rcl.txt
-rwxrwx--- 1 root ossec  4929 Jan  1 15:21 win_malware_rcl.txt


     Does Active Response not work out of the box?

     ~Jeremy


--

---
You received this message because you are subscribed to the Google Groups
"ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an
email to ossec-list+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/groups/opt_out.

--

--- 
You received this message because you are subscribed to the Google Groups "ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to ossec-list+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/groups/opt_out.
<<inline: gagcidca.png>>