On Thu, Aug 28, 2014 at 10:19 AM, Tim Boyer <[email protected]> wrote:

> We've got an instance that we're finally ready to go with Active Response
> on. 2.8, running on a RHEL6 server.
>
> Vanilla OSSEC works great; emails us alerts:
>
> <global>
> <email_notification>yes</email_notification>
> <email_to>[email protected]</email_to>
> <smtp_server>localhost</smtp_server>
> <email_from>[email protected]</email_from>
> <white_list>10.127.70.130</white_list>
> </global>
>
> <email_alerts>
> <email_to>[email protected]</email_to>
> <level>5</level>
> <do_not_group />
> </email_alerts>
>
> So for active response, I've done the usual active response stuff, and it
> works great! Test by brute ssh; puts an entry into the log, and slams
> iptables shut.
>
> <rule id="100002" level="3">
> <decoded_as>ar_log</decoded_as>
> <options>alert_by_email</options>
> <group>active_response_notification</group>
> <action>firewall-drop.sh</action>
> <status>add</status>
> <description>Active response firewall-drop.sh was run, host
> blocked</description>
> </rule>
>

When you use ossec-logtest, do the sample log messages trigger this alert?

> Except... no email alert, to anyone. I tried the obvious and set the level
> to "14" - still no alert.
>
> Now, the only weird thing I noticed in the alerts.log was this:
>
> ** Alert 1409231362.174249: - ossec,active_response,ative_response_notification
> 2014 Aug 28 09:09:22 (roosevelt) 10.127.72.105->/var/ossec/logs/active-responses.log
> Rule: 601 (level 3) -> 'Host Blocked by firewall-drop.sh Active Response'
> Src IP: 10.127.72.107
> Thu Aug 28 09:09:20 EDT 2014 /var/ossec/active-response/bin/firewall-drop.sh
> add - 10.127.72.107 1409231360.173267 5712
>
> Note the 'ative_response_notification'. ative, not active, but I don't know
> if this could be doing it.
>

I don't see anything off hand. `grep ative_response /var/ossec/etc/*; grep ative_response /var/ossec/rules/*`

> Suggestions appreciated...
>
> --
>
> ---
> You received this message because you are subscribed to the Google Groups
> "ossec-list" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to [email protected].
> For more options, visit https://groups.google.com/d/optout.
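An added example, not part of this thread or of OSSEC itself: a small parser for the alerts.log block format quoted above (the "** Alert" header, the agent/location line, the "Rule:" and "Src IP:" lines) that pulls out the rule id, level, groups and source IP, and then compares each alert's groups against the group names declared in your rules. Run over the entry Tim pasted, it flags the "ative_response_notification" group and names the closest declared group, which is the kind of spelling mismatch that grep across the rules directory would otherwise have to find by hand. The expected group set below is an assumption built from the rule in the thread.

```python
import difflib
import re

# Constructed sample input: the alerts.log entry quoted in the thread, joined
# onto its original lines (the mailer had wrapped the last line).
SAMPLE_ALERTS = """** Alert 1409231362.174249: - ossec,active_response,ative_response_notification
2014 Aug 28 09:09:22 (roosevelt) 10.127.72.105->/var/ossec/logs/active-responses.log
Rule: 601 (level 3) -> 'Host Blocked by firewall-drop.sh Active Response'
Src IP: 10.127.72.107
Thu Aug 28 09:09:20 EDT 2014 /var/ossec/active-response/bin/firewall-drop.sh add - 10.127.72.107 1409231360.173267 5712
"""

HEADER_RE = re.compile(r"^\*\* Alert (?P<ts>\d+\.\d+): (?P<flags>\S+) (?P<groups>\S+)$")
LOCATION_RE = re.compile(r"^\d{4} \w{3} \d{2} \d\d:\d\d:\d\d \((?P<agent>[^)]+)\) (?P<ip>\S+)->(?P<location>\S+)$")
RULE_RE = re.compile(r"^Rule: (?P<id>\d+) \(level (?P<level>\d+)\) -> '(?P<desc>.*)'$")
SRCIP_RE = re.compile(r"^Src IP: (?P<ip>\S+)$")


def parse_alerts(text):
    """Split an alerts.log dump into one dict per '** Alert' block."""
    alerts, cur = [], None
    for line in text.splitlines():
        if m := HEADER_RE.match(line):
            cur = {"ts": m["ts"], "groups": m["groups"].split(","), "rule": None,
                   "level": None, "src_ip": None, "agent": None, "location": None, "payload": []}
            alerts.append(cur)
        elif cur is None:
            continue  # text before the first header is ignored
        elif m := LOCATION_RE.match(line):
            cur["agent"], cur["location"] = m["agent"], m["location"]
        elif m := RULE_RE.match(line):
            cur["rule"], cur["level"], cur["desc"] = int(m["id"]), int(m["level"]), m["desc"]
        elif m := SRCIP_RE.match(line):
            cur["src_ip"] = m["ip"]
        elif line.strip():
            cur["payload"].append(line)  # the raw log line that fired the rule
    return alerts


def find_group_mismatches(alerts, declared_groups):
    """Return (alert ts, offending group, closest declared group or None) for every
    group tag in an alert that is not in the set of groups your rule files declare."""
    mismatches = []
    for a in alerts:
        for g in a["groups"]:
            if g not in declared_groups:
                close = difflib.get_close_matches(g, sorted(declared_groups), n=1, cutoff=0.8)
                mismatches.append((a["ts"], g, close[0] if close else None))
    return mismatches


# Assumed declared groups: OSSEC's own two plus the one from rule 100002 in the thread.
DECLARED = {"ossec", "active_response", "active_response_notification"}
```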
