On Thu, Aug 28, 2014 at 11:08 AM, dan (ddp) <[email protected]> wrote:
> On Thu, Aug 28, 2014 at 10:19 AM, Tim Boyer <[email protected]> wrote:
>> We've got an instance that we're finally ready to go with Active Response
>> on.  2.8, running on a RHEL6 server.
>>
>> Vanilla OSSEC works great; emails us alerts:
>>
>>   <global>
>>     <email_notification>yes</email_notification>
>>     <email_to>[email protected]</email_to>
>>     <smtp_server>localhost</smtp_server>
>>     <email_from>[email protected]</email_from>
>>     <white_list>10.127.70.130</white_list>
>>   </global>
>>
>>   <email_alerts>
>>     <email_to>[email protected]</email_to>
>>     <level>5</level>
>>     <do_not_group />
>>   </email_alerts>
>>
>> So for active response, I've done the usual active response stuff, and it
>> works great!  Test by brute ssh; puts an entry into the log, and slams
>> iptables shut.
>>
>> <rule id="100002" level="3">
>>   <decoded_as>ar_log</decoded_as>
>>   <options>alert_by_email</options>
>>   <group>active_response_notification</group>
>>   <action>firewall-drop.sh</action>
>>   <status>add</status>
>>   <description>Active response firewall-drop.sh was run, host blocked</description>
>> </rule>
>>
>
> When you use ossec-logtest, do the sample log messages trigger this alert?
>

Based on my 2-minute testing, no.

# cat /tmp/xxx | /var/ossec/bin/ossec-logtest
2014/08/28 11:29:59 ossec-testrule: INFO: Reading local decoder file.
2014/08/28 11:30:00 ossec-testrule: INFO: Started (pid: 25863).
ossec-testrule: Type one log per line.

**Phase 1: Completed pre-decoding.
       full event: 'Thu Aug 28 09:09:20 EDT 2014
/var/ossec/active-response/bin/firewall-drop.sh add - 10.127.72.107
1409231360.173267 5712'
       hostname: 'arrakis'
       program_name: '(null)'
       log: 'Thu Aug 28 09:09:20 EDT 2014
/var/ossec/active-response/bin/firewall-drop.sh add - 10.127.72.107
1409231360.173267 5712'

**Phase 2: Completed decoding.
       decoder: 'ar_log'
       action: 'firewall-drop.sh'
       status: 'add'
       srcip: '10.127.72.107'
       id: '1409231360.173267'
       extra_data: '5712'

**Phase 3: Completed filtering (rules).
       Rule id: '601'
       Level: '3'
       Description: 'Host Blocked by firewall-drop.sh Active Response'
**Alert to be generated.

Change the rule to:
<rule id="100002" level="3">
  <if_sid>601</if_sid>
  <decoded_as>ar_log</decoded_as>
  <options>alert_by_email</options>
  <group>active_response_notification</group>
  <action>firewall-drop.sh</action>
  <status>add</status>
  <description>Active response firewall-drop.sh was run, host blocked</description>
</rule>
and I get this:
# cat /tmp/xxx | /var/ossec/bin/ossec-logtest
2014/08/28 11:31:20 ossec-testrule: INFO: Reading local decoder file.
2014/08/28 11:31:20 ossec-testrule: INFO: Started (pid: 14533).
ossec-testrule: Type one log per line.

**Phase 1: Completed pre-decoding.
       full event: 'Thu Aug 28 09:09:20 EDT 2014
/var/ossec/active-response/bin/firewall-drop.sh add - 10.127.72.107
1409231360.173267 5712'
       hostname: 'arrakis'
       program_name: '(null)'
       log: 'Thu Aug 28 09:09:20 EDT 2014
/var/ossec/active-response/bin/firewall-drop.sh add - 10.127.72.107
1409231360.173267 5712'

**Phase 2: Completed decoding.
       decoder: 'ar_log'
       action: 'firewall-drop.sh'
       status: 'add'
       srcip: '10.127.72.107'
       id: '1409231360.173267'
       extra_data: '5712'

**Phase 3: Completed filtering (rules).
       Rule id: '100002'
       Level: '3'
       Description: 'Active response firewall-drop.sh was run, host blocked'
**Alert to be generated.

>> Except... no email alert, to anyone.  I tried the obvious and set the level
>> to "14" - still no alert.
>>
>> Now, the only weird thing I noticed in the alerts.log was this:
>>
>> ** Alert 1409231362.174249: -
>> ossec,active_response,ative_response_notification
>> 2014 Aug 28 09:09:22 (roosevelt)
>> 10.127.72.105->/var/ossec/logs/active-responses.log
>> Rule: 601 (level 3) -> 'Host Blocked by firewall-drop.sh Active Response'
>> Src IP: 10.127.72.107
>> Thu Aug 28 09:09:20 EDT 2014 /var/ossec/active-response/bin/firewall-drop.sh
>> add - 10.127.72.107 1409231360.173267 5712
>>
>> Note the 'ative_response_notification'.  ative, not active, but I don't know
>> if this could be doing it.
>>
>
> I don't see anything off hand.
> `grep ative_response /var/ossec/etc/*; grep ative_response
> /var/ossec/rules/*`
>
>> Suggestions appreciated...
>>
>> --
>>
>> ---
>> You received this message because you are subscribed to the Google Groups
>> "ossec-list" group.
>> To unsubscribe from this group and stop receiving emails from it, send an
>> email to [email protected].
>> For more options, visit https://groups.google.com/d/optout.
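A small regression check for the situation in this thread, added here as an example and not part of the thread or of OSSEC itself: it parses the ossec-logtest output format shown above and asserts which rule id fires, so a custom rule that is being shadowed by a stock rule (here 601, before `<if_sid>601</if_sid>` was added) is caught before it is relied on for email alerts. The sample output is constructed from the thread; the `run_logtest` helper and the binary path are assumptions.

```python
import re
import subprocess
from typing import Dict, List, Optional

# Constructed sample: ossec-logtest output in the format shown in the thread,
# after the rule gained <if_sid>601</if_sid>.
SAMPLE_OUTPUT = """\
**Phase 1: Completed pre-decoding.
       hostname: 'arrakis'
       program_name: '(null)'

**Phase 2: Completed decoding.
       decoder: 'ar_log'
       action: 'firewall-drop.sh'
       status: 'add'
       srcip: '10.127.72.107'
       id: '1409231360.173267'
       extra_data: '5712'

**Phase 3: Completed filtering (rules).
       Rule id: '100002'
       Level: '3'
       Description: 'Active response firewall-drop.sh was run, host blocked'
**Alert to be generated.
"""

FIELD_RE = re.compile(r"^\s+([\w ]+?): '(.*)'$")   # "       Rule id: '100002'"

def parse_logtest(output: str) -> Dict[str, Dict[str, str]]:
    """Split ossec-logtest output into {"Phase N": {field: value}}."""
    phases: Dict[str, Dict[str, str]] = {}
    current: Optional[str] = None
    for line in output.splitlines():
        if line.startswith("**Phase"):
            current = line.split(":")[0].replace("**", "")   # e.g. "Phase 3"
            phases[current] = {}
        elif line.startswith("**Alert"):
            phases.setdefault("Phase 3", {})["alert"] = "yes"
        elif current is not None:
            m = FIELD_RE.match(line)
            if m:
                phases[current][m.group(1)] = m.group(2)
    return phases

def rule_check(output: str, expected_rule: str, expected_level: str) -> bool:
    """True only if Phase 3 reports the expected rule id and level and an alert."""
    p3 = parse_logtest(output).get("Phase 3", {})
    return (p3.get("Rule id") == expected_rule and p3.get("Level") == expected_level
            and p3.get("alert") == "yes")

def run_logtest(lines: List[str], binary: str = "/var/ossec/bin/ossec-logtest") -> str:
    """Assumed helper: feed sample log lines on stdin, like `cat file | ossec-logtest`."""
    proc = subprocess.run([binary], input="\n".join(lines) + "\n",
                          capture_output=True, text=True, check=False)
    return proc.stdout + proc.stderr
```

Run it against a saved active-responses.log line and fail the deploy if `rule_check(..., "100002", "3")` is false; with the original rule it would report 601 instead.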
