On Thursday, August 28, 2014 11:32:47 AM UTC-4, dan (ddpbsd) wrote:
>
> On Thu, Aug 28, 2014 at 11:08 AM, dan (ddp) <[email protected]> wrote:
> > On Thu, Aug 28, 2014 at 10:19 AM, Tim Boyer <[email protected]> wrote:
> >> We've got an instance that we're finally ready to go with Active Response
> >> on. 2.8, running on a RHEL6 server.
> >>
> >> Vanilla OSSEC works great; emails us alerts:
> >>
> >> <global>
> >>   <email_notification>yes</email_notification>
> >>   <email_to>[email protected]</email_to>
> >>   <smtp_server>localhost</smtp_server>
> >>   <email_from>[email protected]</email_from>
> >>   <white_list>10.127.70.130</white_list>
> >> </global>
> >>
> >> <email_alerts>
> >>   <email_to>[email protected]</email_to>
> >>   <level>5</level>
> >>   <do_not_group />
> >> </email_alerts>
> >>
> >> So for active response, I've done the usual active response stuff, and it
> >> works great! Test by brute ssh; puts an entry into the log, and slams
> >> iptables shut.
> >>
> >> <rule id="100002" level="3">
> >>   <decoded_as>ar_log</decoded_as>
> >>   <options>alert_by_email</options>
> >>   <group>active_response_notification</group>
> >>   <action>firewall-drop.sh</action>
> >>   <status>add</status>
> >>   <description>Active response firewall-drop.sh was run, host blocked</description>
> >> </rule>
> >>
> >
> > When you use ossec-logtest, do the sample log messages trigger this alert?
> >
>
> Based on my 2 minute testing, no.
>
> # cat /tmp/xxx | /var/ossec/bin/ossec-logtest
> 2014/08/28 11:29:59 ossec-testrule: INFO: Reading local decoder file.
> 2014/08/28 11:30:00 ossec-testrule: INFO: Started (pid: 25863).
> ossec-testrule: Type one log per line.
>
> **Phase 1: Completed pre-decoding.
>        full event: 'Thu Aug 28 09:09:20 EDT 2014 /var/ossec/active-response/bin/firewall-drop.sh add - 10.127.72.107 1409231360.173267 5712'
>        hostname: 'arrakis'
>        program_name: '(null)'
>        log: 'Thu Aug 28 09:09:20 EDT 2014 /var/ossec/active-response/bin/firewall-drop.sh add - 10.127.72.107 1409231360.173267 5712'
>
> **Phase 2: Completed decoding.
>        decoder: 'ar_log'
>        action: 'firewall-drop.sh'
>        status: 'add'
>        srcip: '10.127.72.107'
>        id: '1409231360.173267'
>        extra_data: '5712'
>
> **Phase 3: Completed filtering (rules).
>        Rule id: '601'
>        Level: '3'
>        Description: 'Host Blocked by firewall-drop.sh Active Response'
> **Alert to be generated.
>
> Change the rule to:
>
> <rule id="100002" level="3">
>   <if_sid>601</if_sid>
>   <decoded_as>ar_log</decoded_as>
>   <options>alert_by_email</options>
>   <group>active_response_notification</group>
>   <action>firewall-drop.sh</action>
>   <status>add</status>
>   <description>Active response firewall-drop.sh was run, host blocked</description>
> </rule>
>
> and I get this:
>
> # cat /tmp/xxx | /var/ossec/bin/ossec-logtest
> 2014/08/28 11:31:20 ossec-testrule: INFO: Reading local decoder file.
> 2014/08/28 11:31:20 ossec-testrule: INFO: Started (pid: 14533).
> ossec-testrule: Type one log per line.
>
> **Phase 1: Completed pre-decoding.
>        full event: 'Thu Aug 28 09:09:20 EDT 2014 /var/ossec/active-response/bin/firewall-drop.sh add - 10.127.72.107 1409231360.173267 5712'
>        hostname: 'arrakis'
>        program_name: '(null)'
>        log: 'Thu Aug 28 09:09:20 EDT 2014 /var/ossec/active-response/bin/firewall-drop.sh add - 10.127.72.107 1409231360.173267 5712'
>
> **Phase 2: Completed decoding.
>        decoder: 'ar_log'
>        action: 'firewall-drop.sh'
>        status: 'add'
>        srcip: '10.127.72.107'
>        id: '1409231360.173267'
>        extra_data: '5712'
>
> **Phase 3: Completed filtering (rules).
>        Rule id: '100002'
>        Level: '3'
>        Description: 'Active response firewall-drop.sh was run, host blocked'
> **Alert to be generated.
>

Adding the <if_sid> causes the active response not to trigger.
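The ossec-logtest output above shows which fields the ar_log decoder extracts from the active-response log line and how rule 100002 only matches once it is chained to rule 601 via <if_sid>. The following is an added example (not code from the thread or from OSSEC) that parses the same log line into those decoder fields and replays the rule matching with a deliberately simplified model: a top-level rule (no <if_sid>) wins first by order, and a child rule then refines the match. Field names, the regular expression, and that evaluation order are assumptions for illustration.

```python
import re
from dataclasses import dataclass

# Constructed sample: the active-response log line quoted in the thread.
AR_LOG_LINE = ("Thu Aug 28 09:09:20 EDT 2014 "
               "/var/ossec/active-response/bin/firewall-drop.sh add - 10.127.72.107 "
               "1409231360.173267 5712")

# Layout as shown by ossec-logtest Phase 2 (assumed regex, not the OSSEC decoder):
# <timestamp> <script path> <add|delete> <user> <srcip> <alert id> <rule id>
AR_LOG_RE = re.compile(
    r"^(?P<ts>\w{3} \w{3} +\d+ \d\d:\d\d:\d\d \w+ \d{4}) "
    r"(?P<path>\S+/(?P<action>[^/\s]+)) (?P<status>add|delete) "
    r"(?P<user>\S+) (?P<srcip>\d{1,3}(?:\.\d{1,3}){3}) "
    r"(?P<id>\d+\.\d+) (?P<extra_data>\S+)$")

def decode_ar_log(line):
    """Return the fields ossec-logtest printed in Phase 2, or None if not ar_log."""
    m = AR_LOG_RE.match(line)
    if not m:
        return None
    return {"decoder": "ar_log", "action": m["action"], "status": m["status"],
            "srcip": m["srcip"], "id": m["id"], "extra_data": m["extra_data"]}

@dataclass
class Rule:
    id: int
    level: int
    description: str
    decoded_as: str = None
    if_sid: int = None      # parent rule; a child is only tried after its parent matched
    action: str = None
    status: str = None

    def matches(self, ev):
        wanted = (("decoder", self.decoded_as), ("action", self.action), ("status", self.status))
        return all(v is None or ev.get(k) == v for k, v in wanted)

# The default rule 601 and the corrected local rule 100002 from the thread.
RULES = [
    Rule(601, 3, "Host Blocked by firewall-drop.sh Active Response", decoded_as="ar_log"),
    Rule(100002, 3, "Active response firewall-drop.sh was run, host blocked",
         if_sid=601, decoded_as="ar_log", action="firewall-drop.sh", status="add"),
]

def evaluate(ev, rules=RULES):
    """Simplified matching: first top-level rule that matches wins, then matching
    children refine it; the deepest match is the alert that would be generated."""
    winner = next((r for r in rules if r.if_sid is None and r.matches(ev)), None)
    while winner is not None:
        child = next((r for r in rules if r.if_sid == winner.id and r.matches(ev)), None)
        if child is None:
            return winner
        winner = child
    return None
```

Dropping <if_sid> from rule 100002 in this model makes it a second top-level rule behind 601, so 601 is reported, matching the first logtest run.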
