On Thu, Aug 28, 2014 at 9:05 PM, Tim Boyer <[email protected]> wrote:
>
>
> On Thursday, August 28, 2014 11:32:47 AM UTC-4, dan (ddpbsd) wrote:
>>
>> On Thu, Aug 28, 2014 at 11:08 AM, dan (ddp) <[email protected]> wrote:
>> > On Thu, Aug 28, 2014 at 10:19 AM, Tim Boyer <[email protected]> wrote:
>> >> We've got an instance that we're finally ready to go with Active
>> >> Response on. 2.8, running on a RHEL6 server.
>> >>
>> >> Vanilla OSSEC works great; emails us alerts:
>> >>
>> >> <global>
>> >> <email_notification>yes</email_notification>
>> >> <email_to>[email protected]</email_to>
>> >> <smtp_server>localhost</smtp_server>
>> >> <email_from>[email protected]</email_from>
>> >> <white_list>10.127.70.130</white_list>
>> >> </global>
>> >>
>> >> <email_alerts>
>> >> <email_to>[email protected]</email_to>
>> >> <level>5</level>
>> >> <do_not_group />
>> >> </email_alerts>
>> >>
>> >> So for active response, I've done the usual active response stuff, and
>> >> it works great! Test by brute ssh; puts an entry into the log, and slams
>> >> iptables shut.
>> >>
>> >> <rule id="100002" level="3">
>> >> <decoded_as>ar_log</decoded_as>
>> >> <options>alert_by_email</options>
>> >> <group>active_response_notification</group>
>> >> <action>firewall-drop.sh</action>
>> >> <status>add</status>
>> >> <description>Active response firewall-drop.sh was run, host blocked</description>
>> >> </rule>
>> >>
>> >
>> > When you use ossec-logtest, do the sample log messages trigger this
>> > alert?
>> >
>>
>> Based on my 2 minute testing, no.
>>
>> # cat /tmp/xxx | /var/ossec/bin/ossec-logtest
>> 2014/08/28 11:29:59 ossec-testrule: INFO: Reading local decoder file.
>> 2014/08/28 11:30:00 ossec-testrule: INFO: Started (pid: 25863).
>> ossec-testrule: Type one log per line.
>>
>> **Phase 1: Completed pre-decoding.
>> full event: 'Thu Aug 28 09:09:20 EDT 2014 /var/ossec/active-response/bin/firewall-drop.sh add - 10.127.72.107 1409231360.173267 5712'
>> hostname: 'arrakis'
>> program_name: '(null)'
>> log: 'Thu Aug 28 09:09:20 EDT 2014 /var/ossec/active-response/bin/firewall-drop.sh add - 10.127.72.107 1409231360.173267 5712'
>>
>> **Phase 2: Completed decoding.
>> decoder: 'ar_log'
>> action: 'firewall-drop.sh'
>> status: 'add'
>> srcip: '10.127.72.107'
>> id: '1409231360.173267'
>> extra_data: '5712'
>>
>> **Phase 3: Completed filtering (rules).
>> Rule id: '601'
>> Level: '3'
>> Description: 'Host Blocked by firewall-drop.sh Active Response'
>> **Alert to be generated.
>>
>> Change the rule to:
>> <rule id="100002" level="3">
>> <if_sid>601</if_sid>
>> <decoded_as>ar_log</decoded_as>
>> <options>alert_by_email</options>
>> <group>active_response_notification</group>
>> <action>firewall-drop.sh</action>
>> <status>add</status>
>> <description>Active response firewall-drop.sh was run, host blocked</description>
>> </rule>
>> and I get this:
>> # cat /tmp/xxx | /var/ossec/bin/ossec-logtest
>> 2014/08/28 11:31:20 ossec-testrule: INFO: Reading local decoder file.
>> 2014/08/28 11:31:20 ossec-testrule: INFO: Started (pid: 14533).
>> ossec-testrule: Type one log per line.
>>
>> **Phase 1: Completed pre-decoding.
>> full event: 'Thu Aug 28 09:09:20 EDT 2014 /var/ossec/active-response/bin/firewall-drop.sh add - 10.127.72.107 1409231360.173267 5712'
>> hostname: 'arrakis'
>> program_name: '(null)'
>> log: 'Thu Aug 28 09:09:20 EDT 2014 /var/ossec/active-response/bin/firewall-drop.sh add - 10.127.72.107 1409231360.173267 5712'
>>
>> **Phase 2: Completed decoding.
>> decoder: 'ar_log'
>> action: 'firewall-drop.sh'
>> status: 'add'
>> srcip: '10.127.72.107'
>> id: '1409231360.173267'
>> extra_data: '5712'
>>
>> **Phase 3: Completed filtering (rules).
>> Rule id: '100002'
>> Level: '3'
>> Description: 'Active response firewall-drop.sh was run, host blocked'
>> **Alert to be generated.
>>
>
> Adding the <if_sid> causes the active response not to trigger.
>
I'm sorry, I don't see your AR configuration.

> --
>
> ---
> You received this message because you are subscribed to the Google Groups "ossec-list" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
> For more options, visit https://groups.google.com/d/optout.
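The ossec-logtest output in the thread shows which fields the `ar_log` decoder pulls out of a line from active-responses.log (action, status, srcip, id, extra_data). The following is an added example, not code from the thread or from the OSSEC project: a small Python decoder for that line layout, plus a replay of add/delete events that tells a defender which addresses firewall-drop.sh should still have blocked. The field layout is taken from the full event shown above; the assumption that the fourth field (`-`) is the user argument comes from the argument order the active-response scripts are called with and is not stated in the thread. The log lines are constructed samples.

```python
import ipaddress
import os
import re

# Constructed sample lines in the layout of active-responses.log, as seen in the
# "full event" of the ossec-logtest output: the first mirrors the thread's event,
# the others are made up (a matching delete, a second block, and a malformed line).
SAMPLE_AR_LOG = [
    "Thu Aug 28 09:09:20 EDT 2014 /var/ossec/active-response/bin/firewall-drop.sh add - 10.127.72.107 1409231360.173267 5712",
    "Thu Aug 28 09:19:20 EDT 2014 /var/ossec/active-response/bin/firewall-drop.sh delete - 10.127.72.107 1409231360.173267 5712",
    "Thu Aug 28 09:20:01 EDT 2014 /var/ossec/active-response/bin/firewall-drop.sh add - 192.0.2.44 1409231361.100 5712",
    "Thu Aug 28 09:21:00 EDT 2014 /var/ossec/active-response/bin/firewall-drop.sh add - not-an-ip 1409231362.5 5712",
]

# Layout assumed here (assumption, see lead-in):
#   <timestamp> <script path> <add|delete> <user> <srcip> <alert id> <rule id>
# The decoder output in the thread labels the last field "extra_data".
AR_LOG_RE = re.compile(
    r"^(?P<timestamp>\w{3} \w{3} +\d{1,2} \d{2}:\d{2}:\d{2} \w+ \d{4}) "
    r"(?P<script>\S+) "
    r"(?P<status>add|delete) "
    r"(?P<user>\S+) "
    r"(?P<srcip>\S+) "
    r"(?P<alert_id>\d+\.\d+) "
    r"(?P<extra_data>\S+)$"
)


def decode_ar_log(line):
    """Return the fields the ar_log decoder exposes, or None if the line
    does not fit the layout or carries an srcip that is not an IP address."""
    m = AR_LOG_RE.match(line.strip())
    if not m:
        return None
    try:
        # Reject garbage in the address field instead of propagating it.
        srcip = str(ipaddress.ip_address(m["srcip"]))
    except ValueError:
        return None
    return {
        # The decoder reports only the script name, not its full path.
        "action": os.path.basename(m["script"]),
        "status": m["status"],
        "srcip": srcip,
        "id": m["alert_id"],
        "extra_data": m["extra_data"],
    }


def currently_blocked(lines, script="firewall-drop.sh"):
    """Replay add/delete events for one script and return the set of
    source addresses that should still be blocked after the last line."""
    blocked = set()
    for line in lines:
        fields = decode_ar_log(line)
        if fields is None or fields["action"] != script:
            continue  # unparseable line or a different response script
        if fields["status"] == "add":
            blocked.add(fields["srcip"])
        else:  # "delete": the timeout run of the same script
            blocked.discard(fields["srcip"])
    return blocked


if __name__ == "__main__":
    for line in SAMPLE_AR_LOG:
        print(decode_ar_log(line))
    print("still blocked:", sorted(currently_blocked(SAMPLE_AR_LOG)))
```

Comparing the set returned by `currently_blocked` against the live iptables rules is a quick way to check whether every `add` the log records actually reached the firewall, which is the kind of evidence the thread's question about the response not triggering would need.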
