L.S.

I'm completely in the dark. Can somebody please tell me why the active 
response bound to rule 31510 (the rules_id entry below) is not triggered, even though the 31510 alert itself does fire in the log at the end?

# Rules from /var/ossec/rules/local_rules.xml

<group name="wordpress,">
    <!-- 31509: a single POST to wp-login.php, seen through the Apache access
         log (child of 31108). It matches on the request line only and never
         looks at the response status, so it cannot tell a failed login from a
         successful one; the sample log below shows HTTP 200 for every POST,
         which says nothing about the login outcome. -->
    <rule id="31509" level="3" overwrite="yes">
        <if_sid>31108</if_sid>
        <url>/wp-login.php</url>
        <regex>] "POST \S+wp-login.php</regex>
        <description>WordPress LOGIN attempt.</description>
    </rule>
    <!-- 31510: repeated 31509 matches from one source IP inside 30 s, raised to
         level 8 so that mail and the firewall-drop response apply. Because
         31509 also counts successful logins, several quick legitimate logins
         from one address (or from many users behind one NAT address) trip it
         too; narrow 31509 if such false-positive blocks matter. In the log
         below this rule fired after five 31509 alerts. -->
    <rule id="31510" level="8" frequency="3" timeframe="30" overwrite="yes">
        <if_matched_sid>31509</if_matched_sid>
        <same_source_ip />
        <description>WordPress BRUTE FORCE attempt.</description>
    </rule>
</group>

# Active response in ossec.conf 

    <!-- Drop the offending source IP for 1200 s when rule 31510 fires.
         location "local" executes the command on the agent that reported the
         event (srvyy / 192.168.2.13 in the log below), not on the manager, so
         the block has to be looked for on that agent, and active response
         must not be disabled in the agent's own configuration (confirm there).
         Rule 31510 is level 8, so the stock level-6 entry further down should
         match the same alert as well, if level acts as a minimum. -->
    <active-response>
        <command>firewall-drop</command>
        <location>local</location>
        <rules_id>31510</rules_id>
        <timeout>1200</timeout>
    </active-response>

    <!-- Stock (unchanged) entry. It is keyed on alert level rather than on a
         rule id, so it is not limited to the WordPress rules: any alert of
         level 6 or above on this agent should trigger a 600 s drop, including
         the level-8 rule 31510 that the rules_id entry above also targets. -->
    <active-response>
        <!-- Firewall Drop response. Block the IP for
           - 600 seconds on the firewall (iptables,
           - ipfilter, etc).
          -->
        <command>firewall-drop</command>
        <location>local</location>
        <level>6</level>
        <timeout>600</timeout>
    </active-response>

    <!-- The firewall-drop command runs firewall-drop.sh. "expect srcip" means
         the script is handed the alert's source IP and is presumably skipped
         for alerts that carry none; the 31510 alert below does include
         "Src IP: 192.168.2.5", so that prerequisite is met here. -->
    <command>
        <name>firewall-drop</name>
        <executable>firewall-drop.sh</executable>
        <expect>srcip</expect>
    </command>


# Responses available
./bin/agent_control -L

OSSEC HIDS agent_control. Available active responses:

   Response name: firewall-drop1200, command: firewall-drop.sh
   Response name: firewall-drop600, command: firewall-drop.sh

# Alert log when simulating a brute-force login burst (showing the triggered rules)

* Alert 1416236363.329351: - wordpress,
2014 Nov 17 15:59:23 (srvyy) 
192.168.2.13->/var/log/apache2/www.local-test.nl-access.log
Rule: 31509 (level 3) -> 'WordPress LOGIN attempt.'
Src IP: 192.168.2.5
192.168.2.5 - - [17/Nov/2014:15:59:21 +0100] "POST /wp-login.php HTTP/1.1" 
200 1984 "http://www.local-test.nl/wp-login.php"; "Mozilla/5.0 (Macintosh; 
Intel Mac OS X 10_10_0) AppleWebKit/5
37.36 (KHTML, like Gecko) Chrome/38.0.2125.122 Safari/537.36"

** Alert 1416236365.329796: - wordpress,
2014 Nov 17 15:59:25 (srvyy) 
192.168.2.13->/var/log/apache2/www.local-test.nl-access.log
Rule: 31509 (level 3) -> 'WordPress LOGIN attempt.'
Src IP: 192.168.2.5
192.168.2.5 - - [17/Nov/2014:15:59:24 +0100] "POST /wp-login.php HTTP/1.1" 
200 1983 "http://www.local-test.nl/wp-login.php"; "Mozilla/5.0 (Macintosh; 
Intel Mac OS X 10_10_0) AppleWebKit/5
37.36 (KHTML, like Gecko) Chrome/38.0.2125.122 Safari/537.36"

** Alert 1416236367.330241: - wordpress,
2014 Nov 17 15:59:27 (srvyy) 
192.168.2.13->/var/log/apache2/www.local-test.nl-access.log
Rule: 31509 (level 3) -> 'WordPress LOGIN attempt.'
Src IP: 192.168.2.5
192.168.2.5 - - [17/Nov/2014:15:59:26 +0100] "POST /wp-login.php HTTP/1.1" 
200 1983 "http://www.local-test.nl/wp-login.php"; "Mozilla/5.0 (Macintosh; 
Intel Mac OS X 10_10_0) AppleWebKit/5
37.36 (KHTML, like Gecko) Chrome/38.0.2125.122 Safari/537.36"

** Alert 1416236369.330686: - wordpress,
2014 Nov 17 15:59:29 (srvyy) 
192.168.2.13->/var/log/apache2/www.local-test.nl-access.log
Rule: 31509 (level 3) -> 'WordPress LOGIN attempt.'
Src IP: 192.168.2.5
192.168.2.5 - - [17/Nov/2014:15:59:28 +0100] "POST /wp-login.php HTTP/1.1" 
200 1983 "http://www.local-test.nl/wp-login.php"; "Mozilla/5.0 (Macintosh; 
Intel Mac OS X 10_10_0) AppleWebKit/5
37.36 (KHTML, like Gecko) Chrome/38.0.2125.122 Safari/537.36"

** Alert 1416236373.331131: mail  - wordpress,
2014 Nov 17 15:59:33 (srvyy) 
192.168.2.13->/var/log/apache2/www.local-test.nl-access.log
Rule: 31510 (level 8) -> 'WordPress BRUTE FORCE attempt.'
Src IP: 192.168.2.5
192.168.2.5 - - [17/Nov/2014:15:59:30 +0100] "POST /wp-login.php HTTP/1.1" 
200 1983 "http://www.local-test.nl/wp-login.php"; "Mozilla/5.0 (Macintosh; 
Intel Mac OS X 10_10_0) AppleWebKit/5
37.36 (KHTML, like Gecko) Chrome/38.0.2125.122 Safari/537.36"
192.168.2.5 - - [17/Nov/2014:15:59:28 +0100] "POST /wp-login.php HTTP/1.1" 
200 1983 "http://www.local-test.nl/wp-login.php"; "Mozilla/5.0 (Macintosh; 
Intel Mac OS X 10_10_0) AppleWebKit/5
37.36 (KHTML, like Gecko) Chrome/38.0.2125.122 Safari/537.36"
192.168.2.5 - - [17/Nov/2014:15:59:26 +0100] "POST /wp-login.php HTTP/1.1" 
200 1983 "http://www.local-test.nl/wp-login.php"; "Mozilla/5.0 (Macintosh; 
Intel Mac OS X 10_10_0) AppleWebKit/5
37.36 (KHTML, like Gecko) Chrome/38.0.2125.122 Safari/537.36"
192.168.2.5 - - [17/Nov/2014:15:59:24 +0100] "POST /wp-login.php HTTP/1.1" 
200 1983 "http://www.local-test.nl/wp-login.php"; "Mozilla/5.0 (Macintosh; 
Intel Mac OS X 10_10_0) AppleWebKit/5
37.36 (KHTML, like Gecko) Chrome/38.0.2125.122 Safari/537.36"
192.168.2.5 - - [17/Nov/2014:15:59:21 +0100] "POST /wp-login.php HTTP/1.1" 
200 1984 "http://www.local-test.nl/wp-login.php"; "Mozilla/5.0 (Macintosh; 
Intel Mac OS X 10_10_0) AppleWebKit/5
37.36 (KHTML, like Gecko) Chrome/38.0.2125.122 Safari/537.36"
