Hi,
I am using ossec 2.8.1 on Ubuntu 14.04 running locally only, no agents. I have
the following local_rules.xml defined to exercise syslog monitoring:
$ sudo more /var/ossec/rules/local_rules.xml
<group name="ossectester,local">
  <rule id="100000" level="5">
    <match>OSSEC-TESTER-RULE</match>
    <description>OSSEC Test Alert</description>
  </rule>
</group>
When this rule triggers (by running 'logger "OSSEC-TESTER-RULE"'), an active
response is executed due to this ossec.conf:
<command>
  <name>post2slack</name>
  <executable>ar_slack.sh</executable>
  <expect></expect>
  <timeout_allowed>no</timeout_allowed>
</command>
<active-response>
  <command>post2slack</command>
  <location>local</location>
  <level>4</level>
</active-response>
This works as expected provided I do not populate the command <expect>
field. If I specify <expect>srcip</expect> the alert still triggers,
however, the active response is no longer executed. The syslog entry ends
up as something like:
Feb 9 19:19:53 myhostname gleeder: OSSEC-TESTER-RULE
I can't determine from the documentation whether this should work or not.
myhostname resolves to 127.0.0.1 but I haven't got any white_list IPs
specified anyway (my end goal is to have some white_listing, which is why
I specified srcip).
Is there an implicit white_list default or another reason why specifying
srcip causes the response to no longer execute?
Is <expect>srcip</expect> required for white_list to work?
Best regards,
Glen
<ossec_config>
  <alerts>
    <log_alert_level>4</log_alert_level>
    <email_alert_level>0</email_alert_level>
  </alerts>
  <rules>
    <include>rules_config.xml</include>
    <include>local_rules.xml</include>
  </rules>
  <syscheck>
    <disabled>yes</disabled>
  </syscheck>
  <rootcheck>
    <disabled>yes</disabled>
  </rootcheck>
  <command>
    <name>post2slack</name>
    <executable>ar_slack.sh</executable>
    <expect></expect>
    <timeout_allowed>no</timeout_allowed>
  </command>
  <active-response>
    <command>post2slack</command>
    <location>local</location>
    <level>4</level>
  </active-response>
  <localfile>
    <log_format>syslog</log_format>
    <location>/var/log/syslog</location>
  </localfile>
</ossec_config>
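Added example, not code from the post above or from OSSEC itself: a small Python model of how an active-response command is gated on the fields decoded from the alert. It assumes, as a simplification of what analysisd does, that a command with <expect>srcip</expect> is skipped when the alert carries no decoded srcip (a plain syslog line such as the one in the post yields hostname and program, but no srcip), and that a srcip found on the white_list suppresses the response; the SYSLOG_RE, IPV4_RE, decode_syslog and should_run names are hypothetical.

```python
import re
from dataclasses import dataclass
from typing import Optional, Sequence

# Constructed sample: the syslog line quoted in the post, which contains no IP.
SAMPLE_LINE = "Feb 9 19:19:53 myhostname gleeder: OSSEC-TESTER-RULE"

# Hypothetical, simplified syslog split: timestamp, host, program, message.
SYSLOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<prog>[^:\[\s]+)(?:\[\d+\])?: (?P<msg>.*)$"
)
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


@dataclass
class Alert:
    level: int
    rule_id: str
    srcip: Optional[str] = None
    user: Optional[str] = None


def decode_syslog(line: str, level: int, rule_id: str) -> Alert:
    """Stand-in decoder: srcip is set only when the message body itself holds an
    IPv4 address. The syslog hostname is never treated as a srcip, even if it
    resolves to 127.0.0.1 (modelling assumption, see lead-in)."""
    m = SYSLOG_RE.match(line)
    if not m:
        raise ValueError("not a syslog line: %r" % line)
    ip = IPV4_RE.search(m.group("msg"))
    return Alert(level=level, rule_id=rule_id, srcip=ip.group(0) if ip else None)


def should_run(alert: Alert, expect: str, ar_level: int,
               white_list: Sequence[str] = ()) -> bool:
    """Model of the checks applied before an active-response command runs:
    1. the alert level must reach the <level> of the <active-response>;
    2. every field named in <expect> (srcip, user; comma or space separated)
       must be present on the alert, otherwise the command is skipped;
    3. a srcip listed in white_list suppresses the response."""
    if alert.level < ar_level:
        return False
    wanted = [f for f in expect.replace(",", " ").split() if f]
    for field_name in wanted:
        if getattr(alert, field_name, None) is None:
            return False  # e.g. <expect>srcip</expect> but no decoded srcip
    if alert.srcip is not None and alert.srcip in white_list:
        return False
    return True
```

With the post's configuration, decode_syslog(SAMPLE_LINE, 5, "100000") has srcip None, so should_run returns True for an empty <expect> and False for <expect>srcip</expect>.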