Hi,
I have exactly the same files open:
ossec-exe 43796 root 3u unix 0xffff8801d66cfa80 0t0 1261890 /var/ossec/queue/alerts/execq
ossec-ana 43800 ossec 3u unix 0xffff8801d66cf380 0t0 1261891 /queue/ossec/queue
ossec-ana 43800 ossec 4u REG 8,1 0 38583 /var/ossec/queue/fts/hostinfo
ossec-ana 43800 ossec 5u REG 8,1 114 38584 /var/ossec/queue/fts/fts-queue
ossec-ana 43800 ossec 6u REG 8,1 0 38585 /var/ossec/queue/fts/ig-queue
If you add some agents, you will have another file open like:
ossec-rem 43375 ossecr 5u unix 0xffff8801d674c980 0t0 1232202 /queue/alerts/ar
ossec-rem 43375 ossecr 7u REG 8,1 0 38586 /var/ossec/queue/rids/001
ossec-rem 43375 ossecr 8u REG 8,1 5 38587 /var/ossec/queue/rids/sender_counter
Is your active-response still not working?
Here is my full test config right now:
ossec.conf
<command>
<name>test</name>
<executable>test.sh</executable>
<expect></expect>
<timeout_allowed>no</timeout_allowed>
</command>
<active-response>
<command>test</command>
<location>server</location>
<level>0</level>
<rules_id>5501</rules_id>
</active-response>
On Tuesday, February 23, 2016 at 2:31:06 PM UTC+1, Василий Романеев wrote:
>
> I tried.
> If I understand correctly, analysisd sends active responses to execd.
> Could you please run command lsof | grep ossec | grep queue
> to compare with my output ?
> Thank you!
>
> root@serv-10244 [~]# lsof | grep ossec | grep queue
> ossec-exe 2797 root 5u unix 0xffff88000c3ad0c0 0t0 270573469 /var/ossec/queue/alerts/execq
> ossec-ana 2803 ossec 4u unix 0xffff880093835380 0t0 270573486 /queue/ossec/queue
> ossec-ana 2803 ossec 5u REG 9,1 0 8651763 /var/ossec/queue/fts/hostinfo
> ossec-ana 2803 ossec 6u REG 9,1 102 8651748 /var/ossec/queue/fts/fts-queue
> ossec-ana 2803 ossec 7u REG 9,1 0 8651749 /var/ossec/queue/fts/ig-queue
>
> 2016-02-23 16:20 GMT+03:00 Pedro S <[email protected]>:
> > I have been trying to replicate your situation; you can use either a local
> > or a server installation, and it is working on both.
> >
> > I made it work by adding the <rules_id> tag into the <active-response>
> > section like this:
> >
> > <active-response>
> > <command>testar</command>
> > <location>server</location>
> > <level>6</level>
> > <rules_id>yourRuleID,yourAnotherRuleID</rules_id>
> > </active-response>
> >
> > Try to specify what rules will trigger your active response.
> >
> > Remember to set groups and permissions to your script.sh
> >
> > If you need to extract srcip, don't forget to set expect in the command
> > section:
> >
> > <command>
> > <name>testar</name>
> > <expect>srcip</expect>
> > <executable>testar.sh</executable>
> > </command>
> >
> >
> >
> >
> > Regards,
> >
> > Pedro S.
> >
> >
> > On Tuesday, February 23, 2016 at 1:39:31 PM UTC+1, [email protected]
> > wrote:
> >>
> >> Now I don't have any whitelist.
> >>
> >> #ossec.log
> >> 2016/02/23 07:18:57 ossec-analysisd: DEBUG: Active response initialized
> >> ...
> >> 2016/02/23 07:18:57 ossec-analysisd: DEBUG: Active response Init
> >> completed.
> >>
> >> #Test active response:
> >> root@serv-10244 [/var/ossec/active-response/bin]# ./testar.sh action user
> >> src_ip alert_id rule_id agent_host filename
> >> root@serv-10244 [/var/ossec/active-response/bin]# cat
> >> ../../logs/active-responses.log
> >> Tue Feb 23 07:28:03 EST 2016 ./testar.sh action user src_ip alert_id
> >> rule_id agent_host filename
> >>
> >> Let's go from start.
> >> I need to execute active responses on the same server, so I run
> >> ossec-configure and select installation type "local" and active
> >> responses enabled "yes".
> >> Next I add the active response:
> >>
> >> <command>
> >> <name>testar</name>
> >> <expect></expect>
> >> <executable>testar.sh</executable>
> >> </command>
> >>
> >> <active-response>
> >> <command>testar</command>
> >> <location>all</location>
> >> <level>6</level>
> >> </active-response>
> >>
> >> But active responses are still not executed.
> >>
> >>
> >>> Hi,
> >>>
> >>> The daemon in charge of executing active-response scripts is
> >>> "ossec-execd". I think your conf is good; active-response should be active
> >>> and working. Try to force some response and check active-response.log.
> >>>
> >>> Check ossec.log for entries like:
> >>>
> >>> 2016/02/23 03:48:19 ossec-analysisd: INFO: 2 IPs in the white list for
> >>> active response.
> >>> 2016/02/23 03:48:19 ossec-analysisd: INFO: 1 Hostname(s) in the white
> >>> list for active response.
> >>>
> >>>
> >>>
> >>> If you really want to check if active-response is active, try this:
> >>>
> >>> Enable debug mode:
> >>> /var/ossec/bin/ossec-control enable debug
> >>>
> >>> Restart OSSEC and check for line:
> >>>
> >>> 2016/02/23 11:40:57 ossec-analysisd: DEBUG: Active response initialized
> >>> ...
> >>>
> >>> The scripts should be placed on /var/ossec/active-response/bin with
> >>> execution permissions.
> >>>
> >>> Regards,
> >>>
> >>> Pedro S.
> >>>
> >>>
> >>> On Tuesday, February 23, 2016 at 11:21:13 AM UTC+1, [email protected]
> >>> wrote:
> >>>>
> >>>> Why is active-response not working?
> >>>> I receive the email notification, but the active response had not started.
> >>>> What may have caused the problem?
> >>>>
> >>>> #etc/shared/ar.conf:
> >>>> restart-ossec0 - restart-ossec.sh - 0
> >>>> restart-ossec0 - restart-ossec.cmd - 0
> >>>> testar0 - testar.sh - 0
> >>>> slack0 - slack.py - 0
> >>>>
> >>>>
> >>>> #alert.log
> >>>> ** Alert 1456222573.17132: mail - syslog,sshdauthentication_success,
> >>>> 2016 Feb 23 05:16:13 serv-10244->/var/log/secure
> >>>> Rule: 5715 (level 7) -> 'SSHD authentication success.'
> >>>> Src IP: 104.131.225.112
> >>>> User: root
> >>>> Feb 23 05:16:12 serv-10244 sshd[16530]: Accepted password for root from
> >>>> 104.131.225.112 port 47280 ssh2
> >>>>
> >>>> #ossec.conf
> >>>> <command>
> >>>> <name>testar</name>
> >>>> <expect></expect>
> >>>> <executable>testar.sh</executable>
> >>>> </command>
> >>>>
> >>>> <command>
> >>>> <name>slack</name>
> >>>> <expect>user,srcip</expect>
> >>>> <executable>slack.py</executable>
> >>>> </command>
> >>>>
> >>>> <active-response>
> >>>> <command>testar</command>
> >>>> <location>local</location>
> >>>> <rules_id>5715,11309</rules_id>
> >>>> </active-response>
> >>>>
> >>>>
> >>>> <active-response>
> >>>> <command>slack</command>
> >>>> <location>local</location>
> >>>> <rules_id>5715,11309</rules_id>
> >>>> </active-response>
> >>>>
> >>>>
> >>>> #ossec.log:
> >>>> 2016/02/23 05:11:04 ossec-monitord(1225): INFO: SIGNAL Received. Exit
> >>>> Cleaning...
> >>>> 2016/02/23 05:11:04 ossec-logcollector(1225): INFO: SIGNAL Received.
> >>>> Exit Cleaning...
> >>>> 2016/02/23 05:11:04 ossec-remoted(1225): INFO: SIGNAL Received. Exit
> >>>> Cleaning...
> >>>> 2016/02/23 05:11:04 ossec-syscheckd(1225): INFO: SIGNAL Received. Exit
> >>>> Cleaning...
> >>>> 2016/02/23 05:11:04 ossec-analysisd(1225): INFO: SIGNAL Received. Exit
> >>>> Cleaning...
> >>>> 2016/02/23 05:11:04 ossec-maild(1225): INFO: SIGNAL Received. Exit
> >>>> Cleaning...
> >>>> 2016/02/23 05:11:04 ossec-execd(1314): INFO: Shutdown received. Deleting
> >>>> responses.
> >>>> 2016/02/23 05:11:04 ossec-execd(1225): INFO: SIGNAL Received. Exit
> >>>> Cleaning...
> >>>> 2016/02/23 05:11:14 ossec-testrule: INFO: Reading local decoder file.
> >>>> 2016/02/23 05:11:14 ossec-testrule: INFO: Started (pid: 15157).
> >>>> 2016/02/23 05:11:14 ossec-maild: INFO: Started (pid: 15176).
> >>>> 2016/02/23 05:11:15 ossec-execd: INFO: Started (pid: 15180).
> >>>> 2016/02/23 05:11:15 ossec-analysisd: INFO: Reading local decoder file.
> >>>> 2016/02/23 05:11:15 ossec-analysisd: INFO: Reading rules file:
> >>>> 'sshd_rules.xml'
> >>>> 2016/02/23 05:11:15 ossec-remoted: INFO: Started (pid: 15192).
> >>>> 2016/02/23 05:11:15 ossec-rootcheck: System audit file not configured.
> >>>> 2016/02/23 05:11:15 ossec-remoted: INFO: Started (pid: 15193).
> >>>> 2016/02/23 05:11:15 ossec-analysisd: INFO: Reading rules file:
> >>>> 'local_rules.xml'
> >>>> 2016/02/23 05:11:15 ossec-analysisd: INFO: Total rules enabled: '1258'
> >>>> 2016/02/23 05:11:15 ossec-analysisd: INFO: Started (pid: 15184).
> >>>> 2016/02/23 05:11:16 ossec-monitord: INFO: Started (pid: 15219).
> >>>> 2016/02/23 05:11:16 ossec-remoted(4111): INFO: Maximum number of agents
> >>>> allowed: '256'.
> >>>> 2016/02/23 05:11:16 ossec-remoted(1410): INFO: Reading authentication
> >>>> keys file.
> >>>> 2016/02/23 05:11:16 ossec-remoted: INFO: No previous counter available
> >>>> for 'local'.
> >>>> 2016/02/23 05:11:16 ossec-remoted: INFO: Assigning counter for agent
> >>>> local: '0:0'.
> >>>> 2016/02/23 05:11:16 ossec-remoted: INFO: No previous sender counter.
> >>>> 2016/02/23 05:11:16 ossec-remoted: INFO: Assigning sender counter: 0:0
> >>>> 2016/02/23 05:11:21 ossec-logcollector(1950): INFO: Analyzing file:
> >>>> '/var/log/messages'.
> >>>> 2016/02/23 05:11:21 ossec-logcollector(1950): INFO: Analyzing file:
> >>>> '/var/log/secure'.
> >>>> 2016/02/23 05:11:21 ossec-logcollector: INFO: Started (pid: 15188).
> >>>> 2016/02/23 05:11:22 ossec-syscheckd: INFO: Started (pid: 15215).
> >>>> 2016/02/23 05:11:22 ossec-rootcheck: INFO: Started (pid: 15215).
> >>>> 2016/02/23 05:11:22 ossec-syscheckd: INFO: Monitoring directory:
> >>>> '/home/woodwork/public_html'.
> >>>>
> >>>>
> >>>> # ps ax | grep ossec
> >>>> 15176 ? S 0:00 /var/ossec/bin/ossec-maild
> >>>> 15180 ? S 0:00 /var/ossec/bin/ossec-execd
> >>>> 15184 ? S 0:00 /var/ossec/bin/ossec-analysisd
> >>>> 15188 ? S 0:00 /var/ossec/bin/ossec-logcollector
> >>>> 15193 ? Sl 0:00 /var/ossec/bin/ossec-remoted
> >>>> 15215 ? S 0:00 /var/ossec/bin/ossec-syscheckd
> >>>> 15219 ? S 0:00 /var/ossec/bin/ossec-monitord
> >>>>
> > --
> >
> > ---
> > You received this message because you are subscribed to a topic in the
> > Google Groups "ossec-list" group.
> > To unsubscribe from this topic, visit
> > https://groups.google.com/d/topic/ossec-list/b6BbvLBc9ws/unsubscribe.
> > To unsubscribe from this group and all its topics, send an email to
> > [email protected].
> > For more options, visit https://groups.google.com/d/optout.
>
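As an added illustration (not code from this thread or from the OSSEC project), here is a small Python checker for the configuration mistakes the thread walks through: an <active-response> that names a <command> which was never defined, one with no <rules_id> or <level> to trigger it, a <location> value OSSEC does not know, and a script that is missing from /var/ossec/active-response/bin or lacks the execute bit. The sample fragment, the temporary bin directory and the testar.sh stub are constructed for the example; the ar_conf_lines() helper assumes that the "testar0 - testar.sh - 0" layout seen in the thread's etc/shared/ar.conf holds generally.

```python
"""Static sanity checks for OSSEC <command>/<active-response> blocks.

Added example: flags the misconfigurations that stop an active response
from ever running (undefined command, no trigger, bad location, script
missing or not executable). Not part of OSSEC itself.
"""
import os
import stat
import tempfile
import xml.etree.ElementTree as ET

# Values OSSEC accepts for <location> inside <active-response>.
VALID_LOCATIONS = {"local", "server", "defined-agent", "all"}

# Constructed ossec.conf fragment for illustration: "testar" is defined and
# wired to rule ids; "slack" is referenced but never defined, its location is
# misspelt, and nothing (no <rules_id>, no <level>) would trigger it.
SAMPLE_CONF = """
<command>
  <name>testar</name>
  <expect></expect>
  <executable>testar.sh</executable>
</command>

<active-response>
  <command>testar</command>
  <location>local</location>
  <rules_id>5715,11309</rules_id>
</active-response>

<active-response>
  <command>slack</command>
  <location>everywhere</location>
</active-response>
"""


def parse_fragment(text):
    """Parse a fragment with several top-level elements by wrapping it in a
    constructed root, the way ossec.conf itself wraps them in <ossec_config>."""
    return ET.fromstring("<ossec_config>" + text + "</ossec_config>")


def _text(elem, tag):
    """Stripped text of a child element, or None when the child is absent."""
    child = elem.find(tag)
    return (child.text or "").strip() if child is not None else None


def check_active_response(conf_text, bin_dir="/var/ossec/active-response/bin"):
    """Return a list of findings; an empty list means the fragment looks sane."""
    root = parse_fragment(conf_text)
    findings = []

    # Index <command> definitions by name.
    commands = {}
    for cmd in root.findall("command"):
        name = _text(cmd, "name")
        if not name:
            findings.append("<command> block without a <name>")
            continue
        commands[name] = _text(cmd, "executable") or ""

    # Every command must point at an existing, executable script in bin_dir.
    for name, executable in commands.items():
        path = os.path.join(bin_dir, executable)
        if not executable:
            findings.append(f"command '{name}' has no <executable>")
        elif not os.path.isfile(path):
            findings.append(f"command '{name}': {path} does not exist")
        elif not (os.stat(path).st_mode & stat.S_IXUSR):
            findings.append(f"command '{name}': {path} is not executable")

    # Each <active-response> needs a defined command, a valid location and a
    # trigger (<rules_id> or <level>); without a trigger it never fires.
    for ar in root.findall("active-response"):
        cmd_name = _text(ar, "command") or "<missing>"
        if cmd_name not in commands:
            findings.append(f"active-response references undefined command '{cmd_name}'")
        location = _text(ar, "location")
        if location not in VALID_LOCATIONS:
            findings.append(f"active-response '{cmd_name}': invalid location '{location}'")
        if not _text(ar, "rules_id") and not _text(ar, "level"):
            findings.append(f"active-response '{cmd_name}': no <rules_id> or <level>")
    return findings


def ar_conf_lines(conf_text):
    """Render each usable active-response in the 'name+timeout - script - timeout'
    layout shown in the thread's etc/shared/ar.conf (assumed to be general)."""
    root = parse_fragment(conf_text)
    commands = {_text(c, "name"): _text(c, "executable") for c in root.findall("command")}
    lines = []
    for ar in root.findall("active-response"):
        name = _text(ar, "command")
        if name in commands:
            timeout = _text(ar, "timeout") or "0"
            lines.append(f"{name}{timeout} - {commands[name]} - {timeout}")
    return lines


def make_sample_bin(mode=0o755):
    """Create a throwaway bin directory holding a constructed testar.sh with the
    given mode, so the checker can run without touching /var/ossec."""
    bin_dir = tempfile.mkdtemp(prefix="ar-bin-")
    path = os.path.join(bin_dir, "testar.sh")
    with open(path, "w") as fh:
        fh.write('#!/bin/sh\necho "$(date) $0 $*" >> active-responses.log\n')
    os.chmod(path, mode)
    return bin_dir


if __name__ == "__main__":
    for finding in check_active_response(SAMPLE_CONF, make_sample_bin()):
        print("FINDING:", finding)
    for line in ar_conf_lines(SAMPLE_CONF):
        print("ar.conf:", line)
```

To use it on a real install, pass bin_dir="/var/ossec/active-response/bin" and the <command>/<active-response> blocks copied out of your ossec.conf. An empty findings list only means the static wiring is consistent; it does not prove the response fires, so enabling debug mode and looking for the "Active response initialized" line in ossec.log, as suggested earlier in the thread, is still the runtime check.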