Sorry, I misclicked and sent the post.

test.sh (+x and root:ossec)

#!/bin/sh

ACTION=$1
USER=$2
IP=$3
ALERTID=$4
RULEID=$5

LOCAL=`dirname $0`;
cd $LOCAL
cd ../
PWD=`pwd`


# Logging the call
echo "`date` $0 $1 $2 $3 $4 $5 $6 $7 $8" >> ${PWD}/../logs/active-responses.log


active-responses.log

mar feb 23 08:47:45 PST 2016 /var/ossec/active-response/bin/test.sh add - - 1456246065.10321 5501 /var/log/auth.log -
mar feb 23 08:47:49 PST 2016 /var/ossec/active-response/bin/test.sh add - - 1456246069.11280 5501 /var/log/auth.log -
mar feb 23 08:49:25 PST 2016 /var/ossec/active-response/bin/test.sh add - - 1456246165.12583 5501 /var/log/auth.log -
mar feb 23 08:49:27 PST 2016 /var/ossec/active-response/bin/test.sh add - - 1456246167.13542 5501 /var/log/auth.log -
mar feb 23 08:54:03 PST 2016 /var/ossec/active-response/bin/test.sh add - - 1456246443.14673 5501 /var/log/auth.log -
mar feb 23 08:54:05 PST 2016 /var/ossec/active-response/bin/test.sh add - - 1456246445.15632 5501 /var/log/auth.log -


I hope it helps,

Try to use a basic example like this and see if it is working.

Regards,

Pedro S.
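As an added example (my own code, not Pedro's script above and not part of OSSEC): a variant of the basic test script that checks the arguments execd hands it before doing anything, appends them to active-responses.log without reassigning PWD, and a small check that reads that log back to count how many calls a given rule id produced, which is the quickest way to answer "is it working?". The argument order (action, user, srcip, alert id, rule id, location, filename) is inferred from the log lines above and is an assumption; the ar_* function names and the constructed sample entries are mine.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes execd passes up to seven
# positional arguments: action user srcip alert_id rule_id location filename
# (order inferred from the active-responses.log lines in the thread).

# Resolve the OSSEC base directory from the script's own location.
# $1 is the script path (normally "$0"): .../active-response/bin/x.sh
ar_base_dir() {
    script_dir=$(cd "$(dirname "$1")" && pwd) || return 1
    # bin -> active-response -> OSSEC base dir
    (cd "$script_dir/../.." && pwd)
}

# Refuse calls that do not look like an execd invocation:
# the action must be add or delete and the rule id must be numeric.
ar_validate_args() {
    action=$1
    rule_id=$5
    case "$action" in
        add|delete) ;;
        *) return 1 ;;
    esac
    case "$rule_id" in
        ''|*[!0-9]*) return 1 ;;
    esac
    return 0
}

# Append one record in the same shape as the thread's test script:
#   <date> <script> <action> <user> <srcip> <alert_id> <rule_id> <location> <filename>
# Missing trailing arguments are written as "-", the placeholder execd
# itself uses (visible as "- -" for user/srcip when <expect> is empty).
ar_log_call() {
    logfile=$1
    script=$2
    shift 2
    a1=${1:--}; a2=${2:--}; a3=${3:--}; a4=${4:--}
    a5=${5:--}; a6=${6:--}; a7=${7:--}
    printf '%s %s %s %s %s %s %s %s %s\n' "$(date)" "$script" \
        "$a1" "$a2" "$a3" "$a4" "$a5" "$a6" "$a7" >> "$logfile"
}

# Count recorded calls triggered by a given rule id. The rule id is the
# third field from the end, so the count does not depend on how many
# words the local date format produces at the start of each line.
ar_count_rule() {
    logfile=$1
    rid=$2
    awk -v rid="$rid" '$(NF-2) == rid { n++ } END { print n + 0 }' "$logfile"
}

# Self-contained demo on a constructed OSSEC-like tree in a temp dir.
AR_DEMO_BASE=$(mktemp -d)
mkdir -p "$AR_DEMO_BASE/active-response/bin" "$AR_DEMO_BASE/logs"
AR_DEMO_SCRIPT=$AR_DEMO_BASE/active-response/bin/test.sh
AR_DEMO_LOG=$(ar_base_dir "$AR_DEMO_SCRIPT")/logs/active-responses.log

# Two calls for rule 5501 with an empty <expect> (user and srcip are "-"),
# one for rule 5715 where execd supplied user and srcip. Values constructed.
ar_log_call "$AR_DEMO_LOG" "$AR_DEMO_SCRIPT" add - - 1456246065.10321 5501 /var/log/auth.log
ar_log_call "$AR_DEMO_LOG" "$AR_DEMO_SCRIPT" add - - 1456246069.11280 5501 /var/log/auth.log
ar_log_call "$AR_DEMO_LOG" "$AR_DEMO_SCRIPT" add root 203.0.113.5 1456246443.14673 5715 /var/log/secure

printf 'calls for rule 5501: %s\n' "$(ar_count_rule "$AR_DEMO_LOG" 5501)"
printf 'calls for rule 5715: %s\n' "$(ar_count_rule "$AR_DEMO_LOG" 5715)"
```

Used as the body of a real active-response script the two calls are `ar_validate_args "$@" || exit 1` followed by `ar_log_call "$(ar_base_dir "$0")/logs/active-responses.log" "$0" "$@"`; after forcing the alert, `ar_count_rule /var/ossec/logs/active-responses.log 5501` going from 0 to 1 tells you execd ran the script, independent of whatever the script does afterwards.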


On Tuesday, February 23, 2016 at 5:52:41 PM UTC+1, Pedro S wrote:
>
> Hi, 
>
> I have exactly the same files open:
>
> ossec-exe 43796                root    3u     unix 0xffff8801d66cfa80      0t0    1261890 /var/ossec/queue/alerts/execq
> ossec-ana 43800               ossec    3u     unix 0xffff8801d66cf380      0t0    1261891 /queue/ossec/queue
> ossec-ana 43800               ossec    4u      REG                8,1        0      38583 /var/ossec/queue/fts/hostinfo
> ossec-ana 43800               ossec    5u      REG                8,1      114      38584 /var/ossec/queue/fts/fts-queue
> ossec-ana 43800               ossec    6u      REG                8,1        0      38585 /var/ossec/queue/fts/ig-queue
>
>
> If you add some agents, you will have another file open like:
>
> ossec-rem 43375              ossecr    5u     unix 0xffff8801d674c980      0t0    1232202 /queue/alerts/ar
> ossec-rem 43375              ossecr    7u      REG                8,1        0      38586 /var/ossec/queue/rids/001
> ossec-rem 43375              ossecr    8u      REG                8,1        5      38587 /var/ossec/queue/rids/sender_counter
>
> Is your active-response still not working?
>
> Here is my full test config right now:
>
> ossec.conf
> <command>
> <name>test</name>
> <executable>test.sh</executable>
> <expect></expect>
> <timeout_allowed>no</timeout_allowed>
> </command>
>
> <active-response>
>     <command>test</command>
>     <location>server</location>
>     <level>0</level>
>     <rules_id>5501</rules_id>
> </active-response>
>
>
>
> On Tuesday, February 23, 2016 at 2:31:06 PM UTC+1, Василий Романеев wrote:
>>
>> I tried.
>> If I understand correctly, analysisd sends active responses to execd.
>> Could you please run the command lsof | grep ossec | grep queue to compare with my output?
>> Thank you!
>>
>> root@serv-10244 [~]# lsof | grep ossec | grep queue 
>> ossec-exe  2797      root    5u     unix 0xffff88000c3ad0c0        0t0  270573469 /var/ossec/queue/alerts/execq
>> ossec-ana  2803     ossec    4u     unix 0xffff880093835380        0t0  270573486 /queue/ossec/queue
>> ossec-ana  2803     ossec    5u      REG                9,1          0    8651763 /var/ossec/queue/fts/hostinfo
>> ossec-ana  2803     ossec    6u      REG                9,1        102    8651748 /var/ossec/queue/fts/fts-queue
>> ossec-ana  2803     ossec    7u      REG                9,1          0    8651749 /var/ossec/queue/fts/ig-queue
>>
>> 2016-02-23 16:20 GMT+03:00 Pedro S <[email protected]>: 
>> > I have been trying to replicate your situation; you can install either a local or a server installation, it is working on both.
>> > 
>> > I made it work by adding the <rules_id> tag into the <active-response> section like this:
>> > 
>> > <active-response> 
>> >    <command>testar</command> 
>> >    <location>server</location> 
>> >    <level>6</level> 
>> >    <rules_id>yourRuleID,yourAnotherRuleID</rules_id> 
>> >  </active-response> 
>> > 
>> > Try to specify what rules will trigger your active response. 
>> > 
>> > Remember to set groups and permissions to your script.sh 
>> > 
>> > If you need to extract srcip, don't forget to set expect in the command section:
>> > 
>> > <command> 
>> >  <name>testar</name> 
>> >  <expect>srcip</expect> 
>> >  <executable>testar.sh</executable> 
>> >  </command> 
>> > 
>> > 
>> > 
>> > 
>> > Regards, 
>> > 
>> > Pedro S. 
>> > 
>> > 
>> > On Tuesday, February 23, 2016 at 1:39:31 PM UTC+1, [email protected] wrote:
>> >> 
>> >> Now I don't have any whitelist.
>> >> 
>> >> #ossec.log 
>> >> 2016/02/23 07:18:57 ossec-analysisd: DEBUG: Active response initialized
>> >> ...
>> >> 2016/02/23 07:18:57 ossec-analysisd: DEBUG: Active response Init completed.
>> >> 
>> >> #Test active response: 
>> >> root@serv-10244 [/var/ossec/active-response/bin]# ./testar.sh action user src_ip alert_id rule_id agent_host filename
>> >> root@serv-10244 [/var/ossec/active-response/bin]# cat ../../logs/active-responses.log
>> >> Tue Feb 23 07:28:03 EST 2016 ./testar.sh action user src_ip alert_id rule_id agent_host filename
>> >> 
>> >> Let's go from the start.
>> >> I need to execute active responses on the same server, so I run
>> >> ossec-configure and select there the installation type "local" and active
>> >> responses enabled "yes".
>> >> Next I add an active response:
>> >> 
>> >>   <command> 
>> >>     <name>testar</name> 
>> >>     <expect></expect> 
>> >>     <executable>testar.sh</executable> 
>> >>   </command> 
>> >> 
>> >>   <active-response> 
>> >>     <command>testar</command> 
>> >>     <location>all</location> 
>> >>     <level>6</level> 
>> >>   </active-response> 
>> >> 
>> >> But active responses are still not executed.
>> >> 
>> >> 
>> >>> Hi, 
>> >>> 
>> >>> The daemon in charge of executing active-response scripts is
>> >>> "ossec-execd". I think your conf is good; active-response should be active
>> >>> and working. Try to force some response and check active-responses.log.
>> >>> 
>> >>> Check ossec.log for entries like:
>> >>> 
>> >>> 2016/02/23 03:48:19 ossec-analysisd: INFO: 2 IPs in the white list for active response.
>> >>> 2016/02/23 03:48:19 ossec-analysisd: INFO: 1 Hostname(s) in the white list for active response.
>> >>> 
>> >>> 
>> >>> 
>> >>> If you really want to check if active-response is active, try this: 
>> >>> 
>> >>> Enable debug mode: 
>> >>> /var/ossec/bin/ossec-control enable debug 
>> >>> 
>> >>> Restart OSSEC and check for line: 
>> >>> 
>> >>> 2016/02/23 11:40:57 ossec-analysisd: DEBUG: Active response initialized
>> >>> ... 
>> >>> 
>> >>> The scripts should be placed on /var/ossec/active-response/bin with 
>> >>> execution permissions. 
>> >>> 
>> >>> Regards, 
>> >>> 
>> >>> Pedro S. 
>> >>> 
>> >>> 
>> >>> On Tuesday, February 23, 2016 at 11:21:13 AM UTC+1, [email protected] wrote:
>> >>>> 
>> >>>> Why is active-response not working?
>> >>>> I receive the email notification, but the active response has not started.
>> >>>> What may have caused the problem?
>> >>>> 
>> >>>> #etc/shared/ar.conf: 
>> >>>> restart-ossec0 - restart-ossec.sh - 0 
>> >>>> restart-ossec0 - restart-ossec.cmd - 0 
>> >>>> testar0 - testar.sh - 0 
>> >>>> slack0 - slack.py - 0 
>> >>>> 
>> >>>> 
>> >>>> #alert.log 
>> >>>> ** Alert 1456222573.17132: mail  - syslog,sshdauthentication_success,
>> >>>> 2016 Feb 23 05:16:13 serv-10244->/var/log/secure
>> >>>> Rule: 5715 (level 7) -> 'SSHD authentication success.'
>> >>>> Src IP: 104.131.225.112
>> >>>> User: root
>> >>>> Feb 23 05:16:12 serv-10244 sshd[16530]: Accepted password for root from 104.131.225.112 port 47280 ssh2
>> >>>> 
>> >>>> #ossec.conf 
>> >>>>   <command> 
>> >>>>     <name>testar</name> 
>> >>>>     <expect></expect> 
>> >>>>     <executable>testar.sh</executable> 
>> >>>>   </command> 
>> >>>> 
>> >>>>   <command> 
>> >>>>     <name>slack</name> 
>> >>>>     <expect>user,srcip</expect> 
>> >>>>     <executable>slack.py</executable> 
>> >>>>   </command> 
>> >>>> 
>> >>>>   <active-response> 
>> >>>>     <command>testar</command> 
>> >>>>     <location>local</location> 
>> >>>>     <rules_id>5715,11309</rules_id> 
>> >>>>   </active-response> 
>> >>>> 
>> >>>> 
>> >>>>   <active-response> 
>> >>>>     <command>slack</command> 
>> >>>>     <location>local</location> 
>> >>>>     <rules_id>5715,11309</rules_id> 
>> >>>>   </active-response> 
>> >>>> 
>> >>>> 
>> >>>> #ossec.log:
>> >>>> 2016/02/23 05:11:04 ossec-monitord(1225): INFO: SIGNAL Received. Exit Cleaning...
>> >>>> 2016/02/23 05:11:04 ossec-logcollector(1225): INFO: SIGNAL Received. Exit Cleaning...
>> >>>> 2016/02/23 05:11:04 ossec-remoted(1225): INFO: SIGNAL Received. Exit Cleaning...
>> >>>> 2016/02/23 05:11:04 ossec-syscheckd(1225): INFO: SIGNAL Received. Exit Cleaning...
>> >>>> 2016/02/23 05:11:04 ossec-analysisd(1225): INFO: SIGNAL Received. Exit Cleaning...
>> >>>> 2016/02/23 05:11:04 ossec-maild(1225): INFO: SIGNAL Received. Exit Cleaning...
>> >>>> 2016/02/23 05:11:04 ossec-execd(1314): INFO: Shutdown received. Deleting responses.
>> >>>> 2016/02/23 05:11:04 ossec-execd(1225): INFO: SIGNAL Received. Exit Cleaning...
>> >>>> 2016/02/23 05:11:14 ossec-testrule: INFO: Reading local decoder file.
>> >>>> 2016/02/23 05:11:14 ossec-testrule: INFO: Started (pid: 15157).
>> >>>> 2016/02/23 05:11:14 ossec-maild: INFO: Started (pid: 15176).
>> >>>> 2016/02/23 05:11:15 ossec-execd: INFO: Started (pid: 15180).
>> >>>> 2016/02/23 05:11:15 ossec-analysisd: INFO: Reading local decoder file.
>> >>>> 2016/02/23 05:11:15 ossec-analysisd: INFO: Reading rules file: 'sshd_rules.xml'
>> >>>> 2016/02/23 05:11:15 ossec-remoted: INFO: Started (pid: 15192).
>> >>>> 2016/02/23 05:11:15 ossec-rootcheck: System audit file not configured.
>> >>>> 2016/02/23 05:11:15 ossec-remoted: INFO: Started (pid: 15193).
>> >>>> 2016/02/23 05:11:15 ossec-analysisd: INFO: Reading rules file: 'local_rules.xml'
>> >>>> 2016/02/23 05:11:15 ossec-analysisd: INFO: Total rules enabled: '1258'
>> >>>> 2016/02/23 05:11:15 ossec-analysisd: INFO: Started (pid: 15184).
>> >>>> 2016/02/23 05:11:16 ossec-monitord: INFO: Started (pid: 15219).
>> >>>> 2016/02/23 05:11:16 ossec-remoted(4111): INFO: Maximum number of agents allowed: '256'.
>> >>>> 2016/02/23 05:11:16 ossec-remoted(1410): INFO: Reading authentication keys file.
>> >>>> 2016/02/23 05:11:16 ossec-remoted: INFO: No previous counter available for 'local'.
>> >>>> 2016/02/23 05:11:16 ossec-remoted: INFO: Assigning counter for agent local: '0:0'.
>> >>>> 2016/02/23 05:11:16 ossec-remoted: INFO: No previous sender counter.
>> >>>> 2016/02/23 05:11:16 ossec-remoted: INFO: Assigning sender counter: 0:0
>> >>>> 2016/02/23 05:11:21 ossec-logcollector(1950): INFO: Analyzing file: '/var/log/messages'.
>> >>>> 2016/02/23 05:11:21 ossec-logcollector(1950): INFO: Analyzing file: '/var/log/secure'.
>> >>>> 2016/02/23 05:11:21 ossec-logcollector: INFO: Started (pid: 15188).
>> >>>> 2016/02/23 05:11:22 ossec-syscheckd: INFO: Started (pid: 15215).
>> >>>> 2016/02/23 05:11:22 ossec-rootcheck: INFO: Started (pid: 15215).
>> >>>> 2016/02/23 05:11:22 ossec-syscheckd: INFO: Monitoring directory: '/home/woodwork/public_html'.
>> >>>> 
>> >>>> 
>> >>>> # ps ax | grep ossec 
>> >>>> 15176 ?        S      0:00 /var/ossec/bin/ossec-maild 
>> >>>> 15180 ?        S      0:00 /var/ossec/bin/ossec-execd 
>> >>>> 15184 ?        S      0:00 /var/ossec/bin/ossec-analysisd 
>> >>>> 15188 ?        S      0:00 /var/ossec/bin/ossec-logcollector 
>> >>>> 15193 ?        Sl     0:00 /var/ossec/bin/ossec-remoted 
>> >>>> 15215 ?        S      0:00 /var/ossec/bin/ossec-syscheckd 
>> >>>> 15219 ?        S      0:00 /var/ossec/bin/ossec-monitord 
>> >>>> 
>> > -- 
>> > 
>> > --- 
>> > You received this message because you are subscribed to a topic in the 
>> > Google Groups "ossec-list" group. 
>> > To unsubscribe from this topic, visit 
>> > https://groups.google.com/d/topic/ossec-list/b6BbvLBc9ws/unsubscribe. 
>> > To unsubscribe from this group and all its topics, send an email to 
>> > [email protected]. 
>> > For more options, visit https://groups.google.com/d/optout. 
>>
>
