On Fri, Sep 9, 2016 at 6:10 AM, 'James Vernon' via ossec-list <[email protected]> wrote:
> Hi guys
>
> I am wondering if anyone here can help me with an issue with active
> response.
>
> I have been struggling for the last few days to get active response working
> on an agent/server setup and I am at a complete loss. I am using version 2.8.1
>
> I have removed all cases of
>
> <disabled>yes</disabled>
>
> from my configs
>
> The agent.conf file:-
> #########################################################################
>
> <!-- THIS IS MANAGED BY PUPPET -->
> <!-- If you are looking at this from a node -->
> <!-- the config file is being distributed from -->
> <!-- the ossec server, NOT puppet.... -->
> <agent_config>
>   <syscheck>
>     <frequency>72000</frequency>
>
>     <!-- Directories to check (perform all possible verifications) -->
>     <directories check_all="yes">/home/test</directories>
>     <directories check_all="yes">/home/test2</directories>
>   </syscheck>
>
>   <syscheck>
>     <frequency>3600</frequency>
>     <auto_ignore>no</auto_ignore>
>     <directories check_all="yes">/var/ossec/etc/shared</directories>
>   </syscheck>
>
>   <localfile>
>     <log_format>syslog</log_format>
>     <location>/media/mylog.txt</location>
>   </localfile>
>
>   <command>
>     <name>restart-ossec</name>
>     <executable>restart-ossec.sh</executable>
>     <expect></expect>
>   </command>
>
>   <active-response>
>     <command>restart-ossec</command>
>     <location>local</location>
>     <rules_id>510010</rules_id>
>   </active-response>
>

Active response configuration (in an agent/server setup) belongs in the OSSEC server's ossec.conf. I don't believe these configuration options have any effect when run in an agent's configuration.

>   <localfile>
>     <log_format>syslog</log_format>
>     <location>/var/ossec/logs/active-responses.log</location>
>   </localfile>
>
> </agent_config>
> #################################################################
>
> As you can see I have been testing a few things on here as this is the first
> time I have set this up, hence the random test of particular directories.
>
> I added the following rule to the ossec group in ossec_rules.xml under rule
> 598:-
>
> #################################################################
>
> <rule id="510010" level="10">
>   <if_sid>550</if_sid>
>   <match>/var/ossec/etc/shared/agent.conf</match>
>   <description>agent.conf has been modified</description>
> </rule>
>
> ###############################################################
>
> Below is a log from the server alert log.
>
> ###############################################################
>
> ** Alert 1473414286.15146: mail - ossec,
> 2016 Sep 09 10:44:46 (hh-d8-ossecagenttest04) any->syscheck
> Rule: 510010 (level 10) -> 'agent.conf has been modified'
> Integrity checksum changed for: '/var/ossec/etc/shared/agent.conf'
> Size changed from '1128' to '1129'
> Old md5sum was: '6b8224b9dc7e9fa8c34363cdf4d0bb34'
> New md5sum is : '44bb782b8a6b9bb533aedeceefa5567d'
> Old sha1sum was: '1d76592eed55802ca60cd75bee48f697886a3a3a'
> New sha1sum is : 'ddeba7ff16ab1daae7833ade47743c45c73f06ce'
>
> ################################################################
>
> Nothing happens. It sees the rule, it's correct, but it does not trigger an
> active response.
>
> Below is the content of ar.conf from the agent
>
> ###############################################################
>
> restart-ossec0 - restart-ossec.sh - 0
> restart-ossec0 - restart-ossec.cmd - 0
> host-deny600 - host-deny.sh - 600
> firewall-drop600 - firewall-drop.sh - 600
>
> ###############################################################
>
> The OS is debian 8.
>
> Am I missing something with these config files? I feel like I am making a
> really simple mistake but I cannot spot it.
>
> Running ./agent_control -L on the server:-
>
> ################################################################
>
> OSSEC HIDS agent_control. Available active responses:
>
> Response name: host-deny600, command: host-deny.sh
> Response name: firewall-drop600, command: firewall-drop.sh
>
> --
>
> ---
> You received this message because you are subscribed to the Google Groups
> "ossec-list" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to [email protected].
> For more options, visit https://groups.google.com/d/optout.
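Added example, not part of the thread: the command and active-response blocks from the quoted agent.conf moved into the server's ossec.conf, which is where the reply says they take effect. The file path /var/ossec/etc/ossec.conf is assumed to be the default install location; the rule id and agent name are the ones from the alert above.

```xml
<!-- /var/ossec/etc/ossec.conf on the OSSEC server (path assumed: default install) -->
<ossec_config>
  <!-- Define the command once, on the server. restart-ossec.sh is the script
       already named in the agent's ar.conf; an empty <expect> means no
       argument (srcip/user) is passed to it. -->
  <command>
    <name>restart-ossec</name>
    <executable>restart-ossec.sh</executable>
    <expect></expect>
  </command>

  <!-- Bind the command to the custom rule from the thread. With
       <location>local</location> the server instructs the agent that raised
       the alert (hh-d8-ossecagenttest04 in the alert above) to run it. -->
  <active-response>
    <command>restart-ossec</command>
    <location>local</location>
    <rules_id>510010</rules_id>
  </active-response>
</ossec_config>
```

After restarting the server, re-run ./agent_control -L to confirm the response is now listed, and check the agent's /var/ossec/logs/active-responses.log for the invocation the next time rule 510010 fires.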
