On Fri, Sep 9, 2016 at 8:37 AM, 'James Vernon' via ossec-list <[email protected]> wrote:
> Yep, that was it. Thanks Dan.
>

No problem. It's both odd and not odd that agent.conf doesn't affect the OSSEC server. I feel like it's explicitly stated in the docs, but probably hidden between 2 boring sentences or something.

> On Friday, 9 September 2016 11:35:41 UTC+1, dan (ddpbsd) wrote:
>>
>> On Fri, Sep 9, 2016 at 6:10 AM, 'James Vernon' via ossec-list
>> <[email protected]> wrote:
>> > Hi guys
>> >
>> > I am wondering if anyone here can help me with an issue with active
>> > response.
>> >
>> > I have been struggling for the last few days to get active response
>> > working on an agent/server setup and I am at a complete loss. I am
>> > using version 2.8.1.
>> >
>> > I have removed all cases of
>> >
>> > <disabled>yes</disabled>
>> >
>> > from my configs.
>> >
>> > The agent.conf file:
>> >
>> > #########################################################################
>> >
>> > <!-- THIS IS MANAGED BY PUPPET -->
>> > <!-- If you are looking at this from a node -->
>> > <!-- the config file is being distributed from -->
>> > <!-- the ossec server, NOT puppet.... -->
>> > <agent_config>
>> > <syscheck>
>> > <frequency>72000</frequency>
>> >
>> > <!-- Directories to check (perform all possible verifications) -->
>> > <directories check_all="yes">/home/test</directories>
>> > <directories check_all="yes">/home/test2</directories>
>> > </syscheck>
>> >
>> > <syscheck>
>> > <frequency>3600</frequency>
>> > <auto_ignore>no</auto_ignore>
>> > <directories check_all="yes">/var/ossec/etc/shared</directories>
>> > </syscheck>
>> >
>> > <localfile>
>> > <log_format>syslog</log_format>
>> > <location>/media/mylog.txt</location>
>> > </localfile>
>> >
>> > <command>
>> > <name>restart-ossec</name>
>> > <executable>restart-ossec.sh</executable>
>> > <expect></expect>
>> > </command>
>> >
>> > <active-response>
>> > <command>restart-ossec</command>
>> > <location>local</location>
>> > <rules_id>510010</rules_id>
>> > </active-response>
>> >
>>
>> Active response configuration (in an agent/server setup) belongs in
>> the OSSEC server's ossec.conf.
>> I don't believe these configuration options have any effect when run
>> in an agent's configuration.
>>
>> > <localfile>
>> > <log_format>syslog</log_format>
>> > <location>/var/ossec/logs/active-responses.log</location>
>> > </localfile>
>> >
>> > </agent_config>
>> > #################################################################
>> >
>> > As you can see I have been testing a few things on here as this is the
>> > first time I have set this up, hence the random test of particular
>> > directories.
>> >
>> > I added the following rule to the ossec group in ossec_rules.xml under
>> > rule 598:
>> >
>> > #################################################################
>> >
>> > <rule id="510010" level="10">
>> > <if_sid>550</if_sid>
>> > <match>/var/ossec/etc/shared/agent.conf</match>
>> > <description>agent.conf has been modified</description>
>> > </rule>
>> >
>> > ###############################################################
>> >
>> > Below is a log from the server alert log.
>> >
>> > ###############################################################
>> >
>> > ** Alert 1473414286.15146: mail - ossec,
>> > 2016 Sep 09 10:44:46 (hh-d8-ossecagenttest04) any->syscheck
>> > Rule: 510010 (level 10) -> 'agent.conf has been modified'
>> > Integrity checksum changed for: '/var/ossec/etc/shared/agent.conf'
>> > Size changed from '1128' to '1129'
>> > Old md5sum was: '6b8224b9dc7e9fa8c34363cdf4d0bb34'
>> > New md5sum is : '44bb782b8a6b9bb533aedeceefa5567d'
>> > Old sha1sum was: '1d76592eed55802ca60cd75bee48f697886a3a3a'
>> > New sha1sum is : 'ddeba7ff16ab1daae7833ade47743c45c73f06ce'
>> >
>> > ################################################################
>> >
>> > Nothing happens. It sees the rule, it's correct, but it does not trigger
>> > an active response.
>> >
>> > Below is the content of ar.conf from the agent:
>> >
>> > ###############################################################
>> >
>> > restart-ossec0 - restart-ossec.sh - 0
>> > restart-ossec0 - restart-ossec.cmd - 0
>> > host-deny600 - host-deny.sh - 600
>> > firewall-drop600 - firewall-drop.sh - 600
>> >
>> > ###############################################################
>> >
>> > The OS is Debian 8.
>> >
>> > Am I missing something with these config files? I feel like I am making
>> > a really simple mistake but I cannot spot it.
>> >
>> > Running ./agent_control -L on the server:
>> >
>> > ################################################################
>> >
>> > OSSEC HIDS agent_control. Available active responses:
>> >
>> > Response name: host-deny600, command: host-deny.sh
>> > Response name: firewall-drop600, command: firewall-drop.sh
>> >
>> > --
>> >
>> > ---
>> > You received this message because you are subscribed to the Google
>> > Groups "ossec-list" group.
>> > To unsubscribe from this group and stop receiving emails from it, send
>> > an email to [email protected].
>> > For more options, visit https://groups.google.com/d/optout.
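Dan's point, that <command> and <active-response> blocks inside the shared agent.conf are distributed to agents but never acted on, is the kind of misplacement a small lint can catch before days are lost on it. The script below is an added example written for this page, not code from the thread or from the OSSEC project. It parses an agent.conf, flags <command> and <active-response> blocks that sit directly under <agent_config>, and shows the same two blocks passing clean once they are placed under <ossec_config> as they would be in the server's ossec.conf. Both sample configs are constructed from the snippets quoted above; the wrapping in a synthetic root is an assumption made here so that ElementTree accepts OSSEC's multi-block config files.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the misplaced configuration, modelled on the
# agent.conf quoted in the thread (trimmed to the relevant blocks).
MISPLACED_AGENT_CONF = """
<!-- THIS IS MANAGED BY PUPPET -->
<agent_config>
  <syscheck>
    <frequency>3600</frequency>
    <directories check_all="yes">/var/ossec/etc/shared</directories>
  </syscheck>
  <command>
    <name>restart-ossec</name>
    <executable>restart-ossec.sh</executable>
    <expect></expect>
  </command>
  <active-response>
    <command>restart-ossec</command>
    <location>local</location>
    <rules_id>510010</rules_id>
  </active-response>
</agent_config>
"""

# Constructed sample: the same two blocks placed where the server reads
# them, inside <ossec_config> in the server's ossec.conf.
SERVER_OSSEC_CONF = """
<ossec_config>
  <command>
    <name>restart-ossec</name>
    <executable>restart-ossec.sh</executable>
    <expect></expect>
  </command>
  <active-response>
    <command>restart-ossec</command>
    <location>local</location>
    <rules_id>510010</rules_id>
  </active-response>
</ossec_config>
"""


def parse_ossec_xml(text):
    """OSSEC config files may hold several top-level blocks and leading
    comments, which is not one well-formed XML document. Wrapping the text
    in a synthetic root (an assumption of this example) lets ElementTree
    parse it."""
    return ET.fromstring("<root>" + text + "</root>")


def find_misplaced_ar(text):
    """Return (block, detail) pairs for every <command> or <active-response>
    that is a direct child of an <agent_config> block. Such blocks reach the
    agents but are never acted on; the server's ossec.conf is where OSSEC
    reads active-response configuration."""
    findings = []
    for agent_cfg in parse_ossec_xml(text).iter("agent_config"):
        for child in agent_cfg:
            if child.tag == "command":
                findings.append(("command", child.findtext("name", "?")))
            elif child.tag == "active-response":
                cmd = child.findtext("command", "?")
                rules = child.findtext("rules_id", "?")
                findings.append(("active-response", f"{cmd} for rule {rules}"))
    return findings


def lint(text):
    """Print one human-readable line per finding and return the findings."""
    findings = find_misplaced_ar(text)
    for block, detail in findings:
        print(f"<{block}> ({detail}) is inside <agent_config> and will be "
              "ignored; move it to the server's ossec.conf")
    if not findings:
        print("no active-response blocks inside <agent_config>")
    return findings


if __name__ == "__main__":
    lint(MISPLACED_AGENT_CONF)   # reports the <command> and <active-response>
    lint(SERVER_OSSEC_CONF)      # reports nothing
```

Run it against the real /var/ossec/etc/shared/agent.conf by reading the file into `lint()`; a clean result there, together with the response appearing in `agent_control -L` output, is the quick way to confirm the blocks ended up on the server side.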
