I tried to configure the following active response:

On the OSSEC server:

<command>
  <name>firewall-drop</name>
  <executable>firewall-drop.sh</executable>
  <expect>srcip</expect>
  <timeout_allowed>yes</timeout_allowed>
</command>

<active-response>
  <disabled>no</disabled>
  <command>firewall-drop</command>
  <location>defined-agent</location>
  <agent_id>021</agent_id>
  <rules_id>5712</rules_id>
  <timeout>1800</timeout>
</active-response>

On the OSSEC agent (id 021):

<localfile>
  <log_format>syslog</log_format>
  <location>/var/ossec/logs/active-responses.log</location>
</localfile>

As a trial I failed the login with the root account a few times, but the alert is not generated and active-responses.log on the agent is empty:

-bash-3.2# ls -l /var/ossec/logs
total 86
-rw-r--r-- 1 root root 0 Oct 17 14:30 active-responses.log
-rw-rw-r-- 1 ossec ossec 44032 Oct 17 14:29 ossec.log

It's the same on the server:

-bash-3.2# ls -l /var/ossec/logs
total 7432
-rw-rw---- 1 ossec ossec 0 May 19 10:01 active-responses.log
drwxr-x--- 3 ossec ossec 4096 Oct 17 12:56 alerts
drwxr-x--- 3 ossec ossec 4096 Oct 17 12:56 archives
drwxr-x--- 3 ossec ossec 4096 Oct 17 12:56 firewall
-rw-rw---- 1 ossec ossec 7582818 Oct 17 17:09 ossec.log

What do I need to do for the alert to appear in the OSSEC GUI and the IP to be blocked?

I only see the following messages in /var/ossec/logs/alerts/alerts.log:

** Alert 1476724188.107242: mail - syslog,errors,
2016 Oct 17 12:09:48 ixtrtc42scf->/var/log/messages
Rule: 1002 (level 2) -> 'Unknown problem somewhere in the system.'
Oct 17 12:09:48 ixtrtc42scf kernel: type=1100 audit(1476724188.016:36149378): user pid=6141 uid=0 auid=4294967295 ses=4294967295 msg='op=PAM:authentication acct="root" exe="/usr/sbin/sshd" hostname=10.188.62.176 addr=10.188.62.176 terminal=ssh res=failed'

** Alert 1476724188.107669: mail - syslog,errors,
2016 Oct 17 12:09:48 ixtrtc42scf->/var/log/messages
Rule: 1002 (level 2) -> 'Unknown problem somewhere in the system.'
Oct 17 12:09:48 ixtrtc42scf kernel: type=1100 audit(1476724188.016:36149379): user pid=6141 uid=0 auid=4294967295 ses=4294967295 msg='op=password acct="root" exe="/usr/sbin/sshd" hostname=? addr=10.188.62.176 terminal=ssh res=failed'

** Alert 1476724194.108074: mail - syslog,errors,
2016 Oct 17 12:09:54 ixtrtc42scf->/var/log/messages
Rule: 1002 (level 2) -> 'Unknown problem somewhere in the system.'
Oct 17 12:09:52 ixtrtc42scf kernel: type=1100 audit(1476724192.625:36149380): user pid=6141 uid=0 auid=4294967295 ses=4294967295 msg='op=PAM:authentication acct="root" exe="/usr/sbin/sshd" hostname=10.188.62.176 addr=10.188.62.176 terminal=ssh res=failed'

** Alert 1476724194.108501: mail - syslog,errors,
2016 Oct 17 12:09:54 ixtrtc42scf->/var/log/messages
Rule: 1002 (level 2) -> 'Unknown problem somewhere in the system.'
Oct 17 12:09:52 ixtrtc42scf kernel: type=1100 audit(1476724192.626:36149381): user pid=6141 uid=0 auid=4294967295 ses=4294967295 msg='op=password acct="root" exe="/usr/sbin/sshd" hostname=? addr=10.188.62.176 terminal=ssh res=failed'

** Alert 1476724194.108906: mail - syslog,errors,
2016 Oct 17 12:09:54 ixtrtc42scf->/var/log/messages
Rule: 1002 (level 2) -> 'Unknown problem somewhere in the system.'
Oct 17 12:09:52 ixtrtc42scf kernel: type=1100 audit(1476724192.626:36149382): user pid=6141 uid=0 auid=4294967295 ses=4294967295 msg='op=maxtries exceeded acct="root" exe="/usr/sbin/sshd" hostname=? addr=10.188.62.176 terminal=ssh res=failed'

** Alert 1476724194.109320: mail - syslog,errors,
2016 Oct 17 12:09:54 ixtrtc42scf->/var/log/messages
Rule: 1002 (level 2) -> 'Unknown problem somewhere in the system.'
Oct 17 12:09:52 ixtrtc42scf kernel: type=1112 audit(1476724192.627:36149387): user pid=6141 uid=0 auid=4294967295 ses=4294967295 msg='op=login acct="root" exe="/usr/sbin/sshd" hostname=? addr=10.188.62.176 terminal=ssh res=failed'

--- 
You received this message because you are subscribed to the Google Groups 
"ossec-list" group.
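The alerts quoted in the post show the failed root logins arriving as kernel audit records (type=1100, exe="/usr/sbin/sshd", res=failed) that only the generic rule 1002 matched, not an SSH rule such as 5712 that the active response is bound to. The following added example, which is not from the post or from OSSEC, parses such audit lines and correlates failed sshd records per source address the way a frequency/timeframe rule would; the threshold, the window and the sample lines are constructed.

```python
import re
from collections import defaultdict

# Field pattern for the kernel audit user-auth records quoted in the post (type=1100).
AUDIT_RE = re.compile(
    r"type=(?P<type>\d+) audit\((?P<ts>\d+\.\d+):\d+\):.*?msg='op=(?P<op>.+?) "
    r"acct=\"(?P<acct>[^\"]*)\" exe=\"(?P<exe>[^\"]*)\".*?addr=(?P<addr>\S+).*?res=(?P<res>\w+)'"
)

def parse_audit_line(line):
    """Return the audit record's fields as a dict, or None for non-audit lines."""
    m = AUDIT_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = float(rec["ts"])  # epoch seconds taken from the audit(...) stamp
    return rec

def sshd_failures_by_source(lines):
    """Map source address -> sorted timestamps of failed sshd authentication records."""
    failures = defaultdict(list)
    for line in lines:
        rec = parse_audit_line(line)
        if rec and rec["exe"] == "/usr/sbin/sshd" and rec["res"] == "failed" and rec["addr"] != "?":
            failures[rec["addr"]].append(rec["ts"])
    return {ip: sorted(ts) for ip, ts in failures.items()}

def brute_force_sources(lines, threshold=5, window=120):
    """Sources with >= threshold failed records inside any window-second span (the frequency /
    timeframe / same_source_ip correlation of an OSSEC rule); threshold and window are constructed."""
    flagged = set()
    for ip, ts in sshd_failures_by_source(lines).items():
        for i in range(len(ts) - threshold + 1):
            if ts[i + threshold - 1] - ts[i] <= window:
                flagged.add(ip)
                break
    return flagged

# Constructed sample modelled on the post's records; one failed attempt emits several audit records.
_TMPL = ("Oct 17 12:09:{s} ixtrtc42scf kernel: type={t} audit({ts}:{n}): user pid=6141 uid=0 "
         "auid=4294967295 ses=4294967295 msg='op={op} acct=\"root\" exe=\"/usr/sbin/sshd\" "
         "hostname=? addr=10.188.62.176 terminal=ssh res=failed'")
SAMPLE_LINES = [
    _TMPL.format(s=48, t=1100, ts="1476724188.016", n=36149378, op="PAM:authentication"),
    _TMPL.format(s=48, t=1100, ts="1476724188.016", n=36149379, op="password"),
    _TMPL.format(s=52, t=1100, ts="1476724192.625", n=36149380, op="PAM:authentication"),
    _TMPL.format(s=52, t=1100, ts="1476724192.626", n=36149381, op="password"),
    _TMPL.format(s=52, t=1100, ts="1476724192.626", n=36149382, op="maxtries exceeded"),
]
```

Running `brute_force_sources(SAMPLE_LINES)` on the sample flags 10.188.62.176, while the same records spread over a longer window, or a higher threshold, produce no match, which is the kind of tuning the active response depends on.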