On Wed, Oct 19, 2016 at 1:02 PM, Adiel Navarro <adiel.nava...@mail.telcel.com> wrote:
> How can I check the active-responses scripts are running?
>

If there are entries in the active-responses.log file, the scripts are running. If there are no entries in the log, you need to figure out why.

> In the agent, I have the next lines inserted in ossec.conf to watch the log
> files:
>
> <localfile>
>   <log_format>syslog</log_format>
>   <location>/var/ossec/logs/active-responses.log</location>
> </localfile>
>
> How can I configure the rule?
>

On the OSSEC server add a rule to /var/ossec/rules/local_rules.xml looking for the information in the log message. For instance, I have the following logs:

Tue Oct 18 07:04:11 EDT 2016 /var/ossec/active-response/bin/pf.sh add - 42.112.31.172 1476788651.100797 5718
Wed Oct 19 08:10:26 EDT 2016 /var/ossec/active-response/bin/pf.sh add - 117.211.159.74 1476879026.110618 5718

My rules would be something like:

<!-- Identify an active response log message -->
<rule id="987654" level="0">
  <match>/var/ossec/active-response/bin</match>
  <description>AR fired</description>
</rule>

<!-- Once the log message is identified, check to see if it is adding something to ossec_fwtable -->
<rule id="987655" level="10">
  <if_sid>987654</if_sid>
  <match>pf.sh add </match>
  <description>pf.sh active response added an ip to the blocklist.</description>
</rule>

After adding the rules the OSSEC processes on the server would have to be restarted.

I could make it fancier by creating a decoder, but it's probably not necessary.

> -----Original Message-----
> From: ossec-list@googlegroups.com [mailto:ossec-list@googlegroups.com] On Behalf Of dan (ddp)
> Sent: Wednesday, 19 October 2016 11:56 a.m.
> To: ossec-list@googlegroups.com
> Subject: Re: [ossec-list] Active response
>
> On Wed, Oct 19, 2016 at 12:48 PM, Adiel Navarro <adiel.nava...@mail.telcel.com> wrote:
>> How can I configure OSSEC to watch the active-responses.log file so it will fire an alert?
>> Why is active-responses.log not being written?
>>
>
> If active-responses.log is empty, it's probably because no active response scripts are being run.
>
> Getting alerts when AR scripts are run is pretty simple. Set up a localfile to watch the log file and create a rule to alert when there are new entries.
>
>> In agent:
>>
>> <localfile>
>>   <log_format>syslog</log_format>
>>   <location>/var/ossec/logs/active-responses.log</location>
>> </localfile>
>>
>> -bash-3.2# ls -l /var/ossec/logs
>> total 86
>> -rw-r--r-- 1 root  root      0 Oct 17 14:30 active-responses.log
>> -rw-rw-r-- 1 ossec ossec 44032 Oct 17 14:29 ossec.log
>>
>> in the server:
>> -bash-3.2# ls -l /var/ossec/logs
>> total 7432
>> -rw-rw---- 1 ossec ossec       0 May 19 10:01 active-responses.log
>> drwxr-x--- 3 ossec ossec    4096 Oct 17 12:56 alerts
>> drwxr-x--- 3 ossec ossec    4096 Oct 17 12:56 archives
>> drwxr-x--- 3 ossec ossec    4096 Oct 17 12:56 firewall
>> -rw-rw---- 1 ossec ossec 7582818 Oct 17 17:09 ossec.log
>>
>> -----Original Message-----
>> From: ossec-list@googlegroups.com [mailto:ossec-list@googlegroups.com] On Behalf Of dan (ddp)
>> Sent: Wednesday, 19 October 2016 07:50 a.m.
>> To: ossec-list@googlegroups.com
>> Subject: Re: [ossec-list] Active response
>>
>> On Wed, Oct 19, 2016 at 8:43 AM, dan (ddp) <ddp...@gmail.com> wrote:
>>> On Tue, Oct 18, 2016 at 6:54 PM, Aj Navarro <ajnavarro1...@gmail.com> wrote:
>>>> I only see the following messages in /var/ossec/logs/alerts/alerts.log
>>>>
>>>> ** Alert 1476724188.107242: mail - syslog,errors,
>>>> 2016 Oct 17 12:09:48 ixtrtc42scf->/var/log/messages
>>>> Rule: 1002 (level 2) -> 'Unknown problem somewhere in the system.'
>>>> Oct 17 12:09:48 ixtrtc42scf kernel: type=1100 audit(1476724188.016:36149378): user pid=6141 uid=0 auid=4294967295 ses=4294967295 msg='op=PAM:authentication acct="root" exe="/usr/sbin/sshd" hostname=10.188.62.176 addr=10.188.62.176 terminal=ssh res=failed'
>>>>
>>>
>>> These log messages are not triggering 5712. In fact OSSEC isn't sure what to do with these log messages.
>>> Is there anything in your auth log?
>>>
>>
>> Digging into it further, we get:
>> # cat /tmp/yy | /var/ossec/bin/ossec-logtest -q
>> 2016/10/19 08:44:09 ossec-testrule: INFO: Reading the lists file: 'rules/lists/ossec.block'
>> 2016/10/19 08:44:09 ossec-testrule: INFO: Started (pid: 16098).
>> ossec-testrule: Type one log per line.
>>
>> **Phase 1: Completed pre-decoding.
>>        full event: 'Oct 17 12:09:48 ixtrtc42scf kernel: type=1100 audit(1476724188.016:36149378): user pid=6141 uid=0 auid=4294967295 ses=4294967295 msg='op=PAM:authentication acct="root" exe="/usr/sbin/sshd" hostname=10.188.62.176 addr=10.188.62.176 terminal=ssh res=failed''
>>        hostname: 'ixtrtc42scf'
>>        program_name: 'kernel'
>>        log: 'type=1100 audit(1476724188.016:36149378): user pid=6141 uid=0 auid=4294967295 ses=4294967295 msg='op=PAM:authentication acct="root" exe="/usr/sbin/sshd" hostname=10.188.62.176 addr=10.188.62.176 terminal=ssh res=failed''
>>
>> **Phase 2: Completed decoding.
>>        decoder: 'iptables'
>>
>> **Phase 3: Completed filtering (rules).
>>        Rule id: '1002'
>>        Level: '2'
>>        Description: 'Unknown problem somewhere in the system.'
>> **Alert to be generated.
>>
>> So we'll have to create a decoder to deal with these odd log messages.
>> Adding the following decoder to my local decoders file:
>>
>> <decoder name="wtf-iptables">
>>   <parent>iptables</parent>
>>   <prematch> exe="/usr/sbin/sshd" </prematch>
>>   <!--<regex> acct="(\S+)" hostname="(\S+)" addr="(\S+)" </regex>-->
>>   <regex> acct="(\S+)" exe="/\.+/sshd" hostname=(\S+) addr=(\S+) </regex>
>>   <order>user,dstip, srcip</order>
>> </decoder>
>>
>> I get:
>>
>> **Phase 1: Completed pre-decoding.
>>        full event: 'Oct 17 12:09:48 ixtrtc42scf kernel: type=1100 audit(1476724188.016:36149378): user pid=6141 uid=0 auid=4294967295 ses=4294967295 msg='op=PAM:authentication acct="root" exe="/usr/sbin/sshd" hostname=10.188.62.176 addr=10.188.62.176 terminal=ssh res=failed''
>>        hostname: 'ixtrtc42scf'
>>        program_name: 'kernel'
>>        log: 'type=1100 audit(1476724188.016:36149378): user pid=6141 uid=0 auid=4294967295 ses=4294967295 msg='op=PAM:authentication acct="root" exe="/usr/sbin/sshd" hostname=10.188.62.176 addr=10.188.62.176 terminal=ssh res=failed''
>>
>> **Phase 2: Completed decoding.
>>        decoder: 'iptables'
>>        dstuser: 'root'
>>        dstip: '10.188.62.176'
>>        srcip: '10.188.62.176'
>>
>> **Phase 3: Completed filtering (rules).
>>        Rule id: '1002'
>>        Level: '2'
>>        Description: 'Unknown problem somewhere in the system.'
>> **Alert to be generated.
>>
>> I haven't done any testing to see if this will affect anything else though.
>>
>> --
>>
>> ---
>> You received this message because you are subscribed to the Google Groups "ossec-list" group.
>> To unsubscribe from this group and stop receiving emails from it, send an email to ossec-list+unsubscr...@googlegroups.com.
>> For more options, visit https://groups.google.com/d/optout.
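As an added illustration (not code from the thread or from OSSEC), the Python below models how the two-rule chain dan proposes behaves in ossec-logtest's Phase 3 over constructed active-responses.log lines: the level-0 parent rule recognises any line from the active-response bin directory, and the level-10 child only fires through <if_sid> when the line is a "pf.sh add". The IPs are documentation-range addresses, and plain-text <match> is simplified to an unanchored substring test.

```python
import re

# Constructed sample lines in the active-responses.log format shown in the thread
# (documentation-range IPs; not captured from a real host).
AR_LOG_LINES = [
    "Tue Oct 18 07:04:11 EDT 2016 /var/ossec/active-response/bin/pf.sh add - 192.0.2.10 1476788651.100797 5718",
    "Wed Oct 19 08:10:26 EDT 2016 /var/ossec/active-response/bin/pf.sh add - 198.51.100.7 1476879026.110618 5718",
    "Wed Oct 19 08:40:26 EDT 2016 /var/ossec/active-response/bin/pf.sh delete - 192.0.2.10 1476788651.100797 5718",
    "Wed Oct 19 09:00:00 EDT 2016 something unrelated landed in the log",
]

# The two rules from the thread: (id, level, parent id for <if_sid> or None, <match> text).
# Plain <match> text is an unanchored substring test in OSSEC; that is all we model here.
RULES = [
    ("987654", 0, None, "/var/ossec/active-response/bin"),
    ("987655", 10, "987654", "pf.sh add "),
]

# The blocked address sits between " - " and the AR timestamp in these lines.
IP_RE = re.compile(r" - (\d{1,3}(?:\.\d{1,3}){3}) ")


def evaluate(line):
    """Return the deepest matching rule for one line, or None if no rule matched.

    Mirrors ossec-logtest's Phase 3 for this small chain: a child rule (<if_sid>)
    is only tried once its parent matched, and the last rule to match decides the
    level. Level 0 means the line was recognised but produces no alert.
    """
    matched = None
    for rule_id, level, parent, needle in RULES:
        if parent is not None and (matched is None or matched[0] != parent):
            continue  # <if_sid> not satisfied, skip this child rule
        if needle in line:
            matched = (rule_id, level)
    if matched is None:
        return None
    ip = IP_RE.search(line)
    return {
        "rule": matched[0],
        "level": matched[1],
        "alert": matched[1] > 0,
        "srcip": ip.group(1) if ip else None,
    }


def alerts_from(lines):
    """Lines that would reach alerts.log, i.e. matched a rule with level > 0."""
    results = (evaluate(line) for line in lines)
    return [r for r in results if r is not None and r["alert"]]


if __name__ == "__main__":
    for hit in alerts_from(AR_LOG_LINES):
        print(f"rule {hit['rule']} level {hit['level']}: blocked {hit['srcip']}")
```

The "delete" line shows why the parent is level 0: it is recognised as an AR event without raising an alert, which is the behaviour to expect before adding a third child rule for removals.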