On Mon, Nov 14, 2016 at 10:51 AM, Whit Blauvelt <[email protected]> wrote:
> On Fri, Nov 11, 2016 at 07:10:51PM -0500, dan (ddp) wrote:
>> On Nov 11, 2016 4:11 PM, "Whit Blauvelt" <[email protected]> wrote:
>> >
>> > With a default agent installation of 2.9rc3 with active response included, I
>> > was surprised by a few things:
>> >
>> > 1. Too frequent connections, even successful ones with valid logins, to an
>> > ftp or sftp server are considered an attack and blocked for a time. This
>> > was unfortunate, since we use both heavily in contexts where frequent
>> > connections are how the systems exchange files.
>>
>> I think you're expected to tweak ossec to your usage.
>
> Certainly. But it's also a decent target to have the default installation
> not be something that will be dangerously broken unless carefully tweaked
> first -- especially without prominent warnings about the dangers involved.
> Except in a context of anon FTP servers (does anyone run those any more?)
> blocking IPs because they connect using valid logins "too often" is a
> dangerous default. "First, do no harm."
>

Creating perfect defaults for every environment is nearly impossible. Niche
and odd-ball usage patterns can cause issues. Which rule was triggering the
alerts? Maybe it's time for a tweak.

>> > 2. With iptables, OSSEC adds DROPs without having them LOGged. Yes, OSSEC
>> > records adding its rule to its own log. But on systems where there are
>> > already complex firewall rules, it's natural to see precisely what's
>> > being dropped in the standard logs. It's fairly standard practice with
>> > Netfilter to log what you drop.
>>
>> Please submit a pull request.
>
> Okay, once I work up the fix.
>

Much appreciated. :)

>> > 3. OSSEC emails notices about the alerts, but not about its active
>> > responses. That seems an omission.
>>
>> Configure ossec to watch the ar log file, then make sure there is a rule to
>> alert you to it doing things. Or create a rule. I can't remember if there is
>> one by default or not.
>
> Thanks, I'll have to do that.
>
> For consistency, since ossec emails about everything else, wouldn't it be
> best if this was default behavior for ar too?
>

I've always thought AR needed better logging, just haven't looked into
changing it.

> Is this a project where constructive criticism is not desired? For some
> projects putting out a "release candidate" is an invitation to critique, so
> it can be better perfected.
>

Criticism is welcomed, constructive even more so. But I don't always agree
with it, and may need more convincing. I guard my hobby time fiercely.

> Best,
> Whit
>
> --
>
> ---
> You received this message because you are subscribed to the Google Groups
> "ossec-list" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to [email protected].
> For more options, visit https://groups.google.com/d/optout.
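The change point 2 asks for, as an added example that is not OSSEC's own firewall-drop.sh and not the pull request discussed above: a minimal POSIX sh active-response script that inserts a rate-limited LOG rule ahead of its DROP, so each block shows up in the kernel/firewall log next to everything else Netfilter already logs. The argument order (action, user, source IP, alert id, rule id) follows the convention OSSEC's shipped scripts use; the `IPTABLES` override, the `ossec-ar-drop:` log prefix and the `1/s` rate limit are this example's own choices. The address check is there because the IP comes out of a decoded log line and lands on a root-level command line, so an unvalidated value would be shell-injectable.

```shell
#!/bin/sh
# Added example (not OSSEC's firewall-drop.sh): an active-response script
# that LOGs before it DROPs, so blocks appear in the kernel/firewall log.
# Argument order follows OSSEC's scripts: $1 = add|delete, $2 = user ("-"),
# $3 = source IP, $4 = alert id, $5 = rule id. Only $1 and $3 are used.

IPTABLES="${IPTABLES:-iptables}"   # set IPTABLES=echo to preview the commands
LOG_PREFIX="ossec-ar-drop: "       # example prefix; iptables caps it at 29 chars
LOG_LIMIT="1/s"                    # example rate limit so a flood cannot fill syslog

# The address comes from a decoded log line and ends up on a root-level
# command line, so accept only a plain dotted-quad IPv4 address.
valid_ipv4() {
    case "$1" in
        ""|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    (   # split on dots in a subshell so the caller's IFS is left alone
        IFS=.
        set -- $1
        [ $# -eq 4 ] || exit 1
        for o in "$@"; do
            case "$o" in 0?*) exit 1 ;; esac   # no leading zeros (octal ambiguity)
            [ "$o" -le 255 ] || exit 1
        done
        exit 0
    )
}

# Apply the rules for one action. "-I" with no position inserts at the head
# of the chain, so the DROP goes in first and the LOG second: a packet then
# meets LOG (a non-terminating target) before DROP. Deletion reuses the exact
# same rule specs so "-D" matches what "-I" added.
apply_rules() {
    action=$1
    ip=$2
    case "$action" in
        add)    op="-I" ;;
        delete) op="-D" ;;
        *) echo "usage: $0 add|delete <user> <srcip>" >&2; return 2 ;;
    esac
    valid_ipv4 "$ip" || { echo "refusing non-IPv4 argument: $ip" >&2; return 2; }
    for chain in INPUT FORWARD; do
        if [ "$action" = add ]; then
            $IPTABLES "$op" "$chain" -s "$ip" -j DROP
            $IPTABLES "$op" "$chain" -s "$ip" -m limit --limit "$LOG_LIMIT" \
                -j LOG --log-prefix "$LOG_PREFIX"
        else
            $IPTABLES "$op" "$chain" -s "$ip" -m limit --limit "$LOG_LIMIT" \
                -j LOG --log-prefix "$LOG_PREFIX"
            $IPTABLES "$op" "$chain" -s "$ip" -j DROP
        fi
    done
}

# OSSEC invokes the script with the arguments described above; with fewer
# than three arguments (e.g. when sourced for testing) nothing is applied.
if [ $# -ge 3 ]; then
    apply_rules "$1" "$3"
fi
```

Because the LOG rule carries `-m limit`, a flood from a blocked address produces at most the configured number of log lines per second and then falls straight through to the DROP; the LOG is a non-terminating target either way, so nothing is ever let through. The fixed prefix lets whatever already consumes the firewall log (including OSSEC itself) separate OSSEC's blocks from other drops.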
