how to enable Active Response


Aaron Bliss

Apr 23, 2008, 2:41:34 PM
to ossec...@googlegroups.com
Hi everyone,
I've been using ossec for a few months now and everything is working great (a truly excellent, robust application set).  I've deployed the redhat agents with active response disabled, but I would like to start testing this now that mostly everything is working.   My goal is to have active response block, for example, detected port scans and possibly re-write the iptables rule set to stop the attack in its tracks.  It seems that to enable active response, I edit /var/ossec/etc/ossec.conf, the section marked:
<active-response>
    <disabled>yes</disabled>
  </active-response>
and change to
<active-response>
    <disabled>no</disabled>
  </active-response>
Is that correct?  Also, how do I configure ossec to re-write the iptables rules?  I looked at the documentation here http://www.ossec.net/main/manual/#active-response, but am still not sure where to begin.  Below is the kind of scan that I would like to stop.  Others would include, for example, scans against ssh.  Thanks very much for your help.

2008 Apr 07 11:48:26 Rule Id: 5712 level: 10
Location: (cvs1) 137.21.162.100->/var/log/secure
Src IP: 202.144.157.157
SSHD brute force trying to get access to the system.
Apr 7 11:48:26 cvs1 sshd[6966]: Failed password for invalid user admin from 202.144.157.157 port 52590 ssh2
Apr 7 11:48:25 cvs1 sshd[6966]: Invalid user admin from 202.144.157.157
Apr 7 11:48:20 cvs1 sshd[6964]: Failed password for invalid user admin from 202.144.157.157 port 52419 ssh2

2008 Apr 01 06:00:56 Rule Id: 30114 level: 10
Location: (status) 137.21.162.150->/etc/httpd/logs/error_log
Src IP: 24.123.67.41
Multiple attempts to access non-existent files (web scan) from same source.
[Tue Apr 01 06:00:54 2008] [error] [client 24.123.67.41] File does not exist: /var/www/htdocs/phpMyAdmin-2.6.4

Also, does anyone have any tools to test the above rules out?  Thanks again for your help.

Aaron
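The "re-write the iptables rules" part of the question above is what the stock firewall-drop.sh active-response script does: ossec-execd calls it with an action, a user and the alert's source IP, and it inserts DROP rules for that address. The script below is an added example, not the original post's code and not OSSEC's own firewall-drop.sh; it follows the same argument convention but additionally validates the address before passing it to iptables and has a DRY_RUN mode so it can be exercised on a box without root or a live firewall. The function names (valid_ipv4, build_firewall_cmds, run_response) and the DRY_RUN variable are my own and not part of OSSEC.

```shell
#!/bin/sh
# Added example, not OSSEC's own firewall-drop.sh. It follows the calling
# convention ossec-execd uses for a command with <expect>srcip</expect>:
#   $1 = action ("add" when the rule fires, "delete" when <timeout> expires)
#   $2 = user ("-" when the command does not expect one)
#   $3 = source IP taken from the alert
# (the alert id and rule id follow as $4 and $5 and are ignored here).
# Unlike the stock script it refuses anything that is not a dotted-quad IPv4
# address before touching iptables, and DRY_RUN=1 only prints the commands,
# so it can be exercised without root and without a live firewall.

# valid_ipv4 ADDR: succeed only for a.b.c.d with every octet in 0-255.
valid_ipv4() {
    ip=$1
    case $ip in
        *.*.*.*) ;;            # need at least three dots
        *) return 1 ;;
    esac
    a=${ip%%.*}; rest=${ip#*.}
    b=${rest%%.*}; rest=${rest#*.}
    c=${rest%%.*}; d=${rest#*.}
    for octet in "$a" "$b" "$c" "$d"; do
        # empty, non-numeric, or still containing a dot (more than 4 fields)
        case $octet in ''|*[!0-9]*) return 1 ;; esac
        [ ${#octet} -le 3 ] || return 1
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# build_firewall_cmds ACTION ADDR: print the two iptables commands the
# response would run (INPUT and FORWARD DROP, inserted on add, deleted on
# delete), one per line. Fails on an unknown action or a bad address.
build_firewall_cmds() {
    action=$1
    addr=$2
    case $action in
        add)    flag=-I ;;
        delete) flag=-D ;;
        *)      return 1 ;;
    esac
    valid_ipv4 "$addr" || return 1
    printf 'iptables %s INPUT -s %s -j DROP\n' "$flag" "$addr"
    printf 'iptables %s FORWARD -s %s -j DROP\n' "$flag" "$addr"
}

# run_response ACTION USER ADDR [ALERT_ID RULE_ID]: the entry point
# ossec-execd calls. Prints the commands under DRY_RUN=1, else executes them.
run_response() {
    cmds=$(build_firewall_cmds "$1" "$3") || {
        echo "refusing active response: action='$1' srcip='$3'" >&2
        return 1
    }
    if [ "${DRY_RUN:-0}" = 1 ]; then
        printf '%s\n' "$cmds"
        return 0
    fi
    printf '%s\n' "$cmds" | while read -r cmd; do
        $cmd || echo "failed: $cmd" >&2
    done
}

# Behave as a normal active-response script when invoked with arguments,
# e.g.  DRY_RUN=1 ./firewall-drop-example.sh add - 202.144.157.157
if [ $# -ge 3 ]; then
    run_response "$@"
fi
```

Dropping the script into /var/ossec/active-response/bin/ and naming it in a `<command>` block is the mechanical part; the security-relevant part is the validation, since the third argument comes straight out of a log line an attacker wrote, and the `delete` action is what OSSEC invokes when the `<timeout>` on the response expires, so a script that only handles `add` leaves blocks in place forever.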

Aaron Bliss

Apr 24, 2008, 12:34:57 PM
to ossec...@googlegroups.com
Aaron

Aaron Bliss

Apr 24, 2008, 10:09:05 PM
to ossec...@googlegroups.com
I added the following to the ossec.conf file of an ossec agent, but it's not triggering the active response even though I'm triggering rule 5701.  Any ideas?  P.S. ossec-execd is running.  Thanks for your help.

  <command>
    <name>sshbrute</name>
    <executable>firewall-drop.sh</executable>
    <expect>srcip</expect>
    <timeout_allowed>no</timeout_allowed>
  </command>

  <active-response>
    <command>sshbrute</command>
    <location>local</location>
    <rules_id>5701</rules_id>
  </active-response>
-- 
Aaron Bliss
Systems Administrator
SUNY Brockport
(585) 395-2417

Daniel Cid

Apr 25, 2008, 10:36:14 AM
to ossec...@googlegroups.com
Hi Aaron,

The active response configuration must be set on the server side, not on the agent... Besides that, your configuration seems fine.

Hope it helps.

--
Daniel B. Cid
dcid ( at ) ossec.net
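Putting Daniel's answer together with the two alerts from the first post, this is what a complete server-side configuration looks like. It is an added example, not configuration from the thread or from the OSSEC project: the `<command>` and `<active-response>` blocks go in the server's /var/ossec/etc/ossec.conf (the agent only keeps `<disabled>no</disabled>` so that it will execute what the server sends), `<location>local</location>` runs the script on the agent that produced the alert, and `<rules_id>` takes a comma-separated list, here the two rule ids seen above. The `<white_list>` entries are an assumption: the two agent addresses from the alerts are used as an illustration of addresses that must never be blocked, because a forged or mis-parsed source IP would otherwise lock the server out of its own hosts.

```xml
<!-- Added example, not the thread's or the project's own ossec.conf.
     Server-side fragment; the agents keep only <disabled>no</disabled>. -->
<ossec_config>
  <global>
    <!-- Addresses active response must never block. The two agent IPs
         are taken from the alerts above purely as an illustration. -->
    <white_list>127.0.0.1</white_list>
    <white_list>137.21.162.100</white_list>
    <white_list>137.21.162.150</white_list>
  </global>

  <!-- Same command the agent-side attempt above defined, but with timeouts
       allowed so the block can be lifted again automatically. -->
  <command>
    <name>firewall-drop</name>
    <executable>firewall-drop.sh</executable>
    <expect>srcip</expect>
    <timeout_allowed>yes</timeout_allowed>
  </command>

  <!-- Fire on the SSH brute-force (5712) and web-scan (30114) rules, on the
       agent that raised the alert, and undo the block after 10 minutes. -->
  <active-response>
    <command>firewall-drop</command>
    <location>local</location>
    <rules_id>5712,30114</rules_id>
    <timeout>600</timeout>
  </active-response>
</ossec_config>
```

Two things worth checking before trusting it in production: the agent's own ossec.conf still has `<active-response><disabled>no</disabled></active-response>` (the switch from the first post), because the server can only send the response, not force an agent that has it disabled to run it; and the `<timeout>` is set, since `<timeout_allowed>no</timeout_allowed>` as in the agent-side attempt makes every block permanent, which turns a spoofable source address into a denial-of-service lever against your own users.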
