How to check active response has been activated or not ??


Tanishk Lakhaani

Mar 2, 2011, 2:18:50 PM
to ossec...@googlegroups.com
Hi all,
I have active response configured in my environment. Now what I am worried about is how I get to know that an IP address has been blocked by the active response configuration. Do I need to check the active-response.log file on the manager side every time... Or is there some other way? I was thinking of integrating the same with email alerting in OSSEC.


Regards
Tanishk Lakhaani
Sent from BlackBerry® on Airtel

satish patel

Mar 2, 2011, 2:45:26 PM
to ossec...@googlegroups.com
Do one thing: try to ssh to your machine with a wrong password. After 5/6
attempts your IP will get blocked by iptables and /etc/hosts.deny.

Enjoy!!!

dan (ddp)

Mar 2, 2011, 3:38:36 PM
to ossec...@googlegroups.com
Check the active-response.log file (on the system that runs the active
response).
You can configure OSSEC to watch the active-response.log file and fire
off an email/alert when a new entry is added. It's simple to do, and
helps solve the notification problem.

Tanishk Lakhaani

Mar 3, 2011, 9:33:19 PM
to ossec...@googlegroups.com
Hi dan,
Configuring OSSEC to watch the active-response.log file will fire an alert for an Integrity Checksum Changed event on the active-response.log file. But what I am looking for is to get the actual active response log in my email (email alerting is configured).


Regards
Tanishk Lakhaani
Sent from BlackBerry® on Airtel

dan (ddp)

Mar 3, 2011, 9:37:04 PM
to ossec...@googlegroups.com
Hi Tanishk,
I don't mean to set up syscheck to watch it, I mean to use it as a
localfile source:
<localfile>
  <log_format>syslog</log_format>
  <location>/var/ossec/logs/active-response.log</location>
</localfile>

You'll have to write a rule for it, but that shouldn't be too hard.

Jason 'XenoPhage' Frisvold

Mar 14, 2011, 10:11:36 PM
to ossec...@googlegroups.com
On Mar 3, 2011, at 9:37 PM, dan (ddp) wrote:
> Hi Tanishk,
> I don't mean to setup syscheck to watch it, I mean to use it as a
> localfile source:
> <localfile>
> <log_format>syslog</log_format>
> <location>/var/ossec/logs/active-response.log</location>
> </localfile>
>
> You'll have to write a rule for it, but that shouldn't be too hard.

Allow me to assist. I don't believe I'm the original author of this, but it works.. :)

First, the decoder (put this in /var/ossec/etc/local_decoder.xml)

<!-- decoder for active responses as logged by an OSSEC agent or server
  -Examples
  -Sat Feb 20 01:37:44 CET 2010 /var/ossec/active-response/bin/host-deny.sh add - 192.168.74.204 1266626262.2106252 5706
  -Sat Feb 20 01:48:14 CET 2010 /var/ossec/active-response/bin/host-deny.sh delete - 192.168.74.204 1266626262.2106252 5706

  Thu Aug 19 01:41:54 EDT 2010 /var/ossec/active-response/bin/firewall-drop.sh add - 110.136.162.142 1282196514.748326 30118
  Thu Aug 19 02:43:24 EDT 2010 /var/ossec/active-response/bin/firewall-drop.sh delete - 110.136.162.142 1282196514.748326 30118

  -Extracts:
  -name of AR script as 'action'
  -type of action (add/delete) as 'status'
  -source IP
  -ossec id of AR
-->
<decoder name="ar_log">
  <!-- <prematch>^Mo|^Di|^Mi|^Do|^Fr|^Sa|^So|^Mon|^Tue|^Wed|^Thu|^Fri|^Sat|^Sun</prematch> -->
  <prematch>^Mon|^Tue|^Wed|^Thu|^Fri|^Sat|^Sun</prematch>
  <!-- <regex offset="after_prematch"> \w\w\w \d\d. \d\d:\d\d:\d\d \w\w\w \d\d\d\d /var/ossec/active-response/bin/(\S+) (\S+) - (\S+) (\d+.\d+) \d+</regex> -->
  <regex offset="after_prematch"> \S+\s+\d+ \d\d:\d\d:\d\d \S+ \d+ /var/ossec/active-response/bin/(\S+) (\S+) - (\S+) (\d+.\d+) \d+</regex>
  <order>action, status, srcip, id</order>
</decoder>


And now the rules (I don't follow the recommended rule numbering, I have my own scheme; adjust accordingly):

<!-- @(#) $Id: ossec_rules.xml,v 1.24 2010/03/04 20:12:33 dcid Exp $
- Official ossec rules for OSSEC.
-
- Copyright (C) 2009 Trend Micro Inc.
- All rights reserved.
-
- This program is a free software; you can redistribute it
- and/or modify it under the terms of the GNU General Public
- License (version 2) as published by the FSF - Free Software
- Foundation.
-
- License details: http://www.ossec.net/en/licensing.html
-->

<group name="ossec,">

  <rule id="100001" level="3">
    <decoded_as>ar_log</decoded_as>
    <group>active_response_notification</group>
    <action>firewall-drop.sh</action>
    <status>add</status>
    <description>Active response firewall-drop.sh was run, host blocked</description>
  </rule>

  <rule id="100002" level="3">
    <decoded_as>ar_log</decoded_as>
    <group>active_response_notification</group>
    <action>firewall-drop.sh</action>
    <status>delete</status>
    <description>Active response firewall-drop.sh was run, host unblocked</description>
  </rule>

  <rule id="100003" level="3">
    <decoded_as>ar_log</decoded_as>
    <group>active_response_notification</group>
    <action>host-deny.sh</action>
    <status>add</status>
    <description>Active response host-deny.sh was run, host added to hosts.deny</description>
  </rule>

  <rule id="100004" level="3">
    <decoded_as>ar_log</decoded_as>
    <group>active_response_notification</group>
    <action>host-deny.sh</action>
    <status>delete</status>
    <description>Active response host-deny.sh was run, host removed from hosts.deny</description>
  </rule>
</group> <!-- OSSEC -->


---------------------------
Jason 'XenoPhage' Frisvold
xeno...@godshell.com
---------------------------
"Any sufficiently advanced magic is indistinguishable from technology."
- Niven's Inverse of Clarke's Third Law
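To see what the decoder and rules above actually do with a log line before deploying them, here is an added Python stand-in (not from the thread or from OSSEC) that translates the decoder's prematch and regex into Python's re dialect and applies the four rules. It also shows two cases the thread only hints at: a weekday in a non-English locale (the commented-out prematch) is never decoded, and a line for a script with no rule is decoded but raises nothing; the custom-ar.sh line is a constructed, hypothetical example.

```python
import re

# Translation of the thread's OSSEC decoder: English-weekday prematch followed
# by the field regex. OSSEC's regex dialect is not PCRE, so this is a
# re-implementation for testing, not the decoder itself (OSSEC's "." in the
# id field matches any character; a literal "." is used here).
AR_LINE = re.compile(
    r"^(?:Mon|Tue|Wed|Thu|Fri|Sat|Sun) "
    r"\S+\s+\d+ \d\d:\d\d:\d\d \S+ \d+ "
    r"/var/ossec/active-response/bin/(?P<action>\S+) (?P<status>\S+) - "
    r"(?P<srcip>\S+) (?P<id>\d+\.\d+) \d+$"
)

# The four rules from the thread, keyed the way <action>/<status> select them.
RULES = {
    ("firewall-drop.sh", "add"): (100001, "Active response firewall-drop.sh was run, host blocked"),
    ("firewall-drop.sh", "delete"): (100002, "Active response firewall-drop.sh was run, host unblocked"),
    ("host-deny.sh", "add"): (100003, "Active response host-deny.sh was run, host added to hosts.deny"),
    ("host-deny.sh", "delete"): (100004, "Active response host-deny.sh was run, host removed from hosts.deny"),
}

def decode(line):
    """Return the decoded fields (action, status, srcip, id) or None."""
    m = AR_LINE.match(line.rstrip("\n"))
    return m.groupdict() if m else None

def evaluate(line):
    """Decode one log line and return the alert a matching rule would raise."""
    fields = decode(line)
    if fields is None:
        return None                      # no decoder match: nothing fires
    rule = RULES.get((fields["action"], fields["status"]))
    if rule is None:
        return None                      # decoded, but no rule for this script
    return {"rule_id": rule[0], "level": 3, "description": rule[1], **fields}

def alerts_for(lines):
    """Run every line through decoder and rules; keep only the alerts."""
    return [a for a in (evaluate(l) for l in lines) if a]

# Constructed sample log: the thread's own example lines plus two edge cases.
SAMPLE_LOG = [
    "Thu Aug 19 01:41:54 EDT 2010 /var/ossec/active-response/bin/firewall-drop.sh add - 110.136.162.142 1282196514.748326 30118",
    "Thu Aug 19 02:43:24 EDT 2010 /var/ossec/active-response/bin/firewall-drop.sh delete - 110.136.162.142 1282196514.748326 30118",
    "Sat Feb 20 01:37:44 CET 2010 /var/ossec/active-response/bin/host-deny.sh add - 192.168.74.204 1266626262.2106252 5706",
    # German-locale weekday: only the commented-out prematch would catch this.
    "Sa Feb 20 01:48:14 CET 2010 /var/ossec/active-response/bin/host-deny.sh delete - 192.168.74.204 1266626262.2106252 5706",
    # Hypothetical script name with no rule: decoded but silently dropped.
    "Sat Feb 20 01:50:00 CET 2010 /var/ossec/active-response/bin/custom-ar.sh add - 192.168.74.204 1266626262.3 5707",
]
```

Running alerts_for(SAMPLE_LOG) yields rules 100001, 100002 and 100003 only; the two edge-case lines show why a locale change or a new AR script needs a decoder or rule change before any email can be expected.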

treydock

May 8, 2011, 4:19:44 AM
to ossec-list
To enable the notification, what must be done exactly? Using Jason's
example I have this working, but wasn't sure of the preferred method to
enable email alerting.

My configuration's email alert level is set to 7. So if the active
response rule is level 3, should I add "<options>alert_by_email</options>"
to each rule? Or would this have the same effect?

<email_alerts>
  <email_to>treydock@xxxxx</email_to>
  <group>active_response_notification</group>
</email_alerts>

Thanks
- Trey


dan (ddp)

May 9, 2011, 2:02:03 PM
to ossec...@googlegroups.com
I believe you'd need to add the alert_by_email option to all rules.
