Enjoy!!!
On Wed, Mar 2, 2011 at 2:18 PM, Tanishk Lakhaani <tanis...@gmail.com> wrote:
You'll have to write a rule for it, but that shouldn't be too hard.
Allow me to assist. I don't believe I'm the original author of this, but it works.. :)
First, the decoder (put this in /var/ossec/etc/local_decoder.xml)
<!-- decoder for active responses as logged by an OSSEC agent or server
     Examples:
     - Sat Feb 20 01:37:44 CET 2010 /var/ossec/active-response/bin/host-deny.sh add - 192.168.74.204 1266626262.2106252 5706
     - Sat Feb 20 01:48:14 CET 2010 /var/ossec/active-response/bin/host-deny.sh delete - 192.168.74.204 1266626262.2106252 5706
     - Thu Aug 19 01:41:54 EDT 2010 /var/ossec/active-response/bin/firewall-drop.sh add - 110.136.162.142 1282196514.748326 30118
     - Thu Aug 19 02:43:24 EDT 2010 /var/ossec/active-response/bin/firewall-drop.sh delete - 110.136.162.142 1282196514.748326 30118
     Extracts:
     - name of the AR script as 'action'
     - type of action (add/delete) as 'status'
     - source IP as 'srcip'
     - OSSEC id of the AR as 'id'
-->
<decoder name="ar_log">
  <!-- <prematch>^Mo|^Di|^Mi|^Do|^Fr|^Sa|^So|^Mon|^Tue|^Wed|^Thu|^Fri|^Sat|^Sun</prematch> -->
  <prematch>^Mon|^Tue|^Wed|^Thu|^Fri|^Sat|^Sun</prematch>
  <!-- <regex offset="after_prematch"> \w\w\w \d\d. \d\d:\d\d:\d\d \w\w\w \d\d\d\d /var/ossec/active-response/bin/(\S+) (\S+) - (\S+) (\d+.\d+) \d+</regex> -->
  <regex offset="after_prematch"> \S+\s+\d+ \d\d:\d\d:\d\d \S+ \d+ /var/ossec/active-response/bin/(\S+) (\S+) - (\S+) (\d+.\d+) \d+</regex>
  <order>action, status, srcip, id</order>
</decoder>
And now the rules (I don't follow the recommended rule numbering; I have my own scheme. Adjust accordingly.)
<!-- @(#) $Id: ossec_rules.xml,v 1.24 2010/03/04 20:12:33 dcid Exp $
   - Official ossec rules for OSSEC.
   -
   - Copyright (C) 2009 Trend Micro Inc.
   - All rights reserved.
   -
   - This program is a free software; you can redistribute it
   - and/or modify it under the terms of the GNU General Public
   - License (version 2) as published by the FSF - Free Software
   - Foundation.
   -
   - License details: http://www.ossec.net/en/licensing.html
-->
<group name="ossec,">
  <rule id="100001" level="3">
    <decoded_as>ar_log</decoded_as>
    <group>active_response_notification</group>
    <action>firewall-drop.sh</action>
    <status>add</status>
    <description>Active response firewall-drop.sh was run, host blocked</description>
  </rule>
  <rule id="100002" level="3">
    <decoded_as>ar_log</decoded_as>
    <group>active_response_notification</group>
    <action>firewall-drop.sh</action>
    <status>delete</status>
    <description>Active response firewall-drop.sh was run, host unblocked</description>
  </rule>
  <rule id="100003" level="3">
    <decoded_as>ar_log</decoded_as>
    <group>active_response_notification</group>
    <action>host-deny.sh</action>
    <status>add</status>
    <description>Active response host-deny.sh was run, host added to hosts.deny</description>
  </rule>
  <rule id="100004" level="3">
    <decoded_as>ar_log</decoded_as>
    <group>active_response_notification</group>
    <action>host-deny.sh</action>
    <status>delete</status>
    <description>Active response host-deny.sh was run, host removed from hosts.deny</description>
  </rule>
</group> <!-- OSSEC -->
> On Thu, Mar 3, 2011 at 9:33 PM, Tanishk Lakhaani <tanis...@gmail.com> wrote:
>> Hi dan,
>> Configuring ossec to watch the active response.log file will fire an alert w.r.t. the Integrity Checksum Changed event for the active response.log file. But what I am looking forward to is that I get the actual active response log in my email (email alerting is configured).
>>
>>
>> Regards
>> Tanishk Lakhaani
>> Sent from BlackBerry® on Airtel
>>
>> -----Original Message-----
>> From: "dan (ddp)" <ddp...@gmail.com>
>> Sender: ossec...@googlegroups.com
>> Date: Wed, 2 Mar 2011 15:38:36
>> To: <ossec...@googlegroups.com>
>> Reply-To: ossec...@googlegroups.com
>> Subject: Re: [ossec-list] How to check active response has been activated or not ??
>>
>> Check the active-response.log file (on the system that runs the active
>> response).
>> You can configure OSSEC to watch the active-response.log file and fire
>> off an email/alert when a new entry is added. It's simple to do, and
>> helps solve the notification problem.
>>
>> On Wed, Mar 2, 2011 at 2:18 PM, Tanishk Lakhaani <tanis...@gmail.com> wrote:
>>
---------------------------
Jason 'XenoPhage' Frisvold
xeno...@godshell.com
---------------------------
"Any sufficiently advanced magic is indistinguishable from technology."
- Niven's Inverse of Clarke's Third Law
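As an added example (not part of this thread and not OSSEC's own code): a Python re-implementation of the decoder regex and the four rules above, run over the lines from the decoder comment plus two constructed lines, so you can see exactly which fields each line yields and which rule it lands on. The helper names decode/match_rule are hypothetical, and the example assumes OSSEC's stock email_alert_level of 7, which is why level-3 rules like these only reach email when alert_by_email is set.

```python
import re

# Python translation of the decoder's prematch + regex (hypothetical helper names).
# OSSEC's regex dialect is not Python's, so this approximates, not reproduces, the decoder.
AR_LINE = re.compile(
    r"^(?:Mon|Tue|Wed|Thu|Fri|Sat|Sun) "
    r"\S+\s+\d+ \d\d:\d\d:\d\d \S+ \d+ "
    r"/var/ossec/active-response/bin/(?P<action>\S+) (?P<status>\S+) - "
    r"(?P<srcip>\S+) (?P<id>\d+\.\d+) \d+$"
)

# The four local rules from the post: (action, status) -> (rule id, level, description)
RULES = {
    ("firewall-drop.sh", "add"):    (100001, 3, "Active response firewall-drop.sh was run, host blocked"),
    ("firewall-drop.sh", "delete"): (100002, 3, "Active response firewall-drop.sh was run, host unblocked"),
    ("host-deny.sh", "add"):        (100003, 3, "Active response host-deny.sh was run, host added to hosts.deny"),
    ("host-deny.sh", "delete"):     (100004, 3, "Active response host-deny.sh was run, host removed from hosts.deny"),
}

# Assumption: stock ossec.conf only emails alerts of level >= 7 unless the rule
# carries <options>alert_by_email</options>; the rules above are level 3.
EMAIL_ALERT_LEVEL = 7

def decode(line):
    """Apply the decoder: return {action, status, srcip, id} or None when the line does not match."""
    m = AR_LINE.match(line.strip())
    return m.groupdict() if m else None

def match_rule(fields, alert_by_email=False):
    """Match decoded fields against RULES; return (id, level, description, would_email) or None."""
    rule = RULES.get((fields["action"], fields["status"]))
    if rule is None:
        return None
    rule_id, level, desc = rule
    return rule_id, level, desc, (level >= EMAIL_ALERT_LEVEL or alert_by_email)

# Two lines from the decoder comment plus two constructed ones (single-digit day; unrelated syslog).
SAMPLE_LOG = [
    "Sat Feb 20 01:37:44 CET 2010 /var/ossec/active-response/bin/host-deny.sh add - 192.168.74.204 1266626262.2106252 5706",
    "Thu Aug 19 02:43:24 EDT 2010 /var/ossec/active-response/bin/firewall-drop.sh delete - 110.136.162.142 1282196514.748326 30118",
    "Thu Aug  5 09:01:02 EDT 2010 /var/ossec/active-response/bin/firewall-drop.sh add - 10.0.0.7 1281013262.1 4242",
    "Aug 19 02:43:24 host ossec: unrelated syslog line",
]

if __name__ == "__main__":
    for line in SAMPLE_LOG:
        fields = decode(line)
        print(fields, match_rule(fields) if fields else "no decoder match")
```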
I believe you'd need to add the alert_by_email option to all rules.