Re: [ossec-list] Active response responding to other agent's alerts?


dan (ddp)

Nov 8, 2012, 3:45:17 PM
to ossec...@googlegroups.com
On Thu, Nov 8, 2012 at 3:39 PM, CTech <chroma...@gmail.com> wrote:
> I have ossec agents running on several machines, but only one of them
> ("agent 001") is set in the server's ossec.config to allow active response.
> The <active-response> section in my server's ossec.config is pasted at the
> bottom of this message, since someone is sure to ask for it otherwise.
>
> This appeared to have been working fine. However, recently "agent 001" began
> blocking traffic from "agent 002." I was able to quickly resolve this by
> adding a <white_list> entry. When I started looking at logs to find out
> exactly what rule "agent 002" had triggered, I found that "agent 002" was
> nowhere in ossec's alert or active-response logs as a source IP sending
> traffic to "agent 001." Where "agent 002" did appear in the logs, having
> triggered an alert, it was because a problem in apache on that server had
> caused it to appear to be attacking itself, triggering a level 6 rule
> multiple times.
>
> So here is my question: Am I missing something, or is active response,
> although firing only on "agent 001," responding to alerts generated on
> "agent 002"? Having "agent 002" whitelisted should prevent today's problem,
> but I don't want iptables on "agent 001" blocking addresses that don't need
> to be blocked. I will greatly appreciate any clarity you can offer.
>
> <active-response>
> <disabled>no</disabled>
> <command>firewall-drop</command>
> <location>defined-agent</location>
> <agent_id>001</agent_id>
> <level>6</level>
> <timeout>600</timeout>
> </active-response>

agent001 could very well be adding blocks based on alerts from agent002.
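An added illustration (not part of the thread and not OSSEC's own code) of why that happens: a simplified Python model of the dispatch dan describes, fed the exact <active-response> block quoted above. With <location>defined-agent</location> the command always runs on <agent_id>, whichever agent raised the alert; the poster's <white_list> workaround and OSSEC's optional <rules_id> filter are modelled too. Agent ids, IPs and rule ids in the sample alerts are constructed.

```python
# Added example, not OSSEC's own code: a simplified model of how one
# <active-response> block decides which agent runs a command. Sample
# agents, IPs and rule ids below are constructed for illustration.
import xml.etree.ElementTree as ET

# The <active-response> block quoted in the thread, wrapped in a root element.
CONFIG = """<ossec_config>
<active-response>
<disabled>no</disabled>
<command>firewall-drop</command>
<location>defined-agent</location>
<agent_id>001</agent_id>
<level>6</level>
<timeout>600</timeout>
</active-response>
</ossec_config>"""

# Same block plus the poster's workaround: a <white_list> entry for agent 002's IP.
WHITELISTED_CONFIG = CONFIG.replace(
    "<ossec_config>", "<ossec_config><global><white_list>10.0.0.2</white_list></global>")

ALERTS = [  # constructed alerts, as the server would raise them
    {"agent": "002", "rule_id": "99901", "level": 6, "srcip": "10.0.0.2"},    # apache on 002 "attacking" itself
    {"agent": "001", "rule_id": "99902", "level": 10, "srcip": "203.0.113.9"},  # external source hitting 001
]

def dispatch(config_xml, alerts):
    """Return (executing agent, command, srcip) for every block the alerts would cause."""
    root = ET.fromstring(config_xml)
    white = {w.text.strip() for w in root.iter("white_list")}
    actions = []
    for ar in root.iter("active-response"):
        if ar.findtext("disabled", "no").strip() == "yes":
            continue
        level = int(ar.findtext("level", "0"))
        rules = {r.strip() for r in (ar.findtext("rules_id") or "").split(",") if r.strip()}
        location = ar.findtext("location", "local").strip()
        agent_id = (ar.findtext("agent_id") or "").strip()
        for alert in alerts:
            if alert["level"] < level or alert["srcip"] in white:
                continue
            if rules and alert["rule_id"] not in rules:  # optional <rules_id> filter narrows the trigger
                continue
            # Only "local" ties the response to the agent that raised the alert;
            # "defined-agent" always runs on <agent_id>, whichever agent alerted.
            where = {"local": alert["agent"], "server": "000",
                     "defined-agent": agent_id}.get(location, "all")
            actions.append((where, ar.findtext("command").strip(), alert["srcip"]))
    return actions
```

Calling dispatch(CONFIG, ALERTS) shows agent 001 blocking both 10.0.0.2 (agent 002) and 203.0.113.9; with WHITELISTED_CONFIG only 203.0.113.9 is blocked.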

dan (ddp)

Nov 8, 2012, 3:51:17 PM
to ossec...@googlegroups.com
On Nov 8, 2012 3:50 PM, "CTech" <chroma...@gmail.com> wrote:
>
> Thanks for such a quick response. Do you know of any way to prevent this?

No

Josmell Chavarri

Nov 10, 2017, 8:24:15 AM
to ossec-list
Hello, I'm having this same problem. Could you tell me how you solved it?

Thank you

CTech

Nov 10, 2017, 11:29:38 AM
to ossec-list
We did not solve the problem and are currently not using ossec.