Active response <expect>srcip</expect> changes whether response is executed


Glen Leeder

Feb 9, 2015, 4:26:16 AM
to ossec...@googlegroups.com
Hi,

I am using ossec 2.8.1 on Ubuntu 14.04 running locally only, no agents. I have the following local_rules.xml defined to exercise syslog monitoring:
$ sudo more /var/ossec/rules/local_rules.xml
<group name="ossectester,local">
  <rule id="100000" level="5">
    <match>OSSEC-TESTER-RULE</match>
    <description>OSSEC Test Alert</description>
  </rule>
</group>

When this rule triggers (by running 'logger "OSSEC-TESTER-RULE"'), an active response is executed due to this ossec.conf:
<command>
    <name>post2slack</name>
    <executable>ar_slack.sh</executable>
    <expect></expect>
    <timeout_allowed>no</timeout_allowed>
</command>

<active-response>
    <command>post2slack</command>
    <location>local</location>
    <level>4</level>
</active-response>

This works as expected provided I do not populate the command <expect> field. If I specify <expect>srcip</expect> the alert still triggers; however, the active response is no longer executed. The syslog entry ends up as something like:
Feb  9 19:19:53 myhostname gleeder: OSSEC-TESTER-RULE

I can't determine from the documentation whether this should work or not. myhostname resolves to 127.0.0.1 but I haven't got any white_list IPs specified anyway (my end goal is to have some white_listing, which is why I specified srcip).

Is there an implicit white_list default or another reason why specifying srcip causes the response to no longer execute?
Is <expect>srcip</expect> required for white_list to work?

Best regards,
Glen

ossec.conf

Rodrigo Montoro(Sp0oKeR)

Feb 9, 2015, 6:00:53 AM
to ossec...@googlegroups.com
Hey there,

Do you have the expect command installed?

Did you look into /var/ossec/logs/ossec.log to see if there are any errors?

Thanks

--

---
You received this message because you are subscribed to the Google Groups "ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email to ossec-list+...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

dan (ddp)

Feb 9, 2015, 8:08:11 AM
to ossec...@googlegroups.com
There is no IP in this log message to be decoded, so it makes sense
that AR won't be triggered if it expects there to be a source ip.

> I can't determine from the documentation whether this should work or not.
> myhostname resolves to 127.0.0.1 but I haven't got any white_list IPs
> specified anyway (my end goal is a to have some white_listing which is why I
> specified srcip).
>
> Is there an implicit white_list default or another reason why specifying
> srcip causes the response to no longer execute?
> Is <expect>srcip</expect> required for white_list to work?
>
> Best regards,
> Glen
>

Glen Leeder

Feb 9, 2015, 5:13:35 PM
to ossec...@googlegroups.com
Thanks Dan,

I've changed my rsyslog format to IP addresses instead of hosts and all is good.

Do you know whether the <white_list> directive requires that <expect>srcip</expect> is specified or will it work without that?

Glen

Glen Leeder

Feb 9, 2015, 6:12:10 PM
to ossec...@googlegroups.com
In case anyone is interested, my testing showed <expect>srcip</expect> is required for white_list to work and prevent active-responses being called if a particular host is responsible.

I have been able to massage ossec.conf to operate as required for my scenario by defining two commands (one that expects srcip and one that doesn't) and then defining active-responses based upon rules_group, rule_ids etc.

Thanks for the help and clarifications on <expect>.
Glen
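An added configuration example (not from the thread and not OSSEC project code) of the two-command arrangement Glen describes: the same script registered once with <expect>srcip</expect> and once without, each bound to different rules. The white_list addresses and the post2slack-srcip name are constructed; the rule group authentication_failed is assumed to exist in the stock ruleset. OSSEC only consults <white_list> for a command that expects srcip, so the plain post2slack binding fires for every matching alert regardless of origin, while the srcip-expecting one is skipped for whitelisted addresses and for any alert whose decoder produced no srcip at all.

```xml
<ossec_config>
  <global>
    <!-- Only honoured by active responses whose command expects srcip.
         Addresses are constructed for this example. -->
    <white_list>127.0.0.1</white_list>
    <white_list>192.168.1.10</white_list>
  </global>

  <!-- Command 1: no expectation, runs for any alert that matches -->
  <command>
    <name>post2slack</name>
    <executable>ar_slack.sh</executable>
    <expect></expect>
    <timeout_allowed>no</timeout_allowed>
  </command>

  <!-- Command 2 (assumed name): same script, but only runs when the
       alert carries a decoded srcip that is not in the white_list -->
  <command>
    <name>post2slack-srcip</name>
    <executable>ar_slack.sh</executable>
    <expect>srcip</expect>
    <timeout_allowed>no</timeout_allowed>
  </command>

  <!-- Logs like "OSSEC-TESTER-RULE" carry no IP to decode: bind the
       no-expect command by rule group, no whitelisting possible here -->
  <active-response>
    <command>post2slack</command>
    <location>local</location>
    <rules_group>ossectester</rules_group>
  </active-response>

  <!-- Logs whose decoder fills srcip (e.g. the stock sshd decoders feeding
       the authentication_failed group): whitelisted sources are skipped -->
  <active-response>
    <command>post2slack-srcip</command>
    <location>local</location>
    <rules_group>authentication_failed</rules_group>
  </active-response>
</ossec_config>
```

A quick check after restarting OSSEC: run a line from each class through /var/ossec/bin/ossec-logtest and confirm that the sshd sample shows a decoded srcip while the logger sample does not; only the former can ever reach the post2slack-srcip response.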

dan (ddp)

Feb 10, 2015, 7:24:14 AM
to ossec...@googlegroups.com
On Mon, Feb 9, 2015 at 5:13 PM, Glen Leeder <glen....@gmail.com> wrote:
> Thanks Dan,
>
> I've changed my rsyslog format to IP addresses instead of hosts and all is
> good.
>

I can't be sure, but it seems like you're confused. The log message:
Feb 9 19:19:53 myhostname gleeder: OSSEC-TESTER-RULE
does not contain a srcip. This one does not either:
Feb 9 19:19:53 192.168.1.1 gleeder: OSSEC-TESTER-RULE

So if your AR expects a srcip, these log messages will not trigger it.


> Do you know whether the <white_list> directive requires that
> <expect>srcip</expect> is specified or will it work without that?
>

If there is no srcip in the log message, there is nothing that would
be affected by the whitelist.

Ben

Sep 24, 2015, 5:44:21 PM
to ossec-list
Glen,

Any advice on changing the rsyslog format from hostname to IP addresses? I am running on CentOS 6.5, and want to change the log hostname to an IP address so I can pass the variable to the AR command; then I will get to your same problem :-) Thanks.

Glen Leeder

Sep 27, 2015, 6:23:10 AM
to ossec...@googlegroups.com
Hi Ben,

It's been a while since I messed with this but I eventually got the desired result performing whitelisting against the hostname in the active response itself rather than using ossec whitelisting directly. In some instances, I didn't have control over setting rsyslog to IP rather than host, so I have rules that don't <expect> the srcIP but still perform whitelisting based on what a hostname resolves to (via nslookup). The following function is part of a set of common bash functions that is sourced each time an active response is invoked; I can then call this and perform active-response-based white listing on hostnames:

# usage: checkWhitelist <srcip>
# Exits the active response early when the given IP appears in any
# <white_list> entry of ossec.conf; does nothing when no IP was passed.
checkWhitelist()
{
    if [ "$1" != "" ]; then
        # Pull the text between <white_list> and </white_list> for each entry
        WHITE_LIST=$(grep "white_list" /var/ossec/etc/ossec.conf | \
                     cut -d">" -f2 | cut -d"<" -f1)
        for ip in $WHITE_LIST; do
            if [ "$1" = "$ip" ]; then
                echo "checkWhitelist: IP is white listed, exiting"
                exit 0
            fi
        done
    fi
}

Probably not the most efficient way to do it, but it gave me the flexibility to handle syslog messages that contain hostnames. May not be what you wanted but it worked for me.

Cheers,

Glen



dan (ddp)

Sep 28, 2015, 8:38:19 AM
to ossec...@googlegroups.com
On Thu, Sep 24, 2015 at 5:18 PM, Ben <ben...@gmail.com> wrote:
> Glen,
>
> Any advice on changing rsyslog format from hostname to IP addresses? I am
> running on CentOS 6.5, and wanting to change the log hostname to IP address,
> so I can pass the variable to AR command, then I will get to your same
> problem:-) Thanks.
>

The syslog host (in the syslog header) isn't part of the "log message"
that OSSEC investigates, and won't be used in AR.

Ben

Oct 2, 2015, 9:56:42 PM
to ossec-list
Thanks Glen and Dan. I was able to change the rsyslog format to include the IP address, have a custom decoder extract the srcip from the log message (not from the log message header), then use AR to do an agentless file integrity check.

I wanted to do an agentless file integrity check whenever a machine is restarted, so I have a logger statement in rc.d to send to the central rsyslog server, which has the agent on it. If it detects "system restarted from 1.2.3.4" then AR will use the agentless script to do the file integrity check. Did lots of ossec-logtest and it seems to work now.
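To make concrete the point in Dan's replies (the syslog header host is discarded before decoding, so srcip has to come from the message body) and the decoder Ben describes in his last message, here is an added example, not from the thread and not OSSEC project code. The decoder name host-restart, rule id 100010, the restart-check command and script name, and the log line "system restarted from 1.2.3.4" are all constructed for illustration; the file paths are the usual OSSEC 2.8 locations and are assumptions.

```xml
<!-- /var/ossec/etc/local_decoder.xml (assumed path)
     Matches the message body after the syslog header and program name
     have been stripped, e.g. from:
       Oct  2 21:00:00 myhostname root: system restarted from 1.2.3.4
     the decoder sees only "system restarted from 1.2.3.4". -->
<decoder name="host-restart">
  <prematch>^system restarted from </prematch>
  <regex offset="after_prematch">^(\d+.\d+.\d+.\d+)</regex>
  <order>srcip</order>
</decoder>

<!-- /var/ossec/rules/local_rules.xml: a rule keyed on that decoder -->
<group name="local,host-restart">
  <rule id="100010" level="5">
    <decoded_as>host-restart</decoded_as>
    <description>Host restarted; srcip taken from the message body</description>
  </rule>
</group>

<!-- /var/ossec/etc/ossec.conf: the response now legitimately expects srcip,
     so white_list entries are honoured and an alert with no decoded
     srcip (e.g. the bare OSSEC-TESTER-RULE line) never runs the script -->
<command>
  <name>restart-check</name>
  <executable>restart-check.sh</executable>
  <expect>srcip</expect>
  <timeout_allowed>no</timeout_allowed>
</command>

<active-response>
  <command>restart-check</command>
  <location>local</location>
  <rules_id>100010</rules_id>
</active-response>
```

To verify, paste the constructed line into /var/ossec/bin/ossec-logtest: the phase 2 output should show decoder host-restart with srcip '1.2.3.4', and phase 3 should match rule 100010. Change only the hostname in the syslog header and nothing changes, which is exactly why rewriting rsyslog's hostname field to an IP did not help on its own. The script receives the decoded address as its third argument ($3, after the action and user), which is where Glen's checkWhitelist-style check belongs if you also want hostname-based exclusions.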