Active Response Rules


Steve Wieczorek

Sep 16, 2009, 1:00:11 PM
to osse...@ossec.net

Hi,

I am running a web server, and have OSSEC running on it. I am trying to create an active response rule/action to run the host-deny script if OSSEC receives any alerts from rule 2502 (User missed the password more than one time). I put the following in my ossec.conf:

 

  <command>
    <name>host-deny</name>
    <executable>host-deny.sh</executable>
    <expect>srcip</expect>
    <timeout_allowed>yes</timeout_allowed>
  </command>

  <active-response>
    <disabled>no</disabled>
    <command>host-deny</command>
    <location>local</location>
    <rules_id>2502</rules_id>
    <timeout>60</timeout>
  </active-response>

 

I restart OSSEC, and watch the active response log, and I run a simulated attack against the server. It shows up in my alerts.log as a 2502 rule, but doesn’t show up in the active response log, or end up denying the host like I was looking for. Is there something wrong with my syntax? I would appreciate any help you can give me. I saw your post, and thought hopefully you could help me.

 

Thank you,

Steve

Suyash Jain

Sep 18, 2009, 11:26:22 PM
to osse...@googlegroups.com, osse...@ossec.net
Dear Steve,

Check whether host-deny.sh has executable permission, and try server in place of local.

Regards

Suyash

Suyash Jain

Sep 19, 2009, 12:11:58 AM
to osse...@googlegroups.com, osse...@ossec.net
Dear Steve,

You need to make sure of the following things.

Location -> If your web server is on the same machine as the OSSEC server, then location can be server or local (both work); otherwise specify defined-agent and add the agent_id.

Check whether host-deny.sh is in <ossec home>/active-response/bin/.

MAKE SURE THIS CONFIGURATION IS DONE ON SERVER CONFIGURATION FILE "NOT AGENT FILE"


For example, I am running OSSEC on my web server itself, and if the "File does not exist" alert, no. 30112, comes, it will execute host-deny.

  <active-response>
    <disabled>no</disabled>
    <command>host-deny</command>
    <location>server</location>
    <level>5</level>
    <rules_id>30112</rules_id>
    <timeout>60</timeout>
  </active-response>

  <active-response>
    <disabled>no</disabled>
    <command>host-deny</command>
    <location>local</location>
    <rules_id>30112</rules_id>
    <timeout>60</timeout>
  </active-response>

This also works.

  <active-response>
    <disabled>no</disabled>
    <command>host-deny</command>
    <location>defined-agent</location>
    <agent_id>0001</agent_id>
    <rules_id>30112</rules_id>
    <timeout>60</timeout>
  </active-response>


http://www.ossec.net/main/manual/manual-active-responses/



Regards

Suyash
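
The following is an added example for this thread, not OSSEC's own code and not something either poster supplied: a POSIX shell pre-flight check that walks the checklist from the replies above against a copy of the configuration from the question. It assumes the one-element-per-line config layout shown in the thread (the awk is not a general XML parser) and the standard <ossec home>/etc/ossec.conf and <ossec home>/active-response/bin/ layout; the OSSEC tree it inspects is a constructed throwaway fixture so it runs offline. What the config alone cannot tell you (that the block lives in the server's ossec.conf rather than an agent's, and what ossec-execd wrote to logs/active-responses.log) it only reminds you to check.

```shell
#!/bin/sh
# Pre-flight check for an OSSEC active response, written for this thread as an
# added example; it is not OSSEC's own code. It turns the replies' checklist
# into tests against a server-side ossec.conf:
#   1. the <command> that <active-response> refers to is actually defined
#   2. its <executable> is present under <ossec home>/active-response/bin/
#      and carries the executable bit
#   3. an enabled <active-response> block ties that command to the rule id
#      you expect (2502 in the original question)
# Assumptions: the one-element-per-line config layout used in the thread (the
# awk below is not a general XML parser) and the standard /var/ossec layout.
# The fixture further down is constructed here so the script runs offline.

# Print the <executable> of the <command> block whose <name> is $2, in conf $1.
ar_command_executable() {
    awk -v want="$2" '
        /^[[:space:]]*<command>[[:space:]]*$/ { incmd = 1; name = ""; exe = "" }
        incmd && /<name>/       { gsub(/.*<name>|<\/name>.*/, "");             name = $0 }
        incmd && /<executable>/ { gsub(/.*<executable>|<\/executable>.*/, ""); exe = $0 }
        /<\/command>/ { if (incmd && name == want) { print exe; found = 1 } incmd = 0 }
        END { exit found ? 0 : 1 }
    ' "$1"
}

# Print the <rules_id> of the enabled <active-response> block that uses command $2.
ar_rules_id() {
    awk -v want="$2" '
        /<active-response>/  { inar = 1; cmd = ""; rid = ""; off = 0 }
        inar && /<command>/  { gsub(/.*<command>|<\/command>.*/, "");   cmd = $0 }
        inar && /<rules_id>/ { gsub(/.*<rules_id>|<\/rules_id>.*/, ""); rid = $0 }
        inar && /<disabled>[[:space:]]*yes/ { off = 1 }
        /<\/active-response>/ { if (inar && cmd == want && !off) { print rid; found = 1 } inar = 0 }
        END { exit found ? 0 : 1 }
    ' "$1"
}

# Run the checklist for OSSEC home $1, command name $2, expected rule id $3.
# Prints one line per finding; returns 0 only when every check passes.
ar_preflight() {
    ar_home=$1; ar_cmd=$2; ar_conf="$1/etc/ossec.conf"; ar_rc=0
    ar_exe=$(ar_command_executable "$ar_conf" "$ar_cmd") ||
        { echo "FAIL: no <command> named $ar_cmd in $ar_conf"; return 1; }
    ar_script="$ar_home/active-response/bin/$ar_exe"
    if [ -x "$ar_script" ]; then echo "ok:   $ar_script is executable"
    else echo "FAIL: $ar_script is missing or not executable (chmod 750 it)"; ar_rc=1; fi
    ar_rid=$(ar_rules_id "$ar_conf" "$ar_cmd") ||
        { echo "FAIL: no enabled <active-response> block uses $ar_cmd"; return 1; }
    if [ "$ar_rid" = "$3" ]; then echo "ok:   $ar_cmd is tied to rule $ar_rid"
    else echo "FAIL: $ar_cmd is tied to rule '$ar_rid', not $3"; ar_rc=1; fi
    return $ar_rc
}

# Constructed fixture: a throwaway tree holding the config from the question.
# "$1" = good installs host-deny.sh with the executable bit; anything else
# leaves it mode 644, which is the first reply's suspicion.
make_fixture() {
    fx=$(mktemp -d "${TMPDIR:-/tmp}/ossec-ar.XXXXXX")
    mkdir -p "$fx/etc" "$fx/active-response/bin" "$fx/logs"
    cat > "$fx/etc/ossec.conf" <<'EOF'
<ossec_config>
  <command>
    <name>host-deny</name>
    <executable>host-deny.sh</executable>
    <expect>srcip</expect>
    <timeout_allowed>yes</timeout_allowed>
  </command>
  <active-response>
    <disabled>no</disabled>
    <command>host-deny</command>
    <location>local</location>
    <rules_id>2502</rules_id>
    <timeout>60</timeout>
  </active-response>
</ossec_config>
EOF
    printf '#!/bin/sh\nexit 0\n' > "$fx/active-response/bin/host-deny.sh"
    chmod 644 "$fx/active-response/bin/host-deny.sh"
    if [ "$1" = good ]; then chmod 750 "$fx/active-response/bin/host-deny.sh"; fi
    echo "$fx"
}

# Demo: the question's config with the script first left non-executable, then fixed.
BAD=$(make_fixture bad)
ar_preflight "$BAD" host-deny 2502 || echo "-> fix the FAIL lines, restart OSSEC, retest"
GOOD=$(make_fixture good)
ar_preflight "$GOOD" host-deny 2502 &&
    echo "-> looks right; if it still does not fire, make sure this block is in the" \
         "SERVER's ossec.conf and tail <ossec home>/logs/active-responses.log"
rm -rf "$BAD" "$GOOD"
```

Run it with sh; it prints one ok/FAIL line per check, first for the fixture with host-deny.sh left mode 644 and then with the bit set. To check a live install, call ar_preflight /var/ossec host-deny 2502 (or whatever command name and rule id your block uses) on the server, not on an agent.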
