Binding IP to OSSEC


Al Cloman

Nov 3, 2009, 5:25:22 PM
to ossec-list
We are using a VIP client for failover. Is there a way to bind the
OSSEC.conf file to an IP address? I have searched and seen the
following:

http://www.ossec.net/main/manual/configuration-options/

However, this shows the ip option. Is there any way to do this?


OSSEC SERVER (primary) - 192.168.152.3
OSSEC SERVER (backup) - 192.168.152.2
VIP CLIENT - 192.168.152.1

We point everything at x.x.152.1 and it bounces to the primary or
the backup if the primary is down.

Martin West

Nov 5, 2009, 6:57:20 AM
to ossec...@googlegroups.com

I looked for a way to selectively get diffs when "Integrity checksum changed" fires.

The only way I can see at the moment is to use the ssh agentless ssh_generic_diff feature on the box itself.

Is there another way?

Thanks, Martin West


dan (ddp)

Nov 5, 2009, 7:54:00 AM
to ossec...@googlegroups.com
I've been playing a bit with active response to get diffs. I store most
config files in a cvs repository (although svn and git would work well
also). My script finds the file that changed, copies it to a checkout
of the repo and does a diff.
I haven't messed with it in a while though due to time constraints.

Daniel Cid

Nov 5, 2009, 11:02:41 AM
to ossec...@googlegroups.com
Hey,

Did you try the <local_ip> option? If you want OSSEC to only bind to
the 192.168.152.1 IP, just add:

<remote>
<connection>secure</connection>
<local_ip>192.168.152.1</local_ip>
</remote>


Thanks,

--
Daniel B. Cid
dcid ( at ) ossec.net

Martin West

Nov 5, 2009, 11:14:31 AM
to ossec...@googlegroups.com
K, how do you hook in the script?

Martin West
skype:amartinwest

dan (ddp)

Nov 7, 2009, 7:46:47 AM
to ossec...@googlegroups.com
I basically setup an active response in the server's ossec.conf to fire
on the file integrity rules.
The script would figure out which file probably changed, update its
checkout of the cvs tree, run the diff and email it to me. The hardest
part was figuring out which file changed, since I don't think that
info got passed as an argument to the script (PLEASE show me the error
of my ways if I am wrong).
I got lost in some of the details and lost the time to work on it, so
it never made it to "production."
Hope that helps. I don't have access to the setup right now or I'd
pass an example on.
dan

Martin West

Nov 7, 2009, 12:43:39 PM
to ossec...@googlegroups.com
Thanks, that's a good lead. I'll investigate and if I get anywhere I'll
post the results.

Martin West
skype:amartinwest

Martin West

Nov 8, 2009, 3:26:33 PM
to ossec...@googlegroups.com
Here is a solution. One thing I was not sure about was that sometimes you get "ignoring" on a third event; I wasn't sure how to defeat this.


How to add an active response to OSSEC to get diffs when the "Integrity checksum changed" rules 550/1/2 fire.

To install, create diff-alert.sh and diff-alert-filename.awk in /var/ossec/active-response/bin.

Add the ossec.conf fragments to /var/ossec/etc/ossec.conf.

This implementation uses a simple directory structure under /var/ossec/etc/diff-checks
to determine whether a file should be diffed.

Create /var/ossec/etc/diff-checks.

Under this directory create the full paths of the files to be checked, i.e.

mkdir -p /var/ossec/etc/diff-checks/etc/awstats
touch /var/ossec/etc/diff-checks/etc/awstats/awstats.objectgizmos.com.conf

Using touch means you get a full diff on first change, alternatively you
can just copy the file of interest into diff-checks.

Restart OSSEC:

/var/ossec/bin/ossec-control restart

---- Main script /var/ossec/active-response/bin/diff-alert.sh
#!/bin/bash
# E-mails an alert showing a diff of selected files
#
# Author: Martin West, based on Daniel Cid's mail-test.sh

# Set to root and use /etc/aliases to redirect root as needed.
MAILADDRESS="root"
ACTION=$1
USER=$2
IP=$3
ALERTID=$4
RULEID=$5

BINDIR=`dirname "$0"`
cd "$BINDIR"
BINDIR=`pwd`

cd ../..
OSSEC_DIR=`pwd`

# Sample alert block as it appears in alerts.log:
#** Alert 1257620885.280781: mail  - ossec,syscheck,
#2009 Nov 07 19:08:05 lenovo2->syscheck
#Rule: 551 (level 7) -> 'Integrity checksum changed again (2nd time).'
#Src IP: (none)
#User: (none)
#Integrity checksum changed for: '/etc/awstats/awstats.objectgizmos.com.conf'

if [ "$ACTION" = TEST ]; then
  ALERTID="1257620885.280781"
  LOGFILE=${BINDIR}/test.log
else
  LOGFILE=${OSSEC_DIR}/logs/alerts/alerts.log
fi

# Get alert prefix (the part of the alert id before the dot)
ALERTTIME=`echo "$ALERTID" | cut -d "." -f 1`

# Get alert suffix (the part of the alert id after the dot)
ALERTLAST=`echo "$ALERTID" | cut -d "." -f 2`

# Pattern for the full alert id, with the dot escaped so grep matches it literally
GREPARG="$ALERTTIME\.$ALERTLAST"

# The awk program lives in a file to avoid complications with single quotes
FILENAME=`grep -A 10 "$GREPARG" "$LOGFILE" | grep "Integrity checksum changed for:" | awk -f "${BINDIR}/diff-alert-filename.awk"`

if [ "$ACTION" = TEST ]; then
    echo "$FILENAME"
fi

DIFF_ROOT_DIR="${OSSEC_DIR}/etc/diff-checks"

# Only files that have a baseline copy under diff-checks are diffed;
# ${FILENAME:1} drops the leading "/" so the full path is mirrored under the root
if [ -f "${DIFF_ROOT_DIR}/${FILENAME:1}" ]; then
   # Logging the call
   echo "`date` $0 $1 $2 $3 $4 $5 $6 $7 $8 $FILENAME" >> "${OSSEC_DIR}/logs/active-responses.log"
   if [ "$ACTION" = TEST ]; then
     DIFF_OUTPUT=`diff -s "$FILENAME" "${DIFF_ROOT_DIR}/${FILENAME:1}"`
     echo "$DIFF_OUTPUT"
   fi
   SUBJECT="OSSEC Alert ${FILENAME} diff"
   diff -s "$FILENAME" "${DIFF_ROOT_DIR}/${FILENAME:1}" | mail -s "$SUBJECT" "$MAILADDRESS"
   # Refresh the baseline, keeping the previous copy as a numbered backup
   cp --backup=t "$FILENAME" "${DIFF_ROOT_DIR}/${FILENAME:1}"
else
   logger "$0 $FILENAME not found in ${DIFF_ROOT_DIR}/${FILENAME:1}"
   if [ "$ACTION" = TEST ]; then
     echo "not found ${DIFF_ROOT_DIR}/${FILENAME:1}"
   fi
fi


---- awk script /var/ossec/active-response/bin/diff-alert-filename.awk

BEGIN { FS = "[ :']+" } ; { print $5 }

---- /var/ossec/etc/ossec.conf

  <command>
    <name>diff-alert</name>
    <executable>diff-alert.sh</executable>
    <expect/>
    <timeout_allowed>no</timeout_allowed>
  </command>

  <active-response>
    <command>diff-alert</command>
    <location>server</location>
    <rules_id>550,551,552</rules_id>
  </active-response>

Martin West
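As an added example, not part of the thread and not OSSEC's own code: the two fragile steps of the script above (pulling the changed path out of alerts.log for one alert id, and checking it against the diff-checks tree) rewritten in portable sh, with the path validated before it is used and paths containing spaces preserved, plus the diff-and-refresh tail. The directory layout is the one Martin describes; the sample alerts.log is constructed from his test fixture plus one made-up alert, and the function names are mine.

```shell
#!/bin/sh
# Added example (not from the thread): portable replacements for the
# filename extraction, allow-list check and baseline refresh in diff-alert.sh.
# The diff-checks layout (/var/ossec/etc/diff-checks/<full path>) is Martin's;
# function names and the sample log are constructed for this example.

# Print the path from the "Integrity checksum changed for:" line of the alert
# whose id is $2 in the alerts.log given as $1. Only lines inside that alert's
# block (its header up to the next blank line) are considered, and the path is
# taken from between the single quotes, so paths with spaces survive intact.
ossec_alert_file() {
    awk -v id="$2" -v q="'" '
        $1 == "**" && $2 == "Alert" && $3 == (id ":") { inblock = 1; next }
        inblock && /^$/ { exit }
        inblock && index($0, "Integrity checksum changed for: ") == 1 {
            n = split($0, parts, q)
            if (n >= 3) print parts[2]
            exit
        }' "$1"
}

# Succeed only when $2 is an absolute, traversal-free path with a baseline copy
# under the diff-checks root $1. The path came out of a log line, so it is
# validated before it is joined to the root or handed to diff/cp.
diff_check_wanted() {
    case $2 in
        /*) ;;
        *) return 1 ;;
    esac
    case $2 in
        *../*|*/..) return 1 ;;
    esac
    [ -f "$1/${2#/}" ]
}

# Print a unified diff of the live file $2 against its baseline under $1, then
# refresh the baseline, keeping the old copy as <baseline>.<epoch seconds>.
# Returns diff's own status: 0 identical, 1 different, 2 on error.
diff_and_refresh() {
    base=$1/${2#/}
    diff -u "$base" "$2" && rc=0 || rc=$?
    cp -p "$base" "$base.$(date +%s)"
    cp -p "$2" "$base"
    return "$rc"
}

# Write a constructed alerts.log (first block copied from Martin's fixture,
# second made up with a space in the path) and print its location.
make_sample_log() {
    log=$(mktemp)
    cat > "$log" <<'EOF'
** Alert 1257620885.280781: mail  - ossec,syscheck,
2009 Nov 07 19:08:05 lenovo2->syscheck
Rule: 551 (level 7) -> 'Integrity checksum changed again (2nd time).'
Src IP: (none)
User: (none)
Integrity checksum changed for: '/etc/awstats/awstats.objectgizmos.com.conf'

** Alert 1257620901.281000: mail  - ossec,syscheck,
2009 Nov 07 19:08:21 lenovo2->syscheck
Rule: 550 (level 7) -> 'Integrity checksum changed.'
Src IP: (none)
User: (none)
Integrity checksum changed for: '/etc/with space/app.conf'
EOF
    echo "$log"
}
```

Inside an active-response script, `ossec_alert_file /var/ossec/logs/alerts/alerts.log "$4"` stands in for the grep/awk pipeline, `diff_check_wanted` for the `-f` test, and `diff_and_refresh` for the diff/cp tail; its output can be piped to mail exactly as the original does. The block-scoped awk matters because `grep -A 10` on a busy alerts.log can run into the next syscheck alert and pick up the wrong path.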