Active response is not working


ba...@x-cart.com

Feb 23, 2016, 5:21:13 AM
to ossec-list
Why is active-response not working?
I receive the email notification, but the active response has not started.
What may have caused the problem?

#etc/shared/ar.conf:
restart-ossec0 - restart-ossec.sh - 0
restart-ossec0 - restart-ossec.cmd - 0
testar0 - testar.sh - 0
slack0 - slack.py - 0


#alert.log
** Alert 1456222573.17132: mail  - syslog,sshdauthentication_success,
2016 Feb 23 05:16:13 serv-10244->/var/log/secure
Rule: 5715 (level 7) -> 'SSHD authentication success.'
Src IP: 104.131.225.112
User: root
Feb 23 05:16:12 serv-10244 sshd[16530]: Accepted password for root from 104.131.225.112 port 47280 ssh2

#ossec.conf
  <command>
    <name>testar</name>
    <expect></expect>
    <executable>testar.sh</executable>
  </command>

  <command>
    <name>slack</name>
    <expect>user,srcip</expect>
    <executable>slack.py</executable>
  </command>

  <active-response>
    <command>testar</command>
    <location>local</location>
    <rules_id>5715,11309</rules_id>
  </active-response>


  <active-response>
    <command>slack</command>
    <location>local</location>
    <rules_id>5715,11309</rules_id>
  </active-response>


#ossec.log:
2016/02/23 05:11:04 ossec-monitord(1225): INFO: SIGNAL Received. Exit Cleaning...
2016/02/23 05:11:04 ossec-logcollector(1225): INFO: SIGNAL Received. Exit Cleaning...
2016/02/23 05:11:04 ossec-remoted(1225): INFO: SIGNAL Received. Exit Cleaning...
2016/02/23 05:11:04 ossec-syscheckd(1225): INFO: SIGNAL Received. Exit Cleaning...
2016/02/23 05:11:04 ossec-analysisd(1225): INFO: SIGNAL Received. Exit Cleaning...
2016/02/23 05:11:04 ossec-maild(1225): INFO: SIGNAL Received. Exit Cleaning...
2016/02/23 05:11:04 ossec-execd(1314): INFO: Shutdown received. Deleting responses.
2016/02/23 05:11:04 ossec-execd(1225): INFO: SIGNAL Received. Exit Cleaning...
2016/02/23 05:11:14 ossec-testrule: INFO: Reading local decoder file.
2016/02/23 05:11:14 ossec-testrule: INFO: Started (pid: 15157).
2016/02/23 05:11:14 ossec-maild: INFO: Started (pid: 15176).
2016/02/23 05:11:15 ossec-execd: INFO: Started (pid: 15180).
2016/02/23 05:11:15 ossec-analysisd: INFO: Reading local decoder file.
2016/02/23 05:11:15 ossec-analysisd: INFO: Reading rules file: 'sshd_rules.xml'
2016/02/23 05:11:15 ossec-remoted: INFO: Started (pid: 15192).
2016/02/23 05:11:15 ossec-rootcheck: System audit file not configured.
2016/02/23 05:11:15 ossec-remoted: INFO: Started (pid: 15193).
2016/02/23 05:11:15 ossec-analysisd: INFO: Reading rules file: 'local_rules.xml'
2016/02/23 05:11:15 ossec-analysisd: INFO: Total rules enabled: '1258'
2016/02/23 05:11:15 ossec-analysisd: INFO: Started (pid: 15184).
2016/02/23 05:11:16 ossec-monitord: INFO: Started (pid: 15219).
2016/02/23 05:11:16 ossec-remoted(4111): INFO: Maximum number of agents allowed: '256'.
2016/02/23 05:11:16 ossec-remoted(1410): INFO: Reading authentication keys file.
2016/02/23 05:11:16 ossec-remoted: INFO: No previous counter available for 'local'.
2016/02/23 05:11:16 ossec-remoted: INFO: Assigning counter for agent local: '0:0'.
2016/02/23 05:11:16 ossec-remoted: INFO: No previous sender counter.
2016/02/23 05:11:16 ossec-remoted: INFO: Assigning sender counter: 0:0
2016/02/23 05:11:21 ossec-logcollector(1950): INFO: Analyzing file: '/var/log/messages'.
2016/02/23 05:11:21 ossec-logcollector(1950): INFO: Analyzing file: '/var/log/secure'.
2016/02/23 05:11:21 ossec-logcollector: INFO: Started (pid: 15188).
2016/02/23 05:11:22 ossec-syscheckd: INFO: Started (pid: 15215).
2016/02/23 05:11:22 ossec-rootcheck: INFO: Started (pid: 15215).
2016/02/23 05:11:22 ossec-syscheckd: INFO: Monitoring directory: '/home/woodwork/public_html'.


# ps ax | grep ossec
15176 ?        S      0:00 /var/ossec/bin/ossec-maild
15180 ?        S      0:00 /var/ossec/bin/ossec-execd
15184 ?        S      0:00 /var/ossec/bin/ossec-analysisd
15188 ?        S      0:00 /var/ossec/bin/ossec-logcollector
15193 ?        Sl     0:00 /var/ossec/bin/ossec-remoted
15215 ?        S      0:00 /var/ossec/bin/ossec-syscheckd
15219 ?        S      0:00 /var/ossec/bin/ossec-monitord

Pedro S

Feb 23, 2016, 6:55:38 AM
to ossec-list
Hi,

The daemon in charge of executing active-response scripts is "ossec-execd". I think your conf is good; active-response should be active and working. Try to force some response and check active-response.log.

Check ossec.log for entries like:

2016/02/23 03:48:19 ossec-analysisd: INFO: 2 IPs in the white list for active response.
2016/02/23 03:48:19 ossec-analysisd: INFO: 1 Hostname(s) in the white list for active response.



If you really want to check if active-response is active, try this:

Enable debug mode:
/var/ossec/bin/ossec-control enable debug

Restart OSSEC and check for line:

2016/02/23 11:40:57 ossec-analysisd: DEBUG: Active response initialized ...

The scripts should be placed on /var/ossec/active-response/bin with execution permissions.

Regards,

Pedro S.

ba...@x-cart.com

Feb 23, 2016, 7:39:31 AM
to ossec-list
Now I don't have any whitelist.

#ossec.log
2016/02/23 07:18:57 ossec-analysisd: DEBUG: Active response initialized ...
2016/02/23 07:18:57 ossec-analysisd: DEBUG: Active response Init completed.

#Test active response: 
root@serv-10244 [/var/ossec/active-response/bin]# ./testar.sh action user src_ip alert_id rule_id agent_host filename
root@serv-10244 [/var/ossec/active-response/bin]# cat ../../logs/active-responses.log
Tue Feb 23 07:28:03 EST 2016 ./testar.sh action user src_ip alert_id rule_id agent_host filename 

Let's start from the beginning.
I need to execute active responses on the same server, so I ran ossec-configure and selected installation type "local" with active responses enabled "yes".
Next I added the active response:

  <command>
    <name>testar</name>
    <expect></expect>
    <executable>testar.sh</executable>
  </command>

  <active-response>
    <command>testar</command>
    <location>all</location>
    <level>6</level>
  </active-response>

But active responses are still not executed.

Pedro S

Feb 23, 2016, 8:20:45 AM
to ossec-list
I have been trying to replicate your situation; you can use either a local or a server installation, and it is working on both.

I made it work by adding <rules_id> tag into <active-response> section like this:

<active-response>
  <command>testar</command>
  <location>server</location>
  <level>6</level>
  <rules_id>yourRuleID,yourAnotherRuleID</rules_id>
</active-response>

Try to specify what rules will trigger your active response.

Remember to set the group and permissions on your script.sh.

If you need to extract srcip, don't forget to set expect in the command section:

<command>
  <name>testar</name>
  <expect>srcip</expect>
  <executable>testar.sh</executable>
</command>

Regards,

Pedro S.

Василий Романеев

Feb 23, 2016, 8:31:06 AM
to ossec...@googlegroups.com
I tried.
If I understand correctly, analysisd sends active responses to execd.
Could you please run the command lsof | grep ossec | grep queue
to compare with my output?
Thank you!

root@serv-10244 [~]# lsof | grep ossec | grep queue
ossec-exe 2797 root 5u unix 0xffff88000c3ad0c0 0t0 270573469 /var/ossec/queue/alerts/execq
ossec-ana 2803 ossec 4u unix 0xffff880093835380 0t0 270573486 /queue/ossec/queue
ossec-ana 2803 ossec 5u REG 9,1 0 8651763 /var/ossec/queue/fts/hostinfo
ossec-ana 2803 ossec 6u REG 9,1 102 8651748 /var/ossec/queue/fts/fts-queue
ossec-ana 2803 ossec 7u REG 9,1 0 8651749 /var/ossec/queue/fts/ig-queue

Pedro S

Feb 23, 2016, 11:52:41 AM
to ossec-list
Hi, 

I have exactly the same files open:

ossec-exe 43796                root    3u     unix 0xffff8801d66cfa80      0t0    1261890 /var/ossec/queue/alerts/execq
ossec-ana 43800               ossec    3u     unix 0xffff8801d66cf380      0t0    1261891 /queue/ossec/queue
ossec-ana 43800               ossec    4u      REG                8,1        0      38583 /var/ossec/queue/fts/hostinfo
ossec-ana 43800               ossec    5u      REG                8,1      114      38584 /var/ossec/queue/fts/fts-queue
ossec-ana 43800               ossec    6u      REG                8,1        0      38585 /var/ossec/queue/fts/ig-queue


If you add some agents, you will have another file open like:

ossec-rem 43375              ossecr    5u     unix 0xffff8801d674c980      0t0    1232202 /queue/alerts/ar
ossec-rem 43375              ossecr    7u      REG                8,1        0      38586 /var/ossec/queue/rids/001
ossec-rem 43375              ossecr    8u      REG                8,1        5      38587 /var/ossec/queue/rids/sender_counter

Is your active-response still not working?

Here is my full test config right now:

ossec.conf
<command>
<name>test</name>
<executable>test.sh</executable>
<expect></expect>
<timeout_allowed>no</timeout_allowed>
</command>

<active-response>
    <command>test</command>
    <location>server</location>
    <level>0</level>
    <rules_id>5501</rules_id>
</active-response>

Pedro S

Feb 23, 2016, 11:56:31 AM
to ossec-list
Sorry, I misclicked and sent the post.

test.sh (+x and root:ossec)

#!/bin/sh
# Arguments are passed positionally by ossec-execd:
# action (add/delete), user, source IP, alert id, rule id, agent, filename
ACTION=$1
USER=$2
IP=$3
ALERTID=$4
RULEID=$5

# Move from active-response/bin up to active-response; the log lives in ../logs from there
LOCAL=`dirname "$0"`
cd "$LOCAL"
cd ../
PWD=`pwd`

# Logging the call
echo "`date` $0 $1 $2 $3 $4 $5 $6 $7 $8" >> "${PWD}/../logs/active-responses.log"


active-response.log

mar feb 23 08:47:45 PST 2016 /var/ossec/active-response/bin/test.sh add - - 1456246065.10321 5501 /var/log/auth.log -
mar feb 23 08:47:49 PST 2016 /var/ossec/active-response/bin/test.sh add - - 1456246069.11280 5501 /var/log/auth.log -
mar feb 23 08:49:25 PST 2016 /var/ossec/active-response/bin/test.sh add - - 1456246165.12583 5501 /var/log/auth.log -
mar feb 23 08:49:27 PST 2016 /var/ossec/active-response/bin/test.sh add - - 1456246167.13542 5501 /var/log/auth.log -
mar feb 23 08:54:03 PST 2016 /var/ossec/active-response/bin/test.sh add - - 1456246443.14673 5501 /var/log/auth.log -
mar feb 23 08:54:05 PST 2016 /var/ossec/active-response/bin/test.sh add - - 1456246445.15632 5501 /var/log/auth.log -


I hope it helps,

Try to use a basic example like this and see if it is working.

Regards,

Pedro S.