Active Response


Bob Fudge

Sep 14, 2011, 10:47:26 AM9/14/11
to ossec...@googlegroups.com
I am hoping someone can help. For the past several weeks I have been trying to make the Active Response work on my "Local" install. I am running RedHat 5.5 and have installed OSSEC version 2.6. I am wanting the Active Response to insert the flagged IP into the iptables block list. This whole process has required me to write a decoder because the actual error message is being generated by Tectia Secure Shell. Below, I have included the changes I have made, the decoder, which is firing, and the new rules I have written. I also want to state that I am seeing the alerts in all logging, the proper emails are being generated and everything is working as expected, but no Active Response is ever attempted. It simply seems broken.

Active Response Changes in ossec.conf
==============================
<!-- Active Response Config -->
<active-response>
<!-- This response is going to execute the host-deny
- command for every event that fires a rule with
- level (severity) >= 6.
- The IP is going to be blocked for 600 seconds.
-->
<disabled>yes</disabled>
<command>host-deny</command>
<location>local</location>
<level>6</level>
<timeout>86400</timeout>
</active-response>

<active-response>
<!-- Firewall Drop response. Block the IP for
- 600 seconds on the firewall (iptables,
- ipfilter, etc).
-->
<disabled>no</disabled>
<command>firewall-drop</command>
<location>local</location>
<level>6</level>
<rules_id>11452, 200002, 200004</rules_id>
<timeout>86400</timeout>
</active-response>

Notice that I want to disable the IP from being input into hosts.deny and only want the Active Response to firewall-drop on rules 11452, 200002, and 20004.


Decoder
======
<! -- SSH2 Decoder -->
<decoder name="sshd2">
<program_name>^ssh-server-g3</program_name>
</decoder>

<decoder name="sshd-protocol">
<parent>sshd2</parent>
<prematch>Disconnect</prematch>
<regex offset="after_prematch">, Reason: Protocol error, Src: \S+, Src IP: (\S+), </regex>
<order>srcip</order>
</decoder>

<decoder name="sshd-root-invalid">
<parent>sshd2</parent>
<prematch>Username: root,</prematch>
<regex offset="after_prematch">, Reason: Protocol error, Src: \S+, Src IP: (\S+), </regex>
<order>srcip</order>
</decoder>


The actual error message entry into /var/log/messages file
===========================================
Sep 13 22:11:32 sft2 ssh-server-g3: 411 Login_failure, Username: root, Reason: Protocol error, Src IP: 117.79.92.211, Dst IFace: , Dst IP: 198.4.7.65, Src Port: 32667, Dst Port: 22, "I am sending malformed protocol packets, Remote Disconnect", Session-Id: 22184

Note: This log entry does fire my rule ids 200003 and 200004. But no Active Response is generated.

Rules
=====
<group name="syslog,sshd2,">
<rule id="200000" level="0" noalert="1">
<decoded_as>sshd2</decoded_as>
<description>SSHD2 messages grouped.</description>
</rule>

<rule id="200001" level="5">
<if_sid>200000</if_sid>
<match>malformed protocol</match>
<group>authentication_failed,</group>
<description>Possible SSHD2 DoS.</description>
</rule>

<rule id="200002" level="10" frequency="8" timeframe="360">
<if_matched_sid>200001</if_matched_sid>
<!-- <same_source_ip /> -->
<group>authentication_failures,</group>
<description>Possible SSHD2 Dos</description>
<description>(high number of malformed protocol attempts).</description>
</rule>

<rule id="200003" level="7">
<if_sid>200000</if_sid>
<match>411 Login_failure, Username: root,</match>
<!-- <group>invalid_login,</group> -->
<description>Illegal root login attempt. </description>
</rule>

<rule id="200004" level="10">
<if_sid>200003</if_sid>
<match>malformed</match>
<group>invalid_login,</group>
<description>Illegal root login. </description>
<description>Possible SSHD2 DoS.</description>
</rule>
</group>

Note: Rules 200001 and 200002 also work just fine, but there is no Active Response from rule 200002 either. As for rule 11452, it has not been altered from the install.

Please help. I know the answer is out there. I can't be the only one having this issue.


dan (ddp)

Sep 14, 2011, 10:52:37 AM9/14/11
to ossec...@googlegroups.com
On Wed, Sep 14, 2011 at 10:47 AM, Bob Fudge <bob....@one.verizon.com> wrote:
> I am hoping someone can help.  For the past several weeks I have been trying to make the Active Response work on my "Local" install.  I am running RedHat 5.5 and have installed OSSEC version 2.6.  I am wanting the Active Response to insert the flagged IP into the iptables block list.  This whole process has required me to write a decoder because the actual error message is being generated by Tectia Secure Shell.  Below, I have included the changes I have made, the decoder, which is firing, and the new rules I have written.  I also want to state that I am seeing the alerts in all logging, the proper emails are being generated and everything is working as expected, but no Active Response is ever attempted.  It simply seems broken.
>
> Active Response Changes in ossec.conf
> ==============================
>  <!-- Active Response Config -->
>  <active-response>
>    <!-- This response is going to execute the host-deny
>       - command for every event that fires a rule with
>       - level (severity) >= 6.
>       - The IP is going to be blocked for  600 seconds.
>      -->
>    <disabled>yes</disabled>

^^^^^
You've disabled AR. Remove this.

>    <command>host-deny</command>
>    <location>local</location>
>    <level>6</level>
>    <timeout>86400</timeout>
>  </active-response>
>

^^^^^^
If you don't want this, remove it.

Bob Fudge

Sep 14, 2011, 11:37:27 AM9/14/11
to ossec...@googlegroups.com
Well, that's not my understanding. Yes, I did disable the Host Deny option, but as I tried to convey, I only want Active Response for IP Drop. Is this not possible?

Jeremy Lee

Sep 14, 2011, 11:44:20 AM9/14/11
to ossec...@googlegroups.com
I went through this issue recently when I thought I could locally disable specific ARs and not others - the "<disabled>yes</disabled>" directive is global and will end up affecting *all* ARs. The best way to 'disable' ARs you don't want active is either to comment them out or remove them completely.

dan (ddp)

Sep 14, 2011, 12:10:07 PM9/14/11
to ossec...@googlegroups.com
http://www.ossec.net/doc/syntax/head_ossec_config.active-response.html#element-disabled

"Disables active response if set to yes."

It does not say:
"Disable active response command if set to yes."

Bob Fudge

Sep 14, 2011, 12:15:25 PM9/14/11
to ossec...@googlegroups.com
OK, I will try this by commenting out the host-deny one then.

Bob Fudge

Sep 14, 2011, 1:45:52 PM9/14/11
to ossec...@googlegroups.com
Well, this didn't work either. Here is the message file entry:
Sep 14 13:13:23 sft2 ssh-server-g3: 411 Login_failure, Username: root, Reason: Protocol error, Src IP: 199.180.129.188, Dst IFace: , Dst IP: 198.4.7.65, Src Port: 38660, Dst Port: 22, "I am sending malformed protocol packets, Remote Disconnect", Session-Id: 27796

Here is the alerts.log:
** Alert 1316020404.4484970: mail  - syslog,sshd2,invalid_login,
2011 Sep 14 13:13:24 sft2->/var/log/messages
Rule: 200004 (level 10) -> 'Illegal root login. Possible SSHD2 DoS.'
Sep 14 13:13:23 sft2 ssh-server-g3: 411 Login_failure, Username: root, Reason: Protocol error, Src IP: 199.180.129.188, Dst IFace: , Dst IP: 198.4.7.65, Src Port: 38660, Dst Port: 22, "I am sending malformed protocol packets, Remote Disconnect", Session-Id: 27796

And nothing from Active Response.  

Are there any other ideas?

dan (ddp)

Sep 14, 2011, 2:46:23 PM9/14/11
to ossec...@googlegroups.com
On Wed, Sep 14, 2011 at 1:45 PM, Bob Fudge <bob....@one.verizon.com> wrote:
> Well.... This didn't work either.  Here is the message file entry:
> Sep 14 13:13:23 sft2 ssh-server-g3: 411 Login_failure, Username: root,
> Reason: Protocol error, Src IP: 199.180.129.188, Dst IFace: , Dst IP:
> 198.4.7.65, Src Port: 38660, Dst Port: 22, "I am sending malformed protocol
> packets, Remote Disconnect", Session-Id: 27796
> Here is the alerts.log:
> ** Alert 1316020404.4484970: mail  - syslog,sshd2,invalid_login,
> 2011 Sep 14 13:13:24 sft2->/var/log/messages
> Rule: 200004 (level 10) -> 'Illegal root login. Possible SSHD2 DoS.'
> Sep 14 13:13:23 sft2 ssh-server-g3: 411 Login_failure, Username: root,
> Reason: Protocol error, Src IP: 199.180.129.188, Dst IFace: , Dst IP:
> 198.4.7.65, Src Port: 38660, Dst Port: 22, "I am sending malformed protocol
> packets, Remote Disconnect", Session-Id: 27796
> And nothing from Active Response.
> Are there any other ideas?
>


Maybe it's because your decoders are bad? Did they work for you?

Your decoders:
[root@corrin ossec]# bin/ossec-logtest
2011/09/14 14:39:27 ossec-testrule: INFO: Reading decoder file etc/decoder.xml.
2011/09/14 14:39:27 ossec-testrule: INFO: Reading decoder file etc/local_decoder.xml.
2011/09/14 14:39:27 ossec-testrule: INFO: Started (pid: 28271).
ossec-testrule: Type one log per line.

Sep 13 22:11:32 sft2 ssh-server-g3: 411 Login_failure, Username: root, Reason: Protocol error, Src IP: 117.79.92.211, Dst IFace: , Dst IP: 198.4.7.65, Src Port: 32667, Dst Port: 22, "I am sending malformed protocol packets, Remote Disconnect", Session-Id: 22184


**Phase 1: Completed pre-decoding.
full event: 'Sep 13 22:11:32 sft2 ssh-server-g3: 411 Login_failure, Username: root, Reason: Protocol error, Src IP: 117.79.92.211, Dst IFace: , Dst IP: 198.4.7.65, Src Port: 32667, Dst Port: 22, "I am sending malformed protocol packets, Remote Disconnect", Session-Id: 22184'
hostname: 'sft2'
program_name: 'ssh-server-g3'
log: '411 Login_failure, Username: root, Reason: Protocol error, Src IP: 117.79.92.211, Dst IFace: , Dst IP: 198.4.7.65, Src Port: 32667, Dst Port: 22, "I am sending malformed protocol packets, Remote Disconnect", Session-Id: 22184'

**Phase 2: Completed decoding.
decoder: 'sshd2'

**Phase 3: Completed filtering (rules).
Rule id: '200004'
Level: '10'
Description: 'Illegal root login. Possible SSHD2 DoS.'
**Alert to be generated.


Tweak:
<!--
Sep 13 22:11:32 sft2 ssh-server-g3: 411 Login_failure, Username: root, Reason: Protocol error, Src IP: 117.79.92.211, Dst IFace: , Dst IP: 198.4.7.65, Src Port: 32667, Dst Port: 22, "I am sending malformed protocol packets, Remote Disconnect", Session-Id: 22184
-->

<! -- SSH2 Decoder -->
<decoder name="sshd2">
<program_name>^ssh-server-g3</program_name>
</decoder>

<decoder name="sshd-protocol">
<parent>sshd2</parent>
<prematch>Disconnect</prematch>
<regex offset="after_parent">Reason: Protocol error, Src IP: (\S+), </regex>
<order>srcip</order>
</decoder>

<decoder name="sshd-root-invalid">
<parent>sshd2</parent>
<prematch>Username: root, </prematch>
<regex offset="after_prematch">Reason: Protocol error, Src IP: (\S+),</regex>
<order>srcip</order>
</decoder>


Tweaked decoders:
[root@corrin ossec]# bin/ossec-logtest
2011/09/14 14:44:36 ossec-testrule: INFO: Reading decoder file etc/decoder.xml.
2011/09/14 14:44:36 ossec-testrule: INFO: Reading decoder file etc/local_decoder.xml.
2011/09/14 14:44:36 ossec-testrule: INFO: Started (pid: 28413).
ossec-testrule: Type one log per line.

Sep 13 22:11:32 sft2 ssh-server-g3: 411 Login_failure, Username: root, Reason: Protocol error, Src IP: 117.79.92.211, Dst IFace: , Dst IP: 198.4.7.65, Src Port: 32667, Dst Port: 22, "I am sending malformed protocol packets, Remote Disconnect", Session-Id: 22184


**Phase 1: Completed pre-decoding.
full event: 'Sep 13 22:11:32 sft2 ssh-server-g3: 411 Login_failure, Username: root, Reason: Protocol error, Src IP: 117.79.92.211, Dst IFace: , Dst IP: 198.4.7.65, Src Port: 32667, Dst Port: 22, "I am sending malformed protocol packets, Remote Disconnect", Session-Id: 22184'
hostname: 'sft2'
program_name: 'ssh-server-g3'
log: '411 Login_failure, Username: root, Reason: Protocol error, Src IP: 117.79.92.211, Dst IFace: , Dst IP: 198.4.7.65, Src Port: 32667, Dst Port: 22, "I am sending malformed protocol packets, Remote Disconnect", Session-Id: 22184'

**Phase 2: Completed decoding.
decoder: 'sshd2'
srcip: '117.79.92.211'

**Phase 3: Completed filtering (rules).
Rule id: '200004'
Level: '10'
Description: 'Illegal root login. Possible SSHD2 DoS.'
**Alert to be generated.


Notice the srcip. It's hard to block the srcip if it isn't properly decoded.

Bob Fudge

Sep 14, 2011, 2:53:50 PM9/14/11
to ossec...@googlegroups.com
No, the decoders are correct. All is firing correctly. They are just one line. Perhaps it's in the email program, but they are correct.

dan (ddp)

Sep 14, 2011, 3:02:35 PM9/14/11
to ossec...@googlegroups.com
On Wed, Sep 14, 2011 at 2:53 PM, Bob Fudge <bob....@one.verizon.com> wrote:
> No, the decoders are correct.  All is firing correctly.  They are just one line.  Perhaps it's in the email program, but they are correct.
>

That's funny, because they don't work for me, as I displayed with the
ossec-logtest output.

Please provide the ossec-logtest output. Once we get past this we can
continue troubleshooting.


Bob Fudge

Sep 14, 2011, 3:47:10 PM9/14/11
to ossec...@googlegroups.com
[root@sft2 bin]# ./ossec-logtest
2011/09/14 15:46:19 ossec-testrule: INFO: Reading local decoder file.
2011/09/14 15:46:19 ossec-testrule: INFO: Started (pid: 11515).

ossec-testrule: Type one log per line.

Sep 14 13:13:23 sft2 ssh-server-g3: 411 Login_failure, Username: root, Reason: Protocol error, Src IP: 199.180.129.188, Dst IFace: , Dst IP: 198.4.7.65, Src Port: 38660, Dst Port: 22, "I am sending malformed protocol packets, Remote Disconnect", Session-Id: 27796


**Phase 1: Completed pre-decoding.
full event: 'Sep 14 13:13:23 sft2 ssh-server-g3: 411 Login_failure, Username: root, Reason: Protocol error, Src IP: 199.180.129.188, Dst IFace: , Dst IP: 198.4.7.65, Src Port: 38660, Dst Port: 22, "I am sending malformed protocol packets, Remote Disconnect", Session-Id: 27796'
hostname: 'sft2'
program_name: 'ssh-server-g3'
log: '411 Login_failure, Username: root, Reason: Protocol error, Src IP: 199.180.129.188, Dst IFace: , Dst IP: 198.4.7.65, Src Port: 38660, Dst Port: 22, "I am sending malformed protocol packets, Remote Disconnect", Session-Id: 27796'

**Phase 2: Completed decoding.
decoder: 'sshd2'

**Phase 3: Completed filtering (rules).
Rule id: '200004'
Level: '10'
Description: 'Illegal root login. Possible SSHD2 DoS.'
**Alert to be generated.

dan (ddp)

Sep 14, 2011, 4:29:55 PM9/14/11
to ossec...@googlegroups.com
On Wed, Sep 14, 2011 at 3:47 PM, Bob Fudge <bob....@one.verizon.com> wrote:
> [root@sft2 bin]# ./ossec-logtest
> 2011/09/14 15:46:19 ossec-testrule: INFO: Reading local decoder file.
> 2011/09/14 15:46:19 ossec-testrule: INFO: Started (pid: 11515).
> ossec-testrule: Type one log per line.
>
> Sep 14 13:13:23 sft2 ssh-server-g3: 411 Login_failure, Username: root, Reason: Protocol error, Src IP: 199.180.129.188, Dst IFace: , Dst IP: 198.4.7.65, Src Port: 38660, Dst Port: 22, "I am sending malformed protocol packets, Remote Disconnect", Session-Id: 27796
>
>
> **Phase 1: Completed pre-decoding.
>       full event: 'Sep 14 13:13:23 sft2 ssh-server-g3: 411 Login_failure, Username: root, Reason: Protocol error, Src IP: 199.180.129.188, Dst IFace: , Dst IP: 198.4.7.65, Src Port: 38660, Dst Port: 22, "I am sending malformed protocol packets, Remote Disconnect", Session-Id: 27796'
>       hostname: 'sft2'
>       program_name: 'ssh-server-g3'
>       log: '411 Login_failure, Username: root, Reason: Protocol error, Src IP: 199.180.129.188, Dst IFace: , Dst IP: 198.4.7.65, Src Port: 38660, Dst Port: 22, "I am sending malformed protocol packets, Remote Disconnect", Session-Id: 27796'
>
> **Phase 2: Completed decoding.
>       decoder: 'sshd2'
>

^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
So your decoder isn't working the way you want it to. It's hard to
block an IP that isn't decoded.

Bob Fudge

Sep 14, 2011, 4:33:44 PM9/14/11
to ossec...@googlegroups.com
OK, you say it isn't working. Can you expand on where the problem is?

dan (ddp)

Sep 14, 2011, 4:42:45 PM9/14/11
to ossec...@googlegroups.com
On Wed, Sep 14, 2011 at 4:33 PM, Bob Fudge <bob....@one.verizon.com> wrote:
> OK, you say it isn't working.  Can you expand on where the problem is?
>

Your phase 2:

**Phase 2: Completed decoding.
decoder: 'sshd2'

The phase 2 from my tweaked decoders:

**Phase 2: Completed decoding.
decoder: 'sshd2'
srcip: '117.79.92.211'

The srcip is decoded in my version, but not in yours. That srcip would
be used by the AR system to block the srcip. If it isn't decoded, it
can't be blocked.

The regex in your original decoders was a bit off:


<regex offset="after_prematch">, Reason: Protocol error, Src: \S+, Src IP: (\S+), </regex>

There is nothing in the sample logs you posted that matches "Src: \S+,
Src IP:". ", Reason: Protocol error, Src IP: " does match, though.
So changing the regex a bit (taking out the extra "Src: \S+, ")
allowed the IP to be decoded.

Does that make sense?
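
To make the decoding difference above concrete, here is an added Python model (not OSSEC's code, and not posted by anyone in the thread) of how a child decoder's prematch and offset narrow the text the regex sees. It runs the original and the tweaked sshd-root-invalid and sshd-protocol patterns, exactly as posted, against the log line from the thread; the decode_srcip helper and its after_parent simplification are assumptions of the model, not OSSEC's implementation.

```python
import re

# Constructed sample inputs: the two Tectia ssh-server-g3 lines from the thread,
# reduced to what OSSEC's phase 1 leaves in 'log:' (program_name stripped).
SAMPLE_LOG = ('411 Login_failure, Username: root, Reason: Protocol error, '
              'Src IP: 117.79.92.211, Dst IFace: , Dst IP: 198.4.7.65, '
              'Src Port: 32667, Dst Port: 22, "I am sending malformed '
              'protocol packets, Remote Disconnect", Session-Id: 22184')
SAMPLE_LOG_2 = SAMPLE_LOG.replace('117.79.92.211', '199.180.129.188')


def decode_srcip(log, prematch, regex, offset):
    """Model of an OSSEC child decoder (assumption, not OSSEC's own code).

    The decoder only runs if <prematch> is found in the log.  With
    offset="after_prematch" the <regex> sees only the text after that hit;
    with offset="after_parent" it sees the text after the parent's match,
    which is the whole 'log:' here because the parent matched on
    program_name only.  Returns the capture bound to <order>srcip</order>.
    """
    hit = log.find(prematch)
    if hit < 0:
        return None
    if offset == "after_prematch":
        haystack = log[hit + len(prematch):]
    elif offset == "after_parent":
        haystack = log
    else:
        raise ValueError("unsupported offset: %s" % offset)
    m = re.search(regex, haystack)
    return m.group(1) if m else None


# Patterns exactly as posted in the thread.
ORIGINAL_RE = r", Reason: Protocol error, Src: \S+, Src IP: (\S+), "
TWEAKED_ROOT_RE = r"Reason: Protocol error, Src IP: (\S+),"
TWEAKED_PROTO_RE = r"Reason: Protocol error, Src IP: (\S+), "


def original_root_decoder(log):
    # sshd-root-invalid from the first post.  Two things stop it matching:
    # the line has no "Src: <x>, " field, and the comma after "root" was
    # already consumed by the prematch, so the leading ", " never lines up.
    return decode_srcip(log, "Username: root,", ORIGINAL_RE, "after_prematch")


def original_protocol_decoder(log):
    # sshd-protocol from the first post: "Disconnect" sits near the end of
    # the line, so after_prematch leaves only '", Session-Id: ...' to search.
    return decode_srcip(log, "Disconnect", ORIGINAL_RE, "after_prematch")


def tweaked_root_decoder(log):
    # Dan's tweak: prematch keeps the trailing space, "Src: \S+, " is gone.
    return decode_srcip(log, "Username: root, ", TWEAKED_ROOT_RE, "after_prematch")


def tweaked_protocol_decoder(log):
    # Dan's tweak: after_parent lets the regex search the whole log.
    return decode_srcip(log, "Disconnect", TWEAKED_PROTO_RE, "after_parent")


if __name__ == "__main__":
    for name, fn in [("original root", original_root_decoder),
                     ("original protocol", original_protocol_decoder),
                     ("tweaked root", tweaked_root_decoder),
                     ("tweaked protocol", tweaked_protocol_decoder)]:
        print("%-18s srcip=%r" % (name, fn(SAMPLE_LOG)))
```

Without a decoded srcip there is nothing for firewall-drop to act on, which is why the alert fired but no Active Response ever ran.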

Jeremy Lee

Sep 14, 2011, 4:40:15 PM9/14/11
to ossec...@googlegroups.com
Looks like Dan came up with a "tweaked" decoder earlier on in the thread:


Tweak:
<!--
Sep 13 22:11:32 sft2 ssh-server-g3: 411 Login_failure, Username: root, Reason: Protocol error, Src IP: 117.79.92.211, Dst IFace: , Dst IP: 198.4.7.65, Src Port: 32667, Dst Port: 22, "I am sending malformed protocol packets, Remote Disconnect", Session-Id: 22184
-->
<! -- SSH2 Decoder -->
<decoder name="sshd2">
 <program_name>^ssh-server-g3</program_name>
</decoder>

<decoder name="sshd-protocol">
 <parent>sshd2</parent>
 <prematch>Disconnect</prematch>
 <regex offset="after_parent">Reason: Protocol error, Src IP: (\S+), </regex>
 <order>srcip</order>
</decoder>
<decoder name="sshd-root-invalid">
 <parent>sshd2</parent>
 <prematch>Username: root, </prematch>
 <regex offset="after_prematch">Reason: Protocol error, Src IP: (\S+),</regex>
 <order>srcip</order>
</decoder>

Expected output from Tweaked decoders:

[root@corrin ossec]# bin/ossec-logtest
2011/09/14 14:44:36 ossec-testrule: INFO: Reading decoder file etc/decoder.xml.
2011/09/14 14:44:36 ossec-testrule: INFO: Reading decoder file etc/local_decoder.xml.
2011/09/14 14:44:36 ossec-testrule: INFO: Started (pid: 28413).
ossec-testrule: Type one log per line.

Sep 13 22:11:32 sft2 ssh-server-g3: 411 Login_failure, Username: root, Reason: Protocol error, Src IP: 117.79.92.211, Dst IFace: , Dst IP: 198.4.7.65, Src Port: 32667, Dst Port: 22, "I am sending malformed protocol packets, Remote Disconnect", Session-Id: 22184


**Phase 1: Completed pre-decoding.
      full event: 'Sep 13 22:11:32 sft2 ssh-server-g3: 411 Login_failure, Username: root, Reason: Protocol error, Src IP: 117.79.92.211, Dst IFace: , Dst IP: 198.4.7.65, Src Port: 32667, Dst Port: 22, "I am sending malformed protocol packets, Remote Disconnect", Session-Id: 22184'
      hostname: 'sft2'
      program_name: 'ssh-server-g3'
      log: '411 Login_failure, Username: root, Reason: Protocol error, Src IP: 117.79.92.211, Dst IFace: , Dst IP: 198.4.7.65, Src Port: 32667, Dst Port: 22, "I am sending malformed protocol packets, Remote Disconnect", Session-Id: 22184'


**Phase 2: Completed decoding.
      decoder: 'sshd2'
      srcip: '117.79.92.211'


**Phase 3: Completed filtering (rules).
      Rule id: '200004'
      Level: '10'
      Description: 'Illegal root login. Possible SSHD2 DoS.'
**Alert to be generated.


Give his "tweak" a try - you'll need to modify your decoder.xml.

dan (ddp)

Sep 14, 2011, 4:47:23 PM9/14/11
to ossec...@googlegroups.com

Hopefully local_decoder.xml ;)

Jeremy Lee

Sep 14, 2011, 4:50:00 PM9/14/11
to ossec...@googlegroups.com
Or yea... local_decoder.xml :)

But if you're making modifications to an existing decoder, do you just comment it out in decoder.xml and create a copy in local_decoder.xml and use the modified copy?

dan (ddp)

Sep 14, 2011, 4:59:02 PM9/14/11
to ossec...@googlegroups.com
On Wed, Sep 14, 2011 at 4:50 PM, Jeremy Lee <jpl...@gmail.com> wrote:
> Or yea... local_decoder.xml :)
>
> But if you're making modifications to an existing decoder, do you just
> comment it out in decoder.xml and create a copy in local_decoder.xml and use
> the modified copy?
>

If you're making modifications to an existing decoder you should send
them to the list...
I don't actually have a good way to handle that.

Bob Fudge

Sep 15, 2011, 9:28:52 AM9/15/11
to ossec...@googlegroups.com
Ahh, I see. I can't admit I fully understand, but it does work.

Thanks so much,
Bob
