active response


Leonardo Bacha Abrantes

Aug 30, 2012, 8:38:33 AM
to Grupo "OSSEC"
Hey people,
good morning!

I have a few machines on which I want to enable active response, so my question is: to do it, do I have to follow the steps below?

1) delete, on agents, in ossec.conf: <active-response> <disabled>yes</disabled> </active-response>
2) configure the rules in ossec.conf on the SERVER. An example to block the source when rule 31151 is activated:

  <active-response>
    <command>route-null</command>
    <location>local</location>

    <!-- Multiple web server 400 error codes from same source IP -->
    <rules_id>31151</rules_id>
    <timeout>600</timeout>
  </active-response>

3) restart the agent and server.

So, any configuration about rules must be done only on the server? Am I correct?

Thanks a lot!


dan (ddp)

Aug 30, 2012, 8:46:33 AM
to ossec...@googlegroups.com
Seems correct. Rules are only handled on the server (/var/ossec/rules
shouldn't even exist on an agent). All configuration except
disabling/enabling active response should be done on the server.

Leonardo Bacha Abrantes

Aug 30, 2012, 8:51:58 AM
to ossec...@googlegroups.com
Many thanks Dan!

Leonardo Bacha Abrantes

Aug 31, 2012, 12:15:28 PM
to ossec...@googlegroups.com
Dan,

I configured my ossec.conf on the server with (it's working):

  <command>
        <name>firewall-drop</name>
        <executable>firewall-drop.sh</executable>
        <expect>srcip</expect>
        <timeout_allowed>yes</timeout_allowed>
  </command>

  <active-response>
        <disabled>no</disabled>
        <command>firewall-drop</command>
        <agent_id>001</agent_id>
        <location>local</location>
        <rules_id>31151</rules_id>
        <level>7</level>
        <timeout>600</timeout>
  </active-response>

Two questions:

1) If I remove rules_id, will the active response work for all alerts, I mean, for any rule?
2) E.g.: I have two servers with active response enabled and I want to exclude blocking for rule 31151 on server A. How can I do that?

Many thanks!

dan (ddp)

Aug 31, 2012, 12:24:10 PM
to ossec...@googlegroups.com
On Fri, Aug 31, 2012 at 12:15 PM, Leonardo Bacha Abrantes
<leon...@lbasolutions.com> wrote:
> Dan,
>
> I configured my ossec.conf in server with (it's working):
>
> <command>
> <name>firewall-drop</name>
> <executable>firewall-drop.sh</executable>
> <expect>srcip</expect>
> <timeout_allowed>yes</timeout_allowed>
> </command>
>
> <active-response>
> <disabled>no</disabled>
> <command>firewall-drop</command>
> <agent_id>001</agent_id>
> <location>local</location>
> <rules_id>31151</rules_id>
> <level>7</level>
> <timeout>600</timeout>
> </active-response>
>
> two questions:
>
> 1) if I remove rules_id, the active response will work for all alerts, I
> mean, for any rule ?

Anything level 7+ with a srcip.

> 2) ex.: I have two servers with active response enable and I want to exclude
> block of rule 31151 on server A. How can I do that ?
>

Modify the firewall script to ignore 31151 on that system?
Overwrite 31151 so the level < 7, then write an AR for the server that
cares about 31151 to trigger on just that rule.
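As an added illustration of Dan's answer to the first question (not code from the thread or from OSSEC itself), the following Python model parses the <command> and <active-response> blocks posted above and decides whether a given alert would trigger the response. It models only the trigger conditions discussed here: <disabled>, <level> (alert level must be at least this), <rules_id> (if present, the alert's rule must be listed) and the command's <expect> field (firewall-drop needs a srcip). Where the response runs (<location>, <agent_id>) is deliberately not modelled, and the alert dictionaries used in the demo are constructed values.

```python
"""Model of when an OSSEC <active-response> block fires.

Added illustration, not OSSEC's own matching code.  Assumes the semantics
described in the thread: with <rules_id> removed, any alert at or above
<level> that carries a srcip triggers a command that expects srcip.
"""
import xml.etree.ElementTree as ET

# The command and active-response blocks posted in the thread, wrapped in a
# root element so they parse as one document.
CONFIG_XML = """<ossec_config>
  <command>
    <name>firewall-drop</name>
    <executable>firewall-drop.sh</executable>
    <expect>srcip</expect>
    <timeout_allowed>yes</timeout_allowed>
  </command>
  <active-response>
    <disabled>no</disabled>
    <command>firewall-drop</command>
    <agent_id>001</agent_id>
    <location>local</location>
    <rules_id>31151</rules_id>
    <level>7</level>
    <timeout>600</timeout>
  </active-response>
</ossec_config>"""


def load_config(xml_text):
    """Return the list of active-response blocks, each joined to its command's <expect>."""
    root = ET.fromstring(xml_text)
    commands = {c.findtext("name"): (c.findtext("expect") or "").strip()
                for c in root.findall("command")}
    responses = []
    for ar in root.findall("active-response"):
        name = (ar.findtext("command") or "").strip()
        ids = ar.findtext("rules_id") or ""          # comma-separated rule ids, may be absent
        responses.append({
            "command": name,
            "expect": commands.get(name, ""),
            "disabled": (ar.findtext("disabled") or "no").strip() == "yes",
            "rules_id": {r.strip() for r in ids.split(",") if r.strip()},
            "level": int(ar.findtext("level") or 0),
        })
    return responses


def would_fire(ar, alert):
    """alert: dict with rule_id (str), level (int) and, optionally, srcip (str)."""
    if ar["disabled"]:
        return False
    if ar["rules_id"] and alert["rule_id"] not in ar["rules_id"]:
        return False                                 # restricted to listed rules
    if alert["level"] < ar["level"]:
        return False                                 # below the configured level
    if ar["expect"] == "srcip" and not alert.get("srcip"):
        return False                                 # nothing for firewall-drop to block
    return True


def without_rules_id(ar):
    """Copy of a response block with <rules_id> removed (the first question above)."""
    return dict(ar, rules_id=set())


if __name__ == "__main__":
    ar = load_config(CONFIG_XML)[0]
    # Constructed alerts: a level-10 hit on 31151, and a level-10 hit on another rule.
    for alert in ({"rule_id": "31151", "level": 10, "srcip": "198.51.100.7"},
                  {"rule_id": "5706", "level": 10, "srcip": "198.51.100.7"},
                  {"rule_id": "5706", "level": 5, "srcip": "198.51.100.7"},
                  {"rule_id": "5706", "level": 10}):
        print(alert, "restricted:", would_fire(ar, alert),
              "rules_id removed:", would_fire(without_rules_id(ar), alert))
```

Running it shows the point of Dan's reply: with <rules_id> in place only rule 31151 triggers the block; with it removed, any level 7+ alert that carries a srcip does, while a level 5 alert or an alert without a srcip still does not.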

Leonardo Bacha Abrantes

Aug 31, 2012, 2:09:26 PM
to ossec...@googlegroups.com
Sorry Dan, again...

I deleted the iptables rule manually and then I restarted the ossec agent, and after that active response is not working.

>> Client's log
Fri Aug 31 14:54:19 BRT 2012 /var/ossec/active-response/bin/firewall-drop.sh delete - UNKNOWN 1346433702.1874963 5706
Fri Aug 31 14:54:19 BRT 2012 Unable to run (iptables returning != 2): 1 - /var/ossec/active-response/bin/firewall-drop.sh delete - UNKNOWN 1346433702.1874963 5706

PS: active response is working on other servers.

Can you help me, please?

Many thanks!

dan (ddp)

Aug 31, 2012, 2:15:54 PM
to ossec...@googlegroups.com
On Fri, Aug 31, 2012 at 2:09 PM, Leonardo Bacha Abrantes
<leon...@lbasolutions.com> wrote:
> Sorry Dan, again...
>
> I deleted the iptables rule manually and then I restarted the ossec agent,
> and after that active response is not working.
>

What rule did you delete?

>>> Client's log
> Fri Aug 31 14:54:19 BRT 2012 /var/ossec/active-response/bin/firewall-drop.sh
> delete - UNKNOWN 1346433702.1874963 5706
> Fri Aug 31 14:54:19 BRT 2012 Unable to run (iptables returning != 2): 1 -
> /var/ossec/active-response/bin/firewall-drop.sh delete - UNKNOWN
> 1346433702.1874963 5706
>

This looks like sshd is passing UNKNOWN instead of an IP or hostname.

Leonardo Bacha Abrantes

Aug 31, 2012, 2:23:11 PM
to ossec...@googlegroups.com
I didn't delete rules in ossec. I removed the iptables rules which were inserted by active response.
I only changed the rule to send me alerts; however, it did not work.

  <rule id="601" level="3">
    <if_sid>600</if_sid>
    <options>alert_by_email</options>   
    <action>firewall-drop.sh</action>
    <status>add</status>
    <description>Host Blocked by firewall-drop.sh Active Response</description>
    <group>active_response,</group>
  </rule>

It is only happening on one server. The others are working very well.

dan (ddp)

Aug 31, 2012, 2:29:16 PM
to ossec...@googlegroups.com
On Fri, Aug 31, 2012 at 2:23 PM, Leonardo Bacha Abrantes
<leon...@lbasolutions.com> wrote:
> I don't delete rules on ossec. I removed the iptables rules which was
> inserted by active response.
> I only change the rule to send me alerts, however, it was not work.
>
> <rule id="601" level="3">
> <if_sid>600</if_sid>
> <options>alert_by_email</options>
> <action>firewall-drop.sh</action>
> <status>add</status>
> <description>Host Blocked by firewall-drop.sh Active
> Response</description>
> <group>active_response,</group>
> </rule>
>
> it only is happening in one server. others are working very well.
>

I'm confused. What's the problem? What are you trying to accomplish?
What is happening instead?

dan (ddp)

Aug 31, 2012, 2:30:50 PM
to ossec...@googlegroups.com
On Fri, Aug 31, 2012 at 2:09 PM, Leonardo Bacha Abrantes
<leon...@lbasolutions.com> wrote:
> Sorry Dan, again...
>
> I deleted the iptables rule manually and then I restarted the ossec agent,
> and after that active response is not working.
>
>>> Client's log
> Fri Aug 31 14:54:19 BRT 2012 /var/ossec/active-response/bin/firewall-drop.sh
> delete - UNKNOWN 1346433702.1874963 5706
> Fri Aug 31 14:54:19 BRT 2012 Unable to run (iptables returning != 2): 1 -
> /var/ossec/active-response/bin/firewall-drop.sh delete - UNKNOWN
> 1346433702.1874963 5706
>

After your latest email this makes a bit more sense. The script tried
to delete an IP from your iptables block list. You had already removed
that IP so iptables returned an error.
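The failure Dan describes is visible in the active-response log, so a small triage script over those lines is a useful check. The following is an added example, not code from the thread or from OSSEC: it parses lines in the layout firewall-drop.sh writes, as seen above ("<date> [Unable to run (iptables returning != 2): <rc> - ] <script> <action> <user> <srcip> <alert_id> <rule_id>"), flags deletes that iptables rejected and entries whose srcip is UNKNOWN, and lists blocks that were added but never removed. It assumes the plain line is written when the script starts and the "Unable to run" line only after iptables fails, so a plain line is trusted only when no error line follows for the same alert and action. The sample log is constructed from the two lines posted in the thread plus invented add/delete lines for 192.0.2.10 and 198.51.100.7.

```python
"""Triage OSSEC active-responses.log lines (added example, not OSSEC code)."""
import re

# Constructed sample: the two lines from the thread plus a clean add/delete pair
# and one add that was never deleted.
SAMPLE_LOG = """\
Fri Aug 31 14:50:01 BRT 2012 /var/ossec/active-response/bin/firewall-drop.sh add - 192.0.2.10 1346433000.1800000 31151
Fri Aug 31 14:54:19 BRT 2012 /var/ossec/active-response/bin/firewall-drop.sh delete - UNKNOWN 1346433702.1874963 5706
Fri Aug 31 14:54:19 BRT 2012 Unable to run (iptables returning != 2): 1 - /var/ossec/active-response/bin/firewall-drop.sh delete - UNKNOWN 1346433702.1874963 5706
Fri Aug 31 15:00:01 BRT 2012 /var/ossec/active-response/bin/firewall-drop.sh delete - 192.0.2.10 1346433000.1800000 31151
Fri Aug 31 15:05:12 BRT 2012 /var/ossec/active-response/bin/firewall-drop.sh add - 198.51.100.7 1346436000.1950000 31151
"""

# `date` output, an optional iptables error prefix, then the script's positional arguments.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \w{3} +\d{1,2} \d\d:\d\d:\d\d \S+ \d{4}) "
    r"(?:Unable to run \(iptables returning != 2\): (?P<rc>\d+) - )?"
    r"(?P<script>\S+) (?P<action>add|delete) (?P<user>\S+) "
    r"(?P<srcip>\S+) (?P<alert_id>\S+) (?P<rule_id>\S+)$"
)


def parse_line(line):
    """Return a dict of fields, or None for a line that is not an active-response entry."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["rc"] = int(rec["rc"]) if rec["rc"] is not None else 0   # 0 = no error line
    return rec


def triage(text):
    """Summarise a log: parsed count, findings, and source IPs still blocked at the end."""
    records = [r for r in map(parse_line, text.splitlines()) if r]
    errors = {(r["alert_id"], r["action"]) for r in records if r["rc"] != 0}
    findings, unknown_seen, blocks = [], set(), {}

    for r in records:
        key = (r["alert_id"], r["action"])
        if r["srcip"] == "UNKNOWN" and r["alert_id"] not in unknown_seen:
            unknown_seen.add(r["alert_id"])          # flag once, not per repeated line
            findings.append({"kind": "unknown_srcip", "alert_id": r["alert_id"],
                             "rule_id": r["rule_id"], "ts": r["ts"],
                             "why": "no usable source address reached the script"})
        if r["rc"] != 0:
            why = ("iptables could not remove the block: rule already gone "
                   "(e.g. deleted manually) or srcip unusable"
                   if r["action"] == "delete" else
                   "iptables exited %d while adding the block" % r["rc"])
            findings.append({"kind": "iptables_error", "alert_id": r["alert_id"],
                             "action": r["action"], "rc": r["rc"], "why": why})
            continue
        if key in errors:
            continue                                 # plain line of a failed run: do not trust it
        if r["action"] == "add":
            blocks[r["alert_id"]] = r["srcip"]
        else:
            blocks.pop(r["alert_id"], None)

    return {"records": len(records), "findings": findings,
            "open_blocks": sorted(set(blocks.values()))}


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    print("parsed %d entries" % result["records"])
    for f in result["findings"]:
        print(f["kind"], f["alert_id"], f["why"])
    print("still blocked:", result["open_blocks"])
```

On the sample this reports the rejected delete for alert 1346433702.1874963 (exit code 1), the UNKNOWN source address on the same alert, and 198.51.100.7 as a block that is still in place. A block the script could not remove (or that was removed by hand, as in the thread) is worth reconciling against the live iptables ruleset rather than assuming the log and the firewall agree.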

Leonardo Bacha Abrantes

Aug 31, 2012, 2:39:48 PM
to ossec...@googlegroups.com
Sorry Dan,

I was testing active response. The ossec server was configured and then I used nessus to scan my servers to test it.

So, on one server the active response added an iptables rule to block a source IP; I deleted this rule manually (iptables -D INPUT 1) and restarted the server.
I ran nessus against the machine above, and this appeared in the log:

Fri Aug 31 15:31:30 BRT 2012 Unable to run (iptables returning != 2): 6 - /var/ossec/active-response/bin/firewall-drop.sh delete - UNKNOWN 1346435873.1919331 5706
----
I tested on another server and active response worked, and now I tested again on another server and received the same message.

:(

dan (ddp)

Aug 31, 2012, 2:45:53 PM
to ossec...@googlegroups.com
On Fri, Aug 31, 2012 at 2:39 PM, Leonardo Bacha Abrantes
<leon...@lbasolutions.com> wrote:
> sorry Dan,
>
> I was testing active response. The ossec server was configured and then used
> nessus to scan my servers to test it.
>
> so, in one server the active response added a iptables rule to block a
> source ip, so, I deleted this rule manually: iptables -D INPUT 1, and
> restarted the server.
> I run nessus against the machine above, and appear in log:
>
> Fri Aug 31 15:31:30 BRT 2012 Unable to run (iptables returning != 2): 6 -
> /var/ossec/active-response/bin/firewall-drop.sh delete - UNKNOWN
> 1346435873.1919331 5706
> ----
> I tested on other server and active response worked and now, i tested again
> in another server and I received the same message.
>
> :(
>

If you manually delete the block, OSSEC cannot delete the block.