OSSEC Active Response - "dstip"


jplee3

Dec 14, 2010, 7:48:53 PM
to ossec-list
Hi all,

Is there a way to pass the decoder order variable "dstip" (as well as
anything else like "extra_data", etc.) to Active Response?


I have the following command set up in my ossec.conf:

<command>
<name>testing</name>
<executable>testing.sh</executable>
<expect>srcip, dstip</expect>
</command>


The testing.sh AR script contains the following:

#!/bin/sh
# Append every argument OSSEC hands the script to /tmp/testing
echo "$@" >> /tmp/testing

So anything and everything getting passed to AR should get spit out
into /tmp/testing.

However, when I look at /tmp/testing I do not see the dstip that I
have set up in the decoder. I do see the srcip, however.

Is there a way to get the dstip to show in the output?

Guilherme de Freitas Figueiredo

Dec 15, 2010, 8:29:21 AM
to ossec...@googlegroups.com
Hi!

I'm trying to get dstip into OSSEC too, into active-response to work
with Snort, but I don't quite know what to do.

If anyone has a solution, it would be welcome.

Regards,

Guilherme

jplee3

Dec 15, 2010, 12:42:48 PM
to ossec-list
For now I've had to use "user" and "srcip" as those appear to be the
only flags that can be passed through... For example, I'm using "user"
to display what the hostname is and "srcip" what the dstip would be.
After reading around, it looks like you can't pass dstip. It would be
*awesome* if passing all decoder <order> variables to AR were possible
in the next OSSEC release :)


BTW: is it possible to force assign a hostname? The machine where I'm
logging isn't necessarily where I want the AR to occur - I want the AR
to occur at the location of a hostname/IP identified in the log
however.


Christopher Moraes

Dec 15, 2010, 1:24:24 PM
to ossec...@googlegroups.com
Hi,

The docs (http://www.ossec.net/doc/manual/ar/ar-custom.html) mention 6 parameters that are passed to an active response command:
  1. action (delete or add)
  2. user name (or - if not set)
  3. src ip (or - if not set)
  4. Alert id (unique for every alert)
  5. Rule id
  6. Agent name/host/filename
I've also been looking for a way to pass extra_data or the entire log message to the active response script, but so far the only way seems to be the one mentioned in the example (in the docs), i.e. to grep the alert file for the alert id.

Regards,
Chris
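As an added example (not code from this thread or from the OSSEC project), here is an active-response script built around the six positional arguments listed above. It recovers dstip the way the docs suggest: it takes the alert id (argument 4) and looks the alert block up in alerts.log instead of expecting dstip on the command line. The alerts.log layout it parses (a "** Alert <id>:" header line, an optional "Dst IP: <addr>" line, a blank line ending the block), the default log path and the embedded sample log are all assumptions constructed for the example, not confirmed by the thread.

```shell
#!/bin/sh
# Added example, not code from the thread or from the OSSEC project.
# An OSSEC active-response script receives exactly six positional
# arguments (action, user, srcip, alert id, rule id, agent), so "dstip"
# never arrives on the command line. This script recovers it the way
# the ar-custom docs suggest: look the alert id up in alerts.log.
#
# Assumptions (not confirmed by the thread): the alert block in
# alerts.log starts with "** Alert <id>:" and ends at a blank line, and
# contains a "Dst IP: <addr>" line when the decoder populated dstip.

ALERTS_LOG="${ALERTS_LOG:-/var/ossec/logs/alerts/alerts.log}"

# alert_block ID LOGFILE: print the alert block whose header carries ID.
alert_block() {
    awk -v id="$1" '
        $1 == "**" && $2 == "Alert" && $3 == (id ":") { inblock = 1 }
        inblock && /^$/ { exit }
        inblock { print }
    ' "$2"
}

# alert_dstip ID LOGFILE: the Dst IP recorded for the alert, or "-"
# (the same placeholder OSSEC uses for an unset user/srcip argument).
alert_dstip() {
    ip=$(alert_block "$1" "$2" | sed -n 's/^Dst IP: *//p' | head -n 1)
    if [ -n "$ip" ]; then
        printf '%s\n' "$ip"
    else
        printf '%s\n' "-"
    fi
}

# ar_main: entry point taking the six OSSEC arguments; emits one line
# with every field plus the recovered dstip (a script that only echoes
# "$@" can never show dstip, because OSSEC never passes it).
ar_main() {
    action="$1" user="$2" srcip="$3" alert_id="$4" rule_id="$5" agent="$6"
    dstip=$(alert_dstip "$alert_id" "$ALERTS_LOG")
    printf 'action=%s user=%s srcip=%s alert_id=%s rule_id=%s agent=%s dstip=%s\n' \
        "$action" "$user" "$srcip" "$alert_id" "$rule_id" "$agent" "$dstip"
}

# make_sample_log: write a constructed alerts.log (not real OSSEC output)
# to a temp file and print its path, so the script can be tried offline.
make_sample_log() {
    f=$(mktemp) || return 1
    cat > "$f" <<'EOF'
** Alert 1292369333.12345: - syslog,
2010 Dec 14 19:48:53 (agent1) 10.0.0.5->/var/log/messages
Rule: 100001 (level 10) -> 'Testing rule with dstip'
Src IP: 192.0.2.5
Dst IP: 192.0.2.10
User: jplee3
Dec 14 19:48:53 agent1 testapp: 192.0.2.5 -> 192.0.2.10 user jplee3

** Alert 1292369340.12346: - syslog,
2010 Dec 14 19:49:00 (agent1) 10.0.0.5->/var/log/messages
Rule: 100002 (level 5) -> 'Testing rule without dstip'
Src IP: 192.0.2.7
Dec 14 19:49:00 agent1 testapp: ping from 192.0.2.7
EOF
    printf '%s\n' "$f"
}

if [ "$#" -ge 6 ]; then
    ar_main "$@"          # invoked by OSSEC (or by hand) with the six args
else
    # No arguments: demonstrate against the constructed sample log.
    ALERTS_LOG=$(make_sample_log)
    ar_main add jplee3 192.0.2.5 1292369333.12345 100001 agent1
    ar_main add - 192.0.2.7 1292369340.12346 100002 agent1
    rm -f "$ALERTS_LOG"
fi
```

Two caveats worth keeping in mind with this approach: alerts.log lives on the manager, so the lookup only works for a command whose active response runs there (not for a response executed locally on an agent, which has no copy of the alert), and the alert block has to be flushed to disk before the script reads it, so a retry or short delay may be needed if the first lookup comes back "-".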

Rutger Sassen

Dec 16, 2010, 2:24:55 AM
to ossec...@googlegroups.com, Christopher Moraes
Hi,

Another approach would be to use granular email for the specific
event(s) and configure Postfix (or the MTA of your choice) to execute
your script for mailbox delivery to that specific user. The email
contains the entire log message, so no need to grep in the alert log.

I admit it's a bit of a workaround, but it should work.

Regards,

Rutger
