Active Response Error


Cal

Dec 29, 2015, 1:13:54 PM12/29/15
to ossec-list
I'm on v.2.8.3 and trying to get active response configured for my OSSEC server. I get the error "ossec-config(1303): ERROR: Invalid command 'firewall-drop' in the active response" after restart. I checked the permission for ar.conf, which is chowned root/ossec. I place "firewall-drop600 - firewall-drop.sh - 600" in ar.conf, however the file is cleared after OSSEC restarts. Prior to restart, /var/ossec/bin/agent_control -L shows the valid response options, but after restart nothing is visible.

Here's my ossec.conf, for which I've tried several options from examples online:

  <active-response>
    <disabled>no</disabled>
    <command>firewall-drop</command>
    <location>all</location>
    <rules_id>5712</rules_id>
    <timeout>600</timeout>
  </active-response>

Any help appreciated!

dan (ddp)

Dec 29, 2015, 1:18:05 PM12/29/15
to ossec...@googlegroups.com
Do you have this in your ossec.conf:
<command>
<name>firewall-drop</name>
<executable>firewall-drop.sh</executable>
<expect>srcip</expect>
<timeout_allowed>yes</timeout_allowed>
</command>



Cal

Dec 29, 2015, 3:31:36 PM12/29/15
to ossec-list
Yes, I do.

Restarting OSSEC:
ossec-config(1303): ERROR: Invalid command 'firewall-drop' in the active response.
ossec-config(1202): ERROR: Configuration error at '/var/ossec/etc/ossec.conf'. Exiting.
ossec-analysisd(1202): ERROR: Configuration error at '/var/ossec/etc/ossec.conf'. Exiting.


# cat ar.conf
restart-ossec0 - restart-ossec.sh - 0
restart-ossec0 - restart-ossec.cmd - 0
(and if I add 'firewall-drop600 - firewall-drop.sh - 600' in ar.conf, it is cleared and resets to the above after restart)


# /var/ossec/bin/agent_control -L
OSSEC HIDS agent_control. Available active responses:

Cal

Dec 29, 2015, 3:37:39 PM12/29/15
to ossec-list
Thanks for the feedback. I double checked my <command><name>firewall-drop.... line and found a typo in the tag. Thanks!


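The failure mode in this thread is a config check, not a permissions problem: the `<command>` text inside `<active-response>` must match the `<name>` of a top-level `<command>` block, and a mistyped tag silently removes that name. The script below, an added example and not OSSEC's own parser, reproduces that check over the config fragments posted above and derives the ar.conf entries (`<name><timeout> - <executable> - <timeout>`) in the form shown in Cal's output; the mistyped `<nmae>` tag is a constructed stand-in for the typo Cal found.

```python
"""Validate <active-response> command references in an OSSEC config fragment.
Added example mimicking the ossec-config(1303) check; not OSSEC's own code."""
import xml.etree.ElementTree as ET

# Constructed sample: dan's <command> block plus Cal's <active-response> block.
GOOD_CONF = """
<command>
  <name>firewall-drop</name>
  <executable>firewall-drop.sh</executable>
  <expect>srcip</expect>
  <timeout_allowed>yes</timeout_allowed>
</command>
<active-response>
  <disabled>no</disabled>
  <command>firewall-drop</command>
  <location>all</location>
  <rules_id>5712</rules_id>
  <timeout>600</timeout>
</active-response>
"""
# Constructed typo: a mistyped <name> tag, so the command is never registered.
TYPO_CONF = GOOD_CONF.replace("<name>firewall-drop</name>", "<nmae>firewall-drop</nmae>")


def parse_commands(root):
    """Map each defined command name to its executable. Only top-level
    <command> blocks carry a <name>; the <command> reference inside
    <active-response> has no children and is skipped here."""
    cmds = {}
    for c in root.iter("command"):
        name = c.findtext("name")
        if name is not None:
            cmds[name.strip()] = c.findtext("executable", "").strip()
    return cmds


def check_active_responses(xml_text):
    """Return (errors, ar_lines): errors in the ossec-config(1303) wording for
    unresolved references, ar_lines in the 'name+timeout - exe - timeout' form
    that OSSEC writes to ar.conf for each valid, enabled active response."""
    root = ET.fromstring(f"<root>{xml_text}</root>")  # fragments lack one root
    cmds = parse_commands(root)
    errors, ar_lines = [], []
    for ar in root.iter("active-response"):
        if ar.findtext("disabled", "no").strip() == "yes":
            continue
        ref = (ar.findtext("command") or "").strip()
        if ref not in cmds:
            errors.append(f"ossec-config(1303): ERROR: Invalid command '{ref}' in the active response.")
            continue
        timeout = ar.findtext("timeout", "0").strip()
        ar_lines.append(f"{ref}{timeout} - {cmds[ref]} - {timeout}")
    return errors, ar_lines
```

Running `check_active_responses(TYPO_CONF)` yields the exact 1303 error from the thread and no ar.conf line, which is why ar.conf kept resetting to only the restart-ossec entries.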

dan (ddp)

Dec 29, 2015, 5:25:20 PM12/29/15
to ossec...@googlegroups.com


On Dec 29, 2015 3:31 PM, "Cal" <brandon...@gmail.com> wrote:
>
> Yes I do.
>
> Restarting OSSEC:
> ossec-config(1303): ERROR: Invalid command 'firewall-drop' in the active response.
> ossec-config(1202): ERROR: Configuration error at '/var/ossec/etc/ossec.conf'. Exiting.
> ossec-analysisd(1202): ERROR: Configuration error at '/var/ossec/etc/ossec.conf'. Exiting.
>
>
> # cat ar.conf
> restart-ossec0 - restart-ossec.sh - 0
> restart-ossec0 - restart-ossec.cmd - 0
> (and if I add 'firewall-drop600 - firewall-drop.sh - 600' in ar.conf, it is cleared and resets to the above after restart)
>

Because you don't modify that file, ossec should fill it in.
Since you said the command block I pasted is in your ossec.conf, can you make sure the script exists? Is it executable?

Cal

Dec 29, 2015, 5:57:16 PM12/29/15
to ossec-list
Yes, the script worked! Just fat fingered the tag.

Cal

Dec 29, 2015, 5:57:42 PM12/29/15
to ossec-list
And thanks for your help!