Hi Kivanio,

I need the output from the command as I said:

# /bin/sh -x /var/ossec/active-response/bin/firewall-drop.sh add XXX 192.168.2.1

This will give me debug information from the script and not from your
terminal. I also tried it on
FreeBSD and it worked fine...

Thanks,

--
Daniel B. Cid
dcid ( at ) ossec.net

On Wed, Apr 23, 2008 at 5:09 PM, Kivanio Barbosa <[EMAIL PROTECTED]> wrote:
> Daniel,
>
> I forgot to say OSSEC is 1.5 beta, but the same happened with 1.4.
>
>
>
> On Wed, Apr 23, 2008 at 4:00 PM, Kivanio Barbosa <[EMAIL PROTECTED]> wrote:
>
> > Daniel,
> >
> > I wrote in the first mail that I did it.
> >
> > So, I did it all again, see:
> >
> > My OS is FreeBSD 7.0, not OpenBSD, OK?
> >
> > FreeBSD server.org.br 7.0-RELEASE FreeBSD 7.0-RELEASE #8: Thu Mar 20 12:06:04 AMT 2008     [EMAIL PROTECTED]:/usr/src/sys/i386/compile/server i386
> >
> > server joao /usr/home/joao # /bin/csh -x (I use csh instead of sh)
> > You have mail.
> >
> >
> > server joao /usr/local/ossec # cd logs/
> > chdir logs/
> > set prompt=`hostname -s` joao `pwd` #
> > hostname -s
> > pwd
> >
> >
> > LAST LOGS:
> >
> > server joao /usr/local/ossec/logs # tail -f active-responses.log
> > tail -f active-responses.log
> > Wed Apr 23 15:34:08 AMT 2008 /usr/local/ossec/active-response/bin/host-deny.sh delete - 200.154.55.4 1208978646.1095546 20101
> > Wed Apr 23 15:34:08 AMT 2008 /usr/local/ossec/active-response/bin/host-deny.sh delete - 64.15.125.220 1208978568.1092931 20101
> > Wed Apr 23 15:34:09 AMT 2008 /usr/local/ossec/active-response/bin/firewall-drop.sh delete - 200.154.55.4 1208978646.1095546 20101
> > Wed Apr 23 15:34:09 AMT 2008 /usr/local/ossec/active-response/bin/firewall-drop.sh delete - 64.15.125.220 1208978568.1092931 20101
> > Wed Apr 23 15:34:24 AMT 2008 /usr/local/ossec/active-response/bin/host-deny.sh add - 64.15.120.163 1208979264.1112819 20101
> > Wed Apr 23 15:34:24 AMT 2008 /usr/local/ossec/active-response/bin/firewall-drop.sh add - 64.15.120.163 1208979264.1112819 20101
> > Wed Apr 23 15:37:14 AMT 2008 /usr/local/ossec/active-response/bin/host-deny.sh delete - 64.15.125.226 1208978772.1096671 20101
> > Wed Apr 23 15:37:14 AMT 2008 /usr/local/ossec/active-response/bin/firewall-drop.sh delete - 64.15.125.226 1208978772.1096671 20101
> > Wed Apr 23 15:37:36 AMT 2008 /usr/local/ossec/active-response/bin/host-deny.sh add - 64.15.117.210 1208979456.1117309 20101
> > Wed Apr 23 15:37:36 AMT 2008 /usr/local/ossec/active-response/bin/firewall-drop.sh add - 64.15.117.210 1208979456.1117309 20101
> >
> >
> > TABLE CLEAR:
> >
> > server joao /usr/local/ossec/logs # pfctl -t ossec_fwtable -T show
> >
> > pfctl -t ossec_fwtable -T show
> >
> > I TRY USE MANUALLY:
> >
> > server joao /usr/local/ossec/logs # /usr/local/ossec/active-response/bin/firewall-drop.sh add - 200.221.7.40 1208979566.1118443 20101
> > /usr/local/ossec/active-response/bin/firewall-drop.sh add - 200.221.7.40 1208979566.1118443 20101
> > cat: "/etc/pf.conf": No such file or directory
> >
> >
> > WHEN RUN MANUALLY THE SCRIPT DOESN'T FIND THE FILE, SO I EDITED THE FILE AND SET THE PATH /etc/pf.conf INSTEAD OF THE VARIABLE ${PFCTL_RULES}
> >
> >
> > server joao /usr/local/ossec/logs # mcedit ../active-response/bin/firewall-drop.sh
> > mcedit ../active-response/bin/firewall-drop.sh
> >
> > TRY AGAIN:
> >
> > server joao /usr/local/ossec/logs # /usr/local/ossec/active-response/bin/firewall-drop.sh add - 200.221.7.40 1208979566.1118443 20101
> > /usr/local/ossec/active-response/bin/firewall-drop.sh add - 200.221.7.40 1208979566.1118443 20101
> >
> > ALL OK, BUT:
> >
> > server joao /usr/local/ossec/logs # pfctl -t ossec_fwtable -T show
> >
> > pfctl -t ossec_fwtable -T show
> > server joao /usr/local/ossec/logs #
> >
> > TABLE STAYED CLEAR.
> >
> > On Wed, Apr 23, 2008 at 2:01 PM, Daniel Cid <[EMAIL PROTECTED]> wrote:
> >
> > >
> > > Hi Kevin,
> > >
> > > The active responses are run by the ossec-execd process as root. So
> > > there is no need to use sudo
> > > in there... I initially thought about that, but since sudo is not
> > > widely supported, I decided to stick with
> > > running as root instead.
> > >
> > > Kivanio,
> > >
> > > Do you mind running the active response manually? Try
> > >
> > > # /bin/sh -x /var/ossec/active-response/bin/firewall-drop.sh add XXX 192.168.2.1
> > >
> > > And then check the content of the table:
> > >
> > >
> > > # pfctl -t ossec_fwtable -T show
> > >
> > > If that doesn't work, please show us the output from /bin/sh -x
> > > (debugging enabled)... I tried this
> > > over on OpenBSD and it is working fine...
> > >
> > >
> > >
> > > Thanks,
> > >
> > >
> > > --
> > > Daniel B. Cid
> > > dcid ( at ) ossec.net
> > >
> > >
> >
> >
>
>
>
> --
> Kivanio Pereira Barbosa
> Cel 8121-4248
>
> www.eiqconsultoria.com.br
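The thread turns on two things a defender wants to check before trusting a pf-based active response: that the script is traced with /bin/sh -x (the csh -x run above traced the interactive shell, not the script), and that the ruleset file the script reads actually exists and declares the table that `pfctl -t ossec_fwtable -T show` is later inspected for. The preflight script below is an added example written for this thread; it is not OSSEC's firewall-drop.sh and not Daniel's or Kivanio's code. It assumes the argument order the thread's log lines show (action, user, address), the table name ossec_fwtable from the thread, and a `table <ossec_fwtable> persist` declaration as the pf idiom for a table that survives being empty. It never runs pfctl: it validates the inputs, checks the ruleset, and prints the pfctl command that the real response would issue, so it can be run on a host without pf at all.

```shell
#!/bin/sh
# Preflight (dry run) for an OSSEC-style pf active response.  Added example;
# it does not run pfctl and is not the OSSEC firewall-drop.sh script.
#
# usage: sh ar-preflight.sh add - 192.168.2.1 [/path/to/pf.conf]

AR_TABLE="ossec_fwtable"              # table name seen in the thread's pfctl output
PF_RULES="${PF_RULES:-/etc/pf.conf}"  # default ruleset path the thread's script failed to cat

# ar_action_ok ACTION -> 0 if ACTION is one of the two words ossec-execd passes
ar_action_ok() {
    case "$1" in
        add|delete) return 0 ;;
        *)          return 1 ;;
    esac
}

# ipv4_ok IP -> 0 if IP is a dotted quad with every octet in 0..255
ipv4_ok() {
    ip="$1"
    case "$ip" in
        *[!0-9.]*|.*|*.|*..*) return 1 ;;   # stray characters, leading/trailing/double dots
    esac
    set -- $(printf '%s\n' "$ip" | tr '.' ' ')
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# pf_table_declared FILE TABLE -> 0 if FILE contains a "table <TABLE>" declaration,
# 2 if FILE cannot be read (the thread's "No such file or directory" case)
pf_table_declared() {
    file="$1"; table="$2"
    [ -r "$file" ] || { echo "cannot read ruleset: $file" >&2; return 2; }
    grep -Eq "^[[:space:]]*table[[:space:]]+<${table}>" "$file"
}

# ar_preflight ACTION USER IP [RULES] -> 0 when the response would have something
# to act on; prints the pfctl command it would run instead of executing it.
ar_preflight() {
    action="$1"; ip="$3"; rules="${4:-$PF_RULES}"   # $2 (user) is carried but unused
    ar_action_ok "$action" || { echo "bad action: $action" >&2; return 1; }
    ipv4_ok "$ip"          || { echo "bad address: $ip" >&2; return 1; }
    if ! pf_table_declared "$rules" "$AR_TABLE"; then
        echo "table <$AR_TABLE> not declared in $rules;" \
             "add 'table <$AR_TABLE> persist' and reload pf before relying on this response" >&2
        return 1
    fi
    echo "would run: pfctl -t $AR_TABLE -T $action $ip"
    return 0
}

# Run as a command when given the active-response arguments; harmless when sourced.
if [ $# -ge 3 ]; then
    ar_preflight "$@"
fi
```

Run it with `/bin/sh -x` to see the same kind of trace Daniel asked for, but from a script that only reads files; once it reports the would-run command, the real response can be traced the same way and the table checked with `pfctl -t ossec_fwtable -T show`.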
