Hi,

Did you check for the file /var/ossec/logs/active-responses.log on the
agent? You configured the response to run on the agent side, not on the
manager. Also, it will timeout and remove the block after 10 minutes
(for the first entry, not yours)...

A good way to test is to run the command agent_control:


# /var/ossec/bin/agent_control -L

OSSEC HIDS agent_control. Available active responses:

   Response name: host-deny600, command: host-deny.sh
   Response name: host-deny600, command: host-deny.sh
   Response name: firewall-drop600, command: firewall-drop.sh
   Response name: win_nullroute600, command: route-null.cmd

# /var/ossec/bin/agent_control -u 200 -b 1.2.3.4 -f firewall-drop600

OSSEC HIDS agent_control: Running active response 'firewall-drop600' on: 200

The second command will block the IP 1.2.3.4 on agent 200 using
firewall-drop600...


Hope it helps.

--
Daniel B. Cid
dcid ( at ) ossec.net
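An added example, not OSSEC's stock host-deny.sh: a minimal active-response script written in the convention the stock scripts use (assumed from them: positional arguments action, user, source IP, alert id, rule id; one line appended to ../logs/active-responses.log per call). It shows why active-responses.log on the agent is the first place to look, and what the add/delete (timeout) pair does to hosts.deny.

```shell
#!/bin/sh
# Added example, not OSSEC's stock host-deny.sh. OSSEC launches active-response
# scripts from /var/ossec/active-response/bin with these positional arguments
# (assumed from the stock scripts):
#   $1 action (add|delete)  $2 user  $3 source IP  $4 alert id  $5 rule id
# and the stock scripts append one line per call to ../logs/active-responses.log,
# which is why that file is the first thing to check. Paths are overridable so
# the logic can be exercised on scratch files instead of the live system.
AR_LOG="${AR_LOG:-/var/ossec/logs/active-responses.log}"
HOSTS_DENY="${HOSTS_DENY:-/etc/hosts.deny}"

# Accept only a dotted IPv4 address: the srcip field is extracted from an
# untrusted log line and must never reach hosts.deny as an arbitrary string.
valid_ip() {
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$'
}

# ar_run ACTION USER IP ALERT_ID RULE_ID   (same order OSSEC passes them)
ar_run() {
    action="$1"; ip="$3"
    # Record every invocation before doing anything else.
    echo "$(date) $0 $1 $2 $3 $4 $5" >> "$AR_LOG"
    valid_ip "$ip" || { echo "invalid source ip: $ip" >> "$AR_LOG"; return 1; }
    case "$action" in
        add)
            # Idempotent: a repeated alert must not duplicate the entry.
            grep -qxF "ALL: $ip" "$HOSTS_DENY" 2>/dev/null \
                || echo "ALL: $ip" >> "$HOSTS_DENY"
            ;;
        delete)
            # Timeout path: OSSEC calls the script again with "delete" after
            # <timeout> seconds; drop exactly the entry added above.
            tmp="$HOSTS_DENY.tmp.$$"
            grep -vxF "ALL: $ip" "$HOSTS_DENY" > "$tmp" || :   # exits 1 if nothing is left
            mv "$tmp" "$HOSTS_DENY"
            ;;
        *)
            echo "unknown action: $action" >> "$AR_LOG"; return 1
            ;;
    esac
}

# Stand-alone demo on scratch files (constructed input: the vsftpd client
# address from the alert quoted below and a placeholder alert id).
if [ "${AR_DEMO:-}" = "1" ]; then
    AR_LOG=./ar-demo.log; HOSTS_DENY=./hosts.deny.demo; : > "$HOSTS_DENY"
    ar_run add - 221.4.205.132 ALERT_ID_PLACEHOLDER 11451 && cat "$HOSTS_DENY"
fi
```

Run with `AR_DEMO=1 sh script.sh` to see the hosts.deny entry and the matching line land in ./ar-demo.log; on a real agent the equivalent line is what should appear in /var/ossec/logs/active-responses.log.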


On Wed, Mar 4, 2009 at 5:40 AM, cianop <luciano.branc...@feltrinelli.it> wrote:
>
> Thank you for your interest, I already posted all the configuration in
> a previous post, anyway, following there is the last notification
> (brute force on ftp server):
>
> Received From: (maia) 192.168.0.11->/var/log/vsftpd.log
> Rule: 11451 fired (level 10) -> "FTP brute force (multiple failed
> logins)."
> Portion of the log(s):
>
> Tue Mar  3 08:57:45 2009 [pid 7809] [tsinternetusers] FAIL LOGIN:
> Client "221.4.205.132"
> Tue Mar  3 08:57:44 2009 [pid 7809] [tsinternetusers] FAIL LOGIN:
> Client "221.4.205.132"
> Tue Mar  3 08:57:43 2009 [pid 7809] [tsinternetusers] FAIL LOGIN:
> Client "221.4.205.132"
> Tue Mar  3 08:57:42 2009 [pid 7809] [tsinternetusers] FAIL LOGIN:
> Client "221.4.205.132"
> Tue Mar  3 08:57:41 2009 [pid 7809] [tsinternetusers] FAIL LOGIN:
> Client "221.4.205.132"
> Tue Mar  3 08:57:40 2009 [pid 7809] [tsinternetusers] FAIL LOGIN:
> Client "221.4.205.132"
> Tue Mar  3 08:57:39 2009 [pid 7809] [tsinternetusers] FAIL LOGIN:
> Client "221.4.205.132"
>
> I got email alert without problem also for level 12. I have
> checked for log file but there isn't (active-responses.log). In
> alerts.log I found the same email alert. I have 1
> ossec server and 4 agents, the alert came from an agent.
> Here is the active-response part of ossec.conf:
>
>  <command>
>    <name>host-deny</name>
>    <executable>host-deny.sh</executable>
>    <expect>srcip</expect>
>    <timeout_allowed>yes</timeout_allowed>
>  </command>
>
>  <!-- Active Response Config -->
>  <active-response>
>    <!-- This response is going to execute the host-deny
>       - command for every event that fires a rule with
>       - level (severity) >= 6.
>       - The IP is going to be blocked for  600 seconds.
>      -->
>    <command>host-deny</command>
>    <location>local</location>
>    <level>6</level>
>    <timeout>600</timeout>
>  </active-response>
>
> I disabled the firewall drop adding the relative tag
>
>  <active-response>
>    <!-- Firewall Drop response. Block the IP for
>       - 600 seconds on the firewall (iptables,
>       - ipfilter, etc).
>      -->
>    <disabled>yes</disabled>
>    <command>firewall-drop</command>
>    <location>local</location>
>    <level>6</level>
>    <timeout>600</timeout>
>  </active-response>
>
> Here are the directory permissions on agent and server:
>
> dr-xr-x---  3 root  ossec 4096 Feb 10 14:58 active-response
> dr-xr-x---  2 root  ossec 4096 Feb 10 14:58 bin
> dr-xr-x---  3 root  ossec 4096 Feb 18 12:35 etc
> drwxr-x---  2 ossec ossec 4096 Mar  4 09:24 logs
> dr-xr-x---  6 root  ossec 4096 Feb 10 14:58 queue
> dr-xr-x---  3 root  ossec 4096 Feb 18 12:35 var
>
> /var/ossec/active-response# ls -l
> total 4
> dr-xr-x---  2 root ossec 4096 Mar  2 11:25 bin
>
> /var/ossec/active-response/bin# ls -l
> total 32
> -rwxr-xr-x  1 root ossec 1711 Jan  6  2007 disable-account.sh
> -rwxr-xr-x  1 root ossec 3705 Jan  6  2007 firewall-drop.sh
> -rwxr-xr-x  1 root ossec 3018 Jun 11  2008 host-deny.sh
> -rwxr-xr-x  1 root ossec 1385 Jan  6  2007 ipfw.sh
> -rwxr-xr-x  1 root ossec 1617 Jan  6  2007 ipfw_mac.sh
> -rwxr-xr-x  1 root ossec 1849 Jun  6  2008 pf.sh
> -rwxr-xr-x  1 root ossec 2542 Feb 18 17:08 pix-blacklist.sh
> -rwxr-xr-x  1 root ossec 1182 May 24  2008 route-null.sh
>
> I also raised the debug level to 2 in server
>
> # Analysisd (server or local)
> analysisd.debug=2
>
> # Unix agentd
> agent.debug=2
>
> to have more info but nothing more in alert logs.
>
> I also added my own active response based on rule id rather than
> severity level but it doesn't work.
>
>  <command>
>    <name>pix-blacklist</name>
>    <executable>pix-blacklist.sh</executable>
>    <expect>srcip</expect>
>    <timeout_allowed>no</timeout_allowed>
>  </command>
>
>  <active-response>
>    <!-- This response is going to execute the pix-blacklist
>       - command for every event that fires a rule with
>       - level (severity) >= 6.
>       - The IP is going to be logged for Pix Blacklist.
>      -->
>    <command>pix-blacklist</command>
>    <location>local</location>
>    <rules_id>31151,30114,31163,31106</rules_id>
>  </active-response>
>
> Last, the ossec server is an ubuntu breezy server, the agent that
> raises the alert is a debian 3.1 server and both run ossec 1.6.1
>
> I hope this info can be helpful.
>
> Thank you
>
> Luciano
>
>
> On 3 Mar, 15:55, Damon Getsman <dgets...@amirehab.net> wrote:
>> I would suggest posting the version of OSSEC that you're using, the rule
>> that is specifically being fired @ level 10 (I believe there is more than
>> one type of ssh brute force attack if I remember correctly), and then the
>> <active-response> portion of your ossec.conf file.  Snippets of the log
>> itself may help, too.
>>
>> I know that you specified that you're using the 'defaults', but if you tag
>> these pieces of information along in your messages it'll make things easier
>> for someone that may know the answer off the top of their head to post a
>> response to you.  I'm pretty sure most of the people on this mailing list
>> don't have the time to sit and research various responses to questions like
>> this most of the time; nobody gets paid to respond to the mailing list.  :)
>>
>> HTH.
>> ----------
>> Damon Getsman
>> -=-=-=-
>> ITRx http://www.itrx-nd.com/
>> Programmer/IT Customer Relations/Sys Admin
>> -=-=-=-
>>
>> On Tue, Mar 3, 2009 at 2:23 AM, cianop <luciano.branc...@feltrinelli.it> wrote:
>>
>>
>>
>> > Hey, someone can help me please, I have a lot of brute force attack
>> > notificated by OSSEC, and if the active-response doesn't work before
>> > or after they go inside. Anyone at Ossec can help me?
>>
>> [snip]
>> On 19 Feb, 16:18, cianop <luciano.branc...@feltrinelli.it> wrote:
>> > Hi, I had an OSSEC notification that says that a rule with level 10 was
>> > fired but I didn't see any active-response action. I mean no
>> > modification of hosts.* no logs in active-response dir or logs dir.
>> > I have the default rules installed and the two default commands and
>> > related active-response (host-deny
>> > and firewall-drop) with the firewall-drop disabled. There is also no
>> > error in ossec.log
>>
>> [snip]
>