This is really a pity. Are we the only ones? I think there are a lot of server/agent installations with active responses. What could be the reason? OS is openSUSE 10.3 64-bit except one agent which is openSUSE 10.2 32-bit. OSSEC version 2.0.

If there is no solution, I think I'm forced to go back to a local (non server/agent) installation on each server.

Mathias

On Apr 22, 9:21 am, cianop <luciano.branc...@feltrinelli.it> wrote:
> I tried all the options, all, server, local, but it doesn't work.
>
> L
>
> On 21 Apr, 19:09, "Larry Rider Bou" <lri...@activaicon.com> wrote:
>
> > Hello,
> >
> > As I said previously on this thread, try the following change
> > because it worked for me.
> >
> > Change in your ossec configuration file the following line:
> >
> > <location>local</location>
> >
> > With:
> >
> > <location>all</location>
> >
> > And tell us if it works.
> >
> > Regards,
> > Larry A. Rider
> >
> > -----Original message-----
> > From: ossec-list@googlegroups.com [mailto:ossec-l...@googlegroups.com] On Behalf Of cianop
> > Sent: Tuesday, April 21, 2009 14:26
> > To: ossec-list
> > Subject: [ossec-list] Re: active-response doesn't work
> >
> > I'm sorry but I have no idea, I tried all that you have tried, but it
> > didn't work. Maybe it could be an operating system problem or linked to
> > the C library or C compiler. But this is out of my knowledge, and
> > it should be the OSSEC team to answer, if they want... or better if we
> > pay... It would be very nice to know which version of Linux kernel,
> > gcc, libstdc... are better and work.
> >
> > Luciano
> >
> > On 16 Apr, 13:59, mathias1104 <mathias.s...@googlemail.com> wrote:
> >
> > > Hi,
> > > I've a problem that looks similar.
> > > One server, 4 agents.
> > > Everything works fine, only active responses don't work.
> > > Also if I try
> > > agent_control -u 004 -b 1.2.3.4 -f host-deny600
> > > it works, but if I simulate a brute force attack on the same agent, I
> > > receive a message with level 10 - so far, so good, but the active response
> > > doesn't work.
> > > So the communication between agent and server seems ok, but the server
> > > doesn't initiate the active response.
> > > Any idea what's wrong?
> > >
> > > <command>
> > >   <name>host-deny</name>
> > >   <executable>host-deny.sh</executable>
> > >   <expect>srcip</expect>
> > >   <timeout_allowed>yes</timeout_allowed>
> > > </command>
> > >
> > > <active-response>
> > >   <disabled>no</disabled>
> > >   <!-- This response is going to execute the host-deny
> > >      - command for every event that fires a rule with
> > >      - level (severity) >= 6.
> > >      - The IP is going to be blocked for 600 seconds.
> > >   -->
> > >   <command>host-deny</command>
> > >   <location>local</location>
> > >   <level>6</level>
> > >   <timeout>600</timeout>
> > > </active-response>
> > >
> > > On Mar 31, 4:09 pm, "Larry Rider Bou" <lri...@activaicon.com> wrote:
> > >
> > > > Hello,
> > > >
> > > > I posted a bug that was not solved with the same problem.
> > > >
> > > > If instead of:
> > > >
> > > > > <active-response>
> > > > >   <!-- This response is going to execute the host-deny
> > > > >      - command for every event that fires a rule with
> > > > >      - level (severity) >= 6.
> > > > >      - The IP is going to be blocked for 600 seconds.
> > > > >   -->
> > > > >   <command>host-deny</command>
> > > > >   <location>local</location> --> Does not work.
> > > > >   <level>6</level>
> > > > >   <timeout>600</timeout>
> > > > > </active-response>
> > > >
> > > > You write (change local for all): it will work. (It does for
> > > > me)
> > > >
> > > > > <active-response>
> > > > >   <!-- This response is going to execute the host-deny
> > > > >      - command for every event that fires a rule with
> > > > >      - level (severity) >= 6.
> > > > >      - The IP is going to be blocked for 600 seconds.
> > > > >   -->
> > > > >   <command>host-deny</command>
> > > > >   <location>all</location> --> does work
> > > > >   <level>6</level>
> > > > >   <timeout>600</timeout>
> > > > > </active-response>
> > > >
> > > > Regards,
> > > > Larry A. Rider
> > > >
> > > > -----Original message-----
> > > > From: ossec-list@googlegroups.com [mailto:ossec-l...@googlegroups.com] On Behalf Of cianop
> > > > Sent: Tuesday, March 31, 2009 12:25
> > > > To: ossec-list
> > > > Subject: [ossec-list] Re: active-response doesn't work
> > > >
> > > > I also tried to run the same command on the agent 000 (the server) but
> > > > it doesn't work: no line added to hosts.deny, no active-response.log
> > > >
> > > > Luciano
> > > >
> > > > On 25 Mar, 15:31, Daniel Cid <daniel....@gmail.com> wrote:
> > > >
> > > > > Hi,
> > > > >
> > > > > Did you check for the file /var/ossec/logs/active-responses.log on the
> > > > > agent? You configured
> > > > > the response to run on the agent side, not on the manager. Also, it
> > > > > will timeout and remove
> > > > > the block after 10 minutes (for the first entry, not yours)....
> > > > >
> > > > > A good way to test is to run the command agent_control:
> > > > >
> > > > > # /var/ossec/bin/agent_control -L
> > > > >
> > > > > OSSEC HIDS agent_control. Available active responses:
> > > > >
> > > > > Response name: host-deny600, command: host-deny.sh
> > > > > Response name: host-deny600, command: host-deny.sh
> > > > > Response name: firewall-drop600, command: firewall-drop.sh
> > > > > Response name: win_nullroute600, command: route-null.cmd
> > > > >
> > > > > # /var/ossec/bin/agent_control -u 200 -b 1.2.3.4 -f firewall-drop600
> > > > >
> > > > > OSSEC HIDS agent_control: Running active response 'firewall-drop600'
> > > > > on: 200
> > > > >
> > > > > The second command will block the ip 1.2.3.4 on the agent 200 using
> > > > > firewall-drop600...
> > > > >
> > > > > Hope it helps.
> > > > >
> > > > > --
> > > > > Daniel B. Cid
> > > > > dcid ( at ) ossec.net
> > > > >
> > > > > On Wed, Mar 4, 2009 at 5:40 AM, cianop
> > > > > <luciano.branc...@feltrinelli.it> wrote:
> > > > >
> > > > > > Thank you for your interest, I already posted all the configuration
> > > > > > in
> > > > > > a previous post, anyway, following there is the last notification
> > > > > > (brute force on ftp server):
> > > > > >
> > > > > > Received From: (maia) 192.168.0.11->/var/log/vsftpd.log
> > > > > > Rule: 11451 fired (level 10) -> "FTP brute force (multiple failed
> > > > > > logins)."
> > > > > > Portion of the log(s):
> > > > > >
> > > > > > Tue Mar 3 08:57:45 2009 [pid 7809] [tsinternetusers] FAIL LOGIN:
> > > > > > Client "221.4.205.132"
> > > > > > Tue Mar 3 08:57:44 2009 [pid 7809] [tsinternetusers] FAIL LOGIN:
> > > > > > Client "221.4.205.132"
> > > > > > Tue Mar 3 08:57:43 2009 [pid 7809] [tsinternetusers] FAIL LOGIN:
> > > > > > Client "221.4.205.132"
> > > > > > Tue Mar 3 08:57:42 2009 [pid 7809] [tsinternetusers] FAIL LOGIN:
> > > > > > Client "221.4.205.132"
> > > > > > Tue Mar 3 08:57:41 2009 [pid 7809] [tsinternetusers] FAIL LOGIN:
> > > > > > Client "221.4.205.132"
> > > > > > Tue Mar 3 08:57:40 2009 [pid 7809] [tsinternetusers] FAIL LOGIN:
> > > > > > Client "221.4.205.132"
> > > > > > Tue Mar 3 08:57:39 2009 [pid 7809] [tsinternetusers] FAIL LOGIN:
> > > > > > Client "221.4.205.132"
> > > > > >
> > > > > > I got the email alert without problem also for level 12. I have
> > > > > > checked for the log file but there isn't one (active-responses.log).
> > > > > > In alerts.log I found the same email alert. I have
> > > > > > 1
> > > > > > ossec server and 4 agents, the alert came from an agent.
> > > > > > Here the active-response part of ossec.conf:
> > > > > >
> > > > > > <command>
> > > > > >   <name>host-deny</name>
> > > > > >   <executable>host-deny.sh</executable>
> > > > > >   <expect>srcip</expect>
> > > > > >   <timeout_allowed>yes</timeout_allowed>
> > > > > > </command>
> > > > > >
> > > > > > <!-- Active Response Config -->
> > > > > > <active-response>
> > > > > >   <!-- This response is going to execute the host-deny
> > > > > >      - command for every event that fires a rule with
> > > > > >      - level (severity) >= 6.
> > > > > >      - The IP is going to be blocked for 600 seconds.
> > > > > >   -->
> > > > > >   <command>host-deny</command>
> > > > > >   <location>local</location>
> > > > > >   <level>6</level>
> > > > > >   <timeout>600</timeout>
> > > > > > </active-response>
> > > > > >
> > > > > > I disabled the firewall drop by adding the relative tag
> > > > > >
> > > > > > <active-response>
> > > > > >   <!-- Firewall Drop response. Block the IP for
> > > > > >      - 600 seconds on the firewall (iptables,
> > > > > >      - ipfilter, etc).
> > > > > >   -->
> > > > > >   <disabled>yes</disabled>
> > > > > >   <command>firewall-drop</command>
> > > > > >   <location>local</location>
> > > > > >   <level>6</level>
> > > > > >   <timeout>600</timeout>
> > > > > > </active-response>
> > > > > >
> > > > > > here the directory permissions on agent and server:
> > > > > >
> > > > > > dr-xr-x--- 3 root ossec 4096 Feb 10 14:58 active-response
> > > > > > dr-xr-x--- 2 root ossec 4096 Feb 10 14:58 bin
> > > > > > dr-xr-x--- 3 root ossec 4096 Feb 18 12:35 etc
> > > > > > drwxr-x--- 2 ossec ossec 4096 Mar 4 09:24 logs
> > > > > > dr-xr-x--- 6 root ossec 4096 Feb 10 14:58 queue
> > > > > > dr-xr-x--- 3 root ossec 4096 Feb 18 12:35 var
> > > > > >
> > > > > > /var/ossec/active-response# ls -l
> > > > > > total 4
> > > > > > dr-xr-x--- 2 root ossec 4096 Mar 2 11:25 bin
> > > > > >
> > > > > > /var/ossec/active-response/bin# ls -l
> > > > > > total 32
> > > > > > -rwxr-xr-x 1 root ossec 1711 Jan 6 2007 disable-account.sh
> > > > > > -rwxr-xr-x 1 root ossec 3705 Jan 6 2007 firewall-drop.sh
> > > > > > -rwxr-xr-x 1 root ossec 3018 Jun 11 2008 host-deny.sh
> > > > > > -rwxr-xr-x 1 root ossec 1385 Jan 6 2007 ipfw.sh
> > > > > > -rwxr-xr-x 1 root ossec 1617 Jan 6 2007 ipfw_mac.sh
> > > > > > -rwxr-xr-x 1 root ossec 1849 Jun 6 2008 pf.sh
> > > > > > -rwxr-xr-x 1 root ossec 2542 Feb 18 17:08 pix-blacklist.sh
> > > > > > -rwxr-xr-x 1 root ossec 1182 May 24 2008 route-null.sh
> > > > > >
> > > > > > I also raised the debug level to 2 in the server
> > > > > >
> > > > > > # Analysisd (server or local)
> > > > > > analysisd.debug=2
> > > > > >
> > > > > > # Unix agentd
> > > > > > agent.debug=2
> > > > > >
> > > > > > to have more info but nothing more in the alert logs.
> > > > > >
> > > > > > I also added my own active response based on rule id rather than
> > > > > > severity level but it doesn't work.
> > > > > >
> > > > > > <command>
> > > > > >   <name>pix-blacklist</name>
> > > > > >   <executable>pix-blacklist.sh</executable>
> > > > > >   <expect>srcip</expect>
> > > > > >   <timeout_allowed>no</timeout_allowed>
> > ...
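Added example, not part of this thread and not OSSEC's own code: a small Python model of how the <active-response> entries quoted above are matched against an alert (the <level> threshold, <disabled>, the field named in <expect>, and where <location> sends the script), so a config can be sanity-checked offline before chasing the problem on the hosts. It assumes a simplified version of the matching rules rather than OSSEC's real dispatch logic, and the config fragment and alert values are constructed from the ones posted in the thread.

```python
# Added example (not the thread's or OSSEC's own code): a simplified model of
# how <active-response> entries match an alert, using only the fields in the
# posted config (command, location, level, timeout, disabled, expect).
import xml.etree.ElementTree as ET

# Constructed fragment: the two blocks posted in the thread, one enabled and one
# disabled; ossec.conf has several top-level elements, so a dummy root is added.
OSSEC_CONF = """<root>
<command><name>host-deny</name><executable>host-deny.sh</executable>
  <expect>srcip</expect><timeout_allowed>yes</timeout_allowed></command>
<command><name>firewall-drop</name><executable>firewall-drop.sh</executable>
  <expect>srcip</expect><timeout_allowed>yes</timeout_allowed></command>
<active-response><command>host-deny</command><location>local</location>
  <level>6</level><timeout>600</timeout></active-response>
<active-response><disabled>yes</disabled><command>firewall-drop</command>
  <location>local</location><level>6</level><timeout>600</timeout>
</active-response>
</root>"""

def parse_conf(text):
    """Return ({command name: <command> element}, [<active-response> elements])."""
    root = ET.fromstring(text)
    return {c.findtext("name"): c for c in root.findall("command")}, root.findall("active-response")

def plan_responses(conf_text, alert):
    """Return (fired, skipped): fired holds (response name, target) pairs, skipped
    explains each entry that would not run. alert has 'level', 'agent_id' and,
    only when the decoder extracted one, 'srcip'."""
    cmds, entries = parse_conf(conf_text)
    fired, skipped = [], []
    for ar in entries:
        name = ar.findtext("command")
        cmd = cmds.get(name)
        if cmd is None:
            skipped.append(f"{name}: no <command> block with that name"); continue
        if ar.findtext("disabled", "no") == "yes":
            skipped.append(f"{name}: disabled"); continue
        if alert["level"] < int(ar.findtext("level", "0")):
            skipped.append(f"{name}: alert level below {ar.findtext('level')}"); continue
        expect = cmd.findtext("expect", "")
        if expect and expect not in alert:  # e.g. a rule whose log carries no srcip
            skipped.append(f"{name}: alert has no {expect}"); continue
        # local = the agent that reported the event, server = the manager (000),
        # all = every agent; other values are assumed to name a target in <agent_id>.
        loc = ar.findtext("location", "local")
        target = {"local": alert["agent_id"], "server": "000", "all": "all"}.get(
            loc, ar.findtext("agent_id", loc))
        fired.append((name + ar.findtext("timeout", ""), target))  # e.g. host-deny600
    return fired, skipped
```

Running it with the level-10 FTP brute-force alert from agent 004 shows host-deny600 targeted at that agent and firewall-drop listed as disabled; an alert whose rule extracted no srcip is reported as skipped rather than silently dropped.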