Hello Folks,

I am wondering why active response on an OSSEC client which happens to
be an MS Windows 2008 Server is not being triggered. What is
frustrating is that it was working this morning while I was
troubleshooting it.

To start:

(1) The OSSEC server is properly configured:

OSSEC HIDS agent_control. Available active responses:

   Response name: firewall-drop600, command: firewall-drop.sh
   Response name: firewall-drop3600, command: firewall-drop.sh
   Response name: win_nullroute600, command: route-null.cmd
   Response name: win_nullroute3600, command: route-null.cmd

[r...@wiggum alerts]#


(2) The OSSEC server is talking to the OSSEC agent, as shown below:


[r...@wiggum alerts]# agent_control -i 114


OSSEC HIDS agent_control. Agent information:
   Agent ID:   114
   Agent Name: reports.capitalplan.org
   IP address: 100.100.100.100
   Status:     Active

   Operating system:    Microsoft Windows Server 2008 Enterprise Edition (fu..
   Client version:      OSSEC HIDS v2.3 / c9bc807c7443d9ac069afac46a9d2635
   Last keep alive:     Mon Sep 20 15:04:47 2010

   Syscheck last started  at: Mon Sep 20 14:49:54 2010
   Rootcheck last started at: Mon Sep 20 14:50:26 2010


(3) Active response is configured to be triggered from the OSSEC server:

[r...@wiggum alerts]# agent_control -b 100.100.100.100 -f win_nullroute600 -u 114

OSSEC HIDS agent_control: Running active response 'win_nullroute600' on: 114
[r...@wiggum alerts]#

The problem is that active-responses.log has shown no new entry since 12:30 PM EST (add 3 hours to the time that you are reading):

09/20/2010  07:00 "active-response/bin/route-null.cmd" add "-" "2.3.4.5" "(from_the_server) (no_rule_id)"
09/20/2010  07:06 "active-response/bin/route-null.cmd" add "-" "224.224.224.224" "(from_the_server) (no_rule_id)"
09/20/2010  07:08 "active-response/bin/route-null.cmd" add "-" "100.100.100.100" "(from_the_server) (no_rule_id)"
09/20/2010  07:10 "active-response/bin/route-null.cmd" delete "-" "2.3.4.5" "(from_the_server) (no_rule_id)"
09/20/2010  07:18 "active-response/bin/route-null.cmd" delete "-" "224.224.224.224" "(from_the_server) (no_rule_id)"
09/20/2010  07:29 "active-response/bin/route-null.cmd" add "-" "100.100.100.100" "(from_the_server) (no_rule_id)"
09/20/2010  07:41 "active-response/bin/route-null.cmd" add "-" "100.100.100.100" "(from_the_server) (no_rule_id)"
09/20/2010  07:49 "active-response/bin/route-null.cmd" add "-" "100.100.100.100" "(from_the_server) (no_rule_id)"
09/20/2010  07:57 "active-response/bin/route-null.cmd" add "-" "100.100.100.100" "(from_the_server) (no_rule_id)"
09/20/2010  08:49 "active-response/bin/route-null.cmd" add "-" "100.100.100.100" "(from_the_server) (no_rule_id)"
09/20/2010  09:08 "active-response/bin/route-null.cmd" add "-" "100.100.100.100" "(from_the_server) (no_rule_id)" 64.62.138.162(Preferred)
09/20/2010  09:20 "active-response/bin/route-null.cmd" add "-" "100.100.100.100" "(from_the_server) (no_rule_id)" 64.62.138.162(Preferred)


Note that the module responsible for active response on the OSSEC agent is up and operational:

2010/09/20 11:47:15 ossec-execd: INFO: Started (pid: 8568)

If I were to deliberately screw up the syntax of the agent_control command:

OSSEC HIDS agent_control: Running active response 'win_nulroute600' on: 114

I'd get on the OSSEC server:

OSSEC HIDS agent_control: Running active response 'win_nulroute600' on: 114
[r...@wiggum alerts]#

And I'd get on the ossec.log of the OSSEC agent:

9/20 12:25:52 ossec-execd(1311): ERROR: Invalid command name 'win_nulroute600' provided.

(I had to restart OSSEC on the agent to get this feedback line)


However, active-responses.log doesn't get updated with new entries.


For reference, I had to edit the route-null.cmd script on the OSSEC
agent (it's buggy for Windows Server 2008):

:: Simple script to null route an ip address.
@ECHO OFF
ECHO.

:: Logging it all
FOR /F "TOKENS=1* DELIMS= " %%A IN ('DATE/T') DO SET DATE=%%B
FOR /F "TOKENS=1* DELIMS= " %%A IN ('TIME/T') DO SET TIME=%%A

IF "%1"=="add" GOTO ADD
IF "%1"=="delete" GOTO DEL

:ERROR
ECHO "Invalid argument. %1"
GOTO Exit;

:: Adding to the blocked.
:ADD
:: Extracts last ip address from ipconfig.
:: <-- I made the change here
FOR /F "TOKENS=2* DELIMS=:" %%A IN ('IPCONFIG | FIND "IPv4"') DO FOR %%B IN (%%A) DO SET IPADDR=%%B

:: route add %3  mask 255.255.255.255 %IPADDR%
:: <-- I made the change here
route add %3  mask 255.255.255.255 150.150.150.150

ECHO %DATE% %TIME% %0 %1 %2 %3 %4 %5 %6 %7 %8 %9 %IPADDR% >> active-response\active-responses.log
GOTO Exit;

:DEL
route delete %3

:Exit

Question: Why is active response no longer working?


Regards,

Vietnhi Phuvan
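Two things in the post above are easy to check mechanically from the OSSEC server side: whether active-responses.log has gone quiet, and whether the local address that route-null.cmd appends to each entry (the IPADDR value from ipconfig) is a bare IPv4 address or carries the "(Preferred)" suffix seen in the last two log lines, which `route add` would not accept. The following is an added example, not OSSEC code and not the poster's script; it parses log lines in the format shown in the post and mimics the script's ipconfig extraction on a constructed Windows Server 2008 style ipconfig sample. The sample log lines and ipconfig output are constructed for the example.

```python
"""Sanity checks for an OSSEC active-responses.log written by route-null.cmd.

Added example (not OSSEC code). Assumes the entry format shown in the post:
  MM/DD/YYYY  HH:MM "script" add|delete "-" "<ip>" "(from_the_server) (no_rule_id)" [IPADDR]
"""
import re
from datetime import datetime, timedelta

# Constructed sample, mirroring the entries in the post. The last two carry the
# IPADDR value the script appended verbatim from ipconfig.
SAMPLE_LOG = """\
09/20/2010  07:00 "active-response/bin/route-null.cmd" add "-" "2.3.4.5" "(from_the_server) (no_rule_id)"
09/20/2010  07:10 "active-response/bin/route-null.cmd" delete "-" "2.3.4.5" "(from_the_server) (no_rule_id)"
09/20/2010  09:08 "active-response/bin/route-null.cmd" add "-" "100.100.100.100" "(from_the_server) (no_rule_id)" 64.62.138.162(Preferred)
09/20/2010  09:20 "active-response/bin/route-null.cmd" add "-" "100.100.100.100" "(from_the_server) (no_rule_id)" 64.62.138.162(Preferred)
"""

# Constructed ipconfig output in the Windows Server 2008 style that trips up
# the original script: the address line carries an address-state suffix.
SAMPLE_IPCONFIG = """\
Windows IP Configuration

Ethernet adapter Local Area Connection:

   Connection-specific DNS Suffix  . :
   IPv4 Address. . . . . . . . . . . : 64.62.138.162(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 64.62.138.1
"""

IPV4_RE = re.compile(r"^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$")
LINE_RE = re.compile(
    r'^(?P<date>\d{2}/\d{2}/\d{4})\s+(?P<time>\d{2}:\d{2})\s+'
    r'"(?P<script>[^"]+)"\s+(?P<action>add|delete)\s+"(?P<user>[^"]*)"\s+'
    r'"(?P<target>[^"]+)"\s+"(?P<origin>[^"]+)"(?:\s+(?P<ipaddr>\S+))?\s*$'
)


def is_ipv4(token):
    """True only for a dotted quad with every octet in 0..255."""
    m = IPV4_RE.match(token)
    return bool(m) and all(0 <= int(octet) <= 255 for octet in m.groups())


def clean_ipv4(token):
    """Strip a trailing '(Preferred)'-style state suffix; None if no IPv4 remains."""
    base = token.split("(", 1)[0].strip()
    return base if is_ipv4(base) else None


def extract_ipv4_from_ipconfig(text):
    """Mimic the script's FOR /F: last line containing 'IPv4', field after ':'."""
    last = None
    for line in text.splitlines():
        if "IPv4" in line and ":" in line:
            last = line.split(":", 1)[1].strip()
    return clean_ipv4(last) if last else None


def parse_entries(text):
    """Parse log lines into dicts; unparseable lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        entry = m.groupdict()
        entry["when"] = datetime.strptime(
            f"{entry['date']} {entry['time']}", "%m/%d/%Y %H:%M")
        entries.append(entry)
    return entries


def entries_with_bad_ipaddr(entries):
    """Entries whose appended local address is not a bare IPv4 address."""
    return [e for e in entries
            if e["ipaddr"] is not None and not is_ipv4(e["ipaddr"])]


def stalled(entries, now, max_gap):
    """True when no entry has been written within max_gap of 'now'."""
    if not entries:
        return True
    return now - max(e["when"] for e in entries) > max_gap


if __name__ == "__main__":
    found = parse_entries(SAMPLE_LOG)
    print("local address from ipconfig:", extract_ipv4_from_ipconfig(SAMPLE_IPCONFIG))
    for bad in entries_with_bad_ipaddr(found):
        print("bad IPADDR in entry at", bad["when"], "->", bad["ipaddr"])
    print("stalled:", stalled(found, datetime(2010, 9, 20, 15, 4), timedelta(hours=1)))
```

Point the parser at the real active-responses.log and at a captured `ipconfig` output to reproduce the two checks; the "stalled" threshold is a tuning choice, not an OSSEC setting.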
