On Mon, Oct 18, 2010 at 4:35 AM, tux3132 <tux3...@gmail.com> wrote:
> Hi
>
> All processes are running.
>
> ossec.log on server and agent are correct.
>
> I try the debug mode and the modified rules_group this evening, I'll
> give you the result tomorrow.
>
> Anticipated thanks.
>
> Best regards.
>

I've switched my AR over to the rules_group setup. So hopefully I'll be
able to test it later.

> On 17 oct, 20:34, "dan (ddp)" <ddp...@gmail.com> wrote:
>> On Sun, Oct 17, 2010 at 1:19 PM, tux3132 <tux3...@gmail.com> wrote:
>> > Hi
>>
>> > I have the following configuration for active response, configured as
>> > follows:
>>
>> > <command>
>> >   <name>firewall_drop</name>
>> >   <executable>firewall-drop.sh</executable>
>> >   <expect>srcip</expect>
>> >   <timeout_allowed>yes</timeout_allowed>
>> > </command>
>>
>> > <active-response>
>> >   <command>firewall_drop</command>
>> >   <location>local</location>
>> >   <rules_group>spam,multiple_spam,invalid_login,authentication_failed,authentication_failures</rules_group>
>> >   <timeout>14400</timeout>
>> > </active-response>
>>
>> > One agent is on a Zimbra mail server and the other on a gateway
>> > accepting authenticated ssh connections with certificate. I hoped to
>> > block ssh brute force attacks, smtp relay ... (obviously I have fed the
>> > white list).
>>
>> > When I have the alert (to test I can run a connection from the outside
>> > on port 25 to my mail server public IP address)
>>
>> > ** Alert 1287333792.1772757: - syslog,postfix,spam,
>> > 2010 Oct 17 18:43:12 (sx-mail) any->/var/log/mail.info
>> > Rule: 3302 (level 6) -> 'Rejected by access list (Requested action not taken).'
>> > Src IP: 85.68.23.2
>> > User: (none)
>>
>> > No active response ???
>>
>> > in postfix_rules.xml I have all the same :
>> > <group name="syslog,postfix,">
>> >   <rule id="3300" level="0">
>> >   ...
>> >   <rule id="3302" level="6">
>> >     <if_sid>3300</if_sid>
>> >     <group>spam,</group>
>> >   ...
>>
>> > Same thing with this alert when I try an ssh connection from the
>> > outside to my gateway :
>>
>> > ** Alert 1287333426.1763013: - syslog,sshd,invalid_login,authentication_failed,
>> > 2010 Oct 17 18:37:06 (sx-gateway) 192.168.2.199->/var/log/auth.log
>> > Rule: 5710 (level 5) -> 'Attempt to login using a non-existent user'
>> > Src IP: 212.234.8.12
>> > User: (none)
>>
>> > with in sshd_rules.xml
>> > <group name="syslog,sshd,">
>> >   <rule id="5700" level="0" noalert="1">
>> >   ...
>> >   <rule id="5710" level="5">
>> >     <if_sid>5700</if_sid>
>> >     <group>invalid_login,authentication_failed,</group>
>> >   ...
>>
>> > I modified my ossec.conf: I removed <rules_group> and put
>> > <rules_id>3302,5710</rules_id> and it's working !!!
>>
>> > Where is my misconfiguration ?
>>
>> > Anticipated thanks to everybody.
>>
>> > Best regards.
>>
>> Have you tried just 1 <rules_group> instead of the comma separated
>> list? Is ossec-execd running? Anything in ossec.log on the agent or
>> manager that might help track this down? Also try running execd and
>> agentd in debug mode on the agent you're trying to set off the AR on.
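The open question in the thread is whether rules 3302 and 5710 fall under the configured <rules_group> list, given that the alerts carry the inherited group strings "syslog,postfix,spam," and "syslog,sshd,invalid_login,authentication_failed,". The script below is an added example, not OSSEC's own code and not from either poster: it reconstructs the two rule fragments quoted above (the elided rule bodies are left out, only ids, groups and descriptions are kept), computes each rule's effective group string the way the alerts show it (enclosing group name plus the rule's own <group>), and then checks both <active-response> variants from the thread against those rules under two readings of <rules_group>. The "set" reading treats each comma-separated entry as a group name; the "literal" reading treats the whole value as one pattern that must appear in the rule's group string, which is the reading dan's "just 1 rules_group" question hints at. Which reading a given OSSEC version implements is an assumption the thread does not settle; the point of the checker is to make the two outcomes visible before deploying an AR that blocks source IPs.

```python
"""Dry-run an OSSEC <active-response> selection against rule group strings.

Added example for the thread above; not OSSEC code. The rule XML is a
constructed sample reconstructed from the quoted fragments, and the two
matching readings are assumptions, not a description of any OSSEC release.
"""
import xml.etree.ElementTree as ET

# Constructed sample: the postfix and sshd fragments quoted in the thread,
# wrapped in one root element so the multi-<group> file layout parses.
RULES_XML = """<root>
<group name="syslog,postfix,">
  <rule id="3300" level="0">
    <description>Grouping of the postfix rules.</description>
  </rule>
  <rule id="3302" level="6">
    <if_sid>3300</if_sid>
    <group>spam,</group>
    <description>Rejected by access list (Requested action not taken).</description>
  </rule>
</group>
<group name="syslog,sshd,">
  <rule id="5700" level="0" noalert="1">
    <description>SSHD messages grouped.</description>
  </rule>
  <rule id="5710" level="5">
    <if_sid>5700</if_sid>
    <group>invalid_login,authentication_failed,</group>
    <description>Attempt to login using a non-existent user</description>
  </rule>
</group>
</root>"""

# Constructed sample: the two AR variants the original poster tried.
AR_CONFIG_XML = """<ossec_config>
  <active-response>
    <command>firewall_drop</command>
    <location>local</location>
    <rules_group>spam,multiple_spam,invalid_login,authentication_failed,authentication_failures</rules_group>
    <timeout>14400</timeout>
  </active-response>
  <active-response>
    <command>firewall_drop</command>
    <location>local</location>
    <rules_id>3302,5710</rules_id>
    <timeout>14400</timeout>
  </active-response>
</ossec_config>"""


def split_groups(value):
    """Turn a comma-terminated OSSEC group string into a set of names."""
    return {g.strip() for g in (value or "").split(",") if g.strip()}


def effective_groups(rules_xml):
    """Map rule id -> (full group string, set of names).

    A rule inherits the enclosing <group name="..."> and appends its own
    <group> text, which is why the alert for 3302 reads "syslog,postfix,spam,".
    """
    out = {}
    root = ET.fromstring(rules_xml)
    for grp in root.findall("group"):          # top-level wrappers only
        inherited = grp.get("name", "")
        for rule in grp.findall("rule"):
            own = "".join(g.text or "" for g in rule.findall("group"))
            full = inherited + own
            out[rule.get("id")] = (full, split_groups(full))
    return out


def parse_active_responses(config_xml):
    """Extract the selection keys of every <active-response> block."""
    root = ET.fromstring(config_xml)
    return [{"command": ar.findtext("command"),
             "rules_group": ar.findtext("rules_group"),
             "rules_id": ar.findtext("rules_id")}
            for ar in root.findall("active-response")]


def selected_rules(ar, rules, reading="set"):
    """Sorted ids of rules this AR block would fire on.

    Assumption: a rule is selected if its id is in <rules_id> or its groups
    satisfy <rules_group> under the chosen reading ("set" or "literal").
    """
    hits = set()
    ids = split_groups(ar.get("rules_id"))
    wanted = ar.get("rules_group")
    for rid, (full, names) in rules.items():
        if rid in ids:
            hits.add(rid)
        elif wanted and reading == "set" and names & split_groups(wanted):
            hits.add(rid)
        elif wanted and reading == "literal" and wanted in full:
            hits.add(rid)
    return sorted(hits)


if __name__ == "__main__":
    rules = effective_groups(RULES_XML)
    for rid, (full, _) in rules.items():
        print(f"rule {rid}: groups={full}")
    for ar in parse_active_responses(AR_CONFIG_XML):
        key = "rules_id" if ar["rules_id"] else "rules_group"
        for reading in ("set", "literal"):
            print(f"{key}={ar[key]!r} [{reading}] -> {selected_rules(ar, rules, reading)}")
```

Run as-is, the <rules_id> block selects 3302 and 5710 under both readings, while the comma-separated <rules_group> block selects both only under the "set" reading and nothing under the "literal" one, which reproduces the symptom in the thread. To use it on a real deployment, paste the relevant <group> blocks from the rules files and the <active-response> blocks from ossec.conf into the two sample strings.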