Does the source IP even show when that rule is tripped?

On Wed, Oct 27, 2010 at 11:30 AM, Steven Stern <
subscribed-li...@sterndata.com> wrote:

> Thanks.  I've changed it and will await the next attack.
>
> On Wed, Oct 27, 2010 at 1:15 PM, jplee3 <jpl...@gmail.com> wrote:
> > Your <command> section looks OK. There may be issues with the
> > <active-response> portion however. Try this:
> >
> > <active-response>
> >  <disabled>no</disabled>
> >  <command>firewall-drop</command>
> >  <location>local</location>
> >  <rules_id>31151</rules_id>
> >  <level>8</level> (I don't think you even need this flag if you
> > *only* want to trigger on the rule id 31151)
> > </active-response>
> >
> >
> > Let us know if that works. I think it might be the "disabled" flag
> > that was keeping it back.
> >
> >
> > On Oct 27, 10:44 am, Steven Stern <subscribed-li...@sterndata.com>
> > wrote:
> >> In /var/ossec/etc/ossec.conf, I have
> >>
> >> <command>
> >>   <name>firewall-drop</name>
> >>   <executable>firewall-drop.sh</executable>
> >>   <expect>srcip</expect>
> >>   <timeout_allowed>yes</timeout_allowed>
> >> </command>
> >>
> >> <active-response>
> >>   <command>firewall-drop</command>
> >>   <location>local</location>
> >>   <rules_id>31151</rules_id>
> >>   <level>8</level>
> >> </active-response>
> >>
> >> My logs show multiple 31151 alerts. For example:
> >> ossec-alerts-23.log:Rule: 31151 (level 10) -> 'Mutiple web server 400
> >> error codes from same source ip.'
> >> ossec-alerts-25.log:Rule: 31151 (level 10) -> 'Mutiple web server 400
> >> error codes from same source ip.'
> >>
> >> As far as I can tell, the active response has never been triggered.
> >> There's no active-response log in /var/ossec/logs and no logging of
> >> firewall changes.
> >>
> >> What am I missing?
> >
>
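To make the thread's question concrete, here is an added example (not code from the list posters and not OSSEC's own source): a small Python model of how analysisd decides whether an <active-response> block fires for an entry in alerts.log, as I understand the OSSEC rules: every filter present in the block must match, <level> is a minimum rather than an exact value (so level 8 does match a level 10 alert), and a command declared with <expect>srcip</expect> is skipped when the alert carries no Src IP field, which is the point the top reply is asking about. The alerts.log entries are constructed, the alert ids are made up, and the argument order passed to firewall-drop.sh (action, user, IP, alert id, rule id) is an assumption to check against the script in your own /var/ossec/active-response/bin.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class Command:
    """Mirror of an ossec.conf <command> block."""
    name: str
    executable: str
    expect: str = ""                  # "srcip", "user" or "" (from <expect>)


@dataclass
class ActiveResponse:
    """Mirror of an ossec.conf <active-response> block."""
    command: str
    location: str = "local"
    rules_id: List[int] = field(default_factory=list)
    level: Optional[int] = None       # minimum alert level, not an exact match
    disabled: bool = False


@dataclass
class Alert:
    alert_id: str
    rule_id: int
    level: int
    description: str
    srcip: Optional[str] = None


HEADER_RE = re.compile(r"\*\* Alert (\S+):")
RULE_RE = re.compile(r"Rule: (\d+) \(level (\d+)\) -> '([^']*)'")
SRCIP_RE = re.compile(r"(?m)^Src IP: (\S+)")


def parse_alert(block: str) -> Alert:
    """Parse one alerts.log entry: the '** Alert' header, the Rule: line and an optional Src IP: line."""
    hdr = HEADER_RE.search(block)
    rule = RULE_RE.search(block)
    if not hdr or not rule:
        raise ValueError("not an alerts.log entry")
    ip = SRCIP_RE.search(block)
    return Alert(hdr.group(1), int(rule.group(1)), int(rule.group(2)),
                 rule.group(3), ip.group(1) if ip else None)


def decide(ar: ActiveResponse, cmd: Command, alert: Alert) -> Tuple[bool, str]:
    """Return (fires, reason); reason is the would-be command line when it fires."""
    if ar.disabled:
        return False, "active-response is disabled"
    if ar.rules_id and alert.rule_id not in ar.rules_id:
        return False, f"rule {alert.rule_id} not in rules_id {ar.rules_id}"
    if ar.level is not None and alert.level < ar.level:
        return False, f"alert level {alert.level} below minimum {ar.level}"
    if cmd.expect == "srcip" and alert.srcip is None:
        return False, "command expects srcip but alert has no Src IP field"
    # Assumed argument order of firewall-drop.sh: action user ip alert_id rule_id
    argv = [cmd.executable, "add", "-", alert.srcip or "-", alert.alert_id, str(alert.rule_id)]
    return True, " ".join(argv)


def evaluate_log(text: str, ar: ActiveResponse, cmd: Command):
    """Split an alerts.log dump into entries and run the decision on each."""
    results = []
    for block in re.split(r"(?m)^(?=\*\* Alert )", text):
        if not block.strip():
            continue
        alert = parse_alert(block)
        fires, why = decide(ar, cmd, alert)
        results.append((alert.alert_id, fires, why))
    return results


# The configuration from the thread.
CMD = Command(name="firewall-drop", executable="firewall-drop.sh", expect="srcip")
AR = ActiveResponse(command="firewall-drop", location="local", rules_id=[31151], level=8)

# Constructed alerts.log entries: one 31151 with a source IP, one unrelated
# rule, and one 31151 whose decoder produced no Src IP field.
SAMPLE_ALERTS = """\
** Alert 1288176000.1001: - web,accesslog,
2010 Oct 27 10:40:00 webhost->/var/log/httpd/access_log
Rule: 31151 (level 10) -> 'Mutiple web server 400 error codes from same source ip.'
Src IP: 198.51.100.7

** Alert 1288176060.1042: - web,accesslog,
2010 Oct 27 10:41:00 webhost->/var/log/httpd/access_log
Rule: 31101 (level 5) -> 'Web server 400 error code.'
Src IP: 198.51.100.7

** Alert 1288176120.1077: - web,accesslog,
2010 Oct 27 10:42:00 webhost->/var/log/httpd/access_log
Rule: 31151 (level 10) -> 'Mutiple web server 400 error codes from same source ip.'
"""

if __name__ == "__main__":
    for alert_id, fires, why in evaluate_log(SAMPLE_ALERTS, AR, CMD):
        print(alert_id, "FIRES" if fires else "skip ", why)
```

Run it against a copy of your own alerts.log (or the block you pasted above) to see which entries would reach execd and why the others are dropped; if every 31151 entry lands in the "no Src IP field" branch, the decoder rather than the <active-response> block is what needs attention.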