In the beginning there was no AR log on the agent.  After testing the host.sh
script as root, the log showed up.  I changed the log's owner and group to ossec
with chown and chgrp.

By default there was nothing in the ossec.conf file about AR.

I added this to the agent ossec.conf file while troubleshooting:

<active-response>
    <disabled>no</disabled>
</active-response>

I ran it locally (while "su ossec -s /bin/sh") and it did not return any
errors, though it did not successfully add the entry to the hosts.deny file
either.

Here's the dump again.  The top two packets are the only ones sent by the
client when I attempt an in

11:41:48.820475 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto UDP
(17), length 77)
    CLIENT > SERVER.syslog: SYSLOG, length: 49
        Facility auth (4), Severity info (6)
        Msg: sshd[23402]: Invalid user x from...

11:41:48.822525 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto UDP
(17), length 109)
    CLIENT > SERVER.syslog: SYSLOG, length: 81
        Facility auth (4), Severity info (6)
        Msg: sshd[23402]: Failed none for invalid user x ...



11:42:42.772426 IP (tos 0x0, ttl 64, id 17382, offset 0, flags [DF], proto
UDP (17), length 285)
    ind-dslbd1p.olympus.local.42292 > 10.1.120.225.1514: UDP, length 257
        0x0000:  4500 011d 43e6 4000 4011 c556 ac10 01a1  e.....@.@..V....
        0x0010:  0a01 78e1 a534 05ea 0109 31ae 3a3d f5c6  ..x..4....1.:=..
        0x0020:  5b9f 4023 9549 4437 cc98 445f 597f f237  [...@#.id7..d_y..7
        0x0030:  0741 a3d2 1620 f511 6536 3472 4d79 c035  .A......e64rMy.5
        0x0040:  95ca 9467 59d5 fd6c cc98 52da            ...gY..l..R.
11:44:52.901304 IP (tos 0x0, ttl 64, id 17383, offset 0, flags [DF], proto
UDP (17), length 429)
    ind-dslbd1p.olympus.local.42292 > 10.1.120.225.1514: UDP, length 401
        0x0000:  4500 01ad 43e7 4000 4011 c4c5 ac10 01a1  e.....@.@.......
        0x0010:  0a01 78e1 a534 05ea 0199 323e 3a78 f9ce  ..x..4....2>:x..
        0x0020:  ba2c faba c1d9 53fb 4444 b689 a2b5 63f5  .,....S.DD....c.
        0x0030:  50e5 6d09 d1d0 260b 94c5 ad34 dff9 0b78  P.m...&....4...x
        0x0040:  a294 9f2c 81a7 a5c9 3cf0 246f            ...,....<.$o
11:44:52.902141 IP (tos 0x0, ttl 64, id 17384, offset 0, flags [DF], proto
UDP (17), length 213)
    ind-dslbd1p.olympus.local.42292 > 10.1.120.225.1514: UDP, length 185
        0x0000:  4500 00d5 43e8 4000 4011 c59c ac10 01a1  e.....@.@.......
        0x0010:  0a01 78e1 a534 05ea 00c1 3166 3ace 621c  ..x..4....1f:.b.
        0x0020:  e156 071c 09a1 f466 6ac5 3943 32d0 10b7  .V.....fj.9C2...
        0x0030:  c7ae b4a5 d8c8 6dd4 fe27 6101 03bc 24b0  ......m..'a...$.
        0x0040:  07ca 0d2d 07cf 0a8c ad97 e104            ...-........
11:44:52.903626 IP (tos 0x0, ttl 63, id 0, offset 0, flags [DF], proto UDP
(17), length 101)
    10.1.120.225.1514 > ind-dslbd1p.olympus.local.42292: UDP, length 73
        0x0000:  4500 0065 0000 4000 3f11 0af5 0a01 78e1  e.....@.?.....x.
        0x0010:  ac10 01a1 05ea a534 0051 5873 3aae d28b  .......4.QXs:...
        0x0020:  a4c3 bbfa 3d2d f0cb bb03 c82f 959a cf76  ....=-...../...v
        0x0030:  1877 8172 80d1 3722 467d 71f9 b8e7 7078  .w.r..7"F}q...px
        0x0040:  a037 2b74 9b74 0500 ab4e 25c2            .7+t.t...N%.



On Thu, Nov 4, 2010 at 3:28 PM, Chad Robertson <chadro...@gmail.com> wrote:

> On the server:
>
> ossec.conf
>
>   <active-response>
>     <command>host-deny</command>
>     <location>local</location>
>     <rules_id>100055</rules_id>
>     <timeout>600</timeout>
>   </active-response>
>
> local_rules.xml
>
>   <rule id="100055" level="14">
>     <decoded_as>ssh-invalid_user</decoded_as>
>     <match>none</match>
>     <description>SSHD invalid username detected.</description>
>   </rule>
>
> local_decoder.xml
>
> <decoder name="ssh-invalid_user">
>   <prematch>Failed \S+ for invalid user </prematch>
>   <regex>(\S+) from (\S+) </regex>
>   <order>user, srcip</order>
> </decoder>
>

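The decoder quoted above, replayed over constructed sshd lines, as an added example that is not code from this thread or from OSSEC: it renders the decoder as POSIX ERE so it can be checked offline, it is not OSSEC's own regex engine, and the log lines are made up for the test. It shows which of the two messages the client sends per bad login the prematch actually accepts, and what the regex hands to the rule as user and srcip:

```sh
#!/bin/sh
# Constructed emulation of the ssh-invalid_user decoder quoted above. This is
# not OSSEC's regex engine, just a POSIX ERE rendering of it so the prematch
# and capture behaviour can be checked offline. OSSEC's \S+ becomes
# [^[:space:]]+ ; OSSEC patterns are unanchored, so no ^ is added.
PREMATCH='Failed [^[:space:]]+ for invalid user '

# decode_ssh_invalid_user LOGLINE
#   prints "user=<user> srcip=<ip>" and returns 0 when the decoder fires,
#   1 when the prematch does not hit (decoder not applied at all),
#   2 when the prematch hits but <regex> does not capture user/srcip.
decode_ssh_invalid_user() {
    printf '%s\n' "$1" | grep -Eq "$PREMATCH" || return 1
    # OSSEC runs <regex> on the text that follows the prematch.
    rest=$(printf '%s\n' "$1" | sed -E "s/.*$PREMATCH//")
    out=$(printf '%s\n' "$rest" |
          sed -nE 's/([^[:space:]]+) from ([^[:space:]]+) .*/user=\1 srcip=\2/p')
    [ -n "$out" ] || return 2
    printf '%s\n' "$out"
}

# Constructed sample lines (not taken from the capture in the thread): the two
# messages sshd logs for one bad login, plus a later password failure.
ssh_decoder_demo() {
    for line in \
        'Nov  4 11:41:48 host sshd[23402]: Invalid user x from 192.0.2.10' \
        'Nov  4 11:41:48 host sshd[23402]: Failed none for invalid user x from 192.0.2.10 port 51234 ssh2' \
        'Nov  4 11:41:50 host sshd[23402]: Failed password for invalid user x from 192.0.2.10 port 51234 ssh2'
    do
        out=$(decode_ssh_invalid_user "$line") && rc=0 || rc=$?
        if [ "$rc" -eq 0 ]; then
            printf 'DECODED  %s  <- %s\n' "$out" "$line"
        else
            printf 'SKIPPED (rc=%s)  <- %s\n' "$rc" "$line"
        fi
    done
}

ssh_decoder_demo
```

Of the two syslog lines in the dump, only the "Failed none for invalid user ..." one passes the prematch; "Invalid user x from ..." never reaches the regex, so rule 100055 can only fire on the second message. The srcip capture matters beyond the rule: the stock host-deny command in ossec.conf is defined with <expect>srcip</expect>, so an alert without a decoded srcip will not trigger it at all. On a real install the authoritative check is /var/ossec/bin/ossec-logtest on the server, pasting the same line at its prompt and reading the decoder and rule phases it prints.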

Make sure AR isn't disabled on the agent. Double-check the agent's AR log to
make sure it hasn't fired.

Also, try running the AR command on the agent by hand to make sure it
actually works.
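A way to exercise the host-deny response by hand without touching the real /etc/hosts.deny, as an added example: the script below is a constructed stand-in written for this post, not OSSEC's host-deny.sh, but it keeps the argument convention ossec-execd uses for every AR script (action, user, source IP, optional alert id) and the same end state (an "ALL:<ip>" line added or removed). The ALL: line format and the scratch addresses are assumptions for the demo. One caveat worth keeping in mind when testing as the ossec user: ossec-execd runs response scripts as root, so a test under "su ossec" can fail to write /etc/hosts.deny even when the script and the AR wiring are fine.

```sh
#!/bin/sh
# Constructed stand-in for /var/ossec/active-response/bin/host-deny.sh, written
# for this example (it is not the OSSEC script). It keeps the calling
# convention ossec-execd uses for every AR script,
#     <script> add|delete <user> <srcip> [alert-id ...]
# but writes to $HOSTS_DENY instead of /etc/hosts.deny, so the add/delete
# logic can be exercised on a scratch file as any user.
HOSTS_DENY=${HOSTS_DENY:-/etc/hosts.deny}

# ar_is_denied IP -> 0 when hosts.deny carries an "ALL:IP" line
ar_is_denied() {
    grep -Fxq "ALL:$1" "$HOSTS_DENY" 2>/dev/null
}

# ar_host_deny ACTION USER IP
#   0 = done, 1 = bad arguments, 2 = could not update $HOSTS_DENY
ar_host_deny() {
    action=$1
    ip=$3
    [ -n "$action" ] && [ -n "$ip" ] || return 1
    case $action in
    add)
        # Already blocked: leave the file alone (no duplicate lines).
        ar_is_denied "$ip" && return 0
        printf 'ALL:%s\n' "$ip" >> "$HOSTS_DENY" || return 2
        ;;
    delete)
        tmp=$(mktemp) || return 2
        grep -Fxv "ALL:$ip" "$HOSTS_DENY" > "$tmp" || true   # empty result is fine
        cat "$tmp" > "$HOSTS_DENY" || { rm -f "$tmp"; return 2; }
        rm -f "$tmp"
        ;;
    *)
        return 1
        ;;
    esac
}

# End-to-end check on a scratch file: add, verify, re-add (no duplicate),
# delete, verify; an unrelated pre-existing entry must survive.
ar_selfcheck() {
    HOSTS_DENY=$(mktemp) || return 1
    printf 'ALL:203.0.113.7\n' > "$HOSTS_DENY"     # constructed existing entry
    ar_host_deny add - 192.0.2.10    || return 1
    ar_is_denied 192.0.2.10          || return 1
    ar_host_deny add - 192.0.2.10    || return 1
    [ "$(grep -c . "$HOSTS_DENY")" -eq 2 ] || return 1
    ar_host_deny delete - 192.0.2.10 || return 1
    if ar_is_denied 192.0.2.10; then return 1; fi
    ar_is_denied 203.0.113.7         || return 1
    rm -f "$HOSTS_DENY"
}

ar_selfcheck && echo "host-deny add/delete logic OK"
```

On the agent itself the equivalent manual test is the real script with the same arguments, run as root: /var/ossec/active-response/bin/host-deny.sh add - 192.0.2.10, then grep for the address in /etc/hosts.deny, then the same command with delete. The stock scripts also append the argument line they were called with to /var/ossec/logs/active-responses.log, so that file shows whether execd ever invoked the script at all, separately from whether the script managed to write hosts.deny.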
