I am baffled -- Below is an alert which triggered an active response. It should have executed a block on my pix, but for some reason the IP was lost in translation, so to speak. The Src IP shows up correctly in the alert, and in the script it is set via $3, but if I output the string with a simple echo $0 $1 $2 $3 etc., it shows $3 as being "-". Any idea what might cause this? What am I missing? The active response triggered, but because it tried to block an IP of "-", of course the command choked. Hmm...
--------------------------------------
** Alert 172472951.705506: mail - syslog,sshd,authentication_failures,
2011 Nov 17 21:23:39 (myhost.xyzzy.com) 192.168.10.2->/var/log/secure
Rule: 5720 (level 10) -> 'Multiple SSHD authentication failures.'
Src IP: 140.215.10.133
User: root
Nov 17 21:23:20 myhost sshd[21204]: Failed password for root from 140.215.10.133 port 54076 ssh2
Nov 17 21:23:04 myhost sshd[21180]: Failed password for root from 140.215.10.133 port 51929 ssh2
Nov 17 21:21:31 myhost sshd[25927]: Failed password for root from 140.215.10.133 port 44496 ssh2
Nov 17 21:20:52 myhost sshd[25882]: Failed password for root from 140.215.10.133 port 39281 ssh2
Nov 17 21:20:22 myhost sshd[20922]: Failed password for games from 140.215.10.133 port 58637 ssh2
Nov 17 21:19:22 myhost sshd[25729]: Failed password for root from 140.215.10.133 port 50943 ssh2
Nov 17 21:17:57 myhost sshd[20693]: Failed password for bin from 140.215.10.133 port 41115 ssh2
Nov 17 21:17:53 myhost sshd[25611]: Failed password for bin from 140.215.10.133 port 39299 ssh2

/var/ossec/active-response/bin/fw-shun.sh add - - 1324351419.705506 5720 (myhost.xyzzy.com) 192.168.10.2->/var/log/secure

The argument settings in the script --
ACTION=$1
USER=$2
IP=$3
ALERTID=$4
RULEID=$5
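Whatever the reason the third argument arrived as "-", the script itself should never hand an unvalidated value to the firewall. The following is an added example of that defensive pattern, not the poster's fw-shun.sh and not OSSEC's own code. It takes the same positional arguments as the command line quoted above (action, user, source IP, alert id, rule id), rejects anything that is not a dotted-quad IPv4 address, logs the refusal to stderr, and otherwise only prints the block command it would run; `fw-block-placeholder` is a hypothetical stand-in for whatever firewall command the real script invokes.

```shell
#!/bin/sh
# Added example: validating wrapper for an OSSEC-style active-response script.
# Argument order follows the invocation quoted in the post:
#   $1 action ("add"/"delete"), $2 user, $3 source IP, $4 alert id, $5 rule id.
# "fw-block-placeholder" is hypothetical; a real script would call the
# firewall here and append its log line to the active-responses log instead
# of stderr. Nothing in this example touches a real firewall.

# Return 0 only for a syntactically valid dotted-quad IPv4 address.
# OSSEC fills fields it cannot supply with "-", so "-" must fail this check.
valid_ipv4() {
    ip="$1"
    [ -n "$ip" ] || return 1
    case "$ip" in
        *[!0-9.]*|.*|*.|*..*) return 1 ;;   # non-digit chars, leading/trailing/double dots
    esac
    oldifs="$IFS"; IFS=.
    set -- $ip                               # split into octets (function-local params)
    IFS="$oldifs"
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Build the firewall command for the given arguments and print it.
# Returns 0 when a block would be issued, 2 when the IP is unusable,
# 1 for an unknown action.
build_block_command() {
    action="$1" user="$2" ip="$3" alertid="$4" ruleid="$5"
    if ! valid_ipv4 "$ip"; then
        echo "$(date '+%Y-%m-%d %H:%M:%S') refused action=$action user=$user ip='$ip' alert=$alertid rule=$ruleid: not a usable IPv4 address" >&2
        return 2
    fi
    case "$action" in
        add)    echo "fw-block-placeholder add $ip" ;;
        delete) echo "fw-block-placeholder delete $ip" ;;
        *)      echo "unknown action: $action" >&2; return 1 ;;
    esac
}

# When run directly with arguments, behave like the active-response entry point.
if [ $# -gt 0 ]; then
    build_block_command "$@"
fi
```

Run it with the arguments from the post (`sh example.sh add - - 1324351419.705506 5720`) and it logs a refusal and exits 2 instead of choking on a firewall call with "-" as the address; with a real address in the third position it prints the block command.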