Is <expect>srcip</expect> set in the command definition?
On Tue, Dec 20, 2011 at 11:01 AM, Kat <uncommon...@gmail.com> wrote:
> I am baffled --
>
> Below is an alert - which triggered an active response. It should have
> executed a block on my pix, but for some reason the IP was lost in
> translation so to speak. The Src IP shows up correctly in the alert,
> and in the script, it is set via $3, but if I output the string with a
> simple echo $0 $1 $2 $3 etc, it shows $3 as being "-". Any idea what
> might cause this? What am I missing.. The active response triggered
> but because it tried to block an IP of "-" of course the command
> choked. Hmm...
>
>
> --------------------------------------
>
> ** Alert 172472951.705506: mail -
> syslog,sshd,authentication_failures,
> 2011 Nov 17 21:23:39 (myhost.xyzzy.com) 192.168.10.2->/var/log/secure
> Rule: 5720 (level 10) -> 'Multiple SSHD authentication failures.'
> Src IP: 140.215.10.133
> User: root
> Nov 17 21:23:20 myhost sshd[21204]: Failed password for root from 140.215.10.133 port 54076 ssh2
> Nov 17 21:23:04 myhost sshd[21180]: Failed password for root from 140.215.10.133 port 51929 ssh2
> Nov 17 21:21:31 myhost sshd[25927]: Failed password for root from 140.215.10.133 port 44496 ssh2
> Nov 17 21:20:52 myhost sshd[25882]: Failed password for root from 140.215.10.133 port 39281 ssh2
> Nov 17 21:20:22 myhost sshd[20922]: Failed password for games from 140.215.10.133 port 58637 ssh2
> Nov 17 21:19:22 myhost sshd[25729]: Failed password for root from 140.215.10.133 port 50943 ssh2
> Nov 17 21:17:57 myhost sshd[20693]: Failed password for bin from 140.215.10.133 port 41115 ssh2
> Nov 17 21:17:53 myhost sshd[25611]: Failed password for bin from 140.215.10.133 port 39299 ssh2
>
>
> /var/ossec/active-response/bin/fw-shun.sh add - - 1324351419.705506 5720 (myhost.xyzzy.com) 192.168.10.2->/var/log/secure
>
> The argument settings in the script --
>
> ACTION=$1
> USER=$2
> IP=$3
> ALERTID=$4
> RULEID=$5
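As an added example (not Kat's fw-shun.sh and not OSSEC's own code), here is a POSIX shell argument check a script in that position could run before it touches the firewall. It uses the positional layout quoted above and refuses the "-" placeholder that OSSEC passes when the command definition lacks <expect>srcip</expect>; the function names are my own.

```shell
#!/bin/sh
# Added example, not code from the thread or from OSSEC: validate the positional
# arguments an active-response script receives before acting on them.
# Layout as in the quoted script: $1 action, $2 user, $3 src IP, $4 alert id, $5 rule id.
# OSSEC substitutes "-" for a field the <command> definition does not <expect>,
# so a missing <expect>srcip</expect> shows up here as IP="-".

# is_ipv4 ADDR: succeed only for a dotted quad with every octet in 0..255.
is_ipv4() {
    addr=$1
    case $addr in
        ""|*[!0-9.]*) return 1 ;;    # empty, or anything besides digits and dots
    esac
    old_ifs=$IFS; IFS=.
    set -- $addr                      # split into octets (positional params are function-local)
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for oct in "$@"; do
        [ -n "$oct" ] && [ "$oct" -le 255 ] || return 1
    done
    return 0
}

# validate_ar_args ACTION USER IP ALERTID RULEID
# Exit status: 0 usable, 2 unknown action, 3 unusable IP, 4 missing alert or rule id.
validate_ar_args() {
    action=$1; ip=$3; alertid=$4; ruleid=$5
    case $action in
        add|delete) ;;
        *) return 2 ;;
    esac
    # "-" is the "field not passed" placeholder seen in the thread: never block it.
    if [ "$ip" = "-" ] || ! is_ipv4 "$ip"; then
        return 3
    fi
    [ -n "$alertid" ] && [ -n "$ruleid" ] || return 4
    return 0
}

# When invoked with arguments, report whether they are safe to act on.
if [ "$#" -gt 0 ]; then
    if validate_ar_args "$@"; then
        echo "arguments ok: would $1 block for $3 (alert $4, rule $5)"
    else
        echo "refusing to act, bad active-response arguments: $*" >&2
    fi
fi
```

Run as `sh check.sh add - - 1324351419.705506 5720` to reproduce the refusal for the call quoted in the thread.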