On Mar 6, 2013 11:31 PM, "TWAD" <higd...@gmail.com> wrote:
>
> Hey Dan, I took your advice and created a CDB with over 10k IPs and then I added one of my local IPs to test for an alert. However, the alert does not fire when one of my local hosts tries to connect or when I change the blacklists file. I am running tcpdump and I can see the host trying to connect, but nothing in the alert.log. The active response log is still at 0 as well. What am I doing wrong?
>
Please provide a log sample.

> Blacklist format for CDB:
> IP1: 192.168.1.8
> IP2: 10.10.1.200
> etc
>
> In ossec.conf I have
> <rules>
> ...
> <list>lists/blacklist.txt</list>
> <include>local_rules.xml</include>
> </rules>
>
> I added this to execute ossec-makelist when the blacklist changes. I do not believe it worked because I ran it manually and it showed an update was needed
>
> <command>
> <name>makelists</name>
> <executable>makelists.sh</executable>
> <expect></expect>
> </command>
>
> <active-response>
> <disabled>no</disabled>
> <command>makelists</command>
> <location>server</location>
> <rules_id>105001</rules_id>
> </active-response>
>
> Here is my blacklist file with the new CDB created from Makelists
>
> [root@RHEL6-4 lists]# ls -la
> total 712
> drwxr-xr-x.  2 ossec ossec   4096 Mar 6 22:03 .
> dr-xr-x---. 15 root  ossec   4096 Mar 6 16:49 ..
> -rw-r--r--.  1 ossec ossec 239574 Mar 6 22:03 blacklist.txt
> -rw-r--r--.  1 ossec ossec 478742 Mar 6 17:09 blacklist.txt.cdb
>
> My local_rules.xml addition for the alert
>
> <rule id="101003" level="0" noalert="1">
> <decoded_as>unbound</decoded_as>
> <description>Grouping for unbound.</description>
> </rule>
>
> <rule id="101004" level="10">
> <if_sid>101003</if_sid>
> <list field="srcip" lookup="address_match_key">lists/blacklist.txt.cdb</list>
> <description>DNS query on a potentially malicious domain.</description>
> </rule>
>
> <rule id="101005" level="10">
> <if_sid>550</if_sid>

Did you get a 550 with the path you defined below?

> <match>/var/ossec/lists/blacklist.txt</match>
> <description>blacklist.txt has been modified</description>
> </rule>
>
> On Tuesday, March 5, 2013 5:45:10 PM UTC-6, dan (ddpbsd) wrote:
>>
>> On Mon, Mar 4, 2013 at 4:45 PM, TWAD <hig...@gmail.com> wrote:
>> > Hey everybody,
>> > I have a task that I'm struggling with; could you help?
>> >
>> > Task: I need to have a blacklist capability on all of my agents (to alert, not block)
>> >
>>
>> Alerts are only created by the server, not the agents.
>>
>> > Issue 1: The blacklist contains over 700 IPs (currently) so creating a rule for each would (to me) seem taxing on the agent and server
>> >
>>
>> Using a cdb seems like a decent option. I had a cdb of over 100k domains at one point.
>>
>> > Issue 2: The white list will contain over 200 IPs or 10 domains/subnets
>> >
>> > Questions:
>> >
>> > Should I use a white list instead of the blacklist?
>> > Has anybody on this list done this?
>> > What is the most practical method?
>> >
>> > Research:
>> >
>> > I found an excellent example written by Anthony Kasza (anthonykasza.webs.com/docs/honeyports.pdf) but none of my agents will be running nc.
>> > I looked on this list and other great resources but do not have a good answer
>> >
>> > Thank you in advance for your time!
>> >
>> > --
>> >
>> > ---
>> > You received this message because you are subscribed to the Google Groups "ossec-list" group.
>> > To unsubscribe from this group and stop receiving emails from it, send an email to ossec-list+...@googlegroups.com.
>> > For more options, visit https://groups.google.com/groups/opt_out.
>> >
>> >
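The thread turns on how an OSSEC CDB list is keyed and how lookup="address_match_key" walks it. The script below is an added example, written for this page; it is not OSSEC code and not anything the poster ran. It parses a key:value list file the way ossec-makelists expects it (one entry per line, the lookup key on the left of the colon), flags keys a srcip lookup could never hit, and simulates the address-prefix walk as I understand it (full address first, then "10.10.1.", "10.10.", "10."; that walk is my assumption about OSSEC's behaviour). The function names (parse_list, bad_keys, address_match_key) and both sample lists are constructed for the example; POSTED mirrors the "IP1: 192.168.1.8" layout shown in the thread, FIXED is the same hosts keyed by address plus one netblock prefix.

```python
"""Sanity-check an OSSEC CDB list and simulate lookup="address_match_key".

Added example, not OSSEC's own code. OSSEC reads one "key:value" line per
entry from the list file declared in ossec.conf, ossec-makelists compiles it
into <file>.cdb, and a rule's <list> compares the decoded field against the
KEY. The prefix walk in address_match_key() is my understanding of OSSEC's
lookup (assumption): full address, then progressively shorter dotted prefixes.
"""
import ipaddress


def parse_list(text):
    """Parse key:value lines into a dict; blank lines and '#' comments are skipped."""
    entries = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if ":" not in line:
            raise ValueError("line %d: expected key:value, got %r" % (lineno, line))
        key, _, value = line.partition(":")
        entries[key.strip()] = value.strip()
    return entries


def is_address_key(key):
    """True if key is a full IPv4 address or a dotted prefix such as '10.10.'."""
    if key.endswith("."):
        octets = key[:-1].split(".")
        return 1 <= len(octets) <= 3 and all(
            o.isdigit() and int(o) <= 255 for o in octets)
    try:
        ipaddress.IPv4Address(key)
        return True
    except ValueError:
        return False


def bad_keys(text):
    """Keys in the list that a srcip lookup could never match."""
    return [k for k in parse_list(text) if not is_address_key(k)]


def address_match_key(entries, srcip):
    """Return the matching key, or None, walking from host to shorter prefixes.

    "10.10.1.200" -> "10.10.1." -> "10.10." -> "10." -> give up  (assumed walk)
    """
    key = srcip
    while True:
        if key in entries:
            return key
        dot = key.rstrip(".").rfind(".")
        if dot < 0:
            return None
        key = key[:dot + 1]


# Constructed samples (not the poster's real file).
# Laid out as in the thread: the lookup key is "IP1", not the address.
POSTED = "IP1: 192.168.1.8\nIP2: 10.10.1.200\n"
# Keyed by address, plus a prefix that covers the whole 172.16.0.0/16 block.
FIXED = ("192.168.1.8:blacklisted host\n"
         "10.10.1.200:blacklisted host\n"
         "172.16.:blacklisted netblock\n")

if __name__ == "__main__":
    print("keys that never match:", bad_keys(POSTED))  # ['IP1', 'IP2']
    for srcip in ("192.168.1.8", "172.16.40.9", "8.8.8.8"):
        print(srcip, "->", address_match_key(parse_list(FIXED), srcip))
```

Two practical checks go with this. First, OSSEC resolves a rule's <list> path against the names declared under <rules> in ossec.conf and appends .cdb itself, so the rule should reference lists/blacklist.txt (the declared path), not lists/blacklist.txt.cdb. Second, the directory listing in the thread shows blacklist.txt (22:03) newer than blacklist.txt.cdb (17:09); the .cdb is what analysisd actually queries, so after every edit rebuild it with /var/ossec/bin/ossec-makelists and confirm the .cdb mtime moves past the text file's.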