On Mon, Apr 8, 2013 at 10:29 AM, C. L. Martinez <carlopm...@gmail.com> wrote: > Ok, using pf.sh script, works as expected. Can I reconfigure agent.conf to > use pf.sh as active response instead firewall-drop.sh script only for > FreeBSD hosts ?? >
I don't think so. I'm pretty sure those are server side settings. The problem is that firewall-drop.sh should contain the contents of pf.sh. This should have been done during installation. What version of FreeBSD are you using? I don't like installing legacy OSes, but I installed solaris recently so I guess I can install FBSD as well for testing. > > On Mon, Apr 8, 2013 at 2:25 PM, dan (ddp) <ddp...@gmail.com> wrote: >> >> On Mon, Apr 8, 2013 at 10:19 AM, C. L. Martinez <carlopm...@gmail.com> >> wrote: >> > AFAIK, FreeBSD can use three different firewall types: ipf, ipfw and pf >> > ... >> > >> >> It looks like FreeBSD with pf enabled should be using pf.sh. Try >> running the same command you did previously, but with pf.sh instead. >> If that works, copying it over firewall-drop.sh should be the way to >> go. >> >> I'll have a look at the installer logic to see if I can figure out >> where this went wrong, so please report success failure of the above. >> >> > >> > On Mon, Apr 8, 2013 at 2:16 PM, dan (ddp) <ddp...@gmail.com> wrote: >> >> >> >> On Mon, Apr 8, 2013 at 10:12 AM, C. L. Martinez <carlopm...@gmail.com> >> >> wrote: >> >> > Correct, but for this reason, I ask the question ... >> >> > >> >> >> >> Does freebsd use ipf anymore? Is it still a knob? >> >> >> >> > >> >> > On Mon, Apr 8, 2013 at 2:09 PM, dan (ddp) <ddp...@gmail.com> wrote: >> >> >> >> >> >> On Mon, Apr 8, 2013 at 10:03 AM, C. L. Martinez >> >> >> <carlopm...@gmail.com> >> >> >> wrote: >> >> >> > Yep, it is searching ipf ... >> >> >> > >> >> >> > root@itafbsd01:/data/logs/plain# /bin/sh -x >> >> >> > /usr/local/ossec-hids/active-response/bin/firewall-drop.sh add - >> >> >> > 10.196.0.15 >> >> >> > + uname >> >> >> > + UNAME=FreeBSD >> >> >> > + ECHO=/bin/echo >> >> >> > + GREP=/bin/grep >> >> >> > + IPTABLES='' >> >> >> > + IP4TABLES=/sbin/iptables >> >> >> > + IP6TABLES=/sbin/ip6tables >> >> >> > + IPFILTER=/sbin/ipf >> >> >> > + [ XFreeBSD = XSunOS ] >> >> >> > + GENFILT=/usr/sbin/genfilt >> >> >> > + LSFILT=/usr/sbin/lsfilt >> >> >> > + MKFILT=/usr/sbin/mkfilt >> >> >> > + RMFILT=/usr/sbin/rmfilt >> >> >> > + ARG1='' >> >> >> > + ARG2='' >> >> >> > + RULEID='' >> >> >> > + ACTION=add >> >> >> > + USER=- >> >> >> > + IP=10.196.0.15 >> >> >> > + dirname >> >> >> > /usr/local/ossec-hids/active-response/bin/firewall-drop.sh >> >> >> > + LOCAL=/usr/local/ossec-hids/active-response/bin >> >> >> > + cd /usr/local/ossec-hids/active-response/bin >> >> >> > + cd ../ >> >> >> > + pwd >> >> >> > + PWD=/usr/local/ossec-hids/active-response >> >> >> > + basename >> >> >> > /usr/local/ossec-hids/active-response/bin/firewall-drop.sh >> >> >> > + filename=firewall-drop.sh >> >> >> > + LOCK=/usr/local/ossec-hids/active-response/fw-drop >> >> >> > + LOCK_PID=/usr/local/ossec-hids/active-response/fw-drop/pid >> >> >> > + >> >> >> > >> >> >> > >> >> >> > >> >> >> > LOG_FILE=/usr/local/ossec-hids/active-response/../logs/active-responses.log >> >> >> > + date >> >> >> > + echo 'Mon Apr 8 14:02:35 UTC 2013 >> >> >> > /usr/local/ossec-hids/active-response/bin/firewall-drop.sh add - >> >> >> > 10.196.0.15 >> >> >> > ' >> >> >> > + [ x10.196.0.15 = x ] >> >> >> > + IPTABLES=/sbin/iptables >> >> >> > + MAX_ITERATION=50 >> >> >> > + [ xadd != xadd -a xadd != xdelete ] >> >> >> > + [ XFreeBSD = XLinux ] >> >> >> > + [ XFreeBSD = XFreeBSD -o XFreeBSD = XSunOS -o XFreeBSD = XNetBSD >> >> >> > ] >> >> >> > + ls /sbin/ipf >> >> >> > + [ 0 != 0 ] >> >> >> > + ls /bin/echo >> >> >> > + [ 0 != 0 ] >> >> >> > + [ xadd = xadd ] >> >> >> > + ARG1='"@1 block out quick from any to 10.196.0.15"' >> >> >> > + ARG2='"@1 block in quick from 10.196.0.15 to any"' >> >> >> > + IPFARG='/sbin/ipf -f -' >> >> >> >> >> >> It's trying to use ipf, not pf. >> >> >> >> >> >> > + eval /bin/echo '"@1' block out quick from any to '10.196.0.15"' >> >> >> > + /sbin/ipf -f - >> >> >> > + /bin/echo '@1 block out quick from any to 10.196.0.15' >> >> >> > open device: No such file or directory >> >> >> > User/kernel version check failed >> >> >> > 1:ioctl(add/insert rule): Bad file descriptor >> >> >> > + eval /bin/echo '"@1' block in quick from 10.196.0.15 to 'any"' >> >> >> > + /sbin/ipf -f - >> >> >> > + /bin/echo '@1 block in quick from 10.196.0.15 to any' >> >> >> > open device: No such file or directory >> >> >> > User/kernel version check failed >> >> >> > 1:ioctl(add/insert rule): Bad file descriptor >> >> >> > + exit 0 >> >> >> > root@itafbsd01:/data/logs/plain >> >> >> > >> >> >> > >> >> >> > On Mon, Apr 8, 2013 at 1:53 PM, dan (ddp) <ddp...@gmail.com> >> >> >> > wrote: >> >> >> >> >> >> >> >> On Mon, Apr 8, 2013 at 9:50 AM, C. L. Martinez >> >> >> >> <carlopm...@gmail.com> >> >> >> >> wrote: >> >> >> >> > works: >> >> >> >> > >> >> >> >> > root@itafbsd01:/data/logs/plain# pfctl -t ossec_fwtable -T add >> >> >> >> > 10.196.0.15 >> >> >> >> > No ALTQ support in kernel >> >> >> >> > ALTQ related functions disabled >> >> >> >> > 1/1 addresses added. >> >> >> >> > root@itafbsd01:/data/logs/plain# pfctl -t ossec_fwtable -T show >> >> >> >> > No ALTQ support in kernel >> >> >> >> > ALTQ related functions disabled >> >> >> >> > 10.196.0.15 >> >> >> >> > root@plzfsiem02:/data/logs/plain >> >> >> >> > >> >> >> >> >> >> >> >> Ok, now try to find out what pfctl command firewall-drop.sh is >> >> >> >> using. >> >> >> >> >> >> >> >> /bin/sh -x /var/ossec/active-response/bin/firewall-drop.sh >> >> >> >> blahblahblah >> >> >> >> >> >> >> >> > >> >> >> >> > On Mon, Apr 8, 2013 at 1:48 PM, dan (ddp) <ddp...@gmail.com> >> >> >> >> > wrote: >> >> >> >> >> >> >> >> >> >> On Mon, Apr 8, 2013 at 9:45 AM, C. L. Martinez >> >> >> >> >> <carlopm...@gmail.com> >> >> >> >> >> wrote: >> >> >> >> >> > Executing active response manually: >> >> >> >> >> > >> >> >> >> >> > root@itafbsd01:/usr/local/ossec-hids/bin# >> >> >> >> >> > /usr/local/ossec-hids/active-response/bin/firewall-drop.sh >> >> >> >> >> > add >> >> >> >> >> > - >> >> >> >> >> > 10.196.0.15 >> >> >> >> >> > open device: No such file or directory >> >> >> >> >> > User/kernel version check failed >> >> >> >> >> > 1:ioctl(add/insert rule): Bad file descriptor >> >> >> >> >> > open device: No such file or directory >> >> >> >> >> > User/kernel version check failed >> >> >> >> >> > 1:ioctl(add/insert rule): Bad file descriptor >> >> >> >> >> > >> >> >> >> >> >> >> >> >> >> pfctl -t ossec_fwtable -T add IP_ADDRESS >> >> >> >> >> >> >> >> >> >> > >> >> >> >> >> > On Mon, Apr 8, 2013 at 1:42 PM, C. L. Martinez >> >> >> >> >> > <carlopm...@gmail.com> >> >> >> >> >> > wrote: >> >> >> >> >> >> >> >> >> >> >> >> Hi all, >> >> >> >> >> >> >> >> >> >> >> >> Could active response not work for servers based on >> >> >> >> >> >> FreeBSD >> >> >> >> >> >> using >> >> >> >> >> >> pf >> >> >> >> >> >> as a >> >> >> >> >> >> firewall? I have three FreeBSD hosts and it doesn't seems >> >> >> >> >> >> it >> >> >> >> >> >> is >> >> >> >> >> >> working: >> >> >> >> >> >> >> >> >> >> >> >> root@itafbsd01:/usr/local/ossec-hids/bin# pfctl -sr >> >> >> >> >> >> No ALTQ support in kernel >> >> >> >> >> >> ALTQ related functions disabled >> >> >> >> >> >> block drop in log quick on ! lo0 inet from 127.0.0.0/8 to >> >> >> >> >> >> any >> >> >> >> >> >> block drop in log quick on ! em0 inet from 10.196.0.0/24 to >> >> >> >> >> >> any >> >> >> >> >> >> block drop in log quick inet from 10.196.0.104 to any >> >> >> >> >> >> block drop in log quick inet from 10.196.0.93 to any >> >> >> >> >> >> block drop in log quick on ! em1 inet from 172.17.22.0/29 >> >> >> >> >> >> to >> >> >> >> >> >> any >> >> >> >> >> >> block drop in log quick inet from 172.17.22.2 to any >> >> >> >> >> >> block drop in log quick on ! em2 inet from 172.17.23.0/29 >> >> >> >> >> >> to >> >> >> >> >> >> any >> >> >> >> >> >> block drop in log quick inet from 172.17.23.2 to any >> >> >> >> >> >> block drop in log quick on ! lo0 inet6 from ::1 to any >> >> >> >> >> >> block drop in log quick on em0 inet6 from >> >> >> >> >> >> fe80::250:56ff:fe38:c2bf >> >> >> >> >> >> to >> >> >> >> >> >> any >> >> >> >> >> >> block drop in log quick on em1 inet6 from >> >> >> >> >> >> fe80::250:56ff:fe22:be36 >> >> >> >> >> >> to >> >> >> >> >> >> any >> >> >> >> >> >> block drop in log quick on em2 inet6 from >> >> >> >> >> >> fe80::250:56ff:fe03:5d90 >> >> >> >> >> >> to >> >> >> >> >> >> any >> >> >> >> >> >> block drop in log all >> >> >> >> >> >> block drop in log quick from <ossec_fwtable> to any >> >> >> >> >> >> block drop out log quick from any to <ossec_fwtable> >> >> >> >> >> >> >> >> >> >> >> >> >> >> >> >> >> >> root@itafbsd01:/usr/local/ossec-hids/bin# cat >> >> >> >> >> >> /usr/local/ossec-hids/logs/active-responses.log >> >> >> >> >> >> Mon Apr 8 12:16:28 UTC 2013 >> >> >> >> >> >> /usr/local/ossec-hids/active-response/bin/firewall-drop.sh >> >> >> >> >> >> add >> >> >> >> >> >> - >> >> >> >> >> >> 10.196.0.15 >> >> >> >> >> >> 1365423388.106418930 100307 >> >> >> >> >> >> Mon Apr 8 12:33:22 UTC 2013 >> >> >> >> >> >> /usr/local/ossec-hids/active-response/bin/firewall-drop.sh >> >> >> >> >> >> add >> >> >> >> >> >> - >> >> >> >> >> >> 192.168.65.16 1365424402.107310243 100310 >> >> >> >> >> >> Mon Apr 8 12:56:32 UTC 2013 >> >> >> >> >> >> /usr/local/ossec-hids/active-response/bin/firewall-drop.sh >> >> >> >> >> >> add >> >> >> >> >> >> - >> >> >> >> >> >> 81.84.99.182 1365425792.109009489 100306 >> >> >> >> >> >> Mon Apr 8 12:59:06 UTC 2013 >> >> >> >> >> >> /usr/local/ossec-hids/active-response/bin/firewall-drop.sh >> >> >> >> >> >> add >> >> >> >> >> >> - >> >> >> >> >> >> 84.253.190.122 1365425946.109167068 100306 >> >> >> >> >> >> Mon Apr 8 13:11:25 UTC 2013 >> >> >> >> >> >> /usr/local/ossec-hids/active-response/bin/firewall-drop.sh >> >> >> >> >> >> add >> >> >> >> >> >> - >> >> >> >> >> >> 212.163.33.165 1365426685.109822795 100306 >> >> >> >> >> >> >> >> >> >> >> >> >> >> >> >> >> >> ... but: >> >> >> >> >> >> >> >> >> >> >> >> root@itafbsd01:/usr/local/ossec-hids/bin# pfctl -t >> >> >> >> >> >> ossec_fwtable >> >> >> >> >> >> -T >> >> >> >> >> >> show >> >> >> >> >> >> No ALTQ support in kernel >> >> >> >> >> >> ALTQ related functions disabled >> >> >> >> >> >> root@itafbsd01:/usr/local/ossec-hids/bin >> >> >> >> >> >> >> >> >> >> >> >> Ossec server and these FreeBSD agents use 2.7 release ... >> >> >> >> >> > >> >> >> >> >> > >> >> >> >> >> > -- >> >> >> >> >> > >> >> >> >> >> > --- >> >> >> >> >> > You received this message because you are subscribed to the >> >> >> >> >> > Google >> >> >> >> >> > Groups >> >> >> >> >> > "ossec-list" group. >> >> >> >> >> > To unsubscribe from this group and stop receiving emails >> >> >> >> >> > from >> >> >> >> >> > it, >> >> >> >> >> > send >> >> >> >> >> > an >> >> >> >> >> > email to ossec-list+unsubscr...@googlegroups.com. >> >> >> >> >> > For more options, visit >> >> >> >> >> > https://groups.google.com/groups/opt_out. >> >> >> >> >> > >> >> >> >> >> > >> >> >> >> >> >> >> >> >> >> -- >> >> >> >> >> >> >> >> >> >> --- >> >> >> >> >> You received this message because you are subscribed to the >> >> >> >> >> Google >> >> >> >> >> Groups >> >> >> >> >> "ossec-list" group. >> >> >> >> >> To unsubscribe from this group and stop receiving emails from >> >> >> >> >> it, >> >> >> >> >> send >> >> >> >> >> an >> >> >> >> >> email to ossec-list+unsubscr...@googlegroups.com. >> >> >> >> >> For more options, visit >> >> >> >> >> https://groups.google.com/groups/opt_out. >> >> >> >> >> >> >> >> >> >> >> >> >> >> > >> >> >> >> > -- >> >> >> >> > >> >> >> >> > --- >> >> >> >> > You received this message because you are subscribed to the >> >> >> >> > Google >> >> >> >> > Groups >> >> >> >> > "ossec-list" group. >> >> >> >> > To unsubscribe from this group and stop receiving emails from >> >> >> >> > it, >> >> >> >> > send >> >> >> >> > an >> >> >> >> > email to ossec-list+unsubscr...@googlegroups.com. >> >> >> >> > For more options, visit >> >> >> >> > https://groups.google.com/groups/opt_out. >> >> >> >> > >> >> >> >> > >> >> >> >> >> >> >> >> -- >> >> >> >> >> >> >> >> --- >> >> >> >> You received this message because you are subscribed to the >> >> >> >> Google >> >> >> >> Groups >> >> >> >> "ossec-list" group. >> >> >> >> To unsubscribe from this group and stop receiving emails from it, >> >> >> >> send >> >> >> >> an >> >> >> >> email to ossec-list+unsubscr...@googlegroups.com. >> >> >> >> For more options, visit https://groups.google.com/groups/opt_out. >> >> >> >> >> >> >> >> >> >> >> > >> >> >> > -- >> >> >> > >> >> >> > --- >> >> >> > You received this message because you are subscribed to the Google >> >> >> > Groups >> >> >> > "ossec-list" group. >> >> >> > To unsubscribe from this group and stop receiving emails from it, >> >> >> > send >> >> >> > an >> >> >> > email to ossec-list+unsubscr...@googlegroups.com. >> >> >> > For more options, visit https://groups.google.com/groups/opt_out. >> >> >> > >> >> >> > >> >> >> >> >> >> -- >> >> >> >> >> >> --- >> >> >> You received this message because you are subscribed to the Google >> >> >> Groups >> >> >> "ossec-list" group. >> >> >> To unsubscribe from this group and stop receiving emails from it, >> >> >> send >> >> >> an >> >> >> email to ossec-list+unsubscr...@googlegroups.com. >> >> >> For more options, visit https://groups.google.com/groups/opt_out. >> >> >> >> >> >> >> >> > >> >> > -- >> >> > >> >> > --- >> >> > You received this message because you are subscribed to the Google >> >> > Groups >> >> > "ossec-list" group. >> >> > To unsubscribe from this group and stop receiving emails from it, >> >> > send >> >> > an >> >> > email to ossec-list+unsubscr...@googlegroups.com. >> >> > For more options, visit https://groups.google.com/groups/opt_out. >> >> > >> >> > >> >> >> >> -- >> >> >> >> --- >> >> You received this message because you are subscribed to the Google >> >> Groups >> >> "ossec-list" group. >> >> To unsubscribe from this group and stop receiving emails from it, send >> >> an >> >> email to ossec-list+unsubscr...@googlegroups.com. >> >> For more options, visit https://groups.google.com/groups/opt_out. >> >> >> >> >> > >> > -- >> > >> > --- >> > You received this message because you are subscribed to the Google >> > Groups >> > "ossec-list" group. >> > To unsubscribe from this group and stop receiving emails from it, send >> > an >> > email to ossec-list+unsubscr...@googlegroups.com. >> > For more options, visit https://groups.google.com/groups/opt_out. >> > >> > >> >> -- >> >> --- >> You received this message because you are subscribed to the Google Groups >> "ossec-list" group. >> To unsubscribe from this group and stop receiving emails from it, send an >> email to ossec-list+unsubscr...@googlegroups.com. >> For more options, visit https://groups.google.com/groups/opt_out. >> >> > > -- > > --- > You received this message because you are subscribed to the Google Groups > "ossec-list" group. > To unsubscribe from this group and stop receiving emails from it, send an > email to ossec-list+unsubscr...@googlegroups.com. > For more options, visit https://groups.google.com/groups/opt_out. > > -- --- You received this message because you are subscribed to the Google Groups "ossec-list" group. To unsubscribe from this group and stop receiving emails from it, send an email to ossec-list+unsubscr...@googlegroups.com. For more options, visit https://groups.google.com/groups/opt_out.
