Hi Ben,

It's been a while since I messed with this but I eventually got the desired result performing whitelisting against the hostname in the active response itself rather than using ossec whitelisting directly. In some instances, I didn't have control over setting rsyslog to IP rather than host so I have rules that don't <expect> the srcip but still perform whitelisting based on what a hostname resolves to (via nslookup). The following function is part of a set of common bash functions that is sourced each time an active response is invoked and I can then call this and perform active response based whitelisting on hostnames:
    # usage: checkWhitelist <srcip>
    checkWhitelist() {
        if [ "$1" != "" ]; then
            # Pull the value of every <white_list>...</white_list> element out of ossec.conf
            WHITE_LIST=$(grep "white_list" /var/ossec/etc/ossec.conf | \
                         cut -d">" -f2 | cut -d"<" -f1)
            for ip in $WHITE_LIST; do
                if [ "$1" = "$ip" ]; then
                    # Whitelisted: end the active response before it does anything
                    echo "checkWhitelist: IP is white listed, exiting"
                    exit 0
                fi
            done
        fi
    }

Probably not the most efficient way to do it but gave me the flexibility to handle syslog messages that contain a hostname. May not be what you wanted but it worked for me.

Cheers,
Glen

On Fri, Sep 25, 2015 at 7:18 AM, Ben <ben2...@gmail.com> wrote:
> Glen,
>
> Any advice on changing rsyslog format from hostname to IP addresses? I am
> running on CentOS 6.5, and wanting to change the log hostname to IP
> address, so I can pass the variable to AR command, then I will get to your
> same problem:-) Thanks.
>
> On Monday, February 9, 2015 at 5:13:35 PM UTC-5, Glen Leeder wrote:
>>
>> Thanks Dan,
>>
>> I've changed my rsyslog format to IP addresses instead of hosts and all
>> is good.
>>
>> Do you know whether the <white_list> directive requires that
>> <expect>srcip</expect> is specified or will it work without that?
>>
>> Glen
>>
>> On Monday, February 9, 2015 at 11:08:11 PM UTC+10, dan (ddpbsd) wrote:
>>>
>>> On Mon, Feb 9, 2015 at 4:26 AM, Glen Leeder <glen....@gmail.com> wrote:
>>> > Hi,
>>> >
>>> > I'm using ossec 2.8.1 on Ubuntu 14.04 running locally only, no agents.
>>> > I have the following local_rules.xml defined to exercise syslog monitoring:
>>> > $ sudo more /var/ossec/rules/local_rules.xml
>>> > <group name="ossectester,local">
>>> >   <rule id="100000" level="5">
>>> >     <match>OSSEC-TESTER-RULE</match>
>>> >     <description>OSSEC Test Alert</description>
>>> >   </rule>
>>> > </group>
>>> >
>>> > When this rule triggers (by running 'logger "OSSEC-TESTER-RULE"'), an active
>>> > response is executed due to this ossec.conf:
>>> > <command>
>>> >   <name>post2slack</name>
>>> >   <executable>ar_slack.sh</executable>
>>> >   <expect></expect>
>>> >   <timeout_allowed>no</timeout_allowed>
>>> > </command>
>>> >
>>> > <active-response>
>>> >   <command>post2slack</command>
>>> >   <location>local</location>
>>> >   <level>4</level>
>>> > </active-response>
>>> >
>>> > This works as expected provided I do not populate the command <expect>
>>> > field. If I specify <expect>srcip</expect> the alert still triggers,
>>> > however, the active response is no longer executed. The syslog entry ends up
>>> > as something like:
>>> > Feb 9 19:19:53 myhostname gleeder: OSSEC-TESTER-RULE
>>> >
>>>
>>> There is no IP in this log message to be decoded, so it makes sense
>>> that AR won't be triggered if it expects there to be a source ip.
>>>
>>> > I can't determine from the documentation whether this should work or not.
>>> > myhostname resolves to 127.0.0.1 but I haven't got any white_list IPs
>>> > specified anyway (my end goal is to have some white_listing which is why I
>>> > specified srcip).
>>> >
>>> > Is there an implicit white_list default or another reason why specifying
>>> > srcip causes the response to no longer execute?
>>> > Is <expect>srcip</expect> required for white_list to work?
>>> >
>>> > Best regards,
>>> > Glen
>>> >
>>> > --
>>> >
>>> > ---
>>> > You received this message because you are subscribed to the Google Groups
>>> > "ossec-list" group.
>>> > To unsubscribe from this group and stop receiving emails from it, send an
>>> > email to ossec-list+...@googlegroups.com.
>>> > For more options, visit https://groups.google.com/d/optout.
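The hostname-based check Glen describes above, together with the case Dan points out (a message with no decodable srcip, which an <expect>srcip</expect> command never acts on), worked through as an added example. This is not Glen's script and not part of the OSSEC project: it reads <white_list> entries from a constructed ossec.conf fragment (OSSEC_CONF_SAMPLE) instead of /var/ossec/etc/ossec.conf, uses a constructed lookup table (resolve_host) in place of nslookup or getent, and assumes the source address arrives as the third active-response argument as in OSSEC's stock scripts; is_whitelisted, ip_to_int and ip_in_entry are its own names. It goes beyond the posted checkWhitelist in two ways: CIDR entries such as 10.0.0.0/8 match, and a bare hostname is resolved and every address it resolves to is checked, while an empty or unresolvable value is treated as not whitelisted so the response still runs.

```shell
#!/bin/sh
# Added example, not Glen's script and not OSSEC code: whitelist check for an
# active response that accepts either a source IP or a bare hostname, and that
# understands <white_list> entries written as one address or as a CIDR range.
# The config fragment and the resolver below are constructed stand-ins
# (assumptions) so the script runs offline.

# Constructed stand-in for the <white_list> lines of /var/ossec/etc/ossec.conf.
OSSEC_CONF_SAMPLE='<ossec_config>
  <global>
    <white_list>127.0.0.1</white_list>
    <white_list>10.0.0.0/8</white_list>
    <white_list>192.168.1.25</white_list>
  </global>
</ossec_config>'

# Constructed stand-in for name resolution. A real script would use something
# like: getent hosts "$1" | awk '{print $1}'
resolve_host() {
    case "$1" in
        myhostname) echo "127.0.0.1" ;;
        db01)       echo "10.20.30.40" ;;
        web01)      echo "203.0.113.7" ;;
        *)          return 1 ;;
    esac
}

# Print the value of every <white_list> element, one per line. Like Glen's
# grep|cut, this assumes one element per line, which is how ossec.conf is laid out.
white_list_entries() {
    printf '%s\n' "$OSSEC_CONF_SAMPLE" \
        | sed -n 's/.*<white_list>\([^<]*\)<\/white_list>.*/\1/p'
}

# Convert a dotted quad to a 32-bit integer; fail if $1 is not an IPv4 literal.
ip_to_int() {
    oldifs=$IFS; IFS=.
    set -- $1
    IFS=$oldifs
    [ $# -eq 4 ] || return 1
    for octet in "$1" "$2" "$3" "$4"; do
        case "$octet" in ''|*[!0-9]*) return 1 ;; esac
        [ "$octet" -le 255 ] || return 1
    done
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# Succeed if address $1 lies inside entry $2 (a bare IP, or IP/prefix in CIDR form).
ip_in_entry() {
    ip=$(ip_to_int "$1") || return 1
    case "$2" in
        */*) net=${2%/*}; bits=${2#*/} ;;
        *)   net=$2;      bits=32 ;;
    esac
    netint=$(ip_to_int "$net") || return 1
    case "$bits" in ''|*[!0-9]*) return 1 ;; esac
    [ "$bits" -le 32 ] || return 1
    mask=$(( (4294967295 << (32 - bits)) & 4294967295 ))
    [ $(( ip & mask )) -eq $(( netint & mask )) ]
}

# Succeed if $1 (an IP or a hostname) matches any <white_list> entry. A hostname
# is whitelisted when any address it resolves to is. An empty or unresolvable
# value is NOT whitelisted, so the response still runs for it.
is_whitelisted() {
    target=$1
    [ -n "$target" ] || return 1
    if ip_to_int "$target" >/dev/null 2>&1; then
        addrs=$target
    else
        addrs=$(resolve_host "$target") || return 1
    fi
    for addr in $addrs; do
        for entry in $(white_list_entries); do
            if ip_in_entry "$addr" "$entry"; then
                return 0
            fi
        done
    done
    return 1
}

# In a real active response the stock OSSEC scripts receive the source address as
# the third argument (action user srcip ...), so the guard at the top would be:
#   is_whitelisted "$3" && { echo "whitelisted, exiting"; exit 0; }
# Stand-alone demo over constructed inputs:
for probe in 127.0.0.1 10.20.30.40 192.168.1.26 myhostname web01 nosuchhost; do
    if is_whitelisted "$probe"; then
        echo "$probe: whitelisted, active response would exit 0"
    else
        echo "$probe: not whitelisted, active response would continue"
    fi
done
```

One design choice worth noting: Glen's function lets the response run when its argument is empty (the outer if), and so does this one. That is the right default when the whitelist is only a convenience, but if it is meant as a safety net against acting on your own hosts, the rule or decoder feeding the response has to guarantee the argument is actually populated, because a hostname-only message paired with <expect>srcip</expect> never reaches the script at all.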