Now I don't have any whitelist.

#ossec.log
2016/02/23 07:18:57 ossec-analysisd: DEBUG: Active response initialized ...
2016/02/23 07:18:57 ossec-analysisd: DEBUG: Active response Init completed.

#Test active response: 
root@serv-10244 [/var/ossec/active-response/bin]# ./testar.sh action user src_ip alert_id rule_id agent_host filename
root@serv-10244 [/var/ossec/active-response/bin]# cat ../../logs/active-responses.log
Tue Feb 23 07:28:03 EST 2016 ./testar.sh action user src_ip alert_id rule_id agent_host filename

Let's start from the beginning.
I need to execute active responses on the same server, so I ran 
ossec-configure and selected installation type "local" with active 
responses enabled "yes".
Next I added the active response:

  <command>
    <name>testar</name>
    <expect></expect>
    <executable>testar.sh</executable>
  </command>

  <active-response>
    <command>testar</command>
    <location>all</location>
    <level>6</level>
  </active-response>

But active responses are still not executed.


> Hi,
>
> The daemon in charge of executing active-response scripts is 
> "ossec-execd". I think your conf is good; active-response should be 
> active and working. Try to force some response and check 
> active-response.log.
>
> Check ossec.log for entries like:
>
> 2016/02/23 03:48:19 ossec-analysisd: INFO: 2 IPs in the white list for active response.
> 2016/02/23 03:48:19 ossec-analysisd: INFO: 1 Hostname(s) in the white list for active response.
>
>
>
> If you really want to check if active-response is active, try this:
>
> Enable debug mode:
> /var/ossec/bin/ossec-control enable debug
>
> Restart OSSEC and check for line:
>
> 2016/02/23 11:40:57 ossec-analysisd: DEBUG: Active response initialized ...
>
> The scripts should be placed on /var/ossec/active-response/bin with 
> execution permissions.
>
> Regards,
>
> Pedro S.
>
>
> On Tuesday, February 23, 2016 at 11:21:13 AM UTC+1, ba...@x-cart.com 
> wrote:
>>
>> Why is active-response not working?
>> I receive the email notification, but the active response has not started.
>> What may have caused the problem?
>>
>> #etc/shared/ar.conf:
>> restart-ossec0 - restart-ossec.sh - 0
>> restart-ossec0 - restart-ossec.cmd - 0
>> testar0 - testar.sh - 0
>> slack0 - slack.py - 0
>>
>>
>> #alert.log
>> ** Alert 1456222573.17132: mail  - syslog,sshdauthentication_success,
>> 2016 Feb 23 05:16:13 serv-10244->/var/log/secure
>> Rule: 5715 (level 7) -> 'SSHD authentication success.'
>> Src IP: 104.131.225.112
>> User: root
>> Feb 23 05:16:12 serv-10244 sshd[16530]: Accepted password for root from 104.131.225.112 port 47280 ssh2
>>
>> #ossec.conf
>>   <command>
>>     <name>testar</name>
>>     <expect></expect>
>>     <executable>testar.sh</executable>
>>   </command>
>>
>>   <command>
>>     <name>slack</name>
>>     <expect>user,srcip</expect>
>>     <executable>slack.py</executable>
>>   </command>
>>
>>   <active-response>
>>     <command>testar</command>
>>     <location>local</location>
>>     <rules_id>5715,11309</rules_id>
>>   </active-response>
>>
>>
>>   <active-response>
>>     <command>slack</command>
>>     <location>local</location>
>>     <rules_id>5715,11309</rules_id>
>>   </active-response>
>>
>>
>> #ossec.log:
>> 2016/02/23 05:11:04 ossec-monitord(1225): INFO: SIGNAL Received. Exit Cleaning...
>> 2016/02/23 05:11:04 ossec-logcollector(1225): INFO: SIGNAL Received. Exit Cleaning...
>> 2016/02/23 05:11:04 ossec-remoted(1225): INFO: SIGNAL Received. Exit Cleaning...
>> 2016/02/23 05:11:04 ossec-syscheckd(1225): INFO: SIGNAL Received. Exit Cleaning...
>> 2016/02/23 05:11:04 ossec-analysisd(1225): INFO: SIGNAL Received. Exit Cleaning...
>> 2016/02/23 05:11:04 ossec-maild(1225): INFO: SIGNAL Received. Exit Cleaning...
>> 2016/02/23 05:11:04 ossec-execd(1314): INFO: Shutdown received. Deleting responses.
>> 2016/02/23 05:11:04 ossec-execd(1225): INFO: SIGNAL Received. Exit Cleaning...
>> 2016/02/23 05:11:14 ossec-testrule: INFO: Reading local decoder file.
>> 2016/02/23 05:11:14 ossec-testrule: INFO: Started (pid: 15157).
>> 2016/02/23 05:11:14 ossec-maild: INFO: Started (pid: 15176).
>> 2016/02/23 05:11:15 ossec-execd: INFO: Started (pid: 15180).
>> 2016/02/23 05:11:15 ossec-analysisd: INFO: Reading local decoder file.
>> 2016/02/23 05:11:15 ossec-analysisd: INFO: Reading rules file: 'sshd_rules.xml'
>> 2016/02/23 05:11:15 ossec-remoted: INFO: Started (pid: 15192).
>> 2016/02/23 05:11:15 ossec-rootcheck: System audit file not configured.
>> 2016/02/23 05:11:15 ossec-remoted: INFO: Started (pid: 15193).
>> 2016/02/23 05:11:15 ossec-analysisd: INFO: Reading rules file: 'local_rules.xml'
>> 2016/02/23 05:11:15 ossec-analysisd: INFO: Total rules enabled: '1258'
>> 2016/02/23 05:11:15 ossec-analysisd: INFO: Started (pid: 15184).
>> 2016/02/23 05:11:16 ossec-monitord: INFO: Started (pid: 15219).
>> 2016/02/23 05:11:16 ossec-remoted(4111): INFO: Maximum number of agents allowed: '256'.
>> 2016/02/23 05:11:16 ossec-remoted(1410): INFO: Reading authentication keys file.
>> 2016/02/23 05:11:16 ossec-remoted: INFO: No previous counter available for 'local'.
>> 2016/02/23 05:11:16 ossec-remoted: INFO: Assigning counter for agent local: '0:0'.
>> 2016/02/23 05:11:16 ossec-remoted: INFO: No previous sender counter.
>> 2016/02/23 05:11:16 ossec-remoted: INFO: Assigning sender counter: 0:0
>> 2016/02/23 05:11:21 ossec-logcollector(1950): INFO: Analyzing file: '/var/log/messages'.
>> 2016/02/23 05:11:21 ossec-logcollector(1950): INFO: Analyzing file: '/var/log/secure'.
>> 2016/02/23 05:11:21 ossec-logcollector: INFO: Started (pid: 15188).
>> 2016/02/23 05:11:22 ossec-syscheckd: INFO: Started (pid: 15215).
>> 2016/02/23 05:11:22 ossec-rootcheck: INFO: Started (pid: 15215).
>> 2016/02/23 05:11:22 ossec-syscheckd: INFO: Monitoring directory: '/home/woodwork/public_html'.
>>
>>
>> # ps ax | grep ossec
>> 15176 ?        S      0:00 /var/ossec/bin/ossec-maild
>> 15180 ?        S      0:00 /var/ossec/bin/ossec-execd
>> 15184 ?        S      0:00 /var/ossec/bin/ossec-analysisd
>> 15188 ?        S      0:00 /var/ossec/bin/ossec-logcollector
>> 15193 ?        Sl     0:00 /var/ossec/bin/ossec-remoted
>> 15215 ?        S      0:00 /var/ossec/bin/ossec-syscheckd
>> 15219 ?        S      0:00 /var/ossec/bin/ossec-monitord
>>
>>
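As an added example (not code from the thread or from OSSEC), a Python check of the poster's `<command>`/`<active-response>` fragments against the `etc/shared/ar.conf` excerpt, covering the things worth verifying before chasing the daemons: every response names a defined command, carries a trigger, uses a valid location, and has the matching `name+timeout - executable - timeout` line that ossec-analysisd writes. The set of valid location values and that ar.conf line format are assumptions taken from OSSEC documentation; the sample fragments are constructed from the thread's own excerpts.

```python
"""Cross-check OSSEC <command>/<active-response> fragments against ar.conf.

Added example, not OSSEC code. Assumed from OSSEC docs: the valid <location>
values and ar.conf lines of the form "<name><timeout> - <executable> - <timeout>".
"""
import re
import xml.etree.ElementTree as ET

VALID_LOCATIONS = {"local", "server", "defined-agent", "all"}

# Sample input constructed from the ossec.conf and etc/shared/ar.conf excerpts in the thread.
OSSEC_CONF_FRAGMENT = """
<command><name>testar</name><expect></expect><executable>testar.sh</executable></command>
<command><name>slack</name><expect>user,srcip</expect><executable>slack.py</executable></command>
<active-response><command>testar</command><location>local</location><rules_id>5715,11309</rules_id></active-response>
<active-response><command>slack</command><location>local</location><rules_id>5715,11309</rules_id></active-response>
"""
AR_CONF = """restart-ossec0 - restart-ossec.sh - 0
restart-ossec0 - restart-ossec.cmd - 0
testar0 - testar.sh - 0
slack0 - slack.py - 0
"""


def check_active_response(conf_fragment, ar_conf):
    """Return a list of findings; an empty list means the fragments are consistent."""
    root = ET.fromstring("<root>%s</root>" % conf_fragment)  # fragments need one wrapper element
    commands = {c.findtext("name"): c for c in root.iter("command")}
    # (name+timeout, executable) pairs that ossec-analysisd has written into ar.conf
    ar_entries = {(m.group(1), m.group(2)) for m in
                  (re.match(r"(\S+) - (\S+) - (\d+)$", l.strip()) for l in ar_conf.splitlines()) if m}
    findings = []
    for ar in root.iter("active-response"):
        name = ar.findtext("command")
        cmd = commands.get(name)
        if cmd is None:
            findings.append("active-response references undefined command %r" % name)
            continue
        loc = ar.findtext("location")
        if loc not in VALID_LOCATIONS:
            findings.append("%s: unknown location %r" % (name, loc))
        if loc == "defined-agent" and not ar.findtext("agent_id"):
            findings.append("%s: location defined-agent requires <agent_id>" % name)
        if not (ar.findtext("level") or ar.findtext("rules_id") or ar.findtext("rules_group")):
            findings.append("%s: no <level>, <rules_id> or <rules_group> trigger" % name)
        expected = (name + (ar.findtext("timeout") or "0"), cmd.findtext("executable") or "")
        if expected not in ar_entries:
            findings.append("%s: expected ar.conf entry %r missing" % (name, " - ".join(expected)))
    return findings
```

For the thread's own fragments the check returns no findings, which is consistent with the responder's view that the configuration itself is fine and the cause must be looked for in ossec.log and active-responses.log.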
