Hi Ralph, you are welcome.

Yes, I did, I can confirm I was seeing entries on active-response.log and the *firewall-dns-query-drop.sh* was triggering. Let me see if I can keep helping you: by "stand-alone" you mean you only have an OSSEC Manager running, isn't it? Just to be sure, at the active-response block, "*local*" means "agents", and "*server*" means that the AR will work for the OSSEC Manager. You could check the documentation here <http://ossec-docs.readthedocs.io/en/latest/syntax/head_ossec_config.active-response.html#element-location>, which probably explains everything better than myself :D

Copy-pasting from OSSEC Docs:

> *location*
> Where the command should be executed. You have four options:
> Allowed:
>   local: on the agent that generated the event
>   server: on the OSSEC server
>   defined-agent: on a specific agent (when using this option, you need to set the agent_id to use)
>   all: or everywhere.

The "local" setting will run the command only on the agent side, never on the Manager side.

Hope it helps.

Cheers,
Pedro.

On Tue, Mar 14, 2017 at 2:04 PM, Ralph Durkee <ralph.dur...@gmail.com> wrote:
> Thanks for trying it.
>
> - Permissions on the script are good.
>
> # ll active-response/bin/firewall-dns-query-drop.sh
> -rwxr-x--- 1 root ossec 5758 Mar 10 07:58 active-response/bin/firewall-dns-query-drop.sh*
>
> - I removed the <level> 8 tag.
> - This is a stand-alone install so I don't think the server tag is needed.
>
> Just to confirm that when you say it worked, the active-response.log shows an attempt to run the script active-response/bin/firewall-dns-query-drop.sh?
>
> I did a test where I copied firewall-drop.sh to firewall-dns-query-drop.sh just to eliminate any concern that the issue might be with the script, but the script did not get invoked. It would generate an error, because an IP address isn't passed, but I'm convinced it's something in the ossec-server.conf file. I'm going to try it out on a clean Cent-OS 7 system next.
>
> Thanks for the help,
>
> -- Ralph
>
> On Tuesday, March 14, 2017 at 8:13:31 AM UTC-4, Pedro Sanchez wrote:
>> Hi Ralph,
>>
>> I have been testing your configuration, everything works great on my environment (using standard firewall-drop.sh).
>>
>> A few tips which may help you:
>>
>> - Active-response block: you are using *rules_id* and *level*; since your rule will have the same level no matter what, maybe you could remove <level>
>> - Active-response block: you defined "local", which will only trigger active-response on remote agents; in case you want to trigger active-response at the manager, you could use "*server*", or both, "*server,local*" (the "*all*" option is not working on my environment)
>> - Ruleset: I did verify your decoders and rules; still, you could use the bin/ossec-logtest tool and paste your event, just to confirm they are working properly on your installation
>> - You could run the active-response manually by running: *bin/agent_control -b ip_address_to_block -f firewall-dns-query-drop5400 -u agent_id*
>> - Permissions: confirm your scripts have permissions root:ossec and rwxr-x---
>>
>> Hope it helps, best regards,
>> Pedro Sanchez.
>>
>> On Monday, March 13, 2017 at 3:11:50 PM UTC+1, Ralph Durkee wrote:
>>> I'm getting heavy flurries of bogus DNS queries to a non-recursive, authoritative DNS server. The traffic comes from a large spread of src ip addresses, so it's obviously mostly spoofed. The queries are all denied, so it's almost no risk, except that it heavily overloads the log management, it's annoying, and could cause some more serious logs to get missed in the flurry. The rate of traffic is about 3 – 20 queries per second, and a flurry often runs for several hours. The host name is random, but the domain names are pretty static within a single flurry.
>>>
>>> So I've written a named decoder to extract the host name as 'user', and rules to alert on the flurry of denied queries. The decoder and alerts are working fine. I also have an active response script which adds an iptable rule to drop queries for a specific denied domain name. The script works fine when run by hand. It's based on the existing active-response/bin/firewall-drop.sh so that it uses the same locking directory, so that the two scripts will co-operate on locking. The one thing that's not working is that when the alert is generated the script doesn't get run. The script is in the active-response/bin with rx permissions. There's no error log in the ossec.log and there's not even an indication that it started to run in the active-responses.log. The first thing the script does is generate a log to active-response.log similar to the script it's based on. However the script is not run when the alert is generated for rule 100002.
>>>
>>> *Sample traffic:*
>>>
>>> Mar 13 01:42:45 net19 named[6147]: client 31.150.218.239#6173 (odcdavcxkvin.games.yuanyou8.com): query (cache) 'odcdavcxkvin.games.yuanyou8.com/A/IN' denied
>>> Mar 13 01:42:45 net19 named[6147]: client 29.153.55.216#28938 (qbwrypybuhuv.games.yuanyou8.com): query (cache) 'qbwrypybuhuv.games.yuanyou8.com/A/IN' denied
>>> Mar 13 01:42:46 net19 named[6147]: client 126.122.141.86#34892 (azkhczkxcpgh.games.yuanyou8.com): query (cache) 'azkhczkxcpgh.games.yuanyou8.com/A/IN' denied
>>> Mar 13 01:42:46 net19 named[6147]: client 72.226.226.185#29311 (wfgdglqlqbwd.games.yuanyou8.com): query (cache) 'wfgdglqlqbwd.games.yuanyou8.com/A/IN' denied
>>>
>>> *Sample alerts:*
>>>
>>> ** Alert 1489383774.343817: - local,syslog,
>>> 2017 Mar 13 01:42:54 net19->/var/log/named.log
>>> Rule: 12108 (level 4) -> 'Invalid Query cache denied.'
>>> Src IP: 60.50.34.62
>>> Mar 13 01:42:53 net19 named[6147]: client 60.50.34.62#39074 (uburatmbgrov.games.yuanyou8.com): query (cache) 'uburatmbgrov.games.yuanyou8.com/A/IN' denied
>>>
>>> ** Alert 1489383774.344139: - local,syslog,
>>> 2017 Mar 13 01:42:54 net19->/var/log/named.log
>>> Rule: 12108 (level 4) -> 'Invalid Query cache denied.'
>>> Src IP: 42.76.121.217
>>> Mar 13 01:42:54 net19 named[6147]: client 42.76.121.217#52337 (eropovspwfyl.games.yuanyou8.com): query (cache) 'eropovspwfyl.games.yuanyou8.com/A/IN' denied
>>>
>>> ** Alert 1489383774.344465: - local,syslog,
>>> 2017 Mar 13 01:42:54 net19->/var/log/named.log
>>> Rule: 100002 (level 8) -> 'Multiple denied DNS queries in a short time.'
>>> Src IP: 96.174.127.167
>>> Mar 13 01:42:54 net19 named[6147]: client 96.174.127.167#16133 (qtoncngdqvcv.games.yuanyou8.com): query (cache) 'qtoncngdqvcv.games.yuanyou8.com/A/IN' denied
>>> Mar 13 01:42:54 net19 named[6147]: client 42.76.121.217#52337 (eropovspwfyl.games.yuanyou8.com): query (cache) 'eropovspwfyl.games.yuanyou8.com/A/IN' denied
>>> Mar 13 01:42:53 net19 named[6147]: client 60.50.34.62#39074 (uburatmbgrov.games.yuanyou8.com): query (cache) 'uburatmbgrov.games.yuanyou8.com/A/IN' denied
>>> Mar 13 01:42:53 net19 named[6147]: client 31.138.210.77#3939 (izilszqtqvav.games.yuanyou8.com): query (cache) 'izilszqtqvav.games.yuanyou8.com/A/IN' denied
>>> Mar 13 01:42:53 net19 named[6147]: client 44.157.160.105#63395 (afmxgjqfelwj.games.yuanyou8.com): query (cache) 'afmxgjqfelwj.games.yuanyou8.com/A/IN' denied
>>> Mar 13 01:42:53 net19 named[6147]: client 1.58.85.178#22054 (olshwnafqhihgvkn.games.yuanyou8.com): query (cache) 'olshwnafqhihgvkn.games.yuanyou8.com/A/IN' denied
>>> Mar 13 01:42:53 net19 named[6147]: client 103.7.105.111#13695 (yzunwbizupyr.games.yuanyou8.com): query (cache) 'yzunwbizupyr.games.yuanyou8.com/A/IN' denied
>>> Mar 13 01:42:52 net19 named[6147]: client 34.96.205.55#4089 (atkdwdixmfkl.games.yuanyou8.com): query (cache) 'atkdwdixmfkl.games.yuanyou8.com/A/IN' denied
>>> Mar 13 01:42:52 net19 named[6147]: client 70.94.229.18#28624 (oletkhwbodyn.games.yuanyou8.com): query (cache) 'oletkhwbodyn.games.yuanyou8.com/A/IN' denied
>>> Mar 13 01:42:51 net19 named[6147]: client 47.224.195.250#8636 (axcpajunsfoj.games.yuanyou8.com): query (cache) 'axcpajunsfoj.games.yuanyou8.com/A/IN' denied
>>> Mar 13 01:42:51 net19 named[6147]: client 96.243.170.64#27176 (ahefilwzohgb.games.yuanyou8.com): query (cache) 'ahefilwzohgb.games.yuanyou8.com/A/IN' denied
>>>
>>> *Active response configuration.*
>>>
>>> <!-- RALPH: Customized script based on firewall-drop.sh
>>>      uses same locking, drops DNS queries with specific domain name.
>>> -->
>>> <command>
>>>   <name>firewall-dns-query-drop</name>
>>>   <executable>firewall-dns-query-drop.sh</executable>
>>>   <expect>user</expect>
>>>   <timeout_allowed>yes</timeout_allowed>
>>> </command>
>>>
>>> . . .
>>>
>>> <active-response>
>>>   <command>firewall-dns-query-drop</command>
>>>   <location>local</location>
>>>   <rules_id>100002</rules_id>
>>>   <level>8</level>
>>>   <timeout>5400</timeout>
>>> </active-response>
>>>
>>> *The decoder:*
>>>
>>> # *cat etc/decoders.d/local_named.xml*
>>>
>>> <!--- RALPH: Adjust decoder to catch domain name.
>>>   SAMPLES:
>>>   Mar 7 09:43:19 net19 named[6147]: client 53.144.157.215#61687 (qhctgjulipqfchyv.qiyering.com): query (cache) 'qhctgjulipqfchyv.qiyering.com/A/IN' denied
>>>
>>>   Doesn't make sense to put the domain name in "user", except only srcip and user
>>>   are passed to active scripts, and have a <same_xxx> capability.
>>> -->
>>>
>>> <decoder name="named-query-denied">
>>>   <parent>named</parent>
>>>   <prematch>denied$</prematch>
>>>   <regex>client (\S+)#\d+\s+\((\S+)\): query </regex>
>>>   <order>srcip,user</order>
>>> </decoder>
>>>
>>> *new rules in rules/local_rules.xml*
>>>
>>> <!-- Was level 0, now it needs to aggregate to an automated response.
>>> -->
>>> <rule id="12108" level="4" overwrite="yes">
>>>   <if_sid>12100</if_sid>
>>>   <match>query (cache) denied|: query (cache)</match>
>>>   <description>Invalid Query cache denied.</description>
>>> </rule>
>>>
>>> <rule id="100002" level="8" frequency="10" timeframe="60" >
>>>   <if_matched_sid>12108</if_matched_sid>
>>>   <description>Multiple denied DNS queries in a short time.</description>
>>>   <info></info>
>>> </rule>
>>
>> --
>
> ---
> You received this message because you are subscribed to the Google Groups "ossec-list" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to ossec-list+unsubscr...@googlegroups.com.
> For more options, visit https://groups.google.com/d/optout.
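An offline check of the decoder and rules posted in this thread, added here as an editor's example; it is not OSSEC code and not Ralph's script. It re-implements the named-query-denied decoder regex and the frequency="10" timeframe="60" aggregation of rule 100002 in Python, runs them over constructed named log lines in the posted format, and builds the argument vector a firewall-drop.sh-style active-response script receives (ACTION USER IP ALERTID RULEID). Two details are modelled assumptions rather than facts from the thread: fields not listed in <expect> are passed as "-" (which is why a copied firewall-drop.sh errors on the missing IP), and the match window is cleared once 100002 fires. Use bin/ossec-logtest for the authoritative counts on your installation.

```python
"""Offline check of the named decoder and composite rule from this thread.

Added example, not OSSEC code and not the poster's script: it re-implements
the decoder regex and the frequency=10/timeframe=60 rule in Python and builds
the argument vector a firewall-drop.sh-style response script receives
(ACTION USER IP ALERTID RULEID). The "-" placeholder for fields absent from
<expect> and the window reset after 100002 fires are modelled assumptions;
confirm real counts with bin/ossec-logtest.
"""
import re
from datetime import datetime

# <decoder name="named-query-denied">, translated to Python re.
PREMATCH = re.compile(r"denied$")
DECODER = re.compile(r"client (\S+)#\d+\s+\((\S+)\): query ")
# <rule id="100002" level="8" frequency="10" timeframe="60">
FREQUENCY, TIMEFRAME = 10, 60
PARENT_SID, COMPOSITE_SID = 12108, 100002


def named_denied(ts, ip, port, fqdn):
    """One 'query (cache) ... denied' line in the format named logs."""
    return (f"{ts} net19 named[6147]: client {ip}#{port} ({fqdn}): "
            f"query (cache) '{fqdn}/A/IN' denied")


# Constructed sample input; addresses and names follow the thread's samples.
SAMPLE_EVENTS = [
    ("Mar 13 01:42:45", "31.150.218.239", 6173, "odcdavcxkvin.games.yuanyou8.com"),
    ("Mar 13 01:42:45", "29.153.55.216", 28938, "qbwrypybuhuv.games.yuanyou8.com"),
    ("Mar 13 01:42:46", "126.122.141.86", 34892, "azkhczkxcpgh.games.yuanyou8.com"),
    ("Mar 13 01:42:46", "72.226.226.185", 29311, "wfgdglqlqbwd.games.yuanyou8.com"),
    ("Mar 13 01:42:51", "96.243.170.64", 27176, "ahefilwzohgb.games.yuanyou8.com"),
    ("Mar 13 01:42:51", "47.224.195.250", 8636, "axcpajunsfoj.games.yuanyou8.com"),
    ("Mar 13 01:42:52", "70.94.229.18", 28624, "oletkhwbodyn.games.yuanyou8.com"),
    ("Mar 13 01:42:52", "34.96.205.55", 4089, "atkdwdixmfkl.games.yuanyou8.com"),
    ("Mar 13 01:42:53", "103.7.105.111", 13695, "yzunwbizupyr.games.yuanyou8.com"),
    ("Mar 13 01:42:53", "60.50.34.62", 39074, "uburatmbgrov.games.yuanyou8.com"),
    ("Mar 13 01:42:54", "42.76.121.217", 52337, "eropovspwfyl.games.yuanyou8.com"),
]
SAMPLE_LINES = [named_denied(*e) for e in SAMPLE_EVENTS]
# A named line that is not a denied query: the prematch must reject it.
NOISE_LINE = "Mar 13 01:42:50 net19 named[6147]: received control channel command 'reload'"


def decode(line):
    """Mirror <order>srcip,user</order>: return both fields, or None."""
    if not PREMATCH.search(line):
        return None
    m = DECODER.search(line)
    if not m:
        return None
    return {"srcip": m.group(1), "user": m.group(2)}


def syslog_time(line):
    """Parse the leading 'Mon DD HH:MM:SS'; the year does not matter for deltas."""
    return datetime.strptime(line[:15], "%b %d %H:%M:%S")


def run_rules(lines):
    """Return alerts as (sid, srcip, user) tuples in firing order.

    Every decoded denied query raises 12108 (overwritten to level 4). When
    FREQUENCY of them fall inside TIMEFRAME seconds, 100002 fires once with
    the triggering event's fields and the window is cleared (assumption).
    """
    alerts = []
    window = []  # timestamps of 12108 matches not yet consumed by 100002
    for line in lines:
        fields = decode(line)
        if fields is None:
            continue
        alerts.append((PARENT_SID, fields["srcip"], fields["user"]))
        now = syslog_time(line)
        window = [t for t in window if (now - t).total_seconds() <= TIMEFRAME]
        window.append(now)
        if len(window) >= FREQUENCY:
            alerts.append((COMPOSITE_SID, fields["srcip"], fields["user"]))
            window = []
    return alerts


def ar_argv(alert, alert_id, expect=("user",),
            script="firewall-dns-query-drop.sh", action="add"):
    """Argument vector in firewall-drop.sh order: ACTION USER IP ALERTID RULEID.

    Fields named in <expect> are passed, the others as "-" (assumption); if an
    expected field is missing from the alert the response is not run at all.
    """
    sid, srcip, user = alert
    fields = {"user": user, "srcip": srcip}
    if any(not fields[name] for name in expect):
        return None
    return [script, action,
            fields["user"] if "user" in expect else "-",
            fields["srcip"] if "srcip" in expect else "-",
            alert_id, str(sid)]


if __name__ == "__main__":
    for alert in run_rules(SAMPLE_LINES[:4] + [NOISE_LINE] + SAMPLE_LINES[4:]):
        if alert[0] == COMPOSITE_SID:
            print("AR would run:", " ".join(ar_argv(alert, "1489383774.344465")))
```

Whatever this simulation reports, it only tells you what the manager would hand to execd; it does not decide where the command executes. On a stand-alone manager, `<location>local</location>` sends the command to agents only, so nothing runs; `server` (or `server,local`) is what makes the manager itself execute it, which is the point Pedro makes above.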