On Sun, Jan 13, 2019 at 1:44 PM Giorgio Biondi <biondi.gior...@gmail.com> wrote:
>
> Hi,
>
> I have some experience with the ossec server but little with ossim.
> My target is to replace ossim-server and replace it with ossim.
>
> But Ossim comes with this configuration (and has AR disabled); the
> ossec.conf on ossim follows:
>
> <ossec_config>
> [snip lots of config]
> </ossec_config>
> <!-- rules global entry -->
>
> **********************
> But I want AR enabled, so I have added this to the configuration and have
> set disable=no in Active Response
> **********************
> <command>
>   <name>host-deny</name>
>   <executable>host-deny.sh</executable>
>   <expect>srcip</expect>
>   <timeout_allowed>yes</timeout_allowed>
> </command>
>
> <command>
>   <name>firewall-drop</name>
>   <executable>firewall-drop.sh</executable>
>   <expect>srcip</expect>
>   <timeout_allowed>yes</timeout_allowed>
> </command>
>
> <command>
>   <name>disable-account</name>
>   <executable>disable-account.sh</executable>
>   <expect>user</expect>
>   <timeout_allowed>yes</timeout_allowed>
> </command>
>
> <command>
>   <name>restart-ossec</name>
>   <executable>restart-ossec.sh</executable>
>   <expect></expect>
> </command>
>
> <command>
>   <name>route-null</name>
>   <executable>route-null.sh</executable>
>   <expect>srcip</expect>
>   <timeout_allowed>yes</timeout_allowed>
> </command>
>
> <!-- Active Response Config -->
> <active-response>
>   <!-- This response is going to execute the host-deny
>      - command for every event that fires a rule with
>      - level (severity) >= 6.
>      - The IP is going to be blocked for 600 seconds.
>   -->
>   <command>host-deny</command>
>   <location>all</location>
>   <level>6</level>
>   <timeout>600</timeout>
>   <repeated_offenders>60,120,480</repeated_offenders>
> </active-response>
>
> <active-response>
>   <!-- Firewall Drop response. Block the IP for
>      - 600 seconds on the firewall (iptables,
>      - ipfilter, etc).
>   -->
>   <command>firewall-drop</command>
>   <location>all</location>
>   <level>6</level>
>   <timeout>600</timeout>
>   <repeated_offenders>60,120,480</repeated_offenders>
> </active-response>
>
If what you posted is accurate, all of the active response stuff is outside
of the <ossec_config></ossec_config> stuff. So if you remove the
</ossec_config> after the <agentless> stuff, and add it at the end of the
file, I think it will work.

>
> <command>
>   <name>win_nullroute</name>
>   <executable>route-null.cmd</executable>
>   <expect>srcip</expect>
>   <timeout_allowed>yes</timeout_allowed>
> </command>
>
> <active-response>
>   <command>win_nullroute</command>
>   <location>all</location>
>   <level>6</level>
>   <timeout>600</timeout>
> </active-response>
>
> With this modification, Ossec on Ossim doesn't start and has the error
> written before in ossec.log.
>
> Thanks for your time.
>
> gb
>
>
> On Sunday, January 13, 2019 at 17:48:44 UTC+1, Brian Candler wrote:
>>
>> Well, I'd guess you have a configuration error - maybe some missing options
>> in the active response configuration.
>>
>> Would you care to post any configuration files you have created or changed,
>> e.g. ossec.conf and local_internal_options.conf ?
>
> --
>
> ---
> You received this message because you are subscribed to the Google Groups
> "ossec-list" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to ossec-list+unsubscr...@googlegroups.com.
> For more options, visit https://groups.google.com/d/optout.
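A small check for the misplacement the reply describes, added here as an example (not code from the thread or from the OSSEC project): it parses an ossec.conf wrapped in a synthetic root, lists any top-level blocks that fall outside every <ossec_config>, and applies the suggested fix of moving the closing tag to the end of the file. SAMPLE_CONF is a constructed fragment that reproduces the layout from the thread.

```python
"""Find <command>/<active-response> blocks outside <ossec_config> (where
OSSEC never reads them) and apply the fix suggested in the reply."""
import xml.etree.ElementTree as ET

# Constructed sample with the thread's layout: </ossec_config> closes
# before the Active Response blocks, so they are silently ignored.
SAMPLE_CONF = """<ossec_config>
  <agentless><frequency>36000</frequency></agentless>
</ossec_config>
<!-- rules global entry -->
<command>
  <name>firewall-drop</name>
  <executable>firewall-drop.sh</executable>
  <expect>srcip</expect>
  <timeout_allowed>yes</timeout_allowed>
</command>
<active-response>
  <command>firewall-drop</command>
  <location>all</location>
  <level>6</level>
  <timeout>600</timeout>
</active-response>
"""

def parse_ossec_conf(text):
    # ossec.conf may hold several <ossec_config> blocks plus top-level
    # comments, so it is not one XML document: wrap it in a root first.
    return ET.fromstring("<root>" + text + "</root>")

def find_misplaced(text):
    """Tags of top-level elements that are not <ossec_config>; anything
    listed here never takes effect, which is exactly the thread's bug."""
    return [c.tag for c in parse_ossec_conf(text) if c.tag != "ossec_config"]

def count_inside(text, tag):
    """Number of <tag> blocks that are direct children of an <ossec_config>."""
    root = parse_ossec_conf(text)
    return sum(1 for cfg in root.findall("ossec_config")
               for el in cfg if el.tag == tag)

def move_closing_tag_to_end(text):
    """The reply's fix: drop the last </ossec_config> and append one at the
    very end so the trailing blocks land inside the config."""
    head, sep, tail = text.rpartition("</ossec_config>")
    if not sep:
        raise ValueError("no </ossec_config> in input")
    return head + tail.rstrip() + "\n</ossec_config>\n"
```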