Re: [ossec-list] AR command executing when it should not be
On Tue, Jun 30, 2015 at 3:14 PM, Jeff Blaine cjbla...@gmail.com wrote: On Tuesday, June 30, 2015 at 5:27:58 AM UTC-4, secuc...@free.fr wrote: i see it like a feature, and it works like a cluster of information. We discover it on in very bad case! It's a feature and a design flaw, IMO. The feature part is as you described. The design flaw is that Active Response doesn't allow one to generically act only on the host where the problem was found. In the case of, for example, one host's /var/www/html directory contents changes (syscheck sees a new file added), an action should be able to be configured (generically) to act only on that host. Perhaps send the file to an alert team. We enjoy receiving patches for new features in the form of pull requests to the github repo: https://github.com/ossec/ossec-hids when an ip is triggering an alert, all the servers block this ip. It protects more the datacenter, but it could really go wrong and the second problem is if you put a lot of servers/ rules in AR you could have performance problem with a thousands of ip blocked each seconds. - Mail original - De: Jeff Blaine cjbl...@gmail.com À: ossec...@googlegroups.com Envoyé: Vendredi 26 Juin 2015 18:22:46 Objet: [ossec-list] AR command executing when it should not be When rule 550 or 554 is hit with ANY agent as the source, the command below is executing on agent 19. As I understand AR, the command should only be executing on agent 19 when rule 550 or 554 is hit *with agent 19 as the origin* Is this a bug or a misunderstanding on my part somewhere? Config piece: active-response commandtest-it/command locationdefined-agent/location agent_id019/agent_id rules_id550,554/rules_id /active-response -- --- You received this message because you are subscribed to the Google Groups ossec-list group. To unsubscribe from this group and stop receiving emails from it, send an email to ossec-list+...@googlegroups.com. For more options, visit https://groups.google.com/d/optout. -- --- You received this message because you are subscribed to the Google Groups ossec-list group. To unsubscribe from this group and stop receiving emails from it, send an email to ossec-list+unsubscr...@googlegroups.com. For more options, visit https://groups.google.com/d/optout. -- --- You received this message because you are subscribed to the Google Groups ossec-list group. To unsubscribe from this group and stop receiving emails from it, send an email to ossec-list+unsubscr...@googlegroups.com. For more options, visit https://groups.google.com/d/optout.
Re: [ossec-list] AR command executing when it should not be
good idea for a test - Mail original - De: LostInTheTubez lostinthetu...@gmail.com À: ossec-list@googlegroups.com Envoyé: Mardi 30 Juin 2015 21:57:43 Objet: RE: [ossec-list] AR command executing when it should not be Could you add a custom rule to achieve what you’re looking for? Something like: rule id=”10” level=”7” if_sid550,554/if_sid hostnamehostnameexample|hostnameexample2/hostname description550 or 554 event that occurred on hostnameexample or hostnameexampmle2/description /rule …Then trigger your active response off of 10 instead of 550 or 554? This is untested and I just manually typed out the rule, so beware typos if you are copy/pasting. From: ossec-list@googlegroups.com [mailto:ossec-list@googlegroups.com] On Behalf Of Jeff Blaine Sent: Tuesday, June 30, 2015 12:14 PM To: ossec-list@googlegroups.com Cc: secucatc...@free.fr Subject: Re: [ossec-list] AR command executing when it should not be On Tuesday, June 30, 2015 at 5:27:58 AM UTC-4, secuc...@free.fr wrote: i see it like a feature, and it works like a cluster of information. We discover it on in very bad case! It's a feature and a design flaw, IMO. The feature part is as you described. The design flaw is that Active Response doesn't allow one to generically act only on the host where the problem was found. In the case of, for example, one host's /var/www/html directory contents changes (syscheck sees a new file added), an action should be able to be configured (generically) to act only on that host . Perhaps send the file to an alert team. when an ip is triggering an alert, all the servers block this ip. It protects more the datacenter, but it could really go wrong and the second problem is if you put a lot of servers/ rules in AR you could have performance problem with a thousands of ip blocked each seconds. - Mail original - De: Jeff Blaine cjbl...@gmail.com À: ossec...@googlegroups.com Envoyé: Vendredi 26 Juin 2015 18:22:46 Objet: [ossec-list] AR command executing when it should not be When rule 550 or 554 is hit with ANY agent as the source, the command below is executing on agent 19. As I understand AR, the command should only be executing on agent 19 when rule 550 or 554 is hit *with agent 19 as the origin* Is this a bug or a misunderstanding on my part somewhere? Config piece: active-response commandtest-it/command locationdefined-agent/location agent_id019/agent_id rules_id550,554/rules_id /active-response -- --- You received this message because you are subscribed to the Google Groups ossec-list group. To unsubscribe from this group and stop receiving emails from it, send an email to ossec-list+...@googlegroups.com . For more options, visit https://groups.google.com/d/optout . -- --- You received this message because you are subscribed to the Google Groups ossec-list group. To unsubscribe from this group and stop receiving emails from it, send an email to ossec-list+unsubscr...@googlegroups.com . For more options, visit https://groups.google.com/d/optout . -- --- You received this message because you are subscribed to the Google Groups ossec-list group. To unsubscribe from this group and stop receiving emails from it, send an email to ossec-list+unsubscr...@googlegroups.com . For more options, visit https://groups.google.com/d/optout . -- --- You received this message because you are subscribed to the Google Groups ossec-list group. To unsubscribe from this group and stop receiving emails from it, send an email to ossec-list+unsubscr...@googlegroups.com. For more options, visit https://groups.google.com/d/optout.
RE: [ossec-list] AR command executing when it should not be
Could you add a custom rule to achieve what you’re looking for? Something like: rule id=”10” level=”7” if_sid550,554/if_sid hostnamehostnameexample|hostnameexample2/hostname description550 or 554 event that occurred on hostnameexample or hostnameexampmle2/description /rule …Then trigger your active response off of 10 instead of 550 or 554? This is untested and I just manually typed out the rule, so beware typos if you are copy/pasting. From: ossec-list@googlegroups.com [mailto:ossec-list@googlegroups.com] On Behalf Of Jeff Blaine Sent: Tuesday, June 30, 2015 12:14 PM To: ossec-list@googlegroups.com Cc: secucatc...@free.fr Subject: Re: [ossec-list] AR command executing when it should not be On Tuesday, June 30, 2015 at 5:27:58 AM UTC-4, secuc...@free.fr mailto:secuc...@free.fr wrote: i see it like a feature, and it works like a cluster of information. We discover it on in very bad case! It's a feature and a design flaw, IMO. The feature part is as you described. The design flaw is that Active Response doesn't allow one to generically act only on the host where the problem was found. In the case of, for example, one host's /var/www/html directory contents changes (syscheck sees a new file added), an action should be able to be configured (generically) to act only on that host. Perhaps send the file to an alert team. when an ip is triggering an alert, all the servers block this ip. It protects more the datacenter, but it could really go wrong and the second problem is if you put a lot of servers/ rules in AR you could have performance problem with a thousands of ip blocked each seconds. - Mail original - De: Jeff Blaine cjbl...@gmail.com javascript: À: ossec...@googlegroups.com javascript: Envoyé: Vendredi 26 Juin 2015 18:22:46 Objet: [ossec-list] AR command executing when it should not be When rule 550 or 554 is hit with ANY agent as the source, the command below is executing on agent 19. As I understand AR, the command should only be executing on agent 19 when rule 550 or 554 is hit *with agent 19 as the origin* Is this a bug or a misunderstanding on my part somewhere? Config piece: active-response commandtest-it/command locationdefined-agent/location agent_id019/agent_id rules_id550,554/rules_id /active-response -- --- You received this message because you are subscribed to the Google Groups ossec-list group. To unsubscribe from this group and stop receiving emails from it, send an email to ossec-list+...@googlegroups.com javascript: . For more options, visit https://groups.google.com/d/optout. -- --- You received this message because you are subscribed to the Google Groups ossec-list group. To unsubscribe from this group and stop receiving emails from it, send an email to ossec-list+unsubscr...@googlegroups.com mailto:ossec-list+unsubscr...@googlegroups.com . For more options, visit https://groups.google.com/d/optout. -- --- You received this message because you are subscribed to the Google Groups ossec-list group. To unsubscribe from this group and stop receiving emails from it, send an email to ossec-list+unsubscr...@googlegroups.com. For more options, visit https://groups.google.com/d/optout.
Re: [ossec-list] AR command executing when it should not be
On Tuesday, June 30, 2015 at 5:27:58 AM UTC-4, secuc...@free.fr wrote: i see it like a feature, and it works like a cluster of information. We discover it on in very bad case! It's a feature and a design flaw, IMO. The feature part is as you described. The design flaw is that Active Response doesn't allow one to generically act only on the host where the problem was found. In the case of, for example, *one host's* /var/www/html directory contents changes (syscheck sees a new file added), an action should be able to be configured (generically) to act only *on that host*. Perhaps send the file to an alert team. when an ip is triggering an alert, all the servers block this ip. It protects more the datacenter, but it could really go wrong and the second problem is if you put a lot of servers/ rules in AR you could have performance problem with a thousands of ip blocked each seconds. - Mail original - De: Jeff Blaine cjbl...@gmail.com javascript: À: ossec...@googlegroups.com javascript: Envoyé: Vendredi 26 Juin 2015 18:22:46 Objet: [ossec-list] AR command executing when it should not be When rule 550 or 554 is hit with ANY agent as the source, the command below is executing on agent 19. As I understand AR, the command should only be executing on agent 19 when rule 550 or 554 is hit *with agent 19 as the origin* Is this a bug or a misunderstanding on my part somewhere? Config piece: active-response commandtest-it/command locationdefined-agent/location agent_id019/agent_id rules_id550,554/rules_id /active-response -- --- You received this message because you are subscribed to the Google Groups ossec-list group. To unsubscribe from this group and stop receiving emails from it, send an email to ossec-list+...@googlegroups.com javascript:. For more options, visit https://groups.google.com/d/optout. -- --- You received this message because you are subscribed to the Google Groups ossec-list group. To unsubscribe from this group and stop receiving emails from it, send an email to ossec-list+unsubscr...@googlegroups.com. For more options, visit https://groups.google.com/d/optout.
Re: [ossec-list] AR command executing when it should not be
On Jun 26, 2015 12:23 PM, Jeff Blaine cjbla...@gmail.com wrote: When rule 550 or 554 is hit with ANY agent as the source, the command below is executing on agent 19. As I understand AR, the command should only be executing on agent 19 when rule 550 or 554 is hit *with agent 19 as the origin* Is this a bug or a misunderstanding on my part somewhere? Yes, I think it's a misunderstanding. Defining agent 19 below only configures AR to run on that agent. It does not in any way specify that alerts must come from that agent. Config piece: active-response commandtest-it/command locationdefined-agent/location agent_id019/agent_id rules_id550,554/rules_id /active-response -- --- You received this message because you are subscribed to the Google Groups ossec-list group. To unsubscribe from this group and stop receiving emails from it, send an email to ossec-list+unsubscr...@googlegroups.com. For more options, visit https://groups.google.com/d/optout. -- --- You received this message because you are subscribed to the Google Groups ossec-list group. To unsubscribe from this group and stop receiving emails from it, send an email to ossec-list+unsubscr...@googlegroups.com. For more options, visit https://groups.google.com/d/optout.