Re: [ossec-list] Re: ACTIVE-RESPONSE NOT WORKING

2024-09-08 Thread den
Can you guide me on how to turn on active response on my OSSEC? Mine is not even working, even though I added the code block like you did in my ossec.conf. On Friday, September 25, 2020 at 2:40:45 PM UTC+7 lê danh wrote: > oh i did it and it works great, it can block me before i get my password, > thank you so

Re: [ossec-list] Re: Active response not working for rule_id 554 with "filename" as expect

2022-03-04 Thread Manuel Camona Perez
Hi again and sorry for the late response, In the last comment I posted, I showed you an example where I used manager and agent with Wazuh version 4.1.5. In order to replicate your issue, I need to know the Wazuh versions you are using in the implicated manager and agents. I have also seen som

Re: [ossec-list] Re: Active response not working for rule_id 554 with "filename" as expect

2022-03-04 Thread 'Aksha Gandhi | Information Security' via ossec-list
Hi, Thank you for your detailed explanation. I would like to discuss my scenario in detail so we could have a good understanding on our issue. *Case1*: I will be creating a new file(march4.txt) generating rule ID 554 and also editing an existing file(march.txt) generating rule ID 551. This is the

Re: [ossec-list] Re: Active response not working for rule_id 554 with "filename" as expect

2022-03-03 Thread Manuel Camona Perez
Hi again, Which Wazuh version are you using? I suppose that you are using *4.1* or a previous version as from *4.2*, active response custom scripts work differently. I have been testing your active response configuration and scripts are being executed properly, as you said. As you can see in

Re: [ossec-list] Re: Active response not working for rule_id 554 with "filename" as expect

2022-03-03 Thread 'Aksha Gandhi | Information Security' via ossec-list
Hi, We are using AlienVault Version: OSSIM 5.7.4 For scripts we are referring to : https://github.com/jonschipp/nsm-tools/ The script is getting executed but we are not receiving FILENAME parameter when RULE ID 554 is getting triggered. Thanks in advance. On Thu, Mar 3, 2022 at 5:45 PM Manuel Cam

[ossec-list] Re: Active response not working for rule_id 554 with "filename" as expect

2022-03-03 Thread Manuel Camona Perez
Hi Aksha and sorry for the late response, I will try to help you solve this issue. I need some information to test your use case and see what is happening. First of all, could you tell me which Wazuh version you are using? Also, it would be fine if you send the active response script you are t

[ossec-list] Re: Active response not working for rule_id 554 with "filename" as expect

2022-03-01 Thread 'AKSHA GANDHI' via ossec-list
Hi Ossec Team, Can anyone please review this and help. Thanks in Advance. Aksha On Friday, February 25, 2022 at 7:17:18 PM UTC+5:30 AKSHA GANDHI wrote: > Hi, > 1. Active response is getting triggered for both Rule ID 550,554 if > parameter is kept blank. 2. If parameter is given value > FI

Re: [ossec-list] Re: ACTIVE-RESPONSE NOT WORKING

2021-02-22 Thread Natassia S
I don't know about stopping it completely but you can slow it substantially by using progressively larger penalty times for repeat offenders. Natassia On Fri, Sep 25, 2020 at 12:41 AM lê danh wrote: > oh i did it and it works great, it can block me before i get my password, > thank you so much

Re: [ossec-list] Re: ACTIVE-RESPONSE NOT WORKING

2020-09-25 Thread lê danh
Oh, I did it and it works great; it can block me before I get my password. Thank you so much. On Wed, 23 Sep 2020 at 18:21, Daniel Folch < daniel.fo...@wazuh.com> wrote: > Hello, > > First, let us start with the active response configuration of the manager > and agent, the configuratio

Re: [EXTERNAL MSG:][ossec-list] Re: ACTIVE-RESPONSE NOT WORKING

2020-09-24 Thread Daniel Folch
> > Sent from my T-Mobile 4G LTE Device > > > > Original message > From: Daniel Folch > > Date: 9/23/20 7:21 AM (GMT-05:00) > To: ossec-list > > Subject: [EXTERNAL MSG:][ossec-list] Re: ACTIVE-RESPONSE NOT WORKING > > WARNING: This ema

RE: [EXTERNAL MSG:][ossec-list] Re: ACTIVE-RESPONSE NOT WORKING

2020-09-24 Thread John Gomez
(GMT-05:00) To: ossec-list Subject: [EXTERNAL MSG:][ossec-list] Re: ACTIVE-RESPONSE NOT WORKING WARNING: This email originated from outside of Sensato. Do not click links or open attachments unless you verify by phone with the sender. Hello, First, let us start with the active response

[ossec-list] Re: ACTIVE-RESPONSE NOT WORKING

2020-09-23 Thread Daniel Folch
Hello, First, let us start with the active response configuration of the manager and agent, the configuration you shared should be used on the manager side, and for the agent you just need to set it like this: no /var/ossec/etc/wpk_root.pem yes As a side note, the rule 5720

[ossec-list] Re: Active-Response will cause a zombie process

2019-08-02 Thread Pablo Navarro
Hi EXP, Is the process execd still running when the zombie process is detected? In high concurrency environments, the system might drop the return signal of some child processes. In that case, the child sent his signal but execd did not receive it, so the child process gets converted into a zomb

Re: [ossec-list] Re: active-response is not working :(

2018-01-15 Thread dan (ddp)
On Wed, Jan 10, 2018 at 6:15 AM, HairLoss2018 wrote: > OK, I have resolved this issue by re-installing OSSEC and setting > active-response to live during setup. > > I notice that values entered during setup are added to ossec.mc and not > ossec.conf and in ossec.conf it says > > Do I need to echo

[ossec-list] Re: Active Response on Agents - Filename

2017-12-27 Thread ur dad
I just added no To ossec.conf on the agent and it triggered the same active response (I guess I should remove rules_group? it was rule 550, file changed) and was able to see the filename (currently the script just echoes all the parameters it receives) On Wednesday, December 27, 2017 at 4:

[ossec-list] Re: Active response responding to other agent's alerts

2017-11-12 Thread John Gelnaw
On Friday, November 10, 2017 at 3:00:36 PM UTC-5, Josmell Chavarri wrote: > > Hi, can you help me with a problem? > > I have a ossec-wazuh Server with 20 agents connected with active response > for agent id 001. > > > Ossec.conf --- the server > > > > firewall-drop > def

Re: [ossec-list] Re: Active response with multiple rules_group

2016-11-01 Thread dan (ddp)
On Mon, Oct 31, 2016 at 2:02 PM, Brad wrote: > Nice find Pedro! That was the problem. I wish the documentation had said > that it was regex based. Lol. At least it's working now. :) Many thanks > I've created a pull request to hopefully fix the documentation: https://github.com/ossec/ossec-

[ossec-list] Re: Active response with multiple rules_group

2016-10-31 Thread Brad
Nice find Pedro! That was the problem. I wish the documentation had said that it was regex based. Lol. At least it's working now. :) Many thanks On Saturday, October 29, 2016 at 3:53:53 PM UTC-5, Brad wrote: > > Hi all, > > I'm setting up an AR and it works if I only use 1 rules_group or if

[ossec-list] Re: Active response command not present

2016-09-26 Thread Jesus Linares
Hi, if it is a linux agent, the restart-ossec.cmd will not work. You must use restart-ossec.sh. Check out the documentation: - http://ossec-docs.readthedocs.io/en/latest/manual/ar/index.html - http://ossec-docs.readthedocs.io/en/latest/syntax/head_ossec_config.active-response.html

[ossec-list] Re: Active response command not present

2016-09-23 Thread F1LT3R
I also see the above on a Linux box (Ubuntu 14). On Tuesday, April 21, 2015 at 10:07:28 AM UTC-4, Bob Jolliffe wrote: > > I am seeing the following in my ossec.log on a linux agent: > > ossec-execd: INFO: Active response command not present: > '/var/ossec/active-response/bin/restart-ossec.cmd'.

Re: [ossec-list] Re: active-response alerts?

2016-02-23 Thread Jesus Linares
Decoder and rules for active-response are the same in both Wazuh and OSSEC. I meant that rules 601-606 are for a specific sh (check tag *action*), so if you are using a custom sh you will not see the alert. Also, alert 600 is generic (for all active responses) but level is 0. Regards. Jesus Lin

Re: [ossec-list] Re: active-response alerts?

2016-02-23 Thread Barry Kaplan
Seems that wazuh already has a decoder and rules for active-response. (Not sure if these are also in ossec proper) https://github.com/wazuh/ossec-rules/blob/master/rules-decoders/ossec/rules/ossec_rules.xml

Re: [ossec-list] Re: active-response alerts?

2016-02-23 Thread dan (ddp)
On Feb 23, 2016 12:42 AM, "Barry Kaplan" wrote: > > So I'm confused then. The server decided to initiate these actions on the client, no? The server rules are what decided those actions. Should the server not log that it took this action, given the elevated level of the rules? I feel I am missing

Re: [ossec-list] Re: active-response alerts?

2016-02-23 Thread Jesus Linares
Hi Barry, if you want to see the rules generated by active response you must watch the active response log (as Dan said): syslog /var/ossec/logs/active-responses.log Now, you will see in archives.log (with option yes) the log received: 2016 Feb 23 10:59:06 LinMV->/var/ossec/log

Re: [ossec-list] Re: active-response alerts?

2016-02-22 Thread Barry Kaplan
So I'm confused then. The server decided to initiate these actions on the client, no? The server rules are what decided those actions. Should the server not log that it took this action, given the elevated level of the rules? I feel I am missing something in my understanding. -barry

Re: [ossec-list] Re: active-response alerts?

2016-02-22 Thread dan (ddp)
On Feb 22, 2016 6:18 AM, "Barry Kaplan" wrote: > > Hmm, ok. On clients there are entries in active-response.log (eg, firewall-drop.sh). But on the server alerts.log there is no trace of those. If I understand the rules correctly they should be there. I don't see any errors in the ossec.log on clie

[ossec-list] Re: active-response alerts?

2016-02-22 Thread Barry Kaplan
Hmm, ok. On clients there are entries in active-response.log (eg, firewall-drop.sh). But on the server alerts.log there is no trace of those. If I understand the rules correctly they should be there. I don't see any errors in the ossec.log on client or server. What's the best way to debug this

[ossec-list] Re: active-response alerts?

2016-02-22 Thread Jesus Linares
Hi Barry, There are decoders and rules

[ossec-list] Re: Active response on windows agent

2015-10-19 Thread Andrea Garbeglio
If possible, I want to know the steps to follow to create a new script on Windows and use it from the manager as an active response. Andrea On Monday, 19 October 2015 09:27:37 UTC+2, Andrea Garbeglio wrote: > Dear all, > > I'm working to configure an active response on a windows work

[ossec-list] Re: Active-Response and Fortinet firewall?

2015-05-08 Thread Brent Morris
https://groups.google.com/forum/#!topic/ossec-list/_0fqn9fU8WA I've done something similar in the past with an ASA. I have no experience with a Fortinet firewall, but if you can manage it via SSH, you should be able to crawl into the ASA's example fairly easily. On Monday, May 4, 2015 at 4:40

[ossec-list] Re: Active response eject USB

2015-05-07 Thread Bùi Viết Hướng
Hey Dan, I have a question: when I plug a USB into the agent, I receive one alert. Then, if I eject the USB and plug it in again, I won't receive the alert again. Is that true or false? On Wednesday, 06 May 2015 at 18:15:41 UTC+7, CraigL wrote: > > What would you like your agent to do when a user ejects a

[ossec-list] Re: Active response eject USB

2015-05-07 Thread Bùi Viết Hướng
Yeah, this is my essay. I'll eject the USB when a user plugs it into my agent. On Wednesday, 06 May 2015 at 18:15:41 UTC+7, CraigL wrote: > > What would you like your agent to do when a user ejects a USB device? > > > On Wednesday, 6 May 2015 11:06:31 UTC+1, Bùi Viết Hướng wrote: >> >> I nee

[ossec-list] Re: Active response eject USB

2015-05-06 Thread CraigL
What would you like your agent to do when a user ejects a USB device? On Wednesday, 6 May 2015 11:06:31 UTC+1, Bùi Viết Hướng wrote: > > I need active respond file.sh . Anyone can give me? >

Re: [ossec-list] Re: Active response didn't work anymore since 1 month !

2015-01-27 Thread dan (ddp)
On Tue, Jan 27, 2015 at 9:07 AM, Thomas Vidal wrote: > Hi, > > Well, I hope to find another way to solve my problem I'm not a > programmer ! Neither am I, but I muddle through. Learning new things is one of the great joys in life! > I will try to install an older version, just for test ! >

Re: [ossec-list] Re: Active response didn't work anymore since 1 month !

2015-01-27 Thread Thomas Vidal
Hi, Well, I hope to find another way to solve my problem; I'm not a programmer! I will try to install an older version, just for a test! Thanks for your help. Best regards, Thomas On Thursday, 22 January 2015 17:13:56 UTC+1, dan (ddpbsd) wrote: > > On Thu, Jan 22, 2015 at 11:01 AM, Thoma

Re: [ossec-list] Re: Active response didn't work anymore since 1 month !

2015-01-22 Thread dan (ddp)
On Thu, Jan 22, 2015 at 11:01 AM, Thomas Vidal wrote: >> Dear Dan, >> >> Where do you think the bug is? >> Are you sure ossec-execd is running on the agent? > > YES ! >> >> Is AR disabled on the agent or manager? > > There is no YES both in ossec.conf and agent.conf (and > normaly following the do

Re: [ossec-list] Re: Active response didn't work anymore since 1 month !

2015-01-22 Thread Thomas Vidal
> > *Dear Dan,* > > Where do you think the bug is? > Are you sure ossec-execd is running on the agent? > *YES ! * > Is AR disabled on the agent or manager? > *There is no YES both in ossec.conf and agent.conf (and normaly following the documentation AR is enable by default) * > Can you add

Re: [ossec-list] Re: Active response didn't work anymore since 1 month !

2015-01-22 Thread dan (ddp)
On Thu, Jan 22, 2015 at 8:44 AM, Thomas Vidal wrote: > Dear OSSEC team, > > I am using both on Ossec server&clients the last 2.8.1 Ossec version on > debian Wheezy. > Copy and Paste event in ossec-logtest give me good output. > When agent.conf is modified the active response to restart all client

[ossec-list] Re: Active response didn't work anymore since 1 month !

2015-01-22 Thread Thomas Vidal
Dear OSSEC team, I am using the latest OSSEC version, 2.8.1, on both the OSSEC server and clients, on Debian Wheezy. Copying and pasting an event into ossec-logtest gives me good output. When agent.conf is modified, the active response to restart all clients is working fine. Server and clients are using up to date and sa

[ossec-list] Re: Active response didn't work anymore since 1 month !

2015-01-21 Thread Thomas Vidal
Dear Janelle, Thanks for your answer. I checked again this morning and yes, and more than yes: I made changes (just added a comment) in ossec.conf and agent.conf on the server. I waited some minutes and merged.mg was not updated on the server (and of course also not on clients). I restarted the server (osse

[ossec-list] Re: Active response didn't work anymore since 1 month !

2015-01-20 Thread Janelle
I would make sure ar.conf is getting passed back to the agents. At the same time, is merged.mg being updated? That was always the problem I found when AR stopped working. ~J On Tuesday, January 20, 2015 at 1:47:30 AM UTC-8, Thomas Vidal wrote: > > Dear all, > > Active response stop working one

Re: [ossec-list] Re: Active response

2014-07-02 Thread dan (ddp)
On Wed, Jul 2, 2014 at 2:59 PM, Nguyễn Văn Hớn wrote: > thank Dan. but how to config active response in window. i want to run script > restart computer when i attach usb in window > It should work the same way as running active response scripts on any other agent. > At 01:24:55 UTC+7 on Thursday,

[ossec-list] Re: Active response

2014-07-02 Thread Nguyễn Văn Hớn
Thanks Dan. But how do I configure active response on Windows? I want to run a script to restart the computer when I attach a USB on Windows. At 01:24:55 UTC+7 on Thursday, 03 July 2014, Nguyễn Văn Hớn wrote: > > This is my active response config in the agent > > > no > > > > restart > res

Re: [ossec-list] Re: active response

2014-06-02 Thread Trieu Ngo Duy
Thanks everyone for the reply. My purpose is to stem a software agent inside Windows 7. I have spent several weeks but I cannot figure out how to implement it. Can you help me? 2014-06-02 19:42 GMT+07:00 Jeremy Rossi : > It's wonderful that you guys are talking about OSSEC. But for the > others from ar

Re: [ossec-list] Re: active response

2014-06-02 Thread Jeremy Rossi
It's wonderful that you guys are talking about OSSEC. But for the others from around the world that don't understand Vietnamese, could you please use English? Thank you. I have not used active response for editing the registry, but I am sure it could be done in a script. How you do this fo

Re: [ossec-list] Re: active response

2014-06-02 Thread Trieu Ngo Duy
Hi, so let's speak Vietnamese to make it easier. Do you know much about active response? As in the question above, I want to run this command: REG ADD HKCU \ Software \ Microsoft \ Windows \ CurrentVersion \ Policies \ Explorer \ DisallowRun to add an entry to the registry on the Windows agent. Can you help me

[ossec-list] Re: active response

2014-06-02 Thread Nguyễn Văn Hớn
Hi. I come from Vietnam, and I have a project for OSSEC. Can we talk to each other about OSSEC? At 09:37:56 UTC+7 on Monday, 02 June 2014, Trieu Ngo Duy wrote: > > help me about active response. how to execute this command: REG ADD HKCU \ > Software \ Microsoft \ Windows \ CurrentV

Re: [ossec-list] Re: Active Response broken in 2.7?

2014-01-30 Thread dan (ddp)
On Fri, Jan 24, 2014 at 12:47 PM, Jeremiah Brock wrote: > > Hello Dan, > > Yes, fresh install of 2.7 server mode. > > I confirmed this again this am on another ubuntu 12.04 system doing the > following : > > su root > cd /root/installs > wget http://www.ossec.net/files/ossec-hids-2.7.tar.

Re: [ossec-list] Re: Active Response broken in 2.7?

2014-01-24 Thread Jeremiah Brock
Hello Dan, Yes, fresh install of 2.7 server mode. I confirmed this again this am on another ubuntu 12.04 system doing the following : su root cd /root/installs wget http://www.ossec.net/files/ossec-hids-2.7.tar.gz tar -zxvf ossec-hids-2.7.tar.gz cd ossec-hids-2.7 ./install.sh In

Re: [ossec-list] Re: Active Response broken in 2.7?

2014-01-24 Thread dan (ddp)
On Thu, Jan 23, 2014 at 8:10 PM, Jeremiah Brock wrote: > Hi All, > > Just a follow up, I was able to get around this strange issue by doing > the following : > Was this a new install? > On the Server : > chown root:ossec ar.conf > service ossec restart > > On the Agent : > service ossec rest

[ossec-list] Re: Active Response broken in 2.7?

2014-01-23 Thread Jeremiah Brock
Hi All, Just a follow up, I was able to get around this strange issue by doing the following : *On the Server : * chown root:ossec ar.conf service ossec restart *On the Agent :* service ossec restart *The Agent /var/ossec/etc/shared now magically downloaded the proper ar.conf file : *

Re: [ossec-list] Re: active-response to multiple agents

2013-04-15 Thread William Taylor
On Monday, April 15, 2013 11:27:41 AM UTC-7, dan (ddpbsd) wrote: > > > Does the server retry sending if the agent doesn't receive the request? > > > > Like I said I tried updating to the newest code but it was buggy and > things > > weren't working correctly. I think syscheck was segfaulting

Re: [ossec-list] Re: active-response to multiple agents

2013-04-15 Thread dan (ddp)
On Mon, Apr 15, 2013 at 1:51 PM, William Taylor wrote: > I _think_ all of the blocks are happening. I'm not 100% sure though. > Even when I use "all" things are slightly delayed at times. > There's no guarantee that the blocks will happen immediately. I generally don't see much delay, but don't r

[ossec-list] Re: active-response to multiple agents

2013-04-15 Thread William Taylor
I _think_ all of the blocks are happening. I'm not 100% sure though. Even when I use "all" things are slightly delayed at times. Does the server retry sending if the agent doesn't receive the request? Like I said I tried updating to the newest code but it was buggy and things weren't working cor

Re: [ossec-list] Re: Active response for FreeBSD

2013-04-10 Thread C. L. Martinez
Ok, I have installed -devel branch in this agent and all works as expected ... Really strange ... I will install another FreeBSD host tomorrow and I will see ... On Wed, Apr 10, 2013 at 12:36 PM, dan (ddp) wrote: > On Wed, Apr 10, 2013 at 1:51 AM, C. L. Martinez > wrote: > > Here it is: > > >

Re: [ossec-list] Re: Active response for FreeBSD

2013-04-10 Thread dan (ddp)
On Wed, Apr 10, 2013 at 1:51 AM, C. L. Martinez wrote: > Here it is: > I put this rc.conf in place (/etc/rc.conf) on my FreeBSD 9.1 system, deleted all previous remnants of OSSEC, and ran install.sh from a fresh untarring of the latest source. Everything worked as expected. Can you please provid

Re: [ossec-list] Re: Active response for FreeBSD

2013-04-10 Thread C. L. Martinez
Here it is: root@plzfsiem02:/etc/mail# more /etc/rc.conf ## ### Important initial Boot-time options ## rc_conf_files="/etc/rc.conf /etc/rc.conf.local" dum

Re: [ossec-list] Re: Active response for FreeBSD

2013-04-09 Thread C. L. Martinez
Thanks Dan. Sure, I will send you tomorrow ... On Tue, Apr 9, 2013 at 3:56 PM, dan (ddp) wrote: > On Tue, Apr 9, 2013 at 8:13 AM, dan (ddp) wrote: > > On Tue, Apr 9, 2013 at 2:39 AM, C. L. Martinez > wrote: > >> Ok, I have reinstalled ossec client and same problem ... It is searching > >> ipf

Re: [ossec-list] Re: Active response for FreeBSD

2013-04-09 Thread dan (ddp)
On Tue, Apr 9, 2013 at 8:13 AM, dan (ddp) wrote: > On Tue, Apr 9, 2013 at 2:39 AM, C. L. Martinez wrote: >> Ok, I have reinstalled ossec client and same problem ... It is searching >> ipfilter ... >> >> > > All right. I'm downloading FreeBSD now. > > I was unable to reproduce this issue. I inst

Re: [ossec-list] Re: Active response for FreeBSD

2013-04-09 Thread dan (ddp)
On Tue, Apr 9, 2013 at 2:39 AM, C. L. Martinez wrote: > Ok, I have reinstalled ossec client and same problem ... It is searching > ipfilter ... > > All right. I'm downloading FreeBSD now. > On Mon, Apr 8, 2013 at 7:18 PM, dan (ddp) wrote: >> >> On Mon, Apr 8, 2013 at 3:17 PM, C. L. Martinez >

Re: [ossec-list] Re: Active response for FreeBSD

2013-04-09 Thread C. L. Martinez
Ok, I have reinstalled ossec client and same problem ... It is searching ipfilter ... On Mon, Apr 8, 2013 at 7:18 PM, dan (ddp) wrote: > On Mon, Apr 8, 2013 at 3:17 PM, C. L. Martinez > wrote: > > Uhmm ... I do not remember but maybe can be the problem. I will try it > > tomorrow > > > > Thank

Re: [ossec-list] Re: Active response for FreeBSD

2013-04-08 Thread dan (ddp)
On Mon, Apr 8, 2013 at 3:17 PM, C. L. Martinez wrote: > Uhmm ... I do not remember but maybe can be the problem. I will try it > tomorrow > Thanks. I'll be working on the documentation to make this clearer and to provide clear instructions on how to fix these types of issues. > > On Monday, Apri

[ossec-list] Re: Active response for FreeBSD

2013-04-08 Thread C. L. Martinez
Uhmm ... I do not remember but maybe can be the problem. I will try it tomorrow On Monday, April 8, 2013, dan (ddp) wrote: > On Mon, Apr 8, 2013 at 10:36 AM, C. L. Martinez wrote: >> I am using FreeBSD 9.1 amd64 .. >> > > Did you have 'pf_enable="YES"' in your rc.conf when you installed > OSSEC?

Re: [ossec-list] Re: Active response for FreeBSD

2013-04-08 Thread dan (ddp)
On Mon, Apr 8, 2013 at 10:36 AM, C. L. Martinez wrote: > I am using FreeBSD 9.1 amd64 .. > Did you have 'pf_enable="YES"' in your rc.conf when you installed OSSEC? Not having that set is the only way I can see for the ipf script to be put in place instead of the pf one. > > On Mon, Apr 8, 2013 a

Re: [ossec-list] Re: Active response for FreeBSD

2013-04-08 Thread C. L. Martinez
I am using FreeBSD 9.1 amd64 .. On Mon, Apr 8, 2013 at 2:34 PM, dan (ddp) wrote: > On Mon, Apr 8, 2013 at 10:29 AM, C. L. Martinez > wrote: > > Ok, using pf.sh script, works as expected. Can I reconfigure agent.conf > to > > use pf.sh as active response instead firewall-drop.sh script only for

Re: [ossec-list] Re: Active response for FreeBSD

2013-04-08 Thread dan (ddp)
On Mon, Apr 8, 2013 at 10:29 AM, C. L. Martinez wrote: > Ok, using pf.sh script, works as expected. Can I reconfigure agent.conf to > use pf.sh as active response instead firewall-drop.sh script only for > FreeBSD hosts ?? > I don't think so. I'm pretty sure those are server side settings. The pr

Re: [ossec-list] Re: Active response for FreeBSD

2013-04-08 Thread C. L. Martinez
Ok, using pf.sh script, works as expected. Can I reconfigure agent.conf to use pf.sh as active response instead firewall-drop.sh script only for FreeBSD hosts ?? On Mon, Apr 8, 2013 at 2:25 PM, dan (ddp) wrote: > On Mon, Apr 8, 2013 at 10:19 AM, C. L. Martinez > wrote: > > AFAIK, FreeBSD can u

Re: [ossec-list] Re: Active response for FreeBSD

2013-04-08 Thread dan (ddp)
On Mon, Apr 8, 2013 at 10:19 AM, C. L. Martinez wrote: > AFAIK, FreeBSD can use three different firewall types: ipf, ipfw and pf ... > It looks like FreeBSD with pf enabled should be using pf.sh. Try running the same command you did previously, but with pf.sh instead. If that works, copying it ov

Re: [ossec-list] Re: Active response for FreeBSD

2013-04-08 Thread C. L. Martinez
AFAIK, FreeBSD can use three different firewall types: ipf, ipfw and pf ... On Mon, Apr 8, 2013 at 2:16 PM, dan (ddp) wrote: > On Mon, Apr 8, 2013 at 10:12 AM, C. L. Martinez > wrote: > > Correct, but for this reason, I ask the question ... > > > > Does freebsd use ipf anymore? Is it still a k

Re: [ossec-list] Re: Active response for FreeBSD

2013-04-08 Thread dan (ddp)
On Mon, Apr 8, 2013 at 10:12 AM, C. L. Martinez wrote: > Correct, but for this reason, I ask the question ... > Does freebsd use ipf anymore? Is it still a knob? > > On Mon, Apr 8, 2013 at 2:09 PM, dan (ddp) wrote: >> >> On Mon, Apr 8, 2013 at 10:03 AM, C. L. Martinez >> wrote: >> > Yep, it is

Re: [ossec-list] Re: Active response for FreeBSD

2013-04-08 Thread C. L. Martinez
Correct, but for this reason, I ask the question ... On Mon, Apr 8, 2013 at 2:09 PM, dan (ddp) wrote: > On Mon, Apr 8, 2013 at 10:03 AM, C. L. Martinez > wrote: > > Yep, it is searching ipf ... > > > > root@itafbsd01:/data/logs/plain# /bin/sh -x > > /usr/local/ossec-hids/active-response/bin/fi

Re: [ossec-list] Re: Active response for FreeBSD

2013-04-08 Thread dan (ddp)
On Mon, Apr 8, 2013 at 10:03 AM, C. L. Martinez wrote: > Yep, it is searching ipf ... > > root@itafbsd01:/data/logs/plain# /bin/sh -x > /usr/local/ossec-hids/active-response/bin/firewall-drop.sh add - 10.196.0.15 > + uname > + UNAME=FreeBSD > + ECHO=/bin/echo > + GREP=/bin/grep > + IPTABLES='' > +

Re: [ossec-list] Re: Active response for FreeBSD

2013-04-08 Thread C. L. Martinez
Yep, it is searching ipf ... root@itafbsd01:/data/logs/plain# /bin/sh -x /usr/local/ossec-hids/active-response/bin/firewall-drop.sh add - 10.196.0.15 + uname + UNAME=FreeBSD + ECHO=/bin/echo + GREP=/bin/grep + IPTABLES='' + IP4TABLES=/sbin/iptables + IP6TABLES=/sbin/ip6tables + IPFILTER=/sbin/ipf

Re: [ossec-list] Re: Active response for FreeBSD

2013-04-08 Thread dan (ddp)
On Mon, Apr 8, 2013 at 9:50 AM, C. L. Martinez wrote: > works: > > root@itafbsd01:/data/logs/plain# pfctl -t ossec_fwtable -T add 10.196.0.15 > No ALTQ support in kernel > ALTQ related functions disabled > 1/1 addresses added. > root@itafbsd01:/data/logs/plain# pfctl -t ossec_fwtable -T show > No

Re: [ossec-list] Re: Active response for FreeBSD

2013-04-08 Thread C. L. Martinez
works: root@itafbsd01:/data/logs/plain# pfctl -t ossec_fwtable -T add 10.196.0.15 No ALTQ support in kernel ALTQ related functions disabled 1/1 addresses added. root@itafbsd01:/data/logs/plain# pfctl -t ossec_fwtable -T show No ALTQ support in kernel ALTQ related functions disabled 10.196.0.15

Re: [ossec-list] Re: Active response for FreeBSD

2013-04-08 Thread dan (ddp)
On Mon, Apr 8, 2013 at 9:45 AM, C. L. Martinez wrote: > Executing active response manually: > > root@itafbsd01:/usr/local/ossec-hids/bin# > /usr/local/ossec-hids/active-response/bin/firewall-drop.sh add - 10.196.0.15 > open device: No such file or directory > User/kernel version check failed > 1:i

[ossec-list] Re: Active response for FreeBSD

2013-04-08 Thread C. L. Martinez
Executing active response manually: root@itafbsd01:/usr/local/ossec-hids/bin# /usr/local/ossec-hids/active-response/bin/firewall-drop.sh add - 10.196.0.15 open device: No such file or directory User/kernel version check failed 1:ioctl(add/insert rule): Bad file descriptor open device: No such file

Re: [ossec-list] Re: Active response to email abuse contact of IP block owner?

2013-01-27 Thread Chris Warren
This is great! I will try it as soon as time permits. - Original Message - From: "Iraklis Mathiopoulos" To: ossec-list@googlegroups.com Sent: Saturday, January 26, 2013 12:42:22 PM Subject: [ossec-list] Re: Active response to email abuse contact of IP block owner? Cou

[ossec-list] Re: Active response to email abuse contact of IP block owner?

2013-01-26 Thread Iraklis Mathiopoulos
Couldn't find anything so I coded up something. https://github.com/iam1980/ossec-email-abuse I'm testing it in OSSEC ver. 2.7 and it seems to be working. Feel free to make any modifications Cheers On Saturday, January 26, 2013 12:22:55 PM UTC+2, Iraklis Mathiopoulos wrote: > > Hey guys, > > Any

[ossec-list] Re: Active response to email abuse contact of IP block owner?

2013-01-26 Thread Iraklis Mathiopoulos
Hey guys, Any progress on this? Cheers, Iraklis On Monday, June 4, 2012 8:00:59 PM UTC+3, Ryan Schulze wrote: > > Hi Chris, > > sorry to dig up this old mail, just wanted to ask if you stumbled across > anything interesting since I was also thinking about automatic generation > of abuse mail

[ossec-list] Re: Active response to email abuse contact of IP block owner?

2012-06-04 Thread Ryan Schulze
Hi Chris, sorry to dig up this old mail, just wanted to ask if you stumbled across anything interesting since I was also thinking about automatic generation of abuse mails with OSSEC? Ryan On Wednesday, December 21, 2011 10:32:41 AM UTC-6, Chris Warren wrote: > > Hi all, > Has anyone attempte

[ossec-list] Re: active response not triggered on management server

2012-04-06 Thread Aaron Bliss
Hi all, Just following up for others who might be seeing this as well. Adding the following did work around the issue. Active Response is now triggered on the ossec server as well as all agents. Aaron firewall-drop server 6 6000 On Fri, Apr 6, 2012 at 1:05 PM, Aaron Bliss

Re: [ossec-list] Re: Active-response doesn't seem to work for some rules (ipop3 specifically but some ssh and other auth failures as well)

2012-02-02 Thread dan (ddp)
On Thu, Feb 2, 2012 at 10:34 AM, Jon Bayless wrote: > Well with that custom decoder it matches the decoder now. I will try it and > see if it actually catches and blocks the source IPs now. > > Is there any way to test whether it is decoding that source IP and will be > able to use it properly?

[ossec-list] Re: Active-response doesn't seem to work for some rules (ipop3 specifically but some ssh and other auth failures as well)

2012-02-02 Thread Jon Bayless
Well with that custom decoder it matches the decoder now. I will try it and see if it actually catches and blocks the source IPs now. Is there any way to test whether it is decoding that source IP and will be able to use it properly? Thanks for all your help.

Re: [ossec-list] Re: Active-response doesn't seem to work for some rules (ipop3 specifically but some ssh and other auth failures as well)

2012-02-02 Thread dan (ddp)
On Thu, Feb 2, 2012 at 9:34 AM, Jon Bayless wrote: > How can I determine if the IP is properly decoded? With the ossec-logtest > program? > > Here is the output I get from that: > > ossec-testrule: Type one log per line. > > Feb  1 09:02:41 server1 ipop3d[39710]: Login failed user=stud...@hammer.

[ossec-list] Re: Active-response doesn't seem to work for some rules (ipop3 specifically but some ssh and other auth failures as well)

2012-02-02 Thread Jon Bayless
How can I determine if the IP is properly decoded? With the ossec-logtest program? Here is the output I get from that: ossec-testrule: Type one log per line. Feb 1 09:02:41 server1 ipop3d[39710]: Login failed user=stud...@hammer.net auth=stud...@hammer.net host=ipx21117.ipxserver.de [212.112.

[ossec-list] Re: active-response on Windows - ERROR

2011-12-22 Thread go
I think I resolved it. Sorry for so many emails. So, it goes like this: if everything as far as the connection is all right, one also has to check the "ar.conf". In my case I had entries there like: host-deny2147483647 - host-deny.sh - 2147483647 firewall-drop2147483647 - firewall-drop.sh - 2147483

[ossec-list] Re: active-response on Windows - ERROR

2011-12-22 Thread go
One more (maybe crucial) piece of information. My installation (and also system) drive is E, hence the agent is installed under: E:\Program Files\ossec-agent\ On Dec 22, 9:45 pm, Peter Skurczak wrote: > On the agent, in ossec.conf I've got the following section: > > (...) > > no > > > > > I actually

Re: [ossec-list] Re: Active response arguments - clarification

2011-12-20 Thread dan (ddp)
It does sound like a bug to me. On Tue, Dec 20, 2011 at 2:02 PM, Kat wrote: > Something to ponder however -- I thought it was in there - instead > there was an unmatched on a line within the command > definition - and no error was generated, that is how I missed it. > > A bug perhaps? > > On Dec

[ossec-list] Re: Active response arguments - clarification

2011-12-20 Thread Kat
Something to ponder however -- I thought it was in there - instead there was an unmatched on a line within the command definition - and no error was generated, that is how I missed it. A bug perhaps? On Dec 20, 10:21 am, Kat wrote: > A! ... um, No. :-( > > On Dec 20, 10:14 am, "dan (ddp)"

[ossec-list] Re: Active response arguments - clarification

2011-12-20 Thread Kat
A! ... um, No. :-( On Dec 20, 10:14 am, "dan (ddp)" wrote: > Is srcip set in the command definition?

Re: [ossec-list] Re: active-response question on the ossec server Options

2011-06-20 Thread Christopher Moraes
What OS are your agents running on? On Sun, Jun 19, 2011 at 6:09 PM, pierz wrote: > Yes exactly, regarding the manual, this is the purpose of the > all statement. > > But agents don't block the IP if the attack occurs on the server. > > On 17 June, 02:09, Jason Frisvold wrote: > > -BEGIN PGP

Re: [ossec-list] Re: active-response question on the ossec server Options

2011-06-20 Thread Jason 'XenoPhage' Frisvold
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 On Jun 19, 2011, at 6:09 PM, pierz wrote: > Yes exactly, regarding the manual, this is the purpose of the > all statement. > > But agents don't block the IP if the attack occurs on the server. That seems to be correct. I haven't tried this myself as of

[ossec-list] Re: active-response question on the ossec server Options

2011-06-19 Thread pierz
Yes exactly, regarding the manual, this is the purpose of the all statement. But agents don't block the IP if the attack occurs on the server. On 17 June, 02:09, Jason Frisvold wrote: > -BEGIN PGP SIGNED MESSAGE- > Hash: SHA1 > > On Jun 16, 2011, at 1:59 PM, pierz wrote: > > > previous thre

Re: [ossec-list] Re: active response log monitoring

2011-05-31 Thread Jason Frisvold
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 On May 23, 2011, at 10:44 AM, Michael Starks wrote: > I have added this (with some modifications) to my fork and am about to commit > it for consideration into release. Trey and Jason, do I have your permission? > I will list the contributors as "Jas

Re: [ossec-list] Re: active response log monitoring

2011-05-25 Thread Daniel Cid
You can do it now. Filter based on: rule_id group event_location So your example should work. Link: http://www.ossec.net/doc/manual/output/granular-email-output.html Thanks, On Wed, May 25, 2011 at 12:15 PM, Michael Starks wrote: > On 05/24/2011 09:33 PM, treydock wrote: >> >> With those acti

Re: [ossec-list] Re: active response log monitoring

2011-05-25 Thread Michael Starks
On 05/24/2011 09:33 PM, treydock wrote: With those active response rules built in, would this be the preferred method for enabling alerts specifically for those rules? (for example in case the alert threshold is above Level 3) u...@example.com 601, 602, 603, 604, 605, 606 It woul

[ossec-list] Re: active response log monitoring

2011-05-24 Thread treydock
With those active response rules built in, would this be the preferred method for enabling alerts specifically for those rules? (for example in case the alert threshold is above Level 3) u...@example.com 601, 602, 603, 604, 605, 606 Secondly, how far from the current stable release is

Re: [ossec-list] Re: active response log monitoring

2011-05-24 Thread Michael Starks
On 05/23/2011 08:39 PM, treydock wrote: That's fine by me, though use "Trey Dockendorf". Thanks! - Trey Support added here: https://bitbucket.org/mstarks01/ossec-hids-mstarks/changeset/67e4be778491 It should set up log monitoring on install, but won't actually work the first time because
