
List:       ossec-list
Subject:    Re: [ossec-list] Unintended Active Response
From:       "dan (ddp)" <ddpbsd () gmail ! com>
Date:       2013-09-26 14:03:04
Message-ID: CAMyQvMrE3B-x9siC4+19LLjyVQ5ya9=ecpPwjBwGR21UMO0kqw () mail ! gmail ! com

On Wed, Sep 25, 2013 at 2:35 PM, Blake Johnson <blake@forwardadv.com> wrote:
> My use case for OSSEC has excluded active response from the beginning. In
> managing our roll out to servers that are supported by other parts of the
> organization I wanted to strictly let OSSEC be a tool in our detection
> processes. Last night I had Active Response rules fire on four production
> web servers based on a local rule. Copy of active-responses.log from one
> server:
> 
> Tue Sep 24 19:18:01 CDT 2013 /var/ossec/active-response/bin/host-deny.sh add - xx.xx.255.91 1380067966.11411291 100300
> Tue Sep 24 19:18:01 CDT 2013 /var/ossec/active-response/bin/firewall-drop.sh add - xx.xx.255.91 1380067966.11411291 100300
> Tue Sep 24 19:28:31 CDT 2013 /var/ossec/active-response/bin/host-deny.sh delete - xx.xx.255.91 1380067966.11411291 100300
> Tue Sep 24 19:28:31 CDT 2013 /var/ossec/active-response/bin/firewall-drop.sh delete - xx.xx.255.91 1380067966.11411291 100300
> Tue Sep 24 19:48:00 CDT 2013 /var/ossec/active-response/bin/host-deny.sh add - xx.xx.255.91 1380069765.11921039 100300
> Tue Sep 24 19:48:00 CDT 2013 /var/ossec/active-response/bin/firewall-drop.sh add - xx.xx.255.91 1380069765.11921039 100300
> Tue Sep 24 19:58:30 CDT 2013 /var/ossec/active-response/bin/host-deny.sh delete - xx.xx.255.91 1380069765.11921039 100300
> Tue Sep 24 19:58:30 CDT 2013 /var/ossec/active-response/bin/firewall-drop.sh delete - xx.xx.255.91 1380069765.11921039 100300
> Tue Sep 24 20:13:49 CDT 2013 /var/ossec/active-response/bin/host-deny.sh add - xx.xx.255.91 1380071313.12357928 100300
> Tue Sep 24 20:13:49 CDT 2013 /var/ossec/active-response/bin/firewall-drop.sh add - xx.xx.255.91 1380071313.12357928 100300
> Tue Sep 24 20:24:19 CDT 2013 /var/ossec/active-response/bin/host-deny.sh delete - xx.xx.255.91 1380071313.12357928 100300
> Tue Sep 24 20:24:19 CDT 2013 /var/ossec/active-response/bin/firewall-drop.sh delete - xx.xx.255.91 1380071313.12357928 100300
> Tue Sep 24 20:43:47 CDT 2013 /var/ossec/active-response/bin/host-deny.sh add - xx.xx.255.91 1380073112.12876411 100300
> Tue Sep 24 20:43:47 CDT 2013 /var/ossec/active-response/bin/firewall-drop.sh add - xx.xx.255.91 1380073112.12876411 100300
> Tue Sep 24 20:54:17 CDT 2013 /var/ossec/active-response/bin/host-deny.sh delete - xx.xx.255.91 1380073112.12876411 100300
> Tue Sep 24 20:54:17 CDT 2013 /var/ossec/active-response/bin/firewall-drop.sh delete - xx.xx.255.91 1380073112.12876411 100300
> Tue Sep 24 21:02:49 CDT 2013 /var/ossec/active-response/bin/host-deny.sh add - xx.xx.50.89 1380074254.13146850 100300
> Tue Sep 24 21:02:49 CDT 2013 /var/ossec/active-response/bin/firewall-drop.sh add - xx.xx.50.89 1380074254.13146850 100300
> Tue Sep 24 21:04:00 CDT 2013 /var/ossec/active-response/bin/host-deny.sh delete - xx.xx.50.89 1380074254.13146850 100300
> Tue Sep 24 21:04:00 CDT 2013 /var/ossec/active-response/bin/firewall-drop.sh delete - xx.xx.50.89 1380074254.13146850 100300
> 
> My issue is that the Active Response Config section of ossec.conf on the
> manager server is commented out. This was intentional as I don't want AR
> firing at all:
> 
> <!--
> <!-- Active Response Config -->

I don't think nested comments should work.

> <active-response>
> <!-- This response is going to execute the host-deny
> - command for every event that fires a rule with
> - level (severity) >= 6.
> - The IP is going to be blocked for  600 seconds.
> -->
> <command>host-deny</command>
> <location>local</location>
> <level>6</level>
> <timeout>600</timeout>
> </active-response>
> 
> <active-response>
> <!-- Firewall Drop response. Block the IP for
> - 600 seconds on the firewall (iptables,
> - ipfilter, etc).
> -->
> <command>firewall-drop</command>
> <location>local</location>
> <level>6</level>
> <timeout>600</timeout>
> </active-response>
> -->
> 
> Any ideas on what might have happened here? My immediate remediation is to
> remove all of the active response scripts to prevent unintentional
> operation.
> 
> Blake
> 
> --
> 
> ---
> You received this message because you are subscribed to the Google Groups
> "ossec-list" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to ossec-list+unsubscribe@googlegroups.com.
> For more options, visit https://groups.google.com/groups/opt_out.

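The behaviour dan points at, as an added example (not code from this thread or from OSSEC): XML comments do not nest, so the `-->` that ends the inner `<!-- Active Response Config -->` also ends the outer comment, and the two `<active-response>` blocks after it are read as live configuration. The checker below assumes only that a comment ends at the first `-->` and mimics that with a regex rather than OSSEC's own parser; it reports what survives for the posted layout and for a version where the inner comments are removed before the section is wrapped in a single comment.

```python
import re

# XML comments do not nest: a comment runs from "<!--" to the FIRST "-->".
COMMENT_RE = re.compile(r"<!--.*?-->", re.DOTALL)
AR_BLOCK_RE = re.compile(r"<active-response>(.*?)</active-response>", re.DOTALL)
COMMAND_RE = re.compile(r"<command>\s*(\S+)\s*</command>")

# Constructed from the two blocks in the post (comment text abbreviated).
BLOCKS = """
<active-response>
<!-- host-deny for every rule with level >= 6, 600 seconds -->
<command>host-deny</command>
<location>local</location>
<level>6</level>
<timeout>600</timeout>
</active-response>

<active-response>
<!-- firewall-drop for 600 seconds -->
<command>firewall-drop</command>
<location>local</location>
<level>6</level>
<timeout>600</timeout>
</active-response>
"""

def strip_comments(xml_text):
    """Drop every comment the way a non-nesting comment scanner does."""
    return COMMENT_RE.sub("", xml_text)

def live_active_responses(xml_text):
    """Command names of <active-response> blocks that survive comment stripping."""
    blocks = AR_BLOCK_RE.findall(strip_comments(xml_text))
    return [m.group(1) for m in map(COMMAND_RE.search, blocks) if m]

def has_stray_comment_close(xml_text):
    """A leftover '-->' means an outer comment was closed early by an inner one."""
    return "-->" in strip_comments(xml_text)

# As posted: an outer comment wrapped around blocks that themselves contain comments.
POSTED_CONFIG = "<!--\n<!-- Active Response Config -->\n" + BLOCKS + "-->\n"

# Safe way to disable the section: remove the inner comments first, then wrap once.
FIXED_CONFIG = "<!--\n" + strip_comments(BLOCKS) + "-->\n"

if __name__ == "__main__":
    for name, cfg in (("posted", POSTED_CONFIG), ("fixed", FIXED_CONFIG)):
        print(name, "live:", live_active_responses(cfg),
              "stray '-->':", has_stray_comment_close(cfg))
```

A strict XML parser would reject the posted file outright, since `--` is not permitted inside a comment; a lenient scanner instead does what this script shows, which is why both response commands ran.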

