[ossec-dev] Re: bug(s) in active response?
Daniel Cid wrote:
> Hi John,
>
> That's what happens:
>
> -When you don't expect the user name or srcip and it is present, ossec
> will not send them (but send dashes instead).
>
> -If you expect user names or src ips, ossec will only call your script
> if they are present.
>
> -Also, that might be your problem. If the ip is in the white list,
> ossec will not send them to the active response scripts.
>
This is a nice run down of the scenarios in which the alert will not be
triggered. In my initial test, the one I sent the email about below,
this does explain why I wasn't seeing a username and ip when I stopped
expecting them (while trying to debug). After further testing, it also
turns out that as long as I only expect username, the script is
called, but if I expect the srcip, it doesn't seem to get called, even
though the alert has that information:
** Alert 1185911773.1173094: - local
2007 Jul 31 12:56:13 server->/var/log/auth.log
Rule: 666012 (level 3) -> 'Login to secure server.'
Src IP: <my ip>
User: <username>
Jul 31 12:56:11 server sshd[65280]: Accepted keyboard-interactive/pam
for <username> from <my ip> port 50107 ssh2.
While I would like the IP address in the email, I don't truly need it,
because that information would be on my log server. One of my other
scripts will need it but for now I can make do with the username.
> I just sent in the other e-mail a link to an article that explains a
> bit more about active responses:
>
> http://www.ossec.net/wiki/index.php/Know_How:CustomActiveResponses
>
>
> * What are the arguments passed to the script?
>
> 1. action (delete or add)
> 2. user name (or - if not set)
> 3. src ip (or - if not set)
> 4. Alert id (unique for every alert)
> 5. Rule id
> 6. Agent name/host/filename
>
>
> Since you have the alert id, you can grep the alert you want or even
> the whole rule information (in the example at the link above I do it).
>
>
> Hope it helps.
>
Actually that script was very helpful because I hadn't seen any
references to that 6th argument in the scripts deployed with ossec and
it's one I can use.
Thanks,
John
--
-------------------------------------------------------------------------
John Ives Phone (510) 642-7773
System & Network Security Cell (510) 229-8676
University of California, Berkeley
-------------------------------------------------------------------------
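Added example, not from this thread or from the OSSEC project: a POSIX shell active-response skeleton that reads the six arguments Daniel lists (action, user, srcip, alert id, rule id, agent/location), treats the dash placeholders OSSEC sends for an unset user or srcip, and pulls the full alert block for the given alert id out of an alerts.log, which is what "grep the alert you want" amounts to. The alerts.log content, user names and IP addresses below are constructed; the file path and the `ALERTS_LOG` variable are assumptions.

```shell
#!/bin/sh
# Constructed sample alerts.log in the format shown in the thread (two alerts).
SAMPLE_LOG="${TMPDIR:-/tmp}/ar_example_alerts.log"
cat > "$SAMPLE_LOG" <<'EOF'
** Alert 1185911773.1173094: - local
2007 Jul 31 12:56:13 server->/var/log/auth.log
Rule: 666012 (level 3) -> 'Login to secure server.'
Src IP: 203.0.113.10
User: jdoe
Jul 31 12:56:11 server sshd[65280]: Accepted keyboard-interactive/pam for jdoe from 203.0.113.10 port 50107 ssh2.

** Alert 1185911800.1173200: - local
2007 Jul 31 12:56:40 server->/var/log/auth.log
Rule: 5503 (level 5) -> 'User login failed.'
Src IP: 198.51.100.7
Jul 31 12:56:39 server sshd[65301]: Failed password for invalid user bob from 198.51.100.7 port 50110 ssh2
EOF

# OSSEC passes "-" for a user name or src ip that is not set; map it to a
# readable placeholder so the caller never mistakes the dash for a real value.
ar_field() {
    if [ "$1" = "-" ]; then printf 'unknown'; else printf '%s' "$1"; fi
}

# Print the complete alert block for alert id $1 from alerts.log $2.
# Blocks are separated by blank lines, so awk's paragraph mode (RS="")
# reads one alert per record; the id is anchored to the "** Alert" header.
ar_alert_block() {
    awk -v id="$1" 'BEGIN { RS = "" } $0 ~ ("^\\*\\* Alert " id ":") { print; exit }' "$2"
}

# Entry point using OSSEC's argument order:
#   action user srcip alert_id rule_id location
ar_handle() {
    action=$1; user=$(ar_field "$2"); srcip=$(ar_field "$3")
    alert_id=$4; rule_id=$5; location=$6
    case "$action" in
        add|delete) ;;
        *) echo "unexpected action: $action" >&2; return 1 ;;
    esac
    printf '%s rule=%s user=%s srcip=%s location=%s\n' \
        "$action" "$rule_id" "$user" "$srcip" "$location"
    ar_alert_block "$alert_id" "${ALERTS_LOG:-$SAMPLE_LOG}"
}
```

Run it the way OSSEC would call a script, e.g. `ar_handle add jdoe 203.0.113.10 1185911773.1173094 666012 'server->/var/log/auth.log'`, and the summary line is followed by the matching alert block; an unknown alert id prints nothing after the summary.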
OSSEC project: www.ossec.net.
Mailing list information: http://www.ossec.net/en/mailing_lists.html.