[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[ossec-dev] bug(s) in active response?

To: ossec-dev@xxxxxxxxx
Subject: [ossec-dev] bug(s) in active response?
From: John Ives <jives@xxxxxxxxxxxxxxxxxxxxx>
Date: Fri, 27 Jul 2007 16:14:07 -0700
Content-transfer-encoding: 7bit

After banging my head against a wall about why an active response scriptthat sent emails was not working as expected, I added code to loginformation to the log/active-response.log and discovered that it didn'tappear the script was being called at all. When I went back and changedthe <expects> option to not expect anything (it had previously expectedsrcip and username), I started to get logs and emails (I had alwaysgotten alerts for the event that caused it), I noticed that the scriptwas not being passed the ip and username at all. Below are the logsboth from the active-response.log and alerts.log files. One one testsystem I am getting username and srcip most of the time, on another I amgetting them occasionally, and on the 'production' system I don't seemto ever get them. The script itself works, I just don't get theinformation I am expecting at the other end without these two pieces ofinformation.

One thing to note is that there seems to be a discrepancy in times.When you look at the times in the active-response log, the `date`information is the same as the one in the alert log, however, the epochtimes are different. Specifically, the epoch times in the alert.log arethe times seen for the previous alert in the active-response logs.


active-response.log

Fri Jul 27 15:28:19 PDT 2007/var/ossec/active-response/bin/login-alert.pl add - - 1185575299.2386412666012Fri Jul 27 15:28:47 PDT 2007/var/ossec/active-response/bin/login-alert.pl add - - 1185575327.2386707666012Fri Jul 27 15:28:47 PDT 2007/var/ossec/active-response/bin/login-alert.pl add - - 1185575327.2386985666012Fri Jul 27 15:29:11 PDT 2007/var/ossec/active-response/bin/login-alert.pl add - - 1185575351.2388825666012Fri Jul 27 15:34:32 PDT 2007/var/ossec/active-response/bin/login-alert.pl add - - 1185575672.2396850666012Fri Jul 27 15:35:00 PDT 2007/var/ossec/active-response/bin/login-alert.pl add - - 1185575700.2397152666012


alert.log
** Alert 1185575299.2386136: - local
2007 Jul 27 15:28:19 system1->/var/log/auth.log
Rule: 666012 (level 3) -> 'Login to secure server.'
Src IP: <IP Address>
User: jives

Jul 27 15:28:19 system1 sshd[33190]: Accepted keyboard-interactive/pamfor jives from <IP Address> port 51085 ssh2


** Alert 1185575327.2386412: - local
2007 Jul 27 15:28:47 (system2) <system2 IP>->/var/log/auth.log
Rule: 666012 (level 3) -> 'Login to secure server.'
Src IP: <IP Address>
User: jives

Jul 27 15:28:47 system2 sshd[13989]: Accepted keyboard-interactive/pamfor jives from <IP Address> port 51086 ssh2


** Alert 1185575327.2386707: - local
2007 Jul 27 15:28:47 system2->/var/log/auth.log
Rule: 666012 (level 3) -> 'Login to secure server.'
Src IP: <IP Address>
User: jives

Jul 27 15:28:47 system2 sshd[13989]: Accepted keyboard-interactive/pamfor jives from <IP Address> port 51086 ssh2


--
** Alert 1185575351.2388541: - local
2007 Jul 27 15:29:11 system3->/var/log/auth.log
Rule: 666012 (level 3) -> 'Login to secure server.'
Src IP: <IP Address>
User: jives

Jul 27 15:29:11 system3 sshd[36667]: Accepted keyboard-interactive/pamfor jives from <IP Address> port 51088 ssh2


--
** Alert 1185575672.2396551: - local
2007 Jul 27 15:34:32 (system4) <system4 IP>->/var/log/auth.log
Rule: 666012 (level 3) -> 'Login to secure server.'
Src IP: <IP Address>
User: jives

Jul 27 15:34:31 system4 sshd[32699]: Accepted keyboard-interactive/pamfor jives from <IP Address> port 51093 ssh2


** Alert 1185575700.2396850: - local
2007 Jul 27 15:35:00 (system5) <system5 IP>->/var/log/auth.log
Rule: 666012 (level 3) -> 'Login to secure server.'
Src IP: <IP Address>
User: jives

Jul 27 15:34:59 system5 sshd[8464]: Accepted keyboard-interactive/pamfor jives from <IP Address> port 51094 ssh2



Thanks for all the hard work,

John

--
-------------------------------------------------------------------------
John Ives                                           Phone (510) 642-7773
System & Network Security			     Cell (510) 229-8676
University of California, Berkeley
-------------------------------------------------------------------------

Follow-Ups:
- [ossec-dev] Re: bug(s) in active response?
  - From: Daniel Cid

Prev by Date: [ossec-dev] active response development
Next by Date: [ossec-dev] Re: active response development
Previous by thread: [ossec-dev] Re: active response development
Next by thread: [ossec-dev] Re: bug(s) in active response?
Index(es):
- Date
- Thread

OSSEC home | Main Index | Thread Index

OSSEC project: www.ossec.net.
Mailling list information: http://www.ossec.net/en/mailing_lists.html.