[Ossec-list] Active-response
- Subject: [Ossec-list] Active-response
- From: daniel.cid at gmail.com (Daniel Cid)
- Date: Tue, 4 Apr 2006 23:32:38 -0300
Hi Pedro,
I will try to explain how the rules/active responses work.
Every rule has an "id" and a "level", and it can also be part of a "group"
(or many groups).
For example, in the following rule (that matches for invalid users on
ssh), the id is "404", the level is "5" and it is part of the "syslog,
accesscontrol and connection_attempt" groups.
<group name="syslog,accesscontrol,connection_attempt">
  ..
  <rule id="404" level="5">
    <if_sid>400</if_sid>
    <match>illegal user|invalid user</match>
    <description>Attempt to login using a non-existent user</description>
  </rule>
  ..
Knowing that, if you look at the active-response config (inside ossec.conf),
you have the "command" entry, where you specify which commands are available.
The following is the example for the firewall-drop:
<command>
  <name>firewall-drop</name>
  <executable>firewall-drop.sh</executable>
  <expect>srcip</expect>
  <timeout_allowed>yes</timeout_allowed>
</command>
After you specify all the commands that you want to execute, you need to
link each command with a specific active-response. It is in THIS AREA
where you specify for which rules to execute it. You can provide the rule
ID, the rule level or a specific group to fire the response. The following
example would fire the firewall-drop response for any rule with a level >= 9:
<active-response>
  <command>firewall-drop</command>
  <location>local</location>
  <level>9</level>
  <timeout>120</timeout>
</active-response>
You could also specify "rules_id", giving a specific ID, or the "rules_group"
element to block on specific groups:
<active-response>
  <command>firewall-drop</command>
  <location>local</location>
  <rules_id>404,405,406</rules_id>
  <timeout>120</timeout>
</active-response>
Hope I was clear enough :) Let me know if you have more questions.
Thanks,
--
Daniel B. Cid,
dcid @ ( at ) ossec.net
http://www.ossec.net
On 4/4/06, Pedro Drimel Neto <pedrodrimel at gmail.com> wrote:
> Hi all,
>
> I would like to know when the active-response is called...
>
> I understood that an active-response is related to a command, but when is this
> active-response called? From the rules? What rules?
>
> Where do I specify that when rule id number 'x' in syslog_rules.xml matches
> I will tell active-response 'x'.
>
> Thanks a lot...
>
> Congratulations for the project, I hope to help as possible.
>
> []'s
>
> Pedro.
>
> _______________________________________________
> ossec-list mailing list
> ossec-list at ossec.net
> http://mailman.underlinux.com.br/mailman/listinfo/ossec-list
>
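The matching Daniel describes (a level threshold, a rules_id list or a rules_group list deciding which active-response entries fire for a given rule) can be checked offline with a small resolver. This is an added example, not OSSEC's own code: the ossec.conf fragment is constructed, and treating rules_group as a whole-token match and requiring every trigger present in an entry to hold are simplifying assumptions about the real matcher.

```python
import xml.etree.ElementTree as ET

# Constructed ossec.conf fragment (not from the mail): one command and the
# three trigger styles (level, rules_id, rules_group), all using firewall-drop.
OSSEC_CONF = """<ossec_config>
  <command><name>firewall-drop</name><executable>firewall-drop.sh</executable>
    <expect>srcip</expect><timeout_allowed>yes</timeout_allowed></command>
  <active-response><command>firewall-drop</command><location>local</location>
    <level>9</level><timeout>120</timeout></active-response>
  <active-response><command>firewall-drop</command><location>local</location>
    <rules_id>404,405,406</rules_id><timeout>120</timeout></active-response>
  <active-response><command>firewall-drop</command><location>local</location>
    <rules_group>authentication_failed</rules_group><timeout>600</timeout>
  </active-response>
</ossec_config>"""

def _csv(text):
    """Split a comma-separated element value into a set of tokens."""
    return {t.strip() for t in (text or "").split(",") if t.strip()}

def response_fires(ar, rule_id, level, groups):
    """Simplified model (assumption): <level> is a minimum (>=), <rules_id> and
    <rules_group> are membership tests, and every configured trigger must hold."""
    min_level = ar.findtext("level")
    want_ids = _csv(ar.findtext("rules_id"))
    want_groups = _csv(ar.findtext("rules_group"))
    if min_level is None and not want_ids and not want_groups:
        return False  # no trigger configured: this entry can never fire
    if min_level is not None and level < int(min_level):
        return False
    if want_ids and str(rule_id) not in want_ids:
        return False
    if want_groups and not (want_groups & set(groups)):
        return False
    return True

def fired_responses(conf_xml, rule_id, level, groups):
    """Return (command, location, timeout) for each entry that fires; entries
    naming a <command> that is not defined are skipped (nothing to execute)."""
    root = ET.fromstring(conf_xml)
    defined = {c.findtext("name") for c in root.findall("command")}
    out = []
    for ar in root.findall("active-response"):
        cmd = ar.findtext("command")
        if cmd in defined and response_fires(ar, rule_id, level, groups):
            out.append((cmd, ar.findtext("location"), int(ar.findtext("timeout") or 0)))
    return out

if __name__ == "__main__":
    print(fired_responses(OSSEC_CONF, 404, 5, ["syslog", "accesscontrol", "connection_attempt"]))
```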
OSSEC project: www.ossec.net.
Mailing list information: http://www.ossec.net/en/mailing_lists.html.