[Ossec-list] Fw: Active response
- Subject: [Ossec-list] Fw: Active response
- From: peter at ifup.de (Peter Ahlert)
- Date: Wed, 8 Mar 2006 17:47:05 +0100
Hi everybody,
thanks for your fast responses!
On Tue, 7 Mar 2006 11:15:13 -0800
"Tim Slighter" <tcslighter at gmail.com> wrote:
> check in the file firewall-drop.sh in /var/ossec/active-response/bin and
> make sure the paths to iptables or ipf are correct. Also, what are you
> matching to the active response? Are you attempting an attack that OSSEC
> will detect with its own engine or is it an attack that relies upon snort to
> pick up?
If I execute the fw-drop script manually, there are entries in /tmp/ossec-hids-responses.log
and the iptables entries are created.
"Daniel Cid" <daniel.cid at gmail.com> wrote:
> Are you attempting an attack that OSSEC will detect with its own engine or
> is it an attack that relies upon snort to pick up?
I'm using vanilla OSSEC and set the level to 6 to test active response.
I assume this alert should trigger a response:
-------------------------------------------
Received From: /var/log/auth.log
Rule: 404 fired (level 9) -> "Attempt to login using a non-existent user"
Portion of the log(s):
"sshd[21576]: Illegal user web14 from ::ffff:212.227.60.55
"
-------------------------------------------
Peter