[Ossec-list] No response from server to agent
- Subject: [Ossec-list] No response from server to agent
- From: oahmet at metu.edu.tr (ahmet ozturk)
- Date: Tue, 23 May 2006 14:00:52 +0300
Hi Alberto,
"TCP_DENIED/407" is matched by rule 5007 in the squid rules,
and its alert level is 5. However, in ossec.conf it is defined
that active-response is used if the alert level is >= 6. (Please see below
for the related configuration file part.)
Btw, there's another rule (5052), which is fired if rule 5007 was fired
8 times in 2 minutes for the same source IP address, and its alert level is 10.
I mean, if you just get "TCP_DENIED/407" once, ossec-hids will generate an alert with level 5,
(5007) and default configuration won't use active-response because it's configured for rules
with level >=6.
If you get the same "TCP_DENIED/407" for the same ip at least 8 times in a 2 min. timeframe,
ossec-hids will generate an alert with level 10 (5052), and now active-response will be used.
Now you have a chance to change this behaviour:
* you may edit the ossec.conf file and decrease the level at which active-response is used.
(Please read docs/rules.txt in the source directory for alert levels)
* you may also edit the squid_rules.xml file and increase the level for rule 5007
* and also you may change SQUID_FREQ (=8) in rule 5052 in order to decrease the
required number of entries for the same source IP to fire this rule.
related part
----
<command>firewall-drop</command>
<location>defined-agent</location>
<agent_id>001</agent_id>
<level>6</level> <----change this------
<timeout>60</timeout>
</active-response>
----
I hope this helps.
Regards,
Ahmet Ozturk.
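To make the rule chain Ahmet describes concrete, here is an added example (not OSSEC's own code, and a simplified model of what ossec-analysisd does): it parses constructed Squid native-format access.log lines, counts "TCP_DENIED/407" hits per source IP inside the 120-second timeframe, assigns level 5 (rule 5007) to a single hit and level 10 (rule 5052) once 8 hits from the same source fall in the window, and then applies the active-response threshold and the white_list. The class names, the constructor parameters and the sample log lines are assumptions made for the example; the rule IDs, levels, frequency, timeframe and threshold are the values from the thread. The three knobs Ahmet lists (the active-response level, the level of 5007, and SQUID_FREQ) are exposed as parameters so the effect of each change can be seen.

```python
"""Model of the OSSEC squid rule chain discussed in the thread:
rule 5007 (TCP_DENIED/407, level 5) -> rule 5052 (8 x 5007 from the same
source IP within 120 s, level 10) -> active-response if level >= <level>.
Added example, not OSSEC's own code; the frequency handling is a
simplification of how ossec-analysisd counts matches."""
import re
from collections import defaultdict, deque

# Constructed Squid native-format access.log lines (not taken from the thread):
# "timestamp elapsed client action/code size method URL ident hierarchy type"
SAMPLE_LOG = [
    "1148371105.001 12 10.0.0.7 TCP_MISS/200 4512 GET http://example.com/ - DIRECT/93.184.216.34 text/html",
    "1148371106.002 10 10.0.0.7 TCP_DENIED/407 1782 GET http://example.com/ - NONE/- text/html",
] + [
    f"{1148371110 + i}.000 10 10.0.0.5 TCP_DENIED/407 1782 GET http://example.com/{i} - NONE/- text/html"
    for i in range(8)
]

# Only the fields the rules need: UNIX timestamp, client IP and the action/code pair.
SQUID_RE = re.compile(r"^(?P<ts>\d+)(?:\.\d+)?\s+\d+\s+(?P<srcip>\S+)\s+(?P<action>\S+)")


def parse_squid_line(line):
    """Return {'ts', 'srcip', 'action'} for a native-format line, or None."""
    m = SQUID_RE.match(line)
    if not m:
        return None
    return {"ts": int(m.group("ts")), "srcip": m.group("srcip"), "action": m.group("action")}


class SquidCorrelator:
    """Hypothetical stand-in for the 5007/5052 rule pair plus the AR decision."""
    RULE_SINGLE = 5007   # "TCP_DENIED/407" seen once
    RULE_MULTI = 5052    # freq x 5007 from the same source IP within timeframe

    def __init__(self, ar_level=6, level_5007=5, level_5052=10,
                 freq=8, timeframe=120, white_list=("127.0.0.1",)):
        self.ar_level = ar_level          # <level> of the <active-response> block
        self.level_5007 = level_5007      # level of rule 5007 in squid_rules.xml
        self.level_5052 = level_5052      # level of rule 5052
        self.freq = freq                  # SQUID_FREQ
        self.timeframe = timeframe        # seconds
        self.white_list = set(white_list) # <white_list> entries never get AR
        self._hits = defaultdict(deque)   # srcip -> timestamps of recent 5007 matches

    def feed(self, line):
        """Feed one log line; return the alert dict it produces, or None."""
        ev = parse_squid_line(line)
        if ev is None or not ev["action"].startswith("TCP_DENIED/407"):
            return None
        ts, src = ev["ts"], ev["srcip"]
        window = self._hits[src]
        while window and ts - window[0] > self.timeframe:   # drop hits outside the timeframe
            window.popleft()
        window.append(ts)
        if len(window) >= self.freq:
            rule, level = self.RULE_MULTI, self.level_5052
            window.clear()   # simplification: start a fresh count after 5052 fires
        else:
            rule, level = self.RULE_SINGLE, self.level_5007
        fire_ar = level >= self.ar_level and src not in self.white_list
        return {"rule": rule, "level": level, "srcip": src, "active_response": fire_ar}


def run(lines, **cfg):
    """Run the correlator over log lines and return the alerts in order."""
    c = SquidCorrelator(**cfg)
    return [a for a in (c.feed(line) for line in lines) if a is not None]


if __name__ == "__main__":
    print("default config (AR at level >= 6):")
    for alert in run(SAMPLE_LOG):
        print(alert)
    print("AR level lowered to 5:")
    for alert in run(SAMPLE_LOG, ar_level=5):
        print(alert)
```

With the thread's defaults the single hit from 10.0.0.7 and the first seven from 10.0.0.5 produce level-5 alerts with no active response; the eighth hit from 10.0.0.5 produces rule 5052 at level 10 and the firewall-drop would be sent. Passing `ar_level=5` makes the very first "TCP_DENIED/407" trigger the response, `freq=3` makes 5052 fire on the third hit, and a source listed in `white_list` still produces the alert but never the response.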
alberto.avi at gmail.com wrote:
> Hello,
>
> I'm trying to use the client/server approach for OSSEC HIDS v0.8 .
> On the client (agent ID 001) I defined a single squid log file to monitor:
>
> <ossec_config>
> <client>
> <server-ip>10.182.32.10</server-ip>
> </client>
> <localfile>
> <log_format>squid</log_format>
>
> <location>/usr/local/prod/squid-2.5.STABLE12/var/logs/access.log</location>
> </localfile>
> </ossec_config>
>
> On the server I have configured a single active-response for the agent
> ID 001.
> In the future I'll have many agents so it's very important for me to try
> this case.
>
> <ossec_config>
> <global>
> <email_notification>yes</email_notification>
> <email_to>alberto.avi at ugis.unicredit.it</email_to>
> <smtp_server>10.182.35.244</smtp_server>
> <email_from>ossecm at usmgml201.usinet.it</email_from>
> </global>
>
> <rules>
> <include>rules_config.xml</include>
> <include>squid_rules.xml</include>
> </rules>
>
> <global>
> <white_list>127.0.0.1</white_list>
> </global>
>
> <remote>
> <connection>syslog</connection>
> </remote>
> <remote>
> <connection>secure</connection>
> </remote>
>
> <alerts>
> <log_alert_level>1</log_alert_level>
> <email_alert_level>7</email_alert_level>
> </alerts>
>
> <command>
> <name>host-deny</name>
> <executable>host-deny.sh</executable>
> <expect>srcip</expect>
> <timeout_allowed>yes</timeout_allowed>
> </command>
> <command>
> <name>firewall-drop</name>
> <executable>firewall-drop.sh</executable>
> <expect>srcip</expect>
> <timeout_allowed>yes</timeout_allowed>
> </command>
>
> <active-response>
> <command>host-deny</command>
> <location>defined-agent</location>
> <agent_id>001</agent_id>
> <level>6</level>
> <timeout>60</timeout>
> </active-response>
> <active-response>
> <command>firewall-drop</command>
> <location>defined-agent</location>
> <agent_id>001</agent_id>
> <level>6</level>
> <timeout>60</timeout>
> </active-response>
>
> <localfile>
> <log_format>syslog</log_format>
> <location>/var/log/messages</location>
> </localfile>
>
> </ossec_config>
>
> 'tcpdump -X -s 1500 -v udp port 1514' on the server tells me that the
> agent is speaking to the server when I generate some "TCP_DENIED/407" on
> my proxy.
>
> The problem is that I never see the active-response network traffic from
> server to agent to drop the srcip at iptables level on the agent machine.
>
> In the log file I didn't find any useful information (for me).
>
> server side:
> 2006/05/23 09:58:25 ossec-maild: Started (pid: 14825).
> 2006/05/23 09:58:25 ossec-execd: Started (pid: 14829).
> 2006/05/23 09:58:25 ossec-analysisd: Reading rules file: 'rules_config.xml'
> 2006/05/23 09:58:25 ossec-analysisd: Reading rules file: 'squid_rules.xml'
> 2006/05/23 09:58:25 ossec-analysisd: Total rules enabled: '23'
> 2006/05/23 09:58:25 ossec-analysisd: 1 IPs in the white list for active
> response.
> 2006/05/23 09:58:25 ossec-analysisd: Started (pid: 14833).
> 2006/05/23 09:58:25 ossec-remoted: Started (pid: 14841).
> 2006/05/23 09:58:25 ossec-remoted(1501): No IP or network allowed in the
> access list for syslog. No reason for running it. Exiting.
> 2006/05/23 09:58:25 ossec-remoted: Started (pid: 14844).
> 2006/05/23 09:58:28 ossec-analysisd: Connected to '/queue/alerts/ar'
> (active-response queue)
> 2006/05/23 09:58:28 ossec-syscheckd: Started (pid: 14849).
> 2006/05/23 09:58:28 ossec-syscheckd: No directories to check.
> 2006/05/23 09:58:31 ossec-logcollector(1950): Analyzing file:
> '/var/log/messages'.
> 2006/05/23 09:58:31 ossec-logcollector: Started (pid: 14837).
>
> agent side:
> 2006/05/23 09:33:00 ossec-execd: Started (pid: 15555).
> 2006/05/23 09:33:00 ossec-agentd: Started (pid: 15559).
> 2006/05/23 09:33:04 ossec-syscheckd: Started (pid: 15572).
> 2006/05/23 09:33:04 ossec-syscheckd: No directories to check.
> 2006/05/23 09:33:06 ossec-logcollector(1950): Analyzing file:
> '/usr/local/prod/squid-2.5.STABLE12/var/logs/access.log'.
> 2006/05/23 09:33:06 ossec-logcollector: Started (pid: 15563).
> 2006/05/23 09:34:06 ossec-rootcheck: No rootcheck_files file configured.
> 2006/05/23 09:34:06 ossec-rootcheck: No rootcheck_trojans file configured.
>
>
> Can you help me ? Thanks.
>
>
> In the past I used local-installation and I think that OSSEC HIDS is a
> very very interesting and intelligent software product.
> Many thanks to Daniel Cid who first spoke to me about it !
> Thank you for your incredible job and for your time.
>
> Alberto Avi
>
> _______________________________________________
> ossec-list mailing list
> ossec-list at ossec.net
> http://mailman.underlinux.com.br/mailman/listinfo/ossec-list
OSSEC project: www.ossec.net.
Mailing list information: http://www.ossec.net/en/mailing_lists.html.