[ossec-list] Re: granular email
Daniel,
Thanks for the information. This did cause emails to go out as
appropriate, but they went to everyone. What I am trying to devise is a
system by which only the person who logged in gets the email. The idea
being that if I should ever get an email when I am not on the system, I
will be able to react in near real time. I have written a basic
active-response that takes input similar to the firewall scripts, e.g.
action (which has no use), username and IP address, and is supposed to send
an email. When testing by passing arguments directly to the script it
works, but when run by ossec nothing seems to happen (just finished it so
I haven't had much debugging time yet).
Has anyone put together a tutorial on developing active response scripts
or a detailed discussion of what gets passed to scripts? For me it would
also be helpful if there were more perl examples running about.
Also, as long as I am discussing active-response I should note that I am
getting the following error:
Invalid active response location: 'analysis-server'.
When I have the following:
<command>
<name>loginAlert</name>
<executable>loginAlert.pl</executable>
<expect>username,srcip</expect>
</command>
<active-response>
<disabled>no</disabled>
<command>loginAlert</command>
<location>analysis-server</location>
<rules_id>666012</rules_id>
</active-response>
Yours,
John
-------------------------------------------------------------------------
John Ives Phone (510) 642-7773
System & Network Security Cell (510) 229-8676
University of California, Berkeley
-------------------------------------------------------------------------
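An added example (not John's loginAlert.pl and not part of OSSEC) of an active-response script that mails only the account that logged in, written in sh in the style of the stock firewall-drop.sh: it reads the positional arguments OSSEC passes, validates them before they reach any command line, maps the user to an address, and logs to the active-responses log. The log path, the recipient map and the mail(1) command are assumptions.

```shell
#!/bin/sh
# loginAlert.sh: OSSEC active-response script (constructed example, not
# John's loginAlert.pl). OSSEC passes positional arguments in the order the
# stock firewall-drop.sh reads them:
#   $1 action (add|delete)  $2 user  $3 source IP  $4 alert id  $5 rule id
# With <expect>username,srcip</expect>, $2 and $3 come from the alert's
# "User:" and "Src IP:" fields.
AR_LOG=${AR_LOG:-/var/ossec/logs/active-responses.log}   # assumed path

# Constructed account -> notification address map; a real deployment would
# keep this in a root-owned file rather than in the script.
RECIPIENTS="jives=jives@example.org
admin=admin@example.org"

# Accept only plain account names: the arguments come straight from a log
# line that a remote party influenced, so never hand them to a shell unchecked.
valid_user() {
    case $1 in ''|*[!A-Za-z0-9._-]*) return 1 ;; esac
}

# Accept only a dotted-quad IPv4 address with each octet in 0..255.
valid_ip() {
    printf '%s\n' "$1" | awk -F. 'NF != 4 { exit 1 }
        { for (i = 1; i <= 4; i++)
              if ($i !~ /^[0-9]+$/ || length($i) > 3 || $i > 255) exit 1 }'
}

# Print the address for a user; fail (no output) if the account is unmapped,
# so an unexpected login is logged as an error instead of mailed to nobody.
recipient_for() {
    addr=$(printf '%s\n' "$RECIPIENTS" | awk -F= -v u="$1" '$1 == u { print $2; exit }')
    [ -n "$addr" ] && printf '%s\n' "$addr"
}

# Message body built only from validated fields.
build_message() {
    printf 'OSSEC alert %s (rule %s): account %s logged in from %s\n' "$4" "$5" "$2" "$3"
}

ar_log() { echo "$(date) $0: $*" >>"$AR_LOG"; }

main() {
    # OSSEC calls the script again with "delete" after <timeout>; nothing to undo here.
    [ "$1" = add ] || exit 0
    valid_user "$2" && valid_ip "$3" || { ar_log "rejected arguments"; exit 1; }
    to=$(recipient_for "$2") || { ar_log "no recipient mapped for user $2"; exit 1; }
    build_message "$@" | mail -s "OSSEC login alert for $2" "$to"   # mail(1) assumed
    ar_log "notified $to of login by $2 from $3"
}

[ $# -eq 0 ] || main "$@"   # with no arguments the file only defines the functions
```

Test it by hand the way OSSEC would call it, e.g. `sh loginAlert.sh add jives 10.0.0.7 1185311433.1585718 666011`, and then check active-responses.log for the result line.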
On Tue, 24 Jul 2007, Daniel Cid wrote:
> Hi John,
>
> When using the granular email option, you need to raise the rule level above
> the email_alert_level or use the "alert_by_email" option to set it for a
> specific rule.
>
> Basically, on the header of the alert you need to have the "mail" in there
> for it to be evaluated by maild:
>
> ** Alert 1185249260.298: mail - xx,
>
>
> Anyway, in my opinion, the best way to accomplish what you are trying to do
> is by creating a local rule that is going to alert on any successful login
> to this host:
>
> <rule id="100200" level="3">
> <if_group>authentication_success</if_group>
> <hostname>system1</hostname>
> <options>alert_by_email</options>
> <description>Login to secure server.</description>
> </rule>
>
> After that, you can create your granular config:
>
> <email_alerts>
> <email_to>jives@xxxxxxxxxxxxxxxxxxxxx</email_to>
> <rule_id>100200</rule_id>
> <do_not_delay />
> </email_alerts>
>
> hope it helps...
>
> --
> Daniel B. Cid
> dcid ( at ) ossec.net
>
> On 7/24/07, John Ives <jives@xxxxxxxxxxxxxxxxxxxxx> wrote:
>>
>> If we are using the granular email option to send out email on selected
>> items, do we need to raise the rule level to above the email_alert_level
>> setting?
>>
>> I have a few systems, that have access to particularly important data
>> and which are actually logged into only a couple times a day (when I
>> need to access some of the stored data, for example). I would like to
>> devise a system whereby I am notified whenever I log in. While I may
>> eventually do this as a active response script (the idea being that if
>> anyone ever gets a page when they did not log in they would know to
>> initiate emergency response procedures), I am interested in seeing if
>> there is a simpler way of accomplishing this.
>>
>> I have written the appropriate rule to isolate my login (this is a
>> viable, though ugly, option for me since there are fewer than 5 accounts
>> that will have access to the important systems), and there is an
>> appropriate event in alerts.log file, but no email.
>>
>> The email alert in the ossec.conf file is (I have also tried this as an
>> sms alert with no luck):
>>
>> <email_alerts>
>> <email_to>jives@xxxxxxxxxxxxxxxxxxxxx</email_to>
>> <rule_id>666011</rule_id>
>> <do_not_delay />
>> </email_alerts>
>>
>> and the alert in the log file looks like:
>>
>> ** Alert 1185311433.1585718: - localauthentication_success,
>> 2007 Jul 24 14:10:33 <SYSTEM>->/var/log/auth.log
>> Rule: 666011 (level 3) -> 'SSHD authentication success.'
>> Src IP: XXX.XXX.XXX.XXX
>> User: jives
>> Jul 24 14:10:33 <SYSTEM> sshd[55220]: Accepted keyboard-interactive/pam
>> for jives from XXX.XXX.XXX.XXX port 62398 ssh2
>>
>> Thanks.
>>
>> John
OSSEC project: www.ossec.net.
Mailing list information: http://www.ossec.net/en/mailing_lists.html.