[ossec-list] iptables firewall issues
- To: ossec-list@xxxxxxxxx
- Subject: [ossec-list] iptables firewall issues
- From: "Ray Lassiter" <rlassiter@xxxxxxxxx>
- Date: Sat, 9 Jun 2007 15:44:50 -0400
- Dkim-signature: a=rsa-sha1; c=relaxed/relaxed; d=gmail.com; s=beta; h=domainkey-signature:received:received:message-id:date:from:to:subject:mime-version:content-type; b=oRXsIrUkIPrNxLbrXgZm6BuQLdLvanoXOz7PYuq31kfhhxrG8naeFywUHs1abU43mcf+11qzdKiw4lABkXEyrW2oAXn0ZP7tfu1scoxIFwuOYAktiQKDbBnClvwlxlj0BfyBlsfPh3/eG5mRu2ZME4+Th7wSSF17ZR5dRVs5Bh8=
First, I just want to say this is a great program, and would be perfect if I could figure out what I am doing wrong regarding ossec monitoring, logging, and reacting to iptables firewall entries.
I would like to have ossec block IPs based on multiple drops (nothing outside of what is in firewall_rules.xml); however, it doesn't seem to be working properly. I changed the rule to look like the following:
<rule id="4151" level="10" frequency="5" timeframe="120" ignore="240">
Only the changed line is included... Basically, I just made it more sensitive.
I have firewall drops going to messages and ossec is monitoring syslog with the following in ossec.conf:
<localfile>
<log_format>syslog</log_format>
<location>/var/log/messages</location>
</localfile>
Active response is set up like the following:
<!-- Active Response Config -->
<active-response>
<!-- This response is going to execute the host-deny
- command for every event that fires a rule with
- level (severity) >= 6.
- The IP is going to be blocked for 1200 seconds (the timeout below).
-->
<command>host-deny</command>
<location>local</location>
<level>6</level>
<timeout>1200</timeout>
</active-response>
<active-response>
<!-- Firewall Drop response. Block the IP for
- 1200 seconds (the timeout below) on the firewall (iptables,
- ipfilter, etc).
-->
<command>firewall-drop</command>
<location>local</location>
<level>6</level>
<timeout>1200</timeout>
</active-response>
iptables is set up to write to messages with the following format:
Jun 9 15:37:27 host kernel: [608615.235372] Drop off input chain: IN=ppp0 OUT= MAC= SRC="" DST=<someip> LEN=40 TOS=0x00 PREC=0x00 TTL=47 ID=53574 DF PROTO=TCP SPT=11018 DPT=48265 WINDOW=0 RES=0x00 RST URGP=0
In the case of the snippet above, there are about 30 of these within a minute, same src and dst.
Now, based on my understanding, ossec should be writing these to ossec/logs/firewall/firewall.log and then invoking active response to enter an entry into iptables and hosts.deny. None of these things are happening.
I hope that this all makes sense, and that someone on the list can provide some assistance.
Thanks!
OSSEC project: www.ossec.net.
Mailing list information: http://www.ossec.net/en/mailing_lists.html.