ossec-hids

Active response not working on agents

Open · pablobs2000 opened this issue 3 years ago · 1 comment

Hello, I'm using OSSEC 3.6.0 on CentOS 7, and I'm having trouble running active response on my agent. I'm trying to monitor the output of the command "iptables -t nat -L -n" and then run an AR script. Here is the configuration I have on both manager and agent regarding AR:

Manager: ossec.conf:

  <command>
    <name>iptables-nat</name>
    <executable>iptables-nat.sh</executable>
    <expect></expect>
    <timeout_allowed>yes</timeout_allowed>
  </command>

  <active-response>
    <command>iptables-nat</command>
    <location>local</location>
    <rules_id>150002</rules_id>
  </active-response>

  <localfile>
    <log_format>full_command</log_format>
    <command>iptables -t nat -L -n</command>
    <frequency>5</frequency>
  </localfile>

local_rules.xml:

  <rule id="150002" level="10">
    <if_sid>530</if_sid>
    <match>ossec: output: 'iptables -t nat -L -n'</match>
    <check_diff />
    <description>iptables nat has been modified</description>
  </rule>

Agent: ossec.conf:

  <localfile>
    <log_format>full_command</log_format>
    <command>iptables -t nat -L -n</command>
    <frequency>5</frequency>
  </localfile>

In both manager and agent the ar.conf file contains:

restart-ossec0 - restart-ossec.sh - 0
restart-ossec0 - restart-ossec.cmd - 0
host-deny600 - host-deny.sh - 600
firewall-drop600 - firewall-drop.sh - 600
if-up0 - if-up.sh - 0
iptables-filter0 - iptables-filter.sh - 0
iptables-nat0 - iptables-nat.sh - 0

iptables-nat.sh is located in /var/ossec/active-response/bin/ with the correct permissions, and ossec-execd is running on both the agent and the manager.

The problem is that when rule 150002 is triggered I receive the alert correctly on the server, and if the alert came from the server the AR works fine, but if it came from the agent the AR is not triggered. However, if I run agent-control -b -f iptables-nat0 -u <agent_id>, or one of the default rules triggers a default AR script, it works fine on the agent.

Another thing I tried when troubleshooting this was capturing the traffic between manager and agent. I saw that the manager wasn't sending the AR order to the agent when rule 150002 was triggered; however, when running agent-control -b -f iptables-nat0 -u <agent_id> or a default AR script, the manager did send the order, so it seems like a problem with custom AR scripts.

Thanks in advance.

pablobs2000 avatar Dec 29 '21 12:12 pablobs2000
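One check worth running against a setup like the one above is whether the entry the manager generates for a custom command is actually present in the agent's ar.conf, since ossec-execd on the agent only knows the commands listed there. The script below is an added example, not code from ossec-hids or from this issue: it derives the ar.conf entries from the `<command>` and `<active-response>` blocks in ossec.conf using the line format visible in the thread (`<name><timeout> - <executable> - <timeout>`, with a timeout of 0 when the `<active-response>` block has no `<timeout>`), and diffs them against an agent's ar.conf. The manager fragment and the agent ar.conf it parses are constructed samples; treating `<disabled>yes</disabled>` as producing no entry is an assumption.

```python
"""Derive the ar.conf entries OSSEC generates from ossec.conf and compare
them with an agent's ar.conf.

Added example, not code from ossec-hids or from this issue. Assumes the
ar.conf line format seen in the thread:
    "<name><timeout> - <executable> - <timeout>"
with <timeout> defaulting to 0 when the <active-response> block has none.
"""
import xml.etree.ElementTree as ET

# Constructed sample: the manager fragments from the issue plus one default
# entry with a timeout, wrapped in a root element so they parse as XML.
MANAGER_CONF = """<ossec_config>
  <command>
    <name>iptables-nat</name>
    <executable>iptables-nat.sh</executable>
    <expect></expect>
    <timeout_allowed>yes</timeout_allowed>
  </command>
  <command>
    <name>firewall-drop</name>
    <executable>firewall-drop.sh</executable>
    <expect>srcip</expect>
    <timeout_allowed>yes</timeout_allowed>
  </command>
  <active-response>
    <command>iptables-nat</command>
    <location>local</location>
    <rules_id>150002</rules_id>
  </active-response>
  <active-response>
    <command>firewall-drop</command>
    <location>local</location>
    <level>6</level>
    <timeout>600</timeout>
  </active-response>
</ossec_config>
"""

# Constructed sample of an agent's ar.conf that lacks the custom entry.
AGENT_AR_CONF = """restart-ossec0 - restart-ossec.sh - 0
firewall-drop600 - firewall-drop.sh - 600
"""


def expected_ar_entries(conf_xml):
    """Return the ar.conf lines the manager should generate, in config order."""
    root = ET.fromstring(conf_xml)
    # Map each <command> name to its executable.
    executables = {}
    for cmd in root.findall("command"):
        executables[cmd.findtext("name").strip()] = cmd.findtext("executable").strip()

    entries = []
    for ar in root.findall("active-response"):
        # Assumption: a disabled active-response produces no ar.conf entry.
        if (ar.findtext("disabled") or "no").strip().lower() == "yes":
            continue
        name = ar.findtext("command").strip()
        if name not in executables:
            raise ValueError(f"active-response refers to undefined command {name!r}")
        timeout = int((ar.findtext("timeout") or "0").strip())
        entries.append(f"{name}{timeout} - {executables[name]} - {timeout}")
    return entries


def parse_ar_conf(text):
    """Set of non-empty, whitespace-trimmed lines from an ar.conf file."""
    return {line.strip() for line in text.splitlines() if line.strip()}


def missing_on_agent(conf_xml, agent_ar_conf):
    """Expected entries that the agent's ar.conf does not contain."""
    present = parse_ar_conf(agent_ar_conf)
    return [e for e in expected_ar_entries(conf_xml) if e not in present]


if __name__ == "__main__":
    for entry in missing_on_agent(MANAGER_CONF, AGENT_AR_CONF):
        print("agent ar.conf lacks:", entry)
```

For the configuration in this issue the check would come back clean, because the poster's ar.conf already lists `iptables-nat0 - iptables-nat.sh - 0` and `agent-control -f iptables-nat0` succeeds on the agent; that narrows the problem to the manager's decision to send the order for rule 150002 rather than to the agent's command table.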

Hello @pablobs2000, it seems like your active-response section is missing settings, e.g. agent id etc. As far as I'm concerned, the active-response should look something like this on the OSSEC server:

<active-response>
  <!-- Firewall Drop response. Block the IP for
    - 600 seconds on the firewall (iptables,
    - ipfilter, etc).
    -->
  <disabled>no</disabled>
  <command>firewall-drop</command>
  <agent_id>001</agent_id>
  <location>local</location>
  <rules_id></rules_id>
  <level>6</level>
  <timeout>600</timeout>
</active-response>

Edit: I'm making a revision of my own documentation as we speak. I will make sure to test it and come back if my answer differs.

libellux avatar Jun 01 '22 13:06 libellux