Can someone explain how an OSSEC agent in an active response config detects or responds to events (e.g. a scan attempt on a web server returning 404 status codes)?
I know that the XML block below, at the server end, fires up the response on the agent end. But all the rules are kept in the /root dir, not the usual installation dir for the agent. Apart from monitoring the Apache access logs, it doesn't have a script or regex that tells us what status code to check.
Is it something that is shared on the fly between client and server using UDP port 1514? Kindly help me understand it.
<!-- Active response to block http scanning -->
<active-response>
  <command>route-null</command>
  <location>local</location>
  <!-- Multiple web server 400 error codes from same source IP -->
  <rules_id>31151</rules_id>
  <timeout>600</timeout>
</active-response>
Best Answer
That is exactly how OSSEC works. To quote the OSSEC documentation:

So OSSEC agents are "dumb" in a way that they make no decisions on blocking/unblocking by themselves. They feed all the data from specified log sources (defined in etc/shared/agent.conf) to the management server (defined in etc/ossec.conf). The management server parses the log entries and takes action based on the rules defined under rules/ and, if required, orders the agents to take pre-defined action (usually block/unblock an IP address).

To monitor the OSSEC management server log parsing you can, for instance, do a tail -f logs/alerts/alerts.log.

If you wish to ignore all 400 errors from http logs, you can add the following to your rules/local_rules.xml on your OSSEC server.

You should always do your customizations in the local_rules.xml file and leave the provided decoders (for example web_rules.xml) alone. You should also keep the rule id for local rules between 100000-119999, as they are reserved for that use specifically.