OSSEC 2.6 Active Response email alerts

In a previous article I described how to add email alerts when active responses were triggered. Those steps predate the changes that were added to the 2.6 release.

In 2.6 you must override the new built-in rules to explicitly enable email notifications if your email alert level is set higher than 3.

A few things to note:

  • overwrite="yes" – this attribute tells OSSEC to overwrite the built-in rule with the same id.
  • alert_by_email – with this option OSSEC will always send emails on these events.
  • I've commented out the "delete" status rules, as I prefer to be notified only when a host is added to the active responses.

<group name="local,syslog,">
  <rule id="600" level="0" overwrite="yes">
    <decoded_as>ar_log</decoded_as>
    <description>Active Response Custom Messages Grouped</description>
    <group>active_response,</group>
  </rule>

  <rule id="601" level="3" overwrite="yes">
    <if_sid>600</if_sid>
    <options>alert_by_email</options>
    <action>firewall-drop.sh</action>
    <status>add</status>
    <description>Host Blocked by firewall-drop.sh Active Response</description>
    <group>active_response,</group>
  </rule>

  <rule id="602" level="3" overwrite="yes">
    <if_sid>600</if_sid>
    <!--<options>alert_by_email</options>-->
    <action>firewall-drop.sh</action>
    <status>delete</status>
    <description>Host Unblocked by firewall-drop.sh Active Response</description>
    <group>active_response,</group>
  </rule>

  <rule id="603" level="3" overwrite="yes">
    <if_sid>600</if_sid>
    <options>alert_by_email</options>
    <action>host-deny.sh</action>
    <status>add</status>
    <description>Host Blocked by host-deny.sh Active Response</description>
    <group>active_response,</group>
  </rule>

  <rule id="604" level="3" overwrite="yes">
    <if_sid>600</if_sid>
    <!--<options>alert_by_email</options>-->
    <action>host-deny.sh</action>
    <status>delete</status>
    <description>Host Unblocked by host-deny.sh Active Response</description>
    <group>active_response,</group>
  </rule>

  <rule id="605" level="3" overwrite="yes">
    <if_sid>600</if_sid>
    <options>alert_by_email</options>
    <action>route-null.sh</action>
    <status>add</status>
    <description>Host Blocked by route-null.sh Active Response</description>
    <group>active_response,</group>
  </rule>

  <rule id="606" level="3" overwrite="yes">
    <if_sid>600</if_sid>
    <!--<options>alert_by_email</options>-->
    <action>route-null.sh</action>
    <status>delete</status>
    <description>Host Unblocked by route-null.sh Active Response</description>
    <group>active_response,</group>
  </rule>
</group>
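As an added check (example code, not part of the article or of OSSEC), the script below parses a local_rules.xml fragment like the one above and reports, per active-response script, which statuses will alert by email, and flags any overriding rule in the 600-606 range that lacks overwrite="yes". The embedded RULES_XML is constructed for the example and deliberately omits overwrite on rule 603 to show the check firing; the XML parser drops comments, so a commented-out alert_by_email correctly counts as disabled.

```python
"""Audit an OSSEC local_rules.xml fragment that overrides the built-in
active-response rules (ids 600-606). Added example, not OSSEC code."""
import xml.etree.ElementTree as ET

# Constructed sample based on the article's rules. Rule 603 is missing
# overwrite="yes" on purpose so the audit has something to report.
RULES_XML = """<group name="local,syslog,">
  <rule id="600" level="0" overwrite="yes">
    <decoded_as>ar_log</decoded_as>
    <group>active_response,</group>
  </rule>
  <rule id="601" level="3" overwrite="yes">
    <if_sid>600</if_sid>
    <options>alert_by_email</options>
    <action>firewall-drop.sh</action>
    <status>add</status>
  </rule>
  <rule id="602" level="3" overwrite="yes">
    <if_sid>600</if_sid>
    <!--<options>alert_by_email</options>-->
    <action>firewall-drop.sh</action>
    <status>delete</status>
  </rule>
  <rule id="603" level="3">
    <if_sid>600</if_sid>
    <options>alert_by_email</options>
    <action>host-deny.sh</action>
    <status>add</status>
  </rule>
</group>"""

def audit_ar_rules(xml_text):
    """Return (matrix, problems): matrix maps action -> status -> whether
    alert_by_email is set; problems lists overriding ids lacking overwrite."""
    root = ET.fromstring(xml_text)          # comments are discarded here
    matrix, problems = {}, []
    for rule in root.iter("rule"):
        rid = int(rule.get("id"))
        if 600 <= rid <= 606 and rule.get("overwrite") != "yes":
            problems.append(rid)
        action, status = rule.findtext("action"), rule.findtext("status")
        if action is None or status is None:
            continue                        # rule 600 is only the parent
        opts = [o.strip() for o in (rule.findtext("options") or "").split(",")]
        matrix.setdefault(action, {})[status] = "alert_by_email" in opts
    return matrix, problems
```

Running audit_ar_rules(RULES_XML) reports firewall-drop.sh as emailing on add but not on delete, and lists 603 as the rule that would not replace its built-in counterpart.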
