OSSEC Email Alerts on Active Responses

UPDATE: The code below is now included in the latest release of OSSEC 2.6.

As a follow-up to my recent post, Protecting Web Servers with OSSEC, I will show how to set up notifications when an active response is launched. A lot of what I use here was provided by author Jason on an OSSEC listserv post.

creating the decoder

/var/ossec/etc/local_decoder.xml

<!-- decoder for active responses as logged by an OSSEC agent or server
- Examples
Sat May  7 03:17:27 CDT 2011 /var/ossec/active-response/bin/host-deny.sh add - 120.101.70.54 1304756247.60385 31151
Sat May  7 03:17:27 CDT 2011 /var/ossec/active-response/bin/firewall-drop.sh add - 120.101.70.54 1304756247.60385 31151
Sat May  7 03:27:57 CDT 2011 /var/ossec/active-response/bin/host-deny.sh delete - 120.101.70.54 1304756247.60385 31151
Sat May  7 03:27:57 CDT 2011 /var/ossec/active-response/bin/firewall-drop.sh delete - 120.101.70.54 1304756247.60385 31151


-->

<decoder name="ar_log">
        <prematch>^Mon|^Tue|^Wed|^Thu|^Fri|^Sat|^Sun \S+\s+\d+ \d\d:\d\d:\d\d \S+ \d+ /var/ossec/active-response</prematch>
        <regex offset="after_prematch">/bin/(\S+) (\S+) - (\S+) (\d+.\d+) (\d+)</regex>
        <order>action, status, srcip, id, extra_data</order>
</decoder>

I will do my best to briefly explain what the above does…

  • prematch – this is the portion of the regex that first catches a message. I wanted to make this as specific to active response as possible to avoid false positives. This is accomplished by matching the static string /var/ossec/active-response along with matching the date / time format using the following…

    • \S+ – String, no space
    • \s+ – spaces
    • \d+ – digits
  • regex – this line is evaluated after the prematch and is where we extract the information from the log. All items surrounded by parentheses will be captured by the decoder.
  • order – here we specify the fields each captured part of the log message should be assigned to. A list of available fields is at the top of the decoders.xml within OSSEC’s etc directory.

testing the decoder

OSSEC provides an amazing tool, ossec-logtest, to test whether decoders and rules will be triggered by log messages. Run bin/ossec-logtest and paste in an example log message when prompted…

$ bin/ossec-logtest
2011/05/12 04:16:11 ossec-testrule: INFO: Reading local decoder file.
2011/05/12 04:16:12 ossec-testrule: INFO: Started (pid: 28539).
ossec-testrule: Type one log per line.

Sat May  7 03:17:27 CDT 2011 /var/ossec/active-response/bin/host-deny.sh add - 120.101.70.54 1304756247.60385 31151


**Phase 1: Completed pre-decoding.
       full event: 'Sat May  7 03:17:27 CDT 2011 /var/ossec/active-response/bin/host-deny.sh add - 120.101.70.54 1304756247.60385 31151'
       hostname: 'localhost'
       program_name: '(null)'
       log: 'Sat May  7 03:17:27 CDT 2011 /var/ossec/active-response/bin/host-deny.sh add - 120.101.70.54 1304756247.60385 31151'

**Phase 2: Completed decoding.
       decoder: 'ar_log'
       action: 'host-deny.sh'
       status: 'add'
       srcip: '120.101.70.54'
       id: '1304756247.60385'
       extra_data: '31151'

You see that this decoder correctly pulled each field that we specified.

the rule

These rules will be triggered by the above decoder based on the fields extracted. A few things to know…

  • options – this line specifies that these rules will generate emails. This overrides any limits in ossec.conf about email alerts and levels.
  • group – this can be a useful identifier for custom email notification recipients.

/var/ossec/rules/local_rules.xml

<!-- rules to alert on active-responses
Example:
Sat May  7 03:27:57 CDT 2011 /var/ossec/active-response/bin/firewall-drop.sh delete - 120.101.70.54 1304756247.60385 31151
-->
<group name="local,syslog,">
    <rule id="100002" level="3">
        <decoded_as>ar_log</decoded_as>
        <options>alert_by_email</options>
        <group>active_response_notification</group>
        <action>firewall-drop.sh</action>
        <status>add</status>
        <description>Active response firewall-drop.sh was run, host blocked</description>
    </rule>
    <rule id="100003" level="3">
        <decoded_as>ar_log</decoded_as>
        <options>alert_by_email</options>
        <group>active_response_notification</group>
        <action>firewall-drop.sh</action>
        <status>delete</status>
        <description>Active response firewall-drop.sh was run, host unblocked</description>
    </rule>

    <rule id="100004" level="3">
        <decoded_as>ar_log</decoded_as>
        <options>alert_by_email</options>
        <group>active_response_notification</group>
        <action>host-deny.sh</action>
        <status>add</status>
        <description>Active response host-deny.sh was run, host added to hosts.deny</description>
    </rule>
    <rule id="100005" level="3">
        <decoded_as>ar_log</decoded_as>
        <options>alert_by_email</options>
        <group>active_response_notification</group>
        <action>host-deny.sh</action>
        <status>delete</status>
        <description>Active response host-deny.sh was run, host removed from hosts.deny</description>
    </rule>

    <rule id="100006" level="3">
        <decoded_as>ar_log</decoded_as>
        <options>alert_by_email</options>
        <group>active_response_notification</group>
        <action>route-null.sh</action>
        <status>add</status>
        <description>Active response route-null.sh was run, host added to route null</description>
    </rule>
    <rule id="100007" level="3">
        <decoded_as>ar_log</decoded_as>
        <options>alert_by_email</options>
        <group>active_response_notification</group>
        <action>route-null.sh</action>
        <status>delete</status>
        <description>Active response route-null.sh was run, host removed from route null</description>
    </rule>
</group>
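To see how the decoder's prematch / regex / order stages and the action+status rule matching fit together before touching ossec-logtest, here is an added Python re-implementation of the ar_log decoder and the rules above, run over a few constructed active-responses.log lines. It is example code written for this write-up, not OSSEC's own engine; the one deliberate difference is that the id field uses `\d+\.\d+` where the OSSEC decoder uses `\d+.\d+`.

```python
import re

# Constructed sample log lines (three active-response lines in the format the
# decoder expects, plus one unrelated sshd line that must NOT match).
SAMPLE_LOG = """\
Sat May  7 03:17:27 CDT 2011 /var/ossec/active-response/bin/host-deny.sh add - 120.101.70.54 1304756247.60385 31151
Sat May  7 03:17:27 CDT 2011 /var/ossec/active-response/bin/firewall-drop.sh add - 120.101.70.54 1304756247.60385 31151
Sat May  7 03:27:57 CDT 2011 /var/ossec/active-response/bin/host-deny.sh delete - 120.101.70.54 1304756247.60385 31151
May  7 03:30:00 web1 sshd[123]: Failed password for root from 120.101.70.54 port 2222 ssh2
"""

# <prematch>: day-of-week, date/time, timezone, year, then the static path.
PREMATCH = re.compile(
    r"^(?:Mon|Tue|Wed|Thu|Fri|Sat|Sun) \S+\s+\d+ \d\d:\d\d:\d\d \S+ \d+ "
    r"/var/ossec/active-response"
)
# <regex offset="after_prematch">: capture groups, applied where prematch ended.
FIELDS = re.compile(r"/bin/(\S+) (\S+) - (\S+) (\d+\.\d+) (\d+)")
# <order>: names assigned to the capture groups, in order.
ORDER = ("action", "status", "srcip", "id", "extra_data")

# (action, status) -> (rule id, description), mirroring local_rules.xml above.
RULES = {
    ("firewall-drop.sh", "add"): ("100002", "Active response firewall-drop.sh was run, host blocked"),
    ("firewall-drop.sh", "delete"): ("100003", "Active response firewall-drop.sh was run, host unblocked"),
    ("host-deny.sh", "add"): ("100004", "Active response host-deny.sh was run, host added to hosts.deny"),
    ("host-deny.sh", "delete"): ("100005", "Active response host-deny.sh was run, host removed from hosts.deny"),
    ("route-null.sh", "add"): ("100006", "Active response route-null.sh was run, host added to route null"),
    ("route-null.sh", "delete"): ("100007", "Active response route-null.sh was run, host removed from route null"),
}


def decode(line):
    """Return the decoded field dict for an ar_log line, or None if no match."""
    pre = PREMATCH.match(line)
    if pre is None:
        return None  # prematch failed: the decoder is never consulted
    cap = FIELDS.match(line, pre.end())  # continue right after the prematch
    if cap is None:
        return None
    return dict(zip(ORDER, cap.groups()))


def run(log_text):
    """Decode every line and return (rule id, srcip, description) per alert."""
    alerts = []
    for line in log_text.splitlines():
        fields = decode(line)
        if fields is None:
            continue
        rule = RULES.get((fields["action"], fields["status"]))
        if rule is not None:  # decoded_as matched but no action/status rule
            alerts.append((rule[0], fields["srcip"], rule[1]))
    return alerts
```

Running `run(SAMPLE_LOG)` yields three alerts (rules 100004, 100002, 100005 for 120.101.70.54) and silently skips the sshd line, which is the same outcome ossec-logtest reports in Phases 2 and 3.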

testing the new rule

Just as with the decoder, the tool ossec-logtest can be used to verify the rules are being triggered by your desired log examples.

$ bin/ossec-logtest
2011/05/12 04:16:11 ossec-testrule: INFO: Reading local decoder file.
2011/05/12 04:16:12 ossec-testrule: INFO: Started (pid: 28539).
ossec-testrule: Type one log per line.

Sat May  7 03:17:27 CDT 2011 /var/ossec/active-response/bin/host-deny.sh add - 120.101.70.54 1304756247.60385 31151


**Phase 1: Completed pre-decoding.
       full event: 'Sat May  7 03:17:27 CDT 2011 /var/ossec/active-response/bin/host-deny.sh add - 120.101.70.54 1304756247.60385 31151'
       hostname: 'localhost'
       program_name: '(null)'
       log: 'Sat May  7 03:17:27 CDT 2011 /var/ossec/active-response/bin/host-deny.sh add - 120.101.70.54 1304756247.60385 31151'

**Phase 2: Completed decoding.
       decoder: 'ar_log'
       action: 'host-deny.sh'
       status: 'add'
       srcip: '120.101.70.54'
       id: '1304756247.60385'
       extra_data: '31151'

**Phase 3: Completed filtering (rules).
       Rule id: '100004'
       Level: '3'
       Description: 'Active response host-deny.sh was run, host added to hosts.deny'
**Alert to be generated.

ossec.conf additions

Add the lines below to your ossec.conf file to have OSSEC monitor the active-responses log file. When messages matching the decoder and rules are picked up, you will be notified.

  <localfile>
    <log_format>syslog</log_format>
    <location>/var/ossec/logs/active-responses.log</location>
  </localfile>

Here’s an example of how to use the rules’ group key to send these notifications to a specific recipient…

    <email_alerts>
        <email_to>user@localhost.localdomain</email_to>
        <group>active_response_notification</group>
    </email_alerts>

You will now be emailed an alert whenever an active response is executed.
