UPDATE: The code below is now included in the latest release of OSSEC 2.6.
As a follow-up to my recent post, Protecting Web Servers with OSSEC, I will show how to set up notifications when an active response is launched. Much of what I use here was provided by Jason in a post to the OSSEC mailing list.
creating the decoder

/var/ossec/etc/local_decoder.xml

```xml
<!-- decoder for active responses as logged by an OSSEC agent or server
     Examples:
     Sat May 7 03:17:27 CDT 2011 /var/ossec/active-response/bin/host-deny.sh add - 120.101.70.54 1304756247.60385 31151
     Sat May 7 03:17:27 CDT 2011 /var/ossec/active-response/bin/firewall-drop.sh add - 120.101.70.54 1304756247.60385 31151
     Sat May 7 03:27:57 CDT 2011 /var/ossec/active-response/bin/host-deny.sh delete - 120.101.70.54 1304756247.60385 31151
     Sat May 7 03:27:57 CDT 2011 /var/ossec/active-response/bin/firewall-drop.sh delete - 120.101.70.54 1304756247.60385 31151
-->
<decoder name="ar_log">
  <prematch>^Mon|^Tue|^Wed|^Thu|^Fri|^Sat|^Sun \S+\s+\d+ \d\d:\d\d:\d\d \S+ \d+ /var/ossec/active-response</prematch>
  <regex offset="after_prematch">/bin/(\S+) (\S+) - (\S+) (\d+.\d+) (\d+)</regex>
  <order>action, status, srcip, id, extra_data</order>
</decoder>
```
Briefly, what the above does:

- prematch – the part of the pattern that has to hit before OSSEC bothers with the full regex. To keep false positives down it is tied to active response as tightly as possible: the static path /var/ossec/active-response must be present, preceded by a timestamp in the form the examples show, matched with
  - \S+ – one or more non-whitespace characters
  - \s+ – one or more whitespace characters
  - \d+ – one or more digits
  One caveat: OSSEC's regex engine treats | as separating whole alternative patterns, so each weekday alternative before the last one stands on its own. The regex that follows still has to match the /bin/... structure, so this does not loosen the decoder in practice.
- regex – evaluated after the prematch (offset="after_prematch"), this is where the fields are pulled out of the message. Every group in parentheses is captured by the decoder.
- order – assigns each captured group, in order, to a field name. The list of available fields is at the top of decoders.xml in OSSEC's etc directory.
testing the decoder

OSSEC ships a very handy tool, ossec-logtest, for checking which decoder and rules a given log message will trigger. Run /var/ossec/bin/ossec-logtest and paste in an example log message when prompted:
```
2011/05/12 04:16:11 ossec-testrule: INFO: Reading local decoder file.
2011/05/12 04:16:12 ossec-testrule: INFO: Started (pid: 28539).
ossec-testrule: Type one log per line.

Sat May 7 03:17:27 CDT 2011 /var/ossec/active-response/bin/host-deny.sh add - 120.101.70.54 1304756247.60385 31151

**Phase 1: Completed pre-decoding.
       full event: 'Sat May 7 03:17:27 CDT 2011 /var/ossec/active-response/bin/host-deny.sh add - 120.101.70.54 1304756247.60385 31151'
       hostname: 'localhost'
       program_name: '(null)'
       log: 'Sat May 7 03:17:27 CDT 2011 /var/ossec/active-response/bin/host-deny.sh add - 120.101.70.54 1304756247.60385 31151'

**Phase 2: Completed decoding.
       decoder: 'ar_log'
       action: 'host-deny.sh'
       status: 'add'
       srcip: '120.101.70.54'
       id: '1304756247.60385'
       extra_data: '31151'
```

Phase 2 shows the decoder pulled out every field we named in <order>.
the rule

These rules fire on events the above decoder has handled, matching on the fields it extracted. A few things to know:

- options – alert_by_email forces an email for every match of the rule, overriding the email_alert_level and related limits in ossec.conf.
- group – tags the rule; the granular <email_alerts> configuration in ossec.conf can key on this tag to route the notifications to a specific recipient.
- action and status – compare against the fields the decoder filled in, which is why there is one rule per script and per add/delete.
/var/ossec/rules/local_rules.xml

```xml
<!-- rules to alert on active-responses
     Example:
     Sat May 7 03:27:57 CDT 2011 /var/ossec/active-response/bin/firewall-drop.sh delete - 120.101.70.54 1304756247.60385 31151
-->
<group name="local,syslog,">
  <rule id="100002" level="3">
    <decoded_as>ar_log</decoded_as>
    <options>alert_by_email</options>
    <group>active_response_notification</group>
    <action>firewall-drop.sh</action>
    <status>add</status>
    <description>Active response firewall-drop.sh was run, host blocked</description>
  </rule>

  <rule id="100003" level="3">
    <decoded_as>ar_log</decoded_as>
    <options>alert_by_email</options>
    <group>active_response_notification</group>
    <action>firewall-drop.sh</action>
    <status>delete</status>
    <description>Active response firewall-drop.sh was run, host unblocked</description>
  </rule>

  <rule id="100004" level="3">
    <decoded_as>ar_log</decoded_as>
    <options>alert_by_email</options>
    <group>active_response_notification</group>
    <action>host-deny.sh</action>
    <status>add</status>
    <description>Active response host-deny.sh was run, host added to hosts.deny</description>
  </rule>

  <rule id="100005" level="3">
    <decoded_as>ar_log</decoded_as>
    <options>alert_by_email</options>
    <group>active_response_notification</group>
    <action>host-deny.sh</action>
    <status>delete</status>
    <description>Active response host-deny.sh was run, host removed from hosts.deny</description>
  </rule>

  <rule id="100006" level="3">
    <decoded_as>ar_log</decoded_as>
    <options>alert_by_email</options>
    <group>active_response_notification</group>
    <action>route-null.sh</action>
    <status>add</status>
    <description>Active response route-null.sh was run, host added to route null</description>
  </rule>

  <rule id="100007" level="3">
    <decoded_as>ar_log</decoded_as>
    <options>alert_by_email</options>
    <group>active_response_notification</group>
    <action>route-null.sh</action>
    <status>delete</status>
    <description>Active response route-null.sh was run, host removed from route null</description>
  </rule>
</group>
```
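To make the decoder and rule logic above concrete without an OSSEC install at hand, here is an added example (my own code, not from the original post or from OSSEC) that re-implements the ar_log decoder and the six rules in Python and runs them over a handful of log lines. OSSEC uses its own regex engine, so the prematch and regex are translated by hand into Python's re syntax; the sample lines are constructed for the example (four are the ones from the decoder comment, one uses a hypothetical custom-block.sh script that has no rule, and one is an unrelated sshd message).

```python
import re
from typing import Optional

# Translation of the decoder's <prematch>.  OSSEC's regex engine treats "|"
# as separating whole alternative patterns, so the weekday names are grouped
# explicitly here to keep the timestamp and the static path mandatory.
PREMATCH = re.compile(
    r"^(?:Mon|Tue|Wed|Thu|Fri|Sat|Sun) \S+\s+\d+ \d\d:\d\d:\d\d \S+ \d+ "
    r"/var/ossec/active-response"
)

# Translation of <regex offset="after_prematch">.  The named groups take the
# place of <order>: action, status, srcip, id, extra_data.  OSSEC's "." matches
# any character; the translation tightens it to a literal dot inside the id.
AFTER_PREMATCH = re.compile(
    r"/bin/(?P<action>\S+) (?P<status>\S+) - (?P<srcip>\S+) "
    r"(?P<id>\d+\.\d+) (?P<extra_data>\d+)"
)

# The six (action, status) pairs from local_rules.xml -> (rule id, level, description).
RULES = {
    ("firewall-drop.sh", "add"):    (100002, 3, "Active response firewall-drop.sh was run, host blocked"),
    ("firewall-drop.sh", "delete"): (100003, 3, "Active response firewall-drop.sh was run, host unblocked"),
    ("host-deny.sh", "add"):        (100004, 3, "Active response host-deny.sh was run, host added to hosts.deny"),
    ("host-deny.sh", "delete"):     (100005, 3, "Active response host-deny.sh was run, host removed from hosts.deny"),
    ("route-null.sh", "add"):       (100006, 3, "Active response route-null.sh was run, host added to route null"),
    ("route-null.sh", "delete"):    (100007, 3, "Active response route-null.sh was run, host removed from route null"),
}


def decode_ar_log(line: str) -> Optional[dict]:
    """Return the ar_log fields for one line, or None if the decoder does not apply."""
    head = PREMATCH.match(line)
    if head is None:
        return None                       # prematch failed: not an active-response line
    tail = AFTER_PREMATCH.match(line, head.end())
    if tail is None:
        return None                       # prematch hit but the field layout did not
    return tail.groupdict()


def match_rule(fields: dict) -> Optional[tuple]:
    """Return (rule_id, level, description) for decoded fields, or None if no rule fires."""
    return RULES.get((fields["action"], fields["status"]))


def process(lines):
    """Emulate ossec-logtest phases 2 and 3 over raw log lines; one alert per rule hit."""
    alerts = []
    for line in lines:
        fields = decode_ar_log(line)
        if fields is None:
            continue                      # phase 2: not decoded as ar_log
        hit = match_rule(fields)
        if hit is None:
            continue                      # phase 3: decoded, but no rule matched
        rule_id, level, description = hit
        alerts.append({"rule_id": rule_id, "level": level,
                       "srcip": fields["srcip"], "description": description})
    return alerts


# Constructed sample input for this example.  Lines 1-4 are the ones quoted in
# the decoder comment; line 5 uses a hypothetical custom-block.sh that decodes
# but has no rule; line 6 is an ordinary sshd syslog message.
SAMPLE_LINES = [
    "Sat May 7 03:17:27 CDT 2011 /var/ossec/active-response/bin/host-deny.sh add - 120.101.70.54 1304756247.60385 31151",
    "Sat May 7 03:17:27 CDT 2011 /var/ossec/active-response/bin/firewall-drop.sh add - 120.101.70.54 1304756247.60385 31151",
    "Sat May 7 03:27:57 CDT 2011 /var/ossec/active-response/bin/host-deny.sh delete - 120.101.70.54 1304756247.60385 31151",
    "Sat May 7 03:27:57 CDT 2011 /var/ossec/active-response/bin/firewall-drop.sh delete - 120.101.70.54 1304756247.60385 31151",
    "Sat May 7 03:30:01 CDT 2011 /var/ossec/active-response/bin/custom-block.sh add - 120.101.70.54 1304756247.60385 31151",
    "May  7 03:17:20 localhost sshd[31150]: Failed password for root from 120.101.70.54 port 4444 ssh2",
]

if __name__ == "__main__":
    for alert in process(SAMPLE_LINES):
        print(alert)
```

Running it prints four alerts (rule ids 100004, 100002, 100005, 100003, in log order); the custom-block.sh line decodes but matches no rule, and the sshd line never passes the prematch. If you add a rule for another script, extend RULES and re-run to see the new id appear.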
testing the new rule

Just as with the decoder, ossec-logtest shows whether the new rules fire on your example log lines. Phase 3 of the output is the part to look at:

```
2011/05/12 04:16:11 ossec-testrule: INFO: Reading local decoder file.
2011/05/12 04:16:12 ossec-testrule: INFO: Started (pid: 28539).
ossec-testrule: Type one log per line.

Sat May 7 03:17:27 CDT 2011 /var/ossec/active-response/bin/host-deny.sh add - 120.101.70.54 1304756247.60385 31151

**Phase 1: Completed pre-decoding.
       full event: 'Sat May 7 03:17:27 CDT 2011 /var/ossec/active-response/bin/host-deny.sh add - 120.101.70.54 1304756247.60385 31151'
       hostname: 'localhost'
       program_name: '(null)'
       log: 'Sat May 7 03:17:27 CDT 2011 /var/ossec/active-response/bin/host-deny.sh add - 120.101.70.54 1304756247.60385 31151'

**Phase 2: Completed decoding.
       decoder: 'ar_log'
       action: 'host-deny.sh'
       status: 'add'
       srcip: '120.101.70.54'
       id: '1304756247.60385'
       extra_data: '31151'

**Phase 3: Completed filtering (rules).
       Rule id: '100004'
       Level: '3'
       Description: 'Active response host-deny.sh was run, host added to hosts.deny'
**Alert to be generated.
```
ossec.conf additions

Add the lines below to ossec.conf so OSSEC monitors the active-response log. The scripts write to /var/ossec/logs/active-responses.log on the host that executes them, so this <localfile> belongs in the ossec.conf of every agent (and the server, if it runs responses) whose executions you want to hear about. Once messages matching the decoder and rules are picked up, you will be notified.

```xml
<localfile>
  <log_format>syslog</log_format>
  <location>/var/ossec/logs/active-responses.log</location>
</localfile>
```
Here is an example of using the rules' group tag to send these notifications to a specific recipient. This granular <email_alerts> block goes inside <ossec_config> in ossec.conf and works on top of the global email settings, so <email_notification> in <global> must be enabled for it to send anything:

```xml
<email_alerts>
  <email_to>user@localhost.localdomain</email_to>
  <group>active_response_notification</group>
</email_alerts>
```

Restart OSSEC so the new decoder, rules and ossec.conf changes are loaded, and you will be emailed an alert whenever an active response is executed.