Another attraction of OSSEC is active-response, which can run a command automatically when a rule fires. However, this function is best used with caution: if it kills something that should not be killed, the consequences can be very serious. A good choice is therefore to use it only to trigger an alarm automatically.
Here is a standard configuration, with each element explained:
<command>
  <name>test</name>                      <!-- name of the command; the active-response block refers to it by this name -->
  <executable>test.sh</executable>       <!-- script name; put it under /var/ossec/active-response/bin, executable and owned by the ossec group: -r-xr-x--- 1 root ossec 445 11-09 test.sh -->
  <timeout_allowed>no</timeout_allowed>  <!-- whether the command supports a timeout, i.e. being called again with "delete" once the <timeout> of the active-response expires -->
  <expect></expect>                      <!-- arguments the command expects from the alert (e.g. srcip, user); not set here -->
</command>

<!-- put the active-response below the <command> block; otherwise the command cannot be found -->
<active-response>
  <command>test</command>                <!-- name of the response command, i.e. the one defined above -->
  <location>server</location>            <!-- where the response runs: server = on the OSSEC server (e.g. to execute a script there); local = on the agent that produced the alert -->
  <level>1</level>                       <!-- response level: the response fires for alerts of level 1 or above -->
</active-response>
Finally, let's look at the script file. This script is used to add a user.
File name: test.sh

#!/bin/sh
# test.sh: OSSEC active-response script that adds a user.
# OSSEC calls it as: test.sh <action> <user> <srcip> ...
ACTION=$1
USER=$2
IP=$3
LOCAL=`dirname $0`
cd $LOCAL
cd ../
PWD=`pwd`

# Logging the call
echo "`date` $0 $1 $2 $3 $4 $5" >> ${PWD}/../logs/active-responses.log

# The actual response: add the user
useradd lion
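The script above acts on every alert without looking at its arguments. As an added example (not code from the original page or from the OSSEC project), the script below follows the same calling convention OSSEC uses for a response (first argument is the action: "add" when the alert fires, "delete" when the response is called again after the <timeout> of the active-response expires, which only happens when the command has timeout_allowed set to yes; then user and source IP) but only logs and reports, which is the "trigger an alarm" use the text recommends. The function names, the LOG_FILE variable (defaulting to /tmp/active-responses.log instead of OSSEC's logs/active-responses.log) and the IPv4 check are assumptions of this example.

```shell
#!/bin/sh
# Example OSSEC active-response script (added illustration, not from the
# original page or from the OSSEC project). Arguments, as OSSEC passes them:
#   $1 = action ("add" when the rule fires, "delete" after the timeout)
#   $2 = user from the alert, $3 = source IP from the alert
# It only logs and prints a decision; it does not change the system.

# Assumed, overridable log location; OSSEC's own scripts write to
# <ossec dir>/logs/active-responses.log.
LOG_FILE="${LOG_FILE:-/tmp/active-responses.log}"

# log_call: append a timestamped record of how the script was invoked.
log_call() {
    echo "`date` $0 $*" >> "$LOG_FILE"
}

# validate_ip: accept only a dotted-quad IPv4 address, so that a crafted
# field in the alert cannot carry shell metacharacters into later commands.
validate_ip() {
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$'
}

# handle_action: dispatch on the action argument. Prints the decision and
# returns 0 for a recognised action with a valid IP, 1 otherwise.
handle_action() {
    action="$1"; user="$2"; ip="$3"
    if ! validate_ip "$ip"; then
        echo "invalid ip: $ip"
        return 1
    fi
    case "$action" in
        add)    echo "alarm: rule fired for user=$user ip=$ip" ;;
        delete) echo "alarm cleared for user=$user ip=$ip (timeout expired)" ;;
        *)      echo "unknown action: $action"; return 1 ;;
    esac
}

# When OSSEC runs the script it passes arguments; log the call and dispatch.
if [ $# -ge 1 ]; then
    log_call "$@"
    handle_action "$@"
fi
```

Run it as OSSEC would, e.g. `./test.sh add lion 192.0.2.10`, and the call is appended to LOG_FILE while the decision is printed; an unknown action or a malformed IP makes it exit non-zero without doing anything, which is the failure mode you want from a response that is wired to level 1 alerts.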
Reference: http://www.ossec.net/doc/manual/ar/index.html