Active response with "firewall drop" Stop working properly after upgrade to 2.9RC3

[marcRBD]

hi
i upgrade on a debian Jessie from ossec 2.8 to 2.9RC3

server side:

  <command>
    <name>firewall-drop</name>
    <executable>firewall-drop.sh</executable>
    <expect>srcip</expect>
    <timeout_allowed>yes</timeout_allowed>
  </command>

<active-response>
    <command>firewall-drop</command>
    <location>defined-agent</location>
    <agent_id>130</agent_id>
    <rules_id>117154,31510,117159,117162</rules_id>
</active-response>

agent side:
  <active-response>
    <disabled>no</disabled>
<repeated_offenders>15</repeated_offenders>
  </active-response>

1. i removed an ip whitelisted from the configuration and send a brute force
   from this ip---> no AR

2. i come back in 2.8:

i test from this ip--> no AR

The configuration was working before upgrade !!

3. upgrade to 2.9Rc3

still not working, then i test from another ip and it works
from all ip source, even the first one again.

4. after this, i test from anoter ip ( a third one)
   and it is not working anymore from all ip.

There is no whitelisting and the log triggered:

Rule: 117154 (level 11) -> 'Active response: FTP brute force (multiple failed logins).'

We have a lot of agent so i need the active response to keep working
in the upgrade (agent 2.8--> server 2.9) and after the upgrade

Anyone test it ?
best regards
thanks

[ddpbsd]

With 2.9rc3, is execd running on the server and agent?
Do you know if the firewall-drop script runs at all?

[marcRBD]

With 2.9rc3, is execd running on the server and agent?
root 2393 0.0 0.1 20176 1440 ? S oct.13 0:00 /var/ossec/bin/ossec-execd
on the server side

on the agent i'm still in 2.8

root 23998 0.0 0.1 16692 488 ? S 10:06 0:00 /var/ossec/bin/ossec-execd

Do you know if the firewall-drop script runs at all?

on the server nothing in /var/ossec/logs/active-responses.log

but sometimes entries on the agent:

Thu Oct 13 14:16:27 CEST 2016 /var/ossec/active-response/bin/firewall-drop.sh add - IP1 1476360987.532711 117154
Thu Oct 13 14:18:03 CEST 2016 /var/ossec/active-response/bin/firewall-drop.sh add - IP2 1476361083.539214 117154
Thu Oct 13 23:05:37 CEST 2016 /var/ossec/active-response/bin/firewall-drop.sh add - IP3 1476392737.18308284 117159

how can i debug more ?
thanks dan for all the things you do for ossec

[marcRBD]

This night i let a brute force going on, and when before it trigger in a few seconds
it made it in 6 hours...

[ddpbsd]

Can you upgrade the agent? Cross version compatibility isn't something we really test at all.

[marcRBD]

Worst :(
if i upgrade an agent i'v got this:

2016/10/14 14:04:36 ossec-logcollector(1226): ERROR: Error reading XML file '/var/ossec/etc/shared/agent.conf': XMLERR: File '/var/ossec/etc/shared/agent.conf' not found. (line 88).
Started ossec-logcollector...
2016/10/14 14:04:36 ossec-syscheckd(1226): ERROR: Error reading XML file '/var/ossec/etc/shared/agent.conf': XMLERR: File '/var/ossec/etc/shared/agent.conf' not found. (line 88).
2016/10/14 14:04:36 ossec-syscheckd(1226): ERROR: Error reading XML file '/var/ossec/etc/shared/agent.conf': XMLERR: File '/var/ossec/etc/shared/agent.conf' not found. (line 88)

[marcRBD]

Same as 👍 #652

[ddpbsd]

I don't think that error (should be a warning really) affects the agent's performance. It's mostly an informational message. Does the agent not run when you see those (/var/ossec/bin/ossec-control status)?

[marcRBD]

i saw in the link that it starts and i had the 4 demon:
/var/ossec/bin/ossec-control status
ossec-logcollector is running...
ossec-syscheckd is running...
ossec-agentd is running...
ossec-execd is running...

But active response still not working

[marcRBD]

and to be sure, the logs match in ossec-logtest

*_Phase 3: Completed filtering (rules).
Rule id: '117154'
Level: '11'
Description: 'Active response: FTP brute force (multiple failed logins).'
*_Alert to be generated.

[ddpbsd]

Can you post your active response configuration?

[marcRBD]

it is at the start of the issue, i changed it a bit now:

agent;

  <active-response>
    <disabled>no</disabled>
    <repeated_offenders>15,60,1440,86400</repeated_offenders>
  </active-response>

server:

<command>
    <name>firewall-drop</name>
    <executable>firewall-drop.sh</executable>
    <expect>srcip</expect>
    <timeout_allowed>yes</timeout_allowed>
  </command>


<active-response>
    <command>firewall-drop</command>
    <location>defined-agent</location>
    <agent_id>130</agent_id>
    <rules_id>117154,31510,117159,117162</rules_id>
</active-response>

thanks

[ddpbsd]

I haven't noticed any issues myself, but I don't have any systems using repeated_offenders. I'll add one shortly to see if anything changes.

[marcRBD]

i test without repeat offender, same problem.
what is your configuration ?
strange i have no problem in production with this setup
thanks

[ddpbsd]

I have:

  <command>
    <name>firewall-drop</name>
    <executable>pf.sh</executable>
    <expect>srcip</expect>
    <timeout_allowed>yes</timeout_allowed>
  </command>

  <active-response>
    <command>firewall-drop</command>
    <location>all</location>
    <rules_id>5712,5718</rules_id>
  </active-response>

[marcRBD]

somenews
if i try this /var/ossec/bin/agent_control -b ip -f firewall-drop -u 130

in debug mode in the agent i have that:
2016/10/19 14:47:09 ossec-execd(1311): ERROR: Invalid command name 'firewall-drop' provided

even if i declare the command in the agent too

[ddpbsd]

What do you have in /var/ossec/etc/shared/ar.conf on the agent?

[marcRBD]

strange, strange:

less /var/ossec/etc/shared/ar.conf

restart-ossec0 - restart-ossec.sh - 0
restart-ossec0 - restart-ossec.cmd - 0
firewall-drop0 - firewall-drop.sh - 0

it works with

/var/ossec/bin/agent_control -b IP -f firewall-drop0 -u 130

jeudi 20 octobre 2016, 10:35:26 (UTC+0200) /var/ossec/active-response/bin/firewall-drop.sh add - IP (from_the_server) (no_rule_id)

is it normal ?
so the communication could work, but where is the problem ?

[ddpbsd]

Apparently that is normal, I get the same thing (and my AR works). You could try posting this to the mailing list to see if anyone else is experiencing the same sorts of issues.
I was hoping to not have to downgrade to 2.9rc3, but I guess I don't have much of a choice. I'll probably try it on linux as well.

[marcRBD]

or i upgrade to the version you have ? what version ?
i downgrade the server to 2.8 with agent in 2.9RC3 and it works

[ddpbsd]

I'm using the current MASTER from github on most of my systems.

[marcRBD]

just unzip and ./install.sh ?

[ddpbsd]

It's basically the same process.

[marcRBD]

i upgrade to master same problem.

This, is working:

/var/ossec/bin/agent_control -b  IP -f firewall-drop864000 -u 130

OSSEC HIDS agent_control: Running active response 'firewall-drop864000' on: 130

but active response doesn't working.

there is also a chance in geoip support ?
" Invalid element in the configuration: 'geoip_db_path'."
i remove it to start.

Thanks

[ddpbsd]

Yeah, I don't know what's going on with your setup. And I haven't had time to mess with my Linux instances to see what's what.

[marcRBD]

i will ask for help on the list

[ddpbsd]

Ok, so I setup 2 Ubuntu 14.04 lxc/lxd instances. One is a server, the second an agent. Both running 2.9rc3. I left all of the defaults that aren't silly (like listening to port 514 on the server).

I left the default AR config (well, I removed the stupid hosts-deny thing). Just tried to "brute force" a root login via ssh and managed to trigger AR.
#################### On the server:

  <command>
    <name>host-deny</name>
    <executable>host-deny.sh</executable>
    <expect>srcip</expect>
    <timeout_allowed>yes</timeout_allowed>
  </command>

  <command>
    <name>firewall-drop</name>
    <executable>firewall-drop.sh</executable>
    <expect>srcip</expect>
    <timeout_allowed>yes</timeout_allowed>
  </command>

  <command>
    <name>disable-account</name>
    <executable>disable-account.sh</executable>
    <expect>user</expect>
    <timeout_allowed>yes</timeout_allowed>
  </command>

  <command>
    <name>restart-ossec</name>
    <executable>restart-ossec.sh</executable>
    <expect></expect>
  </command>


  <command>
    <name>route-null</name>
    <executable>route-null.sh</executable>
    <expect>srcip</expect>
    <timeout_allowed>yes</timeout_allowed>
  </command>


  <!-- Active Response Config -->
  <active-response>
    <!-- Firewall Drop response. Block the IP for
       - 600 seconds on the firewall (iptables,
       - ipfilter, etc).
      -->
    <command>firewall-drop</command>
    <location>local</location>
    <level>6</level>
    <timeout>600</timeout>
  </active-response>

############ On the agent:

Also on the agent:

root@ar-agent:/var/ossec/logs# ls -l /var/ossec/active-response/bin/
total 56
-r-xr-x--- 1 root ossec 1711 Oct 20 11:17 disable-account.sh
-r-xr-x--- 1 root ossec 6738 Oct 20 11:17 firewall-drop.sh
-r-xr-x--- 1 root ossec 3951 Oct 20 11:17 firewalld-drop.sh
-r-xr-x--- 1 root ossec 3345 Oct 20 11:17 host-deny.sh
-r-xr-x--- 1 root ossec  800 Oct 20 11:17 ip-customblock.sh
-r-xr-x--- 1 root ossec 1385 Oct 20 11:17 ipfw.sh
-r-xr-x--- 1 root ossec 1617 Oct 20 11:17 ipfw_mac.sh
-r-xr-x--- 1 root ossec 1290 Oct 20 11:17 npf.sh
-r-xr-x--- 1 root ossec 1364 Oct 20 11:17 ossec-slack.sh
-r-xr-x--- 1 root ossec 1635 Oct 20 11:17 ossec-tweeter.sh
-r-xr-x--- 1 root ossec 1876 Oct 20 11:17 pf.sh
-r-xr-x--- 1 root ossec  542 Oct 20 11:17 restart-ossec.sh
-r-xr-x--- 1 root ossec 1353 Oct 20 11:17 route-null.sh

Also on the agent:

root@ar-agent:/var/ossec/logs# tail -f active-responses.log
Thu Oct 20 14:21:21 UTC 2016 /var/ossec/active-response/bin/firewall-drop.sh add - 192.168.18.54 1476973281.5546 2502

No clue what else to look into.

[marcRBD]

With the same configuration, it works

in 2.8 as a server
``lundi 24 octobre 2016, 09:58:55 (UTC+0200) /var/ossec/active-response/bin/firewall-drop.sh add - 10.55.112.101 1477295935.223357 11451

in 2.8.3 as a server:

lundi 24 octobre 2016, 10:08:57 (UTC+0200) /var/ossec/active-response/bin/firewall-drop.sh add - 10.55.112.102 1477296537.266277 11451
in 2.9 master and 2.9RC3

it doesn't work and in debug mode i got this error, that i didn't have in other versions:
/var/ossec/bin/ossec-control enable debug

2016/10/24 09:50:52 ossec-analysisd(1271): WARN: Invalid IP Address '10.55.112.101"'. Possible logging attack.
2016/10/24 09:51:02 ossec-analysisd(1271): WARN: Invalid IP Address '10.55.112.101"'. Possible logging attack.

Please note the strange format: '10.55.112.101"' with the double quote

[marcRBD]

it broke at 2.9.0beta05 :/

[ddpbsd]

Can you provide the log message that the 10.55.112.101" came from? There's apparently a bug in a decoder.

[ddpbsd]

beta05 is older than rc3.

[marcRBD]

i try all versions to saw where it was put in the code (from the last master to beta05)
you are right looks like the decoder 👍

• Alert 1477301574.308151: mail - syslog,vsftpd,authentication_failures,
  2016 Oct 24 11:32:54 (host) 10.55.112.105->/var/log/vsftpd.log
  Rule: 11451 (level 10) -> 'FTP brute force (multiple failed logins).'
  Src IP: 10.55.112.101"
  User: $ALOC$
  Mon Oct 24 11:32:53 2016 [pid 1] [$ALOC$] FAIL LOGIN: Client "10.55.112.101"
  Mon Oct 24 11:32:52 2016 [pid 1] [$ALOC$] FAIL LOGIN: Client "10.55.112.101"
  Mon Oct 24 11:32:51 2016 [pid 1] [$ALOC$] FAIL LOGIN: Client "10.55.112.101"
  Mon Oct 24 11:32:50 2016 [pid 1] [$ALOC$] FAIL LOGIN: Client "10.55.112.101"
  Mon Oct 24 11:32:49 2016 [pid 1] [$ALOC$] FAIL LOGIN: Client "10.55.112.101"
  Mon Oct 24 11:32:48 2016 [pid 1] [$ALOC$] FAIL LOGIN: Client "10.55.112.101"
  Mon Oct 24 11:32:47 2016 [pid 1] [$ALOC$] FAIL LOGIN: Client "10.55.112.101"
  Mon Oct 24 11:32:46 2016 [pid 1] [$ALOC$] FAIL LOGIN: Client "10.55.112.101"

Décoding:

*Phase 1: Completed pre-decoding.
       full event: 'Mon Oct 24 11:32:48 2016 [pid 1] [$ALOC$] FAIL LOGIN: Client "10.55.112.101"'
       hostname: 'host'
       program_name: '(null)'
       log: 'Mon Oct 24 11:32:48 2016 [pid 1] [$ALOC$] FAIL LOGIN: Client "10.55.112.101"'

**Phase 2: Completed decoding.
       decoder: **'vsftpd**'
       dstuser: '$ALOC$'
       status: 'FAIL LOGIN'
       srcip: '10.55.112.101"'

**Phase 3: Completed filtering (rules).
       Rule id: '11403'
       Level: '5'
       Description: 'Login failed accessing the FTP server.'
**Alert to be generated.




**Phase 1: Completed pre-decoding.
       full event: 'Mon Oct 24 11:32:47 2016 [pid 1] [$ALOC$] FAIL LOGIN: Client "10.55.112.101"'
       hostname: 'host'
       program_name: '(null)'
       log: 'Mon Oct 24 11:32:47 2016 [pid 1] [$ALOC$] FAIL LOGIN: Client "10.55.112.101"'

**Phase 2: Completed decoding.
       decoder: 'vsftpd'
       dstuser: '$ALOC$'
       status: 'FAIL LOGIN'
       srcip: '10.55.112.101"'

**Phase 3: Completed filtering (rules).
       Rule id: '11403'
       Level: '5'
       Description: 'Login failed accessing the FTP server.'
**Alert to be generated.

Decoder: Attached to ticket old and new

decoder.xml-2.8.3.zip
decoder.xml-2.9rc3.zip

[marcRBD]

Old for srcip

<decoder name="vsftpd">
  <program_name>^vsftpd</program_name>
  <prematch>^\w\w\w \w\w\w\s+\d+ \S+ \d+ [pid \d+] </prematch>
  <regex offset="after_prematch">Client "(\d+.\d+.\d+.\d+)"$</regex>
  <order>srcip</order>
</decoder>

Newone:

<decoder name="vsftpd">
  <program_name>^vsftpd</program_name>
  <prematch>^\w\w\w \w\w\w\s+\d+ \S+ \d+ [pid \d+] </prematch>
  <regex offset="after_prematch">Client "(\S+)"$</regex>
  <order>srcip</order>
</decoder>

[ddpbsd]

I definitely see the offending deocder (vsftpd_login), but I can't figure out how to fix it. Limiting it to ipv4 is easy, but supporting v6 causes issues.

[ddpbsd]

This is dumb, but it seems to work:

<decoder name="vsftpd_login">
  <parent>vsftpd</parent>
  <prematch offset="after_parent"> LOGIN:</prematch>
  <regex offset="after_parent">[(\S+)] (\S+ LOGIN): Client "(\S+\w)"</regex>
  <order>user,status,srcip</order>
</decoder>

I assume the rest of the decoders would have to be similarly modified.

[marcRBD]

ok i better understand when you want ipv6 support, it is more difficult
i try , it works thanks

``lundi 24 octobre 2016, 14:27:20 (UTC+0200) /var/ossec/active-response/bin/firewall-drop.sh add - 10.55.112.102 1477312040.1133823 11451
you think all the decoders could go wrong ?

[marcRBD]

i happy we find the problem and there was a problem...and before the final release :)

[ddpbsd]

Thanks a lot for helping find that problem!

[marcRBD]

i will test a bit more cause my ossec start to be impressive ;)

[marcRBD]

hello
why my issue is not in the release ?
https://github.com/ossec/ossec-hids/releases/tag/2.9.0
thanks

[ddpbsd]

@marcRBD It looks like it was merged into master. I'm guessing I didn't push it into the RC branches.

[marcRBD]

too late now ?
thanks

[ddpbsd]

Submit a pull request against the v2.9.1 branch and I'll see what I can do.

[marcRBD]

i'm not familiar with github to do that