I'm setting up OSSEC in local mode (on CentOS 7) to act as an IPS for one specific behaviour. I'm trying to use firewall-drop but it doesn't work (I noticed the script can't see srcip). Let me show you some output:
command:
<command>
<name>firewall-drop</name>
<executable>firewall-drop.sh</executable>
<expect>srcip</expect>
<timeout_allowed>yes</timeout_allowed>
</command>
active-response:
<active-response>
<command>firewall-drop</command>
<location>local</location>
<rules_id>5701</rules_id>
<timeout>86400</timeout>
</active-response>
ossec-logtest output:
**Phase 1: Completed pre-decoding.
full event: 'Jul 11 16:15:50 cloud sshd[31119]: Bad protocol version identification 'POST http://muabannha.org/ HTTP/1.1' from 45.32.161.230 port 53595'
hostname: 'cloud'
program_name: 'sshd'
log: 'Bad protocol version identification 'POST http://muabannha.org/ HTTP/1.1' from 45.32.161.230 port 53595'
**Phase 2: Completed decoding.
decoder: 'sshd'
**Phase 3: Completed filtering (rules).
Rule id: '5701'
Level: '8'
Description: 'Possible attack on the ssh server (or version gathering).'
**Alert to be generated.
Any clues?
Thanks in advance, :wq
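An added example, not part of the post above or of the OSSEC project's shipped decoders. An active response whose command declares <expect>srcip</expect> is only executed when the decoder phase produced a srcip field, and the logtest output above shows Phase 2 matched the generic 'sshd' decoder without extracting one. The child decoder below, for a local_decoder.xml, extracts srcip from the "Bad protocol version identification ... from IP port N" message; it assumes the stock 'sshd' parent decoder (program_name ^sshd) is present and that the decoder name 'sshd-bad-protocol' is not already taken.

```xml
<!-- Added example decoder (assumed file: /var/ossec/etc/local_decoder.xml).
     Parent 'sshd' is the stock decoder keyed on program_name; this child
     only fires for the "Bad protocol version identification" message and
     pulls the address after "from" into srcip so <expect>srcip</expect>
     can be satisfied. -->
<decoder name="sshd-bad-protocol">
  <parent>sshd</parent>
  <prematch>^Bad protocol version identification</prematch>
  <!-- offset="after_prematch": match against the text following the prematch -->
  <regex offset="after_prematch"> from (\S+) port \d+$</regex>
  <order>srcip</order>
</decoder>
```

After restarting OSSEC, feed the same line to ossec-logtest and confirm that Phase 2 now reports decoder 'sshd-bad-protocol' with a srcip: line before Phase 3; only then will the firewall-drop response for rule 5701 receive an address to block.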