OSSEC active response with linux: logging dropped packets
There are a number of risks in enabling active responses; more details are on the active-responses page:
- Abuse by attackers as a denial-of-service attack (for instance, triggering a response for a large number of legitimate IPs by using IP spoofing).
- False positives: the configuration needs to be well fine-tuned as to which alert level and/or which rules will trigger an active response.
Any custom active response can be written. OSSEC ships with a set of active-response scripts for Linux; one of them is
firewall-drop.sh, which adds new rules to the Linux firewall (iptables) to drop the packets.
This entry describes how to enable logging of dropped packets. I find it useful to know whether the response is effective: for instance, what packets are being blocked after the response is triggered, how long the attack continues, etc. This information helps to tune the active-response timeout.
If, like me, you want to have logging enabled, since there is no option for that, I propose a patch for
As shown on the Splunk chart above, it is possible to verify that the active-response timeouts are correct for the majority of attack scenarios. At the bottom, in yellow, are the active responses: the first bar is when OSSEC started to block the IP, the second one is when OSSEC removed the firewall rules, hence unblocking the IP. At the top, in blue, are the packets from the attacker being dropped after the active response was enabled.
This patch works with OSSEC version 2.4.1
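The logging described above, as an added example rather than OSSEC's own firewall-drop.sh or the patch itself: a POSIX sh active-response script that inserts a rate-limited LOG rule above the DROP rule, so each dropped packet is written to the kernel log with a searchable prefix. The chain names, log prefix and rate limit are assumptions made here; DRY_RUN=1 prints the iptables commands instead of running them.

```shell
#!/bin/sh
# Added example, not OSSEC's firewall-drop.sh: block a source IP with
# iptables and log every packet dropped by that rule. The LOG rule sits
# above the DROP rule, so the kernel logs the packet (syslog/dmesg, with
# the prefix below) before discarding it. Chain names, prefix and rate
# limit are choices made here; OSSEC passes "action user ip" as arguments.
IPTABLES=${IPTABLES:-/sbin/iptables}
LOG_PREFIX="ossec-ar-drop: "

# Run (or, with DRY_RUN=1, print) one iptables invocation.
run_rule() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        echo "$IPTABLES $*"
    else
        "$IPTABLES" "$@"
    fi
}

# Accept only a dotted-quad IPv4 address; anything else is refused so a
# hostile value carried in an alert can never reach the shell or iptables.
valid_ipv4() {
    case "$1" in
        '' | *[!0-9.]* | .* | *. | *..*) return 1 ;;
    esac
    printf '%s' "$1" | awk -F. 'NF != 4 { exit 1 } { for (i = 1; i <= NF; i++) if ($i > 255) exit 1 }'
}

# firewall_drop add|delete <ip>: insert (-I) or remove (-D) the rule pair in
# INPUT and FORWARD. DROP is inserted first; the LOG rule inserted after it
# lands above it, so matching packets are logged and then dropped.
firewall_drop() {
    action=$1
    ip=$2
    valid_ipv4 "$ip" || { echo "refusing invalid address: $ip" >&2; return 1; }
    case "$action" in
        add)    op=-I ;;
        delete) op=-D ;;
        *) echo "usage: firewall_drop add|delete <ip>" >&2; return 1 ;;
    esac
    for chain in INPUT FORWARD; do
        run_rule "$op" "$chain" -s "$ip" -j DROP || return 1
        run_rule "$op" "$chain" -s "$ip" -m limit --limit 10/min \
            -j LOG --log-prefix "$LOG_PREFIX" || return 1
    done
}

# Entry point using OSSEC's argument order: action, user, ip.
# Example: DRY_RUN=1 ./firewall-drop-log.sh add - 192.0.2.10
if [ -n "${1:-}" ]; then firewall_drop "$1" "${3:-}"; fi
```

Dropped packets can then be found by grepping the kernel log for the prefix, which is what makes the chart-style timeout analysis above possible.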