OSSEC is a great piece of software. When you understand well how it works, you can consider using active-responses so it acts really like a Host-based Intrusion Prevention System. 

There are a number of risks in enabling active responses, more details on the active-responses page:

  • Used by attackers as a denial of services attack (activating a response for a large number of legitimate IPs for instance using IP spoofing).
  • False positive: the configuration needs to be well fined-tuned for what level and/or which rules will prompt an active response.
But when the risks are understood, it can be just a great active defense tool, for example blocking in real-time brute-force attacks.

Any custom active responses can be written. OSSEC comes with a set of active responses scripts for Linux, one of them is firewall-drop.sh that add new rules to the linux firewall (iptables) to drop the packets.

This entry is to describe how to enable logging of dropped packets. I find useful to know if the response is efficient. For instance: what packets are being blocked after the response is triggered, how long will the attack continue, etc. This information is useful to tune the active-response timeout.

I like me you want to have logging enabled, since there is no options for that, I propose a patch for firewall-drop.sh:

As showed on this Splunk chart above, it is possible to ensure that the active responses timeouts are correct for a majority of attacks scenarios. At the bottom, in yellow are the active responses: the first bar is when OSSEC started to block the IP the second one is when OSSEC removed the firewall rules hence unblocking the IP. At the top in blue are the packets being dropped by the attacker after the active response was enabled.

This patch works with OSSEC version 2.4.1