
Can someone explain how the OSSEC agent in an active response config detects or responds to events (e.g. a scan attempt on a web server returning 404 status codes)?

I know that the XML block below at the server end fires up the response on the agent end. But all the rules are kept in the /root dir, not in the usual installation dir for the agent. Apart from it monitoring the Apache access logs, it doesn't have a script or regex that tells us what status code to check.

Is it something that is shared on the fly between client and server using UDP port 1514? Kindly help me understand it.

    <!-- Active response to block http scanning -->
    <active-response>
        <command>route-null</command>
        <location>local</location>
        <!-- Multiple web server 400 error codes from same source IP -->
        <rules_id>31151</rules_id>
        <timeout>600</timeout>
    </active-response>

1 Answer


That is exactly how Ossec works. To quote the Ossec documentation:

OSSEC is composed of multiple pieces. It has a central manager monitoring everything and receiving information from agents, syslog, databases and from agentless devices.

So Ossec agents are "dumb" in a way that they make no decisions on blocking/unblocking by themselves. They feed all the data from specified log sources (defined in etc/shared/agent.conf) to the management server (defined in etc/ossec.conf). The management server parses the log entries and takes action based on the rules defined under rules/ and, if required, orders the agents to take pre-defined action (usually block/unblock an IP address).

To monitor the ossec management server log parsing you can, for instance, do a tail -f logs/alerts/alerts.log.

If you wish to ignore all 400 errors from http logs, you can add the following to your rules/local_rules.xml on your Ossec server.

<rule id="100010" level="2">
  <if_sid>31151</if_sid>
  <description>Don't care about 400 errors</description>
</rule>

You should always do your customizations in the local_rules.xml file and leave the provided decoders (for example web_rules.xml) alone. You should also keep the rule id for local rules between 100000-119999, as they are reserved for that use specifically.

Ketola
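To make the manager-side flow described in this answer concrete, here is an added Python script (not OSSEC's own code) that replays what the manager does with Apache access-log lines sent by an agent: it decodes each line, counts 4xx responses per source IP the way rule 31151 does, and shows how the local override rule suggested above changes which rule id the resulting alert carries, so that an active response keyed on rules_id 31151 no longer fires. The frequency, timeframe and level values are assumptions standing in for the real rule; the log lines are constructed.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Apache combined log format: source IP, timestamp, request line, status code.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) ')

# Assumed stand-ins for rule 31151's frequency/timeframe/level; check web_rules.xml.
FREQUENCY, TIMEFRAME, BASE_RULE, BASE_LEVEL = 12, 90, "31151", 10
def parse(line):
    # Return (srcip, timestamp, status), or None when the decoder cannot read the line.
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts").split()[0], "%d/%b/%Y:%H:%M:%S")
    return m.group("ip"), ts, int(m.group("status"))

def correlate(lines, override=None):
    # Replay the manager's rule chain. override = (rule_id, level) of a local child
    # rule with <if_sid>31151</if_sid>; when given, the alert carries that id instead.
    hits = defaultdict(deque)            # srcip -> timestamps of recent 4xx hits
    alerts = []
    for line in lines:
        parsed = parse(line)
        if parsed is None:
            continue
        ip, ts, status = parsed
        if not 400 <= status < 500:      # rule 31101 only matches status "^4"
            continue
        q = hits[ip]
        q.append(ts)
        while (ts - q[0]).total_seconds() > TIMEFRAME:
            q.popleft()                  # drop hits outside the sliding window
        if len(q) >= FREQUENCY:
            rule_id, level = override if override else (BASE_RULE, BASE_LEVEL)
            # AR is keyed on <rules_id>31151</rules_id>; the override id triggers no route-null.
            alerts.append({"rule": rule_id, "level": level, "srcip": ip,
                           "route_null": rule_id == BASE_RULE})
            q.clear()                    # simplified: reset the counter after firing
    return alerts

def make_line(ip, second, status, path):
    # Constructed sample log line, not captured from a real server.
    return (f'{ip} - - [10/Oct/2023:13:55:{second:02d} +0000] '
            f'"GET {path} HTTP/1.1" {status} 153 "-" "curl/8.0"')

# 13 x 404 from one client inside 24 s, plus ordinary 200s from another host.
SAMPLE = [make_line("203.0.113.5", s, 404, f"/old{s}.php") for s in range(0, 26, 2)]
SAMPLE += [make_line("198.51.100.7", s, 200, "/index.html") for s in range(0, 30, 5)]
```

Calling correlate(SAMPLE) yields one alert on 31151 with route_null set, while correlate(SAMPLE, override=("100010", 2)) yields the same match attributed to the level-2 local rule, which the active-response block above ignores.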