Log Management: Introducing Active Response, Putting Logs to Work

Logs provide a plethora of insights, yet they are rarely fully leveraged. They're expensive, and building the logic for what to look at can be challenging. Yet, OSSEC HIDS ventured into this space long before modern SIEM technologies emerged.

One of the ways it did this was via a module known as "Active Response."

What is Active Response?

Active Response refers to the ability to detect suspicious activity and take immediate action to mitigate a threat. With OSSEC, we would analyze the logs, compare them against rules that were canned or defined by the administrator, and then, based on a threshold, integrate with a host's firewall to proactively block the activity.

This is different from what you find in log management or SIEM solutions today, but why?

Trunc and Active Response

As we moved OSSEC to the cloud with Trunc, we had to ensure we retained the same functionality, so we introduced an Active Response module.

Via this module, we offer users specific rules that can be tuned to create a consumable list of potential threat actors. This list can then be integrated via your Firewall application on the network or host device. We'll share a few examples of how this can be done in a later post.

The power of this module is that, because the service is affordable, you can consume all your logs, which creates a more realistic picture of your threat landscape. With this new visibility, you can quickly see any probing/footprinting attempts and respond to them accordingly.
You can also see whether the same device is attempting the same activity across any part of your network, so you can deploy defensive controls with a higher degree of confidence in the block and fewer false positives.

Trunc Active Response Options

The Active Response option is found in your dashboard. It currently offers the following predefined rules and controls:

Option                 | Description                                                                                                         | Options
-----------------------+---------------------------------------------------------------------------------------------------------------------+-----------------------------------------
Response Timeout       | Dictates how long a flagged IP stays blocked. If you flag an IP, do you want it blocked for 30 mins? 60 mins? 6 hours? | 10 mins, 30 mins, 60 mins, 6 hrs, 1 day
Brute Force Frequency  | Frequency of failed requests to be considered a brute force attack (applies to SSH, remote desktop, web logins, etc.) | 5/min, 10/min, 15/min, 30/min, 60/min
Web Errors Frequency   | Frequency of HTTP request failures (500s) to be considered a high-severity event.                                    | 5/min, 10/min, 15/min, 30/min, 60/min
Web 404s Frequency     | Frequency of HTTP 404 errors (file not found) to be considered a web recon scan.                                     | 5/min, 10/min, 15/min, 30/min, 60/min


A consumable list is created from the options selected, and from there you create your local agent to consume it and deploy the controls. If you have recommendations on what other options we should include, let us know and we'll work to get them on the roadmap.
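The mechanics described above (per-IP thresholds over a one-minute window, a Response Timeout that expires the block, a consumable list, and a local agent that turns it into firewall controls) can be sketched end to end in a few dozen lines. The following is an added example written for this post; it is not Trunc's or OSSEC's code. The sshd and access-log formats, the CSV shape of the consumable list, the function names, and the sample log lines are all assumptions constructed for the demo, and all timestamps are treated as UTC. The sshd failures are spread across two hosts (web1 and web2) so the same source IP is counted across the whole estate, which is the cross-network view the post describes.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Thresholds mirror the dashboard options; the lowest settings are chosen so the
# small sample below trips them. 30 mins is one of the listed Response Timeout choices.
THRESHOLDS = {"brute_force": 5, "web_errors": 5, "web_404": 5}  # events per minute
WINDOW = timedelta(minutes=1)
RESPONSE_TIMEOUT = timedelta(minutes=30)

# Assumed log formats: syslog lines from sshd and Apache/Nginx-style access logs.
SSHD_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: Failed password for .* from (?P<ip>[\d.]+)")
HTTP_RE = re.compile(
    r'^(?P<ip>[\d.]+) \S+ \S+ \[(?P<ts>[^\]]+)\] "[^"]*" (?P<status>\d{3}) ')

# Constructed sample lines (not real traffic), in chronological order.
SAMPLE_LOGS = """\
Jan 10 12:00:01 web1 sshd[2311]: Failed password for invalid user admin from 203.0.113.7 port 50122 ssh2
Jan 10 12:00:03 web1 sshd[2311]: Failed password for invalid user admin from 203.0.113.7 port 50123 ssh2
Jan 10 12:00:05 web1 sshd[2311]: Failed password for root from 203.0.113.7 port 50124 ssh2
Jan 10 12:00:08 web2 sshd[4102]: Failed password for root from 203.0.113.7 port 50125 ssh2
Jan 10 12:00:09 web2 sshd[4102]: Failed password for root from 203.0.113.7 port 50126 ssh2
198.51.100.23 - - [10/Jan/2024:12:01:00 +0000] "GET /index.html HTTP/1.1" 200 1043
198.51.100.23 - - [10/Jan/2024:12:01:02 +0000] "GET /old-page HTTP/1.1" 404 210
192.0.2.50 - - [10/Jan/2024:12:02:00 +0000] "GET /admin/ HTTP/1.1" 404 210
192.0.2.50 - - [10/Jan/2024:12:02:01 +0000] "GET /backup/ HTTP/1.1" 404 210
192.0.2.50 - - [10/Jan/2024:12:02:02 +0000] "GET /test/ HTTP/1.1" 404 210
192.0.2.50 - - [10/Jan/2024:12:02:03 +0000] "GET /config/ HTTP/1.1" 404 210
192.0.2.50 - - [10/Jan/2024:12:02:04 +0000] "GET /old/ HTTP/1.1" 404 210
"""


def parse_event(line, year=2024):
    """Turn one log line into (timestamp, ip, category), or None if the line is not of interest.
    syslog lines carry no year, so one is assumed."""
    m = SSHD_RE.match(line)
    if m:
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        return ts, m["ip"], "brute_force"
    m = HTTP_RE.match(line)
    if m:
        ts = datetime.strptime(m["ts"].split()[0], "%d/%b/%Y:%H:%M:%S")
        status = int(m["status"])
        if status == 404:
            return ts, m["ip"], "web_404"
        if 500 <= status <= 599:
            return ts, m["ip"], "web_errors"
    return None


def build_block_list(lines, thresholds=THRESHOLDS, timeout=RESPONSE_TIMEOUT):
    """Sliding one-minute window per (ip, category), keyed on the source IP only, so hits
    from different hosts aggregate. Returns {ip: (category, expires_at)}."""
    windows = defaultdict(deque)
    blocked = {}
    for line in lines:
        ev = parse_event(line)
        if ev is None:
            continue
        ts, ip, cat = ev
        q = windows[(ip, cat)]
        q.append(ts)
        while q and ts - q[0] > WINDOW:   # drop events older than the window
            q.popleft()
        if len(q) >= thresholds[cat]:
            expires = ts + timeout
            # A repeat trigger extends the block; it never shortens an existing one.
            if ip not in blocked or blocked[ip][1] < expires:
                blocked[ip] = (cat, expires)
    return blocked


def render_list(blocked):
    """Serialise the consumable list an agent would fetch: ip,category,expires_at (ISO 8601)."""
    return "\n".join(f"{ip},{cat},{exp.isoformat()}" for ip, (cat, exp) in sorted(blocked.items()))


def active_entries(list_text, now):
    """Agent side: parse the list and keep only entries whose Response Timeout has not elapsed."""
    if isinstance(now, str):
        now = datetime.fromisoformat(now)
    active = []
    for row in list_text.splitlines():
        ip, cat, exp = row.split(",")
        if datetime.fromisoformat(exp) > now:
            active.append((ip, cat))
    return active


def firewall_commands(entries, chain="INPUT"):
    """Render host-firewall drop rules for review; returned as strings, not executed."""
    return [f"iptables -I {chain} -s {ip} -j DROP  # {cat}" for ip, cat in entries]


if __name__ == "__main__":
    listing = render_list(build_block_list(SAMPLE_LOGS.splitlines()))
    print(listing)
    for cmd in firewall_commands(active_entries(listing, "2024-01-10T12:10:00")):
        print(cmd)
```

Running it flags 203.0.113.7 for brute force (five sshd failures in eight seconds, split across web1 and web2) and 192.0.2.50 for a 404 scan, while 198.51.100.23, with a single 404, stays off the list. The agent-side check matters as much as the detection: an entry is applied only while its Response Timeout is live, so blocks age out on their own rather than accumulating forever, and the commands are produced as text so they can be reviewed or fed to whatever firewall the host actually runs.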

If you're curious how it works, feel free to give it a try; it's a low-hassle trial that doesn't require a credit card.



Posted in log-management by Tony Perez (@perezbox)
