Logs provide a plethora of insights, yet they are rarely fully leveraged. They're expensive, and building the logic for what to look at can be challenging. Yet, OSSEC HIDS ventured into this space long before modern SIEM technologies emerged.
One of the ways it did this was via a module known as "Active Response."
Active Response refers to the ability to detect suspicious activity and take immediate action to mitigate a threat. With OSSEC, we would analyze the logs, compare them against rules that were canned or defined by the administrator, and then, based on a threshold, integrate with a host's firewall to proactively block the activity.
This is different from what you find in log management or SIEM solutions today, but why?
As we moved OSSEC to the cloud with Trunc, we had to ensure we retained the same functionality, so we introduced an Active Response module.
Via this module, we offer users specific rules that can be tuned to create a consumable list of potential threat actors. This list can then be integrated via your Firewall application on the network or host device. We'll share a few examples of how this can be done in a later post.
The power of this module is that because of the affordability of the service, you can consume all your logs, which creates a more realistic picture of your threat landscape. With this new visibility, you can quickly see any probing/footprinting attempts and respond to them accordingly.
You can also see if the same device is attempting the same activity across any aspect of your network, allowing you to more confidently deploy defensive controls feeling a higher degree of confidence on the block and reducing the issues with false positives.
The Active Response option is found in your dashboard. It currently offers the following predefined rules and controls:
| Option | Description | Options |
|---|---|---|
| Response Timeout | This dictates the frequency of the block. If you flag an IP do you want it blocked for 30 mins? 60 mins? 6 hours? | 10 mins 30 mins 60 mins 6 hrs 1 day |
| Brute Force Frequency | Frequency of requests to be considered a brute force attack (applies to ssh, remote desktop, web logins, etc) | 5/min 10/min 15/min 30/min 60/min |
| Web Errors Frequency | Frequency of HTTP request failures (500s) to be considered a high severity event. | 5/min 10/min 15/min 30/min 60/min |
| Web 404's Frequency | Frequency of HTTP 404 errors (file not found) to be considered a web recon scan. | 5/min 10/min 15/min 30/min 60/min |
A consumable list will be created via the options selected and from there you create your local agent to consume and deploy the controls. If you have recommendations on what other options we should include, let us know and we'll work to get them on the roadmap.
If you're curious how it works, feel free to give it a try it's a low-hassle trial that doesn't require a credit card to use.