Hi David (and Tim),
When ossec parses a log, it will break down the message into multiple fields:
time -> Jun 3 15:34:33
hostname -> saratoga.denmantire.com
program_name -> snort
log -> [122:3:0] (portscan) TCP Portsweep {PROTO255} 192.168.0.150 -> 192.168.1.80
After the decoding (decoders.xml), you will also have:
srcip -> 192.168.0.150
id -> 122:3:0
And may have dstip, srcport, etc...
When you write a rule, you need to remember that the "regex" and "match" tag
only look at the log option, which from your logs would only start at
"[122:3:0 ..".
To look at the other parts of the message, you need to use "program_name" (as
David mentioned) or "hostname", etc.
I think that the best way to have your rule would be to look at the
snort id (122:), instead of looking at the whole message for "portscan".
<rule id="1002020" level="0">
<if_sid>20151</if_sid>
<program_name>^snort</program_name>
<srcip>192.168.0.150</srcip>
<id>^122:</id>
<description>Portsweep from whatsup. It's OK.</description>
</rule>
These two links (one is my presentation at AusCERT) can explain a little more
how the rules work:
http://www.ossec.net/wiki/index.php/Know_How:CorrelateSnort
http://www.ossec.net/ossec-docs/auscert-2007-dcid.pdf
Hope it helps.
--
Daniel B. Cid, dcid ( at ) ossec.net
http://www.ossec.net
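To make the field split described above concrete, here is a small Python model of it. This is an added example written for this thread, not OSSEC code: the syslog and snort decoders are simplified re-implementations (assumptions about what OSSEC's decoders extract), and the OSSEC-to-Python regex translation only covers the escapes used in the thread. It applies the three rules from the thread to the sample alerts and shows why the original <regex> never fires (the "log" field starts at "[122:3:0]", so "snort" is not in it) and how matching on the snort id differs from a plain substring match on "portscan".

```python
"""Toy model of OSSEC field decoding and local-rule evaluation (added example)."""
import re

# Sample alerts: the first three are from the thread, the last two are
# constructed here to show where a <match>portscan</match> rule and an
# <id>^122:</id> rule disagree.
SAMPLE_LOGS = [
    "Jun 3 15:34:33 saratoga.denmantire.com snort[27016]: [122:3:0] (portscan) TCP Portsweep {PROTO255} 192.168.0.150 -> 192.168.1.80",
    "Jun 3 15:34:03 saratoga.denmantire.com snort[27022]: [122:19:0] (portscan) UDP Portsweep {PROTO255} 192.168.0.150 -> 192.168.1.80",
    "Jun 3 15:33:50 saratoga.denmantire.com snort[27016]: [122:25:0] (portscan) ICMP Sweep {PROTO255} 192.168.0.150 -> 192.168.0.201",
    # constructed: different source, would never be whitelisted
    "Jun 3 15:35:10 saratoga.denmantire.com snort[27016]: [1:100001:1] TEST sig {TCP} 10.1.1.5:4444 -> 192.168.1.80:22",
    # constructed: same source, non-portscan signature whose text happens to contain "portscan"
    "Jun 3 15:35:12 saratoga.denmantire.com snort[27016]: [1:100002:1] TEST portscan-ish text {TCP} 192.168.0.150:1234 -> 192.168.1.80:80",
]

# Assumed syslog layout: "<time> <hostname> <program_name>[pid]: <log>"
SYSLOG_RE = re.compile(
    r"^(?P<time>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) (?P<hostname>\S+) "
    r"(?P<program_name>[^\[\]: ]+)(?:\[\d+\])?: (?P<log>.*)$"
)
# Assumed snort alert layout inside the log field: "[gid:sid:rev] msg {PROTO} src[:port] -> dst[:port]"
SNORT_RE = re.compile(
    r"^\[(?P<id>\d+:\d+:\d+)\] .*\{(?P<proto>[^}]+)\} "
    r"(?P<srcip>[\d.]+)(?::(?P<srcport>\d+))? -> (?P<dstip>[\d.]+)(?::(?P<dstport>\d+))?"
)


def decode(line):
    """Split a line into OSSEC-style fields; returns None if it is not syslog."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    fields = m.groupdict()
    sm = SNORT_RE.match(fields["log"])
    if sm:
        fields.update({k: v for k, v in sm.groupdict().items() if v is not None})
    return fields


def ossec_regex_to_python(pattern):
    """Translate the subset of OSSEC regex syntax used here: '\\.' is "any char",
    '\\d' '\\w' '\\s' keep their meaning, '.' '{' '}' and other characters are literal."""
    out, i = [], 0
    while i < len(pattern):
        c = pattern[i]
        if c == "\\" and i + 1 < len(pattern):
            nxt = pattern[i + 1]
            if nxt == ".":
                out.append(".")
            elif nxt in "dwsDWS":
                out.append("\\" + nxt)
            elif nxt == "t":
                out.append("\\t")
            else:
                out.append(re.escape(nxt))
            i += 2
            continue
        out.append(c if c in "^$*+?|()" else re.escape(c))
        i += 1
    return "".join(out)


def rule_matches(rule, fields):
    """Evaluate rule tags the way the thread describes: <match>/<regex> see only
    the log field, <srcip> is an exact compare, other tags match their own field
    (a leading '^' anchors to the start of the field)."""
    for tag, pattern in rule.items():
        if tag == "match":
            if pattern not in fields["log"]:
                return False
        elif tag == "regex":
            if not re.search(ossec_regex_to_python(pattern), fields["log"]):
                return False
        elif tag in ("srcip", "dstip"):
            if fields.get(tag) != pattern:
                return False
        else:
            value = fields.get(tag)
            if value is None:
                return False
            if pattern.startswith("^"):
                if not value.startswith(pattern[1:]):
                    return False
            elif pattern not in value:
                return False
    return True


# The three candidate rules from the thread (if_sid and description omitted;
# the parent rule 20151 is assumed to have fired).
TIM_RULE = {"regex": r"snort\.*(portscan)\.*{PROTO255} 192.168.0.150 ->"}
DAVID_RULE = {"program_name": "snort", "srcip": "192.168.0.150", "match": "portscan"}
DANIEL_RULE = {"program_name": "^snort", "srcip": "192.168.0.150", "id": "^122:"}


def matching_ids(rule, lines=SAMPLE_LOGS):
    """Snort ids of the sample lines that the rule would silence."""
    hits = []
    for line in lines:
        fields = decode(line)
        if fields and rule_matches(rule, fields):
            hits.append(fields.get("id"))
    return hits


def regex_hits_full_line(ossec_pattern, line):
    """Same regex run against the whole line, which is what the author expected."""
    return re.search(ossec_regex_to_python(ossec_pattern), line) is not None


if __name__ == "__main__":
    print("fields of first alert:", decode(SAMPLE_LOGS[0]))
    for name, rule in (("regex on log field", TIM_RULE), ("match portscan", DAVID_RULE), ("id ^122:", DANIEL_RULE)):
        print(f"{name:20s} -> {matching_ids(rule)}")
    print("Tim's regex against the full line:", regex_hits_full_line(TIM_RULE["regex"], SAMPLE_LOGS[0]))
```

Running it shows the original <regex> rule matching nothing while the same pattern matches the full line, and that the id-based rule whitelists only the gid 122 portscan alerts from 192.168.0.150, whereas the substring rule would also silence the constructed non-portscan alert whose message merely contains the word.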
On 6/3/07, David Williams <[EMAIL PROTECTED]> wrote:
>
>
> Tim,
> I tried a similar regex without luck but then saw another way to do
> the same thing. You may want to try something like (I've not tried
> this, I'm just guessing...):
>
> <rule id="1002020" level="0">
> <if_sid>20151</if_sid>
> <program_name>snort</program_name>
> <srcip>192.168.0.150</srcip>
> <match>portscan</match>
> <description>Portsweep from whatsup. It's OK.</description>
> </rule>
>
> In theory OSSEC will already have parsed the program name and
> source IP for you so you can use options specific to those and then
> just a simple match on portscan in the log entry. I saw the match
> options when I was looking at the regex rules here:
> http://www.ossec.net/wiki/index.php/Know_How:Regex_Readme. I'm not
> sure srcip is valid there, but it sure seems likely to me.
> I don't know if it's the best approach, but a similar rule helped
> me out.
> -David
>
>
>
> Tim Boyer wrote:
> > OK, I've just started using this fine program, and I'm trying to eliminate a
> > false positive. I'm doing something wrong that I'm sure is obvious, but
> > after four days of staring at it I need more eyes.
> >
> > WhatsUp is doing portscans on my internal network, which is a Good Thing.
> > The logs say
> >
> > Received From: saratoga.denmantire.com->/var/log/messages
> > Rule: 20151 fired (level 11) -> "Multiple IDS events from same source ip."
> > Portion of the log(s):
> >
> > Jun 3 15:34:33 saratoga.denmantire.com snort[27016]: [122:3:0] (portscan)
> > TCP Portsweep {PROTO255} 192.168.0.150 -> 192.168.1.80
> > Jun 3 15:34:03 saratoga.denmantire.com snort[27022]: [122:19:0] (portscan)
> > UDP Portsweep {PROTO255} 192.168.0.150 -> 192.168.1.80
> > Jun 3 15:34:03 saratoga.denmantire.com snort[27016]: [122:19:0] (portscan)
> > UDP Portsweep {PROTO255} 192.168.0.150 -> 192.168.1.80
> > Jun 3 15:33:50 saratoga.denmantire.com snort[27016]: [122:25:0] (portscan)
> > ICMP Sweep {PROTO255} 192.168.0.150 -> 192.168.0.201
> >
> > so I want a generalized 'ignore this' for the portscans coming out of
> > 192.168.0.150. I thought that putting this into local_rules would take care
> > of it:
> >
> > <rule id="1002020" level="0">
> > <if_sid>20151</if_sid>
> > <regex>snort\.*(portscan)\.*{PROTO255} 192.168.0.150 -></regex>
> > <description>Portsweep from whatsup. It's OK.</description>
> > </rule>
> >
> > but it's obviously not doing what I wanted it to. What am I not seeing
> > here?
> >
> > Thanks,
> >
>
> - --
> _______________________________________________
> GPG (http://www.gnupg.org/) key available from:
> http://www.kayakero.net/per/david/