>
> Hi David (and Tim),
>
> When ossec parses a log, it will break down the message into
> multiple fields:
>
> time -> Jun 3 15:34:33
> hostname -> saratoga.denmantire.com
> program_name -> snort
> log -> [122:3:0] (portscan) TCP Portsweep {PROTO255} 192.168.0.150 ->
> 192.168.1.80
>
> After the decoding (decoders.xml), you will also have:
>
> srcip -> 192.168.0.150
> id -> 122:3:0
>
> And may have dstip, srcport, etc...
>
> When you write a rule, you need to remember that the "regex" and "match" tags
> only look at the log option, which from your logs would only start at
> "[122:3:0 ..".
>
> To look at the other parts of the message, you need to use "program_name"
> (as David mentioned) or "hostname", etc.
>
> I think that the best way to have your rule would be to look at the
> snort id (122:), instead of looking at the whole message for "portscan".
>
> <rule id="1002020" level="0">
> <if_sid>20151</if_sid>
> <program_name>^snort</program_name>
> <srcip>192.168.0.150</srcip>
> <id>^122:</id>
> <description>Portsweep from whatsup. It's OK.</description>
> </rule>
>
> These two links (one is my presentation at AusCERT) can explain a little
> more how the rules work:
>
> http://www.ossec.net/wiki/index.php/Know_How:CorrelateSnort
> http://www.ossec.net/ossec-docs/auscert-2007-dcid.pdf
>
> Hope it helps.
>
_Big_ help. That de-mystifies everything. Thanks much!
--
Tim Boyer
Director
Information Systems and Engineering Projects
Denman Tire Corporation
[EMAIL PROTECTED]
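As an added illustration of the pre-decode / decode / rule-match pipeline described in the quoted message (not part of this thread and not OSSEC's own code), the following Python models the three stages on the snort line from the thread. The two regular expressions are simplified stand-ins for OSSEC's syslog pre-decoder and the snort decoder in decoders.xml, and the rule dictionary is a loose rendering of rule 1002020; both are assumptions made for the example.

```python
import re

# Constructed sample line: the message quoted in the thread, on one line.
SAMPLE = ("Jun  3 15:34:33 saratoga.denmantire.com snort: [122:3:0] (portscan) "
          "TCP Portsweep {PROTO255} 192.168.0.150 -> 192.168.1.80")

# Stage 1 (assumed, simplified): split syslog header into time/hostname/program_name/log.
SYSLOG_RE = re.compile(
    r"^(?P<time>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<hostname>\S+) "
    r"(?P<program_name>[^:\[]+)(?:\[\d+\])?: (?P<log>.*)$")

# Stage 2 (assumed, simplified): snort decoder pulling id, srcip, dstip (and ports if present).
SNORT_RE = re.compile(
    r"^\[(?P<id>\d+:\d+:\d+)\] .*?(?P<srcip>\d+\.\d+\.\d+\.\d+)(?::(?P<srcport>\d+))?"
    r" -> (?P<dstip>\d+\.\d+\.\d+\.\d+)(?::(?P<dstport>\d+))?")


def predecode(line):
    """Return the syslog fields, or None if the header does not parse."""
    m = SYSLOG_RE.match(line)
    return m.groupdict() if m else None


def decode(fields):
    """Run the snort decoder only when program_name identifies snort."""
    if fields and fields["program_name"] == "snort":
        m = SNORT_RE.match(fields["log"])
        if m:
            fields.update({k: v for k, v in m.groupdict().items() if v})
    return fields


# Rule options modelled on rule 1002020: each key names the decoded field the
# option inspects, each value is the pattern applied to that field only.
RULE_1002020 = {"program_name": r"^snort", "srcip": r"^192\.168\.0\.150$", "id": r"^122:"}


def rule_matches(rule, fields):
    """Every option must match its own field; a missing field means no match."""
    return all(fields.get(f) is not None and re.search(p, fields[f])
               for f, p in rule.items())


def match_option_hits(pattern, fields):
    """What a <match> option sees: only the log portion after the program name."""
    return pattern in fields["log"]
```

Running `match_option_hits("snort", fields)` returns False while `match_option_hits("portscan", fields)` returns True, which is exactly why `<program_name>` rather than `<match>` is needed to select snort messages.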