Hi Peter,

This should be very easy to do. If you can show us a few log samples, I can start a few rules for you...

Thanks,

--
Daniel B. Cid
dcid ( at ) ossec.net

On Nov 22, 2007 7:07 PM, Peter M. Abraham <[EMAIL PROTECTED]> wrote:
>
> Greetings:
>
> We use http://kodu.neti.ee/~risto/sec/ for real time monitoring on a
> server-by-server basis.
>
> It works well, but I like the agent/server approach with ossec.
>
> In terms of converting rules we have with S.E.C. how would I go about
> converting the following three rules into ossec rules?
>
> # Horizontal port scan -- attacker is scanning a range of IP addresses
> # ---------------------------------------------------------------------
> #
> # /var/log/kernel: $1 is the scanning IP, $2 is the destination IP, and
> # $3 is the destination port
> #
> # Rule 1: first drop from $1 to port $3 -- open a 60 s context and an
> # empty hash of destinations; when the context expires the hash is
> # deleted with it.
> type=Single
> ptype=RegExp
> pattern=\S+\s+\S+\s+\S+\s+\S+\s+\S+\s+PUB_IN\s+DROP\s+\S+\s+\S+\s+\S+\s+\S+\s+SRC=(\S+)\s+DST=(\S+)\s+\S+\s+\S+\s+\S+\s+\S+\s+\S+\s+\S+\s+\S+\s+DPT=(\d+)
> context=!HORIZONTAL_PORTSWEEP_FROM_SOURCE_IP_$1_TO_TARGET_PORT_$3
> continue=TakeNext
> desc=Horizontal port sweep started from source $1 to target port $3
> action=eval %o ( $portscans{"$1:$3"} = {} ); \
>        create HORIZONTAL_PORTSWEEP_FROM_SOURCE_IP_$1_TO_TARGET_PORT_$3 60 \
>        eval %o ( delete $portscans{"$1:$3"} )
>
> # Rule 2: every further drop records $2 as a distinct destination and
> # renews the 60 s lifetime of the context (sliding window).
> type=Single
> ptype=RegExp
> pattern=\S+\s+\S+\s+\S+\s+\S+\s+\S+\s+PUB_IN\s+DROP\s+\S+\s+\S+\s+\S+\s+\S+\s+SRC=(\S+)\s+DST=(\S+)\s+\S+\s+\S+\s+\S+\s+\S+\s+\S+\s+\S+\s+\S+\s+DPT=(\d+)
> context=HORIZONTAL_PORTSWEEP_FROM_SOURCE_IP_$1_TO_TARGET_PORT_$3
> continue=TakeNext
> desc=Scanned destination IP: $2
> action=eval %o ( $portscans{"$1:$3"}->{$2} = 1 ); \
>        add HORIZONTAL_PORTSWEEP_FROM_SOURCE_IP_$1_TO_TARGET_PORT_$3 %t: %s; \
>        set HORIZONTAL_PORTSWEEP_FROM_SOURCE_IP_$1_TO_TARGET_PORT_$3 60 \
>        eval %o ( delete $portscans{"$1:$3"} )
>
> # Rule 3: more than 10 distinct destinations for $1:$3 inside the window --
> # block the source and drop the context so the count starts over.
> type=Single
> ptype=RegExp
> pattern=\S+\s+\S+\s+\S+\s+\S+\s+\S+\s+PUB_IN\s+DROP\s+\S+\s+\S+\s+\S+\s+\S+\s+SRC=(\S+)\s+DST=(\S+)\s+\S+\s+\S+\s+\S+\s+\S+\s+\S+\s+\S+\s+\S+\s+DPT=(\d+)
> context=HORIZONTAL_PORTSWEEP_FROM_SOURCE_IP_$1_TO_TARGET_PORT_$3 \
>         && =( scalar(keys(%{$portscans{"$1:$3"}})) > 10 )
> continue=DontCont
> desc=$1 has scanned more than 10 destinations
> action=shellcmd /admin/sec/sec_block.pl $1 /var/log/blocks/timed/horizon_scan.log "IP $1 scanned more than 10 IP's for port $3 in 60 seconds or less" 2880; \
>        delete HORIZONTAL_PORTSWEEP_FROM_SOURCE_IP_$1_TO_TARGET_PORT_$3
>
>
> Please note the action is very similar to the active response, so I'm
> more concerned with the ossec rule base itself.
>
> Thank you.
>

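Added example, not part of the thread and not SEC or OSSEC code: a Python reference implementation of the three SEC rules quoted above, so that whatever OSSEC rule is written for them can be checked against the exact semantics (per source IP and destination port, count distinct destination IPs, sliding 60 second window, alert once at more than 10, then start over). The log line layout, the host name fw1 and all addresses are constructed to resemble the iptables lines the SEC pattern expects; the parser keys on SRC=, DST= and DPT= instead of counting positional tokens, so an extra field or a different interface name does not silently stop it matching.

```python
"""Reference implementation of the SEC horizontal port-sweep rules.

Added example, not SEC or OSSEC code.  Log format, host name and addresses
are constructed for the demonstration.
"""
import re
from datetime import datetime, timedelta

WINDOW = 60      # seconds: context lifetime ("create ... 60" / "set ... 60")
THRESHOLD = 10   # alert when more than this many distinct destinations are seen

# Key=value parse instead of the positional \S+ counting in the SEC pattern.
DROP_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2})\s+\S+\s+kernel:.*?PUB_IN\s+DROP\b"
    r".*?\bSRC=(?P<src>\S+)\s+DST=(?P<dst>\S+).*?\bDPT=(?P<dpt>\d+)\b"
)
EPOCH = datetime(1900, 1, 1)   # strptime without a year lands in 1900; only differences matter


def parse_drop(line):
    """Return (seconds, src, dst, dport) for a PUB_IN DROP line, else None."""
    m = DROP_RE.match(line)
    if not m:
        return None
    when = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S")
    return (when - EPOCH).total_seconds(), m.group("src"), m.group("dst"), m.group("dpt")


class HorizontalSweepDetector:
    """One state entry per (source IP, destination port): the SEC context
    HORIZONTAL_PORTSWEEP_FROM_SOURCE_IP_$1_TO_TARGET_PORT_$3 plus the
    %portscans hash that holds the distinct destinations."""

    def __init__(self, window=WINDOW, threshold=THRESHOLD):
        self.window = window
        self.threshold = threshold
        self.contexts = {}   # (src, dport) -> {"expires": seconds, "dsts": set()}

    def feed(self, line):
        """Process one log line; return an alert string when rule 3 fires."""
        parsed = parse_drop(line)
        if parsed is None:
            return None
        now, src, dst, dpt = parsed
        key = (src, dpt)
        ctx = self.contexts.get(key)
        # Rule 1: no live context -> create one with an empty destination set.
        # An expired context counts as deleted, matching SEC's expiry action.
        if ctx is None or now >= ctx["expires"]:
            ctx = {"expires": now + self.window, "dsts": set()}
            self.contexts[key] = ctx
        # Rule 2: record the destination and renew the timer ("set ... 60"),
        # so the window slides with the latest drop, not the first.
        ctx["dsts"].add(dst)
        ctx["expires"] = now + self.window
        # Rule 3: more than THRESHOLD distinct destinations -> alert once and
        # delete the context so a continuing sweep starts a new count.
        if len(ctx["dsts"]) > self.threshold:
            del self.contexts[key]
            return (f"IP {src} scanned more than {self.threshold} IP's for port "
                    f"{dpt} in {self.window} seconds or less")
        return None


def run(lines):
    """Feed all lines through one detector and return the alerts raised."""
    det = HorizontalSweepDetector()
    return [a for a in (det.feed(line) for line in lines) if a]


# --- constructed test traffic (not real logs) ------------------------------
T0 = datetime(2007, 11, 22, 19, 7, 1)


def drop_line(offset, src, dst, dpt):
    """Build a constructed PUB_IN DROP line `offset` seconds after T0."""
    ts = (T0 + timedelta(seconds=offset)).strftime("%b %d %H:%M:%S")
    return (f"{ts} fw1 kernel: PUB_IN DROP IN=eth0 OUT= "
            f"MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC={src} DST={dst} "
            f"LEN=40 TOS=0x00 PREC=0x00 TTL=50 ID=0 DF PROTO=TCP SPT=4444 "
            f"DPT={dpt} WINDOW=1024 RES=0x00 SYN URGP=0")


def sample_lines():
    lines = []
    # Sweep: 203.0.113.7 probes port 22 on 11 hosts in 11 seconds -> alert on the 11th.
    lines += [drop_line(i, "203.0.113.7", f"198.51.100.{i + 1}", 22) for i in range(11)]
    # Same source and port, destinations repeat: distinct count stays at 1.
    lines += [drop_line(20 + i, "203.0.113.9", "198.51.100.50", 22) for i in range(15)]
    # Vertical scan of one host (12 ports): a separate context per port, no alert.
    lines += [drop_line(40 + i, "203.0.113.10", "198.51.100.60", 1000 + i) for i in range(12)]
    # Slow sweep: 6 hosts, 61 s of silence, then 5 more; neither burst exceeds 10.
    lines += [drop_line(100 + i, "203.0.113.11", f"198.51.100.{i + 1}", 80) for i in range(6)]
    lines += [drop_line(167 + i, "203.0.113.11", f"198.51.100.{i + 7}", 80) for i in range(5)]
    # Unrelated kernel line that must not match.
    lines.append("Nov 22 19:09:00 fw1 kernel: eth0: link up")
    return lines


if __name__ == "__main__":
    for alert in run(sample_lines()):
        print(alert)
```

Running the block prints exactly one alert, for 203.0.113.7 on port 22. The other three traffic shapes (repeated hits on one host, a vertical scan of one host, a sweep that pauses longer than the window) are the cases an OSSEC translation is most likely to get wrong, since a plain frequency count per source fires on all of them; feeding the same constructed lines to the OSSEC rule and confirming it alerts only on the first case is the useful check.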