Hello,
I integrated iplog in my ossec configuration (Debian lenny servers).
ossec-logtest is working successfully (see the end of the post).
But I am missing events on real scans I made. The test log line is taken
from the running iplog log file. I triggered the scan myself with
nmap from another server.
With ossec-wui I searched for the scan, and I looked in logs/alerts/
alerts.log: no entry.
I read all the manuals I found regarding rules and decoders, and the
description from zaterio on ossec.net.
When logtest says as its last line "**Alert to be generated." and yet no
alert is generated in the case of a real scan, what else can I
check?
Here is the report of ossec-logtest:
bin/ossec-logtest
2009/10/11 15:04:48 ossec-testrule: INFO: Started (pid: 22785).
ossec-testrule: Type one log per line.
Oct 11 15:00:37 TCP: port scan detected [ports
21,3389,443,1723,23,636,25,22,113,53,...] from tftp.labor.xx
(xx.xx.xx.xx) [ports 34564,51825,56977,50778,35869,...]
**Phase 1: Completed pre-decoding.
full event: 'Oct 11 15:00:37 TCP: port scan detected [ports
21,3389,443,1723,23,636,25,22,113,53,...] from tftp.labor.xx
(xx.xx.xx.xx) [ports 34564,51825,56977,50778,35869,...]'
hostname: 'labor2'
program_name: 'TCP'
log: 'port scan detected [ports
21,3389,443,1723,23,636,25,22,113,53,...] from tftp.labor.xx
(xx.xx.xx.xx) [ports 34564,51825,56977,50778,35869,...]'
**Phase 2: Completed decoding.
decoder: 'iplog-scan'
srcip: 'tftp.labor.xx'
**Phase 3: Completed filtering (rules).
Rule id: '99990'
Level: '6'
Description: 'iplog scan detect'
**Alert to be generated.
regards,
onurbi
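One check a reader of this thread can run is to compare what the pre-decoder makes of the line pasted into ossec-logtest with what it makes of lines taken straight from the live iplog file, since a line that is shaped differently (a host field, a different program tag) would never reach the iplog-scan decoder and so produce no alert. The script below is an added example, not code from OSSEC or from the original post: the pre-decoder is an approximation of OSSEC's syslog splitting (hostname, program_name, log) written from the Phase 1 output shown above, the iplog-scan regex is a hypothetical one reconstructed from the page's log text and its srcip output (the page does not show the decoder definition), and both sample lines are constructed, the second being a hypothetical syslog-style variant.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Value taken from the logtest output on the page: the hostname OSSEC filled in
# when the line itself carried no host field.
LOCAL_HOSTNAME = "labor2"

# Approximation (assumption) of OSSEC's syslog pre-decoder. It expects
# "Mon DD HH:MM:SS [hostname] program[pid]: message"; when the token right
# after the timestamp already ends in ':' there is no hostname field and the
# local host name is used, which is what the page's Phase 1 output shows.
SYSLOG_TS = re.compile(r"^[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d ")
PROGRAM = re.compile(r"^([^\s:\[]+)(?:\[\d+\])?: ?(.*)$", re.S)


@dataclass
class PreDecoded:
    hostname: str
    program_name: Optional[str]
    log: str


def pre_decode(line: str, local_host: str = LOCAL_HOSTNAME) -> PreDecoded:
    """Split a raw line into hostname / program_name / log like Phase 1 of logtest."""
    line = line.rstrip("\n")
    m = SYSLOG_TS.match(line)
    if not m:
        # No syslog timestamp: the whole line is the message, no program name.
        return PreDecoded(local_host, None, line)
    rest = line[m.end():]
    first, _, tail = rest.partition(" ")
    if first.endswith(":"):
        # "TCP: port scan detected ..." -> program_name 'TCP', local hostname
        return PreDecoded(local_host, first[:-1], tail)
    pm = PROGRAM.match(tail)
    if pm:
        return PreDecoded(first, pm.group(1), pm.group(2))
    return PreDecoded(first, None, tail)


# Hypothetical regex for the 'iplog-scan' decoder (the page shows the decoder
# name and its srcip output, not its definition). Group 1 is the name in front
# of the parenthesised address, matching the srcip 'tftp.labor.xx' in Phase 2.
IPLOG_SCAN = re.compile(r"^port scan detected \[ports [^\]]*\] from (\S+) \((\S+)\)")


def decode_iplog_scan(pre: PreDecoded) -> Optional[dict]:
    """Return decoder fields, or None when the line would not reach this decoder."""
    if pre.program_name != "TCP":
        return None
    m = IPLOG_SCAN.match(pre.log)
    if not m:
        return None
    return {"decoder": "iplog-scan", "srcip": m.group(1), "src_addr": m.group(2)}


def check_lines(lines):
    """For each raw line report (hostname, program_name, decoder fired).
    Feed it the logtest line and lines from the live iplog file side by side
    to spot a format difference between the two."""
    report = []
    for line in lines:
        pre = pre_decode(line)
        report.append((pre.hostname, pre.program_name,
                       decode_iplog_scan(pre) is not None))
    return report


# Constructed samples. The first is the line from the page (port lists
# shortened); the second is a hypothetical syslog-style variant with a host
# field and an 'iplog[pid]:' tag, which the decoder above never sees.
PAGE_LINE = ("Oct 11 15:00:37 TCP: port scan detected [ports 21,3389,443,...] "
             "from tftp.labor.xx (xx.xx.xx.xx) [ports 34564,51825,...]")
SYSLOG_VARIANT = ("Oct 11 15:00:37 labor2 iplog[1234]: TCP: port scan detected "
                  "[ports 21,3389,443,...] from tftp.labor.xx (xx.xx.xx.xx) "
                  "[ports 34564,51825,...]")

if __name__ == "__main__":
    samples = [PAGE_LINE, SYSLOG_VARIANT]
    for raw, (host, prog, fired) in zip(samples, check_lines(samples)):
        print(f"host={host!r} program={prog!r} iplog-scan fired={fired}  <- {raw[:45]}...")
```

Running it prints one row per sample: the page's line comes out as host 'labor2', program 'TCP' with the decoder firing, exactly as the logtest run above reports, while the syslog-style variant is attributed to program 'iplog' and the decoder stays silent. Replacing the constructed samples with real lines copied from the iplog file OSSEC is reading (and the line that was pasted into logtest) shows in one table whether the two are pre-decoded the same way.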