I don't need active response. I just want a rule to distinguish between ScanAlert and actual malicious scans, all of which are being reported from mod_security. There are tons of IPs in the ScanAlert list and I was not sure if OSSEC rules were CIDR-notation aware.
On Thu, May 13, 2010 at 7:31 PM, Michael Starks <[email protected]> wrote:
> Nicholas Ritter wrote:
> > I googled this question before posting and found no hits, I apologize
> > in advance if I have missed this discussion on the list. I want to
> > create rules that treat web application scans from McAfee ScanAlert
> > differently in OSSEC. Because of the number of source IPs that ScanAlert
> > uses, I was going to write a perl script that fetches the CSV of source
> > IPs from McAfee and create OSSEC rules. Before I do any of this, are
> > there already rules for ScanAlert, much less does anyone have comments
> > on the subject regarding how they handle it?
>
> Hey Nicholas,
>
> I wrote the McAfee VSE support and, as far as I know, no other McAfee
> products are currently supported.
>
> I'm a bit confused as to why a Perl script would be needed. Wouldn't you
> just need to decode the IP and pass it to an Active Response script?
>
> --
> Michael Starks
> [I] Immutable Security
> http://www.immutablesecurity.com
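One way to do what the thread describes, as an added example that is not part of the original posts and not OSSEC's or McAfee's code: take the scanner-source list as a CSV (the real ScanAlert CSV layout is not shown on the page, so the sample here is constructed), collapse it into the minimal set of CIDR ranges, emit an OSSEC local rule that lowers the level of a mod_security alert when the source falls inside one of those ranges, and check candidate source IPs against the same ranges. The parent rule id 30101 is a placeholder for whichever rule fires on your mod_security events, 100100 is a local rule id (OSSEC reserves 100000-119999 for local rules), and the log lines are constructed in the Apache 2.2 `[client x.x.x.x]` form. It assumes `<srcip>` accepts CIDR netmasks and that several `<srcip>` entries in one rule are ORed, which is how OSSEC 2.x documents the element; only IPv4 is emitted.

```python
"""Build an OSSEC local rule for known scanner ranges and classify source IPs.

Added example; not OSSEC's own code and not from the mailing-list thread.
Assumptions: parent SID 30101 (placeholder for your mod_security alert),
local rule id 100100, constructed CSV and log samples, IPv4 only.
"""
import csv
import io
import ipaddress
import re
from xml.sax.saxutils import escape

# Constructed stand-in for a fetched scanner-source CSV (one IP or CIDR per row).
SAMPLE_CSV = """\
ip_address
192.0.2.10
192.0.2.0/26
198.51.100.0/24
198.51.100.200
not-an-ip
"""

# Constructed Apache error_log lines as mod_security would write them.
SAMPLE_LOG = [
    '[Thu May 13 19:40:01 2010] [error] [client 198.51.100.200] ModSecurity: '
    'Access denied with code 403 (phase 2). [id "950001"]',
    '[Thu May 13 19:41:07 2010] [error] [client 203.0.113.5] ModSecurity: '
    'Access denied with code 403 (phase 2). [id "950001"]',
    '[Thu May 13 19:42:00 2010] [error] [client 192.0.2.77] ModSecurity: '
    'Warning. Pattern match "select" [id "950901"]',
]

PARENT_SID = "30101"      # placeholder: the rule that fires on mod_security events
LOCAL_RULE_ID = "100100"  # local rule range is 100000-119999
DOWNGRADED_LEVEL = 3      # level given to scanner traffic instead of the parent's

# Matches "[client 1.2.3.4]" (Apache 2.2) and "[client 1.2.3.4:5678]" (2.4).
CLIENT_RE = re.compile(r"\[client ([0-9.]+)(?::\d+)?\]")


def load_scanner_networks(csv_text):
    """Parse one IPv4 address or CIDR per row, skip junk, merge overlaps."""
    nets = []
    for row in csv.reader(io.StringIO(csv_text)):
        if not row:
            continue
        try:
            net = ipaddress.ip_network(row[0].strip(), strict=False)
        except ValueError:
            continue  # header line or garbage
        if net.version == 4:
            nets.append(net)
    # collapse_addresses drops 192.0.2.10 (inside 192.0.2.0/26) and
    # 198.51.100.200 (inside 198.51.100.0/24), and sorts the result.
    return list(ipaddress.collapse_addresses(nets))


def ossec_srcip(net):
    """Render a network as OSSEC expects it: plain IP for hosts, CIDR otherwise."""
    if net.prefixlen == net.max_prefixlen:
        return str(net.network_address)
    return str(net)


def render_local_rule(nets):
    """Emit a child rule that overrides the parent alert for scanner sources."""
    srcips = "\n".join(f"    <srcip>{escape(ossec_srcip(n))}</srcip>" for n in nets)
    return (
        '<group name="local,web,">\n'
        f'  <rule id="{LOCAL_RULE_ID}" level="{DOWNGRADED_LEVEL}">\n'
        f'    <if_sid>{PARENT_SID}</if_sid>\n'
        f'{srcips}\n'
        '    <description>mod_security event from an authorized scanner range.</description>\n'
        '  </rule>\n'
        '</group>\n'
    )


def is_scanner(ip, nets):
    """True if ip (string) falls inside any of the collapsed scanner networks."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in n for n in nets if n.version == addr.version)


def classify_log_lines(lines, nets):
    """Map each client IP seen in the log lines to 'scanner' or 'suspect'."""
    verdicts = {}
    for line in lines:
        m = CLIENT_RE.search(line)
        if m:
            ip = m.group(1)
            verdicts[ip] = "scanner" if is_scanner(ip, nets) else "suspect"
    return verdicts


if __name__ == "__main__":
    networks = load_scanner_networks(SAMPLE_CSV)
    print(render_local_rule(networks))
    for ip, verdict in classify_log_lines(SAMPLE_LOG, networks).items():
        print(f"{ip:16} {verdict}")
```

Drop the generated `<group>` into `local_rules.xml` and re-run the script whenever the scanner list changes; because the child rule carries `<if_sid>` pointing at the mod_security rule, a match from one of the listed ranges replaces the parent's level with the lower one, while scans from any other source keep firing at the original level. Feed one of the sample lines through `ossec-logtest` to confirm which rule wins before relying on it.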
