On Apr 4, 2:34 pm, "dan (ddp)" <[email protected]> wrote:
> Can you provide a sample alert that this should match? It's been way
> too long since I've seen the format.

Sure thing.  This is a 'snort-fast' formatted alert:

04/12-13:05:01.308776  [**] [123:10:1] (spp_frag3) Bogus fragmentation packet. Possible BSD attack [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 2001:0000:06c1:0001:0000:0000:0000:1000 -> 2001:4860:06dc:1021:0$

I've munged the IP addresses.

I am sure there is a better way to do it but:

> Also, in the regex the "\p" matches a number of characters including
> the ":". So written out it could be "2001::4860"
> Is this your desired behaviour? (IPv6 is soooooo horrible when it
> comes to addressing...)

No, it isn't what I wanted.

I don't know what the best way of doing this will be, but until Snort
supports ipv6 src/dest addresses in their SQL schema and tools like
Base/Placid/Snorby et al can work with ipv6 alerts inside that
database, people are looking for ways to manage these events and I
believe OSSEC HIDS is a good place to do this until everyone catches
up with the times.

I'm open for suggestions on a good way to match these events with an
OSSEC regex.  (Including my example below)

> > [1] I'm using a regex to match my range, e.g. if I were watching for
> > something in Google's address space:  '<regex>^2001\p:4860</regex>'
> > <group name="syslog,snort,">
> > <rule id="100010" level="8">
> >   <if_sid>20101</if_sid>
> >   <decoded_as>snort</decoded_as>
> >   <regex>^2001\p:4860</regex>
> >   <description>ipv6 snort alert</description>
> > </rule>
> > </group>


Any insight or assistance would be appreciated.

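Added example (editor's code, not from the thread or from OSSEC): it parses snort-fast alerts, compares the thread's rule pattern `^2001\p:4860` (with `\p` expanded to OSSEC's single-punctuation-character class) against the source address text, and checks the same source address against the 2001:4860::/32 prefix with Python's `ipaddress`. The alerts and addresses are constructed; the pattern is applied to the extracted source address only, so that the `\p` question is isolated from where in the log line OSSEC would anchor it.

```python
import ipaddress
import re

# OSSEC's \p class is any single punctuation character from this set.
OSSEC_P = r"""[()*+,\-.:;<=>?\[\]!"'#$%&|{}]"""
# The thread's rule regex, ^2001\p:4860, with \p expanded to OSSEC's meaning.
RULE_REGEX = re.compile(r"^2001" + OSSEC_P + r":4860")
# snort-fast tail: {PROTO} src -> dst (frag3 alerts carry bare addresses, no ports)
ENDPOINTS = re.compile(r"\{(?P<proto>[A-Z0-9]+)\}\s+(?P<src>\S+)\s+->\s+(?P<dst>\S+)")

# Constructed sample alerts; the addresses are invented for this example.
SAMPLE_ALERTS = [
    "04/12-13:05:01.308776  [**] [123:10:1] (spp_frag3) Bogus fragmentation packet. "
    "Possible BSD attack [**] [Classification: Attempted Administrator Privilege Gain] "
    "[Priority: 1] {TCP} 2001:0000:06c1:0001:0000:0000:0000:1000 -> 2001:db8::1",
    "04/12-13:05:02.000001  [**] [123:10:1] (spp_frag3) Bogus fragmentation packet. "
    "Possible BSD attack [**] [Priority: 1] {TCP} 2001::4860 -> 2001:db8::2",
    "04/12-13:05:03.000002  [**] [123:10:1] (spp_frag3) Bogus fragmentation packet. "
    "Possible BSD attack [**] [Priority: 1] {TCP} 2001:4860:6dc:1021::1 -> 2001:db8::3",
]


def parse_endpoints(line):
    """Return (proto, src, dst) with parsed addresses, or None if the line
    is not a snort-fast alert whose endpoints are bare IP addresses."""
    m = ENDPOINTS.search(line)
    if not m:
        return None
    try:
        return m["proto"], ipaddress.ip_address(m["src"]), ipaddress.ip_address(m["dst"])
    except ValueError:
        return None


def source_matches_rule_regex(line):
    """String-based check: does ^2001\\p:4860 match the source address text?"""
    m = ENDPOINTS.search(line)
    return bool(m and RULE_REGEX.match(m["src"]))


def source_in_prefix(line, prefix):
    """Address-based check: is the parsed source inside the CIDR prefix?"""
    parsed = parse_endpoints(line)
    return parsed is not None and parsed[1] in ipaddress.ip_network(prefix)


def compare(lines, prefix="2001:4860::/32"):
    """Per alert: (regex verdict, prefix verdict). They disagree on the
    2001::4860 case dan raised and on a genuine 2001:4860:: address."""
    return [(source_matches_rule_regex(l), source_in_prefix(l, prefix)) for l in lines]
```

The second sample shows the false positive dan described (the text pattern matches `2001::4860`, which is outside the prefix), and the third shows that an address actually inside 2001:4860::/32 never satisfies the literal pattern, because `\p` consumes the one colon and the following `:4860` then has nothing to match.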