Add these to local_decoders.xml:

<decoder name="portsentry-scan">
  <parent>portsentry</parent>
  <prematch>^attackalert: TCP </prematch>
  <regex offset="after_prematch">scan from host: (\S+)/\S+ to \S+ port: (\d+)$</regex>
  <order>srcip, dstport</order>
</decoder>

<decoder name="portsentry-host">
  <parent>portsentry</parent>
  <prematch offset="after_parent">^attackalert: Host: </prematch>
  <regex offset="after_prematch">^(\S+)/\S+ </regex>
  <order>srcip</order>
</decoder>

On Fri, Jul 8, 2011 at 9:59 AM, Blauch Armand <[email protected]> wrote:
> Hello,
>
> I'm new to ossec and I need help. I've spent a lot of time on
> portsentry rules and ossec.
> There is already a subject about this here:
> http://groups.google.com/group/ossec-list/browse_thread/thread/6718daf1f522773f/dfa124f7b868197e?lnk=gst&q=portsentry#dfa124f7b868197e
>
> I'm not exactly in the same situation. My logs (syslog) are different.
> I don't have the same regular expressions.
> I've tried to adapt the decoder and rules of the last subject, without
> success.
>
> My portsentry logs are like this:
>
> *******************************************************
> Jul 8 09:47:11 pctest portsentry[14021]: attackalert: TCP XMAS scan from host: 192.168.4.51/192.168.4.51 to TCP port: 648
> Jul 8 09:47:11 pctest portsentry[14021]: attackalert: Host: 192.168.4.51/192.168.4.51 is already blocked Ignoring
> Jul 8 09:48:09 pctest portsentry[14021]: attackalert: TCP FIN scan from host: 192.168.4.51/192.168.4.51 to TCP port: 465
> Jul 8 09:48:09 pctest portsentry[14021]: attackalert: Host: 192.168.4.51/192.168.4.51 is already blocked Ignoring
> Jul 8 10:02:12 pctest portsentry[14021]: attackalert: TCP NULL scan from host: 192.168.4.51/192.168.4.51 to TCP port: 808
> Jul 8 10:02:12 pctest portsentry[14021]: attackalert: Host: 192.168.4.51/192.168.4.51 is already blocked Ignoring
> Jul 8 15:14:19 pctest portsentry[14021]: attackalert: TCP SYN/Normal scan from host: 192.168.4.52/192.168.4.52 to TCP port: 700
> Jul 8 15:14:19 pctest portsentry[14021]: attackalert: Host: 192.168.4.52/192.168.4.52 is already blocked Ignoring
> *******************************************************
>
> The decoders are like this:
> (I'm first trying to alert on TCP SYN/Normal scans, but once this one
> works I want to alert on all scans)
> *******************************************************
> <decoder name="portsentry">
>   <program_name>^portsentry</program_name>
> </decoder>
>
> <decoder name="portsentry-attackalert">
>   <parent>portsentry</parent>
>   <prematch>attackalert: TCP SYN/Normal scan from host: </prematch>
>   <regex offset="after_prematch">(\S+)/\S+ to (\S+) port: (\d+)$</regex>
>   <order>srcip,protocol,dstport</order>
> </decoder>
>
> <decoder name="portsentry-blocked">
>   <parent>portsentry</parent>
>   <prematch>is already blocked Ignoring$</prematch>
>   <regex>Host: (\S+)/\S+ is</regex>
>   <order>srcip</order>
> </decoder>
> *******************************************************
>
> The rules are like this:
> ********************************************************
> <group name="syslog,portsentry">
>   <rule id="160000" level="0" noalert="1">
>     <decoded_as>portsentry</decoded_as>
>     <description>Grouping for the PortSentry rules</description>
>   </rule>
>
>   <rule id="160002" level="0">
>     <if_sid>160000</if_sid>
>     <match>attackalert:</match>
>     <description>Connection from a host.</description>
>   </rule>
>
>   <rule id="160003" level="10" frequency="4" timeframe="180" ignore="60">
>     <if_matched_sid>160002</if_matched_sid>
>     <description>Repeated connections from the same host.</description>
>     <same_source_ip />
>     <group>recon,</group>
>   </rule>
>
>   <rule id="160004" level="0">
>     <if_sid>160000</if_sid>
>     <match>is already blocked Ignoring$</match>
>     <description>Host is still scanning.</description>
>   </rule>
>
>   <rule id="160005" level="10" frequency="6" timeframe="180" ignore="60">
>     <if_sid>160004</if_sid>
>     <if_matched_sid>160002</if_matched_sid>
>     <description>Repeated connections from a blocked host.</description>
>     <same_source_ip />
>     <group>recon,</group>
>   </rule>
> </group>
> ********************************************************
>
> Can anybody help me?
> What is wrong in my decoders and rules?
>
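To see what the two decoders in the reply extract from these lines, and how rule 160003 (frequency 4 within 180 seconds, same source IP, 60-second ignore) would then correlate them, here is an added example that is not part of the thread and not OSSEC's engine: a small Python approximation of the decoder and rule logic, run over log lines constructed from the format Armand posted. It assumes a syslog pre-decoder of the usual "timestamp host program[pid]: message" shape, a fixed year (syslog timestamps carry none), and that Python's re is close enough to OSSEC's regex dialect for these particular patterns (they only use constructs both share: \S, \d, +, ^, $ and groups). The hostname, pid and addresses are the placeholder values from the thread, with one non-portsentry line added to show the parent decoder filtering it out.

```python
"""Simulate the portsentry decoders and rule 160003 over sample syslog lines.

Added example: a Python approximation of OSSEC's decoder/rule behaviour,
not OSSEC itself.  The log text is constructed from the format shown in
the thread; 'pctest', the pid and the 192.168.4.x addresses are placeholders.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

# Syslog pre-decoder: "Jul  8 09:47:11 pctest portsentry[14021]: <log>".
# Both "Jul  8" (real syslog) and "Jul 8" (as pasted in the thread) parse.
SYSLOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<prog>[^\[\s:]+)(?:\[(?P<pid>\d+)\])?: (?P<log>.*)$"
)

# Python equivalents of the two child decoders given in the reply.
# The <prematch> patterns are ^-anchored, so re.match; the <regex> runs on
# what follows the prematch (offset="after_prematch"), as re.search.
DECODERS = [
    ("portsentry-scan",
     re.compile(r"^attackalert: TCP "),
     re.compile(r"scan from host: (\S+)/\S+ to \S+ port: (\d+)$"),
     ("srcip", "dstport")),
    ("portsentry-host",
     re.compile(r"^attackalert: Host: "),
     re.compile(r"^(\S+)/\S+ "),
     ("srcip",)),
]


def decode(line):
    """Return the decoded fields for one syslog line, or None if no decoder fits."""
    m = SYSLOG_RE.match(line)
    # Parent decoder: <program_name>^portsentry</program_name>
    if not m or m.group("prog") != "portsentry":
        return None
    log = m.group("log")
    for name, prematch, regex, order in DECODERS:
        pm = prematch.match(log)
        if not pm:
            continue
        rm = regex.search(log[pm.end():])
        if not rm:
            continue
        fields = dict(zip(order, rm.groups()))
        fields["decoder"] = name
        fields["timestamp"] = m.group("ts")
        return fields
    return None


class RepeatedScanRule:
    """Approximation of rule 160003: every decoded portsentry event matches
    160002 ("attackalert:"), and 160003 fires once `frequency` of them from
    the same source IP fall within `timeframe` seconds; after firing, the
    rule stays silent for that IP for `ignore` seconds."""

    def __init__(self, frequency=4, timeframe=180, ignore=60, year=2011):
        self.frequency, self.timeframe, self.ignore, self.year = frequency, timeframe, ignore, year
        self.events = defaultdict(deque)   # srcip -> timestamps inside the window
        self.last_alert = {}               # srcip -> time the rule last fired

    def feed(self, fields):
        ip = fields["srcip"]               # <same_source_ip /> keys the counter on srcip
        ts = datetime.strptime(f"{self.year} {fields['timestamp']}", "%Y %b %d %H:%M:%S")
        last = self.last_alert.get(ip)
        if last is not None and (ts - last).total_seconds() < self.ignore:
            return None                    # <ignore>: still in the quiet period
        window = self.events[ip]
        window.append(ts)
        while (ts - window[0]).total_seconds() > self.timeframe:
            window.popleft()               # drop events older than the timeframe
        if len(window) >= self.frequency:
            self.last_alert[ip] = ts
            window.clear()
            return {"rule": 160003, "level": 10, "srcip": ip, "timestamp": fields["timestamp"]}
        return None


# Constructed sample, modelled on the lines in the thread (last line is filler
# from another program to show the parent decoder rejecting it).
SAMPLE_LOG = """\
Jul  8 09:47:11 pctest portsentry[14021]: attackalert: TCP XMAS scan from host: 192.168.4.51/192.168.4.51 to TCP port: 648
Jul  8 09:47:11 pctest portsentry[14021]: attackalert: Host: 192.168.4.51/192.168.4.51 is already blocked Ignoring
Jul  8 09:48:09 pctest portsentry[14021]: attackalert: TCP FIN scan from host: 192.168.4.51/192.168.4.51 to TCP port: 465
Jul  8 09:48:09 pctest portsentry[14021]: attackalert: Host: 192.168.4.51/192.168.4.51 is already blocked Ignoring
Jul  8 10:02:12 pctest portsentry[14021]: attackalert: TCP NULL scan from host: 192.168.4.51/192.168.4.51 to TCP port: 808
Jul  8 10:02:12 pctest portsentry[14021]: attackalert: Host: 192.168.4.51/192.168.4.51 is already blocked Ignoring
Jul  8 15:14:19 pctest portsentry[14021]: attackalert: TCP SYN/Normal scan from host: 192.168.4.52/192.168.4.52 to TCP port: 700
Jul  8 15:14:19 pctest portsentry[14021]: attackalert: Host: 192.168.4.52/192.168.4.52 is already blocked Ignoring
Jul  8 15:14:20 pctest sshd[100]: Accepted publickey for admin from 10.0.0.5 port 5555 ssh2
"""


def run(log_text, rule=None):
    """Decode every line and feed the result to the rule; return (decoded, alerts)."""
    rule = rule or RepeatedScanRule()
    decoded, alerts = [], []
    for line in log_text.splitlines():
        fields = decode(line)
        if fields is None:
            continue
        decoded.append(fields)
        alert = rule.feed(fields)
        if alert:
            alerts.append(alert)
    return decoded, alerts


if __name__ == "__main__":
    decoded, alerts = run(SAMPLE_LOG)
    for f in decoded:
        print(f)
    print("alerts:", alerts)
```

Each scan produces two "attackalert:" lines (the scan itself and the "already blocked" notice), so with these lines the rule reaches four events for 192.168.4.51 on the second line of the 09:48:09 pair and fires there; the 10:02:12 pair is outside the 180-second window and starts a fresh count, and 192.168.4.52 never reaches four. Two caveats before trusting the simulation: the OSSEC documentation notes that the real number of matches needed is two more than the configured frequency value, and on an actual install the authoritative check is to paste these lines into /var/ossec/bin/ossec-logtest, which prints which decoder matched, the fields it extracted and the rule that fired.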
