Add these to local_decoders.xml:
<decoder name="portsentry-scan">
  <parent>portsentry</parent>
  <prematch>^attackalert: TCP </prematch>
  <regex offset="after_prematch">scan from host: (\S+)/\S+ to \S+ port: (\d+)$</regex>
  <order>srcip, dstport</order>
</decoder>

<decoder name="portsentry-host">
  <parent>portsentry</parent>
  <prematch offset="after_parent">^attackalert: Host: </prematch>
  <regex offset="after_prematch">^(\S+)/\S+ </regex>
  <order>srcip</order>
</decoder>


On Fri, Jul 8, 2011 at 9:59 AM, Blauch Armand <[email protected]> wrote:
> Hello,
>
> I'm new to ossec and I need help. I've spent a lot of time on
> portsentry rules and ossec.
> There is already a subject about this here:
> http://groups.google.com/group/ossec-list/browse_thread/thread/6718daf1f522773f/dfa124f7b868197e?lnk=gst&q=portsentry#dfa124f7b868197e
>
> I'm not exactly in the same situation. My logs (syslog) are different.
> I don't have the same regular expressions.
> I've tried to adapt the decoder and rules of the last subject, without
> success.
>
> My portsentry logs are like this:
>
> *******************************************************
> Jul  8 09:47:11 pctest portsentry[14021]: attackalert: TCP XMAS scan
> from host: 192.168.4.51/192.168.4.51 to TCP port: 648
> Jul  8 09:47:11 pctest portsentry[14021]: attackalert: Host:
> 192.168.4.51/192.168.4.51 is already blocked Ignoring
> Jul  8 09:48:09 pctest portsentry[14021]: attackalert: TCP FIN scan
> from host: 192.168.4.51/192.168.4.51 to TCP port: 465
> Jul  8 09:48:09 pctest portsentry[14021]: attackalert: Host:
> 192.168.4.51/192.168.4.51 is already blocked Ignoring
> Jul  8 10:02:12 pctest portsentry[14021]: attackalert:  TCP NULL scan
> from host: 192.168.4.51/192.168.4.51 to TCP port: 808
> Jul  8 10:02:12 pctest portsentry[14021]: attackalert: Host:
> 192.168.4.51/192.168.4.51 is already blocked Ignoring
> Jul  8 15:14:19 pctest portsentry[14021]: attackalert: TCP SYN/Normal
> scan from host: 192.168.4.52/192.168.4.52 to TCP port: 700
> Jul  8 15:14:19 pctest portsentry[14021]: attackalert: Host:
> 192.168.4.52/192.168.4.52 is already blocked Ignoring
> *******************************************************
>
> The decoders are like this:
> (I'm first trying to alert on TCP SYN/Normal scans, but once this one
> works I want to alert on all scans)
> *******************************************************
> <decoder name="portsentry">
>  <program_name>^portsentry</program_name>
> </decoder>
>
> <decoder name="portsentry-attackalert">
>   <parent>portsentry</parent>
>   <prematch>attackalert: TCP SYN/Normal scan from host: </prematch>
>   <regex offset="after_prematch">(\S+)/\S+ to (\S+) port: (\d+)$</regex>
>   <order>srcip,protocol,dstport</order>
> </decoder>
>
> <decoder name="portsentry-blocked">
>   <parent>portsentry</parent>
>   <prematch>is already blocked Ignoring$</prematch>
>   <regex>Host: (\S+)/\S+ is</regex>
>   <order>srcip</order>
> </decoder>
> *******************************************************
>
> The rules are like this:
> ********************************************************
> <group name="syslog,portsentry">
>  <rule id="160000" level="0" noalert="1">
>    <decoded_as>portsentry</decoded_as>
>    <description>Grouping for the PortSentry rules</description>
>  </rule>
>
>  <rule id="160002" level="0">
>    <if_sid>160000</if_sid>
>    <match>attackalert:</match>
>    <description>Connection from a host.</description>
>  </rule>
>
>  <rule id="160003" level="10" frequency="4" timeframe="180"
> ignore="60">
>    <if_matched_sid>160002</if_matched_sid>
>    <description>Repeated connections from the same host.</description>
>    <same_source_ip />
>    <group>recon,</group>
>  </rule>
>
>  <rule id="160004" level="0">
>    <if_sid>160000</if_sid>
>    <match>is already blocked Ignoring$</match>
>    <description>Host is still scanning.</description>
>  </rule>
>
>  <rule id="160005" level="10" frequency="6" timeframe="180"
> ignore="60">
>    <if_sid>160004</if_sid>
>    <if_matched_sid>160002</if_matched_sid>
>    <description>Repeated connections from a blocked host.</description>
>    <same_source_ip />
>    <group>recon,</group>
>  </rule>
> </group>
> ********************************************************
>
> Can anybody help me?
> What is wrong with my decoders and rules?
>
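As an added dry-run (not part of this thread, and not OSSEC's own code), the two child decoders from the reply can be checked against the log lines from the question before touching local_decoders.xml. The script below mimics OSSEC's flow (syslog header split, parent `program_name` match, child `prematch`, then `regex` with `offset="after_prematch"`) using Python's `re`, whose `\S`, `\d`, `^` and `$` mean the same as in OSSEC's regex; the sample lines are constructed from the post, and the third keeps the double space after "attackalert:" exactly as it appears there, so it shows which line the decoders would leave undecoded.

```python
import re

# Constructed sample lines, mirroring the portsentry messages in the question
# (the third keeps the double space after "attackalert:" exactly as posted).
SAMPLE_LOGS = [
    "Jul  8 09:47:11 pctest portsentry[14021]: attackalert: TCP XMAS scan from host: 192.168.4.51/192.168.4.51 to TCP port: 648",
    "Jul  8 09:47:11 pctest portsentry[14021]: attackalert: Host: 192.168.4.51/192.168.4.51 is already blocked Ignoring",
    "Jul  8 10:02:12 pctest portsentry[14021]: attackalert:  TCP NULL scan from host: 192.168.4.51/192.168.4.51 to TCP port: 808",
    "Jul  8 15:14:19 pctest portsentry[14021]: attackalert: TCP SYN/Normal scan from host: 192.168.4.52/192.168.4.52 to TCP port: 700",
]

# Syslog header as OSSEC's pre-decoding splits it: program name (and pid), then the message.
SYSLOG_HDR = re.compile(
    r"^\w{3} +\d+ \d\d:\d\d:\d\d \S+ (?P<program>[^\[:]+)(?:\[\d+\])?: (?P<msg>.*)$"
)

# The two child decoders from the reply, as (name, prematch, regex, order).
CHILD_DECODERS = [
    ("portsentry-scan", r"^attackalert: TCP ",
     r"scan from host: (\S+)/\S+ to \S+ port: (\d+)$", ("srcip", "dstport")),
    ("portsentry-host", r"^attackalert: Host: ",
     r"^(\S+)/\S+ ", ("srcip",)),
]


def decode(line):
    """Return (decoder name, extracted fields) for one log line, or None if
    the parent decoder <program_name>^portsentry</program_name> does not match."""
    hdr = SYSLOG_HDR.match(line)
    if not hdr or not hdr.group("program").startswith("portsentry"):
        return None
    msg = hdr.group("msg")  # what the child prematch/regex are run against
    for name, prematch, regex, order in CHILD_DECODERS:
        pm = re.search(prematch, msg)
        if not pm:
            continue
        m = re.search(regex, msg[pm.end():])  # offset="after_prematch"
        if m:
            return name, dict(zip(order, m.groups()))
    return "portsentry", {}  # parent matched, no child decoded any field


if __name__ == "__main__":
    for line in SAMPLE_LOGS:
        print(decode(line))
```

The third line only reaches the parent decoder, so no srcip is extracted from it and rules using `<same_source_ip />` would not count it; if that double space is real in the logs, the prematch needs to allow it.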
