[ossec-list] Re: Portsentry decoders and rules issues

Mon, 11 Jul 2011 04:25:46 -0700 

Hello,

Thank you for your help. I've tried to add your decoders on the
decoder.xml files and it still doesn't work. Ossec doesn't log any
alerts about portsentry.

My decoder are now like this:
*******************************
<decoder name="portsentry">
 <program_name>^portsentry</program_name>
</decoder>

<decoder name="portsentry-attackalert">
   <parent>portsentry</parent>
   <prematch>attackalert: TCP SYN/Normal scan from host: </prematch>
   <regex offset="after_prematch">(\S+)/\S+ to (\S+) port: (\d+)$</
regex>
   <order>srcip,protocol,dstport</order>
</decoder>

<decoder name="portsentry-blocked">
   <parent>portsentry</parent>
   <prematch>is already blocked Ignoring$</prematch>
   <regex>Host: (\S+)/\S+ is</regex>
   <order>srcip</order>
</decoder>

<decoder name="portsentry-scan">
  <parent>portsentry</parent>
  <prematch>^attackalert: TCP </prematch>
  <regex offset="after_prematch">scan from host: (\S+)/\S+ to \S+
port: (\d+)$</regex>
  <order>srcip, dstport</order>
</decoder>

<decoder name="portsentry-host">
  <parent>portsentry</parent>
  <prematch offset="after_parent">^attackalert: Host: </prematch>
  <regex offset="after_prematch">^(\S+)/\S+ </regex>
  <order>srcip</order>
</decoder>
************************************************
And my rules are like this:
************************************************
<group name="syslog,portsentry,">
  <rule id="160000" level="0" noalert="1">
    <decoded_as>portsentry</decoded_as>
    <description>Grouping for the PortSentry rules</description>
  </rule>

  <rule id="160002" level="0">
    <if_sid>160000</if_sid>
    <match>attackalert:</match>
    <description>Connection from a host.</description>
  </rule>

  <rule id="160003" level="10" frequency="4" timeframe="180"
ignore="60">
    <if_matched_sid>160002</if_matched_sid>
    <description>Repeated connections from the same host.</
description>
    <same_source_ip/>
    <group>recon,</group>
  </rule>

  <rule id="160004" level="0">
    <if_sid>160000</if_sid>
    <match>is already blocked Ignoring$</match>
    <description>Host is still scanning.</description>
  </rule>

  <rule id="160005" level="10" frequency="6" timeframe="180"
ignore="60">
   <if_matched_sid>160004</if_matched_sid>
    <description>Repeated connections from a blocked host.</
description>
    <same_source_ip />
    <group>recon,</group>
  </rule>
</group>
********************************************************

Do you know what is wrong?
How can I know if it's a decoder issue, or a rule issue, or both?

Reply via email to