Hi Blauch,

On Mon, Jul 11, 2011 at 4:55 AM, Blauch Armand <[email protected]> wrote:
> Hello,
>
> Thank you for your help. I've tried to add your decoders on the
> decoder.xml files and it still doesn't work. Ossec doesn't log any
> alerts about portsentry.
>

Use ossec-logtest to check your rules and decoders.

> My decoders are now like this:
> *******************************
> <decoder name="portsentry">
> <program_name>^portsentry</program_name>
> </decoder>
>
> <decoder name="portsentry-attackalert">
> <parent>portsentry</parent>
> <prematch>attackalert: TCP SYN/Normal scan from host: </prematch>
> <regex offset="after_prematch">(\S+)/\S+ to (\S+) port: (\d+)$</regex>
> <order>srcip,protocol,dstport</order>
> </decoder>
>
> <decoder name="portsentry-blocked">
> <parent>portsentry</parent>
> <prematch>is already blocked Ignoring$</prematch>
> <regex>Host: (\S+)/\S+ is</regex>
> <order>srcip</order>
> </decoder>
>
> <decoder name="portsentry-scan">
> <parent>portsentry</parent>
> <prematch>^attackalert: TCP </prematch>
> <regex offset="after_prematch">scan from host: (\S+)/\S+ to \S+ port: (\d+)$</regex>
> <order>srcip, dstport</order>
> </decoder>
>
> <decoder name="portsentry-host">
> <parent>portsentry</parent>
> <prematch offset="after_parent">^attackalert: Host: </prematch>
> <regex offset="after_prematch">^(\S+)/\S+ </regex>
> <order>srcip</order>
> </decoder>
> ************************************************
> And my rules are like this:
> ************************************************
> <group name="syslog,portsentry,">
> <rule id="160000" level="0" noalert="1">
> <decoded_as>portsentry</decoded_as>
> <description>Grouping for the PortSentry rules</description>
> </rule>
>
> <rule id="160002" level="0">
> <if_sid>160000</if_sid>
> <match>attackalert:</match>
> <description>Connection from a host.</description>
> </rule>
>

Unless the following rules include <if_sid>160002</if_sid>, this will be
the only rule alerting anything including "attackalert:" in the message.
In fact, all of the log messages you sent previously are recorded as
160002 events.

> <rule id="160003" level="10" frequency="4" timeframe="180" ignore="60">
> <if_matched_sid>160002</if_matched_sid>
> <description>Repeated connections from the same host.</description>
> <same_source_ip/>
> <group>recon,</group>
> </rule>
>

This will require 6 events from the same IP within 3 minutes.

> <rule id="160004" level="0">
> <if_sid>160000</if_sid>
> <match>is already blocked Ignoring$</match>
> <description>Host is still scanning.</description>
> </rule>
>

This alert won't be triggered because of 160002.

> <rule id="160005" level="10" frequency="6" timeframe="180" ignore="60">
> <if_matched_sid>160004</if_matched_sid>
> <description>Repeated connections from a blocked host.</description>
> <same_source_ip />
> <group>recon,</group>
> </rule>
> </group>
> ********************************************************
>
> Do you know what is wrong?
> How can I know if it's a decoder issue, or a rule issue, or both?
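To make the rule-ordering point concrete, here is a small Python model of how the posted PortSentry decoders and rules get walked. It is an added example, not OSSEC source and not Blauch's configuration: it re-implements only the portsentry-attackalert and portsentry-blocked decoders in Python regex, tries sibling rules first-match-wins in file order and then descends into <if_sid> children, counts frequency the way the reply does (six events for frequency="4", i.e. frequency + 2, taken here as an assumption), and feeds in constructed syslog lines. With the rules as posted, the "already blocked" line lands on 160002; once 160004 is chained under 160002 with <if_sid>, the same line lands on 160004.

```python
"""Toy model of how OSSEC walks the PortSentry decoders and rules posted in
the thread (added example, not OSSEC source; the log lines are constructed)."""
import re
from collections import defaultdict

# Constructed PortSentry syslog lines: six scan hits from one host within
# 25 seconds, then the message PortSentry logs once that host is blocked.
SAMPLE_LOGS = [
    f"Jul 11 04:55:{10 + 5 * i:02d} gw portsentry[1234]: attackalert: TCP SYN/Normal "
    f"scan from host: 10.0.0.5/10.0.0.5 to TCP port: {port}"
    for i, port in enumerate([22, 23, 25, 80, 110, 143])
] + [
    "Jul 11 04:55:45 gw portsentry[1234]: attackalert: Host: 10.0.0.5/10.0.0.5 "
    "is already blocked Ignoring"
]

# Minimal syslog header parser standing in for OSSEC's program_name extraction.
SYSLOG_RE = re.compile(
    r"^\w{3} +\d+ (?P<time>\d\d:\d\d:\d\d) \S+ (?P<prog>[^\[: ]+)(?:\[\d+\])?: (?P<msg>.*)$")

# Two of the thread's child decoders, translated to Python re:
# (name, prematch, regex, regex applied after the prematch?, <order> fields)
CHILD_DECODERS = [
    ("portsentry-attackalert", r"attackalert: TCP SYN/Normal scan from host: ",
     r"(\S+)/\S+ to (\S+) port: (\d+)$", True, ["srcip", "protocol", "dstport"]),
    ("portsentry-blocked", r"is already blocked Ignoring$",
     r"Host: (\S+)/\S+ is", False, ["srcip"]),
]

# The rule set from the thread, as dicts (composite rules carry if_matched_sid).
RULES = [
    {"id": 160000, "level": 0, "decoded_as": "portsentry"},
    {"id": 160002, "level": 0, "if_sid": 160000, "match": "attackalert:"},
    {"id": 160003, "level": 10, "if_matched_sid": 160002, "frequency": 4,
     "timeframe": 180, "same_source_ip": True},
    {"id": 160004, "level": 0, "if_sid": 160000, "match": "is already blocked Ignoring$"},
    {"id": 160005, "level": 10, "if_matched_sid": 160004, "frequency": 6,
     "timeframe": 180, "same_source_ip": True},
]


def decode(line):
    """Return the decoded event (dict) or None if the line is not PortSentry."""
    m = SYSLOG_RE.match(line)
    if not m or not m.group("prog").startswith("portsentry"):
        return None
    msg = m.group("msg")
    h, mi, s = (int(x) for x in m.group("time").split(":"))
    ev = {"decoder": "portsentry", "parent": "portsentry", "msg": msg,
          "ts": h * 3600 + mi * 60 + s}
    for name, prematch, regex, after_prematch, order in CHILD_DECODERS:
        pm = re.search(prematch, msg)
        if pm is None:
            continue
        # The first child whose <prematch> hits is the one used.
        ev["decoder"] = name
        rm = re.search(regex, msg[pm.end():] if after_prematch else msg)
        if rm:
            ev.update(zip(order, rm.groups()))
        break
    return ev


def _match_text(pattern, msg):
    """OSSEC <match>: plain substring, with a trailing $ anchoring the end."""
    return msg.endswith(pattern[:-1]) if pattern.endswith("$") else pattern in msg


def _rule_matches(rule, ev):
    if "decoded_as" in rule and rule["decoded_as"] not in (ev["decoder"], ev["parent"]):
        return False
    return "match" not in rule or _match_text(rule["match"], ev["msg"])


def match_rule(rules, ev):
    """Id of the most specific matching rule: siblings are tried in file order
    and the first hit wins, then its <if_sid> children are tried the same way."""
    def walk(parent):
        for r in rules:
            if "if_matched_sid" in r or r.get("if_sid") != parent:
                continue
            if _rule_matches(r, ev):
                child = walk(r["id"])
                return r["id"] if child is None else child
        return None
    return walk(None)


def run(lines, rules):
    """Per line, the list of rule ids that matched (level 0 included, since a
    level-0 match is still what ossec-logtest reports)."""
    history = defaultdict(list)   # (composite rule id, srcip) -> timestamps
    out = []
    for line in lines:
        ev = decode(line)
        fired = match_rule(rules, ev) if ev else None
        hits = [] if fired is None else [fired]
        for r in rules:
            if fired is None or r.get("if_matched_sid") != fired:
                continue
            key = (r["id"], ev.get("srcip") if r.get("same_source_ip") else None)
            seen = [t for t in history[key] if ev["ts"] - t <= r["timeframe"]] + [ev["ts"]]
            # Threshold modelled on the reply's count (6 events for frequency=4):
            # frequency + 2 is an assumption, not taken from OSSEC source.
            if len(seen) >= r["frequency"] + 2:
                hits.append(r["id"])
                seen = []
            history[key] = seen
        out.append(hits)
    return out


def chained_rules():
    """Same rules, but 160004 hangs under 160002 via <if_sid> as the reply suggests."""
    fixed = [dict(r) for r in RULES]
    for r in fixed:
        if r["id"] == 160004:
            r["if_sid"] = 160002
    return fixed


if __name__ == "__main__":
    for label, rules in (("as posted", RULES), ("160004 chained under 160002", chained_rules())):
        print(label)
        for line, hits in zip(SAMPLE_LOGS, run(SAMPLE_LOGS, rules)):
            print(f"  {hits} <- {line.split(': ', 1)[1]}")
```

The model only illustrates why the two level-0 siblings shadow each other and what the <if_sid> chain changes; ossec-logtest against the real decoder.xml and rules files remains the authoritative check.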
