Hello,
Thank you very much for your help and explanations! I've tried ossec-logtest, it's wonderful!
I think I haven't finished customizing the portsentry rules in my local rules yet, but now I have this in my decoders:
**********************************************
<!-- Parent decoder: matches on the syslog program name -->
<decoder name="portsentry">
  <program_name>^portsentry</program_name>
</decoder>

<!-- "attackalert: TCP SYN/Normal scan from host: A/B to PROTO port: N" -->
<decoder name="portsentry-attackalert">
  <parent>portsentry</parent>
  <prematch>attackalert: TCP SYN/Normal scan from host: </prematch>
  <regex offset="after_prematch">(\S+)/\S+ to (\S+) port: (\d+)$</regex>
  <order>srcip,protocol,dstport</order>
</decoder>

<!-- "... Host: A/B is already blocked Ignoring" -->
<decoder name="portsentry-blocked">
  <parent>portsentry</parent>
  <prematch>is already blocked Ignoring$</prematch>
  <regex>Host: (\S+)/\S+ is</regex>
  <order>srcip</order>
</decoder>

<!-- Any other "attackalert: ... scan from host: A/B to PROTO port: N" -->
<decoder name="portsentry-scan">
  <parent>portsentry</parent>
  <prematch>^attackalert: </prematch>
  <regex offset="after_prematch">scan from host: (\S+)/\S+ to \S+ port: (\d+)$</regex>
  <order>srcip,dstport</order>
</decoder>

<!-- "attackalert: Host: A/B ..." -->
<decoder name="portsentry-host">
  <parent>portsentry</parent>
  <prematch offset="after_parent">^attackalert: Host: </prematch>
  <regex offset="after_prematch">^(\S+)/\S+ </regex>
  <order>srcip</order>
</decoder>
*****************************************************************
And in my rules:
******************************************************************
<group name="syslog,portsentry,">
  <!-- Grouping rule: every line decoded as portsentry passes through here -->
  <rule id="160000" level="0" noalert="1">
    <decoded_as>portsentry</decoded_as>
    <description>Grouping for the PortSentry rules</description>
  </rule>

  <!-- One alert per attackalert line -->
  <rule id="160002" level="3">
    <if_sid>160000</if_sid>
    <match>attackalert:</match>
    <description>Connection from a host.</description>
  </rule>

  <!-- 4 attackalerts from the same source IP within 180 s -->
  <rule id="160003" level="8" frequency="4" timeframe="180" ignore="60">
    <if_matched_sid>160002</if_matched_sid>
    <description>Repeated connections from the same host.</description>
    <same_source_ip/>
    <group>recon,</group>
  </rule>

  <!-- 8 attackalerts from the same source IP within 180 s -->
  <rule id="160004" level="10" frequency="8" timeframe="180" ignore="60">
    <if_matched_sid>160002</if_matched_sid>
    <description>Host is still scanning</description>
    <same_source_ip/>
    <group>recon,</group>
  </rule>
</group>
*****************************************************************
And it works. I have alerts 160002, 160003 and 160004 in my ossec web interface.
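As an added illustration (not part of the message above and not OSSEC's own code), the following Python re-implements the portsentry-attackalert and portsentry-blocked decoders and the 160002/160003/160004 rule chain over constructed syslog lines, so you can see which probe trips level 8 and which trips level 10 without running ossec-logtest. The sample lines, the `fw` hostname and the simplified frequency/ignore bookkeeping are assumptions, not OSSEC's exact internals.

```python
import re
from collections import defaultdict
# Syslog header -> program name and message, as OSSEC's syslog decoder exposes them.
SYSLOG = re.compile(r"^\w{3} +\d+ \d\d:\d\d:\d\d \S+ (?P<prog>[^\[:]+)(?:\[\d+\])?: (?P<msg>.*)$")
# portsentry-attackalert and portsentry-blocked, prematch+regex joined, <order> as group names.
DECODERS = {
    "portsentry-attackalert": re.compile(
        r"attackalert: TCP SYN/Normal scan from host: (?P<srcip>\S+)/\S+"
        r" to (?P<protocol>\S+) port: (?P<dstport>\d+)$"),
    "portsentry-blocked": re.compile(r"Host: (?P<srcip>\S+)/\S+ is already blocked Ignoring$"),
}

def decode(line):
    """Return (decoder name, fields), or None if <program_name>^portsentry does not match."""
    head = SYSLOG.match(line)
    if not head or not head.group("prog").startswith("portsentry"):
        return None
    for name, pattern in DECODERS.items():
        if m := pattern.search(head.group("msg")):
            return name, m.groupdict()
    return "portsentry", {}  # only the parent decoder matched
def correlate(events, window=180, ignore=60):
    """Emulate rules 160002/160003/160004 over (seconds, syslog line) pairs. Assumed
    simplification: a frequency rule fires once `frequency` 160002 hits from one srcip
    fall inside `timeframe`, then ignores that srcip for `ignore` seconds."""
    hits, quiet_until, alerts = defaultdict(list), {}, []
    for ts, line in events:
        decoded = decode(line)
        if decoded is None or "attackalert:" not in line:
            continue  # rule 160002: decoded_as portsentry plus <match>attackalert:</match>
        ip = decoded[1].get("srcip")
        alerts.append((160002, 3, ip))
        if ip is None:
            continue  # <same_source_ip/> cannot count a line with no decoded srcip
        hits[ip] = [t for t in hits[ip] if ts - t <= window] + [ts]
        for rule_id, level, frequency in ((160004, 10, 8), (160003, 8, 4)):
            if len(hits[ip]) >= frequency and quiet_until.get((rule_id, ip), -1) <= ts:
                alerts.append((rule_id, level, ip))
                quiet_until[(rule_id, ip)] = ts + ignore
                break  # highest-level child of 160002 wins, as OSSEC orders rules by level
    return alerts
def syslog_line(ts, msg):  # constructed syslog line from portsentry, ts = seconds into the run
    return "Mar  1 12:%02d:%02d fw portsentry[123]: %s" % (divmod(ts, 60) + (msg,))
def sample_events():  # constructed: nine probes from one host within 80 s, then a second host
    scan = "attackalert: TCP SYN/Normal scan from host: %s/%s to TCP port: %d"
    ev = [(10 * i, syslog_line(10 * i, scan % ("10.0.0.5", "10.0.0.5", 20 + i))) for i in range(9)]
    ev += [(100 + i, syslog_line(100 + i, scan % ("10.0.0.9", "10.0.0.9", 22 + i))) for i in range(2)]
    ev.append((102, syslog_line(102, "attackalert: Host: 10.0.0.9/10.0.0.9 is already blocked Ignoring")))
    ev.append((103, syslog_line(103, "adminalert: PortSentry is now active and listening.")))
    return ev
```

Running `correlate(sample_events())` yields twelve 160002 alerts, one 160003 on the fourth probe from 10.0.0.5 and one 160004 on the eighth; the adminalert line is decoded by the parent decoder only and never reaches 160002.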