Hello,
I've changed "strategy": the SEP 11 management console can log to an
external syslog server.
So on my syslog server I receive this kind of security log when I run
a port scan with nmap:
Aug 3 04:10:59 sep11srvtest sep11srvtest: testdev,"Somebody is scanning your computer. Your computer's TCP ports: 1350, 993, 85, 1995 and 1004 have been scanned from 192.168.25.10.",Local: 192.168.25.70,Local: 005056B60036,Remote: ,Remote: 192.168.25.10,Remote: 005056B60007,Inbound,TCP,,Begin: 2011-08-03 04:05:41,End: 2011-08-03 04:06:32,Occurrences: 1653,Application: ,Location: Default,User: test,Domain: TEST
So I've created a decoder:
<decoder name="symantec-EndpointProtection-SP">
  <program_name>sep11srvtest</program_name>
  <prematch>"Somebody is scanning your computer. Your computer's TCP ports: </prematch>
  <!-- \S+ would swallow the closing quote and the following ",Local:" text along
       with the address, so capture both addresses as dotted quads instead. -->
  <regex offset="after_prematch">(\d+), (\d+), (\d+), (\d+) and (\d+) have been scanned from (\d+.\d+.\d+.\d+).",Local: (\d+.\d+.\d+.\d+),</regex>
  <order>dstport,dstport,dstport,dstport,dstport,srcip,dstip</order>
</decoder>
And some rules:
<group name="symantecEP,">
  <rule id="100000" level="5">
    <decoded_as>symantec-EndpointProtection-SP</decoded_as>
    <description>Grouping of Symantec Endpoint Protection Rules.</description>
  </rule>

  <rule id="100001" level="5">
    <category>windows</category>
    <description>Grouping of Symantec EP rules from external syslog server</description>
  </rule>

  <!-- Chain only from the SEP decoder rule: 100001 matches every log of category
       "windows", so listing it here would turn any Windows event into a level 15
       scan alert. -->
  <rule id="100002" level="15">
    <if_sid>100000</if_sid>
    <group>recon</group>
    <description>Scan Port detected on a windows server.</description>
  </rule>
</group> <!-- symantec SEP11 -->
It's really not perfect and needs more "tuning", but it works: I
receive an email at each port scan on my Windows server.
On 2 Aug, 10:54, Blauch Armand <[email protected]> wrote:
> Hello,
>
> Thanks for your advice. Yes, I've restarted the manager's OSSEC
> processes after I added the <logall> option to the manager's
> ossec.conf. It's the same thing: no scan detection logs are sent
> to the manager.
>
> On 1 Aug, 23:45, "dan (ddp)" <[email protected]> wrote:
>
> > On Mon, Aug 1, 2011 at 4:15 AM, Blauch Armand <[email protected]> wrote:
> > > Hello,
>
> > > Thanks for your advice.
> > > The purpose of rule 100001 is to alert when there is a port scan
> > > detection on the host.
> > > I tried to activate the <logall> option, and my symantec logs don't
> > > arrive at the ossec server. I don't know why.
> > > In parallel I'm working on email alerts via symantec endpoint protection
> > > manager; maybe it's simpler than trying to read symantec non-conforming
> > > logs with ossec.
>
> > That's always an option.
>
> > Did you restart the manager's OSSEC processes after you added the
> > <logall> option to the manager's ossec.conf? You need to restart the
> > processes for the setting to take effect.
>
> > > On 29 Jul, 15:44, "dan (ddp)" <[email protected]> wrote:
> > >> On Thu, Jul 28, 2011 at 8:07 AM, Blauch Armand <[email protected]> wrote:
> > >> > Hello,
>
> > >> > I want to check a symantec end point protection log file without
> > >> > success.
>
> > >> > This file (seclog.log) is here:
> > >> > C:\Program Files (x86)\Symantec\Symantec Endpoint Protection\sec.log
>
> > >> > So, I first added these lines to the ossec.conf (on the agent):
> > >> > ***********************************************************
> > >> > <localfile>
> > >> > <location>C:\Program Files (x86)\Symantec\Symantec Endpoint Protection\seclog.log</location>
> > >> > <log_format>syslog</log_format>
> > >> > </localfile>
> > >> > ***********************************************************
>
> > >> > I've restarted the ossec service and given full control to all users on the
> > >> > file sec.log.
>
> > >> > I have these lines in the ossec.log on the agent:
> > >> > 2011/07/28 03:54:12 ossec-agent(1950): INFO: Analyzing file: 'C:\Program Files (x86)\Symantec\Symantec Endpoint Protection\seclog.log'.
> > >> > 2011/07/28 03:54:12 ossec-agent: INFO: Started (pid: 1308).
>
> > >> > On the ossec server, I've added a decoder:
> > >> > ********************************************************
> > >> > <decoder name="symantec-EndpointProtection-SP">
> > >> > <prematch>have been scanned from </prematch>
> > >> > <regex offset="after_prematch">(\S+)</regex>
> > >> > <order>srcip</order>
> > >> > </decoder>
> > >> > *********************************************************
>
> > >> > I've added 3 rules:
> > >> > *********************************************************
> > >> > <group name="symantecEP,">
> > >> > <rule id="100000" level="5">
> > >> > <decoded_as>symantec-EndpointProtection-SP</decoded_as>
> > >> > <description>Grouping of Symantec Endpoint Protection Rules.</description>
> > >> > </rule>
>
> > >> > <rule id="100001" level="5">
> > >> > <category>windows</category>
> > >> > <description>Grouping of Symantec EP rules from file sec.log.</description>
> > >> > </rule>
>
> > >> What's the purpose of rule 100001?
>
> > >> > <rule id="100002" level="15">
> > >> > <if_sid>100000, 100001</if_sid>
> > >> > <group>recon</group>
> > >> > <description>Scan Port detected.</description>
> > >> > </rule>
>
> > >> > </group> <!-- symantec -->
> > >> > *************************************************************
> > >> > I've restarted ossec service on the server.
>
> > >> > My seclog.log looks like this:
> > >> > *************************************************************
> > >> > 00000151 01cc4d09b71eCef1 000000ca 0000000b 460da2c0
> > >> > 451da2c0 00000002 00000000 00000001 01cc42095af2e918
> > >> > 01cc4d099113dfe8 000009c1 00000000 Somebody is scanning your
> > >> > computer.
> > >> > Your computer's TCP ports:
> > >> > 2068, 13705, 115, 83 and 1358 have been scanned from
> > >> > 192.168.25.69. PV¶ 6 PV¶ PV¶
> > >> > ø[ Default test DOMAIN
> > >> > 00000151 01cc4d14fdV17f78 000000ca 0000000b 460da2c0
> > >> > 450d28c0 00000002 00000000 00000001 01cc4d14af92e151
> > >> > 01cc4d14d682ae78 000004b7 00000000 Somebody is scanning your
> > >> > computer.
> > >> > Your computer's TCP ports:
> > >> > 9999, 39, 3001, 254 and 22273 have been scanned from
> > >> > 192.168.25.69. PV¶ 6 PV¶ PV¶
> > >> > ø[ Default test DOMAIN
> > >> > 00000151 01cc4d16b42e1e74 000000ca 0000000b 460d28c0
> > >> > 450da2c0 00000002 00000000 00000001 01cc4d16592a2768
> > >> > 01cc4d1690651668 00000800 00000000 Somebody is scanning your
> > >> > computer.
> > >> > Your computer's TCP ports:
> > >> > 627, 5432, 569, 1396 and 5901 have been scanned from
> > >> > 192.168.25.69. PV¶ 6 PV¶ PV¶
> > >> > ø[ Default test DOMAIN
> > >> > 00000152 01cc4d17156723e4 000000ca 0000000b 462da2c0
> > >> > 450da2c0 00000002 00000000 00000001 01cc4d16d0da2838
> > >> > 01cc4d16edefed08 0000027a 00000000 Somebody is scanning your
> > >> > computer.
> > >> > Your computer's TCP ports:
> > >> > 340, 487, 220, 4660 and 5803 have been scanned from
> > >> > 192.168.25.69. PV¶ 6 PV¶ PV¶
> > >> > ø[ Default test DOMAIN
> > >> > **************************************************************
>
> > >> Unfortunately, due to line wrapping I'm not sure where the logs begin and
> > >> end.
>
> > >> > And ossec-logtest is ok for this kind of line: "340, 487, 220, 4660
> > >> > and 5803 have been scanned from 192.168.25.69."
>
> > >> > Does anyone have an idea about my issue? How can I check that the ossec
> > >> > server has the information from the seclog.log?
>
> > >> What is your issue?
> > >> If you want to make sure the logs are making it to the manager, turn
> > >> the <logall> option on. You can then check
> > >> /var/ossec/logs/archives/archives.log to see what log messages are
> > >> being processed. http://www.ossec.net/doc/syntax/head_ossec_config.reports.html#elemen...
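As an added editorial example (not code from any participant in this thread), here is a Python parser for the SEP 11 syslog record shown in the top post. It demonstrates why a `(\S+) (\S+)` capture after "scanned from", as in the decoder posted there, picks up the closing quote and `,Local:` along with the address, and it extracts the fields a rule would act on (scanned ports, scanner IP, local IP, occurrences, user) with a CSV-aware split, since the quoted message field itself contains commas. The sample line is constructed from the one quoted in the top post; the function and field names are my own choices.

```python
import csv
import re
from io import StringIO

# Constructed sample: the syslog record quoted in the top post, re-joined on one line.
SAMPLE = ('Aug 3 04:10:59 sep11srvtest sep11srvtest: testdev,"Somebody is '
          "scanning your computer. Your computer's TCP ports: 1350, 993, 85, "
          '1995 and 1004 have been scanned from 192.168.25.10.",Local: '
          '192.168.25.70,Local: 005056B60036,Remote: ,Remote: 192.168.25.10,'
          'Remote: 005056B60007,Inbound,TCP,,Begin: 2011-08-03 04:05:41,'
          'End: 2011-08-03 04:06:32,Occurrences: 1653,Application: ,'
          'Location: Default,User: test,Domain: TEST')

SYSLOG_HDR = re.compile(r'^\w{3} +\d+ \d\d:\d\d:\d\d (?P<host>\S+) (?P<prog>\S+): (?P<body>.*)$')
SCAN_MSG = re.compile(r"TCP ports: (?P<ports>[\d, ]+ and \d+) have been scanned "
                      r"from (?P<scanner>\d{1,3}(?:\.\d{1,3}){3})\.$")
IPV4 = re.compile(r'^\d{1,3}(?:\.\d{1,3}){3}$')

def naive_capture(line):
    # Emulates the decoder's '... scanned from (\S+) (\S+)': \S+ runs on past the
    # closing quote and ',Local:' because nothing in there is whitespace.
    m = re.search(r'have been scanned from (\S+) (\S+)', line)
    return m.groups() if m else None

def parse_sep_scan(line):
    """Parse one SEP 11 'Somebody is scanning your computer' syslog record into
    the fields an OSSEC rule would use, or return None if it is not one."""
    hdr = SYSLOG_HDR.match(line)
    if not hdr:
        return None
    # The body is CSV and the quoted message field itself contains commas
    # (the port list), so split it with a CSV reader, not str.split(',').
    fields = next(csv.reader(StringIO(hdr.group('body'))))
    if len(fields) < 17:
        return None
    msg = SCAN_MSG.search(fields[1])
    if not msg:
        return None
    value = lambda f: f.split(': ', 1)[1]          # "Label: value" -> value
    rec = {'device': fields[0], 'srcip': msg.group('scanner'),
           'dstports': [int(p) for p in re.findall(r'\d+', msg.group('ports'))],
           'dstip': value(fields[2]), 'direction': fields[7], 'protocol': fields[8],
           'occurrences': int(value(fields[12])),
           'user': value(fields[15]), 'domain': value(fields[16])}
    # The address named in the text must be a real dotted quad and agree with the
    # structured "Remote: <ip>" field; a mismatch means the message was mangled.
    if not IPV4.match(rec['srcip']) or rec['srcip'] != value(fields[5]):
        return None
    return rec
```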