[ossec-list] Rules for Honeypot

Thu, 18 Sep 2014 06:27:43 -0700 

Dear all,

I worked on MHN Honeypot and now I am able to log IP in a specific log file 
and by using OSSEC and active respons ALL my servers are able to ban IPs 
coming on the honeypot (for MHN script I wrote 
: 
https://groups.google.com/d/msg/modern-honey-network/szahW2nS2UM/oQTmlaXbyTEJ).
So everything is working fine, but I want to improve it a little bit before 
sharing a kind of how to on this.... and so I need your light ! :

On OSSEC server I created this decoder and rules :

*DECODER :*
<decoder name="mhn">
    <program_name>MHN</program_name>
    <!-- <prematch>^MHN: New attack from </prematch>
    <regex offset="after_prematch">SRC=(\S+) </regex>
    <order>srcip</order>-->
    <regex>from SRC=(\d+.\d+.\d+.\d+)</regex>
    <order>srcip</order>
</decoder>

*RULES :*
  <rule id="100010" level="3">
    <decoded_as>mhn</decoded_as>
    <description>Parent rule for MHN detection and action</description>
  </rule>
  <rule id="100011" level="3" frequency="1" timeframe="3600" ignore="3600">
    <if_matched_sid>100010</if_matched_sid>
    <description>This IP has been banned for some time...</description>
  </rule>

*And OSSEC.CONF :*
  <active-response>
    <command>host-deny</command>
    <location>defined-agent</location>
    <agent_id>xxx</agent_id>
    <rules_id>100011</rules_id>
    <timeout>3600</timeout>
  </active-response>

As you can see this is not perfect as I'm not sure I need 100011 for 
example !

Anyway, the idea is to :
1°) Alert immediatly all my agents (except the Honeypot) about a new 
attack, and add the IP in hosts.deny for X hours. Then during X hours don't 
alert the agents.
2°) If an attack comes from an IP for the second time (after the X delay) 
ban the IP for Y hours (Y > X !)
3°) if an attack comes from an IP for the third time (after Y delay) ban 
the IP for Z hours or day(s)

Is that possible ???

Many thanks for any idea or suggestion...

All the best

Thomas






-- 

--- 
You received this message because you are subscribed to the Google Groups 
"ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to [email protected].
For more options, visit https://groups.google.com/d/optout.

Reply via email to