Hi dan,

Many thanks for the link ! That's exactly what I needed !

All the best

Thomas



Le jeudi 18 septembre 2014 15:25:29 UTC+2, Thomas Vidal a écrit :
>
> Dear all,
>
> I worked on MHN Honeypot and now I am able to log IP in a specific log 
> file and by using OSSEC and active respons ALL my servers are able to ban 
> IPs coming on the honeypot (for MHN script I wrote : 
> https://groups.google.com/d/msg/modern-honey-network/szahW2nS2UM/oQTmlaXbyTEJ
> ).
> So everything is working fine, but I want to improve it a little bit 
> before sharing a kind of how to on this.... and so I need your light ! :
>
> On OSSEC server I created this decoder and rules :
>
> *DECODER :*
> <decoder name="mhn">
>     <program_name>MHN</program_name>
>     <!-- <prematch>^MHN: New attack from </prematch>
>     <regex offset="after_prematch">SRC=(\S+) </regex>
>     <order>srcip</order>-->
>     <regex>from SRC=(\d+.\d+.\d+.\d+)</regex>
>     <order>srcip</order>
> </decoder>
>
> *RULES :*
>   <rule id="100010" level="3">
>     <decoded_as>mhn</decoded_as>
>     <description>Parent rule for MHN detection and action</description>
>   </rule>
>   <rule id="100011" level="3" frequency="1" timeframe="3600" ignore="3600"
> >
>     <if_matched_sid>100010</if_matched_sid>
>     <description>This IP has been banned for some time...</description>
>   </rule>
>
> *And OSSEC.CONF :*
>   <active-response>
>     <command>host-deny</command>
>     <location>defined-agent</location>
>     <agent_id>xxx</agent_id>
>     <rules_id>100011</rules_id>
>     <timeout>3600</timeout>
>   </active-response>
>
> As you can see this is not perfect as I'm not sure I need 100011 for 
> example !
>
> Anyway, the idea is to :
> 1°) Alert immediatly all my agents (except the Honeypot) about a new 
> attack, and add the IP in hosts.deny for X hours. Then during X hours don't 
> alert the agents.
> 2°) If an attack comes from an IP for the second time (after the X delay) 
> ban the IP for Y hours (Y > X !)
> 3°) if an attack comes from an IP for the third time (after Y delay) ban 
> the IP for Z hours or day(s)
>
> Is that possible ???
>
> Many thanks for any idea or suggestion...
>
> All the best
>
> Thomas
>
>
>
>
>
>
>

-- 

--- 
You received this message because you are subscribed to the Google Groups 
"ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to [email protected].
For more options, visit https://groups.google.com/d/optout.

Reply via email to