Hi Dan, many thanks for the link! That's exactly what I needed!

All the best,
Thomas

On Thursday, 18 September 2014 15:25:29 UTC+2, Thomas Vidal wrote:
>
> Dear all,
>
> I worked on MHN Honeypot and now I am able to log IPs in a specific log
> file, and by using OSSEC and active response ALL my servers are able to ban
> IPs coming to the honeypot (for the MHN script I wrote, see
> https://groups.google.com/d/msg/modern-honey-network/szahW2nS2UM/oQTmlaXbyTEJ
> ).
> So everything is working fine, but I want to improve it a little bit
> before sharing a kind of how-to on this... and so I need your insight!
>
> On the OSSEC server I created this decoder and these rules:
>
> *DECODER:*
> <decoder name="mhn">
>   <program_name>MHN</program_name>
>   <!-- <prematch>^MHN: New attack from </prematch>
>   <regex offset="after_prematch">SRC=(\S+) </regex>
>   <order>srcip</order> -->
>   <regex>from SRC=(\d+.\d+.\d+.\d+)</regex>
>   <order>srcip</order>
> </decoder>
>
> *RULES:*
> <rule id="100010" level="3">
>   <decoded_as>mhn</decoded_as>
>   <description>Parent rule for MHN detection and action</description>
> </rule>
> <rule id="100011" level="3" frequency="1" timeframe="3600" ignore="3600">
>   <if_matched_sid>100010</if_matched_sid>
>   <!-- count the matches per attacking IP, not across all attackers -->
>   <same_source_ip />
>   <description>This IP has been banned for some time...</description>
> </rule>
>
> *And OSSEC.CONF:*
> <active-response>
>   <command>host-deny</command>
>   <location>defined-agent</location>
>   <agent_id>xxx</agent_id>
>   <rules_id>100011</rules_id>
>   <timeout>3600</timeout>
> </active-response>
>
> As you can see this is not perfect, as I'm not sure I need 100011, for
> example!
>
> Anyway, the idea is to:
> 1) Alert all my agents (except the honeypot) immediately about a new
> attack, and add the IP to hosts.deny for X hours. Then during those X hours,
> don't alert the agents.
> 2) If an attack comes from an IP for the second time (after the X delay),
> ban the IP for Y hours (Y > X!)
> 3) If an attack comes from an IP for the third time (after the Y delay),
> ban the IP for Z hours or day(s)
>
> Is that possible???
>
> Many thanks for any idea or suggestion...
>
> All the best
>
> Thomas
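The escalating ban scheme the quoted post asks about (X hours on the first attack, Y on the second, Z on the third, with no re-alert while a ban is still active), as an added Python reference implementation that is not part of the original thread, of OSSEC, or of Thomas's MHN script. It shows the intended semantics on their own: the MHN log lines are constructed from the "MHN: New attack from SRC=" prefix the posted decoder expects (not real MHN output), the tier durations are hypothetical placeholders for X, Y and Z, and state is kept in memory rather than in OSSEC's rule engine. The one OSSEC fact it relies on is that the host-deny response writes an "ALL:<ip>" entry to /etc/hosts.deny.

```python
import re

# Constructed sample log, not real MHN output: (seconds since start, log line).
SAMPLE_EVENTS = [
    (0,     "Sep 18 15:25:29 mhn MHN: New attack from SRC=203.0.113.5 DPT=22"),
    (600,   "Sep 18 15:35:29 mhn MHN: New attack from SRC=203.0.113.5 DPT=23"),   # inside ban
    (900,   "Sep 18 15:40:29 mhn MHN: New attack from SRC=198.51.100.7 DPT=22"),
    (1200,  "Sep 18 15:45:29 mhn sshd[123]: Accepted publickey for ops"),         # not MHN
    (3600,  "Sep 18 16:25:29 mhn MHN: New attack from SRC=203.0.113.5 DPT=22"),   # first ban over
    (10800, "Sep 18 18:25:29 mhn MHN: New attack from SRC=203.0.113.5 DPT=22"),   # second ban over
]

# Python equivalent of the decoder's capture (OSSEC's own regex dialect differs).
MHN_SRC_RE = re.compile(r"MHN: New attack from SRC=(\d{1,3}(?:\.\d{1,3}){3})")


def parse_mhn_line(line):
    """Return the attacker IP from an MHN log line, or None for other lines."""
    m = MHN_SRC_RE.search(line)
    return m.group(1) if m else None


class EscalatingBanPolicy:
    """Per-IP escalation: the first offence gets tiers[0] seconds, the second
    tiers[1], the third and any later ones the last tier (hypothetical X, Y, Z).
    An attack that arrives while a ban is still active is suppressed: no new
    alert, the ban is unchanged, and it does not count as a new offence. This
    matches "during X hours don't alert the agents". Offence counts never
    decay here; add an expiry if old attackers should be forgiven.
    """

    def __init__(self, tiers=(3600, 7200, 86400)):
        if not tiers:
            raise ValueError("need at least one ban tier")
        self.tiers = tuple(tiers)
        self.state = {}  # ip -> {"offences": int, "ban_until": int}

    def record_attack(self, ip, now):
        """Return the ban length to apply for this attack, or None if suppressed."""
        st = self.state.get(ip)
        if st is not None and now < st["ban_until"]:
            return None
        offences = (st["offences"] if st else 0) + 1
        duration = self.tiers[min(offences, len(self.tiers)) - 1]
        self.state[ip] = {"offences": offences, "ban_until": now + duration}
        return duration

    def is_banned(self, ip, now):
        st = self.state.get(ip)
        return st is not None and now < st["ban_until"]


def hosts_deny_entry(ip):
    """The entry OSSEC's host-deny active response appends to /etc/hosts.deny."""
    return f"ALL:{ip}"


def process(events, policy):
    """Run (timestamp, line) events through the policy. Returns a list of
    (timestamp, ip, duration) for each new ban; suppressed repeats and
    non-MHN lines produce nothing."""
    bans = []
    for ts, line in events:
        ip = parse_mhn_line(line)
        if ip is None:
            continue
        duration = policy.record_attack(ip, ts)
        if duration is not None:
            bans.append((ts, ip, duration))
    return bans


def demo():
    """Replay the constructed sample and print the hosts.deny action per ban."""
    policy = EscalatingBanPolicy()
    bans = process(SAMPLE_EVENTS, policy)
    for ts, ip, duration in bans:
        print(f"t={ts:>6}s  {hosts_deny_entry(ip):<18} for {duration}s")
    return bans


if __name__ == "__main__":
    demo()
```

Replaying the sample gives four bans: 203.0.113.5 at t=0 for 3600 s, 198.51.100.7 at t=900 for 3600 s, 203.0.113.5 again at t=3600 for 7200 s (the ban expired exactly then, so the attack counts as the second offence), and a third time at t=10800 for 86400 s; the repeat at t=600 is silently dropped. The ban expiry is compared with a strict "now < ban_until", so an attack logged in the same second the ban ends already escalates.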
