Hello everyone, my first post here and sharing this idea!

I am looking at this tool maltrail --> https://github.com/stamparm/maltrail and I think it will integrate with OSSEC!

Logs of maltrail:

tail -n 10 /var/log/maltrail/2016-01-19.log
"2016-01-19 17:10:36.993361" my.host.666 84.74.125.85 44909 0.0.0.0 51103 TCP IP 84.74.125.85 "tor exit node (suspicious)" "blutmagie.de (+binarydefense.com)"
"2016-01-19 17:10:37.029597" my.host.666 84.74.125.85 44909 0.0.0.0 51103 TCP IP 84.74.125.85 "tor exit node (suspicious)" "blutmagie.de (+binarydefense.com)"
"2016-01-19 17:11:58.084216" my.host.666 84.74.125.85 34646 0.0.0.0 51103 TCP IP 84.74.125.85 "tor exit node (suspicious)" "blutmagie.de (+binarydefense.com)"
"2016-01-19 17:11:58.051196" my.host.666 84.74.125.85 34646 0.0.0.0 51103 TCP IP 84.74.125.85 "tor exit node (suspicious)" "blutmagie.de (+binarydefense.com)"

ossec.conf

<localfile>
  <!-- OSSEC expands strftime patterns, so the daily maltrail file is picked up -->
  <location>/var/log/maltrail/%Y-%m-%d.log</location>
  <log_format>syslog</log_format>
</localfile>

decoders.xml

<decoder name="maltrail">
  <!-- matches the quoted timestamp that starts every maltrail line -->
  <prematch>^"\d+-\d+-\d+ \d+:\d+:\d+.\d+"</prematch>
</decoder>

<decoder name="maltrail-alert">
  <parent>maltrail</parent>
  <!-- maltrail column order after the timestamp:
         sensor src_ip src_port dst_ip dst_port proto type trail info reference
       In OSSEC regex "." is a literal dot, so \d+.\d+.\d+.\d+ matches an IPv4 address.
       The sensor name is matched with \S+ instead of a hard-coded host, and only
       IP-type trails (the "IP" column in the sample lines) are decoded here. -->
  <regex offset="after_parent">^ \S+ (\d+.\d+.\d+.\d+) (\d+) (\d+.\d+.\d+.\d+) (\d+) (\w+) IP (\d+.\d+.\d+.\d+)</regex>
  <!-- the trail IP goes into extra_data; srcip/dstip keep the real connection endpoints -->
  <order>srcip, srcport, dstip, dstport, protocol, extra_data</order>
</decoder>

local_rules.xml

<group name="syslog,maltrail,">
  <rule id="110000" level="0">
    <decoded_as>maltrail</decoded_as>
    <description>MALTRAIL KILLALL MDF app group.</description>
  </rule>

  <rule id="110001" level="7">
    <if_sid>110000</if_sid>
    <!-- 0.0.0.0 is the destination column in these lines, so the check is on dstip, not srcip -->
    <dstip>0.0.0.0</dstip>
    <match>attack</match>
    <description>Possible attack from fucking ips!?</description>
  </rule>
</group>

Ideas or suggestions? Thanks for reading!

--
You received this message because you are subscribed to the Google Groups "ossec-list" group.
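An added offline check (my own example, not code from the post, maltrail or OSSEC) that mirrors the decoder's column order in a Python regex and the two local rules' logic, so the expected fields can be eyeballed before feeding lines to ossec-logtest; the second and third sample lines are constructed, as is the "(constructed)" reference text.

```python
import re

# Python equivalent of the maltrail-alert decoder. Dialect difference: in OSSEC
# regex "." is a literal dot and "\." means any character, so the OSSEC group
# (\d+.\d+.\d+.\d+) is written (\d+\.\d+\.\d+\.\d+) here.
DECODER = re.compile(
    r'^"(?P<time>\d+-\d+-\d+ \d+:\d+:\d+\.\d+)" \S+ '
    r'(?P<srcip>\d+\.\d+\.\d+\.\d+) (?P<srcport>\d+) '
    r'(?P<dstip>\d+\.\d+\.\d+\.\d+) (?P<dstport>\d+) '
    r'(?P<protocol>\w+) IP (?P<extra_data>\d+\.\d+\.\d+\.\d+) '
    r'"(?P<info>[^"]*)" "(?P<reference>[^"]*)"$'
)


def decode(line):
    """Fields the OSSEC <order> would expose (plus info/reference), or None if no match."""
    m = DECODER.match(line)
    return m.groupdict() if m else None


def rule_level(line):
    """Emulate rule 110000 (level 0, any decoded maltrail line) and rule 110001
    (level 7: dstip is 0.0.0.0 and the raw line contains 'attack')."""
    fields = decode(line)
    if fields is None:
        return None          # not decoded as maltrail: neither rule applies
    if fields["dstip"] == "0.0.0.0" and "attack" in line:
        return 7
    return 0


# Sample input: line 0 is from the post; lines 1 and 2 are constructed with
# TEST-NET addresses ("known attacker" is one of maltrail's info strings).
SAMPLE = [
    '"2016-01-19 17:10:36.993361" my.host.666 84.74.125.85 44909 0.0.0.0 51103 TCP IP '
    '84.74.125.85 "tor exit node (suspicious)" "blutmagie.de (+binarydefense.com)"',
    '"2016-01-19 17:12:00.000000" my.host.666 198.51.100.7 40000 0.0.0.0 51103 TCP IP '
    '198.51.100.7 "known attacker" "(constructed)"',
    # a DNS-type trail: the decoder above only handles the IP type, so this is skipped
    '"2016-01-19 17:13:00.000000" my.host.666 203.0.113.9 53001 0.0.0.0 53 UDP DNS '
    'evil.example "malware" "(constructed)"',
]

if __name__ == "__main__":
    for line in SAMPLE:
        print(rule_level(line), decode(line))
```

Only the IP-type line with "attack" in its info reaches level 7; the DNS-type line is never decoded, which is the gap a second child decoder would have to cover.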
