Is it possible to have OSSEC monitor Snort logs for certain SIDs and then
trigger the active response on all agents when the event occurs?

Looking at reacting to Nmap- and Nessus-type scans on my internal network.


I guess I would have to monitor the Security Onion server's Snort log for
the SIDs of port scans.

On the Security Onion server I have /etc/nsm/rules/local.rules:


# look for stealth port scans/sweeps
alert tcp any any -> any any (msg:"SYN FIN Scan"; flags: SF;sid:9000000;)
alert tcp any any -> any any (msg:"FIN Scan"; flags: F;sid:9000001;)
alert tcp any any -> any any (msg:"NULL Scan"; flags: 0;sid:9000002;)
alert tcp any any -> any any (msg:"XMAS Scan"; flags: FPU;sid:9000003;)
alert tcp any any -> any any (msg:"Full XMAS Scan"; flags: SRAFPU;sid:9000004;)
alert tcp any any -> any any (msg:"URG Scan"; flags: U;sid:9000005;)
alert tcp any any -> any any (msg:"URG FIN Scan"; flags: FU;sid:9000006;)
alert tcp any any -> any any (msg:"PUSH FIN Scan"; flags: FP;sid:9000007;)
alert tcp any any -> any any (msg:"URG PUSH Scan"; flags: PU;sid:9000008;)
alert tcp any any -> any any (flags: A; ack: 0; msg:"NMAP TCP ping!";sid:9000009;)




How would one write the local rules on the OSSEC server to trigger the
active response route-null function on agents?


1. Snort sees port scans and writes an alert to the log.
2. OSSEC sees Snort's port scan alerts in the log and triggers route-null on
all agents.

Is there a guide to setting something like this up?

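One way to wire up the two steps above, as an added example that is not part of the original post and is not taken from the OSSEC or Security Onion projects: an ossec.conf fragment for the agent that can read the Snort fast-format alert file, a local_rules.xml rule that fires only on the port-scan SIDs from local.rules, and an active-response stanza that runs route-null on every agent. The alert file path, the local rule id 100200 and the 600-second timeout are assumptions. The stock "IDS event" rule 20101 (child of 20100) and the route-null command come from OSSEC's shipped ruleset and default ossec.conf; the snort-fast decoder stores the bracketed gid:sid:rev triple as the decoded id field, which is why the match below anchors on 1:900000 rather than on the bare SID. Confirm both against your installed version with ossec-logtest before relying on them.

```xml
<!-- 1. ossec.conf on the agent that reads the Snort alert file (the OSSEC
        agent on the Security Onion box). The path is an assumption; point it
        at the fast-format alert file your sensor actually writes. -->
<ossec_config>
  <localfile>
    <log_format>snort-fast</log_format>
    <location>/var/log/snort/alert</location>
  </localfile>
</ossec_config>

<!-- 2. /var/ossec/rules/local_rules.xml on the OSSEC server.
        Rule 100200 (an id chosen here, not a stock id) is a child of the stock
        "IDS event" rule 20101, so it only inspects events the snort-fast
        decoder already parsed. <id> is matched against the decoded
        gid:sid:rev string, so the anchored prefix ^1:900000 covers
        sids 9000000-9000009 from local.rules (and nothing from other
        generators). Level 10 keeps it above the default alert threshold. -->
<group name="local,ids,">
  <rule id="100200" level="10">
    <if_sid>20101</if_sid>
    <id>^1:900000</id>
    <description>Snort port-scan signature from local.rules; blackhole source on all agents.</description>
  </rule>
</group>

<!-- 3. ossec.conf on the OSSEC server: run route-null against the decoded
        srcip on every agent when rule 100200 fires, and remove the null route
        again after 600 s (the timeout value is an assumption). -->
<ossec_config>
  <command>
    <name>route-null</name>
    <executable>route-null.sh</executable>
    <expect>srcip</expect>
    <timeout_allowed>yes</timeout_allowed>
  </command>
  <active-response>
    <command>route-null</command>
    <location>all</location>
    <rules_id>100200</rules_id>
    <timeout>600</timeout>
  </active-response>
</ossec_config>

<!-- Constructed fast-format alert line (not real traffic) to paste into
        /var/ossec/bin/ossec-logtest on the server; it should decode with
        id 1:9000002:0, srcip 10.0.0.5, and report rule 100200 as the match:
        04/27-10:52:49.123456  [**] [1:9000002:0] NULL Scan [**] [Priority: 0] {TCP} 10.0.0.5:40000 -> 10.0.0.10:22
-->
```

Two caveats before turning this on: route-null blackholes whatever srcip the decoder extracted, so put your own Nessus and Nmap hosts (and the OSSEC server) in the `<white_list>` under `<global>` in ossec.conf, or the first authorised scan will cut every agent off from the scanner; and because `<location>all</location>` pushes the response to every agent, test first with `<location>defined-agent</location>` plus an `<agent_id>` for one expendable host, and keep the `<timeout>` so a false positive undoes itself.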