That seems doable yes. I haven't seen that done before, but theoretically
should work.

On Tue, May 10, 2016 at 1:35 PM, Jacob Mcgrath <[email protected]>
wrote:

> Is it possible to have OSSEC monitor Snort logs for certain SIDs and then
> trigger the active response on all agents when the event occurs?
>
> Looking at reacting to Nmap- and Nessus-type scans on my internal network.
>
>
> I guess I would have to monitor the Security Onion server's Snort log for
> SIDs for port scans.
>
> In the Security Onion server I have /etc/nsm/rules/local.rules
>
>
> # look for stealth port scans/sweeps
> alert tcp any any -> any any (msg:"SYN FIN Scan"; flags:SF; sid:9000000;)
> alert tcp any any -> any any (msg:"FIN Scan"; flags:F; sid:9000001;)
> alert tcp any any -> any any (msg:"NULL Scan"; flags:0; sid:9000002;)
> alert tcp any any -> any any (msg:"XMAS Scan"; flags:FPU; sid:9000003;)
> alert tcp any any -> any any (msg:"Full XMAS Scan"; flags:SRAFPU; sid:9000004;)
> alert tcp any any -> any any (msg:"URG Scan"; flags:U; sid:9000005;)
> alert tcp any any -> any any (msg:"URG FIN Scan"; flags:FU; sid:9000006;)
> alert tcp any any -> any any (msg:"PUSH FIN Scan"; flags:FP; sid:9000007;)
> alert tcp any any -> any any (msg:"URG PUSH Scan"; flags:PU; sid:9000008;)
> alert tcp any any -> any any (msg:"NMAP TCP ping!"; flags:A; ack:0; sid:9000009;)
>
>
>
>
> How would one write the local.rules for the OSSEC server to trigger the
> active response route-null function on agents?
>
>
> 1. Snort sees port scans and writes an alert to the log.
> 2. OSSEC sees Snort's port scan alerts in the log and triggers route-null on
> all agents.
>
> Is there a guide to setting something like this up?
>
> --
>
> ---
> You received this message because you are subscribed to the Google Groups
> "ossec-list" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to [email protected].
> For more options, visit https://groups.google.com/d/optout.
>

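The pipeline asked about above (Snort alert log read by an OSSEC agent, a server-side rule keyed on the local SIDs, route-null pushed to every agent), written out as an added configuration example. This is not configuration from the thread or from the OSSEC or Security Onion projects. It assumes OSSEC's stock snort-fast decoder, which fills the `id` field with the gid:sid:rev triple from a fast-format alert line and is grouped under rule 20101 ("IDS event") in ids_rules.xml; the alert file path, the local rule id 100100, and the white-listed address 10.0.0.5 are placeholders.

```xml
<!-- (1) ossec.conf on the Security Onion agent: read Snort's text (fast-format)
     alert log. OSSEC's decoders parse text alerts, not unified2, so the sensor
     must write a fast-format file. The path is a placeholder. -->
<ossec_config>
  <localfile>
    <log_format>snort-fast</log_format>
    <location>/path/to/snort/alert</location>
  </localfile>
</ossec_config>

<!-- (2) local_rules.xml on the OSSEC server. Rule 100100 fires only for the
     ten port-scan signatures 9000000-9000009 defined in local.rules.
     Assumption: the snort-fast decoder yields id="1:9000003:0" style values
     and is a child of the stock "IDS event" rule 20101. -->
<group name="local,ids,">
  <rule id="100100" level="10">
    <if_sid>20101</if_sid>
    <id>^1:900000\d:</id>
    <description>Snort local port-scan signature (sid 9000000-9000009) seen</description>
  </rule>
</group>

<!-- (3) ossec.conf on the OSSEC server: bind route-null to rule 100100 and
     push it to all agents. The stock ossec.conf usually already defines the
     route-null command; keep only one definition. -->
<ossec_config>
  <global>
    <!-- never null-route the OSSEC server / management hosts (placeholder IP) -->
    <white_list>10.0.0.5</white_list>
  </global>

  <command>
    <name>route-null</name>
    <executable>route-null.sh</executable>
    <expect>srcip</expect>
    <timeout_allowed>yes</timeout_allowed>
  </command>

  <active-response>
    <command>route-null</command>
    <location>all</location>
    <rules_id>100100</rules_id>
    <!-- seconds until the null route is removed again -->
    <timeout>600</timeout>
  </active-response>
</ossec_config>
```

Before enabling the response, paste one real alert line from the sensor into /var/ossec/bin/ossec-logtest on the server and confirm that rule 100100 fires and that the decoded srcip is the bare address (no port), since that value is what route-null.sh receives. Two caveats worth weighing: with `<location>all</location>` every agent null-routes whatever source the sensor reports, so a scanner using spoofed or decoy source addresses can make your own agents cut off legitimate hosts; the white_list and a finite timeout limit the damage, but this is a blunt response to a noisy, low-severity event.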