Hi Jacob,

That sounds interesting. In case you need help creating decoders/rules or active responses for your Snort logs, paste some log samples here.
On Tuesday, May 10, 2016 at 10:41:36 PM UTC+2, Santiago Bassett wrote:
>
> That seems doable, yes. I haven't seen that done before, but theoretically it should work.
>
> On Tue, May 10, 2016 at 1:35 PM, Jacob Mcgrath <[email protected]> wrote:
>
>> Is it possible to have OSSEC monitor Snort logs for certain SIDs and then trigger the active response on all agents when the event occurs?
>>
>> Looking at reacting to Nmap and Nessus type scans on my internal network.
>>
>> I guess I would have to monitor the Security Onion server's Snort log for SIDs for port scans.
>>
>> In the Security Onion server I have /etc/nsm/rules/local.rules
>>
>> # look for stealth port scans/sweeps
>> alert tcp any any -> any any (msg:"SYN FIN Scan"; flags: SF;sid:9000000;)
>> alert tcp any any -> any any (msg:"FIN Scan"; flags: F;sid:9000001;)
>> alert tcp any any -> any any (msg:"NULL Scan"; flags: 0;sid:9000002;)
>> alert tcp any any -> any any (msg:"XMAS Scan"; flags: FPU;sid:9000003;)
>> alert tcp any any -> any any (msg:"Full XMAS Scan"; flags: SRAFPU;sid:9000004;)
>> alert tcp any any -> any any (msg:"URG Scan"; flags: U;sid:9000005;)
>> alert tcp any any -> any any (msg:"URG FIN Scan"; flags: FU;sid:9000006;)
>> alert tcp any any -> any any (msg:"PUSH FIN Scan"; flags: FP;sid:9000007;)
>> alert tcp any any -> any any (msg:"URG PUSH Scan"; flags: PU;sid:9000008;)
>> alert tcp any any -> any any (flags: A; ack: 0; msg:"NMAP TCP ping!";sid:9000009;)
>>
>> How would one write the local.rules for the OSSEC server to trigger the active response route-null function on agents?
>>
>> 1. Snort sees port scans and writes an alert to the log
>> 2. OSSEC sees Snort's port scan alerts in the log and triggers route-null on all agents.
>>
>> Is there a guide to setting something like this up?
>>
>> --
>>
>> ---
>> You received this message because you are subscribed to the Google Groups "ossec-list" group.
>> To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
>> For more options, visit https://groups.google.com/d/optout.
>>
>
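The two OSSEC-side pieces Jacob's steps 1 and 2 call for, as an added example that is not from the thread or from OSSEC's shipped configuration: a child rule in local_rules.xml that matches the custom Snort SIDs, and an active-response stanza in ossec.conf that runs route-null on all agents for that rule. It assumes the stock Snort rules file defines 20101 as the generic Snort event parent rule, that the Snort decoders fill the id field as gid:sid:rev, and that the rule id 100100 and the 600 s timeout are arbitrary choices.

```xml
<!-- local_rules.xml on the OSSEC manager: fire on the custom scan SIDs.
     Assumption: stock rule 20101 is the generic "IDS event" parent and
     the snort-fast/snort-full decoders set id to gid:sid:rev. -->
<group name="local,snort,portscan,">
  <rule id="100100" level="10">
    <if_sid>20101</if_sid>
    <!-- the decoded id looks like 1:9000003:0; match only SIDs 9000000-9000009
         from local.rules, not every Snort alert on the sensor -->
    <id>^1:900000\d:</id>
    <description>Snort stealth port-scan signature from local.rules fired.</description>
  </rule>
</group>

<!-- ossec.conf on the OSSEC manager: null-route the scanning host on every
     agent whenever rule 100100 fires. route-null.sh (route-null.cmd on
     Windows agents) ships with OSSEC; 100100 and 600 are example values. -->
<ossec_config>
  <command>
    <name>route-null</name>
    <executable>route-null.sh</executable>
    <expect>srcip</expect>                  <!-- only runs if the event has a decoded srcip -->
    <timeout_allowed>yes</timeout_allowed>
  </command>

  <active-response>
    <command>route-null</command>
    <location>all</location>                <!-- every connected agent, not just the manager -->
    <rules_id>100100</rules_id>
    <timeout>600</timeout>                  <!-- undo the null route after 10 minutes -->
  </active-response>
</ossec_config>
```

Because the Snort rules match any source address, a scheduled Nessus run or a packet with a forged source would null-route that host on every agent, so add trusted scanners to the global white_list in ossec.conf and keep the timeout short. Restart the manager after editing and confirm with a test scan that the rule fires in alerts.log before trusting the response on production agents.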
