On Thu, May 12, 2016 at 12:44 PM, Jacob Mcgrath
<[email protected]> wrote:
> I am thinking of monitoring the sguild logs for Snort alerts such as the
> one below, for which decoders would have to be made (which I am weak on):
>
> 2016-05-12 16:08:58 pid(2410)  Sending sock222f690: InsertEvent {0 0 unknown
> alamo-eth1-1 {2016-05-12 16:08:58} 3 106 {Port Scan} 10.40.2.75 10.40.3.253
> 6 56496 10247 1 9000001 0 8 8 1}
>

On a Security Onion sensor I have access to, barnyard2 is apparently
configured to log to syslog (LOCAL6), although I'm not sure rsyslog is
set up to handle that.
You could configure rsyslog to log the syslog traffic to a file
monitored by OSSEC.
I'm not sure offhand whether OSSEC has Snort syslog decoders or not, though.

>
>
> On Tuesday, May 10, 2016 at 3:35:26 PM UTC-5, Jacob Mcgrath wrote:
>>
>> Is it possible to have OSSEC monitor Snort logs for certain SIDs and then
>> trigger the active response on all agents when an event occurs?
>>
>> Looking at reacting to Nmap and Nessus-type scans on my internal network.
>>
>>
>> I guess I would have to monitor the Security Onion server's Snort log for
>> SIDs for port scans.
>>
>> In the Security Onion server I have /etc/nsm/rules/local.rules
>>
>>
>> # look for stealth port scans/sweeps
>> alert tcp any any -> any any (msg:"SYN FIN Scan"; flags: SF;sid:9000000;)
>> alert tcp any any -> any any (msg:"FIN Scan"; flags: F;sid:9000001;)
>> alert tcp any any -> any any (msg:"NULL Scan"; flags: 0;sid:9000002;)
>> alert tcp any any -> any any (msg:"XMAS Scan"; flags: FPU;sid:9000003;)
>> alert tcp any any -> any any (msg:"Full XMAS Scan"; flags: SRAFPU;sid:9000004;)
>> alert tcp any any -> any any (msg:"URG Scan"; flags: U;sid:9000005;)
>> alert tcp any any -> any any (msg:"URG FIN Scan"; flags: FU;sid:9000006;)
>> alert tcp any any -> any any (msg:"PUSH FIN Scan"; flags: FP;sid:9000007;)
>> alert tcp any any -> any any (msg:"URG PUSH Scan"; flags: PU;sid:9000008;)
>> alert tcp any any -> any any (flags: A; ack: 0; msg:"NMAP TCP ping!";sid:9000009;)
>>
>>
>>
>>
>> How would one write the local rules for the OSSEC server to trigger the
>> active response route-null function on agents?
>>
>>
>> 1. Snort sees port scans and writes an alert to the log
>> 2. OSSEC sees Snort's port scan alerts in the log and triggers route-null on
>> all agents.
>>
>> Is there a guide to setting something like this up?
>
> --
>
> ---
> You received this message because you are subscribed to the Google Groups
> "ossec-list" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to [email protected].
> For more options, visit https://groups.google.com/d/optout.

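One way to wire the InsertEvent line quoted above to a route-null response on every agent, written as an added example for this thread rather than configuration taken from OSSEC or Security Onion. The sguild log path, the decoder name and rule ID 100100 are assumptions to adapt; the field order after the {msg} block (srcip dstip proto srcport dstport gen_id sig_id) is read off the quoted line.

```xml
<!-- 1. ossec.conf on the host that can read the file: collect the sguild log.
        The path is an assumption; point it at your own sguild log. -->
<localfile>
  <log_format>syslog</log_format>
  <location>/var/log/nsm/securityonion/sguild.log</location>
</localfile>

<!-- 2. etc/local_decoder.xml: pull srcip, dstip and the Snort SID out of the
        InsertEvent line. The first two dotted quads after the prematch are
        the IPs; after proto, srcport, dstport and gen_id comes the SID. -->
<decoder name="sguild-insertevent">
  <prematch>: InsertEvent </prematch>
  <regex offset="after_prematch">(\d+\.\d+\.\d+\.\d+) (\d+\.\d+\.\d+\.\d+) \d+ \d+ \d+ \d+ (\d+) </regex>
  <order>srcip, dstip, id</order>
</decoder>

<!-- 3. rules/local_rules.xml: fire only on the scan SIDs from local.rules.
        Rule ID 100100 is a placeholder in the local (100000+) range. -->
<group name="local,snort,scan,">
  <rule id="100100" level="10">
    <decoded_as>sguild-insertevent</decoded_as>
    <id>^9000000$|^9000001$|^9000002$|^9000003$|^9000004$|^9000005$|^9000006$|^9000007$|^9000008$|^9000009$</id>
    <description>Snort port-scan signature (SID 9000000-9000009) seen in sguild log</description>
  </rule>
</group>

<!-- 4. ossec.conf on the server: null-route the decoded srcip on all agents
        for 10 minutes. The route-null command block ships in the default
        Linux ossec.conf; it is repeated here so the example is complete. -->
<command>
  <name>route-null</name>
  <executable>route-null.sh</executable>
  <expect>srcip</expect>
  <timeout_allowed>yes</timeout_allowed>
</command>
<active-response>
  <command>route-null</command>
  <location>all</location>
  <rules_id>100100</rules_id>
  <timeout>600</timeout>
</active-response>
```

Because route-null acts on the decoded srcip on every agent, a spoofed scan source would be null-routed everywhere, so list your own scanners and management hosts in `<white_list>` under `<global>` before enabling `<location>all</location>`.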