Very interesting project. Some features could be included in OSSEC, but we have to pay attention to false positives.
There are some workarounds to run these features in OSSEC:

- Beaconing: Create a script to detect beaconing and send the output to a log. You can create decoders, rules and active response scripts.
- Blacklisted IPs: Create/download an IP reputation database and use it as a CDB list (field srcip).
- Scanning: Use some software to detect scans (snort or similar) and read the logs. You can create active responses to block the IPs.
- Long Duration Connections: Same idea as Beaconing.
- Long URLs: You can create precompiled rules to see the length of a URL.

Regards.

Thanks for the ideas.

On Wednesday, August 31, 2016 at 4:12:22 PM UTC+2, [email protected] wrote:
> John Strand and Black Hills Security developed a project called:
> http://www.blackhillsinfosec.com/?page_id=4417
>
> They developed a set of beaconing specs which I'm wondering if we can reproduce in OSSEC.
>
> Here's what I'm looking for:
>
> Beaconing:
> Connections that happen frequently and on similar intervals could be an indicator of malware calling home.
>
> Blacklisted IPs:
> Blacklisted IPs are addresses reported as being involved with malware, spamming, and other dangerous activities.
>
> Scanning:
> These events occur when a computer attempts to connect to a large number of ports on a system, searching for vulnerabilities. I think this has traditionally been about active defenses.
>
> Long Duration Connections:
> Connections that are beyond the length of average on a network could indicate a compromised system.
>
> Long URLs:
> Longer than normal URLs could potentially be used to transfer malicious data into the system.
>
> Concurrent Logins:
> A user being logged into a high number of systems could indicate that this user's account or original system has been compromised.
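The first workaround above (an external beaconing script whose output is fed to OSSEC) sketched as an added Python example; it is not code from the post, from OSSEC or from the Black Hills project. The connection-log format, the `beacon-detector:` output prefix (which a custom decoder would match) and the thresholds are assumptions; the sample log is constructed.

```python
import re
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed sample log: one host connects every ~5 min, another irregularly.
SAMPLE_LOG = """\
2016-08-31T10:00:00 src=10.0.0.5 dst=203.0.113.9 dport=443
2016-08-31T10:05:01 src=10.0.0.5 dst=203.0.113.9 dport=443
2016-08-31T10:10:00 src=10.0.0.5 dst=203.0.113.9 dport=443
2016-08-31T10:14:59 src=10.0.0.5 dst=203.0.113.9 dport=443
2016-08-31T10:20:00 src=10.0.0.5 dst=203.0.113.9 dport=443
2016-08-31T10:00:10 src=10.0.0.7 dst=198.51.100.2 dport=80
2016-08-31T10:01:40 src=10.0.0.7 dst=198.51.100.2 dport=80
2016-08-31T10:09:00 src=10.0.0.7 dst=198.51.100.2 dport=80
2016-08-31T10:30:00 src=10.0.0.7 dst=198.51.100.2 dport=80
"""

LINE_RE = re.compile(r"^(\S+) src=(\S+) dst=(\S+) dport=(\d+)$")

def parse(log_text):
    """Group connection timestamps by (src, dst, dport) flow key."""
    flows = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.fromisoformat(m.group(1))
            flows[(m.group(2), m.group(3), int(m.group(4)))].append(ts)
    return flows

def beacon_score(timestamps):
    """Coefficient of variation of the gaps between connections; near 0 = regular."""
    times = sorted(timestamps)
    gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
    if len(gaps) < 3:
        return None  # too few connections to judge regularity
    mean = statistics.mean(gaps)
    return statistics.pstdev(gaps) / mean if mean else None

def find_beacons(log_text, min_conns=4, max_cv=0.05):
    """One log line per regular flow, in a format a custom OSSEC decoder can parse."""
    alerts = []
    for (src, dst, dport), ts in parse(log_text).items():
        cv = beacon_score(ts)
        if len(ts) >= min_conns and cv is not None and cv <= max_cv:
            alerts.append(f"beacon-detector: srcip={src} dstip={dst} "
                          f"dstport={dport} count={len(ts)} cv={cv:.3f}")
    return alerts
```

Write the lines returned by `find_beacons` to a file that OSSEC monitors with `<localfile>`, then match the `beacon-detector:` prefix in a decoder that extracts srcip and dstip for the rules and active responses mentioned above. Raising `min_conns` or lowering `max_cv` is the lever against the false positives the post warns about.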
