Ossec and Portsentry


Js Opdebeeck

Nov 2, 2010, 3:44:00 PM
to ossec-list
This post to continue the previous one -
http://groups.google.com/group/ossec-list/browse_thread/thread/fd9503ef5f9055cc/92abe89dfb932698
"Scanlogd Support".


Goal is to detect port scans with PortSentry, but I don't have
sufficient background in OSSEC rules to create smart events.


Here is the current status (but it currently fails):

/var/ossec/etc/decoder.xml

<!-- Custom decoder for PortSentry Threat Events -->

<decoder name="portsentry">
<program_name>portsentry</program_name>
</decoder>

<decoder name="portsentry-attackalert">
<parent>portsentry</parent>
<prematch>attackalert: Connect from </prematch>
<regex offset="after_prematch">ost: (\S)/\S+ to \S+ port: (\d+)$</regex>
<order>srcip, dstport</order>
</decoder>

<decoder name="portsentry-blocked">
<parent>portsentry</parent>
<prematch>is already blocked. Ignoring$</prematch>
<regex>Host: (\S+) is</regex>
<order>srcip</order>
</decoder>

/var/ossec/rules/local_rules.xml

<!-- Custom Rules for PortSentry Events -->
<group name="syslog,portsentry,">
<rule id="160000" level="0">
<decoded_as>portsentry</decoded_as>
<!-- <match>attackalert</match> -->
<description>Grouping for the PortSentry rules</description>
</rule>
<rule id="160103" level="10">
<if_sid>160000</if_sid>
<action>critical</action>
<description>PortSentry critical/alert message.</description>
</rule>
<rule id="160150" level="10" frequency="4" timeframe="180" ignore="60">
<if_matched_sid>160103</if_matched_sid>
<description>Multiple PortSentry critical messages.</description>
<description>same source IP.</description>
</rule>
</group>


Sample log from logsentry

Nov 2 19:56:52 matrix portsentry[1148]: attackalert: Connect from host: 172.16.211.1/172.16.211.1 to TCP port: 1
Nov 2 19:56:52 matrix portsentry[1148]: attackalert: Ignoring TCP response per configuration file setting.
Nov 2 19:56:52 matrix portsentry[1148]: attackalert: Connect from host: 172.16.211.1/172.16.211.1 to TCP port: 79
Nov 2 19:56:52 matrix portsentry[1148]: attackalert: Host: 172.16.211.1 is already blocked. Ignoring
Nov 2 19:56:52 matrix portsentry[1148]: attackalert: Connect from host: 172.16.211.1/172.16.211.1 to TCP port: 111
Nov 2 19:56:52 matrix portsentry[1148]: attackalert: Host: 172.16.211.1 is already blocked. Ignoring
Nov 2 19:56:52 matrix portsentry[1148]: attackalert: Connect from host: 172.16.211.1/172.16.211.1 to TCP port: 119
Nov 2 19:56:52 matrix portsentry[1148]: attackalert: Host: 172.16.211.1 is already blocked. Ignoring
Nov 2 19:56:52 matrix portsentry[1148]: attackalert: Connect from host: 172.16.211.1/172.16.211.1 to TCP port: 143
Nov 2 19:56:52 matrix portsentry[1148]: attackalert: Host: 172.16.211.1 is already blocked. Ignoring
Nov 2 19:56:52 matrix portsentry[1148]: attackalert: Connect from host: 172.16.211.1/172.16.211.1 to TCP port: 1080
Nov 2 19:56:52 matrix portsentry[1148]: attackalert: Host: 172.16.211.1 is already blocked. Ignoring
Nov 2 19:56:52 matrix portsentry[1148]: attackalert: Connect from host: 172.16.211.1/172.16.211.1 to TCP port: 1524
Nov 2 19:56:52 matrix portsentry[1148]: attackalert: Host: 172.16.211.1 is already blocked. Ignoring
Nov 2 19:56:52 matrix portsentry[1148]: attackalert: Connect from host: 172.16.211.1/172.16.211.1 to TCP port: 2000
Nov 2 19:56:52 matrix portsentry[1148]: attackalert: Host: 172.16.211.1 is already blocked. Ignoring
Nov 2 19:56:52 matrix portsentry[1148]: attackalert: Connect from host: 172.16.211.1/172.16.211.1 to TCP port: 6667
Nov 2 19:56:52 matrix portsentry[1148]: attackalert: Host: 172.16.211.1 is already blocked. Ignoring
Nov 2 19:56:52 matrix portsentry[1148]: attackalert: Connect from host: 172.16.211.1/172.16.211.1 to TCP port: 12345
Nov 2 19:56:52 matrix portsentry[1148]: attackalert: Host: 172.16.211.1 is already blocked. Ignoring

If you can add recommendations, I'll be happy to test them.


Thanks all for your support.

dan (ddp)

Nov 2, 2010, 4:05:49 PM
to ossec...@googlegroups.com

I posted this in the other thread, but I'll post it here too. Slightly
tested decoders:

<decoder name="portsentry">
<program_name>portsentry</program_name>
</decoder>

<decoder name="portsentry-attackalert">
<parent>portsentry</parent>

<prematch>attackalert: Connect from host: </prematch>
<regex offset="after_prematch">(\S+)/\S+ to (\S+) port: (\d+)$</regex>
<order>srcip,protocol,dstport</order>

</decoder>

<decoder name="portsentry-blocked">
<parent>portsentry</parent>
<prematch>is already blocked. Ignoring$</prematch>
<regex>Host: (\S+) is</regex>
<order>srcip</order>
</decoder>


> /var/ossec/rules/local_rules.xml
>
> <!-- Custom Rules for PortSentry Events -->
> <group name="syslog,portsentry,">
>  <rule id="160000" level="0">
>    <decoded_as>portsentry</decoded_as>
>     <!--  <match>attackalert</match> -->
>     <description>Grouping for the PortSentry rules</description>
>  </rule>

You should add noalert="1" to the <group tag on the above rule.

>  <rule id="160103" level="10">
>    <if_sid>160000</if_sid>
>    <action>critical</action>
>    <description>PortSentry critical/alert message.</description>
>  </rule>

There is no "action" defined in the decoders, and no "critical" in the
log message samples you've posted.

I'm not sure how important some of these messages are. For instance,
the "already blocked" messages might not matter much. So adjust the
Rule IDs to your liking (provide some feedback if you do, I'm
interested what other people think).

Again, these are untested (I'll try to do it tomorrow morning):

<group name="syslog,portsentry,">
<rule id="160000" level="0" noalert="1">
<decoded_as>portsentry</decoded_as>
<description>Grouping for the PortSentry rules</description>
</rule>

<rule id="160002" level="0">
<if_sid>160000</if_sid>
<match>Connect from host:</match>
<description>Connection from a host.</description>
</rule>

<rule id="160003" level="10" frequency="4" timeframe="180" ignore="60">
<if_sid>160002</if_sid>
<description>Repeated connections from the same host.</description>
<same_source_ip />
<group>recon,</group>
</rule>

<rule id="160004" level="0">
<if_sid>160000</if_sid>
<match>is already blocked. Ignoring$</match>
<description>Host is still scanning.</description>
</rule>

<rule id="160005" level="10" frequency="6" timeframe="180" ignore="60">
<if_sid>160004</if_sid>
<description>Repeated connections from a blocked host.</description>
<same_source_ip />
<group>recon,</group>
</rule>

</group>
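To check decoders and frequency rules like the ones above without a running OSSEC, here is an added example (not code from this thread or from the OSSEC project): a small Python harness that re-expresses dan's two child decoders as regexes and models rules 160003 and 160005 (frequency within a timeframe, same source IP, then an ignore period) over a constructed log modelled on the sample in the first post. The sample lines, the 2010 year put on the syslog timestamps, and the correlation loop are assumptions of this example; the loop is a simplified model, not OSSEC's analysis engine.

```python
"""Offline check of the PortSentry decoders and frequency rules from this thread.

Added example. The regexes re-express dan's decoder definitions; the
correlate() loop is a simplified model of an OSSEC frequency/timeframe/ignore
rule with <same_source_ip />, not OSSEC's own engine.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumption: syslog timestamps carry no year; the thread is from 2010.
SYSLOG_YEAR = 2010

# Generic syslog header: "Mon DD HH:MM:SS host program[pid]: message"
SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"(?P<prog>[^\[\]: ]+)(?:\[\d+\])?: (?P<msg>.*)$"
)

# <decoder name="portsentry-attackalert">: prematch, then regex offset="after_prematch"
CONNECT_PREMATCH = "attackalert: Connect from host: "
CONNECT_RE = re.compile(r"(\S+)/\S+ to (\S+) port: (\d+)$")  # <order>srcip,protocol,dstport</order>

# <decoder name="portsentry-blocked">: prematch anchored at end of message, regex on whole message
BLOCKED_SUFFIX = "is already blocked. Ignoring"
BLOCKED_RE = re.compile(r"Host: (\S+) is")  # <order>srcip</order>


def decode(line):
    """Return the fields the decoders would produce for one syslog line, or None."""
    m = SYSLOG_RE.match(line)
    if not m or m.group("prog") != "portsentry":  # <program_name>portsentry</program_name>
        return None
    ts = " ".join(m.group("ts").split())  # collapse the double space in "Nov  2"
    when = datetime.strptime(ts, "%b %d %H:%M:%S").replace(year=SYSLOG_YEAR)
    msg = m.group("msg")
    event = {"time": when, "decoder": "portsentry", "srcip": None, "protocol": None, "dstport": None}
    if CONNECT_PREMATCH in msg:
        hit = CONNECT_RE.search(msg.split(CONNECT_PREMATCH, 1)[1])
        if hit:
            event.update(decoder="portsentry-attackalert", srcip=hit.group(1),
                         protocol=hit.group(2), dstport=int(hit.group(3)))
    elif msg.endswith(BLOCKED_SUFFIX):
        hit = BLOCKED_RE.search(msg)
        if hit:
            event.update(decoder="portsentry-blocked", srcip=hit.group(1))
    return event  # lines such as "Ignoring TCP response ..." only reach the parent decoder


def correlate(events, child_decoder, frequency, timeframe, ignore):
    """Model of rules 160003/160005: fire when `frequency` events from the same
    source IP fall inside `timeframe` seconds, then stay quiet for that IP for
    `ignore` seconds. Returns a list of (srcip, fire_time)."""
    window = defaultdict(deque)  # srcip -> timestamps of recent child matches
    muted_until = {}             # srcip -> end of the ignore period
    alerts = []
    for ev in sorted(events, key=lambda e: e["time"]):
        if ev["decoder"] != child_decoder or not ev["srcip"]:
            continue
        ip, t = ev["srcip"], ev["time"]
        if ip in muted_until and t < muted_until[ip]:
            continue
        q = window[ip]
        q.append(t)
        while q and (t - q[0]).total_seconds() > timeframe:
            q.popleft()
        if len(q) >= frequency:
            alerts.append((ip, t))
            q.clear()
            muted_until[ip] = t + timedelta(seconds=ignore)
    return alerts


# Constructed sample log, modelled on the thread's PortSentry output but with
# spread-out timestamps, a second scanner, and one unrelated sshd line.
SAMPLE_LOG = """\
Nov  2 19:56:52 matrix portsentry[1148]: attackalert: Connect from host: 172.16.211.1/172.16.211.1 to TCP port: 1
Nov  2 19:56:52 matrix portsentry[1148]: attackalert: Ignoring TCP response per configuration file setting.
Nov  2 19:56:53 matrix portsentry[1148]: attackalert: Connect from host: 172.16.211.1/172.16.211.1 to TCP port: 79
Nov  2 19:56:53 matrix portsentry[1148]: attackalert: Host: 172.16.211.1 is already blocked. Ignoring
Nov  2 19:56:54 matrix portsentry[1148]: attackalert: Connect from host: 172.16.211.1/172.16.211.1 to TCP port: 111
Nov  2 19:56:55 matrix portsentry[1148]: attackalert: Connect from host: 172.16.211.1/172.16.211.1 to TCP port: 143
Nov  2 19:56:56 matrix portsentry[1148]: attackalert: Connect from host: 172.16.211.1/172.16.211.1 to TCP port: 1080
Nov  2 19:57:10 matrix portsentry[1148]: attackalert: Connect from host: 10.0.0.5/10.0.0.5 to UDP port: 161
Nov  2 20:05:00 matrix portsentry[1148]: attackalert: Connect from host: 10.0.0.5/10.0.0.5 to UDP port: 162
Nov  2 19:57:00 matrix sshd[900]: Accepted publickey for admin from 10.0.0.9 port 51000 ssh2
"""


def analyse(log_text):
    """Decode every line, then apply the two frequency rules from the thread."""
    events = [e for e in (decode(line) for line in log_text.splitlines()) if e]
    scans = correlate(events, "portsentry-attackalert", frequency=4, timeframe=180, ignore=60)  # rule 160003
    persist = correlate(events, "portsentry-blocked", frequency=6, timeframe=180, ignore=60)    # rule 160005
    return events, scans, persist


if __name__ == "__main__":
    evs, scans, persist = analyse(SAMPLE_LOG)
    for e in evs:
        print(e["time"].strftime("%H:%M:%S"), e["decoder"], e["srcip"], e["protocol"], e["dstport"])
    print("rule 160003 fired:", [(ip, t.strftime("%H:%M:%S")) for ip, t in scans])
    print("rule 160005 fired:", persist)
```

Two things to keep in mind when comparing with a real install: ossec-logtest remains the authoritative check of the XML itself, and the OSSEC rule syntax documentation states that the event count which actually triggers a frequency rule is two more than the frequency attribute, so this model (which fires at the literal value) will alert slightly earlier than OSSEC would for the same log. The 10.0.0.5 lines show the timeframe doing its job: two connections eight minutes apart never accumulate, while the 172.16.211.1 burst fires once and the follow-up hit is swallowed by the ignore period.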

Js Opdebeeck

Nov 29, 2010, 4:32:03 PM
to ossec-list
Late to reply.


The last version works really well.


Thanks for your help.


Kind regards.

Jean-sebastien.