I posted this in the other thread, but I'll post it here too. Slightly
tested decoders:
<!-- Parent decoder: matches any syslog line whose program name is "portsentry" -->
<decoder name="portsentry">
  <program_name>portsentry</program_name>
</decoder>

<!-- "attackalert: Connect from host: <name>/<ip> to <proto> port: <port>":
     srcip gets the part before "/", then protocol and dstport -->
<decoder name="portsentry-attackalert">
  <parent>portsentry</parent>
  <prematch>attackalert: Connect from host: </prematch>
  <regex offset="after_prematch">(\S+)/\S+ to (\S+) port: (\d+)$</regex>
  <order>srcip,protocol,dstport</order>
</decoder>

<!-- "Host: <ip> is already blocked. Ignoring": only srcip is extracted -->
<decoder name="portsentry-blocked">
  <parent>portsentry</parent>
  <prematch>is already blocked. Ignoring$</prematch>
  <regex>Host: (\S+) is</regex>
  <order>srcip</order>
</decoder>
> /var/ossec/rules/local_rules.xml
>
> <!-- Custom Rules for PortSentry Events -->
> <group name="syslog,portsentry,">
> <rule id="160000" level="0">
> <decoded_as>portsentry</decoded_as>
> <!-- <match>attackalert</match> -->
> <description>Grouping for the PortSentry rules</description>
> </rule>
You should add noalert="1" to the <group tag on the above rule.
> <rule id="160103" level="10">
> <if_sid>160000</if_sid>
> <action>critical</action>
> <description>PortSentry critical/alert message.</description>
> </rule>
There is no "action" defined in the decoders, and no "critical" in the
log message samples you've posted.
I'm not sure how important some of these messages are. For instance,
the "already blocked" messages might not matter much. So adjust the
Rule IDs to your liking (provide some feedback if you do, I'm
interested what other people think).
Again, these are untested (I'll try to do it tomorrow morning):
<group name="syslog,portsentry,">
  <rule id="160000" level="0" noalert="1">
    <decoded_as>portsentry</decoded_as>
    <description>Grouping for the PortSentry rules</description>
  </rule>

  <rule id="160002" level="0">
    <if_sid>160000</if_sid>
    <match>Connect from host:</match>
    <description>Connection from a host.</description>
  </rule>

  <!-- Composite (frequency) rules chain on their parent with if_matched_sid,
       not if_sid: fire after 4 hits from the same source IP inside 180 s,
       then ignore that rule for 60 s -->
  <rule id="160003" level="10" frequency="4" timeframe="180" ignore="60">
    <if_matched_sid>160002</if_matched_sid>
    <description>Repeated connections from the same host.</description>
    <same_source_ip />
    <group>recon,</group>
  </rule>

  <rule id="160004" level="0">
    <if_sid>160000</if_sid>
    <match>is already blocked. Ignoring$</match>
    <description>Host is still scanning.</description>
  </rule>

  <!-- Same pattern: 6 "already blocked" hits from one source IP inside 180 s -->
  <rule id="160005" level="10" frequency="6" timeframe="180" ignore="60">
    <if_matched_sid>160004</if_matched_sid>
    <description>Repeated connections from a blocked host.</description>
    <same_source_ip />
    <group>recon,</group>
  </rule>
</group>
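To see what the two child decoders extract and when the frequency rules would fire before loading them, here is an added Python emulation (not OSSEC code and not from this thread) that runs the decoders over constructed PortSentry syslog lines and models the frequency/timeframe/ignore counter keyed by source IP. The syslog header layout and the "fire on the Nth event" threshold are assumptions; ossec-logtest is still the authoritative check.

```python
import re
from collections import defaultdict, deque

# Child decoders from the post as (prematch, regex, after_prematch, order). OSSEC's
# regex dialect is not Python's, but \S+, \d+ and $ mean the same in both.
DECODERS = {
    "portsentry-attackalert": (r"attackalert: Connect from host: ",
                               r"(\S+)/\S+ to (\S+) port: (\d+)$", True,
                               ("srcip", "protocol", "dstport")),
    "portsentry-blocked": (r"is already blocked. Ignoring$",
                           r"Host: (\S+) is", False, ("srcip",)),
}
# Assumed syslog framing: "Mon DD HH:MM:SS host program[pid]: message".
SYSLOG = re.compile(r"\S+ +\d+ \d\d:\d\d:\d\d \S+ (\S+?)(?:\[\d+\])?: (.*)$")

def decode(line):
    """Parent matches program_name; the first child whose prematch hits runs its
    regex (after the prematch if offset="after_prematch") and fills <order>."""
    head = SYSLOG.match(line)
    if not head or head.group(1) != "portsentry":
        return None
    msg = head.group(2)
    for name, (prematch, regex, after, order) in DECODERS.items():
        pm = re.search(prematch, msg)
        if not pm:
            continue
        m = re.search(regex, msg[pm.end():] if after else msg)
        if m:  # srcip is the text before "/": a hostname if PortSentry resolves names
            return dict(zip(order, m.groups()), decoder=name)
    return None

class FrequencyRule:
    """Simplified frequency/timeframe/ignore with <same_source_ip />: fire once
    `frequency` events from one srcip fall inside `timeframe` seconds."""
    def __init__(self, frequency, timeframe, ignore):
        self.frequency, self.timeframe, self.ignore = frequency, timeframe, ignore
        self.events, self.muted_until = defaultdict(deque), {}

    def feed(self, srcip, ts):
        if ts < self.muted_until.get(srcip, -1):  # inside the ignore period
            return False
        q = self.events[srcip]
        q.append(ts)
        while ts - q[0] > self.timeframe:  # drop events outside the window
            q.popleft()
        if len(q) < self.frequency:
            return False
        q.clear()  # fired: reset the window and mute this srcip for `ignore` s
        self.muted_until[srcip] = ts + self.ignore
        return True
```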