Portsentry decoders and rules issues


Blauch Armand

Jul 8, 2011, 9:59:39 AM
to ossec-list
Hello,

I'm new to ossec and I need help. I've spent a lot of time on
portsentry rules and ossec.
There is already a subject about this here:
http://groups.google.com/group/ossec-list/browse_thread/thread/6718daf1f522773f/dfa124f7b868197e?lnk=gst&q=portsentry#dfa124f7b868197e

I'm not exactly in the same situation. My logs (syslog) are different.
I don't have the same regular expressions.
I've tried to adapt the decoder and rules from that subject, without
success.

My portsentry logs are like this:

*******************************************************
Jul 8 09:47:11 pctest portsentry[14021]: attackalert: TCP XMAS scan from host: 192.168.4.51/192.168.4.51 to TCP port: 648
Jul 8 09:47:11 pctest portsentry[14021]: attackalert: Host: 192.168.4.51/192.168.4.51 is already blocked Ignoring
Jul 8 09:48:09 pctest portsentry[14021]: attackalert: TCP FIN scan from host: 192.168.4.51/192.168.4.51 to TCP port: 465
Jul 8 09:48:09 pctest portsentry[14021]: attackalert: Host: 192.168.4.51/192.168.4.51 is already blocked Ignoring
Jul 8 10:02:12 pctest portsentry[14021]: attackalert: TCP NULL scan from host: 192.168.4.51/192.168.4.51 to TCP port: 808
Jul 8 10:02:12 pctest portsentry[14021]: attackalert: Host: 192.168.4.51/192.168.4.51 is already blocked Ignoring
Jul 8 15:14:19 pctest portsentry[14021]: attackalert: TCP SYN/Normal scan from host: 192.168.4.52/192.168.4.52 to TCP port: 700
Jul 8 15:14:19 pctest portsentry[14021]: attackalert: Host: 192.168.4.52/192.168.4.52 is already blocked Ignoring
*******************************************************

The decoders are like this:
(I'm first trying to alert on TCP SYN/Normal scans, but once that one
works I want to alert on all scans)
*******************************************************
<decoder name="portsentry">
  <program_name>^portsentry</program_name>
</decoder>

<decoder name="portsentry-attackalert">
  <parent>portsentry</parent>
  <prematch>attackalert: TCP SYN/Normal scan from host: </prematch>
  <regex offset="after_prematch">(\S+)/\S+ to (\S+) port: (\d+)$</regex>
  <order>srcip,protocol,dstport</order>
</decoder>

<decoder name="portsentry-blocked">
  <parent>portsentry</parent>
  <prematch>is already blocked Ignoring$</prematch>
  <regex>Host: (\S+)/\S+ is</regex>
  <order>srcip</order>
</decoder>
*******************************************************

The rules are like this:
********************************************************
<group name="syslog,portsentry">
  <rule id="160000" level="0" noalert="1">
    <decoded_as>portsentry</decoded_as>
    <description>Grouping for the PortSentry rules</description>
  </rule>

  <rule id="160002" level="0">
    <if_sid>160000</if_sid>
    <match>attackalert:</match>
    <description>Connection from a host.</description>
  </rule>

  <rule id="160003" level="10" frequency="4" timeframe="180" ignore="60">
    <if_matched_sid>160002</if_matched_sid>
    <description>Repeated connections from the same host.</description>
    <same_source_ip />
    <group>recon,</group>
  </rule>

  <rule id="160004" level="0">
    <if_sid>160000</if_sid>
    <match>is already blocked Ignoring$</match>
    <description>Host is still scanning.</description>
  </rule>

  <rule id="160005" level="10" frequency="6" timeframe="180" ignore="60">
    <if_sid>160004</if_sid>
    <if_matched_sid>160002</if_matched_sid>
    <description>Repeated connections from a blocked host.</description>
    <same_source_ip />
    <group>recon,</group>
  </rule>
</group>
********************************************************

Can anybody help me?
What is wrong in my decoders and rules?

dan (ddp)

Jul 8, 2011, 11:21:44 AM
to ossec...@googlegroups.com
Add these to local_decoders.xml:
<decoder name="portsentry-scan">
  <parent>portsentry</parent>
  <prematch>^attackalert: TCP </prematch>
  <regex offset="after_prematch">scan from host: (\S+)/\S+ to \S+ port: (\d+)$</regex>
  <order>srcip, dstport</order>
</decoder>

<decoder name="portsentry-host">
  <parent>portsentry</parent>
  <prematch offset="after_parent">^attackalert: Host: </prematch>
  <regex offset="after_prematch">^(\S+)/\S+ </regex>
  <order>srcip</order>
</decoder>
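The decoders above, traced in Python as an added example (not code from this thread or from the OSSEC project): a small simulation of how OSSEC applies the parent `<program_name>` decoder and then each child's prematch/regex pair with `offset="after_prematch"`, run over the portsentry lines posted at the top of the thread. It assumes the OSSEC regex tokens used in these decoders (`\S+`, `\d+`, `^`, `$`) mean the same thing in Python's `re` module, which holds for these patterns but not for OSSEC's regex dialect in general. The syslog-header regex, the `adminalert` line and the `sshd` line are constructed for the example.

```python
import re

# Constructed sample input: the thread's portsentry lines rejoined onto single lines,
# plus one portsentry line that no child decoder matches and one non-portsentry line.
SAMPLE_LOGS = [
    "Jul 8 09:47:11 pctest portsentry[14021]: attackalert: TCP XMAS scan from host: 192.168.4.51/192.168.4.51 to TCP port: 648",
    "Jul 8 09:47:11 pctest portsentry[14021]: attackalert: Host: 192.168.4.51/192.168.4.51 is already blocked Ignoring",
    "Jul 8 15:14:19 pctest portsentry[14021]: attackalert: TCP SYN/Normal scan from host: 192.168.4.52/192.168.4.52 to TCP port: 700",
    "Jul 8 09:40:00 pctest portsentry[14021]: adminalert: PortSentry is now active (constructed line)",
    "Jul 8 09:48:09 pctest sshd[2231]: Accepted publickey for armand from 192.168.4.10 port 51022 ssh2",
]

# Pre-decoding (assumed shape): split the syslog header so the child decoders only see
# the message body, which is what prematch/regex operate on once <program_name> matched.
SYSLOG_HEADER = re.compile(
    r"^(?P<month>\w{3}) +(?P<day>\d+) (?P<time>[\d:]+) (?P<host>\S+) "
    r"(?P<program>[^\[:]+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$"
)

# The parent decoder: <program_name>^portsentry</program_name>
PARENT_PROGRAM = re.compile(r"^portsentry")

# Child decoders transcribed from dan's local_decoders.xml. The patterns are reused
# verbatim because \S+, \d+, ^ and $ behave the same in Python's re; that is an
# assumption about these patterns only, not about OSSEC regexes in general.
CHILD_DECODERS = [
    {"name": "portsentry-scan",
     "prematch": r"^attackalert: TCP ",
     "regex": r"scan from host: (\S+)/\S+ to \S+ port: (\d+)$",
     "order": ["srcip", "dstport"]},
    {"name": "portsentry-host",
     "prematch": r"^attackalert: Host: ",
     "regex": r"^(\S+)/\S+ ",
     "order": ["srcip"]},
]


def decode(line):
    """Return the decoder name and extracted fields for one log line, or None when
    the parent decoder does not apply (such a line never reaches rule 160000)."""
    hdr = SYSLOG_HEADER.match(line)
    if not hdr or not PARENT_PROGRAM.search(hdr["program"]):
        return None
    msg = hdr["msg"]
    for child in CHILD_DECODERS:
        pm = re.search(child["prematch"], msg)
        if not pm:
            continue
        # offset="after_prematch": the regex is searched in the text after the prematch,
        # so "scan from host:" is found whatever scan type (XMAS, FIN, SYN/Normal) precedes it.
        m = re.search(child["regex"], msg[pm.end():])
        if not m:
            continue
        fields = dict(zip(child["order"], m.groups()))
        return {"decoder": child["name"], **fields}
    # Parent matched but no child did: decoded as plain "portsentry" with no fields.
    return {"decoder": "portsentry"}


def decode_all(lines=SAMPLE_LOGS):
    return [decode(line) for line in lines]


if __name__ == "__main__":
    for line, result in zip(SAMPLE_LOGS, decode_all()):
        print(line.split("]: ", 1)[1][:48].ljust(48), "->", result)
```

The trace only shows where each field comes from; the authoritative check is still `/var/ossec/bin/ossec-logtest`, which reads one log line from stdin and prints the decoder it picked and the fields it extracted.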

Blauch Armand

Jul 11, 2011, 4:55:00 AM
to ossec-list
Hello,

Thank you for your help. I've tried adding your decoders to the
decoder.xml file and it still doesn't work. Ossec doesn't log any
alerts about portsentry.

My decoders are now like this:
*******************************
<decoder name="portsentry">
  <program_name>^portsentry</program_name>
</decoder>

<decoder name="portsentry-attackalert">
  <parent>portsentry</parent>
  <prematch>attackalert: TCP SYN/Normal scan from host: </prematch>
  <regex offset="after_prematch">(\S+)/\S+ to (\S+) port: (\d+)$</regex>
  <order>srcip,protocol,dstport</order>
</decoder>

<decoder name="portsentry-blocked">
  <parent>portsentry</parent>
  <prematch>is already blocked Ignoring$</prematch>
  <regex>Host: (\S+)/\S+ is</regex>
  <order>srcip</order>
</decoder>

<decoder name="portsentry-scan">
  <parent>portsentry</parent>
  <prematch>^attackalert: TCP </prematch>
  <regex offset="after_prematch">scan from host: (\S+)/\S+ to \S+ port: (\d+)$</regex>
  <order>srcip, dstport</order>
</decoder>

<decoder name="portsentry-host">
  <parent>portsentry</parent>
  <prematch offset="after_parent">^attackalert: Host: </prematch>
  <regex offset="after_prematch">^(\S+)/\S+ </regex>
  <order>srcip</order>
</decoder>
************************************************
And my rules are like this:
************************************************
<group name="syslog,portsentry,">
  <rule id="160000" level="0" noalert="1">
    <decoded_as>portsentry</decoded_as>
    <description>Grouping for the PortSentry rules</description>
  </rule>

  <rule id="160002" level="0">
    <if_sid>160000</if_sid>
    <match>attackalert:</match>
    <description>Connection from a host.</description>
  </rule>

  <rule id="160003" level="10" frequency="4" timeframe="180" ignore="60">
    <if_matched_sid>160002</if_matched_sid>
    <description>Repeated connections from the same host.</description>
    <same_source_ip/>
    <group>recon,</group>
  </rule>

  <rule id="160004" level="0">
    <if_sid>160000</if_sid>
    <match>is already blocked Ignoring$</match>
    <description>Host is still scanning.</description>
  </rule>

  <rule id="160005" level="10" frequency="6" timeframe="180" ignore="60">
    <if_matched_sid>160004</if_matched_sid>
    <description>Repeated connections from a blocked host.</description>
    <same_source_ip />
    <group>recon,</group>
  </rule>
</group>
********************************************************

Do you know what is wrong?
How can I know if it's a decoder issue, or a rule issue, or both?



dan (ddp)

Jul 11, 2011, 5:26:06 PM
to ossec...@googlegroups.com
Hi Blauch,

On Mon, Jul 11, 2011 at 4:55 AM, Blauch Armand <ama...@gmail.com> wrote:
> Hello,
>
> Thank you for your help. I've tried to add your decoders on the
> decoder.xml files and it still doesn't work. Ossec doesn't log any
> alerts about portsentry.
>

Use ossec-logtest to check your rules and decoders.

Unless the following rules include <if_sid>160002</if_sid>, this will
be the only rule alerting anything including "attackalert:" in the
message.
In fact, all of the log messages you sent previously are recorded as
160002 events.

>  <rule id="160003" level="10" frequency="4" timeframe="180" ignore="60">
>    <if_matched_sid>160002</if_matched_sid>
>    <description>Repeated connections from the same host.</description>
>    <same_source_ip/>
>    <group>recon,</group>
>  </rule>
>

This will require 6 events from the same IP within 3 minutes.

>  <rule id="160004" level="0">
>    <if_sid>160000</if_sid>
>    <match>is already blocked Ignoring$</match>
>    <description>Host is still scanning.</description>
>  </rule>
>

This alert won't be triggered because of 160002.
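The rule behaviour dan describes, as an added example in Python (not code from this thread or from OSSEC): a simulation of rule 160002 taking every `attackalert:` line before 160004 can see it, and of the composite rule 160003 counting 160002 matches per source IP. It relies on two documented OSSEC semantics: among sibling rules the first `<match>` that hits wins, and a `frequency="N"` rule fires on the (N+2)th matching event inside its timeframe, which is why `frequency="4"` needs the six events dan mentions. The event stream, its timestamps and the srcip regex are constructed for the example; rule 160005, which combines `<if_sid>` and `<if_matched_sid>`, is left out.

```python
import re
from collections import defaultdict

# Constructed event stream: (seconds since an arbitrary start, message body after the
# syslog header). Six "attackalert" lines from 192.168.4.51 fall inside 180 s, one line
# comes from 192.168.4.52, and a final 192.168.4.51 line arrives well after the window.
EVENTS = [
    (0,   "attackalert: TCP XMAS scan from host: 192.168.4.51/192.168.4.51 to TCP port: 648"),
    (0,   "attackalert: Host: 192.168.4.51/192.168.4.51 is already blocked Ignoring"),
    (58,  "attackalert: TCP FIN scan from host: 192.168.4.51/192.168.4.51 to TCP port: 465"),
    (58,  "attackalert: Host: 192.168.4.51/192.168.4.51 is already blocked Ignoring"),
    (100, "attackalert: TCP SYN/Normal scan from host: 192.168.4.52/192.168.4.52 to TCP port: 700"),
    (150, "attackalert: TCP NULL scan from host: 192.168.4.51/192.168.4.51 to TCP port: 808"),
    (150, "attackalert: Host: 192.168.4.51/192.168.4.51 is already blocked Ignoring"),
    (400, "attackalert: TCP NULL scan from host: 192.168.4.51/192.168.4.51 to TCP port: 22"),
]

# Minimal stand-in for the decoders (constructed): only srcip is needed for <same_source_ip/>.
SRCIP = re.compile(r"(?:from host|Host): (\S+)/")

# Plain child rules of 160000, in the order they are tried; the first <match> that hits wins.
RULES = [
    {"id": 160002, "match": "attackalert:"},
    {"id": 160004, "match": "is already blocked Ignoring$"},
]

# Composite rule: <if_matched_sid>160002 with frequency/timeframe/ignore and <same_source_ip/>.
# A frequency="N" rule fires on the (N+2)th matching event, so frequency="4" needs six.
COMPOSITE = [
    {"id": 160003, "if_matched_sid": 160002, "frequency": 4, "timeframe": 180, "ignore": 60},
]


def ossec_match(pattern, text):
    """<match> as modelled here: substring search, with a leading ^ anchoring at the
    start of the message body and a trailing $ anchoring at its end."""
    anchored_start, anchored_end = pattern.startswith("^"), pattern.endswith("$")
    core = pattern.strip("^$")
    if anchored_start and anchored_end:
        return text == core
    if anchored_start:
        return text.startswith(core)
    if anchored_end:
        return text.endswith(core)
    return core in text


def run_rules(events=EVENTS, rules=RULES, composite=COMPOSITE):
    """Return one (timestamp, srcip, rule id) per event that matched a rule."""
    history = defaultdict(list)  # (composite id, srcip) -> timestamps of base matches
    ignore_until = {}            # composite id -> time before which it stays silent
    alerts = []
    for ts, msg in events:
        m = SRCIP.search(msg)
        srcip = m.group(1) if m else None
        sid = next((r["id"] for r in rules if ossec_match(r["match"], msg)), None)
        if sid is None:
            continue
        fired = sid
        for c in composite:
            if c["if_matched_sid"] != sid:
                continue
            key = (c["id"], srcip)  # same_source_ip: one counter per source address
            window = [t for t in history[key] if ts - t <= c["timeframe"]] + [ts]
            history[key] = window
            if len(window) >= c["frequency"] + 2 and ts >= ignore_until.get(c["id"], 0):
                fired = c["id"]                       # the composite alert replaces the base one
                ignore_until[c["id"]] = ts + c["ignore"]
                history[key] = []                     # count afresh after firing
        alerts.append((ts, srcip, fired))
    return alerts


if __name__ == "__main__":
    for ts, srcip, sid in run_rules():
        print(f"t={ts:4d}  {srcip:14s}  rule {sid}")
```

Swapping the order of the two plain rules (`run_rules(rules=RULES[::-1])`) makes 160004 fire on the "already blocked" lines, but then 160003 never sees six 160002 matches from the same source within 180 s, which is the interaction to keep in mind when deciding which rule should own which messages.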

Blauch Armand

Jul 12, 2011, 9:09:01 AM
to ossec-list
Hello,

Thank you very much for your help and explanations! I've tried
ossec-logtest, it's wonderful!
I don't think I've finished customizing the portsentry rules in my
local rules yet, but now I have this in my decoders:

**********************************************
<decoder name="portsentry">
  <program_name>^portsentry</program_name>
</decoder>

<decoder name="portsentry-attackalert">
  <parent>portsentry</parent>
  <prematch>attackalert: TCP SYN/Normal scan from host: </prematch>
  <regex offset="after_prematch">(\S+)/\S+ to (\S+) port: (\d+)$</regex>
  <order>srcip,protocol,dstport</order>
</decoder>

<decoder name="portsentry-blocked">
  <parent>portsentry</parent>
  <prematch>is already blocked Ignoring$</prematch>
  <regex>Host: (\S+)/\S+ is</regex>
  <order>srcip</order>
</decoder>

<decoder name="portsentry-scan">
  <parent>portsentry</parent>
  <prematch>^attackalert: </prematch>
  <regex offset="after_prematch">scan from host: (\S+)/\S+ to \S+ port: (\d+)$</regex>
  <order>srcip, dstport</order>
</decoder>

<decoder name="portsentry-host">
  <parent>portsentry</parent>
  <prematch offset="after_parent">^attackalert: Host: </prematch>
  <regex offset="after_prematch">^(\S+)/\S+ </regex>
  <order>srcip</order>
</decoder>
*****************************************************************

And in my rules:
******************************************************************
<group name="syslog,portsentry,">
  <rule id="160000" level="0" noalert="1">
    <decoded_as>portsentry</decoded_as>
    <description>Grouping for the PortSentry rules</description>
  </rule>

  <rule id="160002" level="3">
    <if_sid>160000</if_sid>
    <match>attackalert:</match>
    <description>Connection from a host.</description>
  </rule>

  <rule id="160003" level="8" frequency="4" timeframe="180" ignore="60">
    <if_matched_sid>160002</if_matched_sid>
    <description>Repeated connections from the same host.</description>
    <same_source_ip/>
    <group>recon,</group>
  </rule>

  <rule id="160004" level="10" frequency="8" timeframe="180" ignore="60">
    <if_matched_sid>160002</if_matched_sid>
    <description>Host is still scanning</description>
    <same_source_ip />
    <group>recon,</group>
  </rule>
</group>
*****************************************************************
And it works. I have alerts 160002, 160003 and 160004 in my ossec web
interface.