Scanlogd support


Js Opdebeeck

Oct 31, 2010, 3:59:17 PM
to ossec-list
Hello;

I'd like to have a report in case of a network port scan, but I don't want
to use Snort. There is a post about 'iplog', but this tool is really
old.

One solution is to work with portsentry or scanlogd.

This last one is really easy to install.

--
syslog:Oct 31 20:12:23 O0O0O0O0 scanlogd: 192.168.2.101:53 to
192.168.2.103 ports 199, 995, 8080, 53, 5900, 445, 1720, 587,
8888, ..., fSrpauxy, TOS 00 @19:12:23
syslog:Oct 31 20:36:23 O0O0O0O0 scanlogd: 192.168.2.101 to
192.168.2.103 ports 199, 22, 1, 113, 3389, 1720, 111, 110, ..., ??
r?????, TOS 00 @19:27:49
syslog:Oct 31 20:42:10 O0O0O0O0 scanlogd: 192.168.2.101:50438 to
192.168.2.103 ports 8888, 25, 443, 21, 587, 1025, 3389, 3306, ...,
fSrpauxy, TOS 00 @19:42:10
syslog:Oct 31 20:46:02 O0O0O0O0 scanlogd: 192.168.2.101:45282 to
192.168.2.103 ports 111, 25, 993, 8080, 1720, 3389, 110, 143, ...,
fSrpauxy, TOS 00 @19:46:02
syslog:Oct 31 20:46:39 O0O0O0O0 scanlogd: 192.168.2.101:39448 to
192.168.2.103 ports 995, 199, 139, 23, 143, 113, 3389, ..., fSrpauxy,
TOS 00 @19:46:39
syslog:Oct 31 20:47:02 O0O0O0O0 scanlogd: 192.168.2.101:34736 to
192.168.2.103 ports 80, 111, 554, 1025, 443, 993, 587, ..., fSrpauxy,
TOS 00 @19:47:02
syslog.1:Oct 29 12:40:52 O0O0O0O0 scanlogd: 127.0.0.1:52042 to
127.0.0.1 ports 445, 8080, 21, 554, 23, 995, 443, 1025, ..., fSrpauxy,
TOS 00 @10:40:52
syslog.1:Oct 29 12:41:13 O0O0O0O0 scanlogd: 192.168.177.102:62651 to
192.168.177.102 ports 1723, 25, 110, 1025, 3306, 8888, 22, 111, ...,
f??pauxy, TOS 00 @10:41:13
--


Has someone already created OSSEC rules for this?
If not, I'll try to do this, but I don't want to reinvent the wheel.

Js Op de Beeck

Doug Burks

Nov 1, 2010, 6:20:15 AM
to ossec...@googlegroups.com
Is this a Linux box? If so, have you considered using the native
IPTables logging? It's easy to configure and OSSEC can read it by
default:
http://www.ossec.net/wiki/Know_How:Iptables_Config

Regards,
--
Doug Burks, GSE, CISSP
President, Greater Augusta ISSA
http://augusta.issa.org
http://securityonion.blogspot.com

Js Opdebeeck

Nov 1, 2010, 6:42:12 PM
to ossec-list
Hello Doug

Thanks for your note. The host is Ubuntu and the default firewall is
ufw.

Regarding the port scan detection, I will move to PortSentry (more
common than iplog or scanlogd, and with more options).
Install portsentry:

sudo apt-get install portsentry

Create a dedicated rule:
sudo vi /var/ossec/rules/local_rules.xml

<group name="syslog,sentry,">
  <rule id="160100" level="12">
    <match>attackalert</match>
    <description>Port Sentry Attack Alert</description>
  </rule>
</group>

But the goal will be to extract the IP and source (for alert grouping)
with a decoder.xml, but that's too hard for me.

Sample syslog:

Nov 1 19:28:58 testserver portsentry[1620]: adminalert: Going into
listen mode on UDP port: 31337
Nov 1 19:28:58 testserver portsentry[1620]: adminalert: Going into
listen mode on UDP port: 54321
Nov 1 19:28:58 testserver portsentry[1620]: adminalert: PortSentry is
now active and listening.
Nov 1 19:31:33 testserver portsentry[1616]: attackalert: Connect from
host: 192.168.45.1/192.168.45.1 to TCP port: 1
Nov 1 19:31:33 testserver portsentry[1616]: attackalert: Ignoring TCP
response per configuration file setting.
Nov 1 19:31:33 testserver portsentry[1616]: attackalert: Connect from
host: 192.168.45.1/192.168.45.1 to TCP port: 79
Nov 1 19:31:33 testserver portsentry[1616]: attackalert: Host:
192.168.45.1 is already blocked. Ignoring
Nov 1 19:31:33 testserver portsentry[1616]: attackalert: Connect from
host: 192.168.45.1/192.168.45.1 to TCP port: 111
Nov 1 19:31:33 testserver portsentry[1616]: attackalert: Host:
192.168.45.1 is already blocked. Ignoring
Nov 1 19:31:33 testserver portsentry[1616]: attackalert: Connect from
host: 192.168.45.1/192.168.45.1 to TCP port: 119
Nov 1 19:31:33 testserver portsentry[1616]: attackalert: Host:
192.168.45.1 is already blocked. Ignoring
Nov 1 19:31:33 testserver portsentry[1616]: attackalert: Connect from
host: 192.168.45.1/192.168.45.1 to TCP port: 143
Nov 1 19:31:33 testserver portsentry[1616]: attackalert: Host:
192.168.45.1 is already blocked. Ignoring
Nov 1 19:31:33 testserver portsentry[1616]: attackalert: Connect from
host: 192.168.45.1/192.168.45.1 to TCP port: 1080
...


dan (ddp)

Nov 1, 2010, 7:07:46 PM
to ossec...@googlegroups.com
Completely untested:
<decoder name="portsentry">
  <program_name>portsentry</program_name>
</decoder>

<decoder name="portsentry-attackalert">
  <parent>portsentry</parent>
  <prematch>attackalert: Connect from </prematch>
  <regex offset="after_prematch">ost: (\S)/\S+ to \S+ port: (\d+)$</regex>
  <order>srcip, dstport</order>
</decoder>

<decoder name="portsentry-blocked">
  <parent>portsentry</parent>
  <prematch>is already blocked. Ignoring$</prematch>
  <regex>Host: (\S+) is</regex>
  <order>srcip</order>
</decoder>

Js Opdebeeck

Nov 2, 2010, 3:35:55 PM
to ossec-list
Dan

I'm closing this post and opening a new one called Portsentry.

Thanks for your help, I'll try this.

On Nov 2, 12:07 am, "dan (ddp)" <ddp...@gmail.com> wrote:
> Completely untested:
> <decoder name="portsentry">
>   <program_name>portsentry</program_name>
> </decoder>
>
> <decoder name="portsentry-attackalert">
>   <parent>portsentry</parent>
>   <prematch>attackalert: Connect from </prematch>
>   <regex offset="after_prematch">ost: (\S)/\S+ to \S+ port: (\d+)$</regex>
>   <order>srcip, dstport</order>
> </decoder>
>
> <decoder name="portsentry-blocked">
>   <parent>portsentry</parent>
>   <prematch>is already blocked. Ignoring$</prematch>
>   <regex>Host: (\S+) is</regex>
>   <order>srcip</order>

dan (ddp)

Nov 2, 2010, 3:43:42 PM
to ossec...@googlegroups.com
I got a chance to test it out a tiny bit (very tiny). Here's something
that seemed to work a bit better:

<decoder name="portsentry">
  <program_name>portsentry</program_name>
</decoder>

<decoder name="portsentry-attackalert">
  <parent>portsentry</parent>
  <prematch>attackalert: Connect from host: </prematch>
  <regex offset="after_prematch">(\S+)/\S+ to (\S+) port: (\d+)$</regex>
  <order>srcip,protocol,dstport</order>
</decoder>

<decoder name="portsentry-blocked">
  <parent>portsentry</parent>
  <prematch>is already blocked. Ignoring$</prematch>
  <regex>Host: (\S+) is</regex>
  <order>srcip</order>
</decoder>
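As an added example (not code from this thread or from OSSEC), the Python script below replays three of the portsentry lines from Js's "Sample syslog" through both versions of Dan's decoders, following the OSSEC decoding order (parent chosen by program_name, then children tried in file order with prematch, regex and order), and then applies Js's rule 160100 substring match. Python's re module stands in for OSSEC's own regex engine; the two agree for the syntax used in these decoders (\S, \d, +, $), but the authoritative check on a real install is /var/ossec/bin/ossec-logtest. The syslog header regex and the run() helper are assumptions made for this example.

```python
# Offline replay of the portsentry decoders and rule posted in this thread.
# Added example, not OSSEC code: Python's re stands in for OS_Regex, which
# agrees with it for the syntax used here. SYSLOG_RE and run() are constructed.
import re
import xml.etree.ElementTree as ET

# Constructed: header layout of the sample lines ("Nov 1 19:31:33 testserver portsentry[1616]: ...").
SYSLOG_RE = re.compile(
    r'^\w{3}\s+\d+\s+\d\d:\d\d:\d\d\s+(?P<host>\S+)\s+'
    r'(?P<prog>[^\[\s:]+)(?:\[(?P<pid>\d+)\])?:\s*(?P<msg>.*)$')

# Dan's first, "completely untested" decoders, verbatim from the thread.
DECODERS_V1 = r"""
<decoder name="portsentry">
  <program_name>portsentry</program_name>
</decoder>
<decoder name="portsentry-attackalert">
  <parent>portsentry</parent>
  <prematch>attackalert: Connect from </prematch>
  <regex offset="after_prematch">ost: (\S)/\S+ to \S+ port: (\d+)$</regex>
  <order>srcip, dstport</order>
</decoder>
<decoder name="portsentry-blocked">
  <parent>portsentry</parent>
  <prematch>is already blocked. Ignoring$</prematch>
  <regex>Host: (\S+) is</regex>
  <order>srcip</order>
</decoder>
"""

# Dan's revised decoders, also verbatim.
DECODERS_V2 = r"""
<decoder name="portsentry">
  <program_name>portsentry</program_name>
</decoder>
<decoder name="portsentry-attackalert">
  <parent>portsentry</parent>
  <prematch>attackalert: Connect from host: </prematch>
  <regex offset="after_prematch">(\S+)/\S+ to (\S+) port: (\d+)$</regex>
  <order>srcip,protocol,dstport</order>
</decoder>
<decoder name="portsentry-blocked">
  <parent>portsentry</parent>
  <prematch>is already blocked. Ignoring$</prematch>
  <regex>Host: (\S+) is</regex>
  <order>srcip</order>
</decoder>
"""

# Js's local rule 160100: <match>attackalert</match> is a plain substring test.
RULE_160100 = ("attackalert", 12)

# Three lines from the "Sample syslog" in the thread, rejoined where the mail wrapped them.
SAMPLE_LOG = [
    "Nov 1 19:28:58 testserver portsentry[1620]: adminalert: PortSentry is now active and listening.",
    "Nov 1 19:31:33 testserver portsentry[1616]: attackalert: Connect from host: 192.168.45.1/192.168.45.1 to TCP port: 1",
    "Nov 1 19:31:33 testserver portsentry[1616]: attackalert: Host: 192.168.45.1 is already blocked. Ignoring",
]


def load_decoders(xml_text):
    # A decoder file has no single root element, so wrap it before parsing.
    return ET.fromstring("<root>" + xml_text + "</root>").findall("decoder")


def decode(line, decoders):
    """Return the fields OSSEC would extract from one syslog line, or None."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    prog, msg = m.group("prog"), m.group("msg")
    # Step 1: the parent decoder is selected by program_name.
    parent = next((d for d in decoders if d.find("parent") is None
                   and d.findtext("program_name") == prog), None)
    if parent is None:
        return None
    fields = {"decoder": parent.get("name")}
    # Step 2: children are tried in file order; the first whose prematch and
    # regex both hit wins, and <order> names its capture groups.
    for d in decoders:
        if d.findtext("parent") != parent.get("name"):
            continue
        start = 0
        pre = d.find("prematch")
        if pre is not None:
            pm = re.search(pre.text, msg)
            if pm is None:
                continue
            start = pm.end()
        rx = d.find("regex")
        haystack = msg[start:] if rx.get("offset") == "after_prematch" else msg
        rm = re.search(rx.text, haystack)
        if rm is None:
            continue
        names = [n.strip() for n in d.findtext("order").split(",")]
        fields.update(zip(names, rm.groups()))
        fields["decoder"] = d.get("name")
        break
    return fields


def rule_level(line):
    """Level that rule 160100 would assign to the line (0 = no alert)."""
    needle, level = RULE_160100
    return level if needle in line else 0


def run(decoder_xml, lines):
    decoders = load_decoders(decoder_xml)
    return [decode(line, decoders) for line in lines]
```

Running run(DECODERS_V1, SAMPLE_LOG) shows why the first version "seemed" weaker: after the prematch the regex needs "ost: " followed by exactly one non-space character and then "/", which never occurs, so the attackalert line falls back to the bare parent decoder with no srcip. With DECODERS_V2 the same line yields srcip 192.168.45.1, protocol TCP and dstport 1, which is what rule 160100 needs for per-source alert grouping.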
