Dear all,
So everything is working fine, but I want to improve it a little bit before sharing a kind of how-to on this... and so I need your light!
On OSSEC server I created this decoder and rules :
DECODER:
<decoder name="mhn">
  <program_name>MHN</program_name>
  <!-- <prematch>^MHN: New attack from </prematch>
  <regex offset="after_prematch">SRC=(\S+) </regex>
  <order>srcip</order> -->
  <!-- dots escaped so they match a literal "." and not any character -->
  <regex>from SRC=(\d+\.\d+\.\d+\.\d+)</regex>
  <order>srcip</order>
</decoder>
RULES:
<rule id="100010" level="3">
  <decoded_as>mhn</decoded_as>
  <description>Parent rule for MHN detection and action</description>
</rule>
<rule id="100011" level="3" frequency="1" timeframe="3600" ignore="3600">
  <if_matched_sid>100010</if_matched_sid>
  <description>This IP has been banned for some time...</description>
</rule>
And OSSEC.CONF:
<active-response>
  <command>host-deny</command>
  <location>defined-agent</location>
  <agent_id>xxx</agent_id>
  <rules_id>100011</rules_id>
  <timeout>3600</timeout>
</active-response>
As you can see this is not perfect, as I'm not sure I need 100011, for example!
Anyway, the idea is to:
1°) Alert immediately all my agents (except the Honeypot) about a new attack, and add the IP in hosts.deny for X hours. Then during X hours don't alert the agents.
2°) If an attack comes from an IP for the second time (after the X delay) ban the IP for Y hours (Y > X!)
3°) If an attack comes from an IP for the third time (after the Y delay) ban the IP for Z hours or day(s)
Is that possible?
Many thanks for any idea or suggestion...
All the best
Thomas
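One way to get the escalating X / Y / Z bans asked for above, as an added example that is not part of Thomas's post: OSSEC's active-response `<repeated_offenders>` option (OSSEC 2.8 and later) keeps a per-IP offence counter in execd and lengthens the block each time the same source is blocked again. It is read by the execd process that actually runs the host-deny script, so in an agent/manager setup it goes into the ossec.conf of each agent that receives the response, not only into the manager's config. The timeout values below (1 hour, 1 day, 1 week, in minutes) are assumptions chosen for illustration; the manager-side decoder, rules and `<active-response>` block from the post stay as they are.

```xml
<!-- Agent-side ossec.conf (each agent listed in the manager's active-response).
     Added example, not from the original post or the OSSEC project.
     The first block of an IP uses the <timeout> set on the manager (3600 s);
     each later block of the same IP takes the next entry from this list.
     Values are minutes, at most 5 entries; 60,1440,10080 is an assumed set. -->
<ossec_config>
  <active-response>
    <repeated_offenders>60,1440,10080</repeated_offenders>
  </active-response>
</ossec_config>
```

After restarting the agent, the first MHN hit from an IP is blocked for the manager's `<timeout>` (X), the second for 60 minutes, the third for a day and the fourth for a week, with no extra rules needed on the manager. Note that the counter is per agent, so an IP that was only ever blocked on one agent starts again at the first tier on another; the rule-level `ignore="3600"` still controls how often the agents are re-alerted within the hour.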