Hello,
I'm new to ossec and I need help. I've spent a lot of time on
portsentry rules and ossec.
There is already a subject about this here:
http://groups.google.com/group/ossec-list/browse_thread/thread/6718daf1f522773f/dfa124f7b868197e?lnk=gst&q=portsentry#dfa124f7b868197e
I'm not exactly in the same situation. My logs (syslog) are different.
I don't have the same regular expressions.
I've tried to adapt the decoder and rules of the last subject, without
success.
My portsentry logs are like this:
*******************************************************
Jul 8 09:47:11 pctest portsentry[14021]: attackalert: TCP XMAS scan from host: 192.168.4.51/192.168.4.51 to TCP port: 648
Jul 8 09:47:11 pctest portsentry[14021]: attackalert: Host: 192.168.4.51/192.168.4.51 is already blocked Ignoring
Jul 8 09:48:09 pctest portsentry[14021]: attackalert: TCP FIN scan from host: 192.168.4.51/192.168.4.51 to TCP port: 465
Jul 8 09:48:09 pctest portsentry[14021]: attackalert: Host: 192.168.4.51/192.168.4.51 is already blocked Ignoring
Jul 8 10:02:12 pctest portsentry[14021]: attackalert: TCP NULL scan from host: 192.168.4.51/192.168.4.51 to TCP port: 808
Jul 8 10:02:12 pctest portsentry[14021]: attackalert: Host: 192.168.4.51/192.168.4.51 is already blocked Ignoring
Jul 8 15:14:19 pctest portsentry[14021]: attackalert: TCP SYN/Normal scan from host: 192.168.4.52/192.168.4.52 to TCP port: 700
Jul 8 15:14:19 pctest portsentry[14021]: attackalert: Host: 192.168.4.52/192.168.4.52 is already blocked Ignoring
*******************************************************
The decoders are like this:
(I'm first trying to alert on TCP SYN/Normal scans, but once this one
works I want to alert on all scans)
*******************************************************
<decoder name="portsentry">
  <program_name>^portsentry</program_name>
</decoder>

<decoder name="portsentry-attackalert">
  <parent>portsentry</parent>
  <prematch>attackalert: TCP SYN/Normal scan from host: </prematch>
  <regex offset="after_prematch">(\S+)/\S+ to (\S+) port: (\d+)$</regex>
  <order>srcip,protocol,dstport</order>
</decoder>

<decoder name="portsentry-blocked">
  <parent>portsentry</parent>
  <prematch>is already blocked Ignoring$</prematch>
  <regex>Host: (\S+)/\S+ is</regex>
  <order>srcip</order>
</decoder>
*******************************************************
The rules are like this:
********************************************************
<group name="syslog,portsentry">
  <rule id="160000" level="0" noalert="1">
    <decoded_as>portsentry</decoded_as>
    <description>Grouping for the PortSentry rules</description>
  </rule>

  <rule id="160002" level="0">
    <if_sid>160000</if_sid>
    <match>attackalert:</match>
    <description>Connection from a host.</description>
  </rule>

  <rule id="160003" level="10" frequency="4" timeframe="180" ignore="60">
    <if_matched_sid>160002</if_matched_sid>
    <description>Repeated connections from the same host.</description>
    <same_source_ip />
    <group>recon,</group>
  </rule>

  <rule id="160004" level="0">
    <if_sid>160000</if_sid>
    <match>is already blocked Ignoring$</match>
    <description>Host is still scanning.</description>
  </rule>

  <rule id="160005" level="10" frequency="6" timeframe="180" ignore="60">
    <if_sid>160004</if_sid>
    <if_matched_sid>160002</if_matched_sid>
    <description>Repeated connections from a blocked host.</description>
    <same_source_ip />
    <group>recon,</group>
  </rule>
</group>
********************************************************
Can anybody help me?
What is wrong in my decoders and rules?
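An added example, not from the poster and not OSSEC's own code: a small Python model of what the decoders and rule 160003 above are meant to do. It re-expresses the two child decoders with Python's `re` module (OSSEC uses its own regex engine, so this checks the extraction intent, not OSSEC's exact matching), extracts `srcip`, `protocol` and `dstport` from the portsentry lines, and counts "attackalert:" events per source IP the way a rule with `frequency="4" timeframe="180" ignore="60"` and `<same_source_ip />` is intended to. It goes slightly beyond the post by matching every scan type rather than only SYN/Normal, which is the stated end goal. Counting is literal (the 4th event in the window fires); OSSEC's internal bookkeeping is approximated. The log lines are constructed: the ones from the post plus extra SYN/Normal lines from 192.168.4.52 spaced to fall inside the window, and one unrelated sshd line that the program_name check must reject.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample input (see lead-in). One log record per line.
SAMPLE_LOG = """\
Jul 8 09:47:11 pctest portsentry[14021]: attackalert: TCP XMAS scan from host: 192.168.4.51/192.168.4.51 to TCP port: 648
Jul 8 09:47:11 pctest portsentry[14021]: attackalert: Host: 192.168.4.51/192.168.4.51 is already blocked Ignoring
Jul 8 09:48:09 pctest portsentry[14021]: attackalert: TCP FIN scan from host: 192.168.4.51/192.168.4.51 to TCP port: 465
Jul 8 10:02:12 pctest portsentry[14021]: attackalert: TCP NULL scan from host: 192.168.4.51/192.168.4.51 to TCP port: 808
Jul 8 15:14:19 pctest portsentry[14021]: attackalert: TCP SYN/Normal scan from host: 192.168.4.52/192.168.4.52 to TCP port: 700
Jul 8 15:14:20 pctest portsentry[14021]: attackalert: TCP SYN/Normal scan from host: 192.168.4.52/192.168.4.52 to TCP port: 701
Jul 8 15:14:21 pctest portsentry[14021]: attackalert: TCP SYN/Normal scan from host: 192.168.4.52/192.168.4.52 to TCP port: 702
Jul 8 15:15:02 pctest portsentry[14021]: attackalert: TCP SYN/Normal scan from host: 192.168.4.52/192.168.4.52 to TCP port: 703
Jul 8 15:15:03 pctest sshd[999]: Accepted publickey for alice from 10.0.0.5 port 5555 ssh2
"""

# Syslog header: timestamp, host, program[pid]: message
SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"(?P<prog>[^\s\[:]+)(?:\[\d+\])?: (?P<msg>.*)$"
)
# Python-re equivalents of the two child decoders in the post; the scan type is
# captured as well so every portsentry scan kind is covered, not only SYN/Normal.
ATTACK_RE = re.compile(
    r"^attackalert: (?P<scan>.+) scan from host: (?P<srcip>[^/\s]+)/\S+ "
    r"to (?P<protocol>\S+) port: (?P<dstport>\d+)$"
)
BLOCKED_RE = re.compile(
    r"^attackalert: Host: (?P<srcip>[^/\s]+)/\S+ is already blocked Ignoring$"
)


def decode(line):
    """Return the fields a decoder would extract, or None if the line is not portsentry's."""
    m = SYSLOG_RE.match(line)
    if not m or not m.group("prog").startswith("portsentry"):
        return None  # the parent decoder's <program_name>^portsentry</program_name> fails
    # No year in syslog timestamps; only differences between timestamps are used.
    ts = datetime.strptime(re.sub(r"\s+", " ", m.group("ts")), "%b %d %H:%M:%S")
    msg = m.group("msg")
    a = ATTACK_RE.match(msg)
    if a:
        return {"ts": ts, "msg": msg, "decoder": "portsentry-attackalert", **a.groupdict()}
    b = BLOCKED_RE.match(msg)
    if b:
        return {"ts": ts, "msg": msg, "decoder": "portsentry-blocked", **b.groupdict()}
    return {"ts": ts, "msg": msg, "decoder": "portsentry"}  # parent decoder only


class FrequencyRule:
    """Model of a composite rule: frequency / timeframe / ignore plus <same_source_ip />.
    Literal counting; the ignore time is rule-wide, not per source."""

    def __init__(self, rule_id, frequency, timeframe, ignore, level):
        self.rule_id, self.frequency, self.level = rule_id, frequency, level
        self.timeframe, self.ignore = timeframe, ignore
        self.window = defaultdict(deque)  # srcip -> timestamps of recent matches
        self.last_fired = None

    def feed(self, event):
        q = self.window[event["srcip"]]
        q.append(event["ts"])
        while (event["ts"] - q[0]).total_seconds() > self.timeframe:
            q.popleft()  # drop matches older than the timeframe
        if len(q) < self.frequency:
            return None
        q.clear()  # start a fresh window once the threshold is reached
        if self.last_fired and (event["ts"] - self.last_fired).total_seconds() < self.ignore:
            return None  # suppressed by ignore="60"
        self.last_fired = event["ts"]
        return {"rule": self.rule_id, "level": self.level,
                "srcip": event["srcip"], "ts": event["ts"]}


def run(lines):
    """Decode each line; feed events that rule 160002 (<match>attackalert:</match>)
    would match into a model of rule 160003. Returns (decoded events, alerts)."""
    rule_160003 = FrequencyRule("160003", frequency=4, timeframe=180, ignore=60, level=10)
    events, alerts = [], []
    for line in lines:
        ev = decode(line)
        if ev is None:
            continue
        events.append(ev)
        # <same_source_ip /> needs a srcip, so parent-only events cannot count.
        if "attackalert:" in ev["msg"] and ev.get("srcip"):
            alert = rule_160003.feed(ev)
            if alert:
                alerts.append(alert)
    return events, alerts


if __name__ == "__main__":
    evs, als = run(SAMPLE_LOG.splitlines())
    for ev in evs:
        print(ev["decoder"], ev.get("srcip"), ev.get("protocol"), ev.get("dstport"))
    for al in als:
        print("ALERT", al)
```

With the constructed input, 192.168.4.51 never produces four "attackalert:" events inside 180 seconds (its scans are 15 minutes apart), so only 192.168.4.52 fires the modelled rule 160003. Note that, as written in the post, `<match>attackalert:</match>` also matches the "is already blocked Ignoring" lines, so those count toward the frequency as well; the model reproduces that.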