Ossec active response from Snort alerts?


Jacob Mcgrath

May 11, 2016, 6:56:43 PM
to security-onion
Is it a possibility in SO 14.04 to have OSSEC responses triggered from, let's say, a network scan that is detected by the IDS, say Snort?

* SO is monitoring multiple VLANs (it is detecting traffic signatures).

* SO's OSSEC active response has tested functional, invoking commands from the server to Windows agents (route-null does function).

I have multiple /16 networks and would like to have AR triggered when certain signatures are detected, let's say network scans, Nessus, etc.

When triggered, the OSSEC server would command all connected agents to drop the route to the offending IP for the said amount of time, provided they are not on the whitelist.

In Squert I see Snort and OSSEC alerts, but no overlap in these alerts (OSSEC reporting on the Snort alerts).


How do I get an OSSEC rule to see signature IDs in the Snort alert logs properly?

How would these rules be formatted to trigger an active response in OSSEC?



Wes

May 11, 2016, 7:23:44 PM
to security-onion

Jacob,

You could have OSSEC look at /var/log/nsm/securityonion/sguild.log ("Alert Received" lines).

I suppose another way to monitor Snort alerts would be to have Barnyard2 write alerts to another location, other than the default:
https://github.com/Security-Onion-Solutions/security-onion/wiki/ThirdPartyIntegration#how-do-i-send-ids-alerts-to-an-external-system

You could try taking a look at the following:
http://www.ossec.net/ossec-docs/OSSEC-book-ch4.pdf

There is some stuff about correlating Snort alerts with OSSEC in there, from which you could enable Active Response.

Also see: http://dcid.me/blog/2006/12/correlating-multiple-snort-ids-with-ossec/

I can't say specifically what the best configuration would be for Active Response, as I've not done a ton of customization with it.

It appears as though you have also posted a question about this on the OSSEC mailing list:
https://groups.google.com/forum/#!topic/ossec-list/mxk5vwzbh0k

That may be your best bet for getting the most accurate answer for the AR portion.

Hope this helps!

Thanks,
Wes

Jacob Mcgrath

May 11, 2016, 7:32:02 PM
to security-onion

OK, with some reading I can say that Snort, or Barnyard, can put alerts into a logfile.

By commandline:
snort -de -c /etc/snort.conf -A fast

Or by Barnyard.conf:
output alert_fast /var/log/snort/iplog

In theory you should get this in the log when passed through Barnyard:

11/06/04-00:32:05.706661 {ICMP} 192.168.206.129 - 192.168.100.5 [**] [1:469:3] ICMP PING NMAP [**] [Classification: Attempted Information Leak] [Priority: 2]


Now I have seen a site with some decoders, rules and responses as well.

Decoder (still attempting to understand these):

<decoder name="iplog-scan">
<!-- only lines carrying the NMAP ping signature are handed to the regex -->
<prematch>ICMP PING NMAP</prematch>
<!-- in the sample line above the source address comes BEFORE the signature text,
     so the regex runs over the whole line (no after_prematch offset);
     it stops at " -" so both the "-" and the usual "->" separator match -->
<regex>(\d+\.\d+\.\d+\.\d+) -</regex>
<order>srcip</order>
</decoder>

iplog_rules.xml:

<group name="syslog,errors,">
<rule id="99990" level="6">
<decoded_as>iplog-scan</decoded_as>
<description>iplog scan detect</description>
</rule>
</group>

ossec.conf:

<include>iplog_rules.xml</include>

<localfile>
<log_format>syslog</log_format>
<location>/var/log/iplog</location>
</localfile>

<command>
<name>win_nullroute</name>
<executable>route-null.cmd</executable>
<expect>srcip</expect>
<timeout_allowed>yes</timeout_allowed>
</command>

<active-response>
<disabled>no</disabled>
<command>win_nullroute</command>
<location>local</location>
<level>6</level>
<timeout>600</timeout>
<rules_id>99990</rules_id>
</active-response>


But I have not done live testing as of yet; this is just in theory at the moment. But it does look like a possibility. Any thoughts?
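As an added example (not code from this thread or from the OSSEC or Security Onion projects), the script below mirrors the decoder, rule and active-response chain described above in plain Python so the logic can be checked against sample lines before touching a live server: the prematch gate, the srcip extraction, rule 99990 firing on anything decoded as iplog-scan, and the level/rules_id/whitelist checks that gate the win_nullroute command. The alert lines are constructed in the alert_fast-style layout shown above (the "->" separator that Snort normally writes is also accepted), the whitelist addresses are made up, and the regex is a PCRE translation of the OSSEC os_regex pattern, not OSSEC's own engine; the returned dictionaries summarise what would be dispatched and are not the exact argument list OSSEC passes to route-null.cmd.

```python
import re

# Constructed sample alerts, not real captures. Line 1 copies the layout from the
# thread, line 2 uses Snort's usual "->" separator, line 3 is a different
# signature that must NOT fire, line 4 comes from a whitelisted host.
SAMPLE_ALERTS = [
    "11/06/04-00:32:05.706661 {ICMP} 192.168.206.129 - 192.168.100.5 [**] [1:469:3] "
    "ICMP PING NMAP [**] [Classification: Attempted Information Leak] [Priority: 2]",
    "11/06/04-00:32:06.102233 {ICMP} 10.20.30.40 -> 192.168.100.5 [**] [1:469:3] "
    "ICMP PING NMAP [**] [Classification: Attempted Information Leak] [Priority: 2]",
    "11/06/04-00:32:07.000001 {TCP} 10.20.30.41:4444 -> 192.168.100.5:80 [**] [1:2100498:7] "
    "GPL ATTACK_RESPONSE id check returned root [**] [Classification: Potentially Bad Traffic] [Priority: 1]",
    "11/06/04-00:32:08.555555 {ICMP} 192.168.1.10 -> 192.168.100.5 [**] [1:469:3] "
    "ICMP PING NMAP [**] [Classification: Attempted Information Leak] [Priority: 2]",
]

# <prematch> and <regex> of the iplog-scan decoder, as Python regexes.
PREMATCH = "ICMP PING NMAP"
SRCIP_RE = re.compile(r"(\d+\.\d+\.\d+\.\d+) -")
# Snort's [gid:sid:rev] block, so the signature id is available to the rule.
SID_RE = re.compile(r"\[\*\*\] \[(\d+):(\d+):(\d+)\]")

# Constructed whitelist; in ossec.conf this lives in <global><white_list>.
WHITELIST = {"192.168.1.10", "192.168.100.5"}

RULE_ID = "99990"        # <rule id="99990" level="6">
RULE_LEVEL = 6
AR_LEVEL = 6             # <active-response><level>6</level>
AR_RULE_IDS = {"99990"}  # <rules_id>99990</rules_id>
AR_TIMEOUT = 600         # <timeout>600</timeout>
AR_COMMAND = "win_nullroute"


def decode(line):
    """Mimic the iplog-scan decoder: prematch gate, then srcip extraction."""
    if PREMATCH not in line:
        return None
    src = SRCIP_RE.search(line)
    if src is None:
        return None
    sid = SID_RE.search(line)
    return {
        "decoder": "iplog-scan",
        "srcip": src.group(1),
        "sid": sid.group(2) if sid else None,
    }


def match_rule(decoded):
    """Mimic rule 99990: <decoded_as>iplog-scan</decoded_as> is its only condition."""
    if decoded is None or decoded["decoder"] != "iplog-scan":
        return None
    return {"id": RULE_ID, "level": RULE_LEVEL, "srcip": decoded["srcip"], "sid": decoded["sid"]}


def active_response(alert, whitelist=WHITELIST):
    """Return the response that would be dispatched, or None if gated off."""
    if alert is None:
        return None
    if alert["level"] < AR_LEVEL or alert["id"] not in AR_RULE_IDS:
        return None
    if alert["srcip"] in whitelist:
        return None
    return {"command": AR_COMMAND, "srcip": alert["srcip"], "timeout": AR_TIMEOUT}


def process(lines, whitelist=WHITELIST):
    """Run every line through decoder -> rule -> AR and keep the responses."""
    results = []
    for line in lines:
        resp = active_response(match_rule(decode(line)), whitelist)
        if resp is not None:
            results.append(resp)
    return results


if __name__ == "__main__":
    for r in process(SAMPLE_ALERTS):
        print(f"{r['command']}: null-route {r['srcip']} for {r['timeout']}s")
```

Two points the script makes visible: the third line never reaches the rule because the decoder's prematch is the only place the Snort signature is selected, so covering more scan signatures means widening the prematch rather than the rule; and the whitelist is the last gate, so the fourth line decodes and matches but produces no response. One more thing the real config needs that the script cannot show: with `<location>local</location>` OSSEC runs the command on the host that produced the alert, which for a log read on the server is the server itself; pushing the null route to every connected Windows agent requires `<location>all</location>` (or `defined-agent` with an `<agent_id>`).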

Jacob Mcgrath

May 11, 2016, 7:33:05 PM
to security-onion

Hey, never thought of that, ty.
