Greetings: We use http://kodu.neti.ee/~risto/sec/ for real time monitoring on a server-by-server basis.
It works well, but I like the agent/server approach with ossec. In terms of converting rules we have with S.E.C. how would I go about converting the following three rules into ossec rules?

# Horizontal port scan -- attacker is scanning a range of IP addresses
# ---------------------------------------------------------------------
#
# /var/log/kernel  $1 is scanning IP, $2 is destination IP, and $3 is destination port
#
type=Single
ptype=RegExp
pattern=\S+\s+\S+\s+\S+\s+\S+\s+\S+\s+PUB_IN\s+DROP\s+\S+\s+\S+\s+\S+\s+\S+\s+SRC=(\S+)\s+DST=(\S+)\s+\S+\s+\S+\s+\S+\s+\S+\s+\S+\s+\S+\s+\S+\s+DPT=(\d+)
context=!HORIZONTAL_PORTSWEEP_FROM_SOURCE_IP_$1_TO_TARGET_PORT_$3
continue=TakeNext
desc=Horizontal port sweep started from source $1 to target port $3
action=eval %o ( $portscans{"$1:$3"} = {} ); \
       create HORIZONTAL_PORTSWEEP_FROM_SOURCE_IP_$1_TO_TARGET_PORT_$3 60 \
       eval %o ( delete $portscans{"$1:$3"} )

type=Single
ptype=RegExp
pattern=\S+\s+\S+\s+\S+\s+\S+\s+\S+\s+PUB_IN\s+DROP\s+\S+\s+\S+\s+\S+\s+\S+\s+SRC=(\S+)\s+DST=(\S+)\s+\S+\s+\S+\s+\S+\s+\S+\s+\S+\s+\S+\s+\S+\s+DPT=(\d+)
context=HORIZONTAL_PORTSWEEP_FROM_SOURCE_IP_$1_TO_TARGET_PORT_$3
continue=TakeNext
desc=Scanned destination IP: $2
action=eval %o ( $portscans{"$1:$3"}->{$2} = 1 ); \
       add HORIZONTAL_PORTSWEEP_FROM_SOURCE_IP_$1_TO_TARGET_PORT_$3 %t: %s; \
       set HORIZONTAL_PORTSWEEP_FROM_SOURCE_IP_$1_TO_TARGET_PORT_$3 60 \
       eval %o ( delete $portscans{"$1:$3"} )

type=Single
ptype=RegExp
pattern=\S+\s+\S+\s+\S+\s+\S+\s+\S+\s+PUB_IN\s+DROP\s+\S+\s+\S+\s+\S+\s+\S+\s+SRC=(\S+)\s+DST=(\S+)\s+\S+\s+\S+\s+\S+\s+\S+\s+\S+\s+\S+\s+\S+\s+DPT=(\d+)
context=HORIZONTAL_PORTSWEEP_FROM_SOURCE_IP_$1_TO_TARGET_PORT_$3 \
        && =( scalar(keys(%{$portscans{"$1:$3"}})) > 10 )
continue=DontCont
desc=$1 has scanned more than 10 destinations
action=shellcmd /admin/sec/sec_block.pl $1 /var/log/blocks/timed/horizon_scan.log "IP $1 scanned more than 10 IP's for port $3 in 60 seconds or less" 2880 ; \
       delete HORIZONTAL_PORTSWEEP_FROM_SOURCE_IP_$1_TO_TARGET_PORT_$3

Please note the action is very similar to the active response, so I'm more concerned with the ossec rule base itself. Thank you.
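As an added illustration (not part of the original post, and not the OSSEC project's own rule set), one way to express the same detection in OSSEC: a local decoder that pulls SRC, DST and DPT out of the PUB_IN DROP lines, a base rule that fires once per drop, and a composite rule that fires when the same source hits the same destination port repeatedly within 60 seconds. The decoder name, the rule ids 100100/100101 and the sample log line are assumptions; note that OSSEC's `same_source_ip`/`same_dst_port` options count repeated drop events rather than distinct destination IPs, so unlike the `%portscans` hash this also fires on eleven drops aimed at a single host.

```xml
<!-- local_decoder.xml: extract srcip, dstip and dstport from the kernel lines.
     Constructed example line this decoder is written against:
     Mar  1 10:00:00 fw kernel: PUB_IN DROP IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00
       SRC=203.0.113.7 DST=198.51.100.20 LEN=40 TOS=0x00 PREC=0x00 TTL=50 ID=0 DF PROTO=TCP SPT=54321 DPT=445
     Only needed if the stock iptables decoder does not already claim these lines. -->
<decoder name="pub-in-drop">
  <program_name>^kernel</program_name>
  <prematch>PUB_IN DROP </prematch>
  <!-- OSSEC regex dialect: \S is non-space, \d is a digit, \. is any character.
       \.+ swallows LEN/TOS/PREC/TTL/ID and the optional DF flag before DPT. -->
  <regex offset="after_prematch">SRC=(\S+) DST=(\S+) \.+DPT=(\d+)</regex>
  <order>srcip, dstip, dstport</order>
</decoder>

<!-- local_rules.xml (ids in the 100000-109999 range reserved for local rules) -->
<group name="local,firewall,">
  <!-- Counterpart of SEC rules 1 and 2: every PUB_IN DROP line becomes a
       low-level event carrying srcip, dstip and dstport. -->
  <rule id="100100" level="3">
    <decoded_as>pub-in-drop</decoded_as>
    <description>PUB_IN firewall drop.</description>
  </rule>

  <!-- Counterpart of SEC rule 3: the same source hitting the same destination
       port 11 times within 60 seconds. Bind the active response to this id. -->
  <rule id="100101" level="10" frequency="11" timeframe="60">
    <if_matched_sid>100100</if_matched_sid>
    <same_source_ip/>
    <same_dst_port/>
    <description>Horizontal port sweep: repeated drops from one source to one port.</description>
    <group>portsweep,</group>
  </rule>
</group>
```

The shellcmd in the third SEC rule maps to an `<active-response>` stanza in ossec.conf with `<rules_id>100101</rules_id>`, which is the part the post already treats as equivalent.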