Greetings:

We use http://kodu.neti.ee/~risto/sec/ for real-time monitoring on a
server-by-server basis.

It works well, but I like the agent/server approach with ossec.

In terms of converting rules we have with S.E.C., how would I go about
converting the following three rules into ossec rules?

# Horizontal port scan -- attacker is scanning a range of IP addresses
# ---------------------------------------------------------------------
# /var/log/kernel: $1 is scanning IP, $2 is destination IP, and $3 is destination port
#
type=Single
ptype=RegExp
pattern=\S+\s+\S+\s+\S+\s+\S+\s+\S+\s+PUB_IN\s+DROP\s+\S+\s+\S+\s+\S+\s+\S+\s+SRC=(\S+)\s+DST=(\S+)\s+\S+\s+\S+\s+\S+\s+\S+\s+\S+\s+\S+\s+\S+\s+DPT=(\d+)
context=!HORIZONTAL_PORTSWEEP_FROM_SOURCE_IP_$1_TO_TARGET_PORT_$3
continue=TakeNext
desc=Horizontal port sweep started from source $1 to target port $3
action=eval %o ( $portscans{"$1:$3"} = {} ); \
       create HORIZONTAL_PORTSWEEP_FROM_SOURCE_IP_$1_TO_TARGET_PORT_$3 60 \
       eval %o ( delete $portscans{"$1:$3"} )

type=Single
ptype=RegExp
pattern=\S+\s+\S+\s+\S+\s+\S+\s+\S+\s+PUB_IN\s+DROP\s+\S+\s+\S+\s+\S+\s+\S+\s+SRC=(\S+)\s+DST=(\S+)\s+\S+\s+\S+\s+\S+\s+\S+\s+\S+\s+\S+\s+\S+\s+DPT=(\d+)
context=HORIZONTAL_PORTSWEEP_FROM_SOURCE_IP_$1_TO_TARGET_PORT_$3
continue=TakeNext
desc=Scanned destination IP: $2
action=eval %o ( $portscans{"$1:$3"}->{$2} = 1 ); \
       add HORIZONTAL_PORTSWEEP_FROM_SOURCE_IP_$1_TO_TARGET_PORT_$3 %t: %s; \
       set HORIZONTAL_PORTSWEEP_FROM_SOURCE_IP_$1_TO_TARGET_PORT_$3 60 \
       eval %o ( delete $portscans{"$1:$3"} )

type=Single
ptype=RegExp
pattern=\S+\s+\S+\s+\S+\s+\S+\s+\S+\s+PUB_IN\s+DROP\s+\S+\s+\S+\s+\S+\s+\S+\s+SRC=(\S+)\s+DST=(\S+)\s+\S+\s+\S+\s+\S+\s+\S+\s+\S+\s+\S+\s+\S+\s+DPT=(\d+)
context=HORIZONTAL_PORTSWEEP_FROM_SOURCE_IP_$1_TO_TARGET_PORT_$3 \
        && =( scalar(keys(%{$portscans{"$1:$3"}})) > 10 )
continue=DontCont
desc=$1 has scanned more than 10 destinations
action=shellcmd /admin/sec/sec_block.pl $1 /var/log/blocks/timed/horizon_scan.log "IP $1 scanned more than 10 IP's for port $3 in 60 seconds or less" 2880 ; \
       delete HORIZONTAL_PORTSWEEP_FROM_SOURCE_IP_$1_TO_TARGET_PORT_$3


Please note the action is very similar to the active response, so I'm
more concerned with the ossec rule base itself.

Thank you.
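As an added illustration, not part of the original post or of the OSSEC project's shipped rule set, the following local_rules.xml fragment approximates the three SEC rules above in OSSEC's syntax. It assumes that OSSEC's stock iptables decoder already extracts SRC=/DST=/DPT= from these kernel lines as srcip/dstip/dstport, that rule 4100 is the stock "firewall rules grouped" parent, and it uses rule ids 100200 and 100201 from the local range; all three are assumptions to verify against your installation.

```xml
<!-- Added example (not from the original post): local_rules.xml fragment
     approximating the SEC horizontal-sweep rules. Assumptions: the stock
     iptables decoder parses these kernel lines (srcip/dstip/dstport) and
     rule 4100 is the stock firewall parent; ids 100200/100201 are chosen
     from the local rule range. -->
<group name="local,firewall,horizontal_sweep,">

  <!-- Equivalent of SEC rules 1 and 2: every PUB_IN drop becomes a tagged
       base event. Level 0 keeps it out of alerts.log; OSSEC remembers
       the decoded source IP and destination port for the child rule. -->
  <rule id="100200" level="0">
    <if_sid>4100</if_sid>
    <match>PUB_IN DROP</match>
    <description>PUB_IN drop (base event for horizontal sweep detection)</description>
  </rule>

  <!-- Equivalent of SEC rule 3: the ">10 destinations in 60 seconds" test.
       frequency/timeframe stands in for the 60-second SEC context lifetime;
       same_source_ip plus same_dst_port stands in for the SRC:DPT keyed
       Perl hash. -->
  <rule id="100201" level="10" frequency="10" timeframe="60">
    <if_matched_sid>100200</if_matched_sid>
    <same_source_ip/>
    <same_dst_port/>
    <description>Horizontal port sweep: one source hit the same port on many hosts within 60 seconds</description>
  </rule>
</group>
```

Two differences from the SEC version are worth knowing before relying on this. OSSEC's frequency counter counts matching events, not distinct destination IPs, so ten drops from one source to a single host on the same port will also fire rule 100201; the SEC rule only counted unique $2 values. Second, run a sample kernel line through ossec-logtest first to confirm the decoder actually populates srcip and dstport, since same_source_ip and same_dst_port silently never match when those fields are empty. The sec_block.pl shellcmd then maps onto an active-response entry in ossec.conf bound to rule id 100201, with the block duration carried in that entry's timeout rather than in the rule.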
