[ossec-list] Re: Help with converting sec rules to ossec rules

Peter M. Abraham Tue, 27 Nov 2007 10:58:56 -0800

Greetings Daniel:

Thank you for your kindness


## Edited for destination IP to protect our client

grep 61.134.63.205 /var/log/kernel

Nov 27 12:09:18 web kernel: PUB_IN DROP 5 IN=eth0 OUT=
MAC=00:15:c5:60:33:1f:00:06:b1:03:0b:63:08:00 SRC=61.134.63.205
DST=aaa.bbb.ccc.87 LEN=48 TOS=0x00 PREC=0x00 TTL=115 ID=53011
PROTO=TCP SPT=21997 DPT=25 WINDOW=65535 RES=0x00 SYN URGP=0
Nov 27 12:09:18 web kernel: PUB_IN DROP 5 IN=eth0 OUT=
MAC=00:15:c5:60:33:1f:00:06:b1:03:0b:63:08:00 SRC=61.134.63.205
DST=aaa.bbb.ccc.89 LEN=48 TOS=0x00 PREC=0x00 TTL=115 ID=47782
PROTO=TCP SPT=21997 DPT=25 WINDOW=65535 RES=0x00 SYN URGP=0
Nov 27 12:09:18 web kernel: PUB_IN DROP 5 IN=eth0 OUT=
MAC=00:15:c5:60:33:1f:00:06:b1:03:0b:63:08:00 SRC=61.134.63.205
DST=aaa.bbb.ccc.91 LEN=48 TOS=0x00 PREC=0x00 TTL=115 ID=59982
PROTO=TCP SPT=21997 DPT=25 WINDOW=65535 RES=0x00 SYN URGP=0
Nov 27 12:09:18 web kernel: PUB_IN DROP 5 IN=eth0 OUT=
MAC=00:15:c5:60:33:1f:00:06:b1:03:0b:63:08:00 SRC=61.134.63.205
DST=aaa.bbb.ccc.90 LEN=48 TOS=0x00 PREC=0x00 TTL=115 ID=41032
PROTO=TCP SPT=21997 DPT=25 WINDOW=65535 RES=0x00 SYN URGP=0
Nov 27 12:09:18 web kernel: PUB_IN DROP 5 IN=eth0 OUT=
MAC=00:15:c5:60:33:1f:00:06:b1:03:0b:63:08:00 SRC=61.134.63.205
DST=aaa.bbb.ccc.93 LEN=48 TOS=0x00 PREC=0x00 TTL=115 ID=5200 PROTO=TCP
SPT=21997 DPT=25 WINDOW=65535 RES=0x00 SYN URGP=0
Nov 27 12:09:18 web kernel: PUB_IN DROP 5 IN=eth0 OUT=
MAC=00:15:c5:60:33:1f:00:06:b1:03:0b:63:08:00 SRC=61.134.63.205
DST=aaa.bbb.ccc.92 LEN=48 TOS=0x00 PREC=0x00 TTL=115 ID=56408
PROTO=TCP SPT=21997 DPT=25 WINDOW=65535 RES=0x00 SYN URGP=0
Nov 27 12:09:18 web kernel: PUB_IN DROP 5 IN=eth0 OUT=
MAC=00:15:c5:60:33:1f:00:06:b1:03:0b:63:08:00 SRC=61.134.63.205
DST=aaa.bbb.ccc.95 LEN=48 TOS=0x00 PREC=0x00 TTL=115 ID=21850
PROTO=TCP SPT=21997 DPT=25 WINDOW=65535 RES=0x00 SYN URGP=0
Nov 27 12:09:18 web kernel: PUB_IN DROP 5 IN=eth0 OUT=
MAC=00:15:c5:60:33:1f:00:06:b1:03:0b:63:08:00 SRC=61.134.63.205
DST=aaa.bbb.ccc.96 LEN=48 TOS=0x00 PREC=0x00 TTL=115 ID=29755
PROTO=TCP SPT=21997 DPT=25 WINDOW=65535 RES=0x00 SYN URGP=0
Nov 27 12:09:18 web kernel: PUB_IN DROP 5 IN=eth0 OUT=
MAC=00:15:c5:60:33:1f:00:06:b1:03:0b:63:08:00 SRC=61.134.63.205
DST=aaa.bbb.ccc.94 LEN=48 TOS=0x00 PREC=0x00 TTL=115 ID=23984
PROTO=TCP SPT=21997 DPT=25 WINDOW=65535 RES=0x00 SYN URGP=0
Nov 27 12:09:18 web kernel: PUB_IN DROP 5 IN=eth0 OUT=
MAC=00:15:c5:60:33:1f:00:06:b1:03:0b:63:08:00 SRC=61.134.63.205
DST=aaa.bbb.ccc.100 LEN=48 TOS=0x00 PREC=0x00 TTL=115 ID=38727
PROTO=TCP SPT=21997 DPT=25 WINDOW=65535 RES=0x00 SYN URGP=0
Nov 27 12:09:18 web kernel: PUB_IN DROP 5 IN=eth0 OUT=
MAC=00:15:c5:60:33:1f:00:06:b1:03:0b:63:08:00 SRC=61.134.63.205
DST=aaa.bbb.ccc.99 LEN=48 TOS=0x00 PREC=0x00 TTL=115 ID=39298
PROTO=TCP SPT=21997 DPT=25 WINDOW=65535 RES=0x00 SYN URGP=0


In this case 61.134.63.205 from CHINANET Shanxi(SN) province network
scanned TCP port 25 10 or more (11 this time) times in 60 seconds or
less.

Here is another example:

grep 210.188.207.111 /var/log/kernel
Nov 27 00:49:00 web1 kernel: PUB_IN DROP 5 IN=eth0 OUT=
MAC=00:14:22:1c:43:aa:00:06:b1:03:0b:63:08:00 SRC=210.188.207.111
DST=aaa.bbb.ccc.19 LEN=48 TOS=0x00 PREC=0x00 TTL=112 ID=52164
PROTO=TCP SPT=58359 DPT=10000 WINDOW=65535 RES=0x00 SYN URGP=0
Nov 27 00:49:00 web1 kernel: PUB_IN DROP 5 IN=eth0 OUT=
MAC=00:14:22:1c:43:aa:00:06:b1:03:0b:63:08:00 SRC=210.188.207.111
DST=aaa.bbb.ccc.37 LEN=48 TOS=0x00 PREC=0x00 TTL=112 ID=46107
PROTO=TCP SPT=58359 DPT=10000 WINDOW=65535 RES=0x00 SYN URGP=0
Nov 27 00:49:00 web1 kernel: PUB_IN DROP 5 IN=eth0 OUT=
MAC=00:14:22:1c:43:aa:00:06:b1:03:0b:63:08:00 SRC=210.188.207.111
DST=aaa.bbb.ccc.41 LEN=48 TOS=0x00 PREC=0x00 TTL=112 ID=36695
PROTO=TCP SPT=58359 DPT=10000 WINDOW=65535 RES=0x00 SYN URGP=0
Nov 27 00:49:00 web1 kernel: PUB_IN DROP 5 IN=eth0 OUT=
MAC=00:14:22:1c:43:aa:00:06:b1:03:0b:63:08:00 SRC=210.188.207.111
DST=aaa.bbb.ccc.44 LEN=48 TOS=0x00 PREC=0x00 TTL=112 ID=32063
PROTO=TCP SPT=58359 DPT=10000 WINDOW=65535 RES=0x00 SYN URGP=0
Nov 27 00:49:00 web1 kernel: PUB_IN DROP 5 IN=eth0 OUT=
MAC=00:14:22:1c:43:aa:00:06:b1:03:0b:63:08:00 SRC=210.188.207.111
DST=aaa.bbb.ccc.7 LEN=48 TOS=0x00 PREC=0x00 TTL=111 ID=43528 PROTO=TCP
SPT=58359 DPT=10000 WINDOW=65535 RES=0x00 SYN URGP=0
Nov 27 00:49:00 web1 kernel: PUB_IN DROP 5 IN=eth0 OUT=
MAC=00:14:22:1c:43:aa:00:06:b1:03:0b:63:08:00 SRC=210.188.207.111
DST=aaa.bbb.ccc.11 LEN=48 TOS=0x00 PREC=0x00 TTL=111 ID=55002
PROTO=TCP SPT=58359 DPT=10000 WINDOW=65535 RES=0x00 SYN URGP=0
Nov 27 00:49:00 web1 kernel: PUB_IN DROP 5 IN=eth0 OUT=
MAC=00:14:22:1c:43:aa:00:06:b1:03:0b:63:08:00 SRC=210.188.207.111
DST=aaa.bbb.ccc.18 LEN=48 TOS=0x00 PREC=0x00 TTL=111 ID=2470 PROTO=TCP
SPT=58359 DPT=10000 WINDOW=65535 RES=0x00 SYN URGP=0
Nov 27 00:49:00 web1 kernel: PUB_IN DROP 5 IN=eth0 OUT=
MAC=00:14:22:1c:43:aa:00:06:b1:03:0b:63:08:00 SRC=210.188.207.111
DST=aaa.bbb.ccc.23 LEN=48 TOS=0x00 PREC=0x00 TTL=111 ID=25667
PROTO=TCP SPT=58359 DPT=10000 WINDOW=65535 RES=0x00 SYN URGP=0
Nov 27 00:49:00 web1 kernel: PUB_IN DROP 5 IN=eth0 OUT=
MAC=00:14:22:1c:43:aa:00:06:b1:03:0b:63:08:00 SRC=210.188.207.111
DST=aaa.bbb.ccc.30 LEN=48 TOS=0x00 PREC=0x00 TTL=111 ID=41525
PROTO=TCP SPT=58359 DPT=10000 WINDOW=65535 RES=0x00 SYN URGP=0
Nov 27 00:49:00 web1 kernel: PUB_IN DROP 5 IN=eth0 OUT=
MAC=00:14:22:1c:43:aa:00:06:b1:03:0b:63:08:00 SRC=210.188.207.111
DST=aaa.bbb.ccc.33 LEN=48 TOS=0x00 PREC=0x00 TTL=111 ID=31802
PROTO=TCP SPT=58359 DPT=10000 WINDOW=65535 RES=0x00 SYN URGP=0
Nov 27 00:49:00 web1 kernel: PUB_IN DROP 5 IN=eth0 OUT=
MAC=00:14:22:1c:43:aa:00:06:b1:03:0b:63:08:00 SRC=210.188.207.111
DST=aaa.bbb.ccc.38 LEN=48 TOS=0x00 PREC=0x00 TTL=111 ID=17592
PROTO=TCP SPT=58359 DPT=10000 WINDOW=65535 RES=0x00 SYN URGP=0
Nov 27 00:49:00 web1 kernel: PUB_IN DROP 5 IN=eth0 OUT=
MAC=00:14:22:1c:43:aa:00:06:b1:03:0b:63:08:00 SRC=210.188.207.111
DST=aaa.bbb.ccc.133 LEN=48 TOS=0x00 PREC=0x00 TTL=112 ID=4149
PROTO=TCP SPT=58359 DPT=10000 WINDOW=65535 RES=0x00 SYN URGP=0
Nov 27 00:49:00 web1 kernel: PUB_IN DROP 5 IN=eth0 OUT=
MAC=00:14:22:1c:43:aa:00:06:b1:03:0b:63:08:00 SRC=210.188.207.111
DST=aaa.bbb.ccc.137 LEN=48 TOS=0x00 PREC=0x00 TTL=112 ID=8726
PROTO=TCP SPT=58359 DPT=10000 WINDOW=65535 RES=0x00 SYN URGP=0
Nov 27 00:49:00 web1 kernel: PUB_IN DROP 5 IN=eth0 OUT=
MAC=00:14:22:1c:43:aa:00:06:b1:03:0b:63:08:00 SRC=210.188.207.111
DST=aaa.bbb.ccc.135 LEN=48 TOS=0x00 PREC=0x00 TTL=112 ID=6831
PROTO=TCP SPT=58359 DPT=10000 WINDOW=65535 RES=0x00 SYN URGP=0
Nov 27 00:49:00 web1 kernel: PUB_IN DROP 5 IN=eth0 OUT=
MAC=00:14:22:1c:43:aa:00:06:b1:03:0b:63:08:00 SRC=210.188.207.111
DST=aaa.bbb.ccc.140 LEN=48 TOS=0x00 PREC=0x00 TTL=112 ID=56727
PROTO=TCP SPT=58359 DPT=10000 WINDOW=65535 RES=0x00 SYN URGP=0
Nov 27 00:49:00 web1 kernel: PUB_IN DROP 5 IN=eth0 OUT=
MAC=00:14:22:1c:43:aa:00:06:b1:03:0b:63:08:00 SRC=210.188.207.111
DST=aaa.bbb.ccc.142 LEN=48 TOS=0x00 PREC=0x00 TTL=112 ID=13668
PROTO=TCP SPT=58359 DPT=10000 WINDOW=65535 RES=0x00 SYN URGP=0
Nov 27 00:49:00 web1 kernel: PUB_IN DROP 5 IN=eth0 OUT=
MAC=00:14:22:1c:43:aa:00:06:b1:03:0b:63:08:00 SRC=210.188.207.111
DST=aaa.bbb.ccc.144 LEN=48 TOS=0x00 PREC=0x00 TTL=112 ID=51289
PROTO=TCP SPT=58359 DPT=10000 WINDOW=65535 RES=0x00 SYN URGP=0
Nov 27 00:49:00 web1 kernel: PUB_IN DROP 5 IN=eth0 OUT=
MAC=00:14:22:1c:43:aa:00:06:b1:03:0b:63:08:00 SRC=210.188.207.111
DST=aaa.bbb.ccc.146 LEN=48 TOS=0x00 PREC=0x00 TTL=112 ID=29378
PROTO=TCP SPT=58359 DPT=10000 WINDOW=65535 RES=0x00 SYN URGP=0
Nov 27 00:49:00 web1 kernel: PUB_IN DROP 5 IN=eth0 OUT=
MAC=00:14:22:1c:43:aa:00:06:b1:03:0b:63:08:00 SRC=210.188.207.111
DST=aaa.bbb.ccc.151 LEN=48 TOS=0x00 PREC=0x00 TTL=112 ID=49795
PROTO=TCP SPT=58359 DPT=10000 WINDOW=65535 RES=0x00 SYN URGP=0
Nov 27 00:49:00 web1 kernel: PUB_IN DROP 5 IN=eth0 OUT=
MAC=00:14:22:1c:43:aa:00:06:b1:03:0b:63:08:00 SRC=210.188.207.111
DST=aaa.bbb.ccc.153 LEN=48 TOS=0x00 PREC=0x00 TTL=112 ID=58777
PROTO=TCP SPT=58359 DPT=10000 WINDOW=65535 RES=0x00 SYN URGP=0
Nov 27 00:49:00 web1 kernel: PUB_IN DROP 5 IN=eth0 OUT=
MAC=00:14:22:1c:43:aa:00:06:b1:03:0b:63:08:00 SRC=210.188.207.111
DST=aaa.bbb.ccc.158 LEN=48 TOS=0x00 PREC=0x00 TTL=112 ID=19333
PROTO=TCP SPT=58359 DPT=10000 WINDOW=65535 RES=0x00 SYN URGP=0
Nov 27 00:49:00 web1 kernel: PUB_IN DROP 5 IN=eth0 OUT=
MAC=00:14:22:1c:43:aa:00:06:b1:03:0b:63:08:00 SRC=210.188.207.111
DST=aaa.bbb.ccc.131 LEN=48 TOS=0x00 PREC=0x00 TTL=111 ID=10410
PROTO=TCP SPT=58359 DPT=10000 WINDOW=65535 RES=0x00 SYN URGP=0
Nov 27 00:49:00 web1 kernel: PUB_IN DROP 5 IN=eth0 OUT=
MAC=00:14:22:1c:43:aa:00:06:b1:03:0b:63:08:00 SRC=210.188.207.111
DST=aaa.bbb.ccc.134 LEN=48 TOS=0x00 PREC=0x00 TTL=111 ID=36295
PROTO=TCP SPT=58359 DPT=10000 WINDOW=65535 RES=0x00 SYN URGP=0
Nov 27 00:49:00 web1 kernel: PUB_IN DROP 5 IN=eth0 OUT=
MAC=00:14:22:1c:43:aa:00:06:b1:03:0b:63:08:00 SRC=210.188.207.111
DST=aaa.bbb.ccc.136 LEN=48 TOS=0x00 PREC=0x00 TTL=111 ID=32623
PROTO=TCP SPT=58359 DPT=10000 WINDOW=65535 RES=0x00 SYN URGP=0
Nov 27 00:49:00 web1 kernel: PUB_IN DROP 5 IN=eth0 OUT=
MAC=00:14:22:1c:43:aa:00:06:b1:03:0b:63:08:00 SRC=210.188.207.111
DST=aaa.bbb.ccc.143 LEN=48 TOS=0x00 PREC=0x00 TTL=111 ID=50724
PROTO=TCP SPT=58359 DPT=10000 WINDOW=65535 RES=0x00 SYN URGP=0
Nov 27 00:49:00 web1 kernel: PUB_IN DROP 5 IN=eth0 OUT=
MAC=00:14:22:1c:43:aa:00:06:b1:03:0b:63:08:00 SRC=210.188.207.111
DST=aaa.bbb.ccc.147 LEN=48 TOS=0x00 PREC=0x00 TTL=111 ID=56271
PROTO=TCP SPT=58359 DPT=10000 WINDOW=65535 RES=0x00 SYN URGP=0
Nov 27 00:49:00 web1 kernel: PUB_IN DROP 5 IN=eth0 OUT=
MAC=00:14:22:1c:43:aa:00:06:b1:03:0b:63:08:00 SRC=210.188.207.111
DST=aaa.bbb.ccc.148 LEN=48 TOS=0x00 PREC=0x00 TTL=111 ID=16607
PROTO=TCP SPT=58359 DPT=10000 WINDOW=65535 RES=0x00 SYN URGP=0
Nov 27 00:49:00 web1 kernel: PUB_IN DROP 5 IN=eth0 OUT=
MAC=00:14:22:1c:43:aa:00:06:b1:03:0b:63:08:00 SRC=210.188.207.111
DST=aaa.bbb.ccc.150 LEN=48 TOS=0x00 PREC=0x00 TTL=111 ID=51341
PROTO=TCP SPT=58359 DPT=10000 WINDOW=65535 RES=0x00 SYN URGP=0
Nov 27 00:49:00 web1 kernel: PUB_IN DROP 5 IN=eth0 OUT=
MAC=00:14:22:1c:43:aa:00:06:b1:03:0b:63:08:00 SRC=210.188.207.111
DST=aaa.bbb.ccc.152 LEN=48 TOS=0x00 PREC=0x00 TTL=111 ID=4293
PROTO=TCP SPT=58359 DPT=10000 WINDOW=65535 RES=0x00 SYN URGP=0
Nov 27 00:49:00 web1 kernel: PUB_IN DROP 5 IN=eth0 OUT=
MAC=00:14:22:1c:43:aa:00:06:b1:03:0b:63:08:00 SRC=210.188.207.111
DST=aaa.bbb.ccc.154 LEN=48 TOS=0x00 PREC=0x00 TTL=111 ID=2442
PROTO=TCP SPT=58359 DPT=10000 WINDOW=65535 RES=0x00 SYN URGP=0
Nov 27 00:49:00 web1 kernel: PUB_IN DROP 5 IN=eth0 OUT=
MAC=00:14:22:1c:43:aa:00:e0:80:4f:23:00:08:00 SRC=210.188.207.111
DST=aaa.bbb.ccc.11 LEN=48 TOS=0x00 PREC=0x00 TTL=111 ID=46999
PROTO=TCP SPT=58359 DPT=10000 WINDOW=65535 RES=0x00 SYN URGP=0
Nov 27 00:49:00 web1 kernel: PUB_IN DROP 5 IN=eth0 OUT=
MAC=00:14:22:1c:43:aa:00:e0:80:4f:23:00:08:00 SRC=210.188.207.111
DST=aaa.bbb.ccc.12 LEN=48 TOS=0x00 PREC=0x00 TTL=111 ID=43129
PROTO=TCP SPT=58359 DPT=10000 WINDOW=65535 RES=0x00 SYN URGP=0
Nov 27 00:49:00 web1 kernel: PUB_IN DROP 5 IN=eth0 OUT=
MAC=00:14:22:1c:43:aa:00:e0:80:4f:23:00:08:00 SRC=210.188.207.111
DST=aaa.bbb.ccc.33 LEN=48 TOS=0x00 PREC=0x00 TTL=111 ID=56780
PROTO=TCP SPT=58359 DPT=10000 WINDOW=65535 RES=0x00 SYN URGP=0
Nov 27 00:49:00 web1 kernel: PUB_IN DROP 5 IN=eth0 OUT=
MAC=00:14:22:1c:43:aa:00:e0:80:4f:23:00:08:00 SRC=210.188.207.111
DST=aaa.bbb.ccc.38 LEN=48 TOS=0x00 PREC=0x00 TTL=111 ID=47769
PROTO=TCP SPT=58359 DPT=10000 WINDOW=65535 RES=0x00 SYN URGP=0
Nov 27 00:49:00 web1 kernel: PUB_IN DROP 5 IN=eth0 OUT=
MAC=00:14:22:1c:43:aa:00:e0:80:4f:23:00:08:00 SRC=210.188.207.111
DST=aaa.bbb.ccc.36 LEN=48 TOS=0x00 PREC=0x00 TTL=111 ID=58784
PROTO=TCP SPT=58359 DPT=10000 WINDOW=65535 RES=0x00 SYN URGP=0
Nov 27 00:49:00 web1 kernel: PUB_IN DROP 5 IN=eth0 OUT=
MAC=00:14:22:1c:43:aa:00:e0:80:4f:23:00:08:00 SRC=210.188.207.111
DST=aaa.bbb.ccc.35 LEN=48 TOS=0x00 PREC=0x00 TTL=111 ID=37074
PROTO=TCP SPT=58359 DPT=10000 WINDOW=65535 RES=0x00 SYN URGP=0
Nov 27 00:49:00 web1 kernel: PUB_IN DROP 5 IN=eth0 OUT=
MAC=00:14:22:1c:43:aa:00:e0:80:4f:23:00:08:00 SRC=210.188.207.111
DST=aaa.bbb.ccc.61 LEN=48 TOS=0x00 PREC=0x00 TTL=111 ID=41548
PROTO=TCP SPT=58359 DPT=10000 WINDOW=65535 RES=0x00 SYN URGP=0
Nov 27 00:49:00 web1 kernel: PUB_IN DROP 5 IN=eth0 OUT=
MAC=00:14:22:1c:43:aa:00:e0:80:4f:23:00:08:00 SRC=210.188.207.111
DST=aaa.bbb.ccc.52 LEN=48 TOS=0x00 PREC=0x00 TTL=111 ID=17772
PROTO=TCP SPT=58359 DPT=10000 WINDOW=65535 RES=0x00 SYN URGP=0
Nov 27 00:49:00 web1 kernel: PUB_IN DROP 5 IN=eth0 OUT=
MAC=00:14:22:1c:43:aa:00:e0:80:4f:23:00:08:00 SRC=210.188.207.111
DST=aaa.bbb.ccc.54 LEN=48 TOS=0x00 PREC=0x00 TTL=111 ID=29676
PROTO=TCP SPT=58359 DPT=10000 WINDOW=65535 RES=0x00 SYN URGP=0
Nov 27 00:49:00 web1 kernel: PUB_IN DROP 5 IN=eth0 OUT=
MAC=00:14:22:1c:43:aa:00:e0:80:4f:23:00:08:00 SRC=210.188.207.111
DST=aaa.bbb.ccc.58 LEN=48 TOS=0x00 PREC=0x00 TTL=111 ID=15596
PROTO=TCP SPT=58359 DPT=10000 WINDOW=65535 RES=0x00 SYN URGP=0
Nov 27 00:49:00 web1 kernel: PUB_IN DROP 5 IN=eth0 OUT=
MAC=00:14:22:1c:43:aa:00:e0:80:4f:23:00:08:00 SRC=210.188.207.111
DST=aaa.bbb.ccc.63 LEN=48 TOS=0x00 PREC=0x00 TTL=111 ID=9640 PROTO=TCP
SPT=58359 DPT=10000 WINDOW=65535 RES=0x00 SYN URGP=0
Nov 27 00:49:00 web1 kernel: PUB_IN DROP 5 IN=eth0 OUT=
MAC=00:14:22:1c:43:aa:00:e0:80:4f:23:00:08:00 SRC=210.188.207.111
DST=aaa.bbb.ccc.65 LEN=48 TOS=0x00 PREC=0x00 TTL=111 ID=33420
PROTO=TCP SPT=58359 DPT=10000 WINDOW=65535 RES=0x00 SYN URGP=0
Nov 27 00:49:00 web1 kernel: PUB_IN DROP 5 IN=eth0 OUT=
MAC=00:14:22:1c:43:aa:00:e0:80:4f:23:00:08:00 SRC=210.188.207.111
DST=aaa.bbb.ccc.10 LEN=48 TOS=0x00 PREC=0x00 TTL=110 ID=32253
PROTO=TCP SPT=58359 DPT=10000 WINDOW=65535 RES=0x00 SYN URGP=0
Nov 27 00:49:00 web1 kernel: PUB_IN DROP 5 IN=eth0 OUT=
MAC=00:14:22:1c:43:aa:00:e0:80:4f:23:00:08:00 SRC=210.188.207.111
DST=aaa.bbb.ccc.31 LEN=48 TOS=0x00 PREC=0x00 TTL=110 ID=8918 PROTO=TCP
SPT=58359 DPT=10000 WINDOW=65535 RES=0x00 SYN URGP=0
Nov 27 00:49:00 web1 kernel: PUB_IN DROP 5 IN=eth0 OUT=
MAC=00:14:22:1c:43:aa:00:e0:80:4f:23:00:08:00 SRC=210.188.207.111
DST=aaa.bbb.ccc.34 LEN=48 TOS=0x00 PREC=0x00 TTL=110 ID=38465
PROTO=TCP SPT=58359 DPT=10000 WINDOW=65535 RES=0x00 SYN URGP=0
Nov 27 00:49:00 web1 kernel: PUB_IN DROP 5 IN=eth0 OUT=
MAC=00:14:22:1c:43:aa:00:e0:80:4f:23:00:08:00 SRC=210.188.207.111
DST=aaa.bbb.ccc.32 LEN=48 TOS=0x00 PREC=0x00 TTL=110 ID=52546
PROTO=TCP SPT=58359 DPT=10000 WINDOW=65535 RES=0x00 SYN URGP=0
Nov 27 00:49:00 web1 kernel: PUB_IN DROP 5 IN=eth0 OUT=
MAC=00:14:22:1c:43:aa:00:e0:80:4f:23:00:08:00 SRC=210.188.207.111
DST=aaa.bbb.ccc.37 LEN=48 TOS=0x00 PREC=0x00 TTL=110 ID=46468
PROTO=TCP SPT=58359 DPT=10000 WINDOW=65535 RES=0x00 SYN URGP=0
Nov 27 00:49:00 web1 kernel: PUB_IN DROP 5 IN=eth0 OUT=
MAC=00:14:22:1c:43:aa:00:e0:80:4f:23:00:08:00 SRC=210.188.207.111
DST=aaa.bbb.ccc.39 LEN=48 TOS=0x00 PREC=0x00 TTL=110 ID=43695
PROTO=TCP SPT=58359 DPT=10000 WINDOW=65535 RES=0x00 SYN URGP=0
Nov 27 00:49:00 web1 kernel: PUB_IN DROP 5 IN=eth0 OUT=
MAC=00:14:22:1c:43:aa:00:e0:80:4f:23:00:08:00 SRC=210.188.207.111
DST=aaa.bbb.ccc.57 LEN=48 TOS=0x00 PREC=0x00 TTL=110 ID=26697
PROTO=TCP SPT=58359 DPT=10000 WINDOW=65535 RES=0x00 SYN URGP=0
Nov 27 00:49:00 web1 kernel: PUB_IN DROP 5 IN=eth0 OUT=
MAC=00:14:22:1c:43:aa:00:e0:80:4f:23:00:08:00 SRC=210.188.207.111
DST=aaa.bbb.ccc.53 LEN=48 TOS=0x00 PREC=0x00 TTL=110 ID=29615
PROTO=TCP SPT=58359 DPT=10000 WINDOW=65535 RES=0x00 SYN URGP=0
Nov 27 00:49:00 web1 kernel: PUB_IN DROP 5 IN=eth0 OUT=
MAC=00:14:22:1c:43:aa:00:e0:80:4f:23:00:08:00 SRC=210.188.207.111
DST=aaa.bbb.ccc.55 LEN=48 TOS=0x00 PREC=0x00 TTL=110 ID=20678
PROTO=TCP SPT=58359 DPT=10000 WINDOW=65535 RES=0x00 SYN URGP=0
Nov 27 00:49:00 web1 kernel: PUB_IN DROP 5 IN=eth0 OUT=
MAC=00:14:22:1c:43:aa:00:e0:80:4f:23:00:08:00 SRC=210.188.207.111
DST=aaa.bbb.ccc.60 LEN=48 TOS=0x00 PREC=0x00 TTL=110 ID=54032
PROTO=TCP SPT=58359 DPT=10000 WINDOW=65535 RES=0x00 SYN URGP=0
Nov 27 00:49:00 web1 kernel: PUB_IN DROP 5 IN=eth0 OUT=
MAC=00:14:22:1c:43:aa:00:e0:80:4f:23:00:08:00 SRC=210.188.207.111
DST=aaa.bbb.ccc.59 LEN=48 TOS=0x00 PREC=0x00 TTL=110 ID=15925
PROTO=TCP SPT=58359 DPT=10000 WINDOW=65535 RES=0x00 SYN URGP=0
Nov 27 00:49:00 web1 kernel: PUB_IN DROP 5 IN=eth0 OUT=
MAC=00:14:22:1c:43:aa:00:e0:80:4f:23:00:08:00 SRC=210.188.207.111
DST=aaa.bbb.ccc.62 LEN=48 TOS=0x00 PREC=0x00 TTL=110 ID=52926
PROTO=TCP SPT=58359 DPT=10000 WINDOW=65535 RES=0x00 SYN URGP=0
Nov 27 00:49:00 web1 kernel: PUB_IN DROP 5 IN=eth0 OUT=
MAC=00:14:22:1c:43:aa:00:e0:80:4f:23:00:08:00 SRC=210.188.207.111
DST=aaa.bbb.ccc.64 LEN=48 TOS=0x00 PREC=0x00 TTL=110 ID=34007
PROTO=TCP SPT=58359 DPT=10000 WINDOW=65535 RES=0x00 SYN URGP=0
Nov 27 00:49:00 web1 kernel: PUB_IN DROP 5 IN=eth0 OUT=
MAC=00:14:22:1c:43:aa:00:e0:80:4f:23:00:08:00 SRC=210.188.207.111
DST=aaa.bbb.ccc.66 LEN=48 TOS=0x00 PREC=0x00 TTL=110 ID=44953
PROTO=TCP SPT=58359 DPT=10000 WINDOW=65535 RES=0x00 SYN URGP=0

In this case 210.188.207.111 from SAKURA Internet Inc. in Japan
scanned TCP port 10000 56 times in approximately 60 seconds or less.

Please let me know if you need more examples.

Thank you.

[ossec-list] Re: Help with converting sec rules to ossec rules

Reply via email to