Hi Peter,

Your examples are fine. First, this log was supposed to be parsed by our
iptables decoder, but because of the additional space between "PUB_IN"
and "DROP" it is not. The following article explains what we expect
from iptables:

http://www.ossec.net/wiki/index.php/Know_How:Iptables_Config

If you can't change the iptables config, you would need to slightly
modify the iptables decoder to support multiple spaces in there.


Anyway, after the decoder is working, OSSEC should already alert you on
horizontal scans with the following rule:

  <rule id="4151" level="10" frequency="16" timeframe="45" ignore="240">
    <if_matched_sid>4101</if_matched_sid>
    <same_source_ip />
    <description>Multiple Firewall drop events from same source.</description>
    <group>multiple_drops,</group>
  </rule>


You can change the frequency/timeframe as you want. Also, if you need it
to be to the same destination port, just add the "same_dst_port" tag to
the rule.

Hope it helps.

--
Daniel B. Cid
dcid ( at ) ossec.net
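As an added example (not part of the original thread, and not OSSEC's own decoder or rule engine), the script below decodes kernel log lines in the format Peter posted, tolerates the extra whitespace in the log prefix that trips the stock decoder, and applies the frequency/timeframe/ignore/same_source_ip logic of rule 4151 over a constructed burst of drops, with an option that mimics adding same_dst_port. The log lines, hostnames, addresses (RFC 5737 documentation ranges) and helper names are all assumptions made for the example.

```python
"""Added example, not OSSEC code: decode iptables LOG lines and correlate
firewall drops per source the way rule 4151 does. All sample lines are
constructed for this example."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Syslog header followed by the kernel message. Everything before "IN=" is the
# chain/log-prefix (e.g. "PUB_IN DROP 5"); it is split on runs of whitespace,
# so one or several spaces between "PUB_IN" and "DROP" decode the same way.
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) kernel: (?P<msg>.*)$")
KV_RE = re.compile(r"([A-Z]+)=(\S*)")


def parse_line(line, year=2007):
    """Decode one iptables LOG line into a dict; None if it is not one."""
    m = LINE_RE.match(line.rstrip("\n"))
    if not m:
        return None
    msg = m.group("msg")
    at = msg.find("IN=")
    if at < 0:
        return None
    prefix = msg[:at].split()  # collapses any number of spaces
    fields = dict(KV_RE.findall(msg[at:]))
    if "SRC" not in fields or "DST" not in fields:
        return None
    return {
        "ts": datetime.strptime(f"{year} {m.group('ts')}", "%Y %b %d %H:%M:%S"),
        "host": m.group("host"),
        "action": "DROP" if "DROP" in prefix else "OTHER",
        "src": fields["SRC"], "dst": fields["DST"],
        "proto": fields.get("PROTO"),
        "dpt": int(fields["DPT"]) if fields.get("DPT", "").isdigit() else None,
    }


class DropCorrelator:
    """Approximates rule 4151: alert when one source (optionally the same
    proto/port as well) produces `frequency` drops inside `timeframe` seconds,
    then ignore that source for `ignore` seconds."""

    def __init__(self, frequency=16, timeframe=45, ignore=240, same_dst_port=False):
        self.frequency, self.timeframe, self.ignore = frequency, timeframe, ignore
        self.same_dst_port = same_dst_port
        self.window = defaultdict(deque)  # key -> timestamps of recent drops
        self.muted_until = {}             # key -> end of the 'ignore' period
        self.alerts = []

    def feed(self, ev):
        if ev is None or ev["action"] != "DROP":
            return None
        key = (ev["src"], ev["proto"], ev["dpt"]) if self.same_dst_port else (ev["src"],)
        if key in self.muted_until and ev["ts"] < self.muted_until[key]:
            return None
        q = self.window[key]
        q.append(ev["ts"])
        oldest_allowed = ev["ts"] - timedelta(seconds=self.timeframe)
        while q and q[0] < oldest_allowed:
            q.popleft()
        if len(q) < self.frequency:
            return None
        alert = {"rule": 4151, "level": 10, "src": ev["src"], "count": len(q),
                 "first": q[0], "last": ev["ts"],
                 "dst_port": ev["dpt"] if self.same_dst_port else None}
        self.alerts.append(alert)
        self.muted_until[key] = ev["ts"] + timedelta(seconds=self.ignore)
        q.clear()
        return alert


def run(lines, **rule_opts):
    """Feed raw log lines through the decoder and correlator; return alerts."""
    c = DropCorrelator(**rule_opts)
    for line in lines:
        c.feed(parse_line(line))
    return c.alerts


def constructed_drop(ts, src, dst, dpt, spt=21997, host="web", prefix="PUB_IN  DROP 5"):
    """Build a constructed log line in the thread's format (two spaces in the
    prefix on purpose, to exercise the whitespace-tolerant decoder)."""
    return (f"{ts} {host} kernel: {prefix} IN=eth0 OUT= "
            f"MAC=00:15:c5:60:33:1f:00:06:b1:03:0b:63:08:00 SRC={src} DST={dst} "
            f"LEN=48 TOS=0x00 PREC=0x00 TTL=115 ID=1 PROTO=TCP SPT={spt} DPT={dpt} "
            f"WINDOW=65535 RES=0x00 SYN URGP=0")


# Constructed horizontal SMTP sweep: 16 hosts on one /24 probed on port 25 in
# the same second, plus two unrelated drops from another source (no alert).
SCAN = [constructed_drop("Nov 27 12:09:18", "192.0.2.10", f"198.51.100.{n}", 25)
        for n in range(80, 96)]
NOISE = [constructed_drop("Nov 27 12:09:19", "203.0.113.7", "198.51.100.5", 22),
         constructed_drop("Nov 27 12:15:00", "203.0.113.7", "198.51.100.5", 443)]
SAMPLE_LOG = SCAN + NOISE

if __name__ == "__main__":
    for a in run(SAMPLE_LOG):
        print(f"rule {a['rule']} level {a['level']}: {a['count']} drops from "
              f"{a['src']} between {a['first']:%H:%M:%S} and {a['last']:%H:%M:%S}")
```

Passing `same_dst_port=True` to `run()` keys the window on source, protocol and destination port, which is what adding `<same_dst_port />` to the rule buys you: a sweep of one port across many hosts still alerts, while a source that trips drops on unrelated ports is counted separately per port. The `ignore` period is what keeps a 56-packet burst like the second example from producing several alerts for one scan.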

On Nov 27, 2007 2:56 PM, Peter M. Abraham <[EMAIL PROTECTED]> wrote:
>
> Greetings Daniel:
>
> Thank you for your kindness
>
> ## Edited for destination IP to protect our client
>
> grep 61.134.63.205 /var/log/kernel
>
> Nov 27 12:09:18 web kernel: PUB_IN DROP 5 IN=eth0 OUT=
> MAC=00:15:c5:60:33:1f:00:06:b1:03:0b:63:08:00 SRC=61.134.63.205
> DST=aaa.bbb.ccc.87 LEN=48 TOS=0x00 PREC=0x00 TTL=115 ID=53011
> PROTO=TCP SPT=21997 DPT=25 WINDOW=65535 RES=0x00 SYN URGP=0
> Nov 27 12:09:18 web kernel: PUB_IN DROP 5 IN=eth0 OUT=
> MAC=00:15:c5:60:33:1f:00:06:b1:03:0b:63:08:00 SRC=61.134.63.205
> DST=aaa.bbb.ccc.89 LEN=48 TOS=0x00 PREC=0x00 TTL=115 ID=47782
> PROTO=TCP SPT=21997 DPT=25 WINDOW=65535 RES=0x00 SYN URGP=0
> Nov 27 12:09:18 web kernel: PUB_IN DROP 5 IN=eth0 OUT=
> MAC=00:15:c5:60:33:1f:00:06:b1:03:0b:63:08:00 SRC=61.134.63.205
> DST=aaa.bbb.ccc.91 LEN=48 TOS=0x00 PREC=0x00 TTL=115 ID=59982
> PROTO=TCP SPT=21997 DPT=25 WINDOW=65535 RES=0x00 SYN URGP=0
> Nov 27 12:09:18 web kernel: PUB_IN DROP 5 IN=eth0 OUT=
> MAC=00:15:c5:60:33:1f:00:06:b1:03:0b:63:08:00 SRC=61.134.63.205
> DST=aaa.bbb.ccc.90 LEN=48 TOS=0x00 PREC=0x00 TTL=115 ID=41032
> PROTO=TCP SPT=21997 DPT=25 WINDOW=65535 RES=0x00 SYN URGP=0
> Nov 27 12:09:18 web kernel: PUB_IN DROP 5 IN=eth0 OUT=
> MAC=00:15:c5:60:33:1f:00:06:b1:03:0b:63:08:00 SRC=61.134.63.205
> DST=aaa.bbb.ccc.93 LEN=48 TOS=0x00 PREC=0x00 TTL=115 ID=5200 PROTO=TCP
> SPT=21997 DPT=25 WINDOW=65535 RES=0x00 SYN URGP=0
> Nov 27 12:09:18 web kernel: PUB_IN DROP 5 IN=eth0 OUT=
> MAC=00:15:c5:60:33:1f:00:06:b1:03:0b:63:08:00 SRC=61.134.63.205
> DST=aaa.bbb.ccc.92 LEN=48 TOS=0x00 PREC=0x00 TTL=115 ID=56408
> PROTO=TCP SPT=21997 DPT=25 WINDOW=65535 RES=0x00 SYN URGP=0
> Nov 27 12:09:18 web kernel: PUB_IN DROP 5 IN=eth0 OUT=
> MAC=00:15:c5:60:33:1f:00:06:b1:03:0b:63:08:00 SRC=61.134.63.205
> DST=aaa.bbb.ccc.95 LEN=48 TOS=0x00 PREC=0x00 TTL=115 ID=21850
> PROTO=TCP SPT=21997 DPT=25 WINDOW=65535 RES=0x00 SYN URGP=0
> Nov 27 12:09:18 web kernel: PUB_IN DROP 5 IN=eth0 OUT=
> MAC=00:15:c5:60:33:1f:00:06:b1:03:0b:63:08:00 SRC=61.134.63.205
> DST=aaa.bbb.ccc.96 LEN=48 TOS=0x00 PREC=0x00 TTL=115 ID=29755
> PROTO=TCP SPT=21997 DPT=25 WINDOW=65535 RES=0x00 SYN URGP=0
> Nov 27 12:09:18 web kernel: PUB_IN DROP 5 IN=eth0 OUT=
> MAC=00:15:c5:60:33:1f:00:06:b1:03:0b:63:08:00 SRC=61.134.63.205
> DST=aaa.bbb.ccc.94 LEN=48 TOS=0x00 PREC=0x00 TTL=115 ID=23984
> PROTO=TCP SPT=21997 DPT=25 WINDOW=65535 RES=0x00 SYN URGP=0
> Nov 27 12:09:18 web kernel: PUB_IN DROP 5 IN=eth0 OUT=
> MAC=00:15:c5:60:33:1f:00:06:b1:03:0b:63:08:00 SRC=61.134.63.205
> DST=aaa.bbb.ccc.100 LEN=48 TOS=0x00 PREC=0x00 TTL=115 ID=38727
> PROTO=TCP SPT=21997 DPT=25 WINDOW=65535 RES=0x00 SYN URGP=0
> Nov 27 12:09:18 web kernel: PUB_IN DROP 5 IN=eth0 OUT=
> MAC=00:15:c5:60:33:1f:00:06:b1:03:0b:63:08:00 SRC=61.134.63.205
> DST=aaa.bbb.ccc.99 LEN=48 TOS=0x00 PREC=0x00 TTL=115 ID=39298
> PROTO=TCP SPT=21997 DPT=25 WINDOW=65535 RES=0x00 SYN URGP=0
>
>
> In this case 61.134.63.205 from the CHINANET Shanxi(SN) province network
> scanned TCP port 25 10 or more times (11 this time) in 60 seconds or
> less.
>
> Here is another example:
>
> grep 210.188.207.111 /var/log/kernel
> Nov 27 00:49:00 web1 kernel: PUB_IN DROP 5 IN=eth0 OUT=
> MAC=00:14:22:1c:43:aa:00:06:b1:03:0b:63:08:00 SRC=210.188.207.111
> DST=aaa.bbb.ccc.19 LEN=48 TOS=0x00 PREC=0x00 TTL=112 ID=52164
> PROTO=TCP SPT=58359 DPT=10000 WINDOW=65535 RES=0x00 SYN URGP=0
> Nov 27 00:49:00 web1 kernel: PUB_IN DROP 5 IN=eth0 OUT=
> MAC=00:14:22:1c:43:aa:00:06:b1:03:0b:63:08:00 SRC=210.188.207.111
> DST=aaa.bbb.ccc.37 LEN=48 TOS=0x00 PREC=0x00 TTL=112 ID=46107
> PROTO=TCP SPT=58359 DPT=10000 WINDOW=65535 RES=0x00 SYN URGP=0
> Nov 27 00:49:00 web1 kernel: PUB_IN DROP 5 IN=eth0 OUT=
> MAC=00:14:22:1c:43:aa:00:06:b1:03:0b:63:08:00 SRC=210.188.207.111
> DST=aaa.bbb.ccc.41 LEN=48 TOS=0x00 PREC=0x00 TTL=112 ID=36695
> PROTO=TCP SPT=58359 DPT=10000 WINDOW=65535 RES=0x00 SYN URGP=0
> Nov 27 00:49:00 web1 kernel: PUB_IN DROP 5 IN=eth0 OUT=
> MAC=00:14:22:1c:43:aa:00:06:b1:03:0b:63:08:00 SRC=210.188.207.111
> DST=aaa.bbb.ccc.44 LEN=48 TOS=0x00 PREC=0x00 TTL=112 ID=32063
> PROTO=TCP SPT=58359 DPT=10000 WINDOW=65535 RES=0x00 SYN URGP=0
> Nov 27 00:49:00 web1 kernel: PUB_IN DROP 5 IN=eth0 OUT=
> MAC=00:14:22:1c:43:aa:00:06:b1:03:0b:63:08:00 SRC=210.188.207.111
> DST=aaa.bbb.ccc.7 LEN=48 TOS=0x00 PREC=0x00 TTL=111 ID=43528 PROTO=TCP
> SPT=58359 DPT=10000 WINDOW=65535 RES=0x00 SYN URGP=0
> Nov 27 00:49:00 web1 kernel: PUB_IN DROP 5 IN=eth0 OUT=
> MAC=00:14:22:1c:43:aa:00:06:b1:03:0b:63:08:00 SRC=210.188.207.111
> DST=aaa.bbb.ccc.11 LEN=48 TOS=0x00 PREC=0x00 TTL=111 ID=55002
> PROTO=TCP SPT=58359 DPT=10000 WINDOW=65535 RES=0x00 SYN URGP=0
> Nov 27 00:49:00 web1 kernel: PUB_IN DROP 5 IN=eth0 OUT=
> MAC=00:14:22:1c:43:aa:00:06:b1:03:0b:63:08:00 SRC=210.188.207.111
> DST=aaa.bbb.ccc.18 LEN=48 TOS=0x00 PREC=0x00 TTL=111 ID=2470 PROTO=TCP
> SPT=58359 DPT=10000 WINDOW=65535 RES=0x00 SYN URGP=0
> Nov 27 00:49:00 web1 kernel: PUB_IN DROP 5 IN=eth0 OUT=
> MAC=00:14:22:1c:43:aa:00:06:b1:03:0b:63:08:00 SRC=210.188.207.111
> DST=aaa.bbb.ccc.23 LEN=48 TOS=0x00 PREC=0x00 TTL=111 ID=25667
> PROTO=TCP SPT=58359 DPT=10000 WINDOW=65535 RES=0x00 SYN URGP=0
> Nov 27 00:49:00 web1 kernel: PUB_IN DROP 5 IN=eth0 OUT=
> MAC=00:14:22:1c:43:aa:00:06:b1:03:0b:63:08:00 SRC=210.188.207.111
> DST=aaa.bbb.ccc.30 LEN=48 TOS=0x00 PREC=0x00 TTL=111 ID=41525
> PROTO=TCP SPT=58359 DPT=10000 WINDOW=65535 RES=0x00 SYN URGP=0
> Nov 27 00:49:00 web1 kernel: PUB_IN DROP 5 IN=eth0 OUT=
> MAC=00:14:22:1c:43:aa:00:06:b1:03:0b:63:08:00 SRC=210.188.207.111
> DST=aaa.bbb.ccc.33 LEN=48 TOS=0x00 PREC=0x00 TTL=111 ID=31802
> PROTO=TCP SPT=58359 DPT=10000 WINDOW=65535 RES=0x00 SYN URGP=0
> Nov 27 00:49:00 web1 kernel: PUB_IN DROP 5 IN=eth0 OUT=
> MAC=00:14:22:1c:43:aa:00:06:b1:03:0b:63:08:00 SRC=210.188.207.111
> DST=aaa.bbb.ccc.38 LEN=48 TOS=0x00 PREC=0x00 TTL=111 ID=17592
> PROTO=TCP SPT=58359 DPT=10000 WINDOW=65535 RES=0x00 SYN URGP=0
> Nov 27 00:49:00 web1 kernel: PUB_IN DROP 5 IN=eth0 OUT=
> MAC=00:14:22:1c:43:aa:00:06:b1:03:0b:63:08:00 SRC=210.188.207.111
> DST=aaa.bbb.ccc.133 LEN=48 TOS=0x00 PREC=0x00 TTL=112 ID=4149
> PROTO=TCP SPT=58359 DPT=10000 WINDOW=65535 RES=0x00 SYN URGP=0
> Nov 27 00:49:00 web1 kernel: PUB_IN DROP 5 IN=eth0 OUT=
> MAC=00:14:22:1c:43:aa:00:06:b1:03:0b:63:08:00 SRC=210.188.207.111
> DST=aaa.bbb.ccc.137 LEN=48 TOS=0x00 PREC=0x00 TTL=112 ID=8726
> PROTO=TCP SPT=58359 DPT=10000 WINDOW=65535 RES=0x00 SYN URGP=0
> Nov 27 00:49:00 web1 kernel: PUB_IN DROP 5 IN=eth0 OUT=
> MAC=00:14:22:1c:43:aa:00:06:b1:03:0b:63:08:00 SRC=210.188.207.111
> DST=aaa.bbb.ccc.135 LEN=48 TOS=0x00 PREC=0x00 TTL=112 ID=6831
> PROTO=TCP SPT=58359 DPT=10000 WINDOW=65535 RES=0x00 SYN URGP=0
> Nov 27 00:49:00 web1 kernel: PUB_IN DROP 5 IN=eth0 OUT=
> MAC=00:14:22:1c:43:aa:00:06:b1:03:0b:63:08:00 SRC=210.188.207.111
> DST=aaa.bbb.ccc.140 LEN=48 TOS=0x00 PREC=0x00 TTL=112 ID=56727
> PROTO=TCP SPT=58359 DPT=10000 WINDOW=65535 RES=0x00 SYN URGP=0
> Nov 27 00:49:00 web1 kernel: PUB_IN DROP 5 IN=eth0 OUT=
> MAC=00:14:22:1c:43:aa:00:06:b1:03:0b:63:08:00 SRC=210.188.207.111
> DST=aaa.bbb.ccc.142 LEN=48 TOS=0x00 PREC=0x00 TTL=112 ID=13668
> PROTO=TCP SPT=58359 DPT=10000 WINDOW=65535 RES=0x00 SYN URGP=0
> Nov 27 00:49:00 web1 kernel: PUB_IN DROP 5 IN=eth0 OUT=
> MAC=00:14:22:1c:43:aa:00:06:b1:03:0b:63:08:00 SRC=210.188.207.111
> DST=aaa.bbb.ccc.144 LEN=48 TOS=0x00 PREC=0x00 TTL=112 ID=51289
> PROTO=TCP SPT=58359 DPT=10000 WINDOW=65535 RES=0x00 SYN URGP=0
> Nov 27 00:49:00 web1 kernel: PUB_IN DROP 5 IN=eth0 OUT=
> MAC=00:14:22:1c:43:aa:00:06:b1:03:0b:63:08:00 SRC=210.188.207.111
> DST=aaa.bbb.ccc.146 LEN=48 TOS=0x00 PREC=0x00 TTL=112 ID=29378
> PROTO=TCP SPT=58359 DPT=10000 WINDOW=65535 RES=0x00 SYN URGP=0
> Nov 27 00:49:00 web1 kernel: PUB_IN DROP 5 IN=eth0 OUT=
> MAC=00:14:22:1c:43:aa:00:06:b1:03:0b:63:08:00 SRC=210.188.207.111
> DST=aaa.bbb.ccc.151 LEN=48 TOS=0x00 PREC=0x00 TTL=112 ID=49795
> PROTO=TCP SPT=58359 DPT=10000 WINDOW=65535 RES=0x00 SYN URGP=0
> Nov 27 00:49:00 web1 kernel: PUB_IN DROP 5 IN=eth0 OUT=
> MAC=00:14:22:1c:43:aa:00:06:b1:03:0b:63:08:00 SRC=210.188.207.111
> DST=aaa.bbb.ccc.153 LEN=48 TOS=0x00 PREC=0x00 TTL=112 ID=58777
> PROTO=TCP SPT=58359 DPT=10000 WINDOW=65535 RES=0x00 SYN URGP=0
> Nov 27 00:49:00 web1 kernel: PUB_IN DROP 5 IN=eth0 OUT=
> MAC=00:14:22:1c:43:aa:00:06:b1:03:0b:63:08:00 SRC=210.188.207.111
> DST=aaa.bbb.ccc.158 LEN=48 TOS=0x00 PREC=0x00 TTL=112 ID=19333
> PROTO=TCP SPT=58359 DPT=10000 WINDOW=65535 RES=0x00 SYN URGP=0
> Nov 27 00:49:00 web1 kernel: PUB_IN DROP 5 IN=eth0 OUT=
> MAC=00:14:22:1c:43:aa:00:06:b1:03:0b:63:08:00 SRC=210.188.207.111
> DST=aaa.bbb.ccc.131 LEN=48 TOS=0x00 PREC=0x00 TTL=111 ID=10410
> PROTO=TCP SPT=58359 DPT=10000 WINDOW=65535 RES=0x00 SYN URGP=0
> Nov 27 00:49:00 web1 kernel: PUB_IN DROP 5 IN=eth0 OUT=
> MAC=00:14:22:1c:43:aa:00:06:b1:03:0b:63:08:00 SRC=210.188.207.111
> DST=aaa.bbb.ccc.134 LEN=48 TOS=0x00 PREC=0x00 TTL=111 ID=36295
> PROTO=TCP SPT=58359 DPT=10000 WINDOW=65535 RES=0x00 SYN URGP=0
> Nov 27 00:49:00 web1 kernel: PUB_IN DROP 5 IN=eth0 OUT=
> MAC=00:14:22:1c:43:aa:00:06:b1:03:0b:63:08:00 SRC=210.188.207.111
> DST=aaa.bbb.ccc.136 LEN=48 TOS=0x00 PREC=0x00 TTL=111 ID=32623
> PROTO=TCP SPT=58359 DPT=10000 WINDOW=65535 RES=0x00 SYN URGP=0
> Nov 27 00:49:00 web1 kernel: PUB_IN DROP 5 IN=eth0 OUT=
> MAC=00:14:22:1c:43:aa:00:06:b1:03:0b:63:08:00 SRC=210.188.207.111
> DST=aaa.bbb.ccc.143 LEN=48 TOS=0x00 PREC=0x00 TTL=111 ID=50724
> PROTO=TCP SPT=58359 DPT=10000 WINDOW=65535 RES=0x00 SYN URGP=0
> Nov 27 00:49:00 web1 kernel: PUB_IN DROP 5 IN=eth0 OUT=
> MAC=00:14:22:1c:43:aa:00:06:b1:03:0b:63:08:00 SRC=210.188.207.111
> DST=aaa.bbb.ccc.147 LEN=48 TOS=0x00 PREC=0x00 TTL=111 ID=56271
> PROTO=TCP SPT=58359 DPT=10000 WINDOW=65535 RES=0x00 SYN URGP=0
> Nov 27 00:49:00 web1 kernel: PUB_IN DROP 5 IN=eth0 OUT=
> MAC=00:14:22:1c:43:aa:00:06:b1:03:0b:63:08:00 SRC=210.188.207.111
> DST=aaa.bbb.ccc.148 LEN=48 TOS=0x00 PREC=0x00 TTL=111 ID=16607
> PROTO=TCP SPT=58359 DPT=10000 WINDOW=65535 RES=0x00 SYN URGP=0
> Nov 27 00:49:00 web1 kernel: PUB_IN DROP 5 IN=eth0 OUT=
> MAC=00:14:22:1c:43:aa:00:06:b1:03:0b:63:08:00 SRC=210.188.207.111
> DST=aaa.bbb.ccc.150 LEN=48 TOS=0x00 PREC=0x00 TTL=111 ID=51341
> PROTO=TCP SPT=58359 DPT=10000 WINDOW=65535 RES=0x00 SYN URGP=0
> Nov 27 00:49:00 web1 kernel: PUB_IN DROP 5 IN=eth0 OUT=
> MAC=00:14:22:1c:43:aa:00:06:b1:03:0b:63:08:00 SRC=210.188.207.111
> DST=aaa.bbb.ccc.152 LEN=48 TOS=0x00 PREC=0x00 TTL=111 ID=4293
> PROTO=TCP SPT=58359 DPT=10000 WINDOW=65535 RES=0x00 SYN URGP=0
> Nov 27 00:49:00 web1 kernel: PUB_IN DROP 5 IN=eth0 OUT=
> MAC=00:14:22:1c:43:aa:00:06:b1:03:0b:63:08:00 SRC=210.188.207.111
> DST=aaa.bbb.ccc.154 LEN=48 TOS=0x00 PREC=0x00 TTL=111 ID=2442
> PROTO=TCP SPT=58359 DPT=10000 WINDOW=65535 RES=0x00 SYN URGP=0
> Nov 27 00:49:00 web1 kernel: PUB_IN DROP 5 IN=eth0 OUT=
> MAC=00:14:22:1c:43:aa:00:e0:80:4f:23:00:08:00 SRC=210.188.207.111
> DST=aaa.bbb.ccc.11 LEN=48 TOS=0x00 PREC=0x00 TTL=111 ID=46999
> PROTO=TCP SPT=58359 DPT=10000 WINDOW=65535 RES=0x00 SYN URGP=0
> Nov 27 00:49:00 web1 kernel: PUB_IN DROP 5 IN=eth0 OUT=
> MAC=00:14:22:1c:43:aa:00:e0:80:4f:23:00:08:00 SRC=210.188.207.111
> DST=aaa.bbb.ccc.12 LEN=48 TOS=0x00 PREC=0x00 TTL=111 ID=43129
> PROTO=TCP SPT=58359 DPT=10000 WINDOW=65535 RES=0x00 SYN URGP=0
> Nov 27 00:49:00 web1 kernel: PUB_IN DROP 5 IN=eth0 OUT=
> MAC=00:14:22:1c:43:aa:00:e0:80:4f:23:00:08:00 SRC=210.188.207.111
> DST=aaa.bbb.ccc.33 LEN=48 TOS=0x00 PREC=0x00 TTL=111 ID=56780
> PROTO=TCP SPT=58359 DPT=10000 WINDOW=65535 RES=0x00 SYN URGP=0
> Nov 27 00:49:00 web1 kernel: PUB_IN DROP 5 IN=eth0 OUT=
> MAC=00:14:22:1c:43:aa:00:e0:80:4f:23:00:08:00 SRC=210.188.207.111
> DST=aaa.bbb.ccc.38 LEN=48 TOS=0x00 PREC=0x00 TTL=111 ID=47769
> PROTO=TCP SPT=58359 DPT=10000 WINDOW=65535 RES=0x00 SYN URGP=0
> Nov 27 00:49:00 web1 kernel: PUB_IN DROP 5 IN=eth0 OUT=
> MAC=00:14:22:1c:43:aa:00:e0:80:4f:23:00:08:00 SRC=210.188.207.111
> DST=aaa.bbb.ccc.36 LEN=48 TOS=0x00 PREC=0x00 TTL=111 ID=58784
> PROTO=TCP SPT=58359 DPT=10000 WINDOW=65535 RES=0x00 SYN URGP=0
> Nov 27 00:49:00 web1 kernel: PUB_IN DROP 5 IN=eth0 OUT=
> MAC=00:14:22:1c:43:aa:00:e0:80:4f:23:00:08:00 SRC=210.188.207.111
> DST=aaa.bbb.ccc.35 LEN=48 TOS=0x00 PREC=0x00 TTL=111 ID=37074
> PROTO=TCP SPT=58359 DPT=10000 WINDOW=65535 RES=0x00 SYN URGP=0
> Nov 27 00:49:00 web1 kernel: PUB_IN DROP 5 IN=eth0 OUT=
> MAC=00:14:22:1c:43:aa:00:e0:80:4f:23:00:08:00 SRC=210.188.207.111
> DST=aaa.bbb.ccc.61 LEN=48 TOS=0x00 PREC=0x00 TTL=111 ID=41548
> PROTO=TCP SPT=58359 DPT=10000 WINDOW=65535 RES=0x00 SYN URGP=0
> Nov 27 00:49:00 web1 kernel: PUB_IN DROP 5 IN=eth0 OUT=
> MAC=00:14:22:1c:43:aa:00:e0:80:4f:23:00:08:00 SRC=210.188.207.111
> DST=aaa.bbb.ccc.52 LEN=48 TOS=0x00 PREC=0x00 TTL=111 ID=17772
> PROTO=TCP SPT=58359 DPT=10000 WINDOW=65535 RES=0x00 SYN URGP=0
> Nov 27 00:49:00 web1 kernel: PUB_IN DROP 5 IN=eth0 OUT=
> MAC=00:14:22:1c:43:aa:00:e0:80:4f:23:00:08:00 SRC=210.188.207.111
> DST=aaa.bbb.ccc.54 LEN=48 TOS=0x00 PREC=0x00 TTL=111 ID=29676
> PROTO=TCP SPT=58359 DPT=10000 WINDOW=65535 RES=0x00 SYN URGP=0
> Nov 27 00:49:00 web1 kernel: PUB_IN DROP 5 IN=eth0 OUT=
> MAC=00:14:22:1c:43:aa:00:e0:80:4f:23:00:08:00 SRC=210.188.207.111
> DST=aaa.bbb.ccc.58 LEN=48 TOS=0x00 PREC=0x00 TTL=111 ID=15596
> PROTO=TCP SPT=58359 DPT=10000 WINDOW=65535 RES=0x00 SYN URGP=0
> Nov 27 00:49:00 web1 kernel: PUB_IN DROP 5 IN=eth0 OUT=
> MAC=00:14:22:1c:43:aa:00:e0:80:4f:23:00:08:00 SRC=210.188.207.111
> DST=aaa.bbb.ccc.63 LEN=48 TOS=0x00 PREC=0x00 TTL=111 ID=9640 PROTO=TCP
> SPT=58359 DPT=10000 WINDOW=65535 RES=0x00 SYN URGP=0
> Nov 27 00:49:00 web1 kernel: PUB_IN DROP 5 IN=eth0 OUT=
> MAC=00:14:22:1c:43:aa:00:e0:80:4f:23:00:08:00 SRC=210.188.207.111
> DST=aaa.bbb.ccc.65 LEN=48 TOS=0x00 PREC=0x00 TTL=111 ID=33420
> PROTO=TCP SPT=58359 DPT=10000 WINDOW=65535 RES=0x00 SYN URGP=0
> Nov 27 00:49:00 web1 kernel: PUB_IN DROP 5 IN=eth0 OUT=
> MAC=00:14:22:1c:43:aa:00:e0:80:4f:23:00:08:00 SRC=210.188.207.111
> DST=aaa.bbb.ccc.10 LEN=48 TOS=0x00 PREC=0x00 TTL=110 ID=32253
> PROTO=TCP SPT=58359 DPT=10000 WINDOW=65535 RES=0x00 SYN URGP=0
> Nov 27 00:49:00 web1 kernel: PUB_IN DROP 5 IN=eth0 OUT=
> MAC=00:14:22:1c:43:aa:00:e0:80:4f:23:00:08:00 SRC=210.188.207.111
> DST=aaa.bbb.ccc.31 LEN=48 TOS=0x00 PREC=0x00 TTL=110 ID=8918 PROTO=TCP
> SPT=58359 DPT=10000 WINDOW=65535 RES=0x00 SYN URGP=0
> Nov 27 00:49:00 web1 kernel: PUB_IN DROP 5 IN=eth0 OUT=
> MAC=00:14:22:1c:43:aa:00:e0:80:4f:23:00:08:00 SRC=210.188.207.111
> DST=aaa.bbb.ccc.34 LEN=48 TOS=0x00 PREC=0x00 TTL=110 ID=38465
> PROTO=TCP SPT=58359 DPT=10000 WINDOW=65535 RES=0x00 SYN URGP=0
> Nov 27 00:49:00 web1 kernel: PUB_IN DROP 5 IN=eth0 OUT=
> MAC=00:14:22:1c:43:aa:00:e0:80:4f:23:00:08:00 SRC=210.188.207.111
> DST=aaa.bbb.ccc.32 LEN=48 TOS=0x00 PREC=0x00 TTL=110 ID=52546
> PROTO=TCP SPT=58359 DPT=10000 WINDOW=65535 RES=0x00 SYN URGP=0
> Nov 27 00:49:00 web1 kernel: PUB_IN DROP 5 IN=eth0 OUT=
> MAC=00:14:22:1c:43:aa:00:e0:80:4f:23:00:08:00 SRC=210.188.207.111
> DST=aaa.bbb.ccc.37 LEN=48 TOS=0x00 PREC=0x00 TTL=110 ID=46468
> PROTO=TCP SPT=58359 DPT=10000 WINDOW=65535 RES=0x00 SYN URGP=0
> Nov 27 00:49:00 web1 kernel: PUB_IN DROP 5 IN=eth0 OUT=
> MAC=00:14:22:1c:43:aa:00:e0:80:4f:23:00:08:00 SRC=210.188.207.111
> DST=aaa.bbb.ccc.39 LEN=48 TOS=0x00 PREC=0x00 TTL=110 ID=43695
> PROTO=TCP SPT=58359 DPT=10000 WINDOW=65535 RES=0x00 SYN URGP=0
> Nov 27 00:49:00 web1 kernel: PUB_IN DROP 5 IN=eth0 OUT=
> MAC=00:14:22:1c:43:aa:00:e0:80:4f:23:00:08:00 SRC=210.188.207.111
> DST=aaa.bbb.ccc.57 LEN=48 TOS=0x00 PREC=0x00 TTL=110 ID=26697
> PROTO=TCP SPT=58359 DPT=10000 WINDOW=65535 RES=0x00 SYN URGP=0
> Nov 27 00:49:00 web1 kernel: PUB_IN DROP 5 IN=eth0 OUT=
> MAC=00:14:22:1c:43:aa:00:e0:80:4f:23:00:08:00 SRC=210.188.207.111
> DST=aaa.bbb.ccc.53 LEN=48 TOS=0x00 PREC=0x00 TTL=110 ID=29615
> PROTO=TCP SPT=58359 DPT=10000 WINDOW=65535 RES=0x00 SYN URGP=0
> Nov 27 00:49:00 web1 kernel: PUB_IN DROP 5 IN=eth0 OUT=
> MAC=00:14:22:1c:43:aa:00:e0:80:4f:23:00:08:00 SRC=210.188.207.111
> DST=aaa.bbb.ccc.55 LEN=48 TOS=0x00 PREC=0x00 TTL=110 ID=20678
> PROTO=TCP SPT=58359 DPT=10000 WINDOW=65535 RES=0x00 SYN URGP=0
> Nov 27 00:49:00 web1 kernel: PUB_IN DROP 5 IN=eth0 OUT=
> MAC=00:14:22:1c:43:aa:00:e0:80:4f:23:00:08:00 SRC=210.188.207.111
> DST=aaa.bbb.ccc.60 LEN=48 TOS=0x00 PREC=0x00 TTL=110 ID=54032
> PROTO=TCP SPT=58359 DPT=10000 WINDOW=65535 RES=0x00 SYN URGP=0
> Nov 27 00:49:00 web1 kernel: PUB_IN DROP 5 IN=eth0 OUT=
> MAC=00:14:22:1c:43:aa:00:e0:80:4f:23:00:08:00 SRC=210.188.207.111
> DST=aaa.bbb.ccc.59 LEN=48 TOS=0x00 PREC=0x00 TTL=110 ID=15925
> PROTO=TCP SPT=58359 DPT=10000 WINDOW=65535 RES=0x00 SYN URGP=0
> Nov 27 00:49:00 web1 kernel: PUB_IN DROP 5 IN=eth0 OUT=
> MAC=00:14:22:1c:43:aa:00:e0:80:4f:23:00:08:00 SRC=210.188.207.111
> DST=aaa.bbb.ccc.62 LEN=48 TOS=0x00 PREC=0x00 TTL=110 ID=52926
> PROTO=TCP SPT=58359 DPT=10000 WINDOW=65535 RES=0x00 SYN URGP=0
> Nov 27 00:49:00 web1 kernel: PUB_IN DROP 5 IN=eth0 OUT=
> MAC=00:14:22:1c:43:aa:00:e0:80:4f:23:00:08:00 SRC=210.188.207.111
> DST=aaa.bbb.ccc.64 LEN=48 TOS=0x00 PREC=0x00 TTL=110 ID=34007
> PROTO=TCP SPT=58359 DPT=10000 WINDOW=65535 RES=0x00 SYN URGP=0
> Nov 27 00:49:00 web1 kernel: PUB_IN DROP 5 IN=eth0 OUT=
> MAC=00:14:22:1c:43:aa:00:e0:80:4f:23:00:08:00 SRC=210.188.207.111
> DST=aaa.bbb.ccc.66 LEN=48 TOS=0x00 PREC=0x00 TTL=110 ID=44953
> PROTO=TCP SPT=58359 DPT=10000 WINDOW=65535 RES=0x00 SYN URGP=0
>
> In this case 210.188.207.111 from SAKURA Internet Inc. in Japan
> scanned TCP port 10000 56 times in approximately 60 seconds or less.
>
> Please let me know if you need more examples.
>
> Thank you.
>
