Completely untested:

<!-- Parent decoder: matches on the syslog program name -->
<decoder name="portsentry">
  <program_name>portsentry</program_name>
</decoder>

<!-- "attackalert: Connect from host: A.B.C.D/name to TCP port: N" -->
<decoder name="portsentry-attackalert">
  <parent>portsentry</parent>
  <prematch>attackalert: Connect from </prematch>
  <regex offset="after_prematch">^host: (\S+)/\S+ to \S+ port: (\d+)$</regex>
  <order>srcip, dstport</order>
</decoder>

<!-- "attackalert: Host: A.B.C.D is already blocked. Ignoring" -->
<decoder name="portsentry-blocked">
  <parent>portsentry</parent>
  <prematch>is already blocked. Ignoring$</prematch>
  <regex>Host: (\S+) is</regex>
  <order>srcip</order>
</decoder>

On Mon, Nov 1, 2010 at 6:42 PM, Js Opdebeeck <[email protected]> wrote:
> Hello Doug
>
> Thanks for your note. The host is Ubuntu and the default firewall is
> ufw.
>
> Regarding the Port Scan detection, I will move to PortSentry (more
> common than iplog or scanlogd), and with more options.
>
> Install portsentry:
>
> sudo apt-get install portsentry
>
> Create a dedicated rule:
>
> sudo vi /var/ossec/rules/local_rules.xml
>
> <group name="syslog,sentry,">
>   <rule id="160100" level="12">
>     <match>attackalert</match>
>     <description>Port Sentry Attack Alert</description>
>   </rule>
> </group>
>
> But the goal will be to extract the IP and source (for alert grouping) ...
> with a decoder.xml, but too hard for me.
>
> Sample syslog
>
> Nov 1 19:28:58 testserver portsentry[1620]: adminalert: Going into listen mode on UDP port: 31337
> Nov 1 19:28:58 testserver portsentry[1620]: adminalert: Going into listen mode on UDP port: 54321
> Nov 1 19:28:58 testserver portsentry[1620]: adminalert: PortSentry is now active and listening.
> Nov 1 19:31:33 testserver portsentry[1616]: attackalert: Connect from host: 192.168.45.1/192.168.45.1 to TCP port: 1
> Nov 1 19:31:33 testserver portsentry[1616]: attackalert: Ignoring TCP response per configuration file setting.
> Nov 1 19:31:33 testserver portsentry[1616]: attackalert: Connect from host: 192.168.45.1/192.168.45.1 to TCP port: 79
> Nov 1 19:31:33 testserver portsentry[1616]: attackalert: Host: 192.168.45.1 is already blocked. Ignoring
> Nov 1 19:31:33 testserver portsentry[1616]: attackalert: Connect from host: 192.168.45.1/192.168.45.1 to TCP port: 111
> Nov 1 19:31:33 testserver portsentry[1616]: attackalert: Host: 192.168.45.1 is already blocked. Ignoring
> Nov 1 19:31:33 testserver portsentry[1616]: attackalert: Connect from host: 192.168.45.1/192.168.45.1 to TCP port: 119
> Nov 1 19:31:33 testserver portsentry[1616]: attackalert: Host: 192.168.45.1 is already blocked. Ignoring
> Nov 1 19:31:33 testserver portsentry[1616]: attackalert: Connect from host: 192.168.45.1/192.168.45.1 to TCP port: 143
> Nov 1 19:31:33 testserver portsentry[1616]: attackalert: Host: 192.168.45.1 is already blocked. Ignoring
> Nov 1 19:31:33 testserver portsentry[1616]: attackalert: Connect from host: 192.168.45.1/192.168.45.1 to TCP port: 1080
> ...
>
> Js Op de Beeck
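Added example, not part of the thread and not OSSEC code: a small Python approximation of the three decoders above, run over constructed sample lines shaped like the quoted portsentry syslog (one extra source IP, one UDP hit and one sshd line are added to show grouping and the program_name filter). It emulates the parent program_name check, the prematch, the after_prematch offset and the order mapping with Python's re, then groups the extracted srcip/dstport pairs per source, which is the grouping the poster asked for. The `capture_groups` helper also shows why a single-character capture such as `(\S)` can never hold an IP address. Everything here (SYSLOG_RE, CHILD_DECODERS, the sample lines) is an assumption made for the example; OSSEC's own regex engine is not Python's, so the real check is still ossec-logtest.

```python
import re
from collections import defaultdict

# Constructed sample lines (not from a live system) in the shape of the
# portsentry syslog excerpt quoted in the thread, plus a second source IP,
# one UDP hit and one non-portsentry line.
SAMPLE_LOG = """\
Nov  1 19:28:58 testserver portsentry[1620]: adminalert: PortSentry is now active and listening.
Nov  1 19:31:33 testserver portsentry[1616]: attackalert: Connect from host: 192.168.45.1/192.168.45.1 to TCP port: 1
Nov  1 19:31:33 testserver portsentry[1616]: attackalert: Ignoring TCP response per configuration file setting.
Nov  1 19:31:33 testserver portsentry[1616]: attackalert: Connect from host: 192.168.45.1/192.168.45.1 to TCP port: 79
Nov  1 19:31:33 testserver portsentry[1616]: attackalert: Host: 192.168.45.1 is already blocked. Ignoring
Nov  1 19:31:33 testserver portsentry[1616]: attackalert: Connect from host: 192.168.45.1/192.168.45.1 to TCP port: 111
Nov  1 19:31:34 testserver portsentry[1616]: attackalert: Connect from host: 10.0.0.7/scanner.example to UDP port: 31337
Nov  1 19:31:35 testserver sshd[2001]: Accepted publickey for admin from 10.0.0.9 port 51022 ssh2
"""

# Syslog header: "<Mon> <day> <time> <host> <program>[<pid>]: <message>".
# Assumed stand-in for OSSEC's syslog pre-decoding (program_name / message).
SYSLOG_RE = re.compile(
    r"^\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2} \S+ (?P<program>[^\[:\s]+)(?:\[\d+\])?: (?P<msg>.*)$"
)

# Python translations of the two child decoders. \S+ and \d+ mean the same in
# Python's re; offset="after_prematch" is emulated by slicing the message at
# the end of the prematch hit before applying the regex.
CHILD_DECODERS = [
    {
        "name": "portsentry-attackalert",
        "prematch": re.compile(r"attackalert: Connect from "),
        "after_prematch": True,
        "regex": re.compile(r"^host: (\S+)/\S+ to \S+ port: (\d+)$"),
        "order": ("srcip", "dstport"),
    },
    {
        "name": "portsentry-blocked",
        "prematch": re.compile(r"is already blocked\. Ignoring$"),
        "after_prematch": False,
        "regex": re.compile(r"Host: (\S+) is"),
        "order": ("srcip",),
    },
]


def decode(line):
    """Return the decoded fields for one syslog line, or None if the line is
    not from portsentry (the parent decoder's <program_name> check)."""
    m = SYSLOG_RE.match(line)
    if not m or m.group("program") != "portsentry":
        return None
    msg = m.group("msg")
    for d in CHILD_DECODERS:
        pm = d["prematch"].search(msg)
        if not pm:
            continue
        target = msg[pm.end():] if d["after_prematch"] else msg
        rm = d["regex"].search(target)
        if not rm:
            continue  # prematch hit but regex did not: try the next child
        fields = dict(zip(d["order"], rm.groups()))
        fields["decoder"] = d["name"]
        return fields
    return {"decoder": "portsentry"}  # parent matched, no child extracted fields


def ports_per_source(log_text):
    """Group decoded attackalert hits by srcip, the field wanted for alert
    grouping. Returns {srcip: [dstport, ...]} in log order."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        ev = decode(line)
        if ev and ev.get("decoder") == "portsentry-attackalert":
            hits[ev["srcip"]].append(int(ev["dstport"]))
    return dict(hits)


def capture_groups(pattern, text):
    """Apply a regex and return its capture groups, or None on no match. Used
    to compare candidate <regex> bodies against a real message fragment."""
    m = re.search(pattern, text)
    return m.groups() if m else None


if __name__ == "__main__":
    for line in SAMPLE_LOG.splitlines():
        print(decode(line))
    print(ports_per_source(SAMPLE_LOG))
    fragment = "host: 192.168.45.1/192.168.45.1 to TCP port: 1"
    # A one-character capture cannot hold an IP address, so this never matches.
    print(capture_groups(r"^host: (\S)/\S+ to \S+ port: (\d+)$", fragment))
    print(capture_groups(r"^host: (\S+)/\S+ to \S+ port: (\d+)$", fragment))
```

Once the decoders are in /var/ossec/etc/local_decoder.xml, paste one of the attackalert lines into /var/ossec/bin/ossec-logtest on the OSSEC server: it prints which decoder fired and the srcip/dstport it extracted, which is what rules can then group on.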
