Dan, I close this post and open a new one called Portsentry ..
Thanks for your help, I'll try this.

On Nov 2, 12:07 am, "dan (ddp)" <[email protected]> wrote:
> Completely untested:
>
> <decoder name="portsentry">
>   <program_name>portsentry</program_name>
> </decoder>
>
> <decoder name="portsentry-attackalert">
>   <parent>portsentry</parent>
>   <prematch>attackalert: Connect from </prematch>
>   <regex offset="after_prematch">ost: (\S+)/\S+ to \S+ port: (\d+)$</regex>
>   <order>srcip, dstport</order>
> </decoder>
>
> <decoder name="portsentry-blocked">
>   <parent>portsentry</parent>
>   <prematch>is already blocked. Ignoring$</prematch>
>   <regex>Host: (\S+) is</regex>
>   <order>srcip</order>
> </decoder>
>
> On Mon, Nov 1, 2010 at 6:42 PM, Js Opdebeeck <[email protected]> wrote:
> > Hello Doug
> >
> > Thanks for your note. The host is Ubuntu and the default firewall is ufw.
> >
> > Regarding the Port Scan detection, I will move to PortSentry (more common than iplog or scanlogd), and with more options.
> > Install portsentry:
> >
> > sudo apt-get install portsentry
> >
> > Create a dedicated rule:
> > sudo vi /var/ossec/rules/local_rules.xml
> >
> > <group name="syslog,sentry,">
> >   <rule id="160100" level="12">
> >     <match>attackalert</match>
> >     <description>Port Sentry Attack Alert</description>
> >   </rule>
> > </group>
> >
> > But the goal will be to extract the IP and source (for alert grouping) ... with a decoder.xml, but too hard for me.
> >
> > Sample syslog
> >
> > Nov 1 19:28:58 testserver portsentry[1620]: adminalert: Going into listen mode on UDP port: 31337
> > Nov 1 19:28:58 testserver portsentry[1620]: adminalert: Going into listen mode on UDP port: 54321
> > Nov 1 19:28:58 testserver portsentry[1620]: adminalert: PortSentry is now active and listening.
> > Nov 1 19:31:33 testserver portsentry[1616]: attackalert: Connect from host: 192.168.45.1/192.168.45.1 to TCP port: 1
> > Nov 1 19:31:33 testserver portsentry[1616]: attackalert: Ignoring TCP response per configuration file setting.
> > Nov 1 19:31:33 testserver portsentry[1616]: attackalert: Connect from host: 192.168.45.1/192.168.45.1 to TCP port: 79
> > Nov 1 19:31:33 testserver portsentry[1616]: attackalert: Host: 192.168.45.1 is already blocked. Ignoring
> > Nov 1 19:31:33 testserver portsentry[1616]: attackalert: Connect from host: 192.168.45.1/192.168.45.1 to TCP port: 111
> > Nov 1 19:31:33 testserver portsentry[1616]: attackalert: Host: 192.168.45.1 is already blocked. Ignoring
> > Nov 1 19:31:33 testserver portsentry[1616]: attackalert: Connect from host: 192.168.45.1/192.168.45.1 to TCP port: 119
> > Nov 1 19:31:33 testserver portsentry[1616]: attackalert: Host: 192.168.45.1 is already blocked. Ignoring
> > Nov 1 19:31:33 testserver portsentry[1616]: attackalert: Connect from host: 192.168.45.1/192.168.45.1 to TCP port: 143
> > Nov 1 19:31:33 testserver portsentry[1616]: attackalert: Host: 192.168.45.1 is already blocked. Ignoring
> > Nov 1 19:31:33 testserver portsentry[1616]: attackalert: Connect from host: 192.168.45.1/192.168.45.1 to TCP port: 1080
> > ...
> >
> > Js Op de Beeck
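As an added worked example (not code from the thread, and not OSSEC's own decoder engine), the following Python script emulates what the posted decoder structure does: it checks the syslog program name (the parent decoder), applies each child's prematch, runs the regex on the text after the prematch where `offset="after_prematch"` is set, and maps the captures onto `srcip` and `dstport`. It then groups the decoded events by `srcip` and counts distinct destination ports, which is the per-source grouping the original poster was after. The sample input is the portsentry lines from the post plus one constructed `sshd` line to show non-portsentry traffic being skipped. The syslog header regex, the function names and the three-port threshold are assumptions made for this example. Note that the srcip capture must be `(\S+)`; a bare `(\S)` would capture only the first digit of the address.

```python
import re
from collections import defaultdict

# Syslog header as it appears in the post: "Nov 1 19:31:33 testserver portsentry[1616]: <message>"
# (assumed format; the PID in brackets is optional).
SYSLOG_RE = re.compile(
    r'^\w{3}\s+\d+ \d\d:\d\d:\d\d (\S+) (\S+?)(?:\[(\d+)\])?: (.*)$'
)

# Parent decoder: only lines whose program name is "portsentry" are considered.
PARENT_PROGRAM = "portsentry"

# Child decoders, mirroring <prematch>, <regex offset="after_prematch">, <order>
# from the thread (OSSEC regex syntax translated to Python re syntax).
CHILD_DECODERS = [
    {
        "name": "portsentry-attackalert",
        "prematch": re.compile(r'attackalert: Connect from '),
        "after_prematch": True,   # regex runs on the text after the prematch
        "regex": re.compile(r'ost: (\S+)/\S+ to \S+ port: (\d+)$'),
        "order": ["srcip", "dstport"],
    },
    {
        "name": "portsentry-blocked",
        "prematch": re.compile(r'is already blocked\. Ignoring$'),
        "after_prematch": False,  # regex runs on the whole message
        "regex": re.compile(r'Host: (\S+) is'),
        "order": ["srcip"],
    },
]

# Lines from the original post, plus one constructed sshd line (not portsentry).
SAMPLE_LOG = """\
Nov 1 19:28:58 testserver portsentry[1620]: adminalert: PortSentry is now active and listening.
Nov 1 19:31:33 testserver portsentry[1616]: attackalert: Connect from host: 192.168.45.1/192.168.45.1 to TCP port: 1
Nov 1 19:31:33 testserver portsentry[1616]: attackalert: Ignoring TCP response per configuration file setting.
Nov 1 19:31:33 testserver portsentry[1616]: attackalert: Connect from host: 192.168.45.1/192.168.45.1 to TCP port: 79
Nov 1 19:31:33 testserver portsentry[1616]: attackalert: Host: 192.168.45.1 is already blocked. Ignoring
Nov 1 19:31:33 testserver portsentry[1616]: attackalert: Connect from host: 192.168.45.1/192.168.45.1 to TCP port: 111
Nov 1 19:31:33 testserver portsentry[1616]: attackalert: Connect from host: 192.168.45.1/192.168.45.1 to TCP port: 143
Nov 1 19:31:34 testserver sshd[2201]: Accepted publickey for ops from 192.168.45.7 port 50122 ssh2
"""


def decode(line):
    """Decode one syslog line. Returns a dict of fields, or None if the
    parent decoder (program_name) does not match."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    hostname, program, _pid, msg = m.groups()
    if program != PARENT_PROGRAM:
        return None
    # Matched the parent only: no fields extracted unless a child matches too.
    event = {"decoder": PARENT_PROGRAM, "hostname": hostname, "program_name": program}
    for d in CHILD_DECODERS:
        pm = d["prematch"].search(msg)
        if not pm:
            continue
        text = msg[pm.end():] if d["after_prematch"] else msg
        rm = d["regex"].search(text)
        if not rm:
            continue
        event["decoder"] = d["name"]
        event.update(zip(d["order"], rm.groups()))
        break
    return event


def decode_all(log_text):
    """Decode every non-empty line, dropping lines no decoder accepts."""
    events = (decode(line) for line in log_text.splitlines() if line.strip())
    return [e for e in events if e is not None]


def ports_by_source(events):
    """Distinct destination ports per source IP from attackalert connects.
    This is the grouping a rule with <same_source_ip/> and <frequency>
    performs once srcip is decoded."""
    seen = defaultdict(set)
    for e in events:
        if e["decoder"] == "portsentry-attackalert":
            seen[e["srcip"]].add(int(e["dstport"]))
    return {ip: sorted(ports) for ip, ports in seen.items()}


def scanners(events, min_ports=3):
    """Source IPs that touched at least min_ports distinct ports (assumed threshold)."""
    return sorted(ip for ip, ports in ports_by_source(events).items()
                  if len(ports) >= min_ports)


if __name__ == "__main__":
    evs = decode_all(SAMPLE_LOG)
    for e in evs:
        print(e)
    print("ports by source:", ports_by_source(evs))
    print("likely scanners:", scanners(evs))
```

Once the real decoder fills `srcip`, the same grouping is available in OSSEC itself by adding a composite rule that uses `<if_matched_sid>160100</if_matched_sid>` together with `<same_source_ip/>`, `<frequency>` and `<timeframe>`, so that a burst of attackalert connects from one address fires a single higher-level alert instead of one alert per port.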
