I got a chance to test it out a tiny bit (very tiny). Here's something
that seemed to work a bit better:
<decoder name="portsentry">
<program_name>portsentry</program_name>
</decoder>
<decoder name="portsentry-attackalert">
<parent>portsentry</parent>
<prematch>attackalert: Connect from host: </prematch>
<regex offset="after_prematch">(\S+)/\S+ to (\S+) port: (\d+)$</regex>
<order>srcip,protocol,dstport</order>
</decoder>
<decoder name="portsentry-blocked">
<parent>portsentry</parent>
<prematch>is already blocked. Ignoring$</prematch>
<regex>Host: (\S+) is</regex>
<order>srcip</order>
</decoder>
On Tue, Nov 2, 2010 at 3:35 PM, Js Opdebeeck <[email protected]> wrote:
> Dan
>
> I close this post and open a new one called Portsentry ..
>
> Thanks for your help, I'll try this.
>
> On Nov 2, 12:07 am, "dan (ddp)" <[email protected]> wrote:
>> Completely untested:
>> <decoder name="portsentry">
>> <program_name>portsentry</program_name>
>> </decoder>
>>
>> <decoder name="portsentry-attackalert">
>> <parent>portsentry</parent>
>> <prematch>attackalert: Connect from </prematch>
>> <regex offset="after_prematch">ost: (\S)/\S+ to \S+ port: (\d+)$</regex>
>> <order>srcip, dstport</order>
>> </decoder>
>>
>> <decoder name="portsentry-blocked">
>> <parent>portsentry</parent>
>> <prematch>is already blocked. Ignoring$</prematch>
>> <regex>Host: (\S+) is</regex>
>> <order>srcip</order>
>> </decoder>
>>
>> On Mon, Nov 1, 2010 at 6:42 PM, Js Opdebeeck <[email protected]> wrote:
>> > Hello Doug
>>
>> > Thanks for your note. The host is Ubuntu and the default firewall is
>> > ufw.
>>
>> > Regarding the Port Scan detection, I will move to PortSentry (more
>> > common than iplog or scanlogd), and with more options.
>> > Install portsentry:
>>
>> > sudo apt-get install portsentry
>>
>> > Create a dedicated rule:
>> > sudo vi /var/ossec/rules/local_rules.xml
>>
>> > <group name="syslog,sentry,">
>> > <rule id="160100" level="12">
>> > <match>attackalert</match>
>> > <description>Port Sentry Attack Alert</description>
>> > </rule>
>> > </group>
>>
>> > But the goal will be to extract the IP and source (for alert grouping) ...
>> > with a decoder.xml, but that is too hard for me.
>>
>> > Sample syslog
>>
>> > Nov 1 19:28:58 testserver portsentry[1620]: adminalert: Going into
>> > listen mode on UDP port: 31337
>> > Nov 1 19:28:58 testserver portsentry[1620]: adminalert: Going into
>> > listen mode on UDP port: 54321
>> > Nov 1 19:28:58 testserver portsentry[1620]: adminalert: PortSentry is
>> > now active and listening.
>> > Nov 1 19:31:33 testserver portsentry[1616]: attackalert: Connect from
>> > host: 192.168.45.1/192.168.45.1 to TCP port: 1
>> > Nov 1 19:31:33 testserver portsentry[1616]: attackalert: Ignoring TCP
>> > response per configuration file setting.
>> > Nov 1 19:31:33 testserver portsentry[1616]: attackalert: Connect from
>> > host: 192.168.45.1/192.168.45.1 to TCP port: 79
>> > Nov 1 19:31:33 testserver portsentry[1616]: attackalert: Host:
>> > 192.168.45.1 is already blocked. Ignoring
>> > Nov 1 19:31:33 testserver portsentry[1616]: attackalert: Connect from
>> > host: 192.168.45.1/192.168.45.1 to TCP port: 111
>> > Nov 1 19:31:33 testserver portsentry[1616]: attackalert: Host:
>> > 192.168.45.1 is already blocked. Ignoring
>> > Nov 1 19:31:33 testserver portsentry[1616]: attackalert: Connect from
>> > host: 192.168.45.1/192.168.45.1 to TCP port: 119
>> > Nov 1 19:31:33 testserver portsentry[1616]: attackalert: Host:
>> > 192.168.45.1 is already blocked. Ignoring
>> > Nov 1 19:31:33 testserver portsentry[1616]: attackalert: Connect from
>> > host: 192.168.45.1/192.168.45.1 to TCP port: 143
>> > Nov 1 19:31:33 testserver portsentry[1616]: attackalert: Host:
>> > 192.168.45.1 is already blocked. Ignoring
>> > Nov 1 19:31:33 testserver portsentry[1616]: attackalert: Connect from
>> > host: 192.168.45.1/192.168.45.1 to TCP port: 1080
>> > ...
>>
>> > Js Op de Beeck
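As an added example (not part of the thread and not OSSEC's own code): the decoders at the top of the reply, emulated in Python and run over the sample syslog lines from the original message, to show which fields each child decoder yields and which lines only reach the parent decoder. The syslog header pattern and the sshd line are constructed assumptions.

```python
import re

# Added example, not from the thread: emulate how the two child decoders posted
# at the top of the reply pull fields out of PortSentry syslog lines. The syslog
# header parser below is a simplified assumption, not OSSEC's own code.
SYSLOG_HDR = re.compile(
    r"^\w{3}\s+\d+ \d\d:\d\d:\d\d \S+ (?P<prog>[^\[:]+)(?:\[\d+\])?: (?P<msg>.*)$"
)

# The child decoders as posted; both patterns happen to be valid OSSEC and Python regexes.
CHILD_DECODERS = [
    {"name": "portsentry-attackalert",
     "prematch": r"attackalert: Connect from host: ",
     "offset": "after_prematch",
     "regex": r"(\S+)/\S+ to (\S+) port: (\d+)$",
     "order": ["srcip", "protocol", "dstport"]},
    {"name": "portsentry-blocked",
     "prematch": r"is already blocked. Ignoring$",
     "offset": None,
     "regex": r"Host: (\S+) is",
     "order": ["srcip"]},
]

def decode(line):
    """Return (decoder_name, fields), or None when <program_name> does not match."""
    hdr = SYSLOG_HDR.match(line)
    if not hdr or hdr.group("prog") != "portsentry":
        return None
    msg = hdr.group("msg")
    for dec in CHILD_DECODERS:          # first matching child wins, as in OSSEC
        pre = re.search(dec["prematch"], msg)
        if not pre:
            continue
        # offset="after_prematch" runs the regex only on the text after the prematch.
        haystack = msg[pre.end():] if dec["offset"] == "after_prematch" else msg
        m = re.search(dec["regex"], haystack)
        if m:
            return dec["name"], dict(zip(dec["order"], m.groups()))
    return "portsentry", {}             # parent matched, nothing extracted (e.g. adminalert)

# Lines unwrapped from the sample syslog in the thread, plus one constructed sshd line.
SAMPLE_LINES = [
    "Nov 1 19:28:58 testserver portsentry[1620]: adminalert: PortSentry is now active and listening.",
    "Nov 1 19:31:33 testserver portsentry[1616]: attackalert: Connect from host: 192.168.45.1/192.168.45.1 to TCP port: 1",
    "Nov 1 19:31:33 testserver portsentry[1616]: attackalert: Host: 192.168.45.1 is already blocked. Ignoring",
    "Nov 1 19:31:33 testserver sshd[999]: Accepted publickey for bob from 10.0.0.5 port 50000 ssh2",
]

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(decode(line))
```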