I wonder if someone knows of an attack library to test OSSEC, and if you know some rules to test these attacks in OSSEC. Thanks for any help.

Hesham
On Sunday, October 31, 2010 12:59:17 PM UTC-7, Js Opdebeeck wrote:
> Hello;
>
> I'd like to have a report in case of a network port scan, but I don't want
> to use Snort. There is a post about 'iplog', but this tool is really
> old.
>
> One solution is to work with portsentry or scanlogd.
>
> This last one is really easy to install.
>
> --
> syslog:Oct 31 20:12:23 O0O0O0O0 scanlogd: 192.168.2.101:53 to 192.168.2.103 ports 199, 995, 8080, 53, 5900, 445, 1720, 587, 8888, ..., fSrpauxy, TOS 00 @19:12:23
> syslog:Oct 31 20:36:23 O0O0O0O0 scanlogd: 192.168.2.101 to 192.168.2.103 ports 199, 22, 1, 113, 3389, 1720, 111, 110, ..., ??r?????, TOS 00 @19:27:49
> syslog:Oct 31 20:42:10 O0O0O0O0 scanlogd: 192.168.2.101:50438 to 192.168.2.103 ports 8888, 25, 443, 21, 587, 1025, 3389, 3306, ..., fSrpauxy, TOS 00 @19:42:10
> syslog:Oct 31 20:46:02 O0O0O0O0 scanlogd: 192.168.2.101:45282 to 192.168.2.103 ports 111, 25, 993, 8080, 1720, 3389, 110, 143, ..., fSrpauxy, TOS 00 @19:46:02
> syslog:Oct 31 20:46:39 O0O0O0O0 scanlogd: 192.168.2.101:39448 to 192.168.2.103 ports 995, 199, 139, 23, 143, 113, 3389, ..., fSrpauxy, TOS 00 @19:46:39
> syslog:Oct 31 20:47:02 O0O0O0O0 scanlogd: 192.168.2.101:34736 to 192.168.2.103 ports 80, 111, 554, 1025, 443, 993, 587, ..., fSrpauxy, TOS 00 @19:47:02
> syslog.1:Oct 29 12:40:52 O0O0O0O0 scanlogd: 127.0.0.1:52042 to 127.0.0.1 ports 445, 8080, 21, 554, 23, 995, 443, 1025, ..., fSrpauxy, TOS 00 @10:40:52
> syslog.1:Oct 29 12:41:13 O0O0O0O0 scanlogd: 192.168.177.102:62651 to 192.168.177.102 ports 1723, 25, 110, 1025, 3306, 8888, 22, 111, ..., f??pauxy, TOS 00 @10:41:13
> --
>
> Has someone already created OSSEC rules for this?
> If not, I'll try to do this, but I don't want to reinvent the wheel.
>
> Js Op de Beeck
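The following is an added example, not code posted in this thread and not part of OSSEC itself. It takes the scanlogd lines quoted above (with the "syslog:" / "syslog.1:" grep filename prefix stripped so they look like raw syslog records) and replays, in plain Python, what a custom OSSEC decoder plus a frequency rule would have to do: pull out source IP, optional source port, destination IP, port list and flag field from each report, raise a base alert per report, and escalate when the same source is reported several times inside a time window. The regex, the function names (`parse`, `evaluate`), the levels 6 and 10, the defaults of 3 reports in 600 seconds, and the year 2010 used to complete the syslog timestamps are all this example's own assumptions.

```python
"""Parse scanlogd syslog reports and apply an OSSEC-style frequency rule.

Added example for the thread above; not from scanlogd, OSSEC, or the poster.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed input: the scanlogd lines quoted in the thread, grep prefix removed.
SAMPLE_LINES = [
    "Oct 31 20:12:23 O0O0O0O0 scanlogd: 192.168.2.101:53 to 192.168.2.103 ports 199, 995, 8080, 53, 5900, 445, 1720, 587, 8888, ..., fSrpauxy, TOS 00 @19:12:23",
    "Oct 31 20:36:23 O0O0O0O0 scanlogd: 192.168.2.101 to 192.168.2.103 ports 199, 22, 1, 113, 3389, 1720, 111, 110, ..., ??r?????, TOS 00 @19:27:49",
    "Oct 31 20:42:10 O0O0O0O0 scanlogd: 192.168.2.101:50438 to 192.168.2.103 ports 8888, 25, 443, 21, 587, 1025, 3389, 3306, ..., fSrpauxy, TOS 00 @19:42:10",
    "Oct 31 20:46:02 O0O0O0O0 scanlogd: 192.168.2.101:45282 to 192.168.2.103 ports 111, 25, 993, 8080, 1720, 3389, 110, 143, ..., fSrpauxy, TOS 00 @19:46:02",
    "Oct 31 20:46:39 O0O0O0O0 scanlogd: 192.168.2.101:39448 to 192.168.2.103 ports 995, 199, 139, 23, 143, 113, 3389, ..., fSrpauxy, TOS 00 @19:46:39",
    "Oct 31 20:47:02 O0O0O0O0 scanlogd: 192.168.2.101:34736 to 192.168.2.103 ports 80, 111, 554, 1025, 443, 993, 587, ..., fSrpauxy, TOS 00 @19:47:02",
    "Oct 29 12:40:52 O0O0O0O0 scanlogd: 127.0.0.1:52042 to 127.0.0.1 ports 445, 8080, 21, 554, 23, 995, 443, 1025, ..., fSrpauxy, TOS 00 @10:40:52",
    "Oct 29 12:41:13 O0O0O0O0 scanlogd: 192.168.177.102:62651 to 192.168.177.102 ports 1723, 25, 110, 1025, 3306, 8888, 22, 111, ..., f??pauxy, TOS 00 @10:41:13",
]

# Assumed field layout, derived from the quoted lines only:
#   <syslog ts> <host> scanlogd: <srcip>[:<srcport>] to <dstip> ports <list>, <flags>, TOS <tos> @<stamp>
# The source port is optional (second quoted line has none), so it is its own optional group.
SCAN_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) scanlogd: "
    r"(?P<srcip>\d+\.\d+\.\d+\.\d+)(?::(?P<srcport>\d+))? to (?P<dstip>\d+\.\d+\.\d+\.\d+) "
    r"ports (?P<ports>.*?), (?P<flags>\S+), TOS (?P<tos>\S+) @(?P<stamp>\S+)$"
)


def parse(line, year=2010):
    """Decode one syslog line; return a dict of fields, or None if it is not a scanlogd report."""
    m = SCAN_RE.match(line)
    if m is None:
        return None
    # syslog has no year; the caller supplies one (assumption: 2010, the thread's date).
    when = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    # scanlogd truncates the list with "..."; keep only the numeric entries.
    ports = [int(p) for p in m["ports"].split(", ") if p.isdigit()]
    return {
        "time": when,
        "host": m["host"],
        "srcip": m["srcip"],
        "srcport": int(m["srcport"]) if m["srcport"] else None,
        "dstip": m["dstip"],
        "ports": ports,
        "flags": m["flags"],
        "tos": m["tos"],
        "stamp": m["stamp"],
    }


def evaluate(lines, frequency=3, timeframe=600, year=2010):
    """Replay the lines through a base rule and a frequency rule.

    Returns (level, time, srcip, description) tuples: level 6 for every scanlogd
    report, level 10 whenever one srcip has been reported `frequency` or more
    times within `timeframe` seconds (a sliding window, like OSSEC's
    frequency/timeframe matching, simplified).
    """
    events = sorted((e for e in map(lambda l: parse(l, year), lines) if e), key=lambda e: e["time"])
    alerts = []
    recent = defaultdict(deque)  # srcip -> timestamps inside the window
    for ev in events:
        desc = "scanlogd: port scan reported"
        if ev["srcip"] == ev["dstip"]:
            # Self-scans (loopback or a local scanner) are worth a distinct message.
            desc = "scanlogd: host reported a scan of itself"
        alerts.append((6, ev["time"], ev["srcip"], desc))

        window = recent[ev["srcip"]]
        window.append(ev["time"])
        while (ev["time"] - window[0]).total_seconds() > timeframe:
            window.popleft()
        if len(window) >= frequency:
            alerts.append((10, ev["time"], ev["srcip"],
                           f"scanlogd: {len(window)} scan reports from {ev['srcip']} within {timeframe}s"))
    return alerts


if __name__ == "__main__":
    for level, when, srcip, desc in evaluate(SAMPLE_LINES):
        print(f"{when:%b %d %H:%M:%S} level={level:<2} src={srcip:<16} {desc}")
```

Run against the quoted lines this yields eight level-6 alerts and three level-10 escalations, all for 192.168.2.101, the first at 20:46:02 when the reports from 20:36:23, 20:42:10 and 20:46:02 fall inside one 600-second window. In OSSEC the same thing is expressed with a decoder keyed on the scanlogd program name that extracts srcip and dstip, a base rule matching that decoder, and a child rule on the same source IP carrying frequency and timeframe attributes; the exact regex syntax and thresholds there differ from this Python and have to be tested against real lines, which is exactly what the samples above are good for.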
