Hello list, I've tried 2 combinations of Snort logging and 3 OSSEC parsers:
1) Snort -> alert_full -> ossec[snort-full] =
[**] [1:5001684:99] E3[rb] BotHunter Malware Windows executable (PE) sent
from remote host [**]
As you can see there is no SRC/DST IP, no Xref tags, no ID, etc., just
the useless line above.
2) Snort -> alert_full -> ossec[multi-line:10] =
[**] [1:2100538:17] GPL NETBIOS SMB IPC$ unicode share access [**]
[Classification: Generic Protocol Command Decode] [Priority: 3]
08/05-05:35:51.201302 192.168.1.2:4800 -> 192.168.1.6:139 TCP TTL:126
TOS:0x0 ID:1527 IpLen:20 DgmLen:140 DF ***AP*** Seq: 0xFC97B192 Ack:
0x24EB759C Win: 0xFCE7 TcpLen: 20 [**] [1:2100538:17] GPL NETBIOS SMB IPC$
unicode share access [**] [Classification: Generic Protocol Command Decode]
[Priority: 3] 08/05-05:35:51.505576 192.168.1.2 :4801 -> 192.168.1.6:139
TCP TTL:126 TOS:0x0 ID:1551 IpLen:20 DgmLen:140 DF
As you can see now, due to the different number of lines in each alert, we
get some alerts mixed or truncated; some alerts have more than one Xref tag,
so 10 lines for multi-line reading is wrong because it is fixed.
3) Snort -> alert_fast -> ossec[snort-fast] =
08/05-11:18:55.267293 [**] [1:2101411:12] GPL SNMP public access udp [**]
[Classification: Attempted Information Leak] [Priority: 2] {UDP}
10.206.85.168:54872 -> 10.206.91.40:161
It's working, but I really need the full log; sometimes the ID, packet info
and Xref are useful.
Versions:
Snort: 2.9.2.2 IPv6 GRE (Build 121)
OSSEC: 2.7.1
Snort (alert_full examples)
[**] [1:2100376:8] GPL ICMP_INFO PING Microsoft Windows [**]
[Classification: Misc activity] [Priority: 3]
08/04-22:24:54.228442 192.168.1.23 -> 192.168.1.25
ICMP TTL:126 TOS:0x0 ID:16644 IpLen:20 DgmLen:60
Type:8 Code:0 ID:512 Seq:16079 ECHO
[Xref => http://www.whitehats.com/info/IDS159]
[**] [1:2100538:17] GPL NETBIOS SMB IPC$ unicode share access [**]
[Classification: Generic Protocol Command Decode] [Priority: 3]
08/04-22:24:55.610646 192.168.1.28:1257 -> 192.168.1.25:139
TCP TTL:125 TOS:0x0 ID:3584 IpLen:20 DgmLen:136 DF
***AP*** Seq: 0xB000F47F Ack: 0x9A2D4A80 Win: 0xFABA TcpLen: 20
[**] [1:2103003:7] GPL NETBIOS SMB-DS Session Setup NTMLSSP unicode asn1 overflow attempt [**]
[Classification: Generic Protocol Command Decode] [Priority: 3]
08/04-22:24:55.847944 192.168.1.28:1258 -> 192.168.1.25:445
TCP TTL:125 TOS:0x0 ID:3595 IpLen:20 DgmLen:1500 DF
***A**** Seq: 0x6BCD86DD Ack: 0xC26980EC Win: 0xFF49 TcpLen: 20
[Xref => http://www.microsoft.com/technet/security/bulletin/MS04-007.mspx][Xref => http://cgi.nessus.org/plugins/dump.php3?id=12065][Xref => http://cgi.nessus.org/plugins/dump.php3?id=12052][Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=2003-0818][Xref => http://www.securityfocus.com/bid/9635][Xref => http://www.securityfocus.com/bid/9633]
Does anyone have a tip?
Best regards in advance.
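The problem described in this post is that alert_full records have a variable number of lines, so any fixed line count (multi-line:10) mixes or truncates them. A record-oriented parser that starts a new alert at each `[**] [gid:sid:rev]` header avoids that; the following is an added example (not OSSEC's or Snort's own code) with a constructed sample built from the alerts quoted above, and it assumes IPv4 addresses in the packet line.

```python
import re
from typing import Any, Dict, List
# Constructed sample in alert_full layout, built from the alerts quoted in the post.
SAMPLE = """\
[**] [1:2100376:8] GPL ICMP_INFO PING Microsoft Windows [**]
[Classification: Misc activity] [Priority: 3]
08/04-22:24:54.228442 192.168.1.23 -> 192.168.1.25
ICMP TTL:126 TOS:0x0 ID:16644 IpLen:20 DgmLen:60
[Xref => http://www.whitehats.com/info/IDS159]

[**] [1:2100538:17] GPL NETBIOS SMB IPC$ unicode share access [**]
[Classification: Generic Protocol Command Decode] [Priority: 3]
08/04-22:24:55.610646 192.168.1.28:1257 -> 192.168.1.25:139
TCP TTL:125 TOS:0x0 ID:3584 IpLen:20 DgmLen:136 DF
[**] [1:2103003:7] GPL NETBIOS SMB-DS Session Setup NTMLSSP unicode asn1 overflow attempt [**]
[Classification: Generic Protocol Command Decode] [Priority: 3]
08/04-22:24:55.847944 192.168.1.28:1258 -> 192.168.1.25:445
TCP TTL:125 TOS:0x0 ID:3595 IpLen:20 DgmLen:1500 DF
***A**** Seq: 0x6BCD86DD Ack: 0xC26980EC Win: 0xFF49 TcpLen: 20
[Xref => http://www.microsoft.com/technet/security/bulletin/MS04-007.mspx][Xref => http://www.securityfocus.com/bid/9635]
"""

HEADER = re.compile(r"^\[\*\*\] \[(\d+):(\d+):(\d+)\] (.*?) \[\*\*\]$")
CLASS = re.compile(r"\[Classification: (.*?)\] \[Priority: (\d+)\]")
PACKET = re.compile(r"^(\d\d/\d\d-\d\d:\d\d:\d\d\.\d+) (\S+) -> (\S+)$")
XREF = re.compile(r"\[Xref => (.*?)\]")

def _endpoint(key: str, ep: str) -> Dict[str, Any]:
    host, sep, port = ep.rpartition(":")  # assumes IPv4; a bare address (ICMP) carries no port
    return {f"{key}_ip": host if sep else ep, f"{key}_port": int(port) if sep else None}

def parse_alert_full(text: str) -> List[Dict[str, Any]]:
    """New record at each '[**] [gid:sid:rev]' header, so 4-, 5- or 6+-line alerts stay intact."""
    alerts: List[Dict[str, Any]] = []
    for line in text.splitlines():
        if (h := HEADER.match(line)):
            alerts.append({"gid": int(h[1]), "sid": int(h[2]), "rev": int(h[3]),
                           "msg": h[4], "xrefs": []})
        elif not alerts or not line.strip():
            continue  # blank separator between records, or text before the first header
        elif (c := CLASS.search(line)):
            alerts[-1].update(classification=c[1], priority=int(c[2]))
        elif (p := PACKET.match(line)):
            alerts[-1].update(timestamp=p[1], **_endpoint("src", p[2]), **_endpoint("dst", p[3]))
        elif " TTL:" in line and "proto" not in alerts[-1]:
            alerts[-1]["proto"] = line.split()[0]  # ICMP / TCP / UDP line that follows the packet line
        else:
            alerts[-1]["xrefs"].extend(XREF.findall(line))  # zero, one or many Xref tags per record
    return alerts
```

Each returned dict carries the SID, source/destination addresses and ports, and every Xref, which is exactly what the snort-full and fixed multi-line decoders lose.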