Dear all,

I worked on MHN Honeypot and now I am able to log IPs in a specific log file, and by using OSSEC and active response ALL my servers are able to ban IPs coming to the honeypot (for the MHN script I wrote, see: https://groups.google.com/d/msg/modern-honey-network/szahW2nS2UM/oQTmlaXbyTEJ). So everything is working fine, but I want to improve it a little before sharing a kind of how-to on this... and so I need your insight!
On the OSSEC server I created this decoder and these rules:

*DECODER:*

    <decoder name="mhn">
      <program_name>MHN</program_name>
      <!-- commented-out alternative:
      <prematch>^MHN: New attack from </prematch>
      <regex offset="after_prematch">SRC=(\S+) </regex>
      <order>srcip</order>
      -->
      <!-- capture the attacker address into srcip; \. is a literal dot in OSSEC regex -->
      <regex>from SRC=(\d+\.\d+\.\d+\.\d+)</regex>
      <order>srcip</order>
    </decoder>

*RULES:*

    <!-- rules in local_rules.xml have to live inside a <group> -->
    <group name="local,mhn,">
      <rule id="100010" level="3">
        <decoded_as>mhn</decoded_as>
        <description>Parent rule for MHN detection and action</description>
      </rule>

      <rule id="100011" level="3" frequency="1" timeframe="3600" ignore="3600">
        <if_matched_sid>100010</if_matched_sid>
        <description>This IP has been banned for some time...</description>
      </rule>
    </group>

*And OSSEC.CONF:*

    <active-response>
      <command>host-deny</command>
      <location>defined-agent</location>
      <agent_id>xxx</agent_id>
      <rules_id>100011</rules_id>
      <timeout>3600</timeout>
    </active-response>

As you can see this is not perfect, as I'm not sure I need 100011, for example! Anyway, the idea is to:

1°) Alert all my agents (except the honeypot) immediately about a new attack, and add the IP to hosts.deny for X hours. Then during those X hours, don't alert the agents.
2°) If an attack comes from an IP for the second time (after the X delay), ban the IP for Y hours (Y > X!).
3°) If an attack comes from an IP for the third time (after the Y delay), ban the IP for Z hours or day(s).

Is that possible??? Many thanks for any idea or suggestion...

All the best,
Thomas
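One way to get the escalating X, Y, Z bans asked for in 1°) to 3°), as an added example written for this thread rather than configuration taken from the post above. It relies on two OSSEC 2.x mechanisms: the server-side <active-response> block bound directly to the base rule (so no second rule like 100011 is needed, and the per-rule ignore attribute is not used at all), and the agent-side <repeated_offenders> option read by execd, which is a list of increasing timeouts in minutes that execd applies to a source IP each time it is blocked again after an earlier block has expired (the last value is reused once the list is exhausted). Assumptions: the decoder name mhn and rule id 100010 from the post, agent ids 001 and 002 for two non-honeypot agents, and X = 1 h, Y = 6 h, Z = 24 h as the three durations.

```xml
<!-- local_rules.xml on the OSSEC server (added example, not the poster's config).
     One alert per line the "mhn" decoder understands; srcip comes from the
     decoder, so the active-response below receives the attacker address. -->
<group name="local,mhn,">
  <rule id="100010" level="5">
    <decoded_as>mhn</decoded_as>
    <description>MHN: new attack against the honeypot.</description>
  </rule>
</group>

<!-- ossec.conf on the OSSEC server: bind host-deny directly to 100010.
     <timeout> is X, the first ban, in seconds (1 h here). One block per agent
     that should block; the honeypot agent is simply not listed. The host-deny
     <command> definition is already in the stock ossec.conf and is shown only
     for completeness. Agent ids 001 and 002 are assumptions. -->
<ossec_config>
  <command>
    <name>host-deny</name>
    <executable>host-deny.sh</executable>
    <expect>srcip</expect>
    <timeout_allowed>yes</timeout_allowed>
  </command>

  <active-response>
    <command>host-deny</command>
    <location>defined-agent</location>
    <agent_id>001</agent_id>
    <rules_id>100010</rules_id>
    <timeout>3600</timeout>
  </active-response>

  <active-response>
    <command>host-deny</command>
    <location>defined-agent</location>
    <agent_id>002</agent_id>
    <rules_id>100010</rules_id>
    <timeout>3600</timeout>
  </active-response>
</ossec_config>

<!-- ossec.conf on EACH blocking agent (execd reads this, not the server).
     After the first ban of an IP expires, the next ban of that IP lasts the
     first value, the one after that the second value, and so on; the last
     value repeats. Values are minutes: Y = 6 h, Z = 24 h. -->
<ossec_config>
  <active-response>
    <repeated_offenders>360,1440</repeated_offenders>
  </active-response>
</ossec_config>
```

Two points worth checking before copying this. First, the "don't alert the agents again during X hours" requirement is handled on the agent side: when execd receives another host-deny for an IP whose timeout is still running, it only refreshes that entry's timer instead of running the script a second time (so the block window is extended, not duplicated). Second, the ignore attribute on an OSSEC rule is a single timer on the rule itself, not a per-source-IP timer: a rule with ignore="3600" drops every alert from that rule for an hour after it first fires, whichever IP caused it, so it is the wrong tool for per-attacker suppression. Note also that execd keeps its repeat-offender counts in memory only, so they reset when the agent restarts.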