On Thu, Sep 18, 2014 at 9:25 AM, Thomas Vidal <vidal.tho...@gmail.com> wrote:
> Dear all,
>
> I worked on MHN Honeypot and now I am able to log IP in a specific log file
> and by using OSSEC and active response ALL my servers are able to ban IPs
> coming on the honeypot (for MHN script I wrote :
> https://groups.google.com/d/msg/modern-honey-network/szahW2nS2UM/oQTmlaXbyTEJ).
> So everything is working fine, but I want to improve it a little bit before
> sharing a kind of how-to on this.... and so I need your light! :
>
> On OSSEC server I created this decoder and rules :
>
> DECODER :
> <decoder name="mhn">
>     <program_name>MHN</program_name>
>     <!-- <prematch>^MHN: New attack from </prematch>
>     <regex offset="after_prematch">SRC=(\S+) </regex>
>     <order>srcip</order>-->
>     <!-- dots escaped so they match a literal "." rather than any character -->
>     <regex>from SRC=(\d+\.\d+\.\d+\.\d+)</regex>
>     <order>srcip</order>
> </decoder>
>
> RULES :
>   <rule id="100010" level="3">
>     <decoded_as>mhn</decoded_as>
>     <description>Parent rule for MHN detection and action</description>
>   </rule>
>   <rule id="100011" level="3" frequency="1" timeframe="3600" ignore="3600">
>     <if_matched_sid>100010</if_matched_sid>
>     <description>This IP has been banned for some time...</description>
>   </rule>
>
> And OSSEC.CONF :
>   <active-response>
>     <command>host-deny</command>
>     <location>defined-agent</location>
>     <agent_id>xxx</agent_id>
>     <rules_id>100011</rules_id>
>     <timeout>3600</timeout>
>   </active-response>
>
> As you can see this is not perfect, as I'm not sure I need 100011 for
> example!
>
> Anyway, the idea is to :
> 1°) Alert immediately all my agents (except the Honeypot) about a new attack,
> and add the IP in hosts.deny for X hours. Then during X hours don't alert
> the agents.
> 2°) If an attack comes from an IP for the second time (after the X delay)
> ban the IP for Y hours (Y > X !)
> 3°) if an attack comes from an IP for the third time (after Y delay) ban the
> IP for Z hours or day(s)
>
> Is that possible ???
>

Yeah, I think so, using repeated offenders:
http://ossec-docs.readthedocs.org/en/latest/syntax/head_ossec_config.active-response.html#element-repeated_offenders

> Many thanks for any idea or suggestion...
>
> All the best
>
> Thomas
>
> --
>
> ---
> You received this message because you are subscribed to the Google Groups
> "ossec-list" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to ossec-list+unsubscr...@googlegroups.com.
> For more options, visit https://groups.google.com/d/optout.

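As an added illustration (not posted by either participant) of how the escalating bans in points 1 to 3 could be expressed with the repeated_offenders option linked in the reply, here is Thomas's host-deny block extended with it; the agent id is a placeholder and the minute values are assumed, not anything the thread specifies.

```xml
<!-- Added example, not from the thread. One active-response block on the OSSEC
     server, extended with repeated_offenders for escalating bans. -->
<active-response>
  <command>host-deny</command>
  <location>defined-agent</location>
  <agent_id>xxx</agent_id>   <!-- placeholder: id of the agent that should ban -->
  <rules_id>100011</rules_id>
  <!-- First offence: X = 1 hour. timeout is in SECONDS. -->
  <timeout>3600</timeout>
  <!-- Later offences from the same srcip get longer bans. Values are in MINUTES
       (assumed here): 2nd offence 360 (6 h), 3rd 1440 (1 day), 4th 10080 (7 days).
       OSSEC accepts at most five comma-separated entries. -->
  <repeated_offenders>360,1440,10080</repeated_offenders>
</active-response>
```

Because execd on the agent is what applies the repeat timeouts, the `<repeated_offenders>` element also has to appear in an `<active-response>` block in each agent's own ossec.conf, and to cover "all agents except the honeypot" the block is repeated once per agent_id rather than using `<location>all</location>`, which would include the honeypot.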
