On Sun, Nov 2, 2014 at 10:28 PM, Tom Travis
<ttra...@computing-management.com> wrote:
> I am new to this but I am trying.
>
> I have a Security Onion 12.04 set up and am trying to set up Ossec.
>
> I did manage to get syslog-ng to output alerts to a log file:
> /var/log/nsm/securityonion/sguild.log
>
> Here is a sample of the log messages when I do the command:  #grep Received
> /var/log/nsm/securityonion/sguild.log
>
> 2014-11-03 02:03:03 pid(20247)  Alert Received: 0 3 misc-activity
> ttravis-Precision-WorkStation-T3400-eth0 {2014-11-03 02:03:03} 6 158838 {URL
> wxdata.weather.com} 192.168.10.76 23.220.153.33 6 57923 80 10001 420042 1
> 158838 158838
> 2014-11-03 02:12:33 pid(20247)  Alert Received: 0 2 misc-attack
> ttravis-Precision-WorkStation-T3400-eth0-1 {2014-11-03 02:12:33} 3 18635 {ET
> CINS Active Threat Intelligence Poor Reputation IP TCP group 9} 76.164.196.6
> 192.168.10.250 6 6000 3306 1 2403316 1373 274 274
> 2014-11-03 02:12:33 pid(20247)  Alert Received: 0 2 bad-unknown
> ttravis-Precision-WorkStation-T3400-eth0-1 {2014-11-03 02:12:33} 3 18636 {ET
> POLICY Suspicious inbound to mySQL port 3306} 76.164.196.6 192.168.10.250 6
> 6000 3306 1 2010937 2 275 275
> 2014-11-03 02:12:33 pid(20247)  Alert Received: 0 2 bad-unknown
> ttravis-Precision-WorkStation-T3400-eth0-1 {2014-11-03 02:12:33} 3 18637 {ET
> POLICY Suspicious inbound to mySQL port 3306} 76.164.196.6 192.168.10.250 6
> 6000 3306 1 2010937 2 276 276
> 2014-11-03 02:18:20 pid(20247)  Alert Received: 0 2 misc-attack
> ttravis-Precision-WorkStation-T3400-eth0-1 {2014-11-03 02:18:20} 3 18638 {ET
> COMPROMISED Known Compromised or Hostile Host Traffic TCP group 23}
> 61.234.146.22 192.168.10.250 6 36888 22 1 2500044 3406 277 277
> 2014-11-03 02:18:31 pid(20247)  Alert Received: 0 2 attempted-recon
> ttravis-Precision-WorkStation-T3400-eth0-1 {2014-11-03 02:18:30} 3 18639 {ET
> SCAN Potential SSH Scan} 61.234.146.22 192.168.10.250 6 38884 22 1 2001219
> 19 278 278
> 2014-11-03 02:18:44 pid(20247)  Alert Received: 0 1 attempted-admin
> ttravis-Precision-WorkStation-T3400-eth0-1 {2014-11-03 02:18:43} 3 18640 {ET
> SCAN LibSSH Based Frequent SSH Connections Likely BruteForce Attack!}
> 61.234.146.22 192.168.10.250 6 40849 22 1 2006546 5 279 279
>

I will have nightmares about these logs tonight.

<decoder name="alert-stuff">
  <parent>windows-date-format</parent>
  <!-- OSSEC matching is case-insensitive, so "received" still matches "Alert Received:". -->
  <prematch>Alert received: </prematch>
  <regex offset="after_prematch">} (\d+.\d+.\d+.\d+) (\d+.\d+.\d+.\d+) </regex>
  <order>srcip,dstip</order>
<!--
  Alternative for the URL alerts only:
  <regex offset="after_prematch">{URL (\S+)} (\S+) (\S+) </regex>
  <order>url,srcip,dstip</order>
-->
</decoder>

<decoder name="alert-stuff">
  <parent>windows-date-format</parent>
  <!-- In OSSEC regex "\." means any character (a bare "." is a literal dot), so "\.+"
       takes the message text up to the closing brace; "|" is alternation. -->
  <regex>{URL (\S+)} |{(ET \.+)} </regex>
  <!-- The logtest run below was made with this field named url; extra_data suits a
       signature name better and either name works. -->
  <order>extra_data</order>
</decoder>


[root@localhost ossec]# /var/ossec/bin/ossec-logtest
2014/11/03 09:26:29 ossec-testrule: INFO: Reading local decoder file.
2014/11/03 09:26:29 ossec-testrule: INFO: Started (pid: 25361).
ossec-testrule: Type one log per line.

2014-11-03 02:12:33 pid(20247)  Alert Received: 0 2 misc-attack
ttravis-Precision-WorkStation-T3400-eth0-1 {2014-11-03 02:12:33} 3
18635 {ET CINS Active Threat Intelligence Poor Reputation IP TCP group
9} 76.164.196.6 192.168.10.250 6 6000 3306 1 2403316 1373 274 274


**Phase 1: Completed pre-decoding.
       full event: '2014-11-03 02:12:33 pid(20247)  Alert Received: 0
2 misc-attack ttravis-Precision-WorkStation-T3400-eth0-1 {2014-11-03
02:12:33} 3 18635 {ET CINS Active Threat Intelligence Poor Reputation
IP TCP group 9} 76.164.196.6 192.168.10.250 6 6000 3306 1 2403316 1373
274 274'
       hostname: 'localhost'
       program_name: '(null)'
       log: '2014-11-03 02:12:33 pid(20247)  Alert Received: 0 2
misc-attack ttravis-Precision-WorkStation-T3400-eth0-1 {2014-11-03
02:12:33} 3 18635 {ET CINS Active Threat Intelligence Poor Reputation
IP TCP group 9} 76.164.196.6 192.168.10.250 6 6000 3306 1 2403316 1373
274 274'

**Phase 2: Completed decoding.
       decoder: 'windows-date-format'
       srcip: '76.164.196.6'
       dstip: '192.168.10.250'
       url: 'ET CINS Active Threat Intelligence Poor Reputation IP TCP group 9'

**Phase 3: Completed filtering (rules).
       Rule id: '1002'
       Level: '2'
       Description: 'Unknown problem somewhere in the system.'
**Alert to be generated.


2014-11-03 02:03:03 pid(20247)  Alert Received: 0 3 misc-activity
ttravis-Precision-WorkStation-T3400-eth0 {2014-11-03 02:03:03} 6
158838 {URL wxdata.weather.com} 192.168.10.76 23.220.153.33 6 57923 80
10001 420042 1 158838 158838


**Phase 1: Completed pre-decoding.
       full event: '2014-11-03 02:03:03 pid(20247)  Alert Received: 0
3 misc-activity ttravis-Precision-WorkStation-T3400-eth0 {2014-11-03
02:03:03} 6 158838 {URL wxdata.weather.com} 192.168.10.76
23.220.153.33 6 57923 80 10001 420042 1 158838 158838'
       hostname: 'localhost'
       program_name: '(null)'
       log: '2014-11-03 02:03:03 pid(20247)  Alert Received: 0 3
misc-activity ttravis-Precision-WorkStation-T3400-eth0 {2014-11-03
02:03:03} 6 158838 {URL wxdata.weather.com} 192.168.10.76
23.220.153.33 6 57923 80 10001 420042 1 158838 158838'

**Phase 2: Completed decoding.
       decoder: 'windows-date-format'
       srcip: '192.168.10.76'
       dstip: '23.220.153.33'
       url: 'wxdata.weather.com'

> I do have Ossec looking at this log file as stated in ossec.conf:
>   <localfile>
>     <log_format>syslog</log_format>
>     <location>/var/log/nsm/securityonion/sguild.log</location>
>   </localfile>
>
> *****  Should I be specifying the Snort format here?  I do not know what a
> raw snort log entry looks like.
>
> Here is my attempt at a decoder in /var/ossec/etc/decoder.xml:
> <decoder name="tom">
>     <prematch>Alert Received: </prematch>
> </decoder>
>
> <decoder name="tom-alert">
> <parent>tom</parent>
> <regex
> offset="after_parent">^*}\s(d+.d+.d+.d+)\s(d+.d+.d+.d+)\s\d\s(\d+)(/.*)</regex>
> <order>srcip,dstip,id,extra_data</order>
> </decoder>
>
> When I run #/var/ossec/bin/ossec-logtest  and put in a line from my log, I
> get the following output:
>
> root@ttravis-Precision-WorkStation-T3400:/var/ossec/bin#
> /var/ossec/bin/ossec-logtest
> 2014/11/03 03:20:28 ossec-testrule: INFO: Reading local decoder file.
> 2014/11/03 03:20:30 ossec-testrule: INFO: Started (pid: 13875).
> ossec-testrule: Type one log per line.
>
> {2014-11-03 02:12:33} 3 18636 {ET POLICY Suspicious inbound to mySQL port
> 3306} 76.164.196.6 192.168.10.250 6 6000 3306 1 2010937 2 275 275
>
>
> **Phase 1: Completed pre-decoding.
>        full event: '{2014-11-03 02:12:33} 3 18636 {ET POLICY Suspicious
> inbound to mySQL port 3306} 76.164.196.6 192.168.10.250 6 6000 3306 1
> 2010937 2 275 275'
>        hostname: 'ttravis-Precision-WorkStation-T3400'
>        program_name: '(null)'
>        log: '{2014-11-03 02:12:33} 3 18636 {ET POLICY Suspicious inbound to
> mySQL port 3306} 76.164.196.6 192.168.10.250 6 6000 3306 1 2010937 2 275
> 275'
>
> **Phase 2: Completed decoding.
>        No decoder matched.
>
> (At this point it just hangs until I hit ^C)
>
>
> Someone please have mercy on this newbie.  I've been trying for a couple of days
> to fiddle with the decoder.
>
> Please tell me what I am doing wrong and/or provide me with an example of
> something that works.
>
> I think I should be able to extract at least srcip, dstip, and id.  I believe
> ID will be the snort ID which I will use in my rules.
>
> Thanks in advance, any help would be appreciated.
>
> Tom Travis
>
>
> --
>
> ---
> You received this message because you are subscribed to the Google Groups
> "ossec-list" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to ossec-list+unsubscr...@googlegroups.com.
> For more options, visit https://groups.google.com/d/optout.

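Added example (not from the thread, and not part of OSSEC's shipped decoders or rules): a child decoder under windows-date-format that pulls the source IP, destination IP and the Snort signature ID out of an "Alert Received" line, followed by three local rules that use that ID. It is a child of windows-date-format for the same reason the decoder in the reply is: that stock decoder's prematch claims every line starting with a YYYY-MM-DD HH:MM:SS timestamp, so a stand-alone decoder added later in local_decoder.xml would never be tried for sguild.log. The fifth number after the destination IP is the Snort sid (2001219 is "ET SCAN Potential SSH Scan" in the sample lines). The rule IDs 100100 to 100102 are arbitrary picks from the local range, the file paths assume OSSEC 2.7 or later, and the frequency and timeframe values are assumptions.

```xml
<!-- /var/ossec/etc/local_decoder.xml  (added example) -->
<!-- Line shape (one line in the file; the mail client wrapped it):
     2014-11-03 02:18:31 pid(20247)  Alert Received: 0 2 attempted-recon SENSOR
       {2014-11-03 02:18:30} 3 18639 {ET SCAN Potential SSH Scan}
       61.234.146.22 192.168.10.250 6 38884 22 1 2001219 19 278 278
     after the message's closing brace: srcip dstip proto sport dport gen_id sig_id sig_rev ... -->
<decoder name="sguild-alert">
  <parent>windows-date-format</parent>
  <prematch>Alert Received: </prematch>
  <!-- OSSEC regex: "." is a literal dot and "\d+" a run of digits. The first "} " in the
       line is the one after the timestamp, but "3 18639" is not a dotted quad, so the
       search moves on to the "} " that ends the message. The four skipped numbers are
       proto, sport, dport and gen_id; the captured one is the Snort sid. -->
  <regex offset="after_prematch">} (\d+.\d+.\d+.\d+) (\d+.\d+.\d+.\d+) \d+ \d+ \d+ \d+ (\d+) </regex>
  <order>srcip,dstip,id</order>
</decoder>

<!-- /var/ossec/rules/local_rules.xml  (added example) -->
<group name="local,sguil,">
  <!-- Grouping rule: every relayed Sguil alert, silent on its own. match runs against
       the whole log line, so it does not depend on which decoder name ossec-logtest
       reports (the reply above shows the parent's name, windows-date-format). -->
  <rule id="100100" level="0">
    <match>Alert Received: </match>
    <description>Sguil alert relayed via sguild.log.</description>
  </rule>

  <!-- One specific Snort sid, matched on the id field the decoder above extracts. -->
  <rule id="100101" level="6">
    <if_sid>100100</if_sid>
    <id>^2001219$</id>
    <description>Sguil: ET SCAN Potential SSH Scan (Snort sid 2001219).</description>
  </rule>

  <!-- Escalate when one source trips that rule 6 times within 120 seconds (assumed values). -->
  <rule id="100102" level="10" frequency="6" timeframe="120">
    <if_matched_sid>100101</if_matched_sid>
    <same_source_ip />
    <description>Sguil: repeated SSH scan alerts from one source.</description>
  </rule>
</group>
```

Check it with /var/ossec/bin/ossec-logtest as in the reply, pasting a whole line from sguild.log: the run in the quoted message fed a line starting at the {timestamp} brace, which no decoder can match. With a full line, Phase 2 should list srcip, dstip and id, and Phase 3 should report rule 100101 for the sid 2001219 line. The `syslog` log_format already in ossec.conf is the right choice for this file; OSSEC's snort-full and snort-fast formats describe Snort's own alert files, not sguild.log.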