I had to re-purpose my VM playground PE R900 until I get a replacement 
motherboard for my signage server, so it may take a bit until I can 
start playing with this. But it looks like there is a way to use Barnyard 
to decode alerts to a readable log format, at least from what I read.

I am referencing this: log alerts 
<http://commons.oreilly.com/wiki/index.php/Snort_Cookbook/Logging,_Alerts,_and_Output_Plug-ins#Logging_Only_Alerts>

On Tuesday, May 10, 2016 at 3:35:26 PM UTC-5, Jacob Mcgrath wrote:
>
> Is it possible to have OSSEC monitor Snort logs for certain SIDs and then 
> trigger the active response on all agents when the event occurs?
>
> Looking at reacting to Nmap and Nessus type scans on my internal network.
>
> I guess I would have to monitor the Security Onion server's Snort log for 
> SIDs for port scans.
>
> In the Security Onion server I have /etc/nsm/rules/local.rules
>
> # look for stealth port scans/sweeps
> alert tcp any any -> any any (msg:"SYN FIN Scan"; flags:SF; sid:9000000;)
> alert tcp any any -> any any (msg:"FIN Scan"; flags:F; sid:9000001;)
> alert tcp any any -> any any (msg:"NULL Scan"; flags:0; sid:9000002;)
> alert tcp any any -> any any (msg:"XMAS Scan"; flags:FPU; sid:9000003;)
> alert tcp any any -> any any (msg:"Full XMAS Scan"; flags:SRAFPU; sid:9000004;)
> alert tcp any any -> any any (msg:"URG Scan"; flags:U; sid:9000005;)
> alert tcp any any -> any any (msg:"URG FIN Scan"; flags:FU; sid:9000006;)
> alert tcp any any -> any any (msg:"PUSH FIN Scan"; flags:FP; sid:9000007;)
> alert tcp any any -> any any (msg:"URG PUSH Scan"; flags:PU; sid:9000008;)
> alert tcp any any -> any any (flags:A; ack:0; msg:"NMAP TCP ping!"; sid:9000009;)
>
> How would one write the local local.rules for the OSSEC server to trigger 
> the active response route-null function on agents?
>
> 1. Snort sees port scans and writes an alert to the log
> 2. OSSEC sees Snort's port scan alerts in the log and triggers route-null on 
> all agents.
>
> Is there a guide to setting something like this up?
>

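One way to wire the two steps in the question together, as an added example that is not part of either message nor the OSSEC or Security Onion projects' own configuration: a local OSSEC rule that matches Snort fast-format alerts carrying one of the local port-scan SIDs above, a second rule that only fires once the same source has tripped it several times, and an active-response entry that runs the bundled route-null.sh on every agent against that source. It assumes OSSEC's built-in snort-fast decoder and parent rule 20100 put the gid:sid:rev triple (e.g. 1:9000003:0) into the id field, that rule IDs 100100/100101 are unused in local_rules.xml, and that the Snort alert file path is a placeholder to be replaced with the sensor's real one.

```xml
<!-- 1) local_rules.xml on the OSSEC server.
     Child of the built-in Snort rule 20100 (assumed to fire for every decoded
     Snort fast-format alert). The id field is assumed to hold gid:sid:rev, so
     the sregex prefix ^1:900000 covers local sids 9000000-9000009 (and any
     longer sid starting with those digits). -->
<group name="local,ids,">
  <rule id="100100" level="10">
    <if_sid>20100</if_sid>
    <id>^1:900000</id>
    <description>Snort: local stealth/port-scan signature (sid 900000x) fired.</description>
    <group>recon,</group>
  </rule>

  <!-- React only after several scan alerts from one source within a minute,
       so a single stray packet, or a forged source address meant to make every
       agent null-route an innocent host, does not trigger the response. -->
  <rule id="100101" level="12" frequency="5" timeframe="60">
    <if_matched_sid>100100</if_matched_sid>
    <same_source_ip />
    <description>Snort: repeated port-scan alerts from the same source IP.</description>
  </rule>
</group>

<!-- 2) ossec.conf on the OSSEC server: run route-null.sh on all agents with
     the alert's srcip when rule 100101 fires; the timeout removes the
     null route again after 600 seconds. -->
<ossec_config>
  <command>
    <name>route-null</name>
    <executable>route-null.sh</executable>
    <expect>srcip</expect>
    <timeout_allowed>yes</timeout_allowed>
  </command>

  <active-response>
    <command>route-null</command>
    <location>all</location>
    <rules_id>100101</rules_id>
    <timeout>600</timeout>
  </active-response>
</ossec_config>

<!-- 3) ossec.conf on the agent running on the Security Onion sensor, if the
     Snort alert file is not already collected there. Path is a placeholder. -->
<ossec_config>
  <localfile>
    <log_format>snort-fast</log_format>
    <location>/PATH/TO/SENSOR/snort/alert</location>
  </localfile>
</ossec_config>
```

Rule 100101's frequency threshold is a tuning knob: lower it if the sensor only ever sees one or two packets of a scan, and check /var/ossec/logs/active-responses.log on an agent to confirm the null route was added and later removed.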