I am thinking of monitoring the sguild.logs for snort alerts such as the 
below that decoders would have to be made for (which I am weak on):

2016-05-12 16:08:58 pid(2410)  Sending sock222f690: InsertEvent {0 0 unknown alamo-eth1-1 {2016-05-12 16:08:58} 3 106 {Port Scan} 10.40.2.75 10.40.3.253 6 56496 10247 1 9000001 0 8 8 1}



On Tuesday, May 10, 2016 at 3:35:26 PM UTC-5, Jacob Mcgrath wrote:
>
> Is it possible to have OSSEC monitor Snort logs for certain SIDs and then 
> trigger the active response on all agents when an event occurs?
>
> Looking at reacting to Nmap and Nessus type scans on my internal network.
>
>
> I guess I would have to monitor the Security Onion server's Snort log for 
> SIDs for port scans.
>
> In the Security Onion server I have /etc/nsm/rules/local.rules
>
>
> # look for stealth port scans/sweeps
> alert tcp any any -> any any (msg:"SYN FIN Scan"; flags: SF;sid:9000000;)
> alert tcp any any -> any any (msg:"FIN Scan"; flags: F;sid:9000001;)
> alert tcp any any -> any any (msg:"NULL Scan"; flags: 0;sid:9000002;)
> alert tcp any any -> any any (msg:"XMAS Scan"; flags: FPU;sid:9000003;)
> alert tcp any any -> any any (msg:"Full XMAS Scan"; flags: SRAFPU;sid:9000004;)
> alert tcp any any -> any any (msg:"URG Scan"; flags: U;sid:9000005;)
> alert tcp any any -> any any (msg:"URG FIN Scan"; flags: FU;sid:9000006;)
> alert tcp any any -> any any (msg:"PUSH FIN Scan"; flags: FP;sid:9000007;)
> alert tcp any any -> any any (msg:"URG PUSH Scan"; flags: PU;sid:9000008;)
> alert tcp any any -> any any (flags: A; ack: 0; msg:"NMAP TCP ping!";sid:9000009;)
>
>
>
>
> How would one write the local local.rules for the OSSEC server to trigger 
> the active response's route-null function on agents?
>
>
> 1. Snort sees port scans and writes an alert to the log
> 2. OSSEC sees Snort's port scan alerts in the log and triggers route-null on 
> all agents.
>
> Is there a guide to setting something like this up?
>
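
The decoding step asked about above, sketched in Python as an added example (not part of either message and not OSSEC decoder syntax). It splits the sguild InsertEvent line into fields and returns the source address only for the scan SIDs listed in local.rules. The field order is an assumption inferred from the single sample line, and the names decode_insert_event, address_to_block and never_block are hypothetical.

```python
import ipaddress
import re

# Constructed from the sample line in the message above (joined onto one line).
SAMPLE = ("2016-05-12 16:08:58 pid(2410)  Sending sock222f690: InsertEvent "
          "{0 0 unknown alamo-eth1-1 {2016-05-12 16:08:58} 3 106 {Port Scan} "
          "10.40.2.75 10.40.3.253 6 56496 10247 1 9000001 0 8 8 1}")

# SIDs of the scan rules listed in local.rules in the quoted message.
SCAN_SIDS = set(range(9000000, 9000010))

# Assumed field order, inferred only from the sample line; f0..f6 are unnamed.
FIELDS = ("f0", "f1", "f2", "sensor", "event_time", "f5", "f6",
          "msg", "src_ip", "dst_ip", "proto", "src_port", "dst_port",
          "gen_id", "sid")

LINE_RE = re.compile(r"^\S+ \S+ pid\(\d+\)\s+Sending \S+: InsertEvent \{(.*)\}\s*$")
TOKEN_RE = re.compile(r"\{([^{}]*)\}|(\S+)")  # a {braced group} or a bare word


def decode_insert_event(line):
    """Return a dict of named fields, or None if the line is not an InsertEvent."""
    m = LINE_RE.match(line)
    if not m:
        return None
    tokens = [a if b == "" else b for a, b in TOKEN_RE.findall(m.group(1))]
    if len(tokens) < len(FIELDS):
        return None
    event = dict(zip(FIELDS, tokens))
    try:
        event["sid"] = int(event["sid"])
        event["src_ip"] = str(ipaddress.ip_address(event["src_ip"]))
    except ValueError:
        return None  # never hand an unvalidated string to a blocking script
    return event


def address_to_block(line, never_block=()):
    """Source IP if the line carries one of the scan SIDs and is not exempt."""
    event = decode_insert_event(line)
    if event is None or event["sid"] not in SCAN_SIDS:
        return None
    if event["src_ip"] in never_block:
        return None  # e.g. gateways or the authorised scanner host
    return event["src_ip"]


if __name__ == "__main__":
    print(address_to_block(SAMPLE))
```

The never_block argument is there because a response that null-routes the reported source on every agent should exempt addresses such as gateways and the authorised Nessus host.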
