Hi Jacob,

OSSEC is decoding your log as a Windows event:

**Phase 1: Completed pre-decoding.
       full event: '2016-05-12 16:08:58 pid(2410)  Sending sock222f690: InsertEvent {0 0 unknown alamo-eth1-1 {2016-05-12 16:08:58} 3 106 {Port Scan} 10.40.2.75 10.40.3.253 6 56496 10247 1 9000001 0 8 8 1}'
       hostname: 'LinMV'
       program_name: '(null)'
       log: '2016-05-12 16:08:58 pid(2410)  Sending sock222f690: InsertEvent {0 0 unknown alamo-eth1-1 {2016-05-12 16:08:58} 3 106 {Port Scan} 10.40.2.75 10.40.3.253 6 56496 10247 1 9000001 0 8 8 1}'


**Phase 2: Completed decoding.
       decoder: 'windows-date-format'


OSSEC has decoders and rules for snort and squid. Try to send the logs in
that format and your logs will be decoded properly. If that is not possible,
you can add a tag to identify your logs and create your own decoder:

"*TAG *2016-05-12 16:08:58 pid(2410)  Sending sock222f690: InsertEvent {0 0 unknown alamo-eth1-1 {2016-05-12 16:08:58} 3 106 {Port Scan} 10.40.2.75 10.40.3.253 6 56496 10247 1 9000001 0 8 8 1}"


Regards.


On Thursday, May 12, 2016 at 6:58:21 PM UTC+2, dan (ddpbsd) wrote:
>
> On Thu, May 12, 2016 at 12:44 PM, Jacob Mcgrath
> <jacob.xt...@gmail.com> wrote:
> > I am thinking of monitoring the sguild.logs for Snort alerts such as the
> > one below, for which decoders would have to be made (which I am weak on):
> >
> > 2016-05-12 16:08:58 pid(2410)  Sending sock222f690: InsertEvent {0 0 unknown alamo-eth1-1 {2016-05-12 16:08:58} 3 106 {Port Scan} 10.40.2.75 10.40.3.253 6 56496 10247 1 9000001 0 8 8 1}
> >
>
> On a Securityonion sensor I have access to, barnyard2 is apparently
> configured to log to syslog (LOCAL6), although I'm not sure rsyslog is
> set up to handle that.
> You could configure rsyslog to log the syslog traffic in a file
> monitored by ossec.
> I'm not sure offhand whether ossec has snort syslog decoders or not
> though.
>
> > 
> > 
> > On Tuesday, May 10, 2016 at 3:35:26 PM UTC-5, Jacob Mcgrath wrote:
> >>
> >> Is it possible to have OSSEC monitor Snort logs for certain SIDs and
> >> then trigger the active response on all agents when the event occurs?
> >>
> >> Looking at reacting to Nmap and Nessus-type scans on my internal network.
> >>
> >>
> >> I guess I would have to monitor the Security Onion server's Snort log
> >> for SIDs for port scans.
> >>
> >> In the Security Onion server I have /etc/nsm/rules/local.rules
> >>
> >>
> >> # look for stealth port scans/sweeps
> >> alert tcp any any -> any any (msg:"SYN FIN Scan"; flags: SF; sid:9000000;)
> >> alert tcp any any -> any any (msg:"FIN Scan"; flags: F; sid:9000001;)
> >> alert tcp any any -> any any (msg:"NULL Scan"; flags: 0; sid:9000002;)
> >> alert tcp any any -> any any (msg:"XMAS Scan"; flags: FPU; sid:9000003;)
> >> alert tcp any any -> any any (msg:"Full XMAS Scan"; flags: SRAFPU; sid:9000004;)
> >> alert tcp any any -> any any (msg:"URG Scan"; flags: U; sid:9000005;)
> >> alert tcp any any -> any any (msg:"URG FIN Scan"; flags: FU; sid:9000006;)
> >> alert tcp any any -> any any (msg:"PUSH FIN Scan"; flags: FP; sid:9000007;)
> >> alert tcp any any -> any any (msg:"URG PUSH Scan"; flags: PU; sid:9000008;)
> >> alert tcp any any -> any any (flags: A; ack: 0; msg:"NMAP TCP ping!"; sid:9000009;)
> >>
> >>
> >>
> >>
> >> How would one write the local.rules for the OSSEC server to trigger
> >> the active-response route-null function on agents?
> >>
> >>
> >> 1. Snort sees port scans and writes an alert to the log.
> >> 2. OSSEC sees Snort's port scan alerts in the log and triggers route-null
> >> on all agents.
> >>
> >> Is there a guide to setting something like this up?
> > 
>

-- 

--- 
You received this message because you are subscribed to the Google Groups 
"ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to ossec-list+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
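The decoder, rules and active-response binding the thread is working toward, written out as an added example (it is not code from the reply above, from Jacob, or from the OSSEC project). It assumes: each sguild line reaches the file OSSEC monitors with the literal prefix "SGUILD: " (the tag the reply suggests; the tag string itself is an assumption), so the stock windows-date-format decoder that won in ossec-logtest no longer matches; the InsertEvent field positions are as in the sample line (sensor name fourth, then the timestamp, then source and destination IP, a protocol number, source and destination port, then "1 9000001" read as Snort generator id and signature id, inferred from the sample and from the sids in Jacob's local.rules); rule ids 100300-100302 are free; and the route-null command in the default ossec.conf is unchanged.

```xml
<!-- 1. /var/ossec/etc/local_decoder.xml (if your version does not load
        local_decoder.xml, append the decoder to decoder.xml instead).
     The prematch keys on the added "SGUILD: " tag (assumed), so the line is
     never handed to the stock windows-date-format decoder. -->
<decoder name="sguild-insertevent">
  <prematch>^SGUILD: </prematch>
  <!-- Field positions are read from the sample line in the thread:
       {n n class sensor {date time} n n {msg} srcip dstip proto sport dport gid sid ...}
       OSSEC regex: \p = one punctuation character (the parentheses around the
       pid), \.+ = anything (the "{Port Scan}" message contains a space). -->
  <regex offset="after_prematch">^\d+-\d+-\d+ \d+:\d+:\d+ pid\p\d+\p\s+Sending \S+ InsertEvent {\d+ \d+ \S+ (\S+) {\S+ \S+} \d+ \d+ {\.+} (\S+) (\S+) \d+ (\d+) (\d+) \d+ (\d+) </regex>
  <order>extra_data, srcip, dstip, srcport, dstport, id</order>
</decoder>

<!-- 2. /var/ossec/rules/local_rules.xml -->
<group name="local,sguild,">
  <!-- Base rule: every decoded sguild line lands here; level 0 = no alert. -->
  <rule id="100300" level="0">
    <decoded_as>sguild-insertevent</decoded_as>
    <description>Sguil InsertEvent (Snort alert relayed by sguild).</description>
  </rule>

  <!-- The port-scan signatures from local.rules. <id> is matched against the
       decoded "id" field (the Snort sid) using OSSEC's simple sregex syntax
       (^ $ | only, no \d), so the sids are listed explicitly. -->
  <rule id="100301" level="8">
    <if_sid>100300</if_sid>
    <id>^9000000$|^9000001$|^9000002$|^9000003$|^9000004$|^9000005$|^9000006$|^9000007$|^9000008$|^9000009$</id>
    <description>Snort port-scan signature (local.rules sid 9000000 to 9000009) reported by Sguil.</description>
  </rule>

  <!-- Null-route only after repeated hits from one source within timeframe
       seconds: a single stray FIN or URG packet also matches those
       flags-only signatures. ignore= suppresses re-firing for 300 s. -->
  <rule id="100302" level="10" frequency="6" timeframe="60" ignore="300">
    <if_matched_sid>100301</if_matched_sid>
    <same_source_ip />
    <description>Repeated port-scan alerts from the same source; null-routing it.</description>
  </rule>
</group>

<!-- 3. /var/ossec/etc/ossec.conf on the manager. route-null is one of the
        stock <command> entries (it expects srcip), so only the binding is
        added. <location>all</location> pushes it to every agent, as asked. -->
<ossec_config>
  <global>
    <!-- Hosts that must never be null-routed: add the manager, the Sguil
         sensor and any scanner you run yourself. A scan with a spoofed
         source address would otherwise make every agent cut them off. -->
    <white_list>127.0.0.1</white_list>
  </global>
  <active-response>
    <command>route-null</command>
    <location>all</location>
    <rules_id>100302</rules_id>
    <timeout>600</timeout>
  </active-response>
</ossec_config>
```

Check it with /var/ossec/bin/ossec-logtest before restarting: paste a tagged line and phase 2 should now report decoder 'sguild-insertevent' with srcip and id filled in, and phase 3 should hit rule 100301; repeat the line a few times within a minute to see 100302 fire. If you instead deliver the lines through rsyslog as dan describes, the syslog header gives OSSEC a program_name, so replace the <prematch> with a <program_name> element and drop the tag. Keep in mind that route-null acts on whatever srcip was decoded, which is why the white list and the frequency threshold are there rather than binding the response straight to 100301.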
