OSSEC and PortSentry

Note:
I know that OSSEC can generate a PortScan alert by reading IPTABLES logs.
On Ubuntu the default firewall is UFW, and I did not see rules for that.
My goal is also to detect PortScan on machines without a local firewall.
Maybe OSSEC Agents will do it natively in a future release?

1. Why PortSentry?

I want to implement Port Scan detection on some hosts, but without installing all the Snort stuff.

  • There is a great post on the OSSEC website about iplog, but this program has not been supported or updated since 2001.
  • I also did some tests with scanlogd, but with little return in my logs (errors, crashes, not all the scans detected).
  • I decided to select PortSentry (more common than iplog or scanlogd), and with more options (but not really fresh – 2003).

2. Setup

I suppose you already have an OSSEC Server; if not, read this post, or consult the OSSEC website.

Install portsentry:

apt-get install portsentry

3. OSSEC configuration

Define the new alert via a new rule in local_rules.xml (/var/ossec/rules/local_rules.xml):

<group name="syslog,sentry,">
 <rule id="160100" level="12">
  <match>attackalert</match>
  <description>Port Sentry Attack Alert</description>
 </rule>
</group>

The final goal will be to extract the IP and source (for alert grouping) … with a decoder.xml.

4. Sample log generated by portsentry

Nov  1 19:24:01 testserver portsentry[1279]: adminalert: PortSentry 1.2 is starting.
Nov  1 19:24:01 testserver portsentry[1281]: adminalert: Going into listen mode on TCP port: 1
Nov  1 19:24:01 testserver portsentry[1281]: adminalert: Going into listen mode on TCP port: 11
Nov  1 19:24:01 testserver portsentry[1281]: adminalert: Going into listen mode on TCP port: 15
Nov  1 19:24:01 testserver portsentry[1281]: adminalert: Going into listen mode on TCP port: 79
Nov  1 19:24:01 testserver portsentry[1281]: adminalert: Going into listen mode on TCP port: 111
Nov  1 19:24:01 testserver portsentry[1281]: adminalert: Going into listen mode on TCP port: 119
Nov  1 19:24:01 testserver portsentry[1281]: adminalert: Going into listen mode on TCP port: 143
Nov  1 19:24:01 testserver portsentry[1281]: adminalert: Going into listen mode on TCP port: 540
Nov  1 19:24:01 testserver portsentry[1281]: adminalert: Going into listen mode on TCP port: 635
Nov  1 19:24:01 testserver portsentry[1281]: adminalert: Going into listen mode on TCP port: 1080
Nov  1 19:24:01 testserver portsentry[1281]: adminalert: Going into listen mode on TCP port: 1524
Nov  1 19:24:01 testserver portsentry[1281]: adminalert: PortSentry is now active and listening.
...
Nov  1 19:31:33 testserver portsentry[1616]: attackalert: Connect from host: 192.168.45.1/192.168.45.1 to TCP port: 1
Nov  1 19:31:33 testserver portsentry[1616]: attackalert: Ignoring TCP response per configuration file setting.
Nov  1 19:31:33 testserver portsentry[1616]: attackalert: Connect from host: 192.168.45.1/192.168.45.1 to TCP port: 79
Nov  1 19:31:33 testserver portsentry[1616]: attackalert: Host: 192.168.45.1 is already blocked. Ignoring
Nov  1 19:31:33 testserver portsentry[1616]: attackalert: Connect from host: 192.168.45.1/192.168.45.1 to TCP port: 111
Nov  1 19:31:33 testserver portsentry[1616]: attackalert: Host: 192.168.45.1 is already blocked. Ignoring
Nov  1 19:31:33 testserver portsentry[1616]: attackalert: Connect from host: 192.168.45.1/192.168.45.1 to TCP port: 119
Nov  1 19:31:33 testserver portsentry[1616]: attackalert: Host: 192.168.45.1 is already blocked. Ignoring
Nov  1 19:31:33 testserver portsentry[1616]: attackalert: Connect from host: 192.168.45.1/192.168.45.1 to TCP port: 143
Nov  1 19:31:33 testserver portsentry[1616]: attackalert: Host: 192.168.45.1 is already blocked. Ignoring
Nov  1 19:31:33 testserver portsentry[1616]: attackalert: Connect from host: 192.168.45.1/192.168.45.1 to TCP port: 1080
Nov  1 19:31:33 testserver portsentry[1616]: attackalert: Host: 192.168.45.1 is already blocked. Ignoring
Nov  1 19:31:33 testserver portsentry[1616]: attackalert: Connect from host: 192.168.45.1/192.168.45.1 to TCP port: 1524
Nov  1 19:31:33 testserver portsentry[1616]: attackalert: Host: 192.168.45.1 is already blocked. Ignoring
Nov  1 19:31:33 testserver portsentry[1616]: attackalert: Connect from host: 192.168.45.1/192.168.45.1 to TCP port: 2000
Nov  1 19:31:33 testserver portsentry[1616]: attackalert: Host: 192.168.45.1 is already blocked. Ignoring
Nov  1 19:31:33 testserver portsentry[1616]: attackalert: Connect from host: 192.168.45.1/192.168.45.1 to TCP port: 6667
Nov  1 19:31:33 testserver portsentry[1616]: attackalert: Host: 192.168.45.1 is already blocked. Ignoring
Nov  1 19:31:33 testserver portsentry[1616]: attackalert: Connect from host: 192.168.45.1/192.168.45.1 to TCP port: 12345
...
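Added example (not code from the original post): a Python equivalent of the decoder the post is aiming for, run over lines modelled on the sample log above. It pulls the source IP, protocol and destination port out of the "Connect from host" lines only, then groups by source IP the way an OSSEC frequency rule with same_source_ip would. The sample lines and the min_ports threshold are constructed for the demonstration.

```python
import re
from collections import defaultdict

# Regex equivalent of the decoder the post wants: srcip, protocol and dstport
# from a portsentry "attackalert: Connect from host" line. The "already
# blocked. Ignoring" and "Ignoring TCP response" lines also contain the word
# "attackalert" (so rule 160100 matches them too) but carry no port, so they
# are deliberately left undecoded here.
ATTACK_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) portsentry\[\d+\]: "
    r"attackalert: Connect from host: (?P<srcip>[\d.]+)/\S+ "
    r"to (?P<proto>TCP|UDP) port: (?P<dstport>\d+)$"
)

# Constructed sample, modelled on the portsentry log format shown in the post.
SAMPLE = """\
Nov  1 19:31:33 testserver portsentry[1616]: attackalert: Connect from host: 192.168.45.1/192.168.45.1 to TCP port: 1
Nov  1 19:31:33 testserver portsentry[1616]: attackalert: Ignoring TCP response per configuration file setting.
Nov  1 19:31:33 testserver portsentry[1616]: attackalert: Connect from host: 192.168.45.1/192.168.45.1 to TCP port: 79
Nov  1 19:31:33 testserver portsentry[1616]: attackalert: Host: 192.168.45.1 is already blocked. Ignoring
Nov  1 19:31:33 testserver portsentry[1616]: attackalert: Connect from host: 192.168.45.1/192.168.45.1 to TCP port: 111
Nov  1 19:31:34 testserver portsentry[1616]: attackalert: Connect from host: 10.0.0.7/10.0.0.7 to TCP port: 1524
Nov  1 19:24:01 testserver portsentry[1281]: adminalert: Going into listen mode on TCP port: 111
""".splitlines()


def decode(line):
    """Return the fields a decoder would emit for one line, or None if the
    line is not a connect alert (adminalert, 'already blocked', ...)."""
    m = ATTACK_RE.match(line)
    if not m:
        return None
    return {"srcip": m["srcip"], "protocol": m["proto"],
            "dstport": int(m["dstport"]), "host": m["host"]}


def scanners(lines, min_ports=3):
    """Group decoded events by source IP and return the sources that touched
    at least min_ports distinct ports: the grouping an OSSEC rule with
    <same_source_ip/> and a <frequency> threshold performs on the alerts."""
    ports = defaultdict(set)
    for line in lines:
        ev = decode(line)
        if ev:
            ports[ev["srcip"]].add(ev["dstport"])
    return {ip: sorted(p) for ip, p in ports.items() if len(p) >= min_ports}


if __name__ == "__main__":
    for ip, hit in scanners(SAMPLE).items():
        print(f"{ip} probed {len(hit)} ports: {hit}")
```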
