ossec-hids med nmap integrert
Ossec kan lese nmap grepable filer og bruke de som en verktøy for å sjekke og varsle om host endringer.
Følgende endringer er gjort for å få det til å fungere.
Nmap correlation
Ossec can read nmap grepable output files to use as a correlation tool and also to alert based on host information changes. Follow the step by step below on how to configure ossec:
1. | Add the nmap output file on ossec.conf (generally at /var/ossec/etc/ossec.conf): |
<ossec_config> <localfile> <log_format>nmapg</log_format> <location>/var/log/nmap-out.log</location> </localfile> </ossec_config>
2. | If the file does not exist, touch it: |
ossec-test# touch /var/log/nmap-out.log
3. | Restart ossec: |
ossec-test# /var/ossec/bin/ossec-control restart
4. | Run your nmap scans (example scanning 192.168.2.0/24 network): |
ossec-test# nmap --append_output -sU -sT -oG /var/log/nmap-out.log 192.168.2.0-255 NOTE: I've found that this is handiest when paired with a routine nmap scan.
5. | So add the above line to your crontab. |
ossec-test#crontab -e 15 * * * * nmap --append_output -sU -sT -oG /var/log/nmap-out.log 192.168.2.0-255
[edit]
Example of alert when a new host is found:
** Alert 1152058913.238: mail 2006 Jul 04 20:21:53 /var/log/nmap-out.log Rule: 15 (level 8) -> 'New host information added.' Src IP: (none) User: (none) Host: 192.168.2.10, open ports: 21(tcp) 22(tcp) 80(tcp) 113(tcp) 514(udp) 1514(udp) 4500(udp)
[edit]
Example of alert when a new a host information is changed:
** Alert 1152058983.487: mail 2006 Jul 04 20:23:03 /var/log/nmap-out.log Rule: 15 (level 8) -> 'Host information changed.' Src IP: (none) User: (none) Host: 192.168.2.1, open ports: 54(udp) 8080(tcp) 161(udp) 520(udp) 1025(udp) 1900(udp) Previously open ports: 53(udp) 80(tcp) 161(udp) 520(udp) 1025(udp) 1900(udp)