+++ /dev/null
-OSSEC
-Copyright (C) 2009 Trend Micro Inc.
-
-
-** Nmap correlation **
-
-Ossec can read nmap grepable output files to use as a
-correlation tool and also to alert based on host information
-changes. Follow the step by step below on how to configure
-ossec:
-
-
-1- Add the nmap output file on ossec.conf (generally
- at /var/ossec/etc/ossec.conf):
-
-<ossec_config>
- <localfile>
- <log_format>nmapg</log_format>
- <location>/var/log/nmap-out.log</location>
- </localfile>
-</ossec_config>
-
-
-2- If the file does not exist, touch it:
-
-ossec-test# touch /var/log/nmap-out.log
-
-
-3- Restart ossec:
-
-ossec-test# /var/ossec/bin/ossec-control restart
-
-
-4- Run your nmap scans (example scanning 192.168.2.0/24 network):
-
-ossec-test# nmap --append_output -sU -sT -oG /var/log/nmap-out.log 192.168.2.0-255
-
-
-
-*** Example of alert when a new host is found:
-
-** Alert 1152058913.238: mail
-2006 Jul 04 20:21:53 /var/log/nmap-out.log
-Rule: 15 (level 8) -> 'New host information added.'
-Src IP: (none)
-User: (none)
-Host: 192.168.2.10, open ports: 21(tcp) 22(tcp) 80(tcp) 113(tcp) 514(udp) 1514(udp) 4500(udp)
-
-
-*** Example of alert when a new a host information is changed:
-
-** Alert 1152058983.487: mail
-2006 Jul 04 20:23:03 /var/log/nmap-out.log
-Rule: 15 (level 8) -> 'Host information changed.'
-Src IP: (none)
-User: (none)
-Host: 192.168.2.1, open ports: 54(udp) 8080(tcp) 161(udp) 520(udp) 1025(udp) 1900(udp)
-Previously open ports: 53(udp) 80(tcp) 161(udp) 520(udp) 1025(udp) 1900(udp)
-
projects / ossec-hids.git / blobdiff