new upstream release (3.3.0); modify package compatibility for Stretch

[ossec-hids.git] / debian / ossec-hids / usr / share / doc / ossec-hids / nmap.txt

diff --git a/debian/ossec-hids/usr/share/doc/ossec-hids/nmap.txt b/debian/ossec-hids/usr/share/doc/ossec-hids/nmap.txt
new file mode 100644 (file)
index 0000000..9c8e1b1
--- /dev/null
+++ b/debian/ossec-hids/usr/share/doc/ossec-hids/nmap.txt
@@ -0,0 +1,59 @@
+OSSEC
+Copyright (C) 2009 Trend Micro Inc.
+
+
+** Nmap correlation **
+
+Ossec can read nmap grepable output files to use as a
+correlation tool and also to alert based on host information
+changes. Follow the step by step below on how to configure
+ossec:
+
+
+1- Add the nmap output file on ossec.conf (generally 
+   at /var/ossec/etc/ossec.conf):
+
+<ossec_config>
+  <localfile>
+    <log_format>nmapg</log_format>
+    <location>/var/log/nmap-out.log</location>
+  </localfile>
+</ossec_config>
+
+
+2- If the file does not exist, touch it:
+
+ossec-test# touch /var/log/nmap-out.log
+
+
+3- Restart ossec:
+
+ossec-test# /var/ossec/bin/ossec-control restart
+
+
+4- Run your nmap scans (example scanning 192.168.2.0/24 network):
+
+ossec-test# nmap --append_output -sU -sT -oG /var/log/nmap-out.log 192.168.2.0-255
+
+
+
+*** Example of alert when a new host is found:
+
+** Alert 1152058913.238: mail
+2006 Jul 04 20:21:53 /var/log/nmap-out.log
+Rule: 15 (level 8) -> 'New host information added.'
+Src IP: (none)
+User: (none)
+Host: 192.168.2.10, open ports: 21(tcp) 22(tcp) 80(tcp) 113(tcp) 514(udp) 1514(udp) 4500(udp)
+
+
+*** Example of alert when a new a host information is changed:
+
+** Alert 1152058983.487: mail
+2006 Jul 04 20:23:03 /var/log/nmap-out.log
+Rule: 15 (level 8) -> 'Host information changed.'
+Src IP: (none)
+User: (none)
+Host: 192.168.2.1, open ports: 54(udp) 8080(tcp) 161(udp) 520(udp) 1025(udp) 1900(udp)
+Previously open ports: 53(udp) 80(tcp) 161(udp) 520(udp) 1025(udp) 1900(udp)
+