From: W. <joe...@ei...> - 2005-08-30 09:25:04
Hi,

I have a little request about how to write HIDS rules on OSSIM. I used Prelude before with prelude-lml... HIDS here doesn't mean checking file integrity but finding patterns in specific log files (as you do with Snare and Syslog). I saw that you were using Python software to listen to log files and to catch specific information (patterns). The problem is that rules are hard-coded in Python files or are directly located on ossim-server. A good thing would be to add HIDS configuration files on agents and let people write their own rules. The agent would then be able to send the rule title (sid) and plugin title (id) to the server. Like this, it would appear in CONFIGURATION => PLUGIN on the framework and the server would be able to use them in correlation directives... When I was using Prelude, I wrote rules (based on regex) to get specific information about the Dansguardian Proxy (modified to act as a reverse proxy). Here is an example of a rule:

#####################################################################
# To get when a requested URL is blocked (coming from the
# Bannedregexpurllist file of the dansguardian configuration)
#####################################################################
#LOG example:
#2004.10.27 15:42:51 - 10.192.72.83 http://10.192.72.95/iissamples/ *DENIED* Banned Regular Expression URL: .*/iissamples/ GET 0

regex=([\d+\.]+) http://(.*)\s\*DENIED\*\sBanned Regular Expression URL:(.*)\s(GET|POST).*; \
 class.name=Dansguardian Reverse-proxy: DENIED request to Web server; \
 impact.severity=high; \
 impact.completion=failed; \
 impact.type=other; \
 impact.description=Url: $2 requested by $1 had dangerous content defined by this regular expression: $3; \
 # note: required for correct operation
 source.node.address; \
 source.node.address.address=$1; \
 source.node.address.category=ipv4-addr; \
 source.service.port=80; \
 source.service.protocol=http; \
 target.node.address; \
 target.node.address.category=unknown; \
 target.node.address.address=$2; \
 target.service.port=80; \
 target.service.protocol=http;

Let me know what you think about this! I would be pleased to help you (even to write a bit of code)... Read you soon...

Joël Winteregg
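The rule in the message works by matching a regex against each log line and substituting the capture groups ($1, $2, $3) into IDMEF-style fields. As an added example, not part of the original message and not OSSIM's or prelude-lml's own code, the Python below runs that rule over the DansGuardian log line quoted above plus two constructed lines (one allowed request, one blocked POST), showing which capture lands in which field and that a line without *DENIED* yields no event. The dict layout, the `apply_rule`/`process` functions and the `sid` value are assumptions of this example, not prelude-lml syntax.

```python
import re

# The DansGuardian "DENIED request" rule from the message, transcribed into a
# dict. Keys mirror the IDMEF paths used in the prelude-lml rule; the "sid"
# value is a constructed placeholder for the rule id the agent would report.
# This layout is an assumption of this example, not prelude-lml's own format.
DENIED_URL_RULE = {
    "sid": 1,
    "regex": (r"([\d+\.]+) http://(.*)\s\*DENIED\*\sBanned Regular Expression URL:"
              r"(.*)\s(GET|POST).*"),
    "fields": {
        "class.name": "Dansguardian Reverse-proxy: DENIED request to Web server",
        "impact.severity": "high",
        "impact.completion": "failed",
        "impact.type": "other",
        "impact.description": ("Url: $2 requested by $1 had dangerous content "
                               "defined by this regular expression: $3"),
        "source.node.address.address": "$1",
        "source.node.address.category": "ipv4-addr",
        "source.service.port": "80",
        "source.service.protocol": "http",
        "target.node.address.address": "$2",
        "target.node.address.category": "unknown",
        "target.service.port": "80",
        "target.service.protocol": "http",
    },
}

# Sample access-log lines: the first is the one quoted in the message, the
# other two are constructed for this example (one allowed request, one
# blocked POST).
SAMPLE_LOG = [
    "2004.10.27 15:42:51 - 10.192.72.83 http://10.192.72.95/iissamples/ "
    "*DENIED* Banned Regular Expression URL: .*/iissamples/ GET 0",
    "2004.10.27 15:43:10 - 10.192.72.83 http://10.192.72.95/index.html GET 200",
    "2004.10.27 15:44:02 - 10.192.72.84 http://10.192.72.95/printers/ "
    "*DENIED* Banned Regular Expression URL: .*/printers/ POST 0",
]

_PLACEHOLDER = re.compile(r"\$(\d+)")


def apply_rule(rule, line):
    """Match one log line against one rule.

    Returns the filled-in field dict (plus the rule's sid) when the regex
    matches, or None when it does not, so callers can tell "no event" from
    "event with empty fields".
    """
    m = re.search(rule["regex"], line)  # unanchored, like the rule assumes
    if m is None:
        return None

    def expand(template):
        # Replace each $N with capture group N; a $N beyond the number of
        # groups in the regex expands to "" instead of raising.
        def group_or_empty(p):
            n = int(p.group(1))
            return (m.group(n) or "") if n <= m.re.groups else ""
        return _PLACEHOLDER.sub(group_or_empty, template)

    event = {key: expand(value) for key, value in rule["fields"].items()}
    event["sid"] = rule["sid"]
    return event


def process(rule, lines):
    """Run the rule over a list of log lines; returns the events in log order."""
    return [ev for ev in (apply_rule(rule, line) for line in lines) if ev is not None]


if __name__ == "__main__":
    for ev in process(DENIED_URL_RULE, SAMPLE_LOG):
        print(ev["sid"], ev["source.node.address.address"], "->",
              ev["target.node.address.address"], ev["impact.severity"])
```

One detail worth checking when writing such rules: the regex has no `\s` between `URL:` and `(.*)`, so $3 keeps its leading space and the description ends up with two spaces before the pattern. Putting the `\s` inside the rule rather than relying on the consumer to strip it keeps the field clean.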