
I have OSSEC installed on my hosts. I want to detect port scans and generate an alert in OSSEC. So, how can I detect these port scans?

Is it possible by reading iptables logs? Do you recommend some specific tool, such as PSAD?

Thanks.

Jugad
    http://ossec-docs.readthedocs.org/en/latest/manual/notes/portscan_detection.html? It's in the OSSEC documentation. – Ohnana Mar 09 '16 at 13:05
  • IPLOG is outdated... – Jugad Mar 09 '16 at 13:23
  • If your host is exposed to the internet, that alarm will be ringing all the time, as port scans are always happening to every IPv4 address. I'm not sure how that will be of value. Now if the host is only visible on a private network, port scans may be of help. – Neil Smithline Mar 09 '16 at 15:23
  • My host is exposed to the internet. The idea is to block those IPs. – Jugad Mar 14 '16 at 11:22
  • I don't see how asking about information security tools is off-topic. That is some stupid shit right there... – Yokai Seishinkage Jun 25 '16 at 20:51

1 Answer


Log Monitoring

You could do it through log monitoring and trigger some alerts. Check out a commercial solution like Splunk. This allows you to manage and read your logs by creating dashboards, thresholds, and alerts.

Whenever you are being probed, you could pop an alert through log monitoring.

Soon enough you'll find yourself creating dashboards and alerts for all kinds of things!

Also check out GrayLog and ELK (ElasticSearch, Logstash, Kibana) which I believe are open-source and free.

Robert
  • Yes, I can use ELK or Splunk. But the question is how to detect a scan, reading some logs (iptables?, PSAD?, IPLOG?). Thanks! – Jugad Mar 09 '16 at 17:55
  • Well, you could install Snort, which is an awesome free IDS. Check out this video for a demonstration: https://www.youtube.com/watch?v=uM7bNsNM8Gk. You can set up Snort and define where and how port scans are going to be logged. From there on, using it with a tool for operational monitoring should be straightforward. Hope it helps ^_^ – Robert Mar 10 '16 at 01:22
  • Thanks Robert. I'm looking for something simpler than Snort. Is PSAD a good idea? – Jugad Mar 11 '16 at 10:58
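The iptables-log approach raised in the question and comments, as an added example that is not part of the original thread or of OSSEC/PSAD: parse kernel `LOG` lines and flag any source that hits a threshold of distinct destination ports within a time window. The log prefix `IPTABLES-DROP`, the addresses, the threshold of 10 ports and the 60-second window are all assumptions; the sample lines are constructed, not real traffic.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Fields of an iptables LOG line this detector needs: syslog timestamp, SRC, PROTO, DPT.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ kernel: .*?"
    r"SRC=(?P<src>\S+) .*?PROTO=(?P<proto>\S+) .*?DPT=(?P<dpt>\d+)"
)

def parse_line(line, year=2016):
    """Return (timestamp, src, proto, dpt), or None for lines that are not iptables LOG output."""
    m = LINE_RE.search(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")  # syslog omits the year
    return ts, m["src"], m["proto"], int(m["dpt"])

def detect_port_scans(lines, threshold=10, window_seconds=60):
    """Map each source that touched >= threshold distinct DPTs within the window
    to the timestamp at which it first crossed the threshold (lines must be in time order)."""
    recent = defaultdict(deque)   # src -> (timestamp, dpt) entries inside the window
    alerts = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, src, _proto, dpt = parsed
        q = recent[src]
        q.append((ts, dpt))
        while (ts - q[0][0]).total_seconds() > window_seconds:  # expire old entries
            q.popleft()
        if src not in alerts and len({p for _, p in q}) >= threshold:
            alerts[src] = ts
    return alerts

# Constructed sample lines in the kernel's iptables LOG format (assumed prefix "IPTABLES-DROP").
_TMPL = ("Mar  9 13:05:{sec:02d} host kernel: [  123.456] IPTABLES-DROP: IN=eth0 OUT= "
         "SRC={src} DST=192.0.2.10 LEN=44 TOS=0x00 PREC=0x00 TTL=52 ID=1 "
         "PROTO=TCP SPT=40000 DPT={dpt} WINDOW=1024 RES=0x00 SYN URGP=0")
SAMPLE_LOG = (
    [_TMPL.format(sec=s, src="203.0.113.5", dpt=p)            # one source, 10 ports in 10 s
     for s, p in enumerate([21, 22, 23, 25, 80, 110, 143, 443, 445, 3389])]
    + [_TMPL.format(sec=s, src="198.51.100.7", dpt=22) for s in (5, 20, 40)]  # retries, one port
    + ["Mar  9 13:05:30 host sshd[1]: Accepted publickey for admin from 198.51.100.7"]
)

if __name__ == "__main__":
    for src, when in detect_port_scans(SAMPLE_LOG).items():
        print(f"port scan from {src} at {when:%H:%M:%S}")
```

The same counting idea is what the OSSEC portscan notes linked in the comments rely on; the window matters, since the identical lines produce no alert when `window_seconds` is shortened to 5.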