{"id":347,"date":"2006-12-26T04:25:00","date_gmt":"2006-12-26T04:25:00","guid":{"rendered":"https:\/\/defragged.org\/ossec\/?p=347"},"modified":"2020-07-03T04:27:15","modified_gmt":"2020-07-03T04:27:15","slug":"correlating-multiple-snort-ids-with-ossec","status":"publish","type":"post","link":"https:\/\/defragged.org\/ossec\/2006\/12\/correlating-multiple-snort-ids-with-ossec\/","title":{"rendered":"Correlating multiple snort IDS with OSSEC"},"content":{"rendered":"\n

I was asked recently what is the best way to correlate multiple snort<\/a> events with OSSEC<\/a>. The idea would be to generate an ossec alert (by e-mail and possible an active response) if a specific number of snort rules are fired from the same source IP address (in any order)..<\/p>\n\n\n\n

The easiest way to solve this is by creating a local ossec rule (inside local_rules.xml) to match if any of the desired snort signatures are fired:<\/p>\n\n\n\n

<rule id=\u201d100015\u2033 level=\u201d6\u2033>
<if_sid>20101<\/if_sid>
<decoded_as>snort<\/decoded_as>
<id>1:xx|1:yy|1:zz<\/id>
<description>Watched snort ids<\/description>
<\/rule><\/p>\n\n\n\n

Note that 1:xx<\/em>, 1:yy<\/em> are the snort ids that you are interested to watch. We use the <if_sid><\/em> to make sure that this rule is only tested if it is an IDS event (see rule 20101<\/a>).<\/p>\n\n\n\n

Now, we create another ossec rule with a higher severity that will only be fired if the above rule (100015) is generated at least 4 times from the same source ip within 3 minutes (180 seconds):<\/p>\n\n\n\n

<rule id=\u201d100016\u2033 frequency=\u201d4\u2033 level=\u201d10\u2033 timeframe=\u201d180\u2033>
<if_matched_sid>100015<\/if_matched_sid>
<same_source_ip \/>
<description>Multiple snort alerts with the watched ids<\/description>
<\/rule><\/em><\/p>\n\n\n\n

This idea can be extended to any other log format that you want to monitor. The following entry in the ossec wiki has some information too: Ignoring rules<\/a>.<\/p>\n","protected":false},"excerpt":{"rendered":"

I was asked recently what is the best way to correlate multiple snort events with OSSEC. The idea would be to generate an ossec alert (by e-mail and possible an active response) if a specific number of snort rules are fired from the same source IP address (in any order).. The easiest way to solve this is by […]<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":[],"categories":[14],"tags":[],"_links":{"self":[{"href":"https:\/\/defragged.org\/ossec\/wp-json\/wp\/v2\/posts\/347"}],"collection":[{"href":"https:\/\/defragged.org\/ossec\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/defragged.org\/ossec\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/defragged.org\/ossec\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/defragged.org\/ossec\/wp-json\/wp\/v2\/comments?post=347"}],"version-history":[{"count":1,"href":"https:\/\/defragged.org\/ossec\/wp-json\/wp\/v2\/posts\/347\/revisions"}],"predecessor-version":[{"id":348,"href":"https:\/\/defragged.org\/ossec\/wp-json\/wp\/v2\/posts\/347\/revisions\/348"}],"wp:attachment":[{"href":"https:\/\/defragged.org\/ossec\/wp-json\/wp\/v2\/media?parent=347"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/defragged.org\/ossec\/wp-json\/wp\/v2\/categories?post=347"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/defragged.org\/ossec\/wp-json\/wp\/v2\/tags?post=347"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}