Ossec can read nmap grepable output files to use as a correlation tool and also to alert based on host information changes. Follow the step by step below on how to configure ospatrol:
- Add the nmap output file on ospatrol.conf (generally at
/var/ospatrol/etc/ospatrol.conf
):
<ospatrol_config>
<localfile>
<log_format>nmapg</log_format>
<location>/var/log/nmap-out.log</location>
</localfile>
</ospatrol_config>
- If the file does not exist, touch it:
ospatrol-test# touch /var/log/nmap-out.log
- Restart ospatrol:
ospatrol-test# /var/ospatrol/bin/ospatrol-control restart
- Run your nmap scans (example scanning
192.168.2.0/24
network):
ospatrol-test# nmap --append_output -sU -sT -oG /var/log/nmap-out.log 192.168.2.0-255
.. note::
I've found that this is handiest when paired with a routine nmap scan.
- So add the above line to your crontab.
ospatrol-test#crontab -e
15 * * * * nmap --append_output -sU -sT -oG /var/log/nmap-out.log 192.168.2.0-255
** Alert 1152058913.238: mail
2006 Jul 04 20:21:53 /var/log/nmap-out.log
Rule: 15 (level 8) -> 'New host information added.'
Src IP: (none)
User: (none)
Host: 192.168.2.10, open ports: 21(tcp) 22(tcp) 80(tcp) 113(tcp) 514(udp) 1514(udp) 4500(udp)
** Alert 1152058983.487: mail
2006 Jul 04 20:23:03 /var/log/nmap-out.log
Rule: 15 (level 8) -> 'Host information changed.'
Src IP: (none)
User: (none)
Host: 192.168.2.1, open ports: 54(udp) 8080(tcp) 161(udp) 520(udp) 1025(udp) 1900(udp)
Previously open ports: 53(udp) 80(tcp) 161(udp) 520(udp) 1025(udp) 1900(udp)