Prerequisite
Test the new OSSEC rule against a sample log line with 'ossec-logtest'.
Here is the custom rule. It fires on access-log requests whose URL contains one of the listed words, mainly 'payment':
<rule id="31181" level="6">
<if_sid>31100</if_sid>
<url>payment|paid|pay|pays|bar</url>
<description>Customer payment attempt.</description>
<group>attack,</group>
</rule>
1. Update the OSSIM plugin
The OSSIM plugin must be updated so that the OSSEC rule ID is mapped to an OSSIM data source ID. Add a mapping line to:
/etc/ossim/agent/plugins/ossec-single-line.cfg
<rule id>=<data source id>
e.g.: 31181=7058
2. Check that the rule is visible to OSSIM
The rule ID will show up under 'environment --> detection --> hids --> Edit Rules'.
3. Add an OSSIM event type
Add a new event type as below by navigating to 'configuration --> threat_intelligence --> data_source'.
Reconfigure the OSSIM server:
ossim-reconfig -c -v -d
Test the OSSEC rule mapping to OSSIM
Append the request below to the Apache access log so that the OSSEC agent picks it up:
httpStatus=400
alienvault:/var/ossec/rules# echo "192.168.100.251 - testuser [$(date +"%d/%b/%Y:%T %z")] \"GET /myapp/pays HTTP/1.1\" $httpStatus 3360 \"-\" \"Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2743.116 Safari/537.36\"" >> /var/log/apache2/access.log
The alert now shows up in OSSIM.
Add the rule ID for
alienvault:/etc/ossim/agent/plugins# httpStatus=404
alienvault:/etc/ossim/agent/plugins# echo "192.168.100.251 - testuser [$(date +"%d/%b/%Y:%T %z")] \"GET /ossim/go/payment HTTP/1.1\" $httpStatus 3360 \"-\" \"Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2743.116 Safari/537.36\"" >> ../../../../../var/log/apache2/access.log
ossim-reconfig -c -v -d
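As an added example (not from the original post, and not OSSEC or OSSIM code), the Python below reproduces what rule 31181 and the plugin mapping above do to one of the test lines: it parses the Apache combined log line, tries the rule's `<url>` alternatives, and translates the OSSEC rule ID to the OSSIM ID from a constructed copy of the mapping line (the `[translation]` section name is an assumption). It assumes OSSEC's `<url>` match is an unanchored substring match, which is why `pay` and `bar` also fire on unrelated paths such as `/static/barcode.png` and why `pays` can never be the matching alternative.

```python
import re

# Apache combined log format, the shape the page's echo command writes.
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<url>\S+) [^"]+" (?P<status>\d{3}) \S+ "[^"]*" "[^"]*"$'
)

# The page's custom rule 31181: OSSEC tries each '|' alternative as an
# unanchored substring of the decoded url field (assumption: no '^' anchor).
RULE_ID, RULE_LEVEL = 31181, 6
URL_ALTERNATIVES = "payment|paid|pay|pays|bar".split("|")

# Constructed stand-in for the mapping line added to ossec-single-line.cfg;
# the section name is an assumption, the id pair is the page's own.
TRANSLATION_CFG = "[translation]\n31181=7058\n"

def make_line(url, status, src="192.168.100.251", user="testuser"):
    """Build a constructed test line like the page's echo command (fixed timestamp)."""
    ua = "Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/537.36 Safari/537.36"
    return (f'{src} - {user} [01/Jan/2020:00:00:00 +0000] '
            f'"GET {url} HTTP/1.1" {status} 3360 "-" "{ua}"')

def load_translation(cfg_text):
    """Return {ossec_rule_id: ossim_id} from the [translation] section."""
    mapping, active = {}, False
    for raw in cfg_text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            active = line == "[translation]"
        elif active and "=" in line:
            rid, oid = line.split("=", 1)
            mapping[int(rid)] = int(oid)
    return mapping

def evaluate(log_line, translation):
    """Apply rule 31181 to one access-log line.
    Returns None if it does not fire; otherwise the OSSEC rule id, its level,
    the OSSIM id it translates to (None if unmapped) and which alternative hit."""
    m = LOG_RE.match(log_line)
    if not m:  # not an access-log line, so parent rule 31100 never matched
        return None
    url = m.group("url")
    for alt in URL_ALTERNATIVES:  # 'pay' precedes 'pays', so 'pays' is redundant
        if alt in url:
            return {"rule_id": RULE_ID, "level": RULE_LEVEL,
                    "ossim_id": translation.get(RULE_ID),
                    "matched": alt, "url": url, "status": int(m.group("status"))}
    return None
```

Running it against `/static/barcode.png` shows the rule firing on a static asset; tightening the pattern (for example anchoring it to a path prefix) is what keeps the OSSIM event meaningful.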