Misc. Notes
- Why am I getting multiple 675 events from AD + Samba?
- Agentless Scripts
- Periodic diff Specification
- Periodic Specification
- Example of real FWD: command.
- Configuring Checkpoint
- How do I use or create my own compiled rules?
- Correlating multiple snort IDS with ospatrol
- Creating Customized Active Responses
- Question: How does the decoder.xml relate to the rules?
- Disconnected Agent Alert
- Additional rules
- Why is OSPatrol not seeing my iptables messages?
- Migrating/backing up the manager
- How to add multiple log files to be monitored?
- Nmap correlation
- How to set up Syslog output
- How to configure PIX and OSPatrol
- Detecting portscans with OSPatrol and iplog
- iplog.conf:
- iplog: Scan and attack responses
- Connect Scan and SYN scan
- iplog response:
- FIN Stealth Scan:
- iplog response:
- NULL Stealth Scan:
- iplog response:
- Xmas Tree Stealth Scan:
- iplog response:
- UDP port scan:
- iplog response:
- traceroute:
- iplog response:
- Flood ping attack:
- iplog response:
- IP fragment attacks:
- UDP and ICMP “smurf” attacks:
- Other interesting logs:
- bogus TCP flags:
- OSPatrol (HIDS) + iplog (sensor) implementation:
- iplog decoder:
- For these logs:
- a working decoder is:
- For this log:
- a proposed decoder is (not tested):
- For this log:
- a proposed decoder is (not tested):
- For this log:
- a proposed decoder is (not tested):
- For this log:
- a proposed decoder is (not tested):
- iplog rules:
- OSPatrol active-response:
- Firewall Drop: FreeBSD-IPFW:
- More restrictions:
- iplog.conf:
- BSD's sysctl (some FreeBSD specific):
- Rule Groups
- How to configure ospatrol to never block some IPs in the active response