prelude-lml-rules 4.1.0-1 / etc / prelude-lml / ruleset / portsentry.rules

This file is indexed.

/etc/prelude-lml/ruleset/portsentry.rules is in prelude-lml-rules 4.1.0-1.

This file is owned by root:root, with mode 0o644.

The actual contents of the file can be viewed below. 

  1
  2
  3
  4
  5
  6
  7
  8
  9
 10
 11
 12
 13
 14
 15
 16
 17
 18
 19
 20
 21
 22
 23
 24
 25
 26
 27
 28
 29
 30
 31
 32
 33
 34
 35
 36
 37
 38
 39
 40
 41
 42
 43
 44
 45
 46
 47
 48
 49
 50
 51
 52
 53
 54
 55
 56
 57
 58
 59
 60
 61
 62
 63
 64
 65
 66
 67
 68
 69
 70
 71
 72
 73
 74
 75
 76
 77
 78
 79
 80
 81
 82
 83
 84
 85
 86
 87
 88
 89
 90
 91
 92
 93
 94
 95
 96
 97
 98
 99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
#FULLNAME: PortSentry
#VERSION: 1.0
#DESCRIPTION: PortSentry will watch unused ports for activity and depending on how it is configured take action upon excessive access to watched ports.

#####
#
# Copyright (C) 2003 Stephane Loeuillet (stephane.loeuillet@tiscali.fr)
# All Rights Reserved
#
# RulesID: 1503
# Copyright (C) 2004-2005 G Ramon Gomez <gene at gomezbrothers dot com>
# All Rights Reserved
#
# This file is part of the Prelude-LML program.
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2, or (at your option)
# any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License along
# with this program; if not, write to the Free Software Foundation, Inc.,
# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
#
#####

#DESCRIPTION:Someone performed a scan
#CATEGORY:Recognition
#LOG:May 11 23:29:48 icecube portsentry[791]: attackalert: SYN/Normal scan from host: server1.miniclip.com/64.23.60.30 to TCP port: 443
#LOG:May  8 08:58:22 icecube portsentry[795]: attackalert: UDP scan from host: 193.63.249.24/193.63.249.24 to UDP port: 177
#LOG:Apr 18 10:42:51 20.0.0.3 portsentry[2549]: attackalert: TCP SYN/Normal scan from  host: 2.0.0.3/2.0.0.3 to TCP port: 119
regex=attackalert:.*?(\S+) scan from\s+host: (\S+)/([\d\.]+|[\dA-Fa-f\:]+) to (TCP|UDP) port: (\d+); \
 classification.text=$1 Scan; \
 id=1500; \
 revision=1; \
 analyzer(0).name=PortSentry; \
 analyzer(0).manufacturer=sentrytools.sourceforge.net; \
 analyzer(0).class=HIDS; \
 assessment.impact.completion=succeeded; \
 assessment.impact.type=other; \
 assessment.impact.severity=medium; \
 assessment.impact.description=PortSentry found someone performed a '$1' scan; \
 source(0).node.address(0).category=ipv4-addr; \
 source(0).node.address(0).address=$3; \
 source(0).node.name=$2; \
 source(0).service.iana_protocol_name=$4; \
 target(0).service.iana_protocol_name=$4; \
 source(0).service.port=$5; \
 last

#DESCRIPTION:Connection logged
#CATEGORY:Recognition
#LOG:Mar 28 00:03:25 hoste portsentry[103]: attackalert: Connect from host: 217.33.28.29/217.33.28.29 to TCP port: 111
regex=attackalert: Connect from host: (\S+)/([\d\.]+|[\dA-Fa-f\:]+) to (TCP|UDP) port: (\d+); \
 classification.text=Connection logged; \
 id=1501; \
 revision=1; \
 analyzer(0).name=PortSentry; \
 analyzer(0).manufacturer=sentrytools.sourceforge.net; \
 analyzer(0).class=HIDS; \
 assessment.impact.completion=succeeded; \
 assessment.impact.type=other; \
 assessment.impact.severity=low; \
 assessment.impact.description=PortSentry found someone connecting to port $3/$4; \
 source(0).node.address(0).category=ipv4-addr; \
 source(0).node.address(0).address=$2; \
 source(0).node.name=$1; \
 source(0).service.iana_protocol_name=$3; \
 target(0).service.iana_protocol_name=$3; \
 target(0).service.port=$4; \
 last

#DESCRIPTION:Host blocked
#CATEGORY:Recognition
#LOG:Oct 15 13:50:07 basile portsentry[28412]: attackalert: Host 195.220.107.15 has been blocked via dropped route using command: "/sbin/ipchains -I input -s 195.220.107.15 -j DENY"
regex=attackalert: Host ([\d\.]+) has been blocked via dropped route using command: "([^"]+)"; \
 classification.text=Host blocked; \
 id=1502; \
 revision=1; \
 analyzer(0).name=PortSentry; \
 analyzer(0).manufacturer=sentrytools.sourceforge.net; \
 analyzer(0).class=HIDS; \
 assessment.impact.completion=failed; \
 assessment.impact.type=other; \
 assessment.impact.severity=low; \
 assessment.impact.description=PortSentry saw your firewall blocked a host via : $2; \
 source(0).node.address(0).category=ipv4-addr; \
 source(0).node.address(0).address=$1; \
 last

#DESCRIPTION:Host already blocked
#CATEGORY:Recognition
#LOG:Apr 18 10:42:51 20.0.0.3 portsentry[2549]: attackalert: Host: 2.0.0.3/2.0.0.3 is  already blocked Ignoring
regex=attackalert: Host: (\S+)/([\d\.]+) is\s+already blocked; \
 classification.text=Host blocked; \
 id=1503; \
 revision=1; \
 analyzer(0).name=PortSentry; \
 analyzer(0).manufacturer=sentrytools.sourceforge.net; \
 analyzer(0).class=HIDS; \
 assessment.impact.completion=failed; \
 assessment.impact.type=other; \
 assessment.impact.severity=medium; \
 assessment.impact.description=PortSentry saw your firewall blocked a host.; \
 source(0).node.address(0).category=ipv4-addr; \
 source(0).node.address(0).address=$2; \
 source(0).node.name=$1; \
 last

APT Browse - Built by Thomas Orozco.