From OSSEC Wiki
Why and how to monitor nmap output?
*See also the related tutorial: Tutorials:Nmap_Correlation.
Why?
If you regularly scan your internal network for open ports or changes, OSSEC can automate part of that work. It generates alerts when a newly found system appears in the scan output, or when the recorded information for a known host changes (for example, when a port that was closed is now found open).
Example alerts:
2006 Jul 04 20:21:53 /var/log/nmap-out.log Rule: 15 (level 8) -> 'New host information added.' Src IP: (none) User: (none) Host: 192.168.2.10, open ports: 21(tcp) 22(tcp) 80(tcp) 113(tcp) 514(udp) 1514(udp) 4500(udp)
2006 Jul 04 20:23:03 /var/log/nmap-out.log Rule: 15 (level 8) -> 'Host information changed.' Src IP: (none) User: (none) Host: 192.168.2.1, open ports: 54(udp) 8080(tcp) 161(udp) 520(udp) 1025(udp) 1900(udp) Previously open ports: 53(udp) 80(tcp) 161(udp) 520(udp) 1025(udp) 1900(udp)
How?
OSSEC can read nmap grepable output files (the -oG format) and use them as a correlation source, alerting when the recorded information for a host changes. Follow the step-by-step guide below to configure OSSEC:
- 1 - Add the nmap output file to ossec.conf, using the nmapg log format:
<ossec_config>
<localfile>
<log_format>nmapg</log_format>
<location>/var/log/nmap-out.log</location>
</localfile>
</ossec_config>
- 2 - Restart OSSEC. Make sure to create (touch) the nmap log file first if it does not exist yet, so that OSSEC can open it:
ossec-test# touch /var/log/nmap-out.log
ossec-test# /var/ossec/bin/ossec-control restart
- 3 - Run your nmap scans, writing grepable output (-oG) to that file and appending rather than overwriting it, so each new scan lands in the monitored log. The example below scans the 192.168.2.0/24 network:
ossec-test# nmap --append_output -sU -sT -oG /var/log/nmap-out.log 192.168.2.0-255
- 4 - That's it. OSSEC is now monitoring the log and will generate alerts when a new host appears or a known host's open ports change.
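As an added illustration (not OSSEC's own code), the following Python script performs the same correlation the nmapg log format gives you: it parses the "Host: ... Ports: ..." lines of two appended grepable scans and reports the two conditions shown in the alerts above, a new host and a changed set of open ports. The sample log is constructed and uses the same addresses as the alerts above; the function and variable names are this example's own.

```python
import re
# Constructed sample of nmap grepable (-oG) output written with --append_output:
# two consecutive scans of the same network (not real OSSEC or nmap data).
SAMPLE_LOG = """\
# Nmap 4.11 scan initiated Tue Jul  4 20:21:00 2006 as: nmap --append_output -sU -sT -oG /var/log/nmap-out.log 192.168.2.0-255
Host: 192.168.2.1 ()\tPorts: 53/open/udp//domain///, 80/open/tcp//http///, 161/open/udp//snmp///\tIgnored State: closed (997)
Host: 192.168.2.10 ()\tPorts: 21/open/tcp//ftp///, 22/open/tcp//ssh///, 80/open/tcp//http///\tIgnored State: closed (997)
# Nmap 4.11 scan initiated Tue Jul  4 20:23:00 2006 as: nmap --append_output -sU -sT -oG /var/log/nmap-out.log 192.168.2.0-255
Host: 192.168.2.1 ()\tPorts: 161/open/udp//snmp///, 8080/open/tcp//http-proxy///\tIgnored State: closed (998)
Host: 192.168.2.10 ()\tPorts: 21/open/tcp//ftp///, 22/open/tcp//ssh///, 80/open/tcp//http///\tIgnored State: closed (997)
Host: 192.168.2.20 ()\tPorts: 443/open/tcp//https///\tIgnored State: closed (999)
"""

# Grepable format: "Host: <ip> (<name>)<TAB>Ports: <entries><TAB>Ignored State: ..."
HOST_RE = re.compile(r"^Host:\s+(\S+)\s+\(.*?\)\tPorts:\s+(.*?)(?:\t|$)")

def parse_ports_line(line):
    """Return (ip, {'21(tcp)', ...}) for a 'Host: ... Ports: ...' line, else None."""
    m = HOST_RE.match(line)
    if not m:
        return None
    open_ports = set()
    for entry in m.group(2).split(", "):
        fields = entry.split("/")  # port/state/protocol/owner/service/rpc/version/
        if len(fields) >= 3 and fields[1] == "open":
            open_ports.add(f"{fields[0]}({fields[2]})")
    return m.group(1), open_ports

def split_scans(lines):
    """Group lines into one {ip: open_ports} dict per scan; each '# Nmap ... scan initiated' header starts a new scan."""
    scans = []
    for line in lines:
        if line.startswith("# Nmap") and "scan initiated" in line:
            scans.append({})
            continue
        parsed = parse_ports_line(line)
        if parsed and scans:
            scans[-1][parsed[0]] = parsed[1]
    return scans

def correlate(scans):
    """Diff each scan against what was previously seen; returns (message, ip, open_ports, previous_ports) tuples."""
    known, alerts = {}, []
    for scan in scans:
        for ip, ports in scan.items():
            if ip not in known:
                alerts.append(("New host information added.", ip, ports, set()))
            elif ports != known[ip]:
                alerts.append(("Host information changed.", ip, ports, known[ip]))
            known[ip] = ports
    return alerts
```

Hosts that come up with no open ports only produce a "Status: Up" line in grepable output and are skipped here, so a host whose ports all close is not reported as changed.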