Install and configure OSSEC HIDS, then write a rule to log pings using the Internet Control Message Protocol (ICMP).

computer science

Description

Install and configure OSSEC HIDS, then write a rule to log pings using the Internet Control Message Protocol (ICMP). Take a screenshot of everything associated with the rule you wrote and send it to me. Use Ubuntu 20.04 in VMware or VirtualBox. Install the local version of OSSEC, not the agent or the server versions.
In order to understand ICMP, open a terminal and enter ping followed by any IP address or website name. You will begin to see some output. It will not stop until you press Ctrl+C or Ctrl+Z.

Write a rule that will log the pings of anybody (any IP address or website) pinging my public IP address. That is the assignment.

Write rules and decoder for log_ip, icmp, ping and ping_flood.
This is what I started with:

set log_ip true
set icmp true
set ping true
set ping_flood

I did not use log_ip or ping_flood.

I have done some part of it. Can you take a look at what I have done and correct it if I made any mistake? Also, please finish it; it is not completed. I want fully functional rules and a decoder that log pings using the ICMP protocol.

This is the decoder I wrote for ICMP ping:

<!-- This logs ICMP ping -->
<decoder name="ICMP-ping">
       <program_name>ICMP</program_name>
       <prematch>ping detected from</prematch>
       <regex offset="after_prematch">(\S+)</regex>
       <order>srcip</order>
</decoder>

I created a decoder file called icmplog_decoder.xml in /var/ossec/etc/

I tested it in /var/ossec/bin/ossec-logtest.

Using: Nov 14 19:09:33 ICMP: ping detected from 10.20.30.1

This was the result:

Nov 14 19:03:25 ICMP: ping detected from 10.10.150.1


**Phase 1: Completed pre-decoding.
       full event: 'Nov 14 19:03:25 ICMP: ping detected from 10.10.150.1'
       hostname: 'chubbyfellow'
       program_name: 'ICMP'
       log: 'ping detected from 10.10.150.1'

**Phase 2: Completed decoding.
       decoder: 'ICMP-ping'
       srcip: '10.10.150.1'

**Phase 3: Completed filtering (rules).
       Rule id: '199990'
       Level: '6'
       Description: 'ping detected from'
**Alert to be generated.

The decoder and rule I wrote worked.

This is my rule:

<group name="syslog,ICMP-ping,">
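An added example (not the poster's own rule, which is cut off above) of a rule group that pairs with the ICMP-ping decoder: the first rule logs every ping the decoder extracts a source IP for, and the second correlates repeated pings from one source into a ping_flood alert. It assumes that decoder is loaded by OSSEC; the rule ids, levels and thresholds are assumed values.

```xml
<!-- Added example: assumes the ICMP-ping decoder from the question is loaded.
     Rule ids 100100/100101 are placeholders in OSSEC's local range (100000-119999). -->
<group name="syslog,ICMP-ping,">

  <!-- Log every event the ICMP-ping decoder handled; srcip is already in the alert. -->
  <rule id="100100" level="6">
    <decoded_as>ICMP-ping</decoded_as>
    <description>ICMP ping detected from a remote host.</description>
    <group>icmp,ping,</group>
  </rule>

  <!-- Escalate when the same source IP keeps triggering rule 100100
       (frequency 10 within a 60 second timeframe, assumed values). -->
  <rule id="100101" level="10" frequency="10" timeframe="60">
    <if_matched_sid>100100</if_matched_sid>
    <same_source_ip />
    <description>Possible ping flood: repeated ICMP pings from the same source.</description>
    <group>ping_flood,</group>
  </rule>

</group>
```

Re-run /var/ossec/bin/ossec-logtest with the sample line to confirm Phase 3 now reports the new rule id; the rules only fire on lines that already reach a monitored log in the form the decoder expects.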