Hello all,

Thank you for the support & help that this list and the ossec.net web
site provide. And I am hoping to stretch this a bit further... please.

I have got a Cisco ASA that is currently sending its syslogs over to my
OSSEC machine. This is running on a cut-down version of Red Hat and
running very nicely. I get my e-mail alerts as I should when things
happen that should not.

I have also been able to configure a little "active-response" script for
this ASA so that IP addresses get shunned & un-shunned as per
firewall-drop.sh.

Well, I have been a bit lazy and I have added the Cisco ASA entries into
the Linux section of this script. What I have done is this (my additions
are in red and bold):

#!/bin/sh
# Lines from the top of the stock firewall-drop.sh that this fragment
# relies on: OSSEC passes the action, user and IP as the first three
# arguments. The ASA helper directory used below must already exist.
ACTION=$1
USER=$2
IP=$3
UNAME=`uname`
IPTABLES="/sbin/iptables"

# We should run on linux
if [ "X${UNAME}" = "XLinux" ]; then
   if [ "x${ACTION}" = "xadd" ]; then
      ARG1="-I INPUT -s ${IP} -j DROP"
      ARG2="-I FORWARD -s ${IP} -j DROP"

      # --- ASA addition (red/bold in the original mail) ---
      # Write the shun command for this IP, wrap it between the fixed
      # beginning (shun1.txt) and end (shun3.txt) of the expect script,
      # and run the result against the ASA.
      echo "shun ${IP}" > /var/ossec/active-response/bin/ASA/${IP}.txt
      cat /var/ossec/active-response/bin/ASA/shun1.txt \
          /var/ossec/active-response/bin/ASA/${IP}.txt \
          /var/ossec/active-response/bin/ASA/shun3.txt \
          > /var/ossec/active-response/bin/ASA/shun${IP}.txt
      expect /var/ossec/active-response/bin/ASA/shun${IP}.txt
   else
      ARG1="-D INPUT -s ${IP} -j DROP"
      ARG2="-D FORWARD -s ${IP} -j DROP"

      # --- ASA addition: the same again with "no shun" for the delete action ---
      echo "no shun ${IP}" > /var/ossec/active-response/bin/ASA/un${IP}.txt
      cat /var/ossec/active-response/bin/ASA/shun1.txt \
          /var/ossec/active-response/bin/ASA/un${IP}.txt \
          /var/ossec/active-response/bin/ASA/shun3.txt \
          > /var/ossec/active-response/bin/ASA/unshun${IP}.txt
      expect /var/ossec/active-response/bin/ASA/unshun${IP}.txt
   fi

   # Checking if iptables is present
   ls ${IPTABLES} >> /dev/null 2>&1
   if [ $? != 0 ]; then
      IPTABLES="/usr"${IPTABLES}
      ls ${IPTABLES} >> /dev/null 2>&1
      if [ $? != 0 ]; then
         exit 0;
      fi
   fi

   # Executing and exiting
   ${IPTABLES} ${ARG1}
   ${IPTABLES} ${ARG2}

   exit 0;
fi
# (the other OS sections of the stock firewall-drop.sh follow here)

Not what you expected, I am sure; it is a kluge, but it works - and I am
a happy man.

shun1.txt & shun3.txt are text files that contain the beginning and end
parts of an expect script, while ${IP}.txt & un${IP}.txt are the commands
to shun & unshun the IP in question from the ASA. This all works - this
is great. The expect line simply runs the command as it should against an
ASA that is hard-coded into the shun1.txt file.

And here is my problem - I do not want it to be hard-coded; really, I
would like this to be picked up from the log entries. I have another ASA
somewhere else that I also want to send its syslog messages to this
OSSEC server. And I want to have the same goodness on that ASA.

Hence my question (after a half marathon) - is there any way that I can
extract the IP of the source of the syslog files for the shun & un-shun
of the hosts for the ASA? I am hoping for a parameter that I can use in
that script so that I can parse it into a text file and use it as well.

Thank you all for any help that you may be able to give.

If anyone has ASAs and wants to know how those text files work with the
ASA, please let me know - I would be more than happy to help.

Regards,

Jens C Harsem | Regional MIS Manager | MICROS-Fidelio Asia Pacific |
Suite 7, 13 Narabang Way | Belrose, NSW 2085 | Australia |
+612 9485 1005 | +612 9485 1099 | [EMAIL PROTECTED] | www.micros.com
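One way to get at the sending device, as an added example that is not part of the original post or of OSSEC's own scripts: OSSEC passes active-response scripts the alert id as the fourth argument, so firewall-drop.sh can look that alert up in alerts.log and read the "host->location" line. The alerts.log excerpt below is constructed, and the example assumes that for a device sending remote syslog the location field holds the sender's IP (agents show "(name) ip->file" instead); check this against your own alerts.log before relying on it.

```shell
#!/bin/sh
# Constructed alerts.log excerpt (not a real log). Assumption: for a
# device sending remote syslog, the "host->location" line carries the
# sender's IP as the location; agents show "(name) ip->file" instead.
SAMPLE_ALERTS=$(cat <<'EOF'
** Alert 1230000000.100: - syslog,cisco_asa,
2009 Jan 01 10:00:00 asa-hq->192.168.10.1
Rule: 100102 (level 8) -> 'Constructed ASA rule'
Src IP: 203.0.113.25

** Alert 1230000060.250: - syslog,cisco_asa,
2009 Jan 01 10:01:00 asa-branch->10.20.0.254
Rule: 100102 (level 8) -> 'Constructed ASA rule'
Src IP: 198.51.100.9

** Alert 1230000120.400: - syslog,sshd,authentication_failed,
2009 Jan 01 10:02:00 (web01) 10.0.0.5->/var/log/secure
Rule: 5716 (level 5) -> 'SSHD authentication failed.'
Src IP: 198.51.100.9
EOF
)

write_sample_log() { printf '%s\n' "$SAMPLE_ALERTS" > "$1"; }

# alert_location_ip LOGFILE ALERTID
# Finds "** Alert ALERTID:" and prints the text after "->" on the next
# line. Prints "-" if the alert is missing or the location is not an
# IPv4-looking value (e.g. an agent's log file path), so the caller
# never feeds a file name into "shun".
alert_location_ip() {
    loc=$(awk -v id="$2" '
        $1 == "**" && $2 == "Alert" && $3 == (id ":") { want = 1; next }
        want == 1 { sub(/^.*->/, ""); print; exit }
    ' "$1")
    case "$loc" in
        "" | *[!0-9.]*) echo "-" ;;
        *)              echo "$loc" ;;
    esac
}

# Demo on the constructed log. In firewall-drop.sh this would be
# ASA=$(alert_location_ip /var/ossec/logs/alerts/alerts.log "$4")
# since OSSEC passes the alert id (time.number) as the 4th argument.
tmp=$(mktemp)
write_sample_log "$tmp"
for id in 1230000000.100 1230000060.250 1230000120.400; do
    echo "alert $id: device $(alert_location_ip "$tmp" "$id")"
done
rm -f "$tmp"
```

If your alerts.log shows the ASA's address in a different field, change the sub() in the awk accordingly.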