Hi Jens,

Reply inline..


On 6/14/07, Harsem, Jens <[EMAIL PROTECTED]> wrote:
>
> Hello all,
>
> thank you for the support & help that this list and the ossec.net web site
> provides. And I am hoping to stretch this a bit further… please
>
>
> I have got a Cisco ASA that is currently sending its syslogs over to my
> OSSEC machine. This is running on a cut down version of Red Hat and running
> very nicely. I get my e-mail alerts as I should when things happen that
> should not.

Good :)




> # We should run on linux
> ....
> ....
> if [ "X${UNAME}" = "XLinux" ]; then
>
> Not what you expected I am sure, it is a kluge, but it works – and I am a
> happy man.

The idea is very good, and maybe you could share your script with us? Are you
using ssh or telnet to log in to the ASA? We could clean it up a little
bit and make it available for everyone (I know external active responses are
something many people have asked about before)...




> And here is my problem – I do not want it to be hard coded, really, I would
> like this to be picked up from the log entries. I have another ASA somewhere
> else that I also want to have send its Syslog messages to this OSSEC Server.
> And I want to have the same goodness on that ASA.
>
> Hence my question (after a half marathon) – is there any way that I can
> extract the IP of the source of the Syslog files for the shun & un-shun of
> the hosts for the ASA? I am hoping for a parameter that I can use in that
> script so that I can parse it to a text file and use it as well.

Yes, you can. If you look at the script, we only use up to argument 5
(rule id), but if you use arguments $6 and $7 they will have the agent (or
IP of the device) that generated the alert, so based on that you can decide
where to shun ...




> If anyone has ASAs and wants to know how those text files work with the ASA
> please let me know – I would be more than happy to help.


Yes, please (see above) :)


Hope it helps.

--
Daniel B. Cid
dcid ( at ) ossec.net
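As an added example (not Daniel's code, not OSSEC's stock firewall-drop.sh, and not Jens's script), here is a POSIX sh sketch of an external active-response script that follows the argument layout described in the reply above: $1 is the action, $3 the source IP from the alert, and $6 the agent or device that generated it. It picks the target ASA from $6 and appends the matching `shun` / `no shun` entry to a text file, the way Jens describes. The "name->ip" agent format, the agent-to-ASA mapping, the SHUN_FILE path and every sample value are assumptions made for the example.

```sh
#!/bin/sh
# Added example, not OSSEC's firewall-drop.sh and not the script from the thread.
# Argument order as described in the reply: $1 action (add/delete), $2 user,
# $3 source IP from the alert, $4 alert id, $5 rule id, $6/$7 agent or
# device that generated the alert. $6 is treated as "name->ip" or a bare
# name/ip; that format is an assumption.

# Reject anything that is not a dotted-quad IPv4 address. $3 comes from the
# log line, so it is untrusted input and must not reach a device command or
# a file unchecked.
is_ipv4() {
    case "$1" in
        ""|*[!0-9.]*) return 1 ;;
    esac
    old_ifs=$IFS
    IFS=.
    set -- $1
    IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        [ -n "$octet" ] && [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Map the reporting agent ($6) to the ASA that should receive the shun.
# Hypothetical mapping; a real deployment would read this from a config file.
device_for_agent() {
    host="${1##*->}"   # drop an optional "name->" prefix (assumed format)
    case "$host" in
        asa-site-a|10.0.0.1) echo "10.0.0.1" ;;
        asa-site-b|10.0.1.1) echo "10.0.1.1" ;;
        *) return 1 ;;
    esac
}

# Build the line for the ASA-side text file: "<asa> shun <ip>" on add,
# "<asa> no shun <ip>" on delete (the ASA commands Jens refers to).
build_shun_line() {
    action="$1"; srcip="$2"; agent="$3"
    is_ipv4 "$srcip" || return 1
    asa=$(device_for_agent "$agent") || return 1
    case "$action" in
        add)    echo "$asa shun $srcip" ;;
        delete) echo "$asa no shun $srcip" ;;
        *)      return 1 ;;
    esac
}

# Entry point using OSSEC's argument order; appends the line to the file
# named by SHUN_FILE (constructed default path) and returns 1 on rejected input.
ar_main() {
    line=$(build_shun_line "$1" "$3" "$6") || return 1
    printf '%s\n' "$line" >> "${SHUN_FILE:-/var/ossec/active-response/asa-shun.txt}"
}

# Run only when invoked with the full active-response argument list.
if [ "$#" -ge 6 ]; then
    ar_main "$@"
fi
```

The IPv4 check is the part worth keeping whatever the rest looks like: the source address is lifted straight out of a syslog line, so a script that interpolates it into an ASA session or a file without validation is letting whoever wrote that log line pick the text that reaches the device. Unknown agents are rejected rather than defaulting to one ASA, so a misconfigured sender cannot cause a shun on the wrong firewall.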
