Hi Daniel,

Just wanna know if version 2 can now parse the source IP, source port, destination IP and destination port into the database.
Sherwin

-----Original Message-----
From: [email protected] [mailto:[email protected]] On Behalf Of Daniel Cid
Sent: Monday, January 14, 2008 6:25 PM
To: [email protected]
Subject: [ossec-list] Re: OSSEC 1.4 Destination IP, Source port, Destination Port NOT PARSE

Hi Sherwin,

OSSEC parses this data and you can see it at /var/ossec/logs/firewall/firewall.log, but currently it is not storing that in the database. It only stores whatever is written at the alerts.log, which does not include the dstip, ports, etc.

However, it is in our todo list to handle that for the next release.

Thanks,

--
Daniel B. Cid
dcid ( at ) ossec.net

On Jan 11, 2008 1:57 PM, Sherwin P. William Abocejo <[email protected]> wrote:
>
> Hi All,
>
> I was just wondering why ossec 1.4 did not parse the Destination IP, Source
> Port and Destination Port and throw them in the database? I have this
> alert....
>
> OSSEC HIDS Notification.
> 2008 Jan 11 10:20:39
>
> Received From: sdnasim->192.168.32.1
> Rule: 4151 fired (level 10) -> "Multiple Firewall drop events from same source."
> Portion of the log(s):
>
> %PIX-7-710005: UDP request discarded from 192.168.32.43/138 to inside:192.168.32.255/netbios-dgm
> %PIX-7-710005: UDP request discarded from 192.168.32.43/137 to inside:192.168.32.255/netbios-ns
> %PIX-7-710005: UDP request discarded from 192.168.32.43/137 to inside:192.168.32.255/netbios-ns
> %PIX-7-710005: UDP request discarded from 192.168.32.43/137 to inside:192.168.32.255/netbios-ns
> %PIX-7-710005: UDP request discarded from 192.168.32.43/137 to inside:192.168.32.255/netbios-ns
> %PIX-7-710005: UDP request discarded from 192.168.32.43/137 to inside:192.168.32.255/netbios-ns
> %PIX-7-710005: UDP request discarded from 192.168.32.43/137 to inside:192.168.32.255/netbios-ns
> %PIX-7-710005: UDP request discarded from 192.168.32.43/138 to inside:192.168.32.255/netbios-dgm
> %PIX-7-710005: UDP request discarded from 192.168.32.43/137 to inside:192.168.32.255/netbios-ns
> %PIX-7-710005: UDP request discarded from 192.168.32.43/137 to inside:192.168.32.255/netbios-ns
>
> --END OF NOTIFICATION
>
> -------------------
>
> Is it the design of ossec that it won't parse that info? Why are there
> such fields in the database and the values always NULL?
>
> Sherwin
