On Mon, Mar 5, 2012 at 1:18 PM, C. L. Martinez <carlopm...@gmail.com> wrote:
> On Mon, Mar 5, 2012 at 1:04 PM, dan (ddp) <ddp...@gmail.com> wrote:
>> On Mon, Mar 5, 2012 at 6:09 AM, C. L. Martinez <carlopm...@gmail.com> wrote:
>>> On Mon, Mar 5, 2012 at 11:49 AM, dan (ddp) <ddp...@gmail.com> wrote:
>>>> I should probably mention that I think the -a flag for ossec-logtest
>>>> will give you OSSEC alert log output. Redirect that to a file or
>>>> possibly to ossec-reportd, and you should probably get what you're
>>>> after.
>>>>
>>>
>>> Thanks Dan. It is correct, cp.logs is in ossec alert format. For example:
>>>
>>> ** Alert 1330945041.114: - firewall,
>>> 2012 Mar 05 10:57:21 ossecsrv->stdin
>>> Rule: 100100 (level 2) -> 'CheckPoint Firewall-1 rules grouped.'
>>> Src IP: 192.168.1.7
>>> Dst IP: 192.168.2.3
>>> Dst Port: domain-udp
>>> "113" "26Feb2012" "23:59:04" "bond0.30" "CHCKPNT1" "Log" "Drop"
>>> "domain-udp" "47082" "192.168.1.7" "192.168.2.3" "udp" "82" ""
>>> "82-Standard" "" "inzone: Internal; outzone: Internal; service_id:
>>> domain-udp" "VPN-1 Power/UTM" "" ""
>>>
>>> doesn't trigger alert 100101 instead of 100100 ...
>>
>> It doesn't trigger 100101 because action isn't decoded.
>
> Uhhmmm .. wait a minute. Action is decoded using these decoders:
>
> <decoder name="custom-checkpoint-fw">
>   <prematch>"\d+" "\d+\w+\d+" "\d+:\d+:\d+" "(\S+)"
> "FW-INT-CHCKPNT1"</prematch>
> </decoder>
>
> <decoder name="custom-checkpoint-fw-tcp-udp-icmp">
>   <parent>custom-checkpoint-fw</parent>
>   <regex offset="after_parent">"\w+" "(\w+)" "(\S+)" "\S+" "(\S+)"
> "(\S+)" "(\w+)" "\S+" "" "(\S+)"</regex>
>   <order>action,dstport,srcip,dstip,protocol,extra_data</order>
> </decoder>
>
> <decoder name="custom-checkpoint-fw-tcp-udp-icmp">
>   <parent>custom-checkpoint-fw</parent>
>   <regex offset="after_regex">"\w+" "(\w+)" "" "" "(\S+)" "(\S+)"
> "(\w+)" "" "" "" "" "(\.+)"</regex>
>   <order>action,srcip,dstip,protocol,extra_data</order>
> </decoder>
>
> <decoder name="custom-checkpoint-fw-tcp-udp-icmp">
>   <parent>custom-checkpoint-fw</parent>
>   <regex offset="after_regex">"\w+" "(\w+)" "\S+" "\S+" "(\S+)"
> "(\S+)" "(\w+)" "" "" "" "" "(\.+)"</regex>
>   <order>action,srcip,dstip,protocol,extra_data</order>
> </decoder>
>
> for example:
>
> **Phase 1: Completed pre-decoding.
>        full event: '"629" "26Feb2012" "23:59:21" "bond0.30" "CHCKPNT1"
> "Log" "Drop" "http" "4419" "192.168.1.15"
> "trafficconverter-sinkhole.sie.isc.org" "tcp" "106" "" "106-Standard"
> "" "service_id: http" "VPN-1 Power/UTM" "" ""'
>        hostname: 'ossecsrv'
>        program_name: '(null)'
>        log: '"629" "26Feb2012" "23:59:21" "bond0.30" "CHCKPNT1" "Log"
> "Drop" "http" "4419" "192.168.1.15"
> "trafficconverter-sinkhole.sie.isc.org" "tcp" "106" "" "106-Standard"
> "" "service_id: http" "VPN-1 Power/UTM" "" ""'
>
> **Phase 2: Completed decoding.
>        decoder: 'custom-checkpoint-fw'
>        action: 'Drop'
>        dstport: 'http'
>        srcip: '192.168.1.15'
>        dstip: 'trafficconverter-sinkhole.sie.isc.org'
>        proto: 'tcp'
>        extra_data: '106-Standard'
>
> **Rule debugging:
>     Trying rule: 1 - Generic template for all syslog rules.
>        *Rule 1 matched.
>        *Trying child rules.
>     Trying rule: 100100 - CheckPoint Firewall-1 rules grouped.
>        *Rule 100100 matched.
>        *Trying child rules.
>     Trying rule: 100101 - CheckPoint Firewall-1 action event.
>
> **Phase 3: Completed filtering (rules).
>        Rule id: '100100'
>        Level: '0'
>        Description: 'CheckPoint Firewall-1 rules grouped.'
>
> Or do I need to decode the log in the rules file too??
Ok, I have found the problem .. It is in my rules file. I have defined a var option like the one that appears in the syslog rules, and it seems it is wrong ... Thanks for your help.
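As an added illustration (not code from the thread or from OSSEC itself), the Python below approximates the quoted decoder chain and runs it over the two CheckPoint records posted above, so the fields a child rule such as 100101 would test (action, dstport, srcip, ...) can be checked offline before touching the rules file. It assumes the sample lines' "CHCKPNT1" as the fifth prematch field and maps OSSEC's regex classes onto Python equivalents.

```python
import re

# Python approximations of the OSSEC os_regex classes used by the thread's decoders
# (OSSEC's \w also admits '@', '-' and '_'; \S is any non-blank; \. is any character).
W, S, DOT = r'[A-Za-z0-9@_-]+', r'\S+', r'.+'

# Parent <prematch>: the five leading fields. The quoted sample lines carry "CHCKPNT1"
# as the fifth field, so that literal is assumed here (the posted prematch reads
# "FW-INT-CHCKPNT1").
PREMATCH = re.compile(rf'^"\d+" "\d+{W}" "\d+:\d+:\d+" "({S})" "CHCKPNT1"')

# Child <regex>/<order> pairs, all taken to start right after the parent match.
CHILDREN = [
    (re.compile(rf' "{W}" "({W})" "({S})" "{S}" "({S})" "({S})" "({W})" "{S}" "" "({S})"'),
     ['action', 'dstport', 'srcip', 'dstip', 'protocol', 'extra_data']),
    (re.compile(rf' "{W}" "({W})" "" "" "({S})" "({S})" "({W})" "" "" "" "" "({DOT})"'),
     ['action', 'srcip', 'dstip', 'protocol', 'extra_data']),
    (re.compile(rf' "{W}" "({W})" "{S}" "{S}" "({S})" "({S})" "({W})" "" "" "" "" "({DOT})"'),
     ['action', 'srcip', 'dstip', 'protocol', 'extra_data']),
]


def decode(line):
    """Emulate the decoder chain: parent prematch, then the first child regex that fits.
    Returns None when the parent does not match, otherwise a dict of the decoded
    fields (the names a rule would test, e.g. action for rule 100101)."""
    head = PREMATCH.match(line)
    if not head:
        return None
    fields = {'decoder': 'custom-checkpoint-fw', 'interface': head.group(1)}
    for regex, order in CHILDREN:
        child = regex.match(line, head.end())
        if child:
            fields.update(zip(order, child.groups()))
            break
    return fields


# Constructed copies of the two CheckPoint records quoted in the thread.
SAMPLE_UDP = ('"113" "26Feb2012" "23:59:04" "bond0.30" "CHCKPNT1" "Log" "Drop" '
              '"domain-udp" "47082" "192.168.1.7" "192.168.2.3" "udp" "82" "" '
              '"82-Standard" "" "inzone: Internal; outzone: Internal; service_id: '
              'domain-udp" "VPN-1 Power/UTM" "" ""')
SAMPLE_TCP = ('"629" "26Feb2012" "23:59:21" "bond0.30" "CHCKPNT1" "Log" "Drop" "http" '
              '"4419" "192.168.1.15" "trafficconverter-sinkhole.sie.isc.org" "tcp" "106" '
              '"" "106-Standard" "" "service_id: http" "VPN-1 Power/UTM" "" ""')

if __name__ == '__main__':
    for sample in (SAMPLE_UDP, SAMPLE_TCP):
        print(decode(sample))
```

Both samples decode with action 'Drop', matching the Phase 2 output quoted in the thread; a line that fails the parent prematch returns None, which is the case to suspect when a child rule keyed on a decoded field never fires.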