Thanks Dan.  I have it mostly working, but maybe you could clarify a point or 2 
for me.

A couple of typical log entries look like:

Jan 15 19:58:43 wc20399 kernel: Firewall: *TCP_IN Blocked* IN=eth0 OUT= MAC=e8:39:35:4d:d6:2d:00:01:e8:8b:14:e9:08:00 SRC=x.x.x.x DST=x.x.x.x LEN=60 TOS=0x00 PREC=0x20 TTL=40 ID=19542 DF PROTO=TCP SPT=52340 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0

Jan 15 19:42:00 wc20399 kernel: Firewall: *Port Flood* IN=eth0 OUT= MAC=e8:39:35:4d:d6:2d:00:01:e8:8b:14:e9:08:00 SRC=x.x.x.x DST=x.x.x.x LEN=48 TOS=0x00 PREC=0x00 TTL=237 ID=924 DF PROTO=TCP SPT=23581 DPT=80 WINDOW=24848 RES=0x00 SYN URGP=0


I copied the shorewall decoders and made a couple changes:

<decoder name="iptables-csf">
   <parent>iptables</parent>
   <type>firewall</type>
   <prematch>^Firewall: </prematch>

   <regex offset="after_prematch">^*\S+ (\S+)* \.+ SRC=(\S+) DST=(\S+) \.+ </regex>
   <regex>PROTO=(\w+) </regex>
   <order>action,srcip,dstip,protocol</order>
</decoder>

<decoder name="iptables-csf">
   <parent>iptables</parent>
   <type>firewall</type>
   <regex offset="after_regex">^SPT=(\d+) DPT=(\d+) </regex>
   <order>srcport,dstport</order>
</decoder>

This makes the "action" = "Blocked" or "Flood".

Then I overwrote rule 4101:
  <rule id="4101" level="5" overwrite="yes">
      <if_sid>4100</if_sid>
      <action>Blocked</action>
      <options>no_log</options>
      <description>Firewall drop event.</description>
      <group>firewall_drop,</group>
  </rule>


What I'm still wondering, though, is whether it is possible to test for multiple 
"actions" (either "Blocked" OR "Flood")... to be used in:

  <rule id="4151" level="10" frequency="16" timeframe="45" ignore="240">
    <if_matched_sid>4101</if_matched_sid>
    <same_source_ip />
    <description>Multiple Firewall drop events from same source.</description>
    <group>multiple_drops,</group>
  </rule>

Thanks again!

----- Original Message -----
From: "dan (ddp)" <ddp...@gmail.com>
To: ossec-list@googlegroups.com
Sent: Tuesday, January 15, 2013 9:54:30 AM
Subject: Re: [ossec-list] csf firewall


On Mon, Jan 14, 2013 at 4:22 PM, Chris Warren
<chris.war...@netelligent.ca> wrote:
> Hi all,
> Has anyone set up a decoder for csf firewall logs?  They are pretty similar 
> to the shorewall logs, but with a few differences.  I'm not great with 
> regexes and whatnot, so I haven't been able to decode the "action".
>
> Any help appreciated.
>
> Chris

If you provide samples I can help.
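As an added illustration (not part of the thread and not OSSEC code), the following Python models what the decoder and rules above do: it extracts the same fields the csf decoder captures (action, srcip, dstip, protocol, srcport, dstport) from constructed csf log lines, treats either "Blocked" or "Flood" as a drop event the way rule 4101 is meant to, and applies a simplified version of rule 4151's frequency/timeframe check per source IP. The regex is Python syntax, not OSSEC's os_regex; the sample lines are constructed from the format shown in the thread with placeholder addresses; and the frequency counting is a simplification, not OSSEC's exact semantics.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Python equivalent of the csf decoder in the thread: prematch "Firewall: ",
# then action/srcip/dstip/protocol (first regex) and srcport/dstport (child).
CSF_LINE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) kernel: Firewall: "
    r"\*\S+ (?P<action>\S+)\* .*?SRC=(?P<srcip>\S+) DST=(?P<dstip>\S+) .*?"
    r"PROTO=(?P<protocol>\w+) SPT=(?P<srcport>\d+) DPT=(?P<dstport>\d+) "
)


def decode(line):
    """Return the decoded fields for one csf firewall line, or None otherwise."""
    m = CSF_LINE.match(line)
    if not m:
        return None
    fields = m.groupdict()
    fields["srcport"] = int(fields["srcport"])
    fields["dstport"] = int(fields["dstport"])
    return fields


# Rule 4101, widened so that either action counts as a firewall drop event.
DROP_ACTIONS = {"Blocked", "Flood"}


def is_drop(fields):
    return fields is not None and fields["action"] in DROP_ACTIONS


def _to_seconds(ts):
    # Syslog timestamps carry no year; any fixed year works for a timeframe check.
    dt = datetime.strptime("2013 " + ts, "%Y %b %d %H:%M:%S")
    return (dt - datetime(2013, 1, 1)).total_seconds()


def correlate(lines, frequency=16, timeframe=45):
    """Simplified rule 4151: alert when `frequency` drop events from the same
    source fall within `timeframe` seconds. Returns a list of (srcip, ts)."""
    windows = defaultdict(deque)
    alerts = []
    for line in lines:
        f = decode(line)
        if not is_drop(f):
            continue
        t = _to_seconds(f["ts"])
        w = windows[f["srcip"]]
        w.append(t)
        while w and t - w[0] > timeframe:   # drop events older than the timeframe
            w.popleft()
        if len(w) >= frequency:
            alerts.append((f["srcip"], f["ts"]))
            w.clear()                       # start counting afresh after an alert
    return alerts


def _sample_line(ts, action_tag, src, spt):
    # Constructed line in the csf format from the thread; addresses are placeholders.
    return (f"Jan 15 {ts} wc20399 kernel: Firewall: {action_tag} IN=eth0 OUT= "
            f"MAC=e8:39:35:4d:d6:2d:00:01:e8:8b:14:e9:08:00 SRC={src} DST=192.0.2.10 "
            f"LEN=60 TOS=0x00 PREC=0x20 TTL=40 ID=19542 DF PROTO=TCP SPT={spt} DPT=80 "
            f"WINDOW=5840 RES=0x00 SYN URGP=0")


# Constructed sample: 20 drops (alternating Blocked/Flood) from one source over
# 40 seconds, one drop from another source, and one unrelated sshd line.
SAMPLE_LINES = [
    _sample_line(f"19:58:{s:02d}",
                 "*TCP_IN Blocked*" if i % 2 == 0 else "*Port Flood*",
                 "198.51.100.7", 52340 + i)
    for i, s in enumerate(range(0, 40, 2))
] + [
    _sample_line("19:58:05", "*TCP_IN Blocked*", "203.0.113.9", 40000),
    "Jan 15 19:58:07 wc20399 sshd[123]: Accepted publickey for ops from 203.0.113.9",
]

if __name__ == "__main__":
    for line in SAMPLE_LINES[:2]:
        print(decode(line))
    print(correlate(SAMPLE_LINES))
```

Run as a script it prints the decoded fields of the first two sample lines and the single alert the 16th drop from 198.51.100.7 produces; the sshd line decodes to `None` and is ignored, and the lone drop from 203.0.113.9 never reaches the frequency.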
