Thanks Dan. I have it mostly working, but maybe you could clarify a point or 2 for me.
A couple of typical log entries look like:

Jan 15 19:58:43 wc20399 kernel: Firewall: *TCP_IN Blocked* IN=eth0 OUT= MAC=e8:39:35:4d:d6:2d:00:01:e8:8b:14:e9:08:00 SRC=x.x.x.x DST=x.x.x.x LEN=60 TOS=0x00 PREC=0x20 TTL=40 ID=19542 DF PROTO=TCP SPT=52340 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0
Jan 15 19:42:00 wc20399 kernel: Firewall: *Port Flood* IN=eth0 OUT= MAC=e8:39:35:4d:d6:2d:00:01:e8:8b:14:e9:08:00 SRC=x.x.x.x DST=x.x.x.x LEN=48 TOS=0x00 PREC=0x00 TTL=237 ID=924 DF PROTO=TCP SPT=23581 DPT=80 WINDOW=24848 RES=0x00 SYN URGP=0

I copied the shorewall decoders and made a couple of changes:

<decoder name="iptables-csf">
  <parent>iptables</parent>
  <type>firewall</type>
  <prematch>^Firewall: </prematch>
  <regex offset="after_prematch">^*\S+ (\S+)* \.+ SRC=(\S+) DST=(\S+) \.+ </regex>
  <regex>PROTO=(\w+) </regex>
  <order>action,srcip,dstip,protocol</order>
</decoder>

<decoder name="iptables-csf">
  <parent>iptables</parent>
  <type>firewall</type>
  <regex offset="after_regex">^SPT=(\d+) DPT=(\d+) </regex>
  <order>srcport,dstport</order>
</decoder>

This makes the "action" = "Blocked" or "Flood". Then I overwrote rule 4101:

<rule id="4101" level="5" overwrite="yes">
  <if_sid>4100</if_sid>
  <action>Blocked</action>
  <options>no_log</options>
  <description>Firewall drop event.</description>
  <group>firewall_drop,</group>
</rule>

What I'm still wondering, though, is if it is possible to test for multiple "actions" (either "Blocked" OR "Flood")... to be used in:

<rule id="4151" level="10" frequency="16" timeframe="45" ignore="240">
  <if_matched_sid>4101</if_matched_sid>
  <same_source_ip />
  <description>Multiple Firewall drop events from same source.</description>
  <group>multiple_drops,</group>
</rule>

Thanks again!
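As an added illustration (example code written for this page, not from the thread or from OSSEC), the script below decodes both sample line types into the same fields the decoders above extract, counts "Blocked" and "Flood" alike, and emulates the frequency/timeframe threshold of rule 4151 in Python. The IP addresses, the year and the make_line() helper are constructed for the demonstration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Same fields as the two decoders in the post: action (the word before the
# closing asterisk), srcip, dstip, protocol, srcport, dstport.
CSF_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ kernel: Firewall: "
    r"\*\S+ (?P<action>\S+)\* .*?SRC=(?P<srcip>\S+) DST=(?P<dstip>\S+) "
    r".*?PROTO=(?P<protocol>\w+) SPT=(?P<srcport>\d+) DPT=(?P<dstport>\d+)"
)
ACTIONS = {"Blocked", "Flood"}  # both count as a drop for the threshold

def decode(line, year=2013):
    """Return the decoded fields, or None if the line is not a csf drop."""
    m = CSF_RE.match(line)
    if not m or m.group("action") not in ACTIONS:
        return None
    ev = m.groupdict()
    # syslog timestamps carry no year; 2013 is assumed for the samples
    ev["ts"] = datetime.strptime(f"{year} {ev['ts']}", "%Y %b %d %H:%M:%S")
    return ev

def correlate(lines, frequency=16, timeframe=45):
    """Emulate rule 4151: fire once when `frequency` decoded events from the
    same SRC fall within `timeframe` seconds. Returns the alerting IPs."""
    recent = defaultdict(deque)
    alerts = []
    for line in lines:
        ev = decode(line)
        if ev is None:
            continue
        q = recent[ev["srcip"]]
        q.append(ev["ts"])
        while (ev["ts"] - q[0]).total_seconds() > timeframe:
            q.popleft()  # drop events that fell out of the window
        if len(q) >= frequency:
            alerts.append(ev["srcip"])
            q.clear()  # OSSEC would now honour ignore="240" for this source
    return alerts

def make_line(ts, action, src, kind="TCP_IN"):
    """Build a line in the format of the samples (constructed test data)."""
    return (f"{ts} wc20399 kernel: Firewall: *{kind} {action}* IN=eth0 OUT= "
            f"MAC=e8:39:35:4d:d6:2d:00:01:e8:8b:14:e9:08:00 SRC={src} "
            f"DST=198.51.100.7 LEN=60 TOS=0x00 PREC=0x20 TTL=40 ID=19542 DF "
            f"PROTO=TCP SPT=52340 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0")
```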
----- Original Message -----
From: "dan (ddp)" <ddp...@gmail.com>
To: ossec-list@googlegroups.com
Sent: Tuesday, January 15, 2013 9:54:30 AM
Subject: Re: [ossec-list] csf firewall

On Mon, Jan 14, 2013 at 4:22 PM, Chris Warren <chris.war...@netelligent.ca> wrote:
> Hi all,
> Has anyone set up a decoder for csf firewall logs? They are pretty similar
> to the shorewall logs, but with a few differences. I'm not great with the
> regex's and whatnot, so I haven't been able to decode the "action".
>
> Any help appreciated.
>
> Chris

If you provide samples I can help.