Hi Fredrik,

It is good progress. You can capture all events with:

<decoder name="Checkpoint-test">
  <prematch>^redirect \p|^prevent \p|^allow \p|^block \p|^mail System Alert|\S+ alert Protection Name:</prematch>
  <type>firewall</type>
</decoder>


I know... It is not very elegant, but it controls all your events. Also, 
you can add a tag at the beginning of the log (in the firewall settings or 
with *rsyslog*) and the decoder will be very easy:

Logs:
FredikFirewall Apr 15 12:23:16 > st4600fw01n1 alert Protection Name: TCP 
Urgent Data Enforcement; Severity: 0; Confidence Level: 0; protection_id: 
tcp_block_urg_bit_enable; SmartDefense Profile: Recommended_Protection; 
Performance Impact: 0; Protection Type: settings; rule: 20; rule_uid: {
3F67BCCB-8087-4974-95FA-F4A4FF466D49}; rule_name: #sample; Attack Info: TCP 
segment with urgent pointer (no data). Urgent data indication was stripped. 
Please refer to sk36869.; attack: Streaming Engine: TCP Urgent Data 
Enforcement; Total logs: 3; Suppressed logs: 2; proto: tcp; dst: 
104.16.65.50; src: 192.168.10.204; product: SmartDefense; service: https; 
s_port: 56814; FollowUp: Not Followed; product_family: Network;



Decoder:
<decoder name="Checkpoint-test">
  <prematch>^FredikFirewall </prematch>
  <type>firewall</type>
</decoder>


Regards,
Jesus Linares.



On Friday, April 15, 2016 at 3:47:17 PM UTC+2, Fredrik wrote:
>
> Hello Jesus!
>
>
> Story continues. Just wanted to let you know that I have been able, with 
> help, to unify ALL the messages for easier handling in OSSEC. Thing is now 
> that the hostname is extracted automagically (by OSSEC) from the message 
> and I guess can't be used for my prematch, or? Ossec-logtest will treat the 
> hostname as part of the header and start the 'Log:' section with e.g. 
>
> block <eth6 mail src: 10.46.7.196; dst: 37.157.4.16; protocol     ...
>
> How would you tackle this? Write a prematch with all operative words 
> (actions) that are used with the messages I'm interested in (e.g. 
> ^allow|^block|^prevent|^redirect)? In my scenario this shouldn't conflict 
> with other types of messages. I'm guessing that you Ossec-pros will have 
> options and better alternatives though ;) I would also like to match the 
> decoder regardless of which node in the firewall cluster is the source of 
> the event. The two possibilities are st4600fw01n1 and st4600fw01n2 .
>
> Here are more message samples:
>
> pr 15 14:41:53 st4600fw01n1 allow <eth6 mail src: 192.168.5.133; dst: 
> 216.131.91.92; proto: tcp; appi_name: ******; app_desc: ******; app_id: 
> 60461422; app_category: ******; matched_category: ******; app_properties: 
> ******; app_risk: ******; app_rule_id: ******; app_rule_name: ******; 
> web_client_type: Chrome; web_server_type: Apache; app_sig_id: 60461422:1; 
> resource: 
> http://strongvpn.com/difference_between_proxy_and_vpn.html?utm_source=adwords&utm_medium=sem&gclid=Cj0KEQjwosK4BRCYhsngx4_SybcBEiQAowaCJTFp6qNVmL7E-BhfeTkQouJTwpHN5v1wslK79jD62k4aAqBB8P8HAQ;
>  
> proxy_src_ip: 192.168.5.133; product: Application Control; service: http; 
> s_port: 59319; product_family: Network;
>
> Apr 15 14:21:37 st4600fw01n1 redirect <eth1 alert web_client_type: Chrome; 
> resource: 
> http://sc1.checkpoint.com/za/images/threatwiki/pages/TestAntiBotBlade.html; 
> src: 192.168.5.133; dst: 184.31.90.152; proto: tcp; session_id: 
> {0x5710dcd1,0x10002,0xc50d2e0a,0xc0000000}; Protection name: Check Point - 
> Testing Bot; malware_family: Check Point; Source OS: Windows; Confidence 
> Level: 5; severity: 2; malware_action: Communication with C&C site; 
> rule_uid: {9AF67731-0D35-4117-AF2B-9A47F9396D26}; Protection Type: URL 
> reputation; malware_rule_id: {000000CE-00A4-0046-9658-621EA5468654}; 
> protection_id: 00233CFEE; log_id: 2; proxy_src_ip: 192.168.5.133; scope: 
> 192.168.5.133; product: Anti Malware; service: http; s_port: 57878;
>
> Apr 15 05:35:51 st4600fw01n1 prevent <eth6 alert src: 82.221.102.34; dst: 
> 192.168.99.4; proto: tcp; session_id: 
> {0x57106197,0x10003,0xc50d2e0a,0xc0000001}; Protection name: 
> Trojan.Win32.HackerDefender.C; malware_family: HackerDefender; Source OS: 
> Solaris; Confidence Level: 5; severity: 4; malware_action: Malicious 
> network activity; rule_uid: {25157EEE-C09C-4FE0-A872-E0A1486526B8}; 
> rule_name: #extweb; Protection Type: protection; malware_rule_id: 
> {000000CE-00A4-0046-9658-621EA5468654}; protection_id: 000043FBC; log_id: 
> 2; scope: 192.168.99.4; product: Anti Malware; service: http; s_port: 49228;
>
> Apr 15 14:13:17 st4600fw01n1 block <eth6 mail src: 192.168.7.196; dst: 
> 37.157.2.24; proto: tcp; appi_name: ******; app_desc: ******; app_id: 
> 1875144601; app_category: ******; matched_category: ******; app_properties: 
> ******; app_risk: ******; app_rule_id: ******; app_rule_name: ******; 
> web_client_type: Chrome; web_server_type: Other: nginx; resource: 
> http://adx.adform.net/adx/?rp=3&pv=1&bWlkPTk3ODMyJmN0dXJsPWh0dHA6Ly9mdXNpb24uYm9ubmllcnRpZHNrcmlmdGVyLnNlL2V2ZW50L2ZsaXlmL2J0LmVrb25vbWkucGFmLnJvcy8xNDc3OTkyNzcvY2xpY2s_dXJsPQ&bWlkPTk3ODMxJmN0dXJsPWh0dHA6Ly9mdXNpb24uYm9ubmllcnRpZHNrcmlmdGVyLnNlL2V2ZW50L2V0YnN3L2J0LmVrb25vbWkucGFmLnJvcy8xNDc3OTkyNzAvY2xpY2s_dXJsPQ&bWlkPTk3ODI5JmN0dXJsPWh0dHA6Ly9mdXNpb24uYm9ubmllcnRpZHNrcmlmdGVyLnNlL2V2ZW50L3FmdWh5L2J0LmVrb25vbWkucGFmLnJvcy8xNDc3OTkyNTYvY2xpY2s_dXJsPQ&callback=_adform_cb_1460722287088_3438587873323349;
>  
> proxy_src_ip: 192.168.7.196; product: URL Filtering; service: http; s_port: 
> 51190; product_family: Network;
>
> Apr 15 11:16:05 st4600fw01n1 block <eth6 mail src: 192.168.8.67; dst: 
> 64.207.139.185; proto: tcp; appi_name: ******; app_desc: ******; app_id: 
> 3723664659; app_category: ******; matched_category: ******; app_properties: 
> ******; app_risk: ******; app_rule_id: ******; app_rule_name: ******; 
> web_client_type: Chrome; web_server_type: Apache; resource: 
> http://cdn.wibiya.com/Toolbars/dir_0650/Toolbar_650079/Loader_650079.js; 
> proxy_src_ip: 192.168.8.67; product: URL Filtering; service: http; s_port: 
> 61907; product_family: Network;
>
> The two outliers now are the messages below. Not quite sure how to handle 
> them, but two additional decoders seem required. At least I'm down to two 
> outliers and not a whole bunch of exceptions as previously :) :) What would 
> be your take on how to treat these two?
>
> Mar  7 13:07:53 sto-fwm03 mail System Alert message: A Firewall Policy has 
> been successfully installed on st4600fw01n1; Object: st4600fw01n1; Event: 
> Change; Parameter: policy_time; Condition: changes Mon Mar  7 13:03:42 
> 2016; Current value: Mon Mar  7 13:08:48 2016; product: Test Monitor; 
> product_family: Network;
>
> Apr 15 12:23:16 > st4600fw01n1 alert Protection Name: TCP Urgent Data 
> Enforcement; Severity: 0; Confidence Level: 0; protection_id: 
> tcp_block_urg_bit_enable; SmartDefense Profile: Recommended_Protection; 
> Performance Impact: 0; Protection Type: settings; rule: 20; rule_uid: 
> {3F67BCCB-8087-4974-95FA-F4A4FF466D49}; rule_name: #sample; Attack Info: 
> TCP segment with urgent pointer (no data). Urgent data indication was 
> stripped. Please refer to sk36869.; attack: Streaming Engine: TCP Urgent 
> Data Enforcement; Total logs: 3; Suppressed logs: 2; proto: tcp; dst: 
> 104.16.65.50; src: 192.168.10.204; product: SmartDefense; service: https; 
> s_port: 56814; FollowUp: Not Followed; product_family: Network;
>
> Best regards,
> Fredrik 
>
>
> On Friday, April 1, 2016 at 1:18:17 PM UTC+2, Jesus Linares wrote:
>
> Hi Fredrik,
>
> here is an example of decoding allow/block events (with the option 
> *after_regex*):
>
>
> <!--
> pattern:
> Mar 29 09:04:21 127.0.0.1 Mar 29 8:52:29 st4600fw01n1 Text
> -->
> <decoder name="Checkpoint-test">
>   <prematch>^\w\w\w \d+ \d+:\d+:\d+ \S+ </prematch>
>   <type>firewall</type>
> </decoder>
>
>
> <!--
> Mar 30 09:03:56 127.0.0.1 Mar 30 8:52:05 st4600fw01n1 allow <eth6 mail 
> src: 192.168.5.133; dst: 89.208.212.2; proto: tcp; bytes: 2396; sent_bytes: 
> 1180; received_bytes: 1216; app_id: 10063753; browse_time: ******; 
> Suppressed logs: 19; Referrer_self_uid: ******; product: Application 
> Control; service: http; s_port: 64136; product_family: Network;
> -->
> <decoder name="Checkpoint-block-allow">
>   <parent>Checkpoint-test</parent>
>   <prematch offset="after_parent">^block|^allow</prematch>
>   <regex offset="after_parent">(\w+) \S+ \S+ src: (\d+.\d+.\d+.\d+); dst: (\d+.\d+.\d+.\d+)</regex>
>   <order>action,srcip,dstip</order>
> </decoder>
>
>
> <!--
> Checkpoint-block-allow: extra fields: resource and product
> Mar 30 09:03:35 127.0.0.1 Mar 30 8:51:43 st4600fw01n1 allow <eth6 mail 
> src: 192.168.5.133; dst: 89.208.212.2; proto: tcp; appi_name: ******; 
> app_desc: ******; app_id: 10063753; app_category: ******; matched_category: 
> ******; app_properties: ******; app_risk: ******; app_rule_id: ******; 
> app_rule_name: ******; web_client_type: Chrome; web_server_type: 
> Microsoft-IIS; app_sig_id: 10063753:5; resource: 
> http://www.aliveproxy.com/; proxy_src_ip: 192.168.5.133; product: 
> Application Control; service: http; s_port: 64136; product_family: Network;
> -->
> <decoder name="Checkpoint-block-allow">
>   <parent>Checkpoint-test</parent>
>   <regex offset="after_regex">resource: (\S+); proxy_src_ip: \S+; product: (\.+); </regex>
>   <order>url, extra_data</order>
> </decoder>
>
>
> I recommend you configure all your checkpoint devices with the same log 
> format. If you can't, you could use *several parents*:
>
> <!--
> pattern:
> Mar 29 09:04:21 127.0.0.1 Mar 29 8:52:29 st4600fw01n1 Text
> -->
> <decoder name="Checkpoint-test">
>   <prematch>^\w\w\w \d+ \d+:\d+:\d+ \S+ </prematch>
>   <type>firewall</type>
> </decoder>
>
>
> <!--
> pattern:
> Mar 30 10:04:39 127.0.0.1 redirect <eth1 alert web_client_type: Chrome; 
> resource: 
> http://sc1.checkpoint.com/za/images/threatwiki/pages/TestAntiBotBlade.html; 
> src: 192.168.5.133; dst: 172.226.217.148; proto: tcp; session_id: 
> {0x56fb8896,0x10009,0xc50d2e0a,0xc0000001}; Protection name: Check Point - 
> Testing Bot; malware_family: Check Point; Source OS: Windows; Confidence 
> Level: 5; severity: 2; malware_action: Communication with C&C site; 
> rule_uid: {9AF67731-0D35-4117-AF2B-9A47F9396D26}; Protection Type: URL 
> reputation; malware_rule_id: {000000CE-00A4-0046-9658-621EA5468654}; 
> protection_id: 00233CFEE; log_id: 2; proxy_src_ip: 192.168.5.133; scope: 
> 192.168.5.133; product: Anti Malware; service: http; s_port: 49244;
>
>
> Mar 29 20:13:14 127.0.0.1 prevent <eth1 alert web_client_type: Microsoft 
> IE; resource: 
> http://www.bing.com/fd/ls/GLinkPing.aspx?IG=9A0044152B65437D93F87086B9E730D9&&ID=SERP,5118.1&url=http://sc1.checkpoint.com/z...;
>  
> src: 192.168.5.133; dst: 204.79.197.200; proto: tcp; session_id: 
> {0x56fac5ba,0x10004,0xc50d2e0a,0xc0000000}; Protection name: Check Point - 
> Testing Bot; malware_family: Check Point; Source OS: Windows; Confidence 
> Level: 5; severity: 2; malware_action: Communication with C&C site; 
> rule_uid: {9AF67731-0D35-4117-AF2B-9A47F9396D26}; Protection Type: URL 
> reputation; malware_rule_id: {000000CE-00A4-0046-9658-621EA5468654}; 
> protection_id: 00233CFEE; log_id: 2; proxy_src_ip: 192.168.5.133; scope: 
> 192.168.5.133; product: Anti Malware; service: http; s_port: 63119;
> -->
> <decoder name="Checkpoint-test">
>   <prematch>^redirect \p|^prevent \p</prematch>
>   <type>firewall</type>
> </decoder>
>
>
> <!--
> Mar 30 09:03:56 127.0.0.1 Mar 30 8:52:05 st4600fw01n1 allow <eth6 mail 
> src: 192.168.5.133; dst: 89.208.212.2; proto: tcp; bytes: 2396; sent_bytes: 
> 1180; received_bytes: 1216; app_id: 10063753; browse_time: ******; 
> Suppressed logs: 19; Referrer_self_uid: ******; product: Application 
> Control; service: http; s_port: 64136; product_family: Network;
> -->
> <decoder name="Checkpoint-block-allow">
>   <parent>Checkpoint-test</parent>
>   <prematch offset="after_parent">^block|^allow</prematch>
>   <regex offset="after_parent">(\w+) \S+ \S+ src: (\d+.\d+.\d+.\d+); dst: (\d+.\d+.\d+.\d+)</regex>
>   <order>action,srcip,dstip</order>
> </decoder>
>
>
> <!--
> Checkpoint-block-allow: extra fields: resource and product
> Mar 30 09:03:35 127.0.0.1 Mar 30 8:51:43 st4600fw01n1 allow <eth6 mail 
> src: 192.168.5.133; dst: 89.208.212.2; proto: tcp; appi_name: ******; 
> app_desc: ******; app_id: 10063753; app_category: ******; matched_category: 
> ******; app_properties: ******; app_risk: ******; app_rule_id: ******; 
> app_rule_name: ******; web_client_type: Chrome; web_server_type: 
> Microsoft-IIS; app_sig_id: 10063753:5; resource: 
> http://www.aliveproxy.com/; proxy_src_ip: 192.168.5.133; product: 
> Application Control; service: http; s_port: 64136; product_family: Network;
> -->
> <decoder name="Checkpoint-block-allow">
>   <parent>Checkpoint-test</parent>
>   <regex offset="after_regex">resource: (\S+); proxy_src_ip: \S+; product: (\.+); </regex>
>   <order>url, extra_data</order>
> </decoder>
>
>
> P.S. My name is Jesus, not Jose ;).
>
> Regards,
> Jesus Linares.
>
>
>
> On Wednesday, March 30, 2016 at 10:28:09 AM UTC+2, Fredrik wrote:
>
> Hi Jose,
>
>
> I got some help to sort out the different timestamps (format) and all log 
> types now use "Jan 27 09:41:01".  You asked about the firewall, this 
> particular one is a Checkpoint currently running version R77.20.
>
> The remaining question, that might be of interest to others on the path to 
> OSSEC mastery ;) ;) is how to handle messages with different "format" 
> coming from the same host. I have collected a bunch of messages that I 
> would like to be able to decode, but I'm not sure about the most efficient 
> way to build the parent/child decoder tree for this. 
>
> With the help received previously in this thread, I currently have the 
> following in my local_decoder and I'm experimenting with different additions 
> - none of which are working so far ;) 
>
> <decoder name="Checkpoint">
>   <prematch>^\w+ \d+ \d+:\d+:\d+ st4600fw01n\d</prematch>
>   <type>firewall</type>
> </decoder>
>
> <decoder name="Checkpoint-alert">
>   <parent>Checkpoint</parent>
>   <regex offset="after_parent">(\w+) \p\w+ \w+ src:\s(\d+.\d+.\d+.\d+);\sdst:\s(\d+.\d+.\d+.\d+)</regex>
>   <order>action,srcip,dstip</order>
> </decoder>
>
> <decoder name="Checkpoint-alert">
>   <parent>Checkpoint</parent>
>   <regex offset="after_regex">\.*resource: (\.*);\.*product: (\.*);</regex>
>   <order>url,extra_data</order>
> </decoder>
>
>
> Below is a collection of syslog messages received from the firewall where 
> the first section is currently decoded using the local_decoder above:
>
>
> Mar 29 10:09:40 127.0.0.1 Mar 29 9:57:49 st4600fw01n1 block <eth6 mail 
> src: 192.168.7.206; dst: 54.72.9.51; proto: tcp; bytes: 4962; sent_bytes: 
> 530; received_bytes: 4432; app_id: 3404393449; browse_time: ******; 
> Suppressed logs: 1; Referrer_self_uid: ******; product: URL Filtering; 
> service: http; s_port: 54693; product_family: Network;
>
> Mar 29 20:57:00, st4600fw01n1, allow <eth1 mail src: 192.168.5.133; dst: 
> 89.208.212.2; proto: tcp; appi_name: ******; app_desc: ******; app_id: 
> 10063753; app_category: ******; matched_category: ******; app_properties: 
> ******; app_risk: ******; app_rule_id: ******; app_rule_name: ******; 
> web_client_type: Microsoft IE; web_server_type: Microsoft-IIS; app_sig_id: 
> 10063753:5; resource: http://aliveproxy.com/; proxy_src_ip: 
> 192.168.5.133; product: Application Control; service: http; s_port: 63867; 
> product_family: Network;
>
> Mar 30 09:04:14 127.0.0.1 Mar 30 8:52:22 st4600fw01n1 allow <eth6 mail 
> src: 192.168.5.133; dst: 23.67.132.180; proto: tcp; appi_name: ******; 
> app_desc: ******; app_id: 10003219; app_category: ******; matched_category: 
> ******; app_properties: ******; app_risk: ******; app_rule_id: ******; 
> app_rule_name: ******; app_sig_id: 10003219:4; proxy_src_ip: 192.168.5.133; 
> product: Application Control; service: https; s_port: 64166; 
> product_family: Network;
>
> Mar 30 09:03:56 127.0.0.1 Mar 30 8:52:05 st4600fw01n1 allow <eth6 mail 
> src: 192.168.5.133; dst: 89.208.212.2; proto: tcp; bytes: 2396; sent_bytes: 
> 1180; received_bytes: 1216; app_id: 10063753; browse_time: ******; 
> Suppressed logs: 19; Referrer_self_uid: ******; product: Application 
> Control; service: http; s_port: 64136; product_family: Network;
>
> Mar 30 09:03:35 127.0.0.1 Mar 30 8:51:43 st4600fw01n1 allow <eth6 mail 
> src: 192.168.5.133; dst: 89.208.212.2; proto: tcp; appi_name: ******; 
> app_desc: ******; app_id: 10063753; app_category: ******; matched_category: 
> ******; app_properties: ******; app_risk: ******; app_rule_id: ******; 
> app_rule_name: ******; web_client_type: Chrome; web_server_type: 
> Microsoft-IIS; app_sig_id: 10063753:5; resource: 
> http://www.aliveproxy.com/; proxy_src_ip: 192.168.5.133; product: 
> Application Control; service: http; s_port: 64136; product_family: Network;
>
> Mar 29 09:04:21 127.0.0.1 Mar 29 8:52:29 st4600fw01n1 block <eth6 mail 
> src: 192.168.5.136; dst: 37.157.4.15; proto: tcp; appi_name: ******; 
> app_desc: ******; app_id: 1875144601; app_category: ******; 
> matched_category: ******; app_properties: ******; app_risk: ******; 
> app_rule_id: ******; app_rule_name: ******; web_client_type: Other: 
> Mozilla/5.0 (Windows NT 6.3; WOW64; Trident/7.0; Touch; rv:11.0) like 
> Gecko; web_server_type: Other: nginx; resource: 
> http://adx.adform.net/adx/?rp=3&pv=1&bWlkPTE1NzU3NiZybmQ9ODU1M2JjNGMtMmY2MC00YzVjLWFhMzAtYmY5NzZlNDllZDNk&callback=_adform_cb_1459234242747_7491414591872548;
>  
> proxy_src_ip: 192.168.5.136; product: URL Filtering; service: http; s_port: 
> 54051; product_family: Network;
>
> Mar 29 09:06:12 127.0.0.1 Mar 29 8:54:21 st4600fw01n1 block <eth6 mail 
> src: 192.168.6.157; dst: 37.157.4.15; proto: tcp; appi_name: ******; 
> app_desc: ******; app_id: 1875144601; app_category: ******; 
> matched_category: ******; app_properties: ******; app_risk: ******; 
> app_rule_id: ******; app_rule_name: ******; web_client_type: Other: 
> Mozilla/5.0 (Windows NT 6.3; WOW64; Trident/7.0; Touch; rv:11.0) like 
> Gecko; web_server_type: Other: nginx; resource: 
> http://adx.adform.net/adx/?rp=3&pv=1&bWlkPTk1NzI4&callback=_adform_cb_1459234355177_008705563130792681;
>  
> proxy_src_ip: 192.168.6.157; product: URL Filtering; service: http; s_port: 
> 51746; product_family: Network;
>
> Mar 29 08:37:54 127.0.0.1 Mar 29 8:26:03 st4600fw01n1 block <eth6 mail 
> src: 192.168.6.157; dst: 152.115.75.210; proto: tcp; appi_name: ******; 
> app_desc: ******; app_id: 1875144601; app_category: ******; 
> matched_category: ******; app_properties: ******; app_risk: ******; 
> app_rule_id: ******; app_rule_name: ******; web_client_type: Other: 
> Mozilla/5.0 (Windows NT 6.3; WOW64; Trident/7.0; Touch; rv:11.0) like 
> Gecko; web_server_type: Other: nginx; resource: 
> http://adx.adform.net/adx/?rp=3&pv=1&bWlkPTk3ODMyJmN0dXJsPWh0dHA6Ly9mdXNpb24uYm9ubmllcnRpZHNrcmlmdGVyLnNlL2V2ZW50L3VlZXVqL2J0LmVrb25vbWkucGFmLnJvcy8xNDc3OTkyNzcvY2xpY2s_dXJsPQ&bWlkPTk3ODMxJmN0dXJsPWh0dHA6Ly9mdXNpb24uYm9ubmllcnRpZHNrcmlmdGVyLnNlL2V2ZW50L3lydmd2L2J0LmVrb25vbWkucGFmLnJvcy8xNDc3OTkyNzAvY2xpY2s_dXJsPQ&callback=_adform_cb_1459232656248_7681010355476278;
>  
> proxy_src_ip: 192.168.6.157; product: URL Filtering; service: http; s_port: 
> 51104; product_family: Network;
>
> Mar 29 08:35:17 127.0.0.1 Mar 29 8:23:24 st4600fw01n1 block <eth6 mail 
> src: 192.168.6.157; dst: 152.115.75.199; proto: tcp; appi_name: ******; 
> app_desc: ******; app_id: 1875144601; app_category: ******; 
> matched_category: ******; app_properties: ******; app_risk: ******; 
> app_rule_id: ******; app_rule_name: ******; web_client_type: Other: 
> Mozilla/5.0 (Windows NT 6.3; WOW64; Trident/7.0; Touch; rv:11.0) like 
> Gecko; web_server_type: Other: nginx; resource: 
> http://adx.adform.net/adx/?rp=3&pv=1&bWlkPTk1NzMw&callback=_adform_cb_1459232497393_6046677836175733;
>  
> proxy_src_ip: 192.168.6.157; product: URL Filtering; service: http; s_port: 
> 50904; product_family: Network;
>
>
>
>
> Mar 30 10:04:39 127.0.0.1 redirect <eth1 alert web_client_type: Chrome; 
> resource: 
> http://sc1.checkpoint.com/za/images/threatwiki/pages/TestAntiBotBlade.html; 
> src: 192.168.5.133; dst: 172.226.217.148; proto: tcp; session_id: 
> {0x56fb8896,0x10009,0xc50d2e0a,0xc0000001}; Protection name: Check Point - 
> Testing Bot; malware_family: Check Point; Source OS: Windows; Confidence 
> Level: 5; severity: 2; malware_action: Communication with C&C site; 
> rule_uid: {9AF67731-0D35-4117-AF2B-9A47F9396D26}; Protection Type: URL 
> reputation; malware_rule_id: {000000CE-00A4-0046-9658-621EA5468654}; 
> protection_id: 00233CFEE; log_id: 2; proxy_src_ip: 192.168.5.133; scope: 
> 192.168.5.133; product: Anti Malware; service: http; s_port: 49244;
>
> Mar 29 20:13:14 127.0.0.1 prevent <eth1 alert web_client_type: Microsoft 
> IE; resource: 
> http://www.bing.com/fd/ls/GLinkPing.aspx?IG=9A0044152B65437D93F87086B9E730D9&&ID=SERP,5118.1&url=http://sc1.checkpoint.com/z...;
>  
> src: 192.168.5.133; dst: 204.79.197.200; proto: tcp; session_id: 
> {0x56fac5ba,0x10004,0xc50d2e0a,0xc0000000}; Protection name: Check Point - 
> Testing Bot; malware_family: Check Point; Source OS: Windows; Confidence 
> Level: 5; severity: 2; malware_action: Communication with C&C site; 
> rule_uid: {9AF67731-0D35-4117-AF2B-9A47F9396D26}; Protection Type: URL 
> reputation; malware_rule_id: {000000CE-00A4-0046-9658-621EA5468654}; 
> protection_id: 00233CFEE; log_id: 2; proxy_src_ip: 192.168.5.133; scope: 
> 192.168.5.133; product: Anti Malware; service: http; s_port: 63119;
>
> Mar 30 9:04:59, st4600fw01n1, allow <eth6 mail src: 192.168.5.133; dst: 
> 207.244.85.73; proto: tcp; appi_name: ******; app_desc: ******; app_id
> : 10064017; app_category: ******; matched_category: ******; 
> app_properties: ******; app_risk: 
>
> ...
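
The combined prematch Jesus proposes at the top of the thread, together with the
field extraction the parent/child decoders further down attempt, as an added
Python example that is not code from the thread or from OSSEC. It mimics what
ossec-analysisd does before a decoder sees the line (strip the "Mon DD HH:MM:SS
hostname" header), runs one prematch over the five message shapes Fredrik posted
(allow/block/prevent/redirect traffic, the "mail System Alert" line, and the
"> host alert Protection Name:" SmartDefense line), and then pulls the "key:
value;" pairs. The header regex, the Python rendering of the OSSEC prematch
(OSSEC's \p rendered as the literal "<" before the interface name), the
cluster-node pattern and the sample lines are assumptions of this example; the
sample lines are constructed, shortened copies of the ones above with the URLs
replaced. ossec-logtest remains the authoritative check for a real decoder.

```python
import re

# Constructed sample lines, modelled on the Check Point syslog messages posted in
# the thread (shortened; URLs replaced by example.test). Not real traffic.
SAMPLE_LOGS = [
    "Apr 15 14:41:53 st4600fw01n1 allow <eth6 mail src: 192.168.5.133; dst: 216.131.91.92; "
    "proto: tcp; web_client_type: Chrome; web_server_type: Apache; "
    "resource: http://example.test/page.html?a=1&b=2; proxy_src_ip: 192.168.5.133; "
    "product: Application Control; service: http; s_port: 59319; product_family: Network;",
    "Apr 15 14:13:17 st4600fw01n2 block <eth6 mail src: 192.168.7.196; dst: 37.157.2.24; "
    "proto: tcp; web_server_type: Other: nginx; resource: http://example.test/adx/?rp=3&pv=1; "
    "proxy_src_ip: 192.168.7.196; product: URL Filtering; service: http; s_port: 51190;",
    "Apr 15 05:35:51 st4600fw01n1 prevent <eth6 alert src: 82.221.102.34; dst: 192.168.99.4; "
    "proto: tcp; Protection name: Trojan.Win32.HackerDefender.C; Confidence Level: 5; "
    "severity: 4; product: Anti Malware; service: http; s_port: 49228;",
    "Mar  7 13:07:53 sto-fwm03 mail System Alert message: A Firewall Policy has been "
    "successfully installed on st4600fw01n1; Object: st4600fw01n1; Event: Change; "
    "product: Test Monitor; product_family: Network;",
    "Apr 15 12:23:16 > st4600fw01n1 alert Protection Name: TCP Urgent Data Enforcement; "
    "Severity: 0; Confidence Level: 0; proto: tcp; dst: 104.16.65.50; src: 192.168.10.204; "
    "product: SmartDefense; service: https; s_port: 56814; product_family: Network;",
    # A line no Check Point decoder should claim, to show the prematch rejecting it.
    "Apr 15 12:00:00 st4600fw01n1 sshd[123]: Accepted publickey for admin from 192.168.1.5",
]

# Approximation (assumed here) of the syslog header ossec-analysisd strips before
# decoders run: "Mon DD HH:MM:SS hostname ". For the SmartDefense line the token
# after the time is ">", so ">" is taken as the hostname and the real node name
# becomes the first word of the log body.
SYSLOG_HEADER = re.compile(
    r"^[A-Z][a-z]{2} {1,2}\d{1,2} \d{1,2}:\d{2}:\d{2} (?P<host>\S+) (?P<rest>.*)$"
)

# Python rendering of the combined OSSEC prematch from the thread:
#   ^redirect \p|^prevent \p|^allow \p|^block \p|^mail System Alert|\S+ alert Protection Name:
# OSSEC's \p (punctuation) is the "<" that precedes the interface name.
PREMATCH = re.compile(
    r"^(?:(?P<action>redirect|prevent|allow|block) <(?P<iface>\w+) (?P<kind>\w+) "
    r"|mail System Alert "
    r"|(?P<node>\S+) alert (?=Protection Name:))"
)

# Both cluster members named in the thread, st4600fw01n1 and st4600fw01n2.
CLUSTER_NODE = re.compile(r"st4600fw01n\d")


def split_syslog(line):
    """Return (hostname, log body) the way OSSEC's header parsing would."""
    m = SYSLOG_HEADER.match(line)
    if not m:
        return None, line
    return m.group("host"), m.group("rest")


def parse_kv(body):
    """Parse Check Point's 'key: value; key: value;' payload into a dict.

    Splitting on '; ' first and then on the first ': ' keeps values that
    themselves contain a colon, e.g. 'web_server_type: Other: nginx'.
    """
    fields = {}
    for item in body.split("; "):
        item = item.strip().rstrip(";")
        key, sep, value = item.partition(": ")
        if sep:
            fields[key] = value
    return fields


def decode(line):
    """Decode one raw syslog line; return None when the prematch does not fire."""
    host, body = split_syslog(line)
    m = PREMATCH.match(body)
    if not m:
        return None
    event = {"hostname": host}
    if m.group("action"):
        event.update(category="traffic", action=m.group("action"),
                     iface=m.group("iface"), kind=m.group("kind"))
    elif m.group("node"):
        # Header parsing swallowed ">" as the host; recover the real node name.
        event.update(category="smartdefense", hostname=m.group("node"))
    else:
        event["category"] = "system_alert"
    fields = parse_kv(body[m.end():])
    event.update(
        srcip=fields.get("src"), dstip=fields.get("dst"),
        url=fields.get("resource"), product=fields.get("product"),
        cluster_member=bool(CLUSTER_NODE.fullmatch(event["hostname"] or "")),
        fields=fields,
    )
    return event


def decode_all(lines):
    return [decode(line) for line in lines]


if __name__ == "__main__":
    for ev in decode_all(SAMPLE_LOGS):
        print(ev and {k: v for k, v in ev.items() if k != "fields"})
```

The split-then-partition approach in parse_kv is the detail worth carrying over
to a decoder regex: the URL in "resource:" can contain "&", "=" and ":" but never
"; ", so "resource: (\S+);" as used in the after_regex child above is safe, while
anything that stops at the first ":" would truncate "Other: nginx".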
