Hello Dan,

Thank you very much for your help.

I have a problem with the following decoder and sample. It generates a
segfault in ossec-logtest:

<!--
Dec  2 14:37:42 192.168.10.1 id=firewall time="2016-12-02 14:37:41" fw="FW1" tz=+0000 startime="2016-12-02 14:37:40" pri=5 confid=01 slotlevel=2 ruleid=1 srcif="Ethernet2" srcifname="port2" ipproto=tcp proto=ssh src=192.168.10.2 srcport=33659 srcportname=ephemeral_fw_tcp srcname=Routeur dst=192.168.10.1 dstport=22 dstportname=ssh dstname=FW action=pass logtype="filter"#015
-->

<decoder name="netasq-filter">
  <parent>netasq</parent>
  <prematch>logtype="filter"</prematch>
  <regex>^id=(\S+) time=\.+ fw="(\w+)" \.+ srcifname="(\w+)" ipproto=(\S+) proto=(\S+) src=(\S+) srcport=(\d+) \.+ dst=(\S+) dstport=(\d+) \.+ action=(\S+)</regex>
  <order>id, extra_data, extra_data, protocol, protocol, srcip, srcport, dstip, dstport, action</order>
</decoder>

The segfault appears before the display of dstport.
For the 'action' item, I can't display it either.

Any ideas?



2016-12-07 13:06 GMT+01:00 dan (ddp) <ddp...@gmail.com>:
> On Wed, Dec 7, 2016 at 5:26 AM, 1kn0 <mille...@gmail.com> wrote:
>> Greetings,
>>
>> I'm new to OSSEC and I didn't find an answer to my problem on the list.
>> I have appliance firewalls (netasq and stormshield) on a network. These
>> firewalls export their logs to the computer where OSSEC is installed.
>>
>> For testing:
>>
>> I connect to the administration pages of the firewall with an invalid
>> user/password.
>>>
>>> Dec  2 15:42:29 192.168.10.1 id=firewall time="2016-12-02 15:42:28" fw="FW1" tz=+0000 startime="2016-12-02 15:42:28" user="admin" src=192.168.10.2 ruleid=0 method="PLAIN" error=4 msg="Authentication request invalid" logtype="auth"#015
>>
>>
>> I connect to the firewall with SSH
>>>
>>> Dec  2 14:37:42 192.168.10.1 id=firewall time="2016-12-02 14:37:41" fw="FW1" tz=+0000 startime="2016-12-02 14:37:40" pri=5 confid=01 slotlevel=2 ruleid=1 srcif="Ethernet2" srcifname="port2" ipproto=tcp proto=ssh src=192.168.10.2 srcport=33659 srcportname=ephemeral_fw_tcp srcname=Routeur dst=192.168.10.1 dstport=22 dstportname=ssh dstname=FW action=pass logtype="filter"#015
>>
>>
>>
>> Are there decoders and rules for these firewalls?
>> How do I configure decoders/rules to analyze all events reported by the
>> firewalls?
>>
>
> I don't believe there are decoders or rules for this firewall (never
> heard of it actually).
> Running the samples provided through ossec-logtest, I get the following 
> output:
> **Phase 1: Completed pre-decoding.
>        full event: 'Dec  2 15:42:29 192.168.10.1 id=firewall
> time="2016-12-02 15:42:28" fw="FW1" tz=+0000 startime="2016-12-02
> 15:42:28" user="admin" src=192.168.10.2 ruleid=0 method="PLAIN"
> error=4 msg="Authentication request invalid" logtype="auth"#015'
>        hostname: '192.168.10.1'
>        program_name: '(null)'
>        log: 'id=firewall time="2016-12-02 15:42:28" fw="FW1" tz=+0000
> startime="2016-12-02 15:42:28" user="admin" src=192.168.10.2 ruleid=0
> method="PLAIN" error=4 msg="Authentication request invalid"
> logtype="auth"#015'
>
> **Phase 2: Completed decoding.
>        No decoder matched.
>
> **Phase 3: Completed filtering (rules).
>        Rule id: '1002'
>        Level: '2'
>        Description: 'Unknown problem somewhere in the system.'
> **Alert to be generated.
>
>
> **Phase 1: Completed pre-decoding.
>        full event: 'Dec  2 14:37:42 192.168.10.1 id=firewall
> time="2016-12-02 14:37:41" fw="FW1" tz=+0000 startime="2016-12-02
> 14:37:40" pri=5 confid=01 slotlevel=2 ruleid=1 srcif="Ethernet2"
> srcifname="port2" ipproto=tcp proto=ssh src=192.168.10.2 srcport=33659
> srcportname=ephemeral_fw_tcp srcname=Routeur dst=192.168.10.1
> dstport=22 dstportname=ssh dstname=FW action=pass
> logtype="filter"#015'
>        hostname: '192.168.10.1'
>        program_name: '(null)'
>        log: 'id=firewall time="2016-12-02 14:37:41" fw="FW1" tz=+0000
> startime="2016-12-02 14:37:40" pri=5 confid=01 slotlevel=2 ruleid=1
> srcif="Ethernet2" srcifname="port2" ipproto=tcp proto=ssh
> src=192.168.10.2 srcport=33659 srcportname=ephemeral_fw_tcp
> srcname=Routeur dst=192.168.10.1 dstport=22 dstportname=ssh dstname=FW
> action=pass logtype="filter"#015'
>
> **Phase 2: Completed decoding.
>        No decoder matched.
>
>
> Adding the following decoder to local_decoder.xml gives us "decoder:
> 'netasq'" (although this is untested against other logs to make sure
> there are no conflicts):
> <decoder name="netasq">
>   <prematch>^id=</prematch>
> </decoder>
>
>
> These decoders flesh it out a bit:
> <decoder name="netasq-log">
>   <parent>netasq</parent>
>   <prematch>logtype="auth"</prematch>
>   <regex>^id=(\S+) time=\.+ fw="(\w+)" \.+ user="(\S+)" src=(\S+) \.+ logtype="auth"</regex>
>   <order>id, extra_data, user, srcip</order>
> </decoder>
>
> <decoder name="netasq-fw">
>   <parent>netasq</parent>
>   <prematch> logtype="filter"</prematch>
>   <regex>^id=(\S+) time=\.+ fw="(\w+)" \.+ ipproto=(\S+) proto=(\S+) src=(\S+) srcport=(\d+) \.+ dst=(\S+) dstport=(\d+) \.+ action=(\S+)</regex>
>   <order>id, extra_data, protocol, protocol, srcip, srcport, dstip, dstport, action</order>
> </decoder>
>
> **Phase 1: Completed pre-decoding.
>        full event: 'Dec  2 15:42:29 192.168.10.1 id=firewall
> time="2016-12-02 15:42:28" fw="FW1" tz=+0000 startime="2016-12-02
> 15:42:28" user="admin" src=192.168.10.2 ruleid=0 method="PLAIN"
> error=4 msg="Authentication request invalid" logtype="auth"#015'
>        hostname: '192.168.10.1'
>        program_name: '(null)'
>        log: 'id=firewall time="2016-12-02 15:42:28" fw="FW1" tz=+0000
> startime="2016-12-02 15:42:28" user="admin" src=192.168.10.2 ruleid=0
> method="PLAIN" error=4 msg="Authentication request invalid"
> logtype="auth"#015'
>
> **Phase 2: Completed decoding.
>        decoder: 'netasq'
>        id: 'firewall'
>        extra_data: 'FW1'
>        dstuser: 'admin'
>        srcip: '192.168.10.2'
>
>
> **Phase 1: Completed pre-decoding.
>        full event: 'Dec  2 14:37:42 192.168.10.1 id=firewall
> time="2016-12-02 14:37:41" fw="FW1" tz=+0000 startime="2016-12-02
> 14:37:40" pri=5 confid=01 slotlevel=2 ruleid=1 srcif="Ethernet2"
> srcifname="port2" ipproto=tcp proto=ssh src=192.168.10.2 srcport=33659
> srcportname=ephemeral_fw_tcp srcname=Routeur dst=192.168.10.1
> dstport=22 dstportname=ssh dstname=FW action=pass
> logtype="filter"#015'
>        hostname: '192.168.10.1'
>        program_name: '(null)'
>        log: 'id=firewall time="2016-12-02 14:37:41" fw="FW1" tz=+0000
> startime="2016-12-02 14:37:40" pri=5 confid=01 slotlevel=2 ruleid=1
> srcif="Ethernet2" srcifname="port2" ipproto=tcp proto=ssh
> src=192.168.10.2 srcport=33659 srcportname=ephemeral_fw_tcp
> srcname=Routeur dst=192.168.10.1 dstport=22 dstportname=ssh dstname=FW
> action=pass logtype="filter"#015'
>
> **Phase 2: Completed decoding.
>        decoder: 'netasq'
>        id: 'firewall'
>        extra_data: 'FW1'
>        proto: 'tcp'
>        proto: 'ssh'
>        srcip: '192.168.10.2'
>        srcport: '33659'
>        dstip: '192.168.10.1'
>        dstport: '22'
>
>
> I'm not sure why action isn't showing up in that second one off hand,
> but I've fiddled with it enough for now.
> Any rules you create based on these decoders should reference
> <decoded_as>netasq</decoded_as>.
>
>
>
>> Thanks in advance for your help.
>>
>> --
>>
>> ---
>> You received this message because you are subscribed to the Google Groups
>> "ossec-list" group.
>> To unsubscribe from this group and stop receiving emails from it, send an
>> email to ossec-list+unsubscr...@googlegroups.com.
>> For more options, visit https://groups.google.com/d/optout.
>

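As an added example (not code from this thread, from OSSEC or from the firewall vendor), here is a small Python parser for these key=value syslog lines. It does what the decoders above attempt, but in a form that can be run offline to see which fields an event actually carries before writing the <regex>/<order> pair: it strips the "#015" that rsyslog substitutes for the carriage return the firewall appends (octal 015 is \r), it keeps double-quoted values with spaces whole (the msg="Authentication request invalid" case, which a bare \S+ capture would cut at the first space), and it renames the firewall keys to the OSSEC field names the decoders use. The decoder names returned by decoder_name and the key-to-field mapping are assumptions that mirror the decoders posted in the thread; the two sample lines are the ones quoted above.

```python
"""Parse NETASQ/Stormshield key=value syslog lines and map them to the OSSEC
field names used by the decoders discussed in the thread.
Added example; assumptions (decoder names, field mapping) are marked below."""
import re

# The two sample events quoted in the thread. "#015" is rsyslog's rendering of
# the trailing carriage return (octal 015 = \r); it is not part of the message.
AUTH_LINE = (
    'Dec  2 15:42:29 192.168.10.1 id=firewall time="2016-12-02 15:42:28" '
    'fw="FW1" tz=+0000 startime="2016-12-02 15:42:28" user="admin" '
    'src=192.168.10.2 ruleid=0 method="PLAIN" error=4 '
    'msg="Authentication request invalid" logtype="auth"#015'
)
FILTER_LINE = (
    'Dec  2 14:37:42 192.168.10.1 id=firewall time="2016-12-02 14:37:41" '
    'fw="FW1" tz=+0000 startime="2016-12-02 14:37:40" pri=5 confid=01 '
    'slotlevel=2 ruleid=1 srcif="Ethernet2" srcifname="port2" ipproto=tcp '
    'proto=ssh src=192.168.10.2 srcport=33659 srcportname=ephemeral_fw_tcp '
    'srcname=Routeur dst=192.168.10.1 dstport=22 dstportname=ssh dstname=FW '
    'action=pass logtype="filter"#015'
)

# BSD syslog header as ossec-logtest's pre-decoder splits it: timestamp, host, message.
_SYSLOG_HDR = re.compile(
    r'^(?P<ts>[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) (?P<msg>.*)$'
)
# One key=value pair. A value is either a double-quoted string (which may
# contain spaces, e.g. msg="Authentication request invalid") or a run of
# non-space characters (tz=+0000, ipproto=tcp, srcport=33659).
_KV = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S*)')

# Assumed mapping from firewall keys to the OSSEC field names used in the
# thread's <order> tags. OSSEC reports "user" as dstuser and "protocol" as proto.
OSSEC_FIELD_MAP = {
    'id': 'id', 'fw': 'extra_data', 'user': 'dstuser', 'src': 'srcip',
    'srcport': 'srcport', 'dst': 'dstip', 'dstport': 'dstport',
    'ipproto': 'protocol', 'proto': 'protocol', 'action': 'action',
}


def parse_line(line):
    """Split one syslog line into header parts and a dict of key=value fields."""
    line = line.rstrip('\r\n')
    if line.endswith('#015'):          # drop rsyslog's escaped trailing CR
        line = line[:-4]
    m = _SYSLOG_HDR.match(line)
    if m is None:
        raise ValueError('not a BSD syslog line: %r' % line)
    fields = {}
    for key, raw in _KV.findall(m.group('msg')):
        if len(raw) >= 2 and raw[0] == '"' and raw[-1] == '"':
            raw = raw[1:-1]            # unquote; inner spaces are preserved
        fields[key] = raw
    return {'timestamp': m.group('ts'), 'hostname': m.group('host'),
            'message': m.group('msg'), 'fields': fields}


def decoder_name(parsed):
    """Which of the thread's decoders would claim the event (assumed names,
    same prematch logic: parent on '^id=', children on logtype)."""
    if not parsed['message'].startswith('id='):
        return None
    logtype = parsed['fields'].get('logtype')
    return {'auth': 'netasq-log', 'filter': 'netasq-fw'}.get(logtype, 'netasq')


def to_ossec_fields(parsed):
    """Rename fields to OSSEC names; keys sharing a target (ipproto and proto
    both map to protocol) are collected into a list, in log order."""
    out = {}
    for key, value in parsed['fields'].items():
        target = OSSEC_FIELD_MAP.get(key)
        if target is None:
            continue                   # keys the decoders do not extract
        if target in out:
            prev = out[target]
            out[target] = (prev if isinstance(prev, list) else [prev]) + [value]
        else:
            out[target] = value
    return out


if __name__ == '__main__':
    for sample in (AUTH_LINE, FILTER_LINE):
        event = parse_line(sample)
        print(decoder_name(event), to_ossec_fields(event))
```

Running the script prints, for each sample, the decoder that would claim it and the renamed fields; the filter event yields all ten values the <order> above asks for (including dstport and action), which is a quick way to confirm that the fields are present in the log before suspecting the regex.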