Hi,

what OSSEC version are you running?.

Regards.

On Friday, December 9, 2016 at 11:51:09 AM UTC+1, 1kn0 wrote:
>
> Hello Dan, 
>
> Thank you very much for your help. 
>
> I've a problem with the following decoder and sample. It generates a 
> segfault in ossec-logtest: 
>
> <!--- 
> Dec  2 14:37:42 192.168.10.1 id=firewall time="2016-12-02 14:37:41" 
> fw="FW1" tz=+0000 startime="2016-12-02 14:37:40" pri=5 confid=01 
> slotlevel=2 ruleid=1 srcif="Ethernet2" srcifname="port2" ipproto=tcp 
> proto=ssh src=192.168.10.2 srcport=33659 srcportname=ephemeral_fw_tcp 
> srcname=Routeur dst=192.168.10.1 dstport=22 dstportname=ssh dstname=FW 
> action=pass logtype="filter"#015 
> --> 
>
> <decoder name="netasq-filter"> 
>   <parent>netasq</parent> 
>   <prematch>logtype="filter"</prematch> 
>   <regex>^id=(\S+) time=\.+ fw="(\w+)" \.+ srcifname="(\w+)" ipproto=(\S+) proto=(\S+) src=(\S+) srcport=(\d+) \.+ dst=(\S+) dstport=(\d+) \.+ action=(\S+)</regex> 
>   <order>id, extra_data, extra_data, protocol, protocol, srcip, srcport, dstip, dstport, action</order> 
> </decoder> 
>
> The segfault appears before the display of dstport. 
> For the 'action' item, I can't display it either. 
>
> Any ideas? 
>
>
>
> 2016-12-07 13:06 GMT+01:00 dan (ddp) <ddp...@gmail.com>: 
> > On Wed, Dec 7, 2016 at 5:26 AM, 1kn0 <mill...@gmail.com> wrote: 
> >> Greetings, 
> >> 
> >> I'm new to OSSEC and I didn't find an answer to my problem on the list. 
> >> I have appliance firewalls (netasq and stormshield) on a network. These 
> >> firewalls export their logs to the computer where OSSEC is installed. 
> >> 
> >> For tests: 
> >> 
> >> I connect on the administration pages of the firewall, with an invalid 
> >> user/password. 
> >>> 
> >>> Dec  2 15:42:29 192.168.10.1 id=firewall time="2016-12-02 15:42:28" 
> >>> fw="FW1" tz=+0000 startime="2016-12-02 15:42:28" user="admin" 
> >>> src=192.168.10.2 ruleid=0 method="PLAIN" error=4 msg="Authentication request invalid" logtype="auth"#015 
> >> 
> >> 
> >> I connect to the firewall with SSH 
> >>> 
> >>> Dec  2 14:37:42 192.168.10.1 id=firewall time="2016-12-02 14:37:41" 
> >>> fw="FW1" tz=+0000 startime="2016-12-02 14:37:40" pri=5 confid=01 slotlevel=2 
> >>> ruleid=1 srcif="Ethernet2" srcifname="port2" ipproto=tcp proto=ssh 
> >>> src=192.168.10.2 srcport=33659 srcportname=ephemeral_fw_tcp srcname=Routeur 
> >>> dst=192.168.10.1 dstport=22 dstportname=ssh dstname=FW action=pass 
> >>> logtype="filter"#015 
> >> 
> >> 
> >> 
> >> Are there decoders and rules for this firewall? 
> >> How do I configure decoders/rules to analyze all events reported by the 
> >> firewalls? 
> >> 
> > 
> > I don't believe there are decoders or rules for this firewall (never 
> > heard of it actually). 
> > Running the samples provided through ossec-logtest, I get the following output: 
> > **Phase 1: Completed pre-decoding. 
> >        full event: 'Dec  2 15:42:29 192.168.10.1 id=firewall 
> > time="2016-12-02 15:42:28" fw="FW1" tz=+0000 startime="2016-12-02 
> > 15:42:28" user="admin" src=192.168.10.2 ruleid=0 method="PLAIN" 
> > error=4 msg="Authentication request invalid" logtype="auth"#015' 
> >        hostname: '192.168.10.1' 
> >        program_name: '(null)' 
> >        log: 'id=firewall time="2016-12-02 15:42:28" fw="FW1" tz=+0000 
> > startime="2016-12-02 15:42:28" user="admin" src=192.168.10.2 ruleid=0 
> > method="PLAIN" error=4 msg="Authentication request invalid" 
> > logtype="auth"#015' 
> > 
> > **Phase 2: Completed decoding. 
> >        No decoder matched. 
> > 
> > **Phase 3: Completed filtering (rules). 
> >        Rule id: '1002' 
> >        Level: '2' 
> >        Description: 'Unknown problem somewhere in the system.' 
> > **Alert to be generated. 
> > 
> > 
> > **Phase 1: Completed pre-decoding. 
> >        full event: 'Dec  2 14:37:42 192.168.10.1 id=firewall 
> > time="2016-12-02 14:37:41" fw="FW1" tz=+0000 startime="2016-12-02 
> > 14:37:40" pri=5 confid=01 slotlevel=2 ruleid=1 srcif="Ethernet2" 
> > srcifname="port2" ipproto=tcp proto=ssh src=192.168.10.2 srcport=33659 
> > srcportname=ephemeral_fw_tcp srcname=Routeur dst=192.168.10.1 
> > dstport=22 dstportname=ssh dstname=FW action=pass 
> > logtype="filter"#015' 
> >        hostname: '192.168.10.1' 
> >        program_name: '(null)' 
> >        log: 'id=firewall time="2016-12-02 14:37:41" fw="FW1" tz=+0000 
> > startime="2016-12-02 14:37:40" pri=5 confid=01 slotlevel=2 ruleid=1 
> > srcif="Ethernet2" srcifname="port2" ipproto=tcp proto=ssh 
> > src=192.168.10.2 srcport=33659 srcportname=ephemeral_fw_tcp 
> > srcname=Routeur dst=192.168.10.1 dstport=22 dstportname=ssh dstname=FW 
> > action=pass logtype="filter"#015' 
> > 
> > **Phase 2: Completed decoding. 
> >        No decoder matched. 
> > 
> > 
> > Adding the following decoder to local_decoder.xml gives us "decoder: 
> > 'netasq'" (although this is untested against other logs to make sure 
> > there are no conflicts): 
> > <decoder name="netasq"> 
> >   <prematch>^id=</prematch> 
> > </decoder> 
> > 
> > 
> > These decoders flesh it out a bit: 
> > <decoder name="netasq-log"> 
> >   <parent>netasq</parent> 
> >   <prematch>logtype="auth"</prematch> 
>   <regex>^id=(\S+) time=\.+ fw="(\w+)" \.+ user="(\S+)" src=(\S+) \.+ logtype="auth"</regex> 
> >   <order>id, extra_data, user, srcip</order> 
> > </decoder> 
> > 
> > <decoder name="netasq-fw"> 
> >   <parent>netasq</parent> 
> >   <prematch> logtype="filter"</prematch> 
>   <regex>^id=(\S+) time=\.+ fw="(\w+)" \.+ ipproto=(\S+) proto=(\S+) src=(\S+) srcport=(\d+) \.+ dst=(\S+) dstport=(\d+) \.+ action=(\S+) 
> > </regex> 
>   <order>id, extra_data, protocol, protocol, srcip, srcport, dstip, dstport, action</order> 
> > </decoder> 
> > 
> > **Phase 1: Completed pre-decoding. 
> >        full event: 'Dec  2 15:42:29 192.168.10.1 id=firewall 
> > time="2016-12-02 15:42:28" fw="FW1" tz=+0000 startime="2016-12-02 
> > 15:42:28" user="admin" src=192.168.10.2 ruleid=0 method="PLAIN" 
> > error=4 msg="Authentication request invalid" logtype="auth"#015' 
> >        hostname: '192.168.10.1' 
> >        program_name: '(null)' 
> >        log: 'id=firewall time="2016-12-02 15:42:28" fw="FW1" tz=+0000 
> > startime="2016-12-02 15:42:28" user="admin" src=192.168.10.2 ruleid=0 
> > method="PLAIN" error=4 msg="Authentication request invalid" 
> > logtype="auth"#015' 
> > 
> > **Phase 2: Completed decoding. 
> >        decoder: 'netasq' 
> >        id: 'firewall' 
> >        extra_data: 'FW1' 
> >        dstuser: 'admin' 
> >        srcip: '192.168.10.2' 
> > 
> > 
> > **Phase 1: Completed pre-decoding. 
> >        full event: 'Dec  2 14:37:42 192.168.10.1 id=firewall 
> > time="2016-12-02 14:37:41" fw="FW1" tz=+0000 startime="2016-12-02 
> > 14:37:40" pri=5 confid=01 slotlevel=2 ruleid=1 srcif="Ethernet2" 
> > srcifname="port2" ipproto=tcp proto=ssh src=192.168.10.2 srcport=33659 
> > srcportname=ephemeral_fw_tcp srcname=Routeur dst=192.168.10.1 
> > dstport=22 dstportname=ssh dstname=FW action=pass 
> > logtype="filter"#015' 
> >        hostname: '192.168.10.1' 
> >        program_name: '(null)' 
> >        log: 'id=firewall time="2016-12-02 14:37:41" fw="FW1" tz=+0000 
> > startime="2016-12-02 14:37:40" pri=5 confid=01 slotlevel=2 ruleid=1 
> > srcif="Ethernet2" srcifname="port2" ipproto=tcp proto=ssh 
> > src=192.168.10.2 srcport=33659 srcportname=ephemeral_fw_tcp 
> > srcname=Routeur dst=192.168.10.1 dstport=22 dstportname=ssh dstname=FW 
> > action=pass logtype="filter"#015' 
> > 
> > **Phase 2: Completed decoding. 
> >        decoder: 'netasq' 
> >        id: 'firewall' 
> >        extra_data: 'FW1' 
> >        proto: 'tcp' 
> >        proto: 'ssh' 
> >        srcip: '192.168.10.2' 
> >        srcport: '33659' 
> >        dstip: '192.168.10.1' 
> >        dstport: '22' 
> > 
> > 
> > I'm not sure why action isn't showing up in that second one offhand, 
> > but I've fiddled with it enough for now. 
> > Any rules you create based on these decoders should reference 
> > <decoded_as>netasq</decoded_as>. 
> > 
> > 
> > 
> >> Thanks in advance for your help. 
> >> 
> >> -- 
> >> 
> >> --- 
> >> You received this message because you are subscribed to the Google Groups 
> >> "ossec-list" group. 
> >> To unsubscribe from this group and stop receiving emails from it, send an 
> >> email to ossec-list+...@googlegroups.com. 
> >> For more options, visit https://groups.google.com/d/optout. 
>


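A local_rules.xml fragment built on the netasq decoder from this thread, as an added example that is not part of the original messages. It groups every event the decoder claims, alerts on the failed administration login in the logtype="auth" sample, and escalates when the same source repeats it; the rule ids in the 100100 range, levels, frequency and timeframe are assumptions chosen for the local-rules range.

```xml
<!-- Added example, not from the thread. Rule ids/levels/thresholds are assumptions. -->
<group name="netasq,firewall,">

  <!-- Catch-all parent rule: every event decoded by the 'netasq' decoder
       (and its children, which logtest reports as 'netasq') lands here. -->
  <rule id="100100" level="0">
    <decoded_as>netasq</decoded_as>
    <description>NETASQ firewall messages grouped.</description>
  </rule>

  <!-- Failed login on the firewall administration pages, as in the
       logtype="auth" sample with msg="Authentication request invalid". -->
  <rule id="100101" level="5">
    <if_sid>100100</if_sid>
    <match>logtype="auth"</match>
    <regex>msg="Authentication request invalid"</regex>
    <description>NETASQ: failed administration login.</description>
    <group>authentication_failed,</group>
  </rule>

  <!-- Escalate when the same source IP (srcip decoded by netasq-log)
       fails repeatedly inside a short window. -->
  <rule id="100102" level="10" frequency="6" timeframe="120">
    <if_matched_sid>100101</if_matched_sid>
    <same_source_ip />
    <description>NETASQ: multiple failed administration logins from same source.</description>
    <group>authentication_failures,</group>
  </rule>

</group>
```

Feed the auth sample through ossec-logtest after adding the fragment; Phase 3 should report rule 100101 for a single failure.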