ossec-logtest -V reports v2.8

Regards
2016-12-09 12:50 GMT+01:00 Jesus Linares <je...@wazuh.com>:
> Hi,
>
> What OSSEC version are you running?
>
> Regards.
>
> On Friday, December 9, 2016 at 11:51:09 AM UTC+1, 1kn0 wrote:
>>
>> Hello Dan,
>>
>> Thank you very much for your help.
>>
>> I have a problem with the following decoder and sample. It generates a
>> segfault in ossec-logtest:
>>
>> <!---
>> Dec 2 14:37:42 192.168.10.1 id=firewall time="2016-12-02 14:37:41" fw="FW1" tz=+0000 startime="2016-12-02 14:37:40" pri=5 confid=01 slotlevel=2 ruleid=1 srcif="Ethernet2" srcifname="port2" ipproto=tcp proto=ssh src=192.168.10.2 srcport=33659 srcportname=ephemeral_fw_tcp srcname=Routeur dst=192.168.10.1 dstport=22 dstportname=ssh dstname=FW action=pass logtype="filter"#015
>> -->
>>
>> <decoder name="netasq-filter">
>>   <parent>netasq</parent>
>>   <prematch>logtype="filter"</prematch>
>>   <regex>^id=(\S+) time=\.+ fw="(\w+)" \.+ srcifname="(\w+)" ipproto=(\S+) proto=(\S+) src=(\S+) srcport=(\d+) \.+ dst=(\S+) dstport=(\d+) \.+ action=(\S+)</regex>
>>   <order>id, extra_data, extra_data, protocol, protocol, srcip, srcport, dstip, dstport, action</order>
>> </decoder>
>>
>> The segfault appears before the display of dstport.
>> I can't display the 'action' item either.
>>
>> Any ideas?
>>
>> 2016-12-07 13:06 GMT+01:00 dan (ddp) <ddp...@gmail.com>:
>> > On Wed, Dec 7, 2016 at 5:26 AM, 1kn0 <mill...@gmail.com> wrote:
>> >> Greetings,
>> >>
>> >> I'm new to OSSEC and I didn't find an answer to my problem on the list.
>> >> I have appliance firewalls (netasq and stormshield) on a network. These
>> >> firewalls export their logs to the computer where OSSEC is installed.
>> >>
>> >> For tests:
>> >>
>> >> I connect to the administration pages of the firewall with an invalid
>> >> user/password.
>> >>
>> >>> Dec 2 15:42:29 192.168.10.1 id=firewall time="2016-12-02 15:42:28" fw="FW1" tz=+0000 startime="2016-12-02 15:42:28" user="admin" src=192.168.10.2 ruleid=0 method="PLAIN" error=4 msg="Authentication request invalid" logtype="auth"#015
>> >>
>> >> I connect to the firewall with SSH.
>> >>
>> >>> Dec 2 14:37:42 192.168.10.1 id=firewall time="2016-12-02 14:37:41" fw="FW1" tz=+0000 startime="2016-12-02 14:37:40" pri=5 confid=01 slotlevel=2 ruleid=1 srcif="Ethernet2" srcifname="port2" ipproto=tcp proto=ssh src=192.168.10.2 srcport=33659 srcportname=ephemeral_fw_tcp srcname=Routeur dst=192.168.10.1 dstport=22 dstportname=ssh dstname=FW action=pass logtype="filter"#015
>> >>
>> >> Are there decoders and rules for this firewall?
>> >> How do I configure decoders/rules to analyze all events reported by the
>> >> firewalls?
>> >>
>> >
>> > I don't believe there are decoders or rules for this firewall (never
>> > heard of it actually).
>> > Running the samples provided through ossec-logtest, I get the following
>> > output:
>> >
>> > **Phase 1: Completed pre-decoding.
>> >        full event: 'Dec 2 15:42:29 192.168.10.1 id=firewall time="2016-12-02 15:42:28" fw="FW1" tz=+0000 startime="2016-12-02 15:42:28" user="admin" src=192.168.10.2 ruleid=0 method="PLAIN" error=4 msg="Authentication request invalid" logtype="auth"#015'
>> >        hostname: '192.168.10.1'
>> >        program_name: '(null)'
>> >        log: 'id=firewall time="2016-12-02 15:42:28" fw="FW1" tz=+0000 startime="2016-12-02 15:42:28" user="admin" src=192.168.10.2 ruleid=0 method="PLAIN" error=4 msg="Authentication request invalid" logtype="auth"#015'
>> >
>> > **Phase 2: Completed decoding.
>> >        No decoder matched.
>> >
>> > **Phase 3: Completed filtering (rules).
>> >        Rule id: '1002'
>> >        Level: '2'
>> >        Description: 'Unknown problem somewhere in the system.'
>> > **Alert to be generated.
>> >
>> > **Phase 1: Completed pre-decoding.
>> >        full event: 'Dec 2 14:37:42 192.168.10.1 id=firewall time="2016-12-02 14:37:41" fw="FW1" tz=+0000 startime="2016-12-02 14:37:40" pri=5 confid=01 slotlevel=2 ruleid=1 srcif="Ethernet2" srcifname="port2" ipproto=tcp proto=ssh src=192.168.10.2 srcport=33659 srcportname=ephemeral_fw_tcp srcname=Routeur dst=192.168.10.1 dstport=22 dstportname=ssh dstname=FW action=pass logtype="filter"#015'
>> >        hostname: '192.168.10.1'
>> >        program_name: '(null)'
>> >        log: 'id=firewall time="2016-12-02 14:37:41" fw="FW1" tz=+0000 startime="2016-12-02 14:37:40" pri=5 confid=01 slotlevel=2 ruleid=1 srcif="Ethernet2" srcifname="port2" ipproto=tcp proto=ssh src=192.168.10.2 srcport=33659 srcportname=ephemeral_fw_tcp srcname=Routeur dst=192.168.10.1 dstport=22 dstportname=ssh dstname=FW action=pass logtype="filter"#015'
>> >
>> > **Phase 2: Completed decoding.
>> >        No decoder matched.
>> >
>> > Adding the following decoder to local_decoder.xml gives us "decoder:
>> > 'netasq'" (although this is untested against other logs to make sure
>> > there are no conflicts):
>> >
>> > <decoder name="netasq">
>> >   <prematch>^id=</prematch>
>> > </decoder>
>> >
>> > These decoders flesh it out a bit:
>> >
>> > <decoder name="netasq-log">
>> >   <parent>netasq</parent>
>> >   <prematch>logtype="auth"</prematch>
>> >   <regex>^id=(\S+) time=\.+ fw="(\w+)" \.+ user="(\S+)" src=(\S+) \.+ logtype="auth"</regex>
>> >   <order>id, extra_data, user, srcip</order>
>> > </decoder>
>> >
>> > <decoder name="netasq-fw">
>> >   <parent>netasq</parent>
>> >   <prematch> logtype="filter"</prematch>
>> >   <regex>^id=(\S+) time=\.+ fw="(\w+)" \.+ ipproto=(\S+) proto=(\S+) src=(\S+) srcport=(\d+) \.+ dst=(\S+) dstport=(\d+) \.+ action=(\S+)</regex>
>> >   <order>id, extra_data, protocol, protocol, srcip, srcport, dstip, dstport, action</order>
>> > </decoder>
>> >
>> > **Phase 1: Completed pre-decoding.
>> >        full event: 'Dec 2 15:42:29 192.168.10.1 id=firewall time="2016-12-02 15:42:28" fw="FW1" tz=+0000 startime="2016-12-02 15:42:28" user="admin" src=192.168.10.2 ruleid=0 method="PLAIN" error=4 msg="Authentication request invalid" logtype="auth"#015'
>> >        hostname: '192.168.10.1'
>> >        program_name: '(null)'
>> >        log: 'id=firewall time="2016-12-02 15:42:28" fw="FW1" tz=+0000 startime="2016-12-02 15:42:28" user="admin" src=192.168.10.2 ruleid=0 method="PLAIN" error=4 msg="Authentication request invalid" logtype="auth"#015'
>> >
>> > **Phase 2: Completed decoding.
>> >        decoder: 'netasq'
>> >        id: 'firewall'
>> >        extra_data: 'FW1'
>> >        dstuser: 'admin'
>> >        srcip: '192.168.10.2'
>> >
>> > **Phase 1: Completed pre-decoding.
>> >        full event: 'Dec 2 14:37:42 192.168.10.1 id=firewall time="2016-12-02 14:37:41" fw="FW1" tz=+0000 startime="2016-12-02 14:37:40" pri=5 confid=01 slotlevel=2 ruleid=1 srcif="Ethernet2" srcifname="port2" ipproto=tcp proto=ssh src=192.168.10.2 srcport=33659 srcportname=ephemeral_fw_tcp srcname=Routeur dst=192.168.10.1 dstport=22 dstportname=ssh dstname=FW action=pass logtype="filter"#015'
>> >        hostname: '192.168.10.1'
>> >        program_name: '(null)'
>> >        log: 'id=firewall time="2016-12-02 14:37:41" fw="FW1" tz=+0000 startime="2016-12-02 14:37:40" pri=5 confid=01 slotlevel=2 ruleid=1 srcif="Ethernet2" srcifname="port2" ipproto=tcp proto=ssh src=192.168.10.2 srcport=33659 srcportname=ephemeral_fw_tcp srcname=Routeur dst=192.168.10.1 dstport=22 dstportname=ssh dstname=FW action=pass logtype="filter"#015'
>> >
>> > **Phase 2: Completed decoding.
>> >        decoder: 'netasq'
>> >        id: 'firewall'
>> >        extra_data: 'FW1'
>> >        proto: 'tcp'
>> >        proto: 'ssh'
>> >        srcip: '192.168.10.2'
>> >        srcport: '33659'
>> >        dstip: '192.168.10.1'
>> >        dstport: '22'
>> >
>> > I'm not sure why action isn't showing up in that second one off hand,
>> > but I've fiddled with it enough for now.
>> > Any rules you create based on these decoders should reference
>> > <decoded_as>netasq</decoded_as>.
>> >
>> >> Thanks in advance for your help.
>> >>

-- 

---
You received this message because you are subscribed to the Google Groups "ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email to ossec-list+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
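A check for the limit this thread runs into, added here as an example; it is not code from the thread, from OSSEC or from Wazuh. The decoder posted by 1kn0 has ten capture groups and ten `<order>` fields, and dan's netasq-fw has nine, with the ninth (action) silently missing from the ossec-logtest output. Both symptoms are what you would expect if the decoder loader keeps `<order>` in a fixed-size array and the regex produces more values than it holds. My reading of analysisd/decoders/decoder.c in OSSEC 2.x is that the array holds 8 entries (Wazuh later raised the limit to 32); the script treats that as a parameter, `MAX_ORDER_FIELDS`, so confirm it against your build. It lints a decoder file for three things: more order fields than the array holds, a mismatch between regex capture groups and order entries, and order names OSSEC 2.8 does not accept (`KNOWN_FIELDS` is my list of those names, an assumption to extend for newer builds). The embedded samples are the decoder as posted and a corrected set that keeps each child within eight fields by dropping the srcifname capture and the duplicate ipproto capture; the corrected decoders are my rewrite, not the poster's or dan's, and were not run through ossec-logtest here.

```python
"""Lint OSSEC decoder XML for the fixed-size <order> array.

Added example, not code from OSSEC, Wazuh or the ossec-list thread.
MAX_ORDER_FIELDS = 8 is my reading of analysisd/decoders/decoder.c in
OSSEC 2.x (Wazuh raised it to 32): treat it as a parameter and confirm
it against the build you run. KNOWN_FIELDS is the set of <order> names
I expect OSSEC 2.8 to accept; extend it for newer builds.
"""
import sys
import xml.etree.ElementTree as ET

MAX_ORDER_FIELDS = 8  # assumed OSSEC 2.x order array size; verify

KNOWN_FIELDS = {  # assumed OSSEC 2.8 <order> names
    "location", "srcuser", "dstuser", "user", "srcip", "dstip", "srcport",
    "dstport", "protocol", "action", "id", "url", "data", "extra_data",
    "status", "system_name",
}

# The decoder as posted in the thread: ten captures, ten order fields.
POSTED_DECODER = r'''
<decoder name="netasq-filter">
  <parent>netasq</parent>
  <prematch>logtype="filter"</prematch>
  <regex>^id=(\S+) time=\.+ fw="(\w+)" \.+ srcifname="(\w+)" ipproto=(\S+) proto=(\S+) src=(\S+) srcport=(\d+) \.+ dst=(\S+) dstport=(\d+) \.+ action=(\S+)</regex>
  <order>id, extra_data, extra_data, protocol, protocol, srcip, srcport, dstip, dstport, action</order>
</decoder>
'''

# Corrected set (my rewrite, not from the thread): each child stays within
# eight fields by dropping the srcifname and duplicate ipproto captures.
FIXED_DECODERS = r'''
<decoder name="netasq">
  <prematch>^id=</prematch>
</decoder>

<decoder name="netasq-auth">
  <parent>netasq</parent>
  <prematch>logtype="auth"</prematch>
  <regex>^id=(\S+) time=\.+ fw="(\w+)" \.+ user="(\S+)" src=(\S+) \.+ logtype="auth"</regex>
  <order>id, extra_data, user, srcip</order>
</decoder>

<decoder name="netasq-filter">
  <parent>netasq</parent>
  <prematch>logtype="filter"</prematch>
  <regex>^id=(\S+) time=\.+ fw="(\w+)" \.+ proto=(\S+) src=(\S+) srcport=(\d+) \.+ dst=(\S+) dstport=(\d+) \.+ action=(\S+)</regex>
  <order>id, extra_data, protocol, srcip, srcport, dstip, dstport, action</order>
</decoder>
'''


def count_captures(regex):
    """Count capture groups in an OSSEC regex: every '(' not escaped with a
    backslash opens a group, and OSSEC has no non-capturing groups, so this
    is the number of values the regex hands to <order>."""
    groups, escaped = 0, False
    for ch in regex:
        if escaped:
            escaped = False
        elif ch == "\\":
            escaped = True
        elif ch == "(":
            groups += 1
    return groups


def lint_decoders(xml_text, max_fields=MAX_ORDER_FIELDS):
    """Return [(decoder_name, problem), ...] for one decoder file.

    Decoder files have several top-level <decoder> elements, so the text is
    wrapped in a synthetic root before parsing; multiple <regex> elements
    are concatenated the way OSSEC does."""
    root = ET.fromstring("<decoders>" + xml_text + "</decoders>")
    findings = []
    for dec in root.iter("decoder"):
        name = dec.get("name", "?")
        regex = "".join(r.text or "" for r in dec.findall("regex"))
        order = ",".join(o.text or "" for o in dec.findall("order"))
        fields = [f.strip() for f in order.split(",") if f.strip()]
        if not regex and not fields:
            continue  # prematch-only decoder such as the 'netasq' parent
        if len(fields) > max_fields:
            findings.append((name, f"{len(fields)} order fields, but the order "
                             f"array holds {max_fields}: entries past "
                             f"#{max_fields} fall outside the array"))
        captures = count_captures(regex)
        if captures != len(fields):
            findings.append((name, f"regex has {captures} capture group(s) "
                             f"but order lists {len(fields)} field(s)"))
        for field in fields:
            if field not in KNOWN_FIELDS:
                findings.append((name, f"unknown order field '{field}'"))
    return findings


if __name__ == "__main__":
    # With a path argument, lint that file; otherwise lint the embedded samples.
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as fh:
            samples = [(sys.argv[1], fh.read())]
    else:
        samples = [("as posted", POSTED_DECODER), ("corrected", FIXED_DECODERS)]
    for label, text in samples:
        problems = lint_decoders(text)
        print(f"{label}: {len(problems)} finding(s)")
        for name, problem in problems:
            print(f"  {name}: {problem}")
```

Run it against /var/ossec/etc/local_decoder.xml (it assumes the file is well-formed XML once wrapped in a root element; OSSEC's own parser is more lenient, so the stock decoder.xml may need cleanup before ElementTree accepts it), fix whatever it reports, then feed the two sample events to /var/ossec/bin/ossec-logtest. With eight or fewer fields per child decoder the filter event is expected to decode through to `action: 'pass'` instead of crashing, and a rule that wants only the failed logins can match on `<decoded_as>netasq</decoded_as>` plus `<match>logtype="auth"</match>`.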