On Wed, Dec 14, 2016 at 9:50 AM, Bertrand Danos <mille...@gmail.com> wrote:
> Without the action match and order, it's OK:
>

I feel like there was a limit in the number of entries in the <order>
field. Maybe it's 9?

What about something like this:


> <!--
> Dec  2 14:37:42 192.168.10.1 id=firewall time="2016-12-02 14:37:41"
> fw="FW1" tz=+0000 startime="2016-12-02 14:37:40" pri=5 confid=01
> slotlevel=2 ruleid=1 srcif="Ethernet2" srcifname="port2" ipproto=tcp
> proto=ssh src=192.168.10.2 srcport=33659 srcportname=ephemeral_fw_tcp
> srcname=Routeur dst=192.168.10.1 dstport=22 dstportname=ssh dstname=FW
> action=pass logtype="filter"#015
>  -->
> <decoder name="netasq-filter">
>   <parent>netasq</parent>
>   <prematch>logtype="filter"</prematch>
>   <regex>^id=(\S+) time=\.+ fw="(\w+)" \.+ srcifname="(\w+)"
> ipproto=(\S+) proto=(\S+) src=(\S+) srcport=(\d+) \.+ dst=(\S+)
> dstport=(\d+)</regex>
>   <order>id, extra_data, extra_data, protocol, protocol, srcip,
> srcport, dstip, dstport</order>
>
> <!-- segfault
>   <regex>^id=(\S+) time=\.+ fw="(\w+)" \.+ srcifname="(\w+)"
> ipproto=(\S+) proto=(\S+) src=(\S+) srcport=(\d+) \.+ dst=(\S+)
> dstport=(\d+) \.+ action=(\S+)</regex>
>   <order>id, extra_data, extra_data, protocol, protocol, srcip,
> srcport, dstip, dstport, action</order>
> -->
> </decoder>
>

Splitting it into multiple decoders seems to work for me:
<decoder name="netasq-filter">
  <parent>netasq</parent>
  <prematch>logtype="filter"</prematch>
  <regex>^id=(\S+) time=\.+ fw="(\w+)" \.+ srcifname="(\w+)"
ipproto=(\S+) proto=(\S+) src=(\S+) srcport=(\d+) \.+ dst=(\S+)
dstport=(\d+) </regex>
  <order>id, extra_data, extra_data, protocol, protocol, srcip,
srcport, dstip, dstport</order>
</decoder>

<decoder name="netasq-filter">
  <parent>netasq</parent>
  <regex>action=(\S+)</regex>
  <order>action</order>
</decoder>

**Phase 1: Completed pre-decoding.
       full event: 'Dec  2 14:37:42 192.168.10.1 id=firewall
time="2016-12-02 14:37:41" fw="FW1" tz=+0000 startime="2016-12-02
14:37:40" pri=5 confid=01 slotlevel=2 ruleid=1 srcif="Ethernet2"
srcifname="port2" ipproto=tcp proto=ssh src=192.168.10.2 srcport=33659
srcportname=ephemeral_fw_tcp srcname=Routeur dst=192.168.10.1
dstport=22 dstportname=ssh dstname=FW action=pass
logtype="filter"#015'
       hostname: '192.168.10.1'
       program_name: '(null)'
       log: 'id=firewall time="2016-12-02 14:37:41" fw="FW1" tz=+0000
startime="2016-12-02 14:37:40" pri=5 confid=01 slotlevel=2 ruleid=1
srcif="Ethernet2" srcifname="port2" ipproto=tcp proto=ssh
src=192.168.10.2 srcport=33659 srcportname=ephemeral_fw_tcp
srcname=Routeur dst=192.168.10.1 dstport=22 dstportname=ssh dstname=FW
action=pass logtype="filter"#015'

**Phase 2: Completed decoding.
       decoder: 'netasq'
       id: 'firewall'
       extra_data: 'FW1'
       extra_data: 'port2'
       proto: 'tcp'
       proto: 'ssh'
       srcip: '192.168.10.2'
       srcport: '33659'
       dstip: '192.168.10.1'
       action: 'pass'

>
> result:
>
> **Phase 2: Completed decoding.
>        decoder: 'netasq'
>        id: 'firewall'
>        extra_data: 'FW1'
>        extra_data: 'port2'
>        proto: 'tcp'
>        proto: 'ssh'
>        srcip: '192.168.10.2'
>        srcport: '33659'
>        dstip: '192.168.10.1'
>
>
>
> With the action match and order, it crashes:
>
> strace ./ossec-logtest
>
> write(2, "\n**Phase 2: Completed decoding.", 31
> **Phase 2: Completed decoding.) = 31
> write(2, "\n", 1
> )                       = 1
> write(2, "       decoder: 'netasq'", 24       decoder: 'netasq') = 24
> write(2, "\n", 1
> )                       = 1
> write(2, "       id: 'firewall'", 21       id: 'firewall')   = 21
> write(2, "\n", 1
> )                       = 1
> write(2, "       extra_data: 'FW1'", 24       extra_data: 'FW1') = 24
> write(2, "\n", 1
> )                       = 1
> write(2, "       extra_data: 'port2'", 26       extra_data: 'port2') = 26
> write(2, "\n", 1
> )                       = 1
> write(2, "       proto: 'tcp'", 19       proto: 'tcp')     = 19
> write(2, "\n", 1
> )                       = 1
> write(2, "       proto: 'ssh'", 19       proto: 'ssh')     = 19
> write(2, "\n", 1
> )                       = 1
> write(2, "       srcip: '192.168.10.2'", 28       srcip: '192.168.10.2') = 28
> write(2, "\n", 1
> )                       = 1
> write(2, "       srcport: '33659'", 23       srcport: '33659') = 23
> write(2, "\n", 1
> )                       = 1
> write(2, "       dstip: '192.168.10.1'", 28       dstip: '192.168.10.1') = 28
> write(2, "\n", 1
> )                       = 1
> --- SIGSEGV (Segmentation fault) @ 0 (0) ---
> +++ killed by SIGSEGV +++
>
>
>
> 2016-12-09 16:35 GMT+01:00 dan (ddp) <ddp...@gmail.com>:
>>
>>
>> On Dec 9, 2016 5:51 AM, "Bertrand Danos" <mille...@gmail.com> wrote:
>>
>> Hello Dan,
>>
>> Thank you very much for your help.
>>
>> I've a problem with the following decoder and sample. It generates a
>> segfault in ossec-logtest:
>>
>> <!---
>> Dec  2 14:37:42 192.168.10.1 id=firewall time="2016-12-02 14:37:41"
>> fw="FW1" tz=+0000 startime="2016-12-02 14:37:40" pri=5 confid=01
>> slotlevel=2 ruleid=1 srcif="Ethernet2" srcifname="port2" ipproto=tcp
>> proto=ssh src=192.168.10.2 srcport=33659 srcportname=ephemeral_fw_tcp
>> srcname=Routeur dst=192.168.10.1 dstport=22 dstportname=ssh dstname=FW
>> action=pass logtype="filter"#015
>> -->
>>
>> <decoder name="netasq-filter">
>>   <parent>netasq</parent>
>>   <prematch>logtype="filter"</prematch>
>>   <regex>^id=(\S+) time=\.+ fw="(\w+)" \.+ srcifname="(\w+)"
>> ipproto=(\S+) proto=(\S+) src=(\S+) srcport=(\d+) \.+ dst=(\S+)
>> dstport=(\d+) \.+ action=(\S+)</regex>
>>   <order>id, extra_data, extra_data, protocol, protocol, srcip,
>> srcport, dstip, dstport, action</order>
>> </decoder>
>>
>> The segfault appears before the display of dstport.
>> For the 'action' item, I can't display it either.
>>
>>
>> Any ideas?
>>
>>
>>
>> If you remove the action match and order, does it still segfault?
>>
>>
>>
>> --
>>
>> ---
>> You received this message because you are subscribed to the Google Groups
>> "ossec-list" group.
>> To unsubscribe from this group and stop receiving emails from it, send an
>> email to ossec-list+unsubscr...@googlegroups.com.
>> For more options, visit https://groups.google.com/d/optout.

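As an added example (not code from this thread or from OSSEC itself), a small Python script that lints a decoder's <order> list against its regex capture groups and a configurable field limit, then runs the thread's two variants over the sample line under a simplified model of logtest phase 2. Assumptions: the limit of 9 is only the thread's guess, the OSSEC-to-Python regex translation covers just the constructs used here (\., \S, \w, \d), and "every matching child decoder contributes its fields" is an approximation chosen to reproduce the output shown above, not ossec-logtest's real algorithm.

```python
import re
MAX_ORDER_FIELDS = 9  # the thread's guess for ossec-logtest's <order> limit (assumption)
# Constructed sample: the thread's NETASQ line after pre-decoding, trimmed to referenced fields.
SAMPLE_LOG = ('id=firewall time="2016-12-02 14:37:41" fw="FW1" tz=+0000 '
              'srcif="Ethernet2" srcifname="port2" ipproto=tcp proto=ssh '
              'src=192.168.10.2 srcport=33659 srcportname=ephemeral_fw_tcp '
              'dst=192.168.10.1 dstport=22 dstportname=ssh action=pass logtype="filter"')

def ossec_to_python(pattern):
    """OSSEC regex subset to Python: '\\.' means any character, a bare '.' is literal."""
    out, i = [], 0
    while i < len(pattern):
        if pattern[i] == '\\' and i + 1 < len(pattern):   # \. -> . ; \S \w \d \s kept
            out.append('.' if pattern[i + 1] == '.' else pattern[i:i + 2])
            i += 2
        else:
            out.append(r'\.' if pattern[i] == '.' else pattern[i])
            i += 1
    return ''.join(out)

def lint_decoder(regex, order):
    """Problems visible without a log line: group/field mismatch, too many <order> fields."""
    groups = re.compile(ossec_to_python(regex)).groups
    n = len(order.split(','))
    problems = []
    if groups != n:
        problems.append(f'{groups} capture groups vs {n} order fields')
    if n > MAX_ORDER_FIELDS:
        problems.append(f'{n} order fields exceed limit {MAX_ORDER_FIELDS}')
    return problems

def decode(log, decoders):
    """Simplified phase-2 model (assumption): every child whose prematch and regex match adds fields."""
    fields = {}
    for d in decoders:
        if 'prematch' in d and not re.search(ossec_to_python(d['prematch']), log):
            continue
        m = re.search(ossec_to_python(d['regex']), log)
        if m:   # repeated names such as extra_data keep every value
            for name, value in zip((f.strip() for f in d['order'].split(',')), m.groups()):
                fields.setdefault(name, []).append(value)
    return fields

BASE_RE = (r'^id=(\S+) time=\.+ fw="(\w+)" \.+ srcifname="(\w+)" ipproto=(\S+) '
           r'proto=(\S+) src=(\S+) srcport=(\d+) \.+ dst=(\S+) dstport=(\d+)')
BASE_ORDER = 'id, extra_data, extra_data, protocol, protocol, srcip, srcport, dstip, dstport'
SPLIT = [{'prematch': 'logtype="filter"', 'regex': BASE_RE, 'order': BASE_ORDER},
         {'regex': r'action=(\S+)', 'order': 'action'}]   # Dan's two-decoder version
CRASHING = dict(SPLIT[0], regex=BASE_RE + r' \.+ action=(\S+)', order=BASE_ORDER + ', action')
```

The lint flags the ten-field decoder before it is ever loaded, while the split version passes and yields the same fields logtest printed above.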