On Mon, Oct 14, 2019 at 3:03 PM Nate <nbentzin...@gmail.com> wrote:
>
> Hi,
>
> I've never seen this before, but I set up our ASA 5516 to send syslog events to
> our OSSEC server to detect SHUN events.
>
> ossec.conf
>
> <remote>
>   <connection>syslog</connection>
>   <allowed-ips>10.10.2.2</allowed-ips>
>   <port>514</port>
> </remote>
>
> <alerts>
>   <log_alert_level>0</log_alert_level>
>   <email_alert_level>9</email_alert_level>
> </alerts>
>
>
> local_rules.xml
>
> <group name="ASA,LANAttack">
>   <rule id="100260" level="9">
>     <!-- <decoded_as>ASA-lanattk</decoded_as> -->
>     <if_sid>4100</if_sid>
>     <regex>ASA-4-73310\d|ASA-4-40100\d</regex>
>     <description>ASA Shun event</description>
>   </rule>
> </group>
>
>
> but reviewing the alerts, archives and database, no events from our 10.10.2.2 or
> ASA show up. Running tcpdump on ossec shows they are received by the server:
>
> 14:53:41.611883 IP (tos 0x0, ttl 254, id 54586, offset 0, flags [none], proto UDP (17), length 140)
>     10.10.2.2.syslog > 10.10.10.17.syslog: SYSLOG, length: 112
>     Facility local0 (16), Severity warning (4)
>     Msg: Oct 14 14:53:41 EDT fw1 : %ASA-4-401004: Shunned packet: 10.10.35.37 ==> 87.106.71.108 on interface inside\0x0a
> 14:53:41.614335 IP (tos 0x0, ttl 254, id 46962, offset 0, flags [none], proto UDP (17), length 140)
>     10.10.2.2.syslog > 10.10.10.17.syslog: SYSLOG, length: 112
>     Facility local0 (16), Severity warning (4)
>     Msg: Oct 14 14:53:41 EDT fw1 : %ASA-4-401004: Shunned packet: 10.10.35.37 ==> 87.106.71.108 on interface inside\0x0a
>
> If I copy out the Msg and paste it into ossec-logtest, it does process it through to
> my rule:
>
> [USER@ossec~]# /var/ossec/bin/ossec-logtest
> 2019/10/14 14:58:37 ossec-testrule: INFO: Reading local decoder file.
> 2019/10/14 14:58:37 ossec-testrule: INFO: Started (pid: 29400).
> ossec-testrule: Type one log per line.
>
> Oct 14 14:53:41 EDT fw1 : %ASA-4-401004: Shunned packet: 10.10.35.37 ==> 87.106.71.108 on interface inside\0x0a
>
>
> **Phase 1: Completed pre-decoding.
>        full event: 'Oct 14 14:53:41 EDT fw1 : %ASA-4-401004: Shunned packet: 10.10.35.37 ==> 87.106.71.108 on interface inside\0x0a'
>        hostname: 'EDT'
>        program_name: '(null)'
>        log: 'fw1 : %ASA-4-401004: Shunned packet: 10.10.35.37 ==> 87.106.71.108 on interface inside\0x0a'
>
> **Phase 2: Completed decoding.
>        decoder: 'ASA-lanattk'
>
> **Phase 3: Completed filtering (rules).
>        Rule id: '100260'
>        Level: '9'
>        Description: 'ASA Shun event'
> **Alert to be generated.
>
> I see that UDP port 514 is running:
>
> [root@secserv ~]# netstat -anp | grep 514
> tcp        0      0 127.0.0.1:3306          127.0.0.1:37514         ESTABLISHED 5542/mysqld
> tcp        0      0 127.0.0.1:37514         127.0.0.1:3306          ESTABLISHED 29340/ossec-dbd
> udp        0      0 :::1514                 :::*                                29373/ossec-remoted
> udp        0      0 :::514                  :::*                                29372/ossec-remoted
>
>
> What obvious thing am I missing to set up an ASA to OSSEC? Our HP switches and
> Palo Alto firewall are sending syslogs just fine.
>
After adding the system to allowed-ips, did you restart the OSSEC processes on the OSSEC server?
Is there a host firewall (iptables) on the OSSEC server? Is 514/UDP open to 10.10.2.2?

> --
>
> ---
> You received this message because you are subscribed to the Google Groups "ossec-list" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to ossec-list+unsubscr...@googlegroups.com.
> To view this discussion on the web visit https://groups.google.com/d/msgid/ossec-list/b1faa727-7071-49a0-91da-9fe4b680a724%40googlegroups.com.

To view this discussion on the web visit https://groups.google.com/d/msgid/ossec-list/CAMyQvMqVaKyr2A49%3Daf3LA4AodhY677HoGvzguhhZZWGrAO9EA%40mail.gmail.com.
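The reply's checklist comes down to places where a datagram that tcpdump sees can still be dropped before the rule in local_rules.xml ever runs. The Python below is an added example for this thread, not OSSEC code and not anything the poster ran: it re-creates, over a loopback UDP socket, the two filters the thread's configuration relies on, the <allowed-ips> check on the datagram's source address and the rule's <regex>, and shows that a message from a source outside allowed-ips produces no alert and no archive entry even though it arrives on the wire. The shun message is the one from the thread's tcpdump output; the second, non-shun ASA line, the 10.10.2.3 "wrong source" address, and all function names are assumptions made for the example. OSSEC's own regex dialect also uses `\d` and `|`, so the rule's pattern is carried over to Python's `re` unchanged.

```python
"""Loopback re-creation of the thread's ASA -> ossec-remoted -> rule path.

Added example for the ossec-list thread above; not OSSEC source code.
It models only the two filters the thread's config depends on:
  1. ossec-remoted's <allowed-ips> check on the UDP source address
  2. local rule 100260's <regex> on the decoded message
Names, the 10.10.2.3 source and CONN_MSG are assumptions for this example.
"""
import re
import socket

# From the thread's ossec.conf and local_rules.xml.
ALLOWED_IPS = {"10.10.2.2"}
SHUN_RULE = {
    "id": 100260,
    "level": 9,
    "description": "ASA Shun event",
    "regex": re.compile(r"ASA-4-73310\d|ASA-4-40100\d"),  # same pattern as the rule
}

# Only the RFC 3164 names needed to label the samples below.
FACILITY = {16: "local0"}
SEVERITY = {4: "warning", 6: "info"}

# SHUN_MSG is the message from the thread's tcpdump output (line wrap removed).
# CONN_MSG is constructed for this example as a non-shun ASA event.
SHUN_MSG = ("Oct 14 14:53:41 EDT fw1 : %ASA-4-401004: Shunned packet: "
            "10.10.35.37 ==> 87.106.71.108 on interface inside")
CONN_MSG = ("Oct 14 14:53:42 EDT fw1 : %ASA-6-302013: Built outbound TCP "
            "connection 1234 for inside:10.10.35.37/51000 (10.10.35.37/51000) "
            "to outside:87.106.71.108/443 (87.106.71.108/443)")


def build_syslog_datagram(facility: int, severity: int, msg: str) -> bytes:
    """Prefix a message with a BSD syslog PRI header: <facility*8 + severity>."""
    return f"<{facility * 8 + severity}>{msg}".encode()


def parse_syslog_datagram(data: bytes):
    """Split off the PRI header; return (facility, severity, message) or None."""
    m = re.match(rb"<(\d{1,3})>(.*)\Z", data, re.S)
    if not m:
        return None
    pri = int(m.group(1))
    if pri > 191:  # 23 facilities * 8 + 7 is the largest legal PRI
        return None
    return pri // 8, pri % 8, m.group(2).decode("utf-8", "replace").rstrip("\n")


def process_datagram(data: bytes, source_ip: str, allowed_ips=ALLOWED_IPS) -> dict:
    """Apply the allowed-ips filter first, then the shun rule.

    A source outside allowed-ips is dropped before any decoding, which is why
    such packets show up in tcpdump but never in alerts or archives.
    """
    if source_ip not in allowed_ips:
        return {"accepted": False, "reason": f"{source_ip} not in allowed-ips", "alert": None}
    parsed = parse_syslog_datagram(data)
    if parsed is None:
        return {"accepted": False, "reason": "malformed PRI header", "alert": None}
    facility, severity, msg = parsed
    result = {
        "accepted": True,
        "facility": FACILITY.get(facility, str(facility)),
        "severity": SEVERITY.get(severity, str(severity)),
        "message": msg,
        "alert": None,
    }
    hit = SHUN_RULE["regex"].search(msg)
    if hit:
        result["alert"] = {
            "rule_id": SHUN_RULE["id"],
            "level": SHUN_RULE["level"],
            "description": SHUN_RULE["description"],
            "message_id": hit.group(0),
        }
    return result


def send_over_loopback(data: bytes):
    """Deliver one datagram over loopback UDP; return (payload, source_ip).

    Stands in for the ASA-to-server hop. An ephemeral port avoids needing
    root for 514/UDP, which ossec-remoted holds on a real server.
    """
    rx = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    tx = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    try:
        rx.bind(("127.0.0.1", 0))
        rx.settimeout(2.0)
        tx.sendto(data, rx.getsockname())
        payload, (src, _port) = rx.recvfrom(4096)
        return payload, src
    finally:
        rx.close()
        tx.close()


if __name__ == "__main__":
    shun = build_syslog_datagram(16, 4, SHUN_MSG)  # local0.warning, as in tcpdump
    for src in ("10.10.2.2", "10.10.2.3"):
        print(src, process_datagram(shun, src))
    print("non-shun", process_datagram(build_syslog_datagram(16, 6, CONN_MSG), "10.10.2.2")["alert"])
    payload, src = send_over_loopback(shun)
    # 127.0.0.1 is not in allowed-ips either, so a locally replayed copy is dropped too.
    print("loopback", src, process_datagram(payload, src)["accepted"])
```

Running it prints the accepted shun event with rule 100260 for source 10.10.2.2, a silent drop for 10.10.2.3, no alert for the non-shun line, and a drop for the loopback replay. The practical point for the thread is the silent-drop case: neither the allowed-ips rejection nor a host firewall rejection leaves anything in alerts.log or the archives, so tcpdump on the server and ossec-logtest on the pasted message can both succeed while the live path still produces nothing.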