Hi Dan,

Yes, I restarted the OSSEC service with: service OSSEC restart

Right now the iptables are wide open due to this issue:

    # iptables -L
    Chain INPUT (policy ACCEPT)
    target     prot opt source               destination

    Chain FORWARD (policy ACCEPT)
    target     prot opt source               destination

    Chain OUTPUT (policy ACCEPT)
    target     prot opt source               destination

    # iptables -S
    -P INPUT ACCEPT
    -P FORWARD ACCEPT
    -P OUTPUT ACCEPT

My full remote connections list is the following:

    <remote>
      <connection>syslog</connection>
      <allowed-ips>10.10.10.0/23</allowed-ips>
      <allowed-ips>10.10.2.2</allowed-ips>
      <allowed-ips>10.10.39.2</allowed-ips>
      <allowed-ips>10.10.6.2</allowed-ips>
      <allowed-ips>10.10.9.1</allowed-ips>
      <allowed-ips>192.168.2.0/24</allowed-ips>
      <port>514</port>
    </remote>

I will move 10.10.2.2 up above the /23 in case this is causing it, but I know we are getting syslog events from all other sources. Maybe it's the Cisco packet?

On Tuesday, October 15, 2019 at 7:19:23 AM UTC-4, dan (ddpbsd) wrote:
>
> On Mon, Oct 14, 2019 at 3:03 PM Nate <nbent...@gmail.com> wrote:
> >
> > Hi,
> >
> > I've never seen this before, but I set up our ASA 5516 to send syslog
> > events to our OSSEC server to detect SHUN events.
> >
> > ossec.conf
> >
> >     <remote>
> >       <connection>syslog</connection>
> >       <allowed-ips>10.10.2.2</allowed-ips>
> >       <port>514</port>
> >     </remote>
> >
> >     <alerts>
> >       <log_alert_level>0</log_alert_level>
> >       <email_alert_level>9</email_alert_level>
> >     </alerts>
> >
> > local_rules.xml
> >
> >     <group name="ASA,LANAttack">
> >       <rule id="100260" level="9">
> >         <!-- <decoded_as>ASA-lanattk</decoded_as> -->
> >         <if_sid>4100</if_sid>
> >         <regex>ASA-4-73310\d|ASA-4-40100\d</regex>
> >         <description>ASA Shun event</description>
> >       </rule>
> >     </group>
> >
> > but reviewing the alerts, archives and database, no events from our 10.10.2.2
> > or ASA show up. Running tcpdump on ossec shows they are received by the
> > server:
> >
> >     14:53:41.611883 IP (tos 0x0, ttl 254, id 54586, offset 0, flags [none], proto UDP (17), length 140)
> >         10.10.2.2.syslog > 10.10.10.17.syslog: SYSLOG, length: 112
> >         Facility local0 (16), Severity warning (4)
> >         Msg: Oct 14 14:53:41 EDT fw1 : %ASA-4-401004: Shunned packet: 10.10.35.37 ==> 87.106.71.108 on interface inside\0x0a
> >     14:53:41.614335 IP (tos 0x0, ttl 254, id 46962, offset 0, flags [none], proto UDP (17), length 140)
> >         10.10.2.2.syslog > 10.10.10.17.syslog: SYSLOG, length: 112
> >         Facility local0 (16), Severity warning (4)
> >         Msg: Oct 14 14:53:41 EDT fw1 : %ASA-4-401004: Shunned packet: 10.10.35.37 ==> 87.106.71.108 on interface inside\0x0a
> >
> > If I copy out the Msg and paste it into ossec-logtest, it does process it
> > to my rule:
> >
> >     [USER@ossec~]# /var/ossec/bin/ossec-logtest
> >     2019/10/14 14:58:37 ossec-testrule: INFO: Reading local decoder file.
> >     2019/10/14 14:58:37 ossec-testrule: INFO: Started (pid: 29400).
> >     ossec-testrule: Type one log per line.
> >
> >     Oct 14 14:53:41 EDT fw1 : %ASA-4-401004: Shunned packet: 10.10.35.37 ==> 87.106.71.108 on interface inside\0x0a
> >
> >
> >     **Phase 1: Completed pre-decoding.
> >            full event: 'Oct 14 14:53:41 EDT fw1 : %ASA-4-401004: Shunned packet: 10.10.35.37 ==> 87.106.71.108 on interface inside\0x0a'
> >            hostname: 'EDT'
> >            program_name: '(null)'
> >            log: 'fw1 : %ASA-4-401004: Shunned packet: 10.10.35.37 ==> 87.106.71.108 on interface inside\0x0a'
> >
> >     **Phase 2: Completed decoding.
> >            decoder: 'ASA-lanattk'
> >
> >     **Phase 3: Completed filtering (rules).
> >            Rule id: '100260'
> >            Level: '9'
> >            Description: 'ASA Shun event'
> >     **Alert to be generated.
> >
> > I see that UDP port 514 is running:
> >
> >     [root@secserv ~]# netstat -anp | grep 514
> >     tcp        0      0 127.0.0.1:3306       127.0.0.1:37514      ESTABLISHED 5542/mysqld
> >     tcp        0      0 127.0.0.1:37514      127.0.0.1:3306       ESTABLISHED 29340/ossec-dbd
> >     udp        0      0 :::1514              :::*                             29373/ossec-remoted
> >     udp        0      0 :::514               :::*                             29372/ossec-remoted
> >
> > What obvious thing am I missing to set up an ASA to OSSEC? Our HP
> > switches and Palo Alto firewall are sending syslogs just fine.
> >
>
> After adding the system to allowed-ips, did you restart the OSSEC
> processes on the OSSEC server?
> Is there a host firewall (iptables) on the OSSEC server? Is 514UDP
> open to 10.10.2.2?
>
> > --
> > ---
> > You received this message because you are subscribed to the Google Groups "ossec-list" group.
> > To unsubscribe from this group and stop receiving emails from it, send an email to ossec...@googlegroups.com.
> > To view this discussion on the web visit https://groups.google.com/d/msgid/ossec-list/b1faa727-7071-49a0-91da-9fe4b680a724%40googlegroups.com.

--
---
You received this message because you are subscribed to the Google Groups "ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email to ossec-list+unsubscr...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/ossec-list/111b5ea7-25e3-43a8-9cb3-8a14c65a95bc%40googlegroups.com.
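The two things the thread narrows the problem down to are whether 10.10.2.2 is covered by the <allowed-ips> list and whether the datagram the ASA actually puts on the wire (PRI header, timestamp with the EDT zone, then "fw1 : %ASA-4-401004: ...") still matches rule 100260. The script below is an added example, not OSSEC's code and not anything posted in the thread: it reconstructs the ASA datagram from the tcpdump output above (the PRI <132> is facility local0, 16 * 8, plus severity warning, 4), checks the source address against the allowed-ips entries as plain host/CIDR membership (an assumption about how the list is meant to be read, not a copy of remoted's matching code), applies the rule's regex with Python's re (here \d and | mean the same as in OSSEC's regex syntax), and provides a UDP sender so the same known-good packet can be fired at the server from a host that is in allowed-ips, which separates "the ASA's packet is odd" from "remoted is not accepting anything on 514". The sample packet, the addresses and the server name are constructed for the example.

```python
"""Offline checks for the ASA -> OSSEC syslog path discussed above.

Added example, not OSSEC code. It re-implements, in plain Python, the two
checks a reader can do without touching the server: is the source IP
covered by <allowed-ips>, and does rule 100260's regex match the message
as it arrives on the wire. send_test() is the only part with a network
side effect.
"""
import ipaddress
import re
import socket

# Constructed sample datagram, assembled from the tcpdump output in the
# thread: PRI <132> = facility local0 (16) * 8 + severity warning (4).
SAMPLE_PACKET = (
    b"<132>Oct 14 14:53:41 EDT fw1 : %ASA-4-401004: Shunned packet: "
    b"10.10.35.37 ==> 87.106.71.108 on interface inside\n"
)

# The <allowed-ips> entries from the <remote> block in the thread.
ALLOWED_IPS = [
    "10.10.10.0/23", "10.10.2.2", "10.10.39.2",
    "10.10.6.2", "10.10.9.1", "192.168.2.0/24",
]

# The alternation from rule 100260 in local_rules.xml.
SHUN_RE = re.compile(r"ASA-4-73310\d|ASA-4-40100\d")


def is_allowed(src_ip, allowed=ALLOWED_IPS):
    """True if src_ip falls inside any allowed entry (single host or CIDR)."""
    addr = ipaddress.ip_address(src_ip)
    return any(addr in ipaddress.ip_network(e, strict=False) for e in allowed)


def parse_syslog(packet):
    """Split a raw UDP syslog datagram into facility, severity and message.

    Returns None when the datagram carries no <PRI> header at all.
    """
    text = packet.decode("utf-8", "replace").rstrip("\r\n")
    m = re.match(r"<(\d{1,3})>(.*)", text, re.S)
    if m is None:
        return None
    pri = int(m.group(1))
    return {"facility": pri >> 3, "severity": pri & 7, "msg": m.group(2)}


def shun_event(msg):
    """Return the ASA message ID that the rule regex matched, or None."""
    m = SHUN_RE.search(msg)
    return m.group(0) if m else None


def shun_details(msg):
    """Extract (src, dst, interface) from a 401004 'Shunned packet' message."""
    m = re.search(r"Shunned packet: (\S+) ==> (\S+) on interface (\S+)", msg)
    return m.groups() if m else None


def check_packet(packet, src_ip, allowed=ALLOWED_IPS):
    """Apply all offline checks to one datagram and report a verdict."""
    parsed = parse_syslog(packet)
    return {
        "allowed_ip": is_allowed(src_ip, allowed),
        "has_pri": parsed is not None,
        "rule_match": shun_event(parsed["msg"]) if parsed else None,
    }


def send_test(packet, server, port=514):
    """Fire the datagram at the OSSEC server's syslog port.

    Run this from a host that is itself in <allowed-ips>; then watch
    archives.log (logall) or tcpdump on the server for the test line.
    """
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.sendto(packet, (server, port))


if __name__ == "__main__":
    print(check_packet(SAMPLE_PACKET, "10.10.2.2"))
    print(shun_details(parse_syslog(SAMPLE_PACKET)["msg"]))
    # send_test(SAMPLE_PACKET, "10.10.10.17")  # hypothetical server address
```

If check_packet reports allowed_ip True and rule_match "ASA-4-401004" for the real datagram yet nothing reaches archives.log, the problem is on the delivery side (remoted, host firewall, or the path from 10.10.2.2), not in the rule; if the same packet sent with send_test from another allowed host does show up, the difference is specific to what the ASA emits.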