On Tue, Oct 15, 2019 at 8:59 AM Nate <nbentzin...@gmail.com> wrote:
>
> Looking at the syslog packets I see the Cisco ASA only uses local facility
> codes but my Palo Alto uses User facility codes:
>
> 08:55:50.340558 IP (tos 0x0, ttl 64, id 917, offset 0, flags [DF], proto UDP (17), length 329)
>     10.10.10.151.44375 > 10.10.10.17.syslog: SYSLOG, length: 301
>         Facility user (1), Severity info (6)
>         Msg: Oct 15 08:55:50 10.10.10.151 1,2019/10/15 08:55:50,012001010622,SYSTEM,userid,0,2019/10/15 08:55:50,,connect-ldap-sever,10.10.10.10,0,0,general,informational,"ldap cfg DOMAIN GMapping FW-Admins connected to server 10.10.10.10:389, initiated by: 10.10.10.152",1204131,0x0,0,0,0,0,,fw2
> 08:55:50.726480 IP (tos 0x0, ttl 254, id 65458, offset 0, flags [none], proto UDP (17), length 190)
>     10.10.2.2.syslog > 10.10.10.17.syslog: SYSLOG, length: 162
>         Facility local4 (20), Severity warning (4)
>         Msg: Oct 15 08:55:50 EDT fw1 : %ASA-4-106023: Deny udp src outside:10.10.201.105/137 dst outside:10.10.201.255/137 by access-group "outside_access_in" [0x0, 0x0]\0x0a
>
> I can't change the ASA to be anything other than local facility.
>
I don't see anything in the remoted code that cares about the facility.
If the IP isn't allowed, there should be a log message.
If you don't have the <logall> option set to "yes," it might be worth
turning it on to see if the messages make it to the archives.log file.

> On Tuesday, October 15, 2019 at 8:34:52 AM UTC-4, Nate wrote:
>>
>> Hi Dan,
>>
>> Yes, I restarted the OSSEC service with a: service OSSEC restart
>>
>> Right now the iptables are wide open due to this issue:
>>
>> # iptables -L
>> Chain INPUT (policy ACCEPT)
>> target     prot opt source               destination
>>
>> Chain FORWARD (policy ACCEPT)
>> target     prot opt source               destination
>>
>> Chain OUTPUT (policy ACCEPT)
>> target     prot opt source               destination
>> # iptables -S
>> -P INPUT ACCEPT
>> -P FORWARD ACCEPT
>> -P OUTPUT ACCEPT
>>
>> My full remote connections list is the following:
>>
>> <remote>
>>   <connection>syslog</connection>
>>   <allowed-ips>10.10.10.0/23</allowed-ips>
>>   <allowed-ips>10.10.2.2</allowed-ips>
>>   <allowed-ips>10.10.39.2</allowed-ips>
>>   <allowed-ips>10.10.6.2</allowed-ips>
>>   <allowed-ips>10.10.9.1</allowed-ips>
>>   <allowed-ips>192.168.2.0/24</allowed-ips>
>>   <port>514</port>
>> </remote>
>>
>> I will move the 10.10.2.2 up above the /23 in case this is causing it, but
>> I know we are getting syslog events from all other sources.
>>
>> Maybe it's the Cisco packet?
>>
>> On Tuesday, October 15, 2019 at 7:19:23 AM UTC-4, dan (ddpbsd) wrote:
>>>
>>> On Mon, Oct 14, 2019 at 3:03 PM Nate <nbent...@gmail.com> wrote:
>>> >
>>> > Hi,
>>> >
>>> > I've never seen this before, but I set up our ASA 5516 to send syslog
>>> > events to our OSSEC server to detect SHUN events.
>>> >
>>> > ossec.conf
>>> > <remote>
>>> >   <connection>syslog</connection>
>>> >   <allowed-ips>10.10.2.2</allowed-ips>
>>> >   <port>514</port>
>>> > </remote>
>>> >
>>> > <alerts>
>>> >   <log_alert_level>0</log_alert_level>
>>> >   <email_alert_level>9</email_alert_level>
>>> > </alerts>
>>> >
>>> >
>>> > local_rules.xml
>>> >
>>> > <group name="ASA,LANAttack">
>>> >   <rule id="100260" level="9">
>>> >     <!-- <decoded_as>ASA-lanattk</decoded_as> -->
>>> >     <if_sid>4100</if_sid>
>>> >     <regex>ASA-4-73310\d|ASA-4-40100\d</regex>
>>> >     <description>ASA Shun event</description>
>>> >   </rule>
>>> > </group>
>>> >
>>> >
>>> > but reviewing the alerts, archives, database, no events from our 10.10.2.2
>>> > or ASA show up. Running tcpdump on ossec shows they are received by the
>>> > server:
>>> >
>>> > 14:53:41.611883 IP (tos 0x0, ttl 254, id 54586, offset 0, flags [none], proto UDP (17), length 140)
>>> >     10.10.2.2.syslog > 10.10.10.17.syslog: SYSLOG, length: 112
>>> >         Facility local0 (16), Severity warning (4)
>>> >         Msg: Oct 14 14:53:41 EDT fw1 : %ASA-4-401004: Shunned packet: 10.10.35.37 ==> 87.106.71.108 on interface inside\0x0a
>>> > 14:53:41.614335 IP (tos 0x0, ttl 254, id 46962, offset 0, flags [none], proto UDP (17), length 140)
>>> >     10.10.2.2.syslog > 10.10.10.17.syslog: SYSLOG, length: 112
>>> >         Facility local0 (16), Severity warning (4)
>>> >         Msg: Oct 14 14:53:41 EDT fw1 : %ASA-4-401004: Shunned packet: 10.10.35.37 ==> 87.106.71.108 on interface inside\0x0a
>>> >
>>> > If I copy out the Msg and paste it into ossec-logtest it does process it
>>> > to my rule:
>>> >
>>> > [USER@ossec~]# /var/ossec/bin/ossec-logtest
>>> > 2019/10/14 14:58:37 ossec-testrule: INFO: Reading local decoder file.
>>> > 2019/10/14 14:58:37 ossec-testrule: INFO: Started (pid: 29400).
>>> > ossec-testrule: Type one log per line.
>>> >
>>> > Oct 14 14:53:41 EDT fw1 : %ASA-4-401004: Shunned packet: 10.10.35.37 ==> 87.106.71.108 on interface inside\0x0a
>>> >
>>> >
>>> > **Phase 1: Completed pre-decoding.
>>> >        full event: 'Oct 14 14:53:41 EDT fw1 : %ASA-4-401004: Shunned packet: 10.10.35.37 ==> 87.106.71.108 on interface inside\0x0a'
>>> >        hostname: 'EDT'
>>> >        program_name: '(null)'
>>> >        log: 'fw1 : %ASA-4-401004: Shunned packet: 10.10.35.37 ==> 87.106.71.108 on interface inside\0x0a'
>>> >
>>> > **Phase 2: Completed decoding.
>>> >        decoder: 'ASA-lanattk'
>>> >
>>> > **Phase 3: Completed filtering (rules).
>>> >        Rule id: '100260'
>>> >        Level: '9'
>>> >        Description: 'ASA Shun event'
>>> > **Alert to be generated.
>>> >
>>> > I see that UDP port 514 is running:
>>> >
>>> > [root@secserv ~]# netstat -anp | grep 514
>>> > tcp   0   0 127.0.0.1:3306    127.0.0.1:37514   ESTABLISHED 5542/mysqld
>>> > tcp   0   0 127.0.0.1:37514   127.0.0.1:3306    ESTABLISHED 29340/ossec-dbd
>>> > udp   0   0 :::1514           :::*                          29373/ossec-remoted
>>> > udp   0   0 :::514            :::*                          29372/ossec-remoted
>>> >
>>> >
>>> > What obvious thing am I missing to set up an ASA to OSSEC? Our HP switches
>>> > and Palo Alto firewall are sending syslogs just fine.
>>> >
>>>
>>> After adding the system to allowed-ips, did you restart the OSSEC
>>> processes on the OSSEC server?
>>> Is there a host firewall (iptables) on the OSSEC server? Is 514UDP
>>> open to 10.10.2.2?
>>>
>>> > --
>>> >
>>> > ---
>>> > You received this message because you are subscribed to the Google Groups
>>> > "ossec-list" group.
>>> > To unsubscribe from this group and stop receiving emails from it, send an
>>> > email to ossec...@googlegroups.com.
>>> > To view this discussion on the web visit
>>> > https://groups.google.com/d/msgid/ossec-list/b1faa727-7071-49a0-91da-9fe4b680a724%40googlegroups.com.
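The thread turns on two separate questions: whether the sender passes the <allowed-ips> check, and whether the syslog facility (local0/local4 on the ASA versus user on the Palo Alto) has anything to do with it. The script below is an added example, not OSSEC's own code and not how ossec-remoted is implemented internally: it models a syslog receiver that decodes the <PRI> header into facility and severity, matches the source IP against the <allowed-ips> list from the posted ossec.conf (each entry checked independently as a host or CIDR, so list order is irrelevant), and runs the <regex> from rule 100260 over the message text. The sample datagrams are constructed: the message bodies come from the tcpdump output in the thread, the <PRI> values are computed from the facility/severity tcpdump reported (local0/warning = 16*8+4 = 132, local4/warning = 164, user/info = 14), and the sender 10.20.0.5 is made up to show the drop path.

```python
"""Model of a syslog receiver's allow-list check, PRI decode and rule match.

Added example, not OSSEC code.  It shows that the facility is decoded but
never consulted for the accept/drop or rule decision: only the source IP
and the message text matter.
"""
import ipaddress
import re

# <allowed-ips> entries copied from the ossec.conf posted in the thread.
ALLOWED_IPS = [
    "10.10.10.0/23", "10.10.2.2", "10.10.39.2",
    "10.10.6.2", "10.10.9.1", "192.168.2.0/24",
]

# <regex> from rule 100260 in the thread's local_rules.xml.
SHUN_RULE = re.compile(r"ASA-4-73310\d|ASA-4-40100\d")

# RFC 3164 facility/severity names; PRI = facility * 8 + severity.
FACILITIES = {0: "kern", 1: "user", 2: "mail", 3: "daemon", 4: "auth",
              5: "syslog", 6: "lpr", 7: "news", 8: "uucp", 9: "cron",
              10: "authpriv", 11: "ftp"}
FACILITIES.update({16 + i: f"local{i}" for i in range(8)})
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

_PRI_RE = re.compile(rb"^<(\d{1,3})>")


def parse_pri(payload: bytes):
    """Split a raw UDP syslog payload into (facility_name, severity_name, msg).

    A payload with no valid <PRI> (0..191) is treated as user.notice, the
    RFC 3164 default for messages that lack a priority field.
    """
    m = _PRI_RE.match(payload)
    if m and int(m.group(1)) <= 191:
        pri = int(m.group(1))
        body = payload[m.end():]
    else:
        pri, body = 13, payload            # user(1)*8 + notice(5)
    facility, severity = divmod(pri, 8)
    return (FACILITIES.get(facility, f"facility{facility}"),
            SEVERITIES[severity],
            body.decode("utf-8", "replace").rstrip("\n"))


def is_allowed(src_ip: str, allowed) -> bool:
    """True if src_ip falls inside any entry of allowed (single host or CIDR).

    Entries are tested independently, so 10.10.2.2 is accepted whether it
    is listed before or after the 10.10.10.0/23 entry.
    """
    ip = ipaddress.ip_address(src_ip)
    return any(ip in ipaddress.ip_network(entry, strict=False) for entry in allowed)


def process(src_ip: str, payload: bytes, allowed=ALLOWED_IPS) -> dict:
    """Model one received datagram: allow-list check, PRI decode, rule match."""
    facility, severity, msg = parse_pri(payload)
    result = {"src": src_ip, "facility": facility, "severity": severity, "msg": msg}
    if not is_allowed(src_ip, allowed):
        result["status"] = "dropped: source not in allowed-ips"
    elif SHUN_RULE.search(msg):
        result["status"] = "alert: rule 100260 (ASA Shun event)"
    else:
        result["status"] = "accepted: no rule match"
    return result


# Constructed sample datagrams (message text from the thread's tcpdump output,
# PRI computed from the reported facility/severity; 10.20.0.5 is made up).
SAMPLES = [
    ("10.10.2.2", b"<132>Oct 14 14:53:41 EDT fw1 : %ASA-4-401004: Shunned packet: "
                  b"10.10.35.37 ==> 87.106.71.108 on interface inside\n"),
    ("10.10.2.2", b"<164>Oct 15 08:55:50 EDT fw1 : %ASA-4-106023: Deny udp src "
                  b"outside:10.10.201.105/137 dst outside:10.10.201.255/137 by "
                  b"access-group \"outside_access_in\" [0x0, 0x0]\n"),
    ("10.10.10.151", b"<14>Oct 15 08:55:50 10.10.10.151 1,2019/10/15 08:55:50,"
                     b"012001010622,SYSTEM,userid,0,2019/10/15 08:55:50,,"
                     b"connect-ldap-sever,10.10.10.10,0,0,general,informational,"
                     b"\"ldap cfg DOMAIN GMapping FW-Admins connected to server "
                     b"10.10.10.10:389, initiated by: 10.10.10.152\",1204131,0x0,0,0,0,0,,fw2"),
    ("10.20.0.5", b"<132>Oct 14 14:53:41 EDT fw1 : %ASA-4-401004: Shunned packet: "
                  b"10.10.35.37 ==> 87.106.71.108 on interface inside\n"),
]

if __name__ == "__main__":
    for src, payload in SAMPLES:
        r = process(src, payload)
        print(f"{src:<14} {r['facility']}.{r['severity']:<8} {r['status']}")
```

Running it shows the two ASA packets and the Palo Alto packet all pass the allow list regardless of facility, only the %ASA-4-401004 line trips the shun regex, and the made-up 10.20.0.5 sender is the only one dropped. On a real OSSEC server the equivalent evidence is the remoted log entry for a disallowed source and, with <logall> enabled, the presence or absence of the line in archives.log.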