Re: [ossec-list] OSSEC receiving syslog alerts from ASA but not processing them

2019-10-29 Thread Nate
The ASA firewall's IP that sent data to OSSEC was listed in the 
ossec.conf's <allowed-ips>. I set <logall> to yes as well and tailed and 
grepped the log to find the events by the word ASA or source IP but nothing 
showed up despite tcpdump showing they hit the OSSEC server NIC.

I ended up standing up rsyslogd to accept remote syslogs, whitelisted the 
IPs from the ossec.conf, shut down the ossec syslog service and had OSSEC 
monitor the rsyslog.log. I was able to get those ASA events (and all 
others) into OSSEC.


On Tuesday, October 22, 2019 at 9:33:39 AM UTC-4, dan (ddpbsd) wrote:
>
> On Tue, Oct 15, 2019 at 8:59 AM Nate wrote: 
> > 
> > Looking at the syslog packets I see the Cisco ASA only uses local 
> facility codes but my Palo Alto uses User facility codes: 
> > 
> > 08:55:50.340558 IP (tos 0x0, ttl 64, id 917, offset 0, flags [DF], proto 
> UDP (17), length 329) 
> > 10.10.10.151.44375 > 10.10.10.17.syslog: SYSLOG, length: 301 
> > Facility user (1), Severity info (6) 
> > Msg: Oct 15 08:55:50 10.10.10.151 1,2019/10/15 
> 08:55:50,012001010622,SYSTEM,userid,0,2019/10/15 
> 08:55:50,,connect-ldap-sever,10.10.10.10,0,0,general,informational,"ldap 
> cfg DOMAIN GMapping FW-Admins connected to server 10.10.10.10:389, 
> initiated by: 10.10.10.152",1204131,0x0,0,0,0,0,,fw2 
> > 08:55:50.726480 IP (tos 0x0, ttl 254, id 65458, offset 0, flags [none], 
> proto UDP (17), length 190) 
> > 10.10.2.2.syslog > 10.10.10.17.syslog: SYSLOG, length: 162 
> > Facility local4 (20), Severity warning (4) 
> > Msg: Oct 15 08:55:50 EDT fw1 : %ASA-4-106023: Deny udp src 
> outside:10.10.201.105/137 dst outside:10.10.201.255/137 by access-group 
> "outside_access_in" [0x0, 0x0]\0x0a 
> > 
> > I can't change the ASA to be anything other than local facility. 
> > 
>
> I don't see anything in the remoted code that cares about the facility. 
> If the IP isn't allowed, there should be a log message. 
>
> If you don't have the <logall> option set to "yes," it might be worth 
> turning it on to see if the messages make it to the archives.log file. 
>
> > On Tuesday, October 15, 2019 at 8:34:52 AM UTC-4, Nate wrote: 
> >> 
> >> Hi Dan, 
> >> 
> >> Yes I restarted the OSSEC service with a: service OSSEC restart 
> >> 
> >> Right now the iptables are wide open due to this issue: 
> >> 
> >> # iptables -L 
> >> Chain INPUT (policy ACCEPT) 
> >> target prot opt source   destination 
> >> 
> >> Chain FORWARD (policy ACCEPT) 
> >> target prot opt source   destination 
> >> 
> >> Chain OUTPUT (policy ACCEPT) 
> >> target prot opt source   destination 
> >> # iptables -S 
> >> -P INPUT ACCEPT 
> >> -P FORWARD ACCEPT 
> >> -P OUTPUT ACCEPT 
> >> 
> >> My full remote connections list is the following: 
> >> 
> >>
> >>syslog 
> >>10.10.10.0/23 
> >>10.10.2.2 
> >>10.10.39.2 
> >>10.10.6.2 
> >>10.10.9.1 
> >>192.168.2.0/24 
> >>514 
> >>
> >> 
> >> I will move the 10.10.2.2 up above the /23 in case this is causing 
> it but I know we are getting syslog events from all other sources. 
> >> 
> >> Maybe it's the Cisco packet? 
> >> 
> >> On Tuesday, October 15, 2019 at 7:19:23 AM UTC-4, dan (ddpbsd) wrote: 
> >>> 
> >>> On Mon, Oct 14, 2019 at 3:03 PM Nate  wrote: 
> >>> > 
> >>> > Hi, 
> >>> > 
> >>> > I've never seen this before but I set up our ASA 5516 to send syslog 
> events to our OSSEC server to detect SHUN events. 
> >>> > 
> >>> > ossec.conf 
> >>> >   
> >>> >syslog 
> >>> >10.10.2.2 
> >>> >514 
> >>> >
> >>> > 
> >>> >
> >>> > 0 
> >>> > 9 
> >>> >
> >>> > 
> >>> > 
> >>> > local_rules.xml 
> >>> > 
> >>> >  
> >>> > 
> >>> >  
> >>> > 4100 
> >>> > ASA-4-73310\d|ASA-4-40100\d 
> >>> > ASA Shun event 
> >>> > 
> >>> >  
> >>> > 
> >>> > 
> >>> > but reviewing the alerts, archives, database no events from our 
> 10.10.2.2 or ASA show up. Running tcpdump on ossec shows they are received 
> by the server: 
> >>> > 
> >>> > 14:53:41.611883 IP (tos 0x0, ttl 254, id 54586, offset 0, flags 
> [none], proto UDP (17), length 140) 
> >>> > 10.10.2.2.syslog > 10.10.10.17.syslog: SYSLOG, length: 112 
> >>> > Facility local0 (16), Severity warning (4) 
> >>> > Msg: Oct 14 14:53:41 EDT fw1 : %ASA-4-401004: Shunned 
> packet: 10.10.35.37 ==> 87.106.71.108 on interface inside\0x0a 
> >>> > 14:53:41.614335 IP (tos 0x0, ttl 254, id 46962, offset 0, flags 
> [none], proto UDP (17), length 140) 
> >>> > 10.10.2.2.syslog > 10.10.10.17.syslog: SYSLOG, length: 112 
> >>> > Facility local0 (16), Severity warning (4) 
> >>> > Msg: Oct 14 14:53:41 EDT fw1 : %ASA-4-401004: Shunned 
> packet: 10.10.35.37 ==> 87.106.71.108 on interface inside\0x0a 
> >>> > 
> >>> > If I copy out the Msg and paste it into ossec-logtest it does 
> process it to my rule: 
> >>> > 
> >>> > [USER@ossec~]# /var/ossec/bin/ossec-logtest 
> >>> > 2019/10/14 14:58:37 ossec-testrule: 

Re: [ossec-list] OSSEC receiving syslog alerts from ASA but not processing them

2019-10-22 Thread dan (ddp)
On Tue, Oct 15, 2019 at 8:59 AM Nate  wrote:
>
> Looking at the syslog packets I see the Cisco ASA only uses local facility 
> codes but my Palo Alto uses User facility codes:
>
> 08:55:50.340558 IP (tos 0x0, ttl 64, id 917, offset 0, flags [DF], proto UDP 
> (17), length 329)
> 10.10.10.151.44375 > 10.10.10.17.syslog: SYSLOG, length: 301
> Facility user (1), Severity info (6)
> Msg: Oct 15 08:55:50 10.10.10.151 1,2019/10/15 
> 08:55:50,012001010622,SYSTEM,userid,0,2019/10/15 
> 08:55:50,,connect-ldap-sever,10.10.10.10,0,0,general,informational,"ldap cfg 
> DOMAIN GMapping FW-Admins connected to server 10.10.10.10:389, initiated by: 
> 10.10.10.152",1204131,0x0,0,0,0,0,,fw2
> 08:55:50.726480 IP (tos 0x0, ttl 254, id 65458, offset 0, flags [none], proto 
> UDP (17), length 190)
> 10.10.2.2.syslog > 10.10.10.17.syslog: SYSLOG, length: 162
> Facility local4 (20), Severity warning (4)
> Msg: Oct 15 08:55:50 EDT fw1 : %ASA-4-106023: Deny udp src 
> outside:10.10.201.105/137 dst outside:10.10.201.255/137 by access-group 
> "outside_access_in" [0x0, 0x0]\0x0a
>
> I can't change the ASA to be anything other than local facility.
>

I don't see anything in the remoted code that cares about the facility.
If the IP isn't allowed, there should be a log message.

If you don't have the <logall> option set to "yes," it might be worth
turning it on to see if the messages make it to the archives.log file.

> On Tuesday, October 15, 2019 at 8:34:52 AM UTC-4, Nate wrote:
>>
>> Hi Dan,
>>
>> Yes I restarted the OSSEC service with a: service OSSEC restart
>>
>> Right now the iptables are wide open due to this issue:
>>
>> # iptables -L
>> Chain INPUT (policy ACCEPT)
>> target prot opt source   destination
>>
>> Chain FORWARD (policy ACCEPT)
>> target prot opt source   destination
>>
>> Chain OUTPUT (policy ACCEPT)
>> target prot opt source   destination
>> # iptables -S
>> -P INPUT ACCEPT
>> -P FORWARD ACCEPT
>> -P OUTPUT ACCEPT
>>
>> My full remote connections list is the following:
>>
>>   
>>syslog
>>10.10.10.0/23
>>10.10.2.2
>>10.10.39.2
>>10.10.6.2
>>10.10.9.1
>>192.168.2.0/24
>>514
>>   
>>
>> I will move the 10.10.2.2 up above the /23 in case this is causing it but 
>> I know we are getting syslog events from all other sources.
>>
>> Maybe it's the Cisco packet?
>>
>> On Tuesday, October 15, 2019 at 7:19:23 AM UTC-4, dan (ddpbsd) wrote:
>>>
>>> On Mon, Oct 14, 2019 at 3:03 PM Nate  wrote:
>>> >
>>> > Hi,
>>> >
>>> > I've never seen this before but I set up our ASA 5516 to send syslog 
>>> > events to our OSSEC server to detect SHUN events.
>>> >
>>> > ossec.conf
>>> >  
>>> >syslog
>>> >10.10.2.2
>>> >514
>>> >   
>>> >
>>> >   
>>> > 0
>>> > 9
>>> >   
>>> >
>>> >
>>> > local_rules.xml
>>> >
>>> > 
>>> >
>>> > 
>>> > 4100
>>> > ASA-4-73310\d|ASA-4-40100\d
>>> > ASA Shun event
>>> >
>>> > 
>>> >
>>> >
>>> > but reviewing the alerts, archives, database no events from our 10.10.2.2 
>>> > or ASA show up. Running tcpdump on ossec shows they are received by the 
>>> > server:
>>> >
>>> > 14:53:41.611883 IP (tos 0x0, ttl 254, id 54586, offset 0, flags [none], 
>>> > proto UDP (17), length 140)
>>> > 10.10.2.2.syslog > 10.10.10.17.syslog: SYSLOG, length: 112
>>> > Facility local0 (16), Severity warning (4)
>>> > Msg: Oct 14 14:53:41 EDT fw1 : %ASA-4-401004: Shunned packet: 
>>> > 10.10.35.37 ==> 87.106.71.108 on interface inside\0x0a
>>> > 14:53:41.614335 IP (tos 0x0, ttl 254, id 46962, offset 0, flags [none], 
>>> > proto UDP (17), length 140)
>>> > 10.10.2.2.syslog > 10.10.10.17.syslog: SYSLOG, length: 112
>>> > Facility local0 (16), Severity warning (4)
>>> > Msg: Oct 14 14:53:41 EDT fw1 : %ASA-4-401004: Shunned packet: 
>>> > 10.10.35.37 ==> 87.106.71.108 on interface inside\0x0a
>>> >
>>> > If I copy out the Msg and paste it into ossec-logtest it does process it 
>>> > to my rule:
>>> >
>>> > [USER@ossec~]# /var/ossec/bin/ossec-logtest
>>> > 2019/10/14 14:58:37 ossec-testrule: INFO: Reading local decoder file.
>>> > 2019/10/14 14:58:37 ossec-testrule: INFO: Started (pid: 29400).
>>> > ossec-testrule: Type one log per line.
>>> >
>>> > Oct 14 14:53:41 EDT fw1 : %ASA-4-401004: Shunned packet: 10.10.35.37 ==> 
>>> > 87.106.71.108 on interface inside\0x0a
>>> >
>>> >
>>> > **Phase 1: Completed pre-decoding.
>>> >full event: 'Oct 14 14:53:41 EDT fw1 : %ASA-4-401004: Shunned 
>>> > packet: 10.10.35.37 ==> 87.106.71.108 on interface inside\0x0a'
>>> >hostname: 'EDT'
>>> >program_name: '(null)'
>>> >log: 'fw1 : %ASA-4-401004: Shunned packet: 10.10.35.37 ==> 
>>> > 87.106.71.108 on interface inside\0x0a'
>>> >
>>> > **Phase 2: Completed decoding.
>>> >decoder: 'ASA-lanattk'
>>> >
>>> > **Phase 3: Completed filtering (rules).
>>> >Rule id: '100260'
>>> >Level: '9'
>>> >
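
As an added illustration, not OSSEC's own code, the following Python models the path Dan describes for one inbound datagram: the allowed-ips membership gate (where the order of entries, which Nate wondered about, is irrelevant), stripping the syslog PRI, the pre-decode step that yields hostname 'EDT' for the ASA line, and the rule 100260 regex. The datagrams are constructed from the tcpdump output in the thread (PRI = facility*8 + severity, so local0/warning is <132> and user/info is <14>); the pre-decoder and matching are simplified approximations of the real pipeline.

```python
import ipaddress
import re

# Constructed from the thread: the <allowed-ips> entries Nate posted and the two
# datagrams seen in tcpdump (Palo Alto line abridged). A real newline stands in
# for the trailing "\0x0a" that tcpdump printed.
ALLOWED_IPS = ["10.10.10.0/23", "10.10.2.2", "10.10.39.2", "10.10.6.2",
               "10.10.9.1", "192.168.2.0/24"]
ASA_DATAGRAM = ("<132>Oct 14 14:53:41 EDT fw1 : %ASA-4-401004: Shunned packet: "
                "10.10.35.37 ==> 87.106.71.108 on interface inside\n")
PALO_DATAGRAM = ("<14>Oct 15 08:55:50 10.10.10.151 1,2019/10/15 08:55:50,"
                 "012001010622,SYSTEM,userid,0,2019/10/15 08:55:50,,"
                 "connect-ldap-sever,10.10.10.10,0,0,general,informational\n")

# Same pattern as rule 100260 in Nate's local_rules.xml.
SHUN_RULE = re.compile(r"ASA-4-73310\d|ASA-4-40100\d")

# Simplified BSD-syslog header split: "Mon DD HH:MM:SS <hostname> <log>".
# Taking the first token after the timestamp as the hostname is why the ASA
# line, which places its timezone there, pre-decodes to hostname 'EDT'.
HEADER = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} [ 0-9]\d \d\d:\d\d:\d\d) (?P<host>\S+) (?P<log>.*)$")


def source_allowed(src_ip, allowed=ALLOWED_IPS):
    """True if src_ip falls inside any allowed entry; entry order never matters."""
    ip = ipaddress.ip_address(src_ip)
    return any(ip in ipaddress.ip_network(entry, strict=False) for entry in allowed)


def strip_pri(payload):
    """Split off a leading <PRI>; returns (facility, severity, message)."""
    m = re.match(r"<(\d{1,3})>(.*)", payload, re.S)
    if not m:
        return None, None, payload
    pri = int(m.group(1))
    return pri // 8, pri % 8, m.group(2)


def predecode(message):
    """Approximate OSSEC pre-decoding: hostname and log body from the header."""
    body = message.rstrip("\n")
    m = HEADER.match(body)
    if not m:
        return {"hostname": None, "log": body}
    return {"hostname": m.group("host"), "log": m.group("log")}


def process_datagram(src_ip, payload):
    """Model one datagram: allowed-ips gate, PRI strip, pre-decode, rule match."""
    if not source_allowed(src_ip):
        # remoted drops these; Dan notes a log message should appear in this case.
        return {"accepted": False, "reason": "source not in allowed-ips"}
    facility, severity, message = strip_pri(payload)
    result = predecode(message)
    result.update(accepted=True, facility=facility, severity=severity,
                  shun_rule_match=bool(SHUN_RULE.search(result["log"])))
    return result


if __name__ == "__main__":
    for src, dgram in (("10.10.2.2", ASA_DATAGRAM), ("10.10.10.151", PALO_DATAGRAM),
                       ("10.10.12.1", ASA_DATAGRAM)):
        print(src, process_datagram(src, dgram))
```

Because the facility is only carried in the PRI and never consulted after it is stripped, the ASA's local0/local4 facilities cannot by themselves explain the dropped events in this model.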

Re: [ossec-list] OSSEC receiving syslog alerts from ASA but not processing them

2019-10-15 Thread Nate
Looking at the syslog packets I see the Cisco ASA only uses local facility 
codes but my Palo Alto uses User facility codes:

08:55:50.340558 IP (tos 0x0, ttl 64, id 917, offset 0, flags [DF], proto 
UDP (17), length 329)
10.10.10.151.44375 > 10.10.10.17.syslog: SYSLOG, length: 301
*Facility user (1)*, Severity info (6)
Msg: Oct 15 08:55:50 10.10.10.151 1,2019/10/15 
08:55:50,012001010622,SYSTEM,userid,0,2019/10/15 
08:55:50,,connect-ldap-sever,10.10.10.10,0,0,general,informational,"ldap 
cfg DOMAIN GMapping FW-Admins connected to server 10.10.10.10:389, 
initiated by: 10.10.10.152",1204131,0x0,0,0,0,0,,fw2
08:55:50.726480 IP (tos 0x0, ttl 254, id 65458, offset 0, flags [none], 
proto UDP (17), length 190)
10.10.2.2.syslog > 10.10.10.17.syslog: SYSLOG, length: 162
*Facility local4 (20)*, Severity warning (4)
Msg: Oct 15 08:55:50 EDT fw1 : %ASA-4-106023: Deny udp src 
outside:10.10.201.105/137 dst outside:10.10.201.255/137 by access-group 
"outside_access_in" [0x0, 0x0]\0x0a

I can't change the ASA to be anything other than local facility.

On Tuesday, October 15, 2019 at 8:34:52 AM UTC-4, Nate wrote:
>
> Hi Dan,
>
> Yes I restarted the OSSEC service with a: service OSSEC restart
>
> Right now the iptables are wide open due to this issue:
>
> # iptables -L
> Chain INPUT (policy ACCEPT)
> target prot opt source   destination
>
> Chain FORWARD (policy ACCEPT)
> target prot opt source   destination
>
> Chain OUTPUT (policy ACCEPT)
> target prot opt source   destination
> # iptables -S
> -P INPUT ACCEPT
> -P FORWARD ACCEPT
> -P OUTPUT ACCEPT
>
> My full remote connections list is the following:
>
>   
>syslog
>10.10.10.0/23
>10.10.2.2
>10.10.39.2
>10.10.6.2
>10.10.9.1
>192.168.2.0/24
>514
>   
>
> I will move the 10.10.2.2 up above the /23 in case this is causing it 
> but I know we are getting syslog events from all other sources.
>
> Maybe it's the Cisco packet?
>
> On Tuesday, October 15, 2019 at 7:19:23 AM UTC-4, dan (ddpbsd) wrote:
>>
>> On Mon, Oct 14, 2019 at 3:03 PM Nate  wrote: 
>> > 
>> > Hi, 
>> > 
>> > I've never seen this before but I set up our ASA 5516 to send syslog 
>> events to our OSSEC server to detect SHUN events. 
>> > 
>> > ossec.conf 
>> >   
>> >syslog 
>> >10.10.2.2 
>> >514 
>> >
>> > 
>> >
>> > 0 
>> > 9 
>> >
>> > 
>> > 
>> > local_rules.xml 
>> > 
>> >  
>> > 
>> >  
>> > 4100 
>> > ASA-4-73310\d|ASA-4-40100\d 
>> > ASA Shun event 
>> > 
>> >  
>> > 
>> > 
>> > but reviewing the alerts, archives, database no events from our 
>> 10.10.2.2 or ASA show up. Running tcpdump on ossec shows they are received 
>> by the server: 
>> > 
>> > 14:53:41.611883 IP (tos 0x0, ttl 254, id 54586, offset 0, flags [none], 
>> proto UDP (17), length 140) 
>> > 10.10.2.2.syslog > 10.10.10.17.syslog: SYSLOG, length: 112 
>> > Facility local0 (16), Severity warning (4) 
>> > Msg: Oct 14 14:53:41 EDT fw1 : %ASA-4-401004: Shunned packet: 
>> 10.10.35.37 ==> 87.106.71.108 on interface inside\0x0a 
>> > 14:53:41.614335 IP (tos 0x0, ttl 254, id 46962, offset 0, flags [none], 
>> proto UDP (17), length 140) 
>> > 10.10.2.2.syslog > 10.10.10.17.syslog: SYSLOG, length: 112 
>> > Facility local0 (16), Severity warning (4) 
>> > Msg: Oct 14 14:53:41 EDT fw1 : %ASA-4-401004: Shunned packet: 
>> 10.10.35.37 ==> 87.106.71.108 on interface inside\0x0a 
>> > 
>> > If I copy out the Msg and paste it into ossec-logtest it does process 
>> it to my rule: 
>> > 
>> > [USER@ossec~]# /var/ossec/bin/ossec-logtest 
>> > 2019/10/14 14:58:37 ossec-testrule: INFO: Reading local decoder file. 
>> > 2019/10/14 14:58:37 ossec-testrule: INFO: Started (pid: 29400). 
>> > ossec-testrule: Type one log per line. 
>> > 
>> > Oct 14 14:53:41 EDT fw1 : %ASA-4-401004: Shunned packet: 10.10.35.37 
>> ==> 87.106.71.108 on interface inside\0x0a 
>> > 
>> > 
>> > **Phase 1: Completed pre-decoding. 
>> >full event: 'Oct 14 14:53:41 EDT fw1 : %ASA-4-401004: Shunned 
>> packet: 10.10.35.37 ==> 87.106.71.108 on interface inside\0x0a' 
>> >hostname: 'EDT' 
>> >program_name: '(null)' 
>> >log: 'fw1 : %ASA-4-401004: Shunned packet: 10.10.35.37 ==> 
>> 87.106.71.108 on interface inside\0x0a' 
>> > 
>> > **Phase 2: Completed decoding. 
>> >decoder: 'ASA-lanattk' 
>> > 
>> > **Phase 3: Completed filtering (rules). 
>> >Rule id: '100260' 
>> >Level: '9' 
>> >Description: 'ASA Shun event' 
>> > **Alert to be generated. 
>> > 
>> > I see that UDP port 514 is running: 
>> > 
>> > [root@secserv ~]# netstat -anp | grep 514 
>> > tcp0  0 127.0.0.1:3306  127.0.0.1:37514   
>>   ESTABLISHED 5542/mysqld 
>> > tcp0  0 127.0.0.1:37514 127.0.0.1:3306 
>>  ESTABLISHED 29340/ossec-dbd 
>> > udp0  0 :::1514   

Re: [ossec-list] OSSEC receiving syslog alerts from ASA but not processing them

2019-10-15 Thread Nate
Hi Dan,

Yes I restarted the OSSEC service with a: service OSSEC restart

Right now the iptables are wide open due to this issue:

# iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source   destination

Chain FORWARD (policy ACCEPT)
target prot opt source   destination

Chain OUTPUT (policy ACCEPT)
target prot opt source   destination
# iptables -S
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT

My full remote connections list is the following:

  
   syslog
   10.10.10.0/23
   10.10.2.2
   10.10.39.2
   10.10.6.2
   10.10.9.1
   192.168.2.0/24
   514
  

I will move the 10.10.2.2 up above the /23 in case this is causing it 
but I know we are getting syslog events from all other sources.

Maybe it's the Cisco packet?

On Tuesday, October 15, 2019 at 7:19:23 AM UTC-4, dan (ddpbsd) wrote:
>
> On Mon, Oct 14, 2019 at 3:03 PM Nate wrote: 
> > 
> > Hi, 
> > 
> > I've never seen this before but I set up our ASA 5516 to send syslog 
> events to our OSSEC server to detect SHUN events. 
> > 
> > ossec.conf 
> >   
> >syslog 
> >10.10.2.2 
> >514 
> >
> > 
> >
> > 0 
> > 9 
> >
> > 
> > 
> > local_rules.xml 
> > 
> >  
> > 
> >  
> > 4100 
> > ASA-4-73310\d|ASA-4-40100\d 
> > ASA Shun event 
> > 
> >  
> > 
> > 
> > but reviewing the alerts, archives, database no events from our 10.10.2.2 
> or ASA show up. Running tcpdump on ossec shows they are received by the 
> server: 
> > 
> > 14:53:41.611883 IP (tos 0x0, ttl 254, id 54586, offset 0, flags [none], 
> proto UDP (17), length 140) 
> > 10.10.2.2.syslog > 10.10.10.17.syslog: SYSLOG, length: 112 
> > Facility local0 (16), Severity warning (4) 
> > Msg: Oct 14 14:53:41 EDT fw1 : %ASA-4-401004: Shunned packet: 
> 10.10.35.37 ==> 87.106.71.108 on interface inside\0x0a 
> > 14:53:41.614335 IP (tos 0x0, ttl 254, id 46962, offset 0, flags [none], 
> proto UDP (17), length 140) 
> > 10.10.2.2.syslog > 10.10.10.17.syslog: SYSLOG, length: 112 
> > Facility local0 (16), Severity warning (4) 
> > Msg: Oct 14 14:53:41 EDT fw1 : %ASA-4-401004: Shunned packet: 
> 10.10.35.37 ==> 87.106.71.108 on interface inside\0x0a 
> > 
> > If I copy out the Msg and paste it into ossec-logtest it does process it 
> to my rule: 
> > 
> > [USER@ossec~]# /var/ossec/bin/ossec-logtest 
> > 2019/10/14 14:58:37 ossec-testrule: INFO: Reading local decoder file. 
> > 2019/10/14 14:58:37 ossec-testrule: INFO: Started (pid: 29400). 
> > ossec-testrule: Type one log per line. 
> > 
> > Oct 14 14:53:41 EDT fw1 : %ASA-4-401004: Shunned packet: 10.10.35.37 ==> 
> 87.106.71.108 on interface inside\0x0a 
> > 
> > 
> > **Phase 1: Completed pre-decoding. 
> >full event: 'Oct 14 14:53:41 EDT fw1 : %ASA-4-401004: Shunned 
> packet: 10.10.35.37 ==> 87.106.71.108 on interface inside\0x0a' 
> >hostname: 'EDT' 
> >program_name: '(null)' 
> >log: 'fw1 : %ASA-4-401004: Shunned packet: 10.10.35.37 ==> 
> 87.106.71.108 on interface inside\0x0a' 
> > 
> > **Phase 2: Completed decoding. 
> >decoder: 'ASA-lanattk' 
> > 
> > **Phase 3: Completed filtering (rules). 
> >Rule id: '100260' 
> >Level: '9' 
> >Description: 'ASA Shun event' 
> > **Alert to be generated. 
> > 
> > I see that UDP port 514 is running: 
> > 
> > [root@secserv ~]# netstat -anp | grep 514 
> > tcp0  0 127.0.0.1:3306  127.0.0.1:37514 
> ESTABLISHED 5542/mysqld 
> > tcp0  0 127.0.0.1:37514 127.0.0.1:3306 
>  ESTABLISHED 29340/ossec-dbd 
> > udp0  0 :::1514 :::* 
>29373/ossec-remoted 
> > udp0  0 :::514  :::* 
>29372/ossec-remoted 
> > 
> > 
> > What obvious thing am I missing to setup an ASA to OSSEC? Our HP 
> switches and Palo Alto firewall are sending syslogs just fine. 
> > 
>
> After adding the system to allowed-ips, did you restart the OSSEC 
> processes on the OSSEC server? 
> Is there a host firewall (iptables) on the OSSEC server? Is 514UDP 
> open to 10.10.2.2? 
>
> > -- 
> > 
> > --- 
> > You received this message because you are subscribed to the Google 
> Groups "ossec-list" group. 
> > To unsubscribe from this group and stop receiving emails from it, send 
> an email to ossec...@googlegroups.com . 
> > To view this discussion on the web visit 
> https://groups.google.com/d/msgid/ossec-list/b1faa727-7071-49a0-91da-9fe4b680a724%40googlegroups.com.
>  
>
>


Re: [ossec-list] OSSEC receiving syslog alerts from ASA but not processing them

2019-10-15 Thread dan (ddp)
On Mon, Oct 14, 2019 at 3:03 PM Nate  wrote:
>
> Hi,
>
> I've never seen this before but I set up our ASA 5516 to send syslog events to 
> our OSSEC server to detect SHUN events.
>
> ossec.conf
>  
>syslog
>10.10.2.2
>514
>   
>
>   
> 0
> 9
>   
>
>
> local_rules.xml
>
> 
>
> 
> 4100
> ASA-4-73310\d|ASA-4-40100\d
> ASA Shun event
>
> 
>
>
> but reviewing the alerts, archives, database no events from our 10.10.2.2 or 
> ASA show up. Running tcpdump on ossec shows they are received by the server:
>
> 14:53:41.611883 IP (tos 0x0, ttl 254, id 54586, offset 0, flags [none], proto 
> UDP (17), length 140)
> 10.10.2.2.syslog > 10.10.10.17.syslog: SYSLOG, length: 112
> Facility local0 (16), Severity warning (4)
> Msg: Oct 14 14:53:41 EDT fw1 : %ASA-4-401004: Shunned packet: 
> 10.10.35.37 ==> 87.106.71.108 on interface inside\0x0a
> 14:53:41.614335 IP (tos 0x0, ttl 254, id 46962, offset 0, flags [none], proto 
> UDP (17), length 140)
> 10.10.2.2.syslog > 10.10.10.17.syslog: SYSLOG, length: 112
> Facility local0 (16), Severity warning (4)
> Msg: Oct 14 14:53:41 EDT fw1 : %ASA-4-401004: Shunned packet: 
> 10.10.35.37 ==> 87.106.71.108 on interface inside\0x0a
>
> If I copy out the Msg and paste it into ossec-logtest it does process it to 
> my rule:
>
> [USER@ossec~]# /var/ossec/bin/ossec-logtest
> 2019/10/14 14:58:37 ossec-testrule: INFO: Reading local decoder file.
> 2019/10/14 14:58:37 ossec-testrule: INFO: Started (pid: 29400).
> ossec-testrule: Type one log per line.
>
> Oct 14 14:53:41 EDT fw1 : %ASA-4-401004: Shunned packet: 10.10.35.37 ==> 
> 87.106.71.108 on interface inside\0x0a
>
>
> **Phase 1: Completed pre-decoding.
>full event: 'Oct 14 14:53:41 EDT fw1 : %ASA-4-401004: Shunned packet: 
> 10.10.35.37 ==> 87.106.71.108 on interface inside\0x0a'
>hostname: 'EDT'
>program_name: '(null)'
>log: 'fw1 : %ASA-4-401004: Shunned packet: 10.10.35.37 ==> 
> 87.106.71.108 on interface inside\0x0a'
>
> **Phase 2: Completed decoding.
>decoder: 'ASA-lanattk'
>
> **Phase 3: Completed filtering (rules).
>Rule id: '100260'
>Level: '9'
>Description: 'ASA Shun event'
> **Alert to be generated.
>
> I see that UDP port 514 is running:
>
> [root@secserv ~]# netstat -anp | grep 514
> tcp0  0 127.0.0.1:3306  127.0.0.1:37514 
> ESTABLISHED 5542/mysqld
> tcp0  0 127.0.0.1:37514 127.0.0.1:3306  
> ESTABLISHED 29340/ossec-dbd
> udp0  0 :::1514 :::*  
>   29373/ossec-remoted
> udp0  0 :::514  :::*  
>   29372/ossec-remoted
>
>
> What obvious thing am I missing to setup an ASA to OSSEC? Our HP switches and 
> Palo Alto firewall are sending syslogs just fine.
>

After adding the system to allowed-ips, did you restart the OSSEC
processes on the OSSEC server?
Is there a host firewall (iptables) on the OSSEC server? Is 514UDP
open to 10.10.2.2?



[ossec-list] OSSEC receiving syslog alerts from ASA but not processing them

2019-10-14 Thread Nate
Hi,

I've never seen this before but I set up our ASA 5516 to send syslog events 
to our OSSEC server to detect SHUN events. 

*ossec.conf*
 
   syslog
   10.10.2.2
   514
  

  
0
9
  


*local_rules.xml*


   

4100
ASA-4-73310\d|ASA-4-40100\d
ASA Shun event
   



but reviewing the alerts, archives, database no events from our 10.10.2.2 or 
ASA show up. Running tcpdump on ossec shows they are received by the server:

14:53:41.611883 IP (tos 0x0, ttl 254, id 54586, offset 0, flags [none], 
proto UDP (17), length 140)
10.10.2.2.syslog > 10.10.10.17.syslog: SYSLOG, length: 112
Facility local0 (16), Severity warning (4)
Msg: Oct 14 14:53:41 EDT fw1 : %ASA-4-401004: Shunned packet: 
10.10.35.37 ==> 87.106.71.108 on interface inside\0x0a
14:53:41.614335 IP (tos 0x0, ttl 254, id 46962, offset 0, flags [none], 
proto UDP (17), length 140)
10.10.2.2.syslog > 10.10.10.17.syslog: SYSLOG, length: 112
Facility local0 (16), Severity warning (4)
Msg: Oct 14 14:53:41 EDT fw1 : %ASA-4-401004: Shunned packet: 
10.10.35.37 ==> 87.106.71.108 on interface inside\0x0a

If I copy out the Msg and paste it into ossec-logtest it does process it to 
my rule:

[USER@ossec~]# /var/ossec/bin/ossec-logtest
2019/10/14 14:58:37 ossec-testrule: INFO: Reading local decoder file.
2019/10/14 14:58:37 ossec-testrule: INFO: Started (pid: 29400).
ossec-testrule: Type one log per line.

Oct 14 14:53:41 EDT fw1 : %ASA-4-401004: Shunned packet: 10.10.35.37 ==> 
87.106.71.108 on interface inside\0x0a


**Phase 1: Completed pre-decoding.
   full event: 'Oct 14 14:53:41 EDT fw1 : %ASA-4-401004: Shunned 
packet: 10.10.35.37 ==> 87.106.71.108 on interface inside\0x0a'
   hostname: 'EDT'
   program_name: '(null)'
   log: 'fw1 : %ASA-4-401004: Shunned packet: 10.10.35.37 ==> 
87.106.71.108 on interface inside\0x0a'

**Phase 2: Completed decoding.
   decoder: 'ASA-lanattk'

**Phase 3: Completed filtering (rules).
   Rule id: '100260'
   Level: '9'
   Description: 'ASA Shun event'
**Alert to be generated.

I see that UDP port 514 is running:

[root@secserv ~]# netstat -anp | grep 514
tcp0  0 127.0.0.1:3306  127.0.0.1:37514
 ESTABLISHED 5542/mysqld
tcp0  0 127.0.0.1:37514 127.0.0.1:3306  
ESTABLISHED 29340/ossec-dbd
udp0  0 :::1514 :::*
29373/ossec-remoted
udp0  0 :::514  :::*  
  29372/ossec-remoted


What obvious thing am I missing to setup an ASA to OSSEC? Our HP switches 
and Palo Alto firewall are sending syslogs just fine.
