[ossec-list] firewall.log and ICMP?
Hi *,

Maybe a stupid question, but I'm investigating an issue and I have to browse my history of firewall.log files. Problem: I find only TCP/UDP events and nothing regarding ICMP packets?

I tested via ossec-logtest and events are correctly parsed...

I never paid attention to this in the past... :-(
Any idea?

/x

--
---
You received this message because you are subscribed to the Google Groups "ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email to ossec-list+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
Re: [ossec-list] firewall.log and ICMP?
I am afraid I don't understand the problem or question, maybe if you explain it a little bit more we can help better.

Best

On Thu, Jan 21, 2016 at 7:56 AM, Xavier Mertens wrote:
Re: [ossec-list] firewall.log and ICMP?
I'm collecting firewall logs from many Ubuntu servers (basically the /var/log/ufw.log).
In this log, I can see events about TCP, UDP and ICMP traffic (allowed or dropped).
But, on my OSSEC server, in my firewall.log, I don't see any event related to the ICMP protocol...

/x

On Sat, Jan 23, 2016 at 11:45 PM, Santiago Bassett <santiago.bass...@gmail.com> wrote:
Re: [ossec-list] firewall.log and ICMP?
Xavier,

I'm collecting logs from my ASA and I do see ICMP traffic in my firewall.log -

2016 Jan 26 12:00:50 ossec->192.168.168.168 CLOSED ICMP 1.2.3.4:10254->external.addr:10254
2016 Jan 26 12:00:54 ossec->192.168.168.168 CLOSED ICMP 1.2.3.4:10510->external.addr:10510
2016 Jan 26 12:00:57 ossec->192.168.168.168 CLOSED ICMP 1.2.3.4:10766->external.addr:10766
2016 Jan 26 12:01:05 ossec->192.168.168.168 CLOSED ICMP 1.2.3.4:11278->external.addr:11278

I'm not sure what the issue might be.

Also, thank you for the ossec2dshield script!!! I heard about it on the Internet Storm Center Stormcast, but it might be worth plugging to the list here too :)

On Tuesday, January 26, 2016 at 1:08:12 AM UTC-8, Xavier Mertens wrote:
Re: [ossec-list] firewall.log and ICMP?
Hi Brent,

I think that I found the problem! Here is a sample of my ossec-logtest output:

**Phase 2: Completed decoding.
       decoder: 'iptables'
       action: 'AUDIT'
       srcip: '92.222.185.1'
       dstip: '51.254.36.238'
       proto: 'ICMP'

But, while diving into the source code (in analysisd/alert/log.c):

/* FW_Log: v0.1, 2005/12/30 */
int FW_Log(Eventinfo *lf)
{
    /* If we don't have the srcip or the
     * action, there is no point in going
     * forward over here
     */
    if(!lf->action || !lf->srcip || !lf->dstip || !lf->srcport ||
       !lf->dstport || !lf->protocol)
    {
        return(0);
    }

I don't have srcport & dstport filled in so no log! I think I'll patch the code and
I'm wondering why your ASA firewall provides ports!?

About ossec2dshield, I wrote this tool a long time ago to share my logs with DShield.org.
Ping me if you want details!

/x

On Tue, Jan 26, 2016 at 9:05 PM, Brent Morris wrote:
Re: [ossec-list] firewall.log and ICMP?
Good catch!

I think the ASA provides ports just as part of internal processing of the IP translation. Perhaps they're a sequence number or provide some internal function for IOS. They seem completely random. They change to the real port in the logs when using TCP or UDP. Here are the logs as seen from the ASA:

ICMP
2016 Jan 26 02:00:49 ossec->1.2.3.4 Jan 26 2016 02:00:49: %ASA-6-302021: Teardown ICMP connection for faddr 8.8.8.8/0 gaddr external.addr/18125 laddr external.addr/18125(any)
2016 Jan 26 02:00:49 ossec->1.2.3.4 Jan 26 2016 02:00:49: %ASA-6-302020: Built outbound ICMP connection for faddr 8.8.8.8/0 gaddr external.addr/18126 laddr external.addr/18126(any)
2016 Jan 26 02:00:49 ossec->1.2.3.4 Jan 26 2016 02:00:49: %ASA-6-302021: Teardown ICMP connection for faddr 8.8.8.8/0 gaddr external.addr/18126 laddr external.addr/18126(any)

In the case of a TCP or UDP connection, you'd see:

Built outbound TCP connection 60148807 for outside:137.135.12.16/443 (137.135.12.16/443) to inside:1.2.3.4/11515 (external.ip.addr/11515)

On Tuesday, January 26, 2016 at 2:10:25 PM UTC-8, Xavier Mertens wrote:
Re: [ossec-list] firewall.log and ICMP?
I'll patch my analysisd to provide srcport and dstport with a value of "0" if the protocol is "ICMP"... I need to keep traces of such events...

/x

On Tue, Jan 26, 2016 at 11:40 PM, Brent Morris wrote:
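The FW_Log() gate quoted two messages up and the "srcport/dstport = 0 for ICMP" patch proposed just above, run side by side over ufw-style log lines, as an added example. This is constructed demonstration code, not OSSEC's analysisd source: the Eventinfo stand-in carries only the six fields the quoted gate tests, decode_ufw() is a minimal stand-in for OSSEC's iptables decoder, and the log lines, host name and addresses are made up for the run.

```c
/* Added example, not OSSEC code: the FW_Log() gate quoted in the thread,
 * a patched gate that logs ICMP with ports "0", and a constructed ufw
 * decoder to feed both. All log lines and addresses below are made up. */
#include <stdio.h>
#include <string.h>

/* Only the Eventinfo fields FW_Log() tests; an empty string means "unset". */
typedef struct {
    char action[8], srcip[46], dstip[46], srcport[6], dstport[6], protocol[8];
} Eventinfo;

static const char *opt(const char *s) { return s[0] ? s : NULL; }

/* Copy the value of " KEY=" from an iptables-style line; 0 if absent/empty. */
static int kv_get(const char *line, const char *key, char *out, size_t outlen) {
    char pat[16];
    snprintf(pat, sizeof pat, " %s=", key);
    const char *p = strstr(line, pat);
    if (!p) return 0;
    p += strlen(pat);
    size_t n = strcspn(p, " ");
    if (n == 0 || n >= outlen) return 0;
    memcpy(out, p, n);
    out[n] = '\0';
    return 1;
}

/* Constructed ufw decoder: action from the [UFW ...] tag, the rest from
 * SRC/DST/PROTO/SPT/DPT. ICMP lines carry TYPE/CODE, never SPT/DPT. */
void decode_ufw(const char *line, Eventinfo *lf) {
    memset(lf, 0, sizeof *lf);
    if (strstr(line, "[UFW BLOCK]"))      strcpy(lf->action, "DROP");
    else if (strstr(line, "[UFW ALLOW]")) strcpy(lf->action, "ACCEPT");
    else if (strstr(line, "[UFW AUDIT]")) strcpy(lf->action, "AUDIT");
    kv_get(line, "SRC", lf->srcip, sizeof lf->srcip);
    kv_get(line, "DST", lf->dstip, sizeof lf->dstip);
    kv_get(line, "PROTO", lf->protocol, sizeof lf->protocol);
    kv_get(line, "SPT", lf->srcport, sizeof lf->srcport);
    kv_get(line, "DPT", lf->dstport, sizeof lf->dstport);
}

/* The gate as quoted from analysisd/alert/log.c: any missing field, no log. */
int fw_log_original(const Eventinfo *lf) {
    if (!opt(lf->action) || !opt(lf->srcip) || !opt(lf->dstip) ||
        !opt(lf->srcport) || !opt(lf->dstport) || !opt(lf->protocol))
        return 0;
    return 1;
}

/* Patched gate: ports are required only for protocols that have them;
 * for ICMP they are written as "0". Formats the firewall.log line into out. */
int fw_log_patched(const Eventinfo *lf, char *out, size_t outlen) {
    if (!opt(lf->action) || !opt(lf->srcip) || !opt(lf->dstip) || !opt(lf->protocol))
        return 0;
    int portless = strcmp(lf->protocol, "ICMP") == 0 ||
                   strcmp(lf->protocol, "ICMPv6") == 0;
    if (!portless && (!opt(lf->srcport) || !opt(lf->dstport)))
        return 0;
    snprintf(out, outlen, "%s %s %s:%s->%s:%s", lf->action, lf->protocol,
             lf->srcip, opt(lf->srcport) ? lf->srcport : "0",
             lf->dstip, opt(lf->dstport) ? lf->dstport : "0");
    return 1;
}

/* Constructed /var/log/ufw.log lines: a TCP drop, an ICMP echo audit, a UDP drop. */
static const char *SAMPLE_LINES[] = {
    "Jan 26 09:01:02 web1 kernel: [UFW BLOCK] IN=eth0 OUT= MAC=... SRC=203.0.113.7 "
    "DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=44210 DPT=22 SYN",
    "Jan 26 09:01:03 web1 kernel: [UFW AUDIT] IN=eth0 OUT= MAC=... SRC=203.0.113.7 "
    "DST=192.0.2.10 LEN=84 TOS=0x00 PREC=0x00 TTL=52 ID=1234 PROTO=ICMP TYPE=8 CODE=0 ID=9999 SEQ=1",
    "Jan 26 09:01:04 web1 kernel: [UFW BLOCK] IN=eth0 OUT= MAC=... SRC=203.0.113.9 "
    "DST=192.0.2.10 LEN=40 TOS=0x00 PREC=0x00 TTL=240 ID=54321 PROTO=UDP SPT=53 DPT=1900",
};
#define NSAMPLES (sizeof SAMPLE_LINES / sizeof SAMPLE_LINES[0])

/* Decode sample idx and run it through the patched gate. */
int patched_line(size_t idx, char *out, size_t outlen) {
    Eventinfo lf;
    if (idx >= NSAMPLES) return 0;
    decode_ufw(SAMPLE_LINES[idx], &lf);
    return fw_log_patched(&lf, out, outlen);
}

/* How many sample events reach firewall.log under each gate. */
int count_original(void) {
    int n = 0;
    for (size_t i = 0; i < NSAMPLES; i++) {
        Eventinfo lf; decode_ufw(SAMPLE_LINES[i], &lf);
        n += fw_log_original(&lf);
    }
    return n;
}
int count_patched(void) {
    char buf[160]; int n = 0;
    for (size_t i = 0; i < NSAMPLES; i++) n += patched_line(i, buf, sizeof buf);
    return n;
}

int main(void) {
    char buf[160];
    for (size_t i = 0; i < NSAMPLES; i++) {
        Eventinfo lf; decode_ufw(SAMPLE_LINES[i], &lf);
        printf("%-5s original: %s  patched: %s\n", lf.protocol,
               fw_log_original(&lf) ? "logged" : "dropped",
               patched_line(i, buf, sizeof buf) ? buf : "dropped");
    }
    return 0;
}
```

Build with cc -std=c99 fwlog.c and run it: the original gate logs 2 of the 3 events and silently drops the ICMP one, the patched gate logs all 3 and writes the ICMP event as AUDIT ICMP 203.0.113.7:0->192.0.2.10:0, the same ACTION PROTO src:port->dst:port shape as the ASA lines earlier in the thread. To confirm the gap on a live server, compare grep -c PROTO=ICMP /var/log/ufw.log with grep -c ICMP /var/ossec/logs/firewall/firewall.log (default install path). Port 0 is only a sentinel: the ICMP TYPE and CODE that the ufw line carries are still not written, so any rule or report keyed on the port fields should treat 0 as "not applicable" rather than as a real port.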
Re: [ossec-list] firewall.log and ICMP?
Is this worth submitting as an issue to github?

https://github.com/ossec/ossec-hids/issues

On Wednesday, January 27, 2016 at 12:08:54 AM UTC-8, Xavier Mertens wrote:
Re: [ossec-list] firewall.log and ICMP?
Issue submitted!

/x

On Wed, Jan 27, 2016 at 5:04 PM, Brent Morris wrote: