[ossec-list] Decoder for Fortigate/FortiOS

2011-07-29 Thread DTakemori
Hmm. Thought I sent this out already, but I don't see it in the mailing list archives. This is a decoder I'm using for Fortinet devices using remote syslog to a linux server running OSSEC 2.6. It's still very new, so there may be problems, and the regexes are probably not very optimal

[ossec-list] Experimental Decoder for Forti-OS

2011-02-20 Thread DTakemori
This is an experimental decoder for FortiOS 4.0 running on Fortigate devices (http://www.fortinet.com), using the syslog remote logging options (with CSV format turned off). It is not thoroughly tested, may have odd corner cases and can almost certainly be rewritten to be more CPU efficient.

[ossec-list] rules - srcip and regex

2010-11-19 Thread DTakemori
I'm trying to write a rule to match on a regex, but only if it comes from certain hosts. It's easy enough to do this: 1002 10.10.10.10 10.10.10.20 [\d+]: this is a false positive no_email_alert Don't send email alerts on these bogus false positives if there's onl

[ossec-list] Re: Ossec - Checkpoint - Foward

2009-09-12 Thread DTakemori
The "fw" and "logger" commands are available on the Linux version of Checkpoint. I don't know what the equivalent method might be on the Windows version. Dean Takemori Systems Support Supervisor TD Food Group dtakem...@thdfsg.com loki74 Sent by: ossec-list@googlegroups.com 09/11/2009 09:04

[ossec-list] OSSEC/prelude assessment.impact.completion backwards?

2009-01-23 Thread DTakemori
OSSEC-HIDS 1.6.1 libprelude-0.9.21.3 libpreludedb-0.9.15.1 prelude-lml-0.9.14 It appears to me that OSSEC might not be getting the assessment.impact.completion part of the IDMEF path correct. For example, for this ipmon log of a blocked packet Jan 22 23:00:00 10.11.12.13 ipmon[94] 23:

[ossec-list] Firewall REJECT and ICMP protocol

2007-10-10 Thread DTakemori
Perhaps I'm not looking hard enough, but from what I can tell, OSSEC-HIDS 1.3 only has rules in firewall_rules.xml for matching against action=DROP. (one firewall_drop and one multiple_drop) Shouldn't there also be a pair of rules for action=REJECT? Something similar to 4100 REJECT