Thank you very much Daniel - works beautifully, now I can add my second
ASA to this system.

For reference this is what I did to make this work for us. If you can
clean it up or improve it, then please do so. This information is
provided without warranties and carries significant security
implications.

The main one is that the script has to have a username and password for
the Cisco ASA/Pix that is allowed to run the shun & no shun commands.
By default these are level 15 commands, and should anyone have access to
this username and password they can do pretty much anything they like on
your Cisco device.

To run a command on the Cisco ASA/Pix I am using "expect" - since I come
from a Windows background I do not know how well known this program is.
However it was already present on the cut-down version of RHEL 4 I am
running. Expect only needs 1 parameter, the command file it is to run.

The following sample assumes the following:
You can connect using ssh to your Cisco ASA/Pix on desired interface
IP to be connected to is: 10.0.0.1
Telnet password: MyPassword1
hostname of ASA/Pix: Firewall
enable password: MyPassword2
IP to be shunned: 172.172.172.172
The default log-in to the Cisco ASA/Pix (pix) is used; this can be
changed if you have a different username you want to use.

The command file then looks as follows:
    set log_user 0
    set timeout 5
    match_max 10000
    spawn ssh [EMAIL PROTECTED]
    expect "Password:"
    exp_send -- "MyPassword1\r"
    expect "Firewall>"
    exp_send -- "en\r"
    expect "Password:"
    exp_send -- "MyPassword2\r"
    expect "Firewall#"
    exp_send -- "
    shun 172.172.172.172
    \r"
    expect "Firewall#"
    exp_send -- "exit\r"
    interact

This can be saved to a text file (let's assume in
/var/ossec/active-response/bin/ASA/shun.txt) on the OSSEC server and run
by typing:
    expect /var/ossec/active-response/bin/ASA/shun.txt

That part explained I can move on to how we get OSSEC to run this. And
here we really are only dealing with 3 parameters:

1. IP address to be shunned
2. IP address of the ASA/Pix
3. Whether to shun or un-shun (no shun)

For the purposes of the active-response part of OSSEC I break this file
up into 3 parts:
shun1.txt which reads:
    set log_user 0
    set timeout 5
    match_max 10000
shun2.txt which reads:
    expect "Password:"
    exp_send -- "MyPassword1\r"
    expect "Firewall>"
    exp_send -- "en\r"
    expect "Password:"
    exp_send -- "MyPassword2\r"
    expect "Firewall#"
    exp_send -- "
shun3.txt which reads:
    \r"
    expect "Firewall#"
    exp_send -- "exit\r"
    interact

From these files you can see that 2 lines are missing:
    spawn ssh [EMAIL PROTECTED]
    shun 172.172.172.172

These need to be generated by the script and can change for each event
that is triggered by OSSEC. I will modify
/var/ossec/active-response/bin/firewall-drop.sh to do this for me.

As mentioned before - I am running on RHEL 4 - hence the
/var/ossec/active-response/bin/firewall-drop.sh has got a section in
there relevant to me starting with:
    # We should run on linux

But first things first - as I want to keep some standards the same, I
have added one line to
    <..snip..>
    ACTION=$1
    USER=$2
    IP=$3
    FWALL=$6     <-- added
    <..snip..>

And then I added a few more lines to the Linux section:

    # We should run on linux
    if [ "X${UNAME}" = "XLinux" ]; then
       if [ "x${ACTION}" = "xadd" ]; then
          ARG1="-I INPUT -s ${IP} -j DROP"
          ARG2="-I FORWARD -s ${IP} -j DROP"
          # ** writes the shun command with the IP address to be shunned **
          echo "shun ${IP}" > /var/ossec/active-response/bin/ASA/${IP}.txt
          # ** writes the Firewall IP into the spawn command that is to be connected to **
          echo "spawn ssh [EMAIL PROTECTED]" > /var/ossec/active-response/bin/ASA/${IP}FWALL.txt
          # ** Using cat to concatenate the partial expect commands into 1 file
          #    (the resulting file also contains the ASA passwords from shun2.txt) **
          cat /var/ossec/active-response/bin/ASA/shun1.txt \
              /var/ossec/active-response/bin/ASA/${IP}FWALL.txt \
              /var/ossec/active-response/bin/ASA/shun2.txt \
              /var/ossec/active-response/bin/ASA/${IP}.txt \
              /var/ossec/active-response/bin/ASA/shun3.txt \
              > /var/ossec/active-response/bin/ASA/shun${IP}.txt
          # ** Run expect with the newly created command file **
          expect /var/ossec/active-response/bin/ASA/shun${IP}.txt
       else
          ARG1="-D INPUT -s ${IP} -j DROP"
          ARG2="-D FORWARD -s ${IP} -j DROP"
          # ** same steps as above, but with "no shun" to lift the block again **
          echo "no shun ${IP}" > /var/ossec/active-response/bin/ASA/un${IP}.txt
          echo "spawn ssh [EMAIL PROTECTED]" > /var/ossec/active-response/bin/ASA/${IP}FWALL.txt
          cat /var/ossec/active-response/bin/ASA/shun1.txt \
              /var/ossec/active-response/bin/ASA/${IP}FWALL.txt \
              /var/ossec/active-response/bin/ASA/shun2.txt \
              /var/ossec/active-response/bin/ASA/un${IP}.txt \
              /var/ossec/active-response/bin/ASA/shun3.txt \
              > /var/ossec/active-response/bin/ASA/unshun${IP}.txt
          expect /var/ossec/active-response/bin/ASA/unshun${IP}.txt
       fi
       # (the rest of the Linux section of firewall-drop.sh follows unchanged)

And that is it, restart OSSEC and you are good to go.

In regards to Will Metcalf's reply - currently I only have an OSSEC
Server ready to go. Snort will come shortly and then I can look at
extending its capabilities as well.

Ideally I would like to have each IDS/IPS system access the Firewalls
individually so that I can gauge who/what triggered the shun/change. I
have not investigated Snortsam or Samtool so I do not know how
easy/difficult this would be. You are right, those tools may be easier
or even better to use.

Any and all questions/comments/thoughts are welcome.


Regards,

Jens C Harsem


-----Original Message-----
From: Daniel Cid [mailto:[EMAIL PROTECTED] 
Sent: Tuesday, 19 June 2007 10:13 AM
To: ossec-list@googlegroups.com
Cc: Harsem, Jens
Subject: Re: [ossec-list] Multiple Cisco Firewalls with Active-Response

Hi Jens,

Reply inline..


On 6/14/07, Harsem, Jens <[EMAIL PROTECTED]> wrote:
>
> Hello all,
>
> thank you for the support & help that this list and the ossec.net web site
> provides. And I am hoping to stretch this a bit further... please
>
>
> I have got a Cisco ASA that is currently sending its syslogs over to my
> OSSEC machine. This is running on a cut down version of Red Hat and running
> very nicely. I get my e-mail alerts as I should when things happen that
> should not.

Good :)




> # We should run on linux
> ....
> ....
> if [ "X${UNAME}" = "XLinux" ]; then
>
> Not what you expected I am sure, it is a kluge, but it works - and I am a
> happy man.

The idea is very good, and maybe you could share your script with us? Are you
using ssh or telnet to log in to the ASA? We could clean it up a little bit
and make it available for everyone (I know external active responses are
something many people have asked for before)...




> And here is my problem - I do not want it to be hard coded, really, I would
> like this to be picked up from the log entries. I have another ASA somewhere
> else that I also want to have send its Syslog messages to this OSSEC Server.
> And I want to have the same goodness on that ASA.
>
> Hence my question (after a half marathon) - is there any way that I can
> extract the IP of the source of the Syslog files for the shun & un-shun of
> the hosts for the ASA? I am hoping for a parameter that I can use in that
> script so that I can parse it to a text file and use it as well.

Yes, you can. If you look at the script, we only use up to argument 5 (rule
id), but if you use the arguments $6 and $7 they will have the agent (or ip of
the device) that generated the alert, so based on that you can decide where to
shun ...




> If anyone has ASAs and wants to know how those text files work with the ASA
> please let me know - I would be more than happy to help.


Yes, please (see above) :)


Hope it helps.

--
Daniel B. Cid
dcid ( at ) ossec.net
