Hi,

I made some fixes to the cisco IOS decoder and it should work now with the
sequence numbers. However, your syslog server should not add
additional sequence numbers, because it is against the RFC.

If you can try it out (just run the upgrade option):

http://www.ossec.net/files/snapshots/ossec-hids-070902.tar.gz

Btw, nice local rules :)

Thanks,

--
Daniel B. Cid
dcid ( at ) ossec.net




On 8/31/07, [EMAIL PROTECTED] <[EMAIL PROTECTED]> wrote:
>
> Refer to this thread about a similar discussion:
>
> http://groups.google.com/group/ossec-list/browse_thread/thread/f78e998efb3c108b
>
> Below is a snip from the thread above which shows you the sequence
> numbers.
>
> Here I have enabled service sequence-numbers on the router. From the
> log file, you can
> see the sequence numbers of the IOS logs are 000038 and 000039. I
> believe the 43 and 44 are sequence numbers generated by the syslog
> server (correct me if I am wrong).
>
>
> Aug 21 16:18:23 192.168.1.1 43: 000038: %SYS-5-CONFIG_I: Configured
> from console by vty0 (203.10.110.199)
> Aug 21 16:29:43 192.168.1.1 44: 000039: %SEC-6-IPACCESSLOGS: list 5
> denied 203.20.69.66 1 packet
>
>
> And here I have entered "no service sequence-numbers" on the router.
> From the log file, you can see there are no longer any IOS sequence
> numbers like 0000xx.
>
>
> Aug 21 16:30:24 192.168.1.1 45: %SYS-5-CONFIG_I: Configured from
> console by vty0 (203.10.110.199)
> Aug 21 16:34:49 192.168.1.1 46: %SEC-6-IPACCESSLOGS: list 5 denied
> 203.20.69.66 2 packets
>
>
> Contrast the above four lines of log with what I see on my router
> when
> I do a "show log":
>
> 000038: %SYS-5-CONFIG_I: Configured from console by vty0
> (203.10.110.199)
> 000039: %SEC-6-IPACCESSLOGS: list 5 denied 203.20.69.66 1 packet
> %SYS-5-CONFIG_I: Configured from console by vty0 (203.10.110.199)
> %SEC-6-IPACCESSLOGS: list 5 denied 203.20.69.66 2 packets
>
> -----
>
> I haven't been able to get the OSSEC decoder to properly understand
> cisco-ios_rules.xml. None of the rules fire at all even after I follow
> what's on the wiki:
>
> http://www.ossec.net/wiki/index.php/PIX_and_IOS_Syslog_Config_examples#Step-by-Step_Cisco_IOS_config
>
> I'm not really a coder nor have extensive regex experience so I've
> given up. To get Ossec to read my cisco logs I just create my rules
> and place them inside the local_rules.xml and then restart OSSEC. You
> will also have to edit the "BAD_WORDS" list in syslog_rules.xml and
> remove the word "denied" else rule id 100003 below won't fire.
>
> Example:
>
> <rule id="100002" level="5">
>     <match>%SYS-5-CONFIG_I</match>
>     <description>Configuration change detected.</description>
> </rule>
>
> <rule id="100003" level="7">
>     <match>%SEC-6-IPACCESSLOGS</match>
>     <description>Unauthorized access.</description>
> </rule>
>
> <rule id="100004" level="9">
>     <match>%LINEPROTO-5-UPDOWN</match>
>     <description>Line protocol UP/DOWN.</description>
> </rule>
>
> <rule id="100005" level="9">
>     <match>%LINK-3-UPDOWN</match>
>     <description>Link state UP/DOWN.</description>
> </rule>
>
> I haven't loaded /bin/ossec-remoted as outlined in the wiki and simply
> told Ossec to monitor my cisco log file (/var/log/cisco.log). This is
> because I also log a lot of other things on the system and do not want
> to disable the syslog daemon so that Ossec can use UDP port 514 to
> monitor incoming Cisco IOS logs.
>
> Edit and add to /etc/ossec.conf the cisco log file to monitor.
>
>   <localfile>
>     <log_format>syslog</log_format>
>     <location>/var/log/cisco.log</location>
>   </localfile>
>
> If you want to use /bin/ossec-remoted , this wiki entry might help you
> out:
>
> http://www.ossec.net/wiki/index.php/Know_How:Syslog_Config
>
> As far as I know Cisco IOS doesn't give you the option to send IOS
> logs on a different UDP port so you either turn off syslog and let
> OSSEC use UDP port 514 or you keep syslog running and tell Ossec which
> log file to monitor.
>
> Hope that helps some people.
>
>
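The thread above turns on two things: how a decoder should split a Cisco IOS syslog line when a syslog server prepends its own counter ("43:") in front of the IOS "service sequence-numbers" counter ("000038:"), and why a generic "bad words" rule evaluated before the local rules keeps rule 100003 from firing. The following Python is an added example written for this page; it is not OSSEC's decoder or rule engine. The regular expression is modelled only on the line shapes quoted in the thread, the rule table copies the quoted local rules (with the second 100004 renumbered to 100005), the bad-words rule is a constructed stand-in whose word list is invented for the example, and rule selection is a simplified first-match-in-order model that reproduces the symptom described, not OSSEC's actual ordering. The sequence-gap check at the end is the reason a defender wants the IOS counter decoded at all: a jump or repeat in it means messages were lost or duplicated between router and collector.

```python
import re
from typing import Optional

# Constructed sample lines in the three shapes quoted in the thread: syslog-server
# counter plus IOS counter, syslog-server counter only, and bare "show log" output.
SAMPLE_LINES = [
    "Aug 21 16:18:23 192.168.1.1 43: 000038: %SYS-5-CONFIG_I: Configured from console by vty0 (203.10.110.199)",
    "Aug 21 16:29:43 192.168.1.1 44: 000039: %SEC-6-IPACCESSLOGS: list 5 denied 203.20.69.66 1 packet",
    "Aug 21 16:30:24 192.168.1.1 45: %SYS-5-CONFIG_I: Configured from console by vty0 (203.10.110.199)",
    "Aug 21 16:34:49 192.168.1.1 46: %SEC-6-IPACCESSLOGS: list 5 denied 203.20.69.66 2 packets",
    "000039: %SEC-6-IPACCESSLOGS: list 5 denied 203.20.69.66 1 packet",
]

# Assumed line layout (built from the samples above, not from OSSEC's decoder):
#   [timestamp host ] [server_seq: ] [ios_seq: ] %FACILITY-SEVERITY-MNEMONIC: message
# The syslog-server counter is any run of digits; the IOS counter is zero-padded to
# six digits, so a bare six-digit prefix is treated as the IOS counter, never the
# server's (a server counter that is exactly six digits long would be misread).
IOS_SYSLOG = re.compile(
    r"^(?:(?P<timestamp>[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) )?"
    r"(?:(?P<server_seq>(?!\d{6}:)\d+): )?"   # syslog-server counter, e.g. "43:"
    r"(?:(?P<ios_seq>\d{6}): )?"              # IOS 'service sequence-numbers', e.g. "000038:"
    r"%(?P<facility>[A-Z0-9_]+)-(?P<severity>[0-7])-(?P<mnemonic>[A-Z0-9_]+): "
    r"(?P<message>.*)$"
)


def decode_ios(line: str) -> Optional[dict]:
    """Split one line into its fields; None for lines that are not IOS messages."""
    m = IOS_SYSLOG.match(line)
    if m is None:
        return None
    fields = m.groupdict()
    fields["severity"] = int(fields["severity"])
    return fields


# The local rules quoted in the thread (second 100004 renumbered to 100005).
LOCAL_RULES = [
    {"id": 100002, "level": 5, "match": "%SYS-5-CONFIG_I",     "description": "Configuration change detected."},
    {"id": 100003, "level": 7, "match": "%SEC-6-IPACCESSLOGS", "description": "Unauthorized access."},
    {"id": 100004, "level": 9, "match": "%LINEPROTO-5-UPDOWN", "description": "Line protocol UP/DOWN."},
    {"id": 100005, "level": 9, "match": "%LINK-3-UPDOWN",      "description": "Link state UP/DOWN."},
]

# Constructed stand-in for the generic syslog "bad words" rule the post says has to be
# edited; the word list is invented for this example.
BAD_WORDS_RULE = {"id": 1002, "level": 2, "match": "denied|failed|refused",
                  "description": "Generic bad-words match (stand-in)."}


def rule_hits(rule: dict, line: str) -> bool:
    """<match>-style test: plain substrings, with '|' separating alternatives."""
    return any(alt in line for alt in rule["match"].split("|"))


def first_match(line: str, rules: list) -> Optional[dict]:
    """First rule in list order that hits the line.  Simplified model only: it shows
    how a generic rule placed ahead of the local ones masks them."""
    for rule in rules:
        if rule_hits(rule, line):
            return rule
    return None


def fired_ids(lines: list, rules: list) -> list:
    """Rule id chosen for each line, or None when nothing matched."""
    out = []
    for line in lines:
        rule = first_match(line, rules)
        out.append(rule["id"] if rule is not None else None)
    return out


def sequence_gaps(lines: list) -> list:
    """(previous, current) pairs where consecutive IOS counters are not n, n+1.
    A gap or repeat means messages were dropped or duplicated in transit."""
    anomalies, prev = [], None
    for line in lines:
        fields = decode_ios(line)
        if fields is None or fields["ios_seq"] is None:
            continue
        cur = int(fields["ios_seq"])
        if prev is not None and cur != prev + 1:
            anomalies.append((prev, cur))
        prev = cur
    return anomalies


if __name__ == "__main__":
    for line in SAMPLE_LINES:
        f = decode_ios(line)
        print(f["server_seq"], f["ios_seq"], f["facility"], f["severity"], f["mnemonic"])
    print("with bad-words rule first:", fired_ids(SAMPLE_LINES, [BAD_WORDS_RULE] + LOCAL_RULES))
    print("local rules only:        ", fired_ids(SAMPLE_LINES, LOCAL_RULES))
    print("sequence anomalies:      ", sequence_gaps(SAMPLE_LINES[:4]))
```

Running it shows the two %SEC-6-IPACCESSLOGS lines being claimed by the stand-in bad-words rule whenever it sits ahead of the local rules, and by 100003 once it is out of the way, which is the behaviour the post describes for the "denied" entry. The decoder also works on the bare "show log" form, which is convenient when comparing a collector's file against the router's own buffer.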
