Dan,

Thanks for the follow-up. I made the changes you suggested and it's detecting the rules as expected. Now the last step is to actually get it to issue the active-response with a firewall drop. Thank you!
-JA-

On Wednesday, May 3, 2017 at 4:40:18 PM UTC-5, dan (ddpbsd) wrote:
>
> On Wed, May 3, 2017 at 4:58 PM, dan (ddp) <ddp...@gmail.com> wrote:
> > On Wed, May 3, 2017 at 12:55 PM, Jason Aleksi <jason....@gmail.com> wrote:
> >> I am attempting to get OSSEC to read my ufw.log for port scan attempts. The
> >> ufw.log is reading and logging potential port scans. I've created a decoder
> >> to identify the log entries. I've also created a rule in the
> >> local_rules.xml. I'm OK with it using a firewall drop or host-deny.
> >>
> >> I have two problems:
> >>
> >> When I go to add the frequency and timeframe in the local_rules.xml, ossec
> >> does not like the configs and will not start. I remove those settings and
> >> it starts like a champ.
> >> Although the ossec-logtest is reading and decoding the logs correctly, the
> >> block is not occurring.
> >>
> >> I know I'm missing something, but I just can't pinpoint where I need to be
> >> looking. Can anyone offer any suggestions? Below are the configs and
> >> results.
> >>
> >> sudo vi /var/ossec/etc/ossec.conf
> >> <localfile>
> >>   <log_format>syslog</log_format>
> >>   <location>/var/log/ufw.log</location>
> >> </localfile>
> >>
> >> sudo vi /var/ossec/etc/decoder.xml
> >> <decoder name="ufw-log">
> >>   <parent>iptables</parent>
> >>   <prematch>^\.+ SRC=</prematch>
> >>   <regex>^\.+ SRC=(\S+) DST=(\S+) \.+ </regex>
> >>   <regex>\.+ PROTO=(\w+) </regex>
> >>   <regex>\.+ DPT=(\w+) </regex>
> >>   <order>srcip,dstip,protocol,dstport</order>
> >> </decoder>
> >>
> >> sudo vi /var/ossec/rules/local_rules.xml
> >> <group name="syslog,">
> >>   <rule id="4100" level="0" overwrite="yes">
> >>     <category>firewall</category>
> >>     <description>Firewall rules grouped.</description>
> >>   </rule>
> >>
> >>   <rule id="100101" level="10" frequency="3" timeframe="60">
> >>     <if_sid>4100</if_sid>
> >>     <action>DROP</action>
> >
> > Your decoder does not decode "action."
> > So this should never match.
>
> Here is a decoder with action filled out:
> <decoder name="ufw-log">
>   <parent>iptables</parent>
>   <prematch>^\.+ SRC=</prematch>
>   <regex>^\.+ [UFW (\S+)] \.+ SRC=(\S+) DST=(\S+) \.+ </regex>
>   <regex>\.+ PROTO=(\w+) </regex>
>   <regex>\.+ DPT=(\w+) </regex>
>   <order>action,srcip,dstip,protocol,dstport</order>
> </decoder>
>
> And the rules when running ossec-logtest:
> # cat /tmp/xxx | /var/ossec/bin/ossec-logtest -q
> 2017/05/03 17:30:43 ossec-testrule: INFO: Reading the lists file: 'rules/lists/ossec.block'
> 2017/05/03 17:30:43 ossec-analysisd: Invalid use of frequency/context options. Missing if_matched on rule '100101'.
> 2017/05/03 17:30:43 ossec-testrule(1220): ERROR: Error loading the rules: 'rules/rules.d//99-local_rules.xml'.
>
> I'm not sure what you've changed in 4100, so I'm removing it from my tests.
> It also doesn't look like the log message is matching 4100, so I'll
> modify the decoder again:
> <decoder name="ufw-log">
>   <parent>iptables</parent>
>   <prematch>^\.+ SRC=</prematch>
>   <regex>^\.+ [UFW (\S+)] \.+ SRC=(\S+) DST=(\S+) \.+ </regex>
>   <regex>\.+ PROTO=(\w+) </regex>
>   <regex>\.+ DPT=(\w+) </regex>
>   <order>action,srcip,dstip,protocol,dstport</order>
>   <type>firewall</type>
> </decoder>
>
> Now it matches:
> **Phase 1: Completed pre-decoding.
>        full event: 'May 1 05:04:07 buzzell kernel: [2133233.578654] [UFW BLOCK] IN=enp5s0 OUT= MAC=b8:97:5a:b1:0b:c6:04:18:d6:f0:7d:51:08:00 SRC=192.168.18.53 DST=192.168.17.8 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=46997 DF PROTO=TCP SPT=47144 DPT=8880 WINDOW=29200 RES=0x00 SYN URGP=0'
>        hostname: 'buzzell'
>        program_name: 'kernel'
>        log: '[2133233.578654] [UFW BLOCK] IN=enp5s0 OUT= MAC=b8:97:5a:b1:0b:c6:04:18:d6:f0:7d:51:08:00 SRC=192.168.18.53 DST=192.168.17.8 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=46997 DF PROTO=TCP SPT=47144 DPT=8880 WINDOW=29200 RES=0x00 SYN URGP=0'
>
> **Phase 2: Completed decoding.
>        decoder: 'iptables'
>        action: 'BLOCK'
>        srcip: '192.168.18.53'
>        dstip: '192.168.17.8'
>        proto: 'TCP'
>        dstport: '8880'
>
> **Phase 3: Completed filtering (rules).
>        Rule id: '4100'
>        Level: '0'
>        Description: 'Firewall rules grouped.'
>
> The sample logs I've used have BLOCK instead of DROP, so I'd modify
> the rule like this:
> <rule id="100101" level="10" frequency="3" timeframe="60">
>   <if_matched_sid>4100</if_matched_sid>
>   <action>BLOCK</action>
>   <options>alert_by_email</options>
>   <description>Firewall drop event.</description>
>   <group>firewall_drop,</group>
> </rule>
>
> Notice I also changed the if_sid to if_matched_sid, as indicated in the
> error.
>
> >>     <options>alert_by_email</options>
> >>     <description>Firewall drop event.</description>
> >>     <group>firewall_drop,</group>
> >>   </rule>
> >> </group>
> >>
> >>
> >> root@node-01:/var/ossec# bin/ossec-logtest
> >> 2017/05/03 11:47:16 ossec-testrule: INFO: Reading local decoder file.
> >> 2017/05/03 11:47:16 ossec-testrule: INFO: Started (pid: 10779).
> >> ossec-testrule: Type one log per line.
> >>
> >> Apr 25 16:48:26 node-01 kernel: [89761.953207] [UFW BLOCK] IN=ens33 OUT= MAC=00:0c:29:37:7b:ce:00:50:56:c0:00:08:08:00 SRC=10.0.1.1 DST=10.0.1.25 LEN=44 TOS=0x00 PREC=0x00 TTL=44 ID=47998 PROTO=TCP SPT=47528 DPT=443 WINDOW=1024 RES=0x00 SYN URGP=0
> >>
> >>
> >> **Phase 1: Completed pre-decoding.
> >>        full event: 'Apr 25 16:48:26 node-01 kernel: [89761.953207] [UFW BLOCK] IN=ens33 OUT= MAC=00:0c:29:37:7b:ce:00:50:56:c0:00:08:08:00 SRC=10.0.1.1 DST=10.0.1.25 LEN=44 TOS=0x00 PREC=0x00 TTL=44 ID=47998 PROTO=TCP SPT=47528 DPT=443 WINDOW=1024 RES=0x00 SYN URGP=0'
> >>        hostname: 'node-01'
> >>        program_name: 'kernel'
> >>        log: '[89761.953207] [UFW BLOCK] IN=ens33 OUT= MAC=00:0c:29:37:7b:ce:00:50:56:c0:00:08:08:00 SRC=10.0.1.1 DST=10.0.1.25 LEN=44 TOS=0x00 PREC=0x00 TTL=44 ID=47998 PROTO=TCP SPT=47528 DPT=443 WINDOW=1024 RES=0x00 SYN URGP=0'
> >>
> >> **Phase 2: Completed decoding.
> >>        decoder: 'iptables'
> >>        srcip: '10.0.1.1'
> >>        dstip: '10.0.1.25'
> >>        proto: 'TCP'
> >>        dstport: '443'
> >>
> >>
> >> Suggestions on where to look?
> >>
> >> FWIW: I have been using PSAD for portscan detection, but I would like to
> >> just use OSSEC and eliminate an additional service running; keeping all my
> >> security logs and security troubleshooting in one place.
> >>
> >> --
> >>
> >> ---
> >> You received this message because you are subscribed to the Google Groups
> >> "ossec-list" group.
> >> To unsubscribe from this group and stop receiving emails from it, send an
> >> email to ossec-list+...@googlegroups.com.
> >> For more options, visit https://groups.google.com/d/optout.
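The following is an added example and not part of the thread or of OSSEC: a small Python model of what Dan's decoder and the frequency/timeframe rule do to ufw.log lines, run over a constructed sample. It adds two things the rule in the thread does not have and that a port-scan rule needs in practice: per-source counting (what `<same_source_ip />` does in OSSEC; without it, BLOCK events from every host are pooled into one counter, so three unrelated drops from three hosts would fire the rule) and a white list standing in for `<global><white_list>` in ossec.conf, so the source in the posted sample, 10.0.1.1, is alerted on but never handed to firewall-drop if it happens to be the gateway. The regexes are Python `re` approximations of the OSSEC decoder fields, the log lines, hostname, MAC and counters are made up, and the "fires on the Nth event" behaviour is this model's assumption, not a statement about analysisd's exact arithmetic.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Python re approximations of the decoder fields in the thread
# (action, srcip, dstip, protocol, dstport).  OSSEC's OS_Regex is a
# different dialect ("[UFW (\S+)]" there has literal brackets), so this
# models the decoder rather than reusing it.
SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<prog>\S+?): (?P<msg>.*)$"
)
UFW_RE = re.compile(
    r"\[UFW (?P<action>\S+)\] .*?"
    r"SRC=(?P<srcip>\S+) DST=(?P<dstip>\S+) .*?"
    r"PROTO=(?P<protocol>\w+) .*?"
    r"DPT=(?P<dstport>\w+)"
)


def decode(line, year=2017):
    """Decode one ufw.log line into the decoder's fields plus a timestamp
    (syslog lines carry no year, so one is assumed).  None if no match."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    f = UFW_RE.search(m.group("msg"))
    if not f:
        return None
    event = f.groupdict()
    event["hostname"] = m.group("host")
    event["timestamp"] = datetime.strptime(
        f"{year} {m.group('ts')}", "%Y %b %d %H:%M:%S")
    return event


class PortScanRule:
    """Model of rule 100101 (<if_matched_sid>4100 + frequency/timeframe +
    <action>BLOCK</action>) with per-source counting (<same_source_ip/>)
    and a white list (<global><white_list>).  Fires on the Nth BLOCK from
    one source inside the timeframe, then resets that source's counter."""

    def __init__(self, frequency=3, timeframe=60, action="BLOCK",
                 white_list=()):
        self.frequency = frequency
        self.timeframe = timedelta(seconds=timeframe)
        self.action = action
        self.white_list = set(white_list)
        self.recent = defaultdict(deque)  # srcip -> (timestamp, dstport)

    def feed(self, event):
        """Alert dict if this event makes the rule fire, else None.  A
        whitelisted source still alerts, but active_response is False."""
        if event is None or event["action"] != self.action:
            return None
        window = self.recent[event["srcip"]]
        window.append((event["timestamp"], event["dstport"]))
        while window and event["timestamp"] - window[0][0] > self.timeframe:
            window.popleft()          # drop hits older than the timeframe
        if len(window) < self.frequency:
            return None
        ports = sorted({p for _, p in window}, key=int)
        window.clear()
        return {
            "rule_id": 100101, "level": 10, "srcip": event["srcip"],
            "dstports": ports,
            "active_response": event["srcip"] not in self.white_list,
        }


def run(lines, rule):
    """Push every line through decode() and the rule; return the alerts."""
    return [a for a in (rule.feed(decode(line)) for line in lines) if a]


def ufw_line(ts, src, dst, dport, action="BLOCK"):
    """Construct a ufw.log line in the format seen in the thread; the
    interface, MAC and header fields are made up for the example."""
    return (f"{ts} node-01 kernel: [89761.953207] [UFW {action}] IN=ens33 "
            f"OUT= MAC=00:0c:29:37:7b:ce:00:50:56:c0:00:08:08:00 SRC={src} "
            f"DST={dst} LEN=44 TOS=0x00 PREC=0x00 TTL=44 ID=47998 PROTO=TCP "
            f"SPT=47528 DPT={dport} WINDOW=1024 RES=0x00 SYN URGP=0")


# Constructed traffic: 192.168.18.53 probes three ports in eight seconds;
# 10.0.1.1 (the SRC in the posted sample, treated here as the gateway)
# also reaches the threshold but is whitelisted.  An ALLOW is not counted.
SAMPLE_LOG = [
    ufw_line("Apr 25 16:48:26", "192.168.18.53", "10.0.1.25", 22),
    ufw_line("Apr 25 16:48:27", "10.0.1.1", "10.0.1.25", 443),
    ufw_line("Apr 25 16:48:30", "192.168.18.53", "10.0.1.25", 80),
    ufw_line("Apr 25 16:48:31", "192.168.18.53", "10.0.1.25", 8080, "ALLOW"),
    ufw_line("Apr 25 16:48:34", "192.168.18.53", "10.0.1.25", 443),  # 3rd BLOCK
    ufw_line("Apr 25 16:49:00", "10.0.1.1", "10.0.1.25", 22),
    ufw_line("Apr 25 16:49:05", "10.0.1.1", "10.0.1.25", 23),        # 3rd BLOCK
    ufw_line("Apr 25 16:52:00", "192.168.18.53", "10.0.1.25", 3389),  # alone
]

if __name__ == "__main__":
    rule = PortScanRule(frequency=3, timeframe=60, white_list=["10.0.1.1"])
    for alert in run(SAMPLE_LOG, rule):
        print(alert)
```

To check the same behaviour in OSSEC itself, add `<same_source_ip />` to rule 100101, feed a handful of BLOCK lines from one source into ossec-logtest and confirm Phase 3 reports rule 100101 rather than stopping at 4100. Two caveats: the OSSEC rules-syntax documentation states that the number of events that actually triggers a frequency rule is two more than the attribute value, so do not assume the third event fires as it does in this model, and firewall-drop acts on the decoded srcip, so if 10.0.1.1 in the posted sample is the gateway or NAT router it belongs in `<white_list>` before the response is enabled. Once 100101 fires at level 10 it already exceeds the `<level>6</level>` the stock ossec.conf uses on its firewall-drop `<active-response>` entry (or bind it explicitly with `<rules_id>100101</rules_id>`); if nothing gets dropped, look in /var/ossec/logs/active-responses.log and check that ossec-execd is running.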