I've read the posts on the decoder.xml, but I still can't quite figure out what is going on here... As I understand it, the second rule in the default firewall rules should fire if there are more than 16 hits from the same IP in 45 seconds. So if I run an insane nmap from a machine, it should get blocked, right?

It's not...

I think the decoder is missing the srcip from my firewall log. I'm running SuSE 10.1 and the default SuSEfirewall2. Nothing fancy on this box for the firewall rules. Here's a sample from the syslog firewall.log:

Aug 17 10:03:37 myhostname kernel: SFW2-INext-DROP-DEFLT IN=eth0 OUT= MAC=00:08:02:da:c8:51:00:0f:f7:74:31:8a:08:00 SRC="" DST=1.2.3.194 LEN=28 TOS=0x00 PREC=0x00 TTL=44 ID=60200 PROTO=ICMP TYPE=8 CODE=0 ID=10466 SEQ=21229
Aug 17 10:03:37 myhostname kernel: SFW2-INext-DROP-DEFLT IN=eth0 OUT= MAC=00:08:02:da:c8:51:00:0f:f7:74:31:8a:08:00 SRC="" DST=1.2.3.194 LEN=40 TOS=0x00 PREC=0x00 TTL=49 ID=46512 PROTO=TCP SPT=56113 DPT=80 WINDOW=3072 RES=0x00 ACK URGP=0
Aug 17 10:03:37 myhostname kernel: SFW2-INext-DROP-DEFLT IN=eth0 OUT= MAC=00:08:02:da:c8:51:00:0f:f7:74:31:8a:08:00 SRC="" DST=1.2.3.194 LEN=28 TOS=0x00 PREC=0x00 TTL=51 ID=11781 PROTO=ICMP TYPE=8 CODE=0 ID=10466 SEQ=21485
Aug 17 10:03:37 myhostname kernel: SFW2-INext-DROP-DEFLT IN=eth0 OUT= MAC=00:08:02:da:c8:51:00:0f:f7:74:31:8a:08:00 SRC="" DST=1.2.3.194 LEN=40 TOS=0x00 PREC=0x00 TTL=57 ID=55879 PROTO=TCP SPT=56109 DPT=80 WINDOW=3072 RES=0x00 ACK URGP=0
Aug 17 10:03:58 myhostname kernel: SFW2-INext-DROP-DEFLT IN=eth0 OUT= MAC=00:08:02:da:c8:51:00:0f:f7:74:31:8a:08:00 SRC="" DST=1.2.3.194 LEN=28 TOS=0x00 PREC=0x00 TTL=55 ID=18094 PROTO=ICMP TYPE=8 CODE=0 ID=33513 SEQ=11805
Aug 17 10:03:58 myhostname kernel: SFW2-INext-DROP-DEFLT IN=eth0 OUT= MAC=00:08:02:da:c8:51:00:0f:f7:74:31:8a:08:00 SRC="" DST=1.2.3.194 LEN=40 TOS=0x00 PREC=0x00 TTL=44 ID=48370 PROTO=TCP SPT=54589 DPT=80 WINDOW=2048 RES=0x00 ACK URGP=0
Aug 17 10:03:58 myhostname kernel: SFW2-INext-DROP-DEFLT IN=eth0 OUT= MAC=00:08:02:da:c8:51:00:0f:f7:74:31:8a:08:00 SRC="" DST=1.2.3.194 LEN=28 TOS=0x00 PREC=0x00 TTL=44 ID=39406 PROTO=ICMP TYPE=8 CODE=0 ID=33513 SEQ=12061
Aug 17 10:03:58 myhostname kernel: SFW2-INext-DROP-DEFLT IN=eth0 OUT= MAC=00:08:02:da:c8:51:00:0f:f7:74:31:8a:08:00 SRC="" DST=1.2.3.194 LEN=40 TOS=0x00 PREC=0x00 TTL=41 ID=15291 PROTO=TCP SPT=54590 DPT=80 WINDOW=3072 RES=0x00 ACK URGP=0
Aug 17 10:05:01 myhostname kernel: SFW2-INext-DROP-DEFLT IN=eth0 OUT= MAC=00:08:02:da:c8:51:00:0f:f7:74:31:8a:08:00 SRC="" DST=1.2.3.194 LEN=446 TOS=0x00 PREC=0x00 TTL=45 ID=23451 DF PROTO=TCP SPT=80 DPT=10634 WINDOW=1716 RES=0x00 ACK PSH FIN URGP=0 OPT (0101080A6B711D860028094B)
Aug 17 10:05:09 myhostname kernel: SFW2-INext-DROP-DEFLT IN=eth0 OUT= MAC=00:08:02:da:c8:51:00:0f:f7:74:31:8a:08:00 SRC="" DST=1.2.3.194 LEN=446 TOS=0x00 PREC=0x00 TTL=45 ID=38538 DF PROTO=TCP SPT=80 DPT=1595 WINDOW=1716 RES=0x00 ACK PSH FIN URGP=0 OPT (0101080A6B713B4F002813F7)

However, if I look at the ossec firewall log in /opt/ossec/logs/firewall/firewall.log, all of the entries look like this:

2006 Aug 17 10:02:19 UNKNOWN 80 1.2.3.194:10634->TCP:(null)
2006 Aug 17 10:02:29 UNKNOWN 80 1.2.3.194:1595->TCP:(null)
2006 Aug 17 10:03:13 UNKNOWN 80 1.2.3.194:10634->TCP:(null)
2006 Aug 17 10:03:23 UNKNOWN 80 1.2.3.194:1595->TCP:(null)
2006 Aug 17 10:03:39 UNKNOWN 56113 1.2.3.194:80->TCP:(null)
2006 Aug 17 10:03:39 UNKNOWN 56109 1.2.3.194:80->TCP:(null)
2006 Aug 17 10:03:59 UNKNOWN 54589 1.2.3.194:80->TCP:(null)
2006 Aug 17 10:03:59 UNKNOWN 54590 1.2.3.194:80->TCP:(null)
2006 Aug 17 10:05:03 UNKNOWN 80 1.2.3.194:10634->TCP:(null)
2006 Aug 17 10:05:11 UNKNOWN 80 1.2.3.194:1595->TCP:(null)

I'm guessing this may have something to do with the options SuSE gives to all of the log statements? (LOG flags 6 level 4 prefix someprefix)

Thanks,

G E Scott Knauss [EMAIL PROTECTED]  or  [EMAIL PROTECTED]
ECRNOC Naples, IT [EMAIL PROTECTED]
Lead Network Engineer  
DSN: 314-626-4854
Comm: 39-333-224-9323
Cell: 39-333-224-9323
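Added example (my own, not the poster's code and not OSSEC's decoder): a parser that reads the SuSEfirewall2 lines above by key instead of by position, so the empty SRC="" becomes a missing source IP rather than shifting DST/PROTO/SPT into the wrong slots, plus a sliding-window count emulating the "more than 16 drops from one IP in 45 seconds" check, which shows that drops with no source IP can never reach the threshold. The 10.0.0.5 line, the function names and the 2006 year default are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# One line from the post (SRC="" exactly as SuSEfirewall2 logged it) and one
# constructed line with a populated SRC, so both cases are exercised.
SAMPLE = [
    'Aug 17 10:03:37 myhostname kernel: SFW2-INext-DROP-DEFLT IN=eth0 OUT= MAC=00:08:02:da:c8:51:00:0f:f7:74:31:8a:08:00 SRC="" DST=1.2.3.194 LEN=40 TOS=0x00 PREC=0x00 TTL=49 ID=46512 PROTO=TCP SPT=56113 DPT=80 WINDOW=3072 RES=0x00 ACK URGP=0',
    'Aug 17 10:03:40 myhostname kernel: SFW2-INext-DROP-DEFLT IN=eth0 OUT= MAC=00:08:02:da:c8:51:00:0f:f7:74:31:8a:08:00 SRC=10.0.0.5 DST=1.2.3.194 LEN=40 TOS=0x00 PREC=0x00 TTL=49 ID=1 PROTO=TCP SPT=40000 DPT=22 WINDOW=3072 RES=0x00 SYN URGP=0',
]

HEADER = re.compile(r'^(\w{3} +\d+ \d\d:\d\d:\d\d) \S+ kernel: (\S+) (.*)$')
KV = re.compile(r'(\w+)=("[^"]*"|\S*)')

def parse_sfw2(line, year=2006):
    """Parse one SuSEfirewall2 kernel log line into named fields.
    Values are looked up by key, never by position, so an empty SRC=""
    cannot push DST/PROTO/SPT into the wrong slots; it becomes None."""
    m = HEADER.match(line)
    if not m:
        return None
    ts = datetime.strptime(f'{year} {m.group(1)}', '%Y %b %d %H:%M:%S')
    fields = {}
    for key, val in KV.findall(m.group(3)):
        fields.setdefault(key, val.strip('"'))  # first ID= wins, quotes dropped
    return {'ts': ts, 'action': 'DROP' if '-DROP-' in m.group(2) else 'UNKNOWN',
            'proto': fields.get('PROTO'), 'srcip': fields.get('SRC') or None,
            'dstip': fields.get('DST') or None, 'srcport': fields.get('SPT'),
            'dstport': fields.get('DPT')}

def sources_over_threshold(events, limit=16, window=45):
    """Emulate the 'more than `limit` drops from one IP within `window` seconds'
    check the post expects to block the scanner. Returns the flagged source IPs
    and the number of drops that carried no source IP (those never count)."""
    recent = defaultdict(deque)
    flagged, unattributed = set(), 0
    for ev in sorted(events, key=lambda e: e['ts']):
        if ev['srcip'] is None:
            unattributed += 1
            continue
        q = recent[ev['srcip']]
        q.append(ev['ts'])
        while (ev['ts'] - q[0]).total_seconds() > window:
            q.popleft()
        if len(q) > limit:
            flagged.add(ev['srcip'])
    return flagged, unattributed
```

Feeding the two ICMP/TCP lines from the post through `parse_sfw2` gives `srcip=None` for every one of them, which is why no per-IP threshold can ever trip on this box until the SRC field is populated.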