Hey, I posted my findings when I ran the upgrade.
Why weren't my findings allowed to be posted???

On Sep 3, 11:27 am, "Daniel Cid" <[EMAIL PROTECTED]> wrote:
> Hi,
>
> I made some fixes to the Cisco IOS decoder and it should work now with the
> sequence numbers. However, your syslog server should not add
> additional sequence numbers, because it is against the RFC.
>
> If you can try it out (just run the upgrade option):
>
> http://www.ossec.net/files/snapshots/ossec-hids-070902.tar.gz
>
> Btw, nice local rules :)
>
> Thanks,
>
> --
> Daniel B. Cid
> dcid ( at ) ossec.net
>
> On 8/31/07, [EMAIL PROTECTED] <[EMAIL PROTECTED]> wrote:
>
> > Refer to this thread about a similar discussion:
>
> >http://groups.google.com/group/ossec-list/browse_thread/thread/f78e99...
>
> > Below is a snip from the thread above which shows you the sequence
> > numbers.
>
> > Here I have enabled service sequence-numbers on the router. From the
> > log file, you can
> > see the sequence numbers of the IOS logs are 000038 and 000039. I
> > believe the 43 and 44 are sequence numbers generated by the syslog
> > server (correct me if I am wrong).
>
> > Aug 21 16:18:23 192.168.1.1 43: 000038: %SYS-5-CONFIG_I: Configured
> > from console by vty0 (203.10.110.199)
> > Aug 21 16:29:43 192.168.1.1 44: 000039: %SEC-6-IPACCESSLOGS: list 5
> > denied 203.20.69.66 1 packet
>
> > And here I have entered "no service sequence-numbers" on the router.
> > From the log file, you can see there are no longer any IOS sequence
> > numbers like 0000xx.
>
> > Aug 21 16:30:24 192.168.1.1 45: %SYS-5-CONFIG_I: Configured from
> > console by vty0 (203.10.110.199)
> > Aug 21 16:34:49 192.168.1.1 46: %SEC-6-IPACCESSLOGS: list 5 denied
> > 203.20.69.66 2 packets
>
> > Contrast the above four lines of log with what I see on my router
> > when I do a "show log":
>
> > 000038: %SYS-5-CONFIG_I: Configured from console by vty0
> > (203.10.110.199)
> > 000039: %SEC-6-IPACCESSLOGS: list 5 denied 203.20.69.66 1 packet
> > %SYS-5-CONFIG_I: Configured from console by vty0 (203.10.110.199)
> > %SEC-6-IPACCESSLOGS: list 5 denied 203.20.69.66 2 packets
>
> > -----
>
> > I haven't been able to get the OSSEC decoder to properly understand
> > cisco-ios_rules.xml. None of the rules fire at all even after I follow
> > what's on the wiki:
>
> >http://www.ossec.net/wiki/index.php/PIX_and_IOS_Syslog_Config_example...
>
> > I'm not really a coder nor have extensive regex experience so I've
> > given up. To get Ossec to read my cisco logs I just create my rules
> > and place them inside the local_rules.xml and then restart OSSEC. You
> > will also have to edit the "BAD_WORDS" list in syslog_rules.xml and
> > remove the word "denied" else rule id 100003 below won't fire.
>
> > Example:
>
> > <rule id="100002" level="5">
> >     <match>%SYS-5-CONFIG_I</match>
> >     <description>Configuration change detected.</description>
> > </rule>
>
> > <rule id="100003" level="7">
> >     <match>%SEC-6-IPACCESSLOGS</match>
> >     <description>Unauthorized access.</description>
> > </rule>
>
> > <rule id="100004" level="9">
> >     <match>%LINEPROTO-5-UPDOWN</match>
> >     <description>Line protocol UP/DOWN.</description>
> > </rule>
>
> > <rule id="100005" level="9">
> >     <match>%LINK-3-UPDOWN</match>
> >     <description>Link state UP/DOWN.</description>
> > </rule>
>
> > I haven't loaded /bin/ossec-remoted as outlined in the wiki and simply
> > told Ossec to monitor my cisco log file (/var/log/cisco.log). This is
> > because I also log a lot of other things on the system and do not want
> > to disable the syslog daemon so that Ossec can use UDP port 514 to
> > monitor incoming Cisco IOS logs.
>
> > Edit and add to /etc/ossec.conf the cisco log file to monitor.
>
> >   <localfile>
> >     <log_format>syslog</log_format>
> >     <location>/var/log/cisco.log</location>
> >   </localfile>
>
> > If you want to use /bin/ossec-remoted , this wiki entry might help you
> > out:
>
> >http://www.ossec.net/wiki/index.php/Know_How:Syslog_Config
>
> > As far as I know Cisco IOS doesn't give you the option to send IOS
> > logs on a different UDP port so you either turn off syslog and let
> > OSSEC use UDP port 514 or you keep syslog running and tell Ossec which
> > log file to monitor.
>
> > Hope that helps some people.
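Added example, not code from the thread or from OSSEC itself: a small Python parser for the log lines quoted above that separates the syslog-server sequence number ("43:") from the IOS one ("000038:"), applies the post's local `<match>` rules as the plain substring tests OSSEC performs, and uses the IOS sequence numbers to spot messages that never reached the server. The fifth log line, the gap check and the renumbered rule id 100005 are constructed for illustration.

```python
import re

# One Cisco IOS message as written to the syslog server's file. Both sequence
# numbers are optional: "43:" is prepended by the syslog server, "000038:" by
# IOS when "service sequence-numbers" is enabled on the router.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?:(?P<srv_seq>(?!\d{6}: %)\d+): )?"  # server seq, unless the number
    r"(?:(?P<ios_seq>\d{6}): )?"            # is really the IOS one
    r"(?P<mnemonic>%[A-Z0-9_]+-(?P<sev>[0-7])-[A-Z0-9_]+): (?P<msg>.*)$"
)
# Local rules from the post; the second UP/DOWN rule is renumbered (ids must be unique).
LOCAL_RULES = [
    (100002, 5, "%SYS-5-CONFIG_I"),
    (100003, 7, "%SEC-6-IPACCESSLOGS"),
    (100004, 9, "%LINEPROTO-5-UPDOWN"),
    (100005, 9, "%LINK-3-UPDOWN"),
]
# Constructed sample: the four lines quoted in the thread plus one made-up
# line (000041) so that a sequence gap is visible.
SAMPLE = [
    "Aug 21 16:18:23 192.168.1.1 43: 000038: %SYS-5-CONFIG_I: Configured from console by vty0 (203.10.110.199)",
    "Aug 21 16:29:43 192.168.1.1 44: 000039: %SEC-6-IPACCESSLOGS: list 5 denied 203.20.69.66 1 packet",
    "Aug 21 16:30:24 192.168.1.1 45: %SYS-5-CONFIG_I: Configured from console by vty0 (203.10.110.199)",
    "Aug 21 16:34:49 192.168.1.1 46: %SEC-6-IPACCESSLOGS: list 5 denied 203.20.69.66 2 packets",
    "Aug 21 16:40:00 192.168.1.1 47: 000041: %LINK-3-UPDOWN: Interface FastEthernet0/1, changed state to down",
]

def parse_ios_line(line):
    """Fields of one syslog-file line, or None if it is not a Cisco IOS message."""
    m = LINE_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    d["sev"] = int(d["sev"])
    d["srv_seq"] = int(d["srv_seq"]) if d["srv_seq"] else None
    d["ios_seq"] = int(d["ios_seq"]) if d["ios_seq"] else None
    return d

def match_rule(line):
    """(id, level) of the first rule whose <match> text occurs in the line; OSSEC <match> is a substring test."""
    for rid, level, needle in LOCAL_RULES:
        if needle in line:
            return (rid, level)
    return None

def ios_sequence_gaps(lines):
    """IOS sequence numbers missing between consecutive numbered messages: lines that never reached the server."""
    seqs = [p["ios_seq"] for p in map(parse_ios_line, lines) if p and p["ios_seq"] is not None]
    return [n for a, b in zip(seqs, seqs[1:]) for n in range(a + 1, b)]
```

Running `ios_sequence_gaps(SAMPLE)` reports `[40]`; the bare "show log" format (no timestamp or host) is deliberately rejected by `parse_ios_line`, since that is not what arrives in the syslog file.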
