Hey, I posted my findings when I ran the upgrade. Why weren't my findings allowed to be posted???
On Sep 3, 11:27 am, "Daniel Cid" <[EMAIL PROTECTED]> wrote:
> Hi,
>
> I made some fixes to the cisco IOS decoder and it should work now with the
> sequence numbers. However, your syslog server should not add
> additional sequence numbers, because it is against the RFC.
>
> If you can try it out (just run the upgrade option):
>
> http://www.ossec.net/files/snapshots/ossec-hids-070902.tar.gz
>
> Btw, nice local rules :)
>
> Thanks,
>
> --
> Daniel B. Cid
> dcid ( at ) ossec.net
>
> On 8/31/07, [EMAIL PROTECTED] <[EMAIL PROTECTED]> wrote:
> >
> > Refer to this thread about a similar discussion:
> >
> > http://groups.google.com/group/ossec-list/browse_thread/thread/f78e99...
> >
> > Below is a snip from the thread above which shows you the sequence
> > numbers.
> >
> > Here I have enabled service sequence-numbers on the router. From the
> > log file, you can see the sequence numbers of the IOS logs are 000038
> > and 000039. I believe the 43 and 44 are sequence numbers generated by
> > the syslog server (correct me if I am wrong).
> >
> > Aug 21 16:18:23 192.168.1.1 43: 000038: %SYS-5-CONFIG_I: Configured from console by vty0 (203.10.110.199)
> > Aug 21 16:29:43 192.168.1.1 44: 000039: %SEC-6-IPACCESSLOGS: list 5 denied 203.20.69.66 1 packet
> >
> > And here I have entered "no service sequence-numbers" on the router.
> > From the log file, you can see there are no longer any IOS sequence
> > numbers like 0000xx.
> >
> > Aug 21 16:30:24 192.168.1.1 45: %SYS-5-CONFIG_I: Configured from console by vty0 (203.10.110.199)
> > Aug 21 16:34:49 192.168.1.1 46: %SEC-6-IPACCESSLOGS: list 5 denied 203.20.69.66 2 packets
> >
> > Contrast the above four lines of log with what I see on my router
> > when I do a "show log":
> >
> > 000038: %SYS-5-CONFIG_I: Configured from console by vty0 (203.10.110.199)
> > 000039: %SEC-6-IPACCESSLOGS: list 5 denied 203.20.69.66 1 packet
> > %SYS-5-CONFIG_I: Configured from console by vty0 (203.10.110.199)
> > %SEC-6-IPACCESSLOGS: list 5 denied 203.20.69.66 2 packets
> >
> > -----
> >
> > I haven't been able to get the OSSEC decoder to properly understand
> > cisco-ios_rules.xml. None of the rules fire at all even after I follow
> > what's on the wiki:
> >
> > http://www.ossec.net/wiki/index.php/PIX_and_IOS_Syslog_Config_example...
> >
> > I'm not really a coder nor do I have extensive regex experience, so I've
> > given up. To get OSSEC to read my cisco logs I just create my rules
> > and place them inside the local_rules.xml and then restart OSSEC. You
> > will also have to edit the "BAD_WORDS" list in syslog_rules.xml and
> > remove the word "denied", else rule id 100003 below won't fire.
> >
> > Example:
> >
> > <rule id="100002" level="5">
> >   <match>%SYS-5-CONFIG_I</match>
> >   <description>Configuration change detected.</description>
> > </rule>
> >
> > <rule id="100003" level="7">
> >   <match>%SEC-6-IPACCESSLOGS</match>
> >   <description>Unauthorized access.</description>
> > </rule>
> >
> > <rule id="100004" level="9">
> >   <match>%LINEPROTO-5-UPDOWN</match>
> >   <description>Line protocol UP/DOWN.</description>
> > </rule>
> >
> > <rule id="100005" level="9">
> >   <match>%LINK-3-UPDOWN</match>
> >   <description>Link state UP/DOWN.</description>
> > </rule>
> >
> > I haven't loaded /bin/ossec-remoted as outlined in the wiki and simply
> > told OSSEC to monitor my cisco log file (/var/log/cisco.log). This is
> > because I also log a lot of other things on the system and do not want
> > to disable the syslog daemon so that OSSEC can use UDP port 514 to
> > monitor incoming Cisco IOS logs.
> >
> > Edit and add to /etc/ossec.conf the cisco log file to monitor.
> >
> > <localfile>
> >   <log_format>syslog</log_format>
> >   <location>/var/log/cisco.log</location>
> > </localfile>
> >
> > If you want to use /bin/ossec-remoted, this wiki entry might help you
> > out:
> >
> > http://www.ossec.net/wiki/index.php/Know_How:Syslog_Config
> >
> > As far as I know Cisco IOS doesn't give you the option to send IOS
> > logs on a different UDP port, so you either turn off syslog and let
> > OSSEC use UDP port 514 or you keep syslog running and tell OSSEC which
> > log file to monitor.
> >
> > Hope that helps some people.
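As an added example, not part of this thread or of OSSEC's own decoder, here is a small Python decoder that tolerates both the sequence number a syslog server prepends ("43:") and the IOS "service sequence-numbers" prefix ("000038:") discussed above, and then checks the decoded message against a rule table modelled on the quoted local rules. SAMPLE_LINES, RULES, LINE_RE and the function names are constructed for this example.

```python
import re
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed sample lines in the shapes quoted in the thread: syslog header,
# server-added "43:", optional IOS "000038:" prefix, and a bare "show log" line.
SAMPLE_LINES = [
    "Aug 21 16:18:23 192.168.1.1 43: 000038: %SYS-5-CONFIG_I: Configured from console by vty0 (203.10.110.199)",
    "Aug 21 16:29:43 192.168.1.1 44: 000039: %SEC-6-IPACCESSLOGS: list 5 denied 203.20.69.66 1 packet",
    "Aug 21 16:30:24 192.168.1.1 45: %SYS-5-CONFIG_I: Configured from console by vty0 (203.10.110.199)",
    "000039: %SEC-6-IPACCESSLOGS: list 5 denied 203.20.69.66 1 packet",
]
# Hypothetical rule table mirroring the local_rules.xml entries in the thread:
# (rule id, level, <match> substring, description). Applied in list order.
RULES = [
    (100002, 5, "%SYS-5-CONFIG_I", "Configuration change detected."),
    (100003, 7, "%SEC-6-IPACCESSLOGS", "Unauthorized access."),
    (100004, 9, "%LINEPROTO-5-UPDOWN", "Line protocol UP/DOWN."),
    (100005, 9, "%LINK-3-UPDOWN", "Link state UP/DOWN."),
]
# Optional syslog header, any number of "NNN: " sequence prefixes, then the
# IOS message, which always starts with %FACILITY-SEVERITY-MNEMONIC:
LINE_RE = re.compile(
    r"^(?:(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) )?"
    r"(?P<seqs>(?:\d+: )*)"
    r"(?P<msg>%(?P<facility>[A-Z0-9_]+)-(?P<severity>[0-7])-(?P<mnemonic>[A-Z0-9_]+): .*)$"
)

@dataclass
class CiscoEvent:
    host: Optional[str]          # None for lines copied from "show log"
    sequences: Tuple[str, ...]   # every "NNN:" prefix, whether server- or IOS-added
    facility: str
    severity: int
    mnemonic: str
    message: str                 # the %...-tagged text the rules match against

def decode(line: str) -> Optional[CiscoEvent]:
    """Decode one line; returns None if it is not a Cisco IOS message."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    seqs = tuple(s.rstrip(":") for s in m.group("seqs").split())
    return CiscoEvent(m.group("host"), seqs, m.group("facility"),
                      int(m.group("severity")), m.group("mnemonic"), m.group("msg"))

def match_rule(event: CiscoEvent):
    """First rule whose <match> substring occurs in the message, as (id, level, description)."""
    for rule_id, level, pattern, desc in RULES:
        if pattern in event.message:
            return rule_id, level, desc
    return None
```

Because the sequence prefixes are stripped before matching, the same rule fires for a line with both sequence numbers, with only one, or with none.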
