Hi Sherwin,

OSSEC parses this data and you can see it at
/var/ossec/logs/firewall/firewall.log, but currently
it is not storing that in the database. It only stores whatever is
written to the alerts.log, which does not
include the dstip, ports, etc. However, it is on our todo list to
handle that for the next release.

Thanks,

--
Daniel B. Cid
dcid ( at ) ossec.net



On Jan 11, 2008 1:57 PM, Sherwin P. William Abocejo
<[EMAIL PROTECTED]> wrote:
>
> Hi All,
>
> I'm just wondering why ossec 1.4 did not parse the Destination IP, Source
> Port and Destination Port and throw them in the database? I have this
>
> alert....
>
> OSSEC HIDS Notification.
> 2008 Jan 11 10:20:39
>
> Received From: sdnasim->192.168.32.1
> Rule: 4151 fired (level 10) -> "Multiple Firewall drop events from same
> source."
> Portion of the log(s):
>
> %PIX-7-710005: UDP request discarded from 192.168.32.43/138 to
> inside:192.168.32.255/netbios-dgm
> %PIX-7-710005: UDP request discarded from 192.168.32.43/137 to
> inside:192.168.32.255/netbios-ns
> %PIX-7-710005: UDP request discarded from 192.168.32.43/137 to
> inside:192.168.32.255/netbios-ns
> %PIX-7-710005: UDP request discarded from 192.168.32.43/137 to
> inside:192.168.32.255/netbios-ns
> %PIX-7-710005: UDP request discarded from 192.168.32.43/137 to
> inside:192.168.32.255/netbios-ns
> %PIX-7-710005: UDP request discarded from 192.168.32.43/137 to
> inside:192.168.32.255/netbios-ns
> %PIX-7-710005: UDP request discarded from 192.168.32.43/137 to
> inside:192.168.32.255/netbios-ns
> %PIX-7-710005: UDP request discarded from 192.168.32.43/138 to
> inside:192.168.32.255/netbios-dgm
> %PIX-7-710005: UDP request discarded from 192.168.32.43/137 to
> inside:192.168.32.255/netbios-ns
> %PIX-7-710005: UDP request discarded from 192.168.32.43/137 to
> inside:192.168.32.255/netbios-ns
>
>
>
>  --END OF NOTIFICATION
>
> -------------------
>
> Is it the design of ossec that it won't parse that info? Why are there
> such fields in the database when the values are always NULL?
>
> Sherwin
>
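The notification quoted above shows the raw PIX 710005 lines that carry the source IP, source port, destination IP and destination port the thread is asking about. The following parser is an added example written for this page; it is not OSSEC code and does not reflect how OSSEC's decoders or database schema work. It extracts those fields from the quoted log format and counts drops per source, which is the kind of aggregation rule 4151 ("Multiple Firewall drop events from same source") expresses. The `SERVICE_PORTS` mapping (PIX prints well-known service names instead of numbers) and all field names are assumptions of this example; the sample lines are constructed from the ones quoted in the thread.

```python
import re
from collections import Counter

# Constructed sample, copied from the notification quoted in this thread.
SAMPLE_LOG = """\
%PIX-7-710005: UDP request discarded from 192.168.32.43/138 to inside:192.168.32.255/netbios-dgm
%PIX-7-710005: UDP request discarded from 192.168.32.43/137 to inside:192.168.32.255/netbios-ns
%PIX-7-710005: UDP request discarded from 192.168.32.43/137 to inside:192.168.32.255/netbios-ns
%PIX-7-710005: UDP request discarded from 192.168.32.43/137 to inside:192.168.32.255/netbios-ns
%PIX-7-710005: UDP request discarded from 192.168.32.43/138 to inside:192.168.32.255/netbios-dgm
"""

# Assumption: PIX substitutes these IANA service names for numeric ports.
SERVICE_PORTS = {"netbios-ns": 137, "netbios-dgm": 138, "netbios-ssn": 139}

# Matches the "%PIX-<sev>-710005: <proto> request discarded from <ip>/<port>
# to [<iface>:]<ip>/<port>" shape seen in the quoted alert.
PIX_710005 = re.compile(
    r"^%PIX-\d-710005:\s+(?P<proto>\w+)\s+request\s+discarded\s+from\s+"
    r"(?P<srcip>\d{1,3}(?:\.\d{1,3}){3})/(?P<srcport>\S+)\s+to\s+"
    r"(?:(?P<dstif>[\w-]+):)?(?P<dstip>\d{1,3}(?:\.\d{1,3}){3})/(?P<dstport>\S+)\s*$"
)


def port_number(token):
    """Turn a numeric port or a known service name into an int (None if unknown)."""
    if token.isdigit():
        return int(token)
    return SERVICE_PORTS.get(token)


def parse_pix_710005(line):
    """Return a dict with srcip/srcport/dstip/dstport for one line, or None."""
    m = PIX_710005.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    return {
        "proto": d["proto"].lower(),
        "srcip": d["srcip"],
        "srcport": port_number(d["srcport"]),
        "dstif": d["dstif"],
        "dstip": d["dstip"],
        "dstport": port_number(d["dstport"]),
        "action": "drop",
    }


def drops_per_source(text):
    """Count discarded requests per source IP across a block of log lines."""
    counts = Counter()
    for line in text.splitlines():
        ev = parse_pix_710005(line)
        if ev is not None:
            counts[ev["srcip"]] += 1
    return counts


def noisy_sources(text, threshold):
    """Source IPs whose drop count reaches the threshold, most frequent first."""
    counts = drops_per_source(text)
    return [ip for ip, n in counts.most_common() if n >= threshold]


if __name__ == "__main__":
    for line in SAMPLE_LOG.splitlines():
        print(parse_pix_710005(line))
    print("sources at or above 5 drops:", noisy_sources(SAMPLE_LOG, 5))
```

Lines that do not match the 710005 pattern are skipped rather than raising, so the same loop can be run over a mixed firewall.log without stopping on other message IDs.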
