Hey, good work on this! Do you have more rules, decoders to share (or any fixes to these)? Also, is it alright for you if we include that on ossec?
Thanks,

--
Daniel B. Cid
dcid ( at ) ossec.net

On Sat, Mar 7, 2009 at 4:10 PM, cryogen <[email protected]> wrote:
> Greetings,
>
> I've made decoders for the ZoneAlarm firewall version 8+ and thought
> it might be useful to someone else too. I have some decoders for
> some of the program control aspects of ZoneAlarm, but I'm still
> testing them. I'm also still testing rules for all these. Both
> those will probably be posted later if anyone's interested. Feedback
> is appreciated.
>
> For fwpktlog.txt:
>
> Log samples:
>
> 965140 Packet DROPPED: Proto: IP_TCP Flags: 0x0000000a Src: 10.0.0.5 Dest: 10.0.0.1 SrcPort: 80 DstPort: 59687
> 2050156 Packet DROPPED: Proto: IP_UDP Flags: 0x00000002 Src: 10.0.0.3 Dest: 10.0.0.4 SrcPort: 137 DstPort: 137
> 3204609 Packet DROPPED: Proto: IP_ICMP Flags: 0x0000000a Src: 10.0.0.2 Dest: 10.0.0.1 Type ICMP_ECHO
>
> <decoder name="zonealarm-fwpktlog">
>   <prematch>^\d+ Packet \w+: Proto: </prematch>
>   <type>firewall</type>
> </decoder>
>
> <decoder name="zonealarm-fwpktlog-1">
>   <parent>zonealarm-fwpktlog</parent>
>   <type>firewall</type>
>   <regex>^\d+ Packet (\w+): Proto: IP_(\w+) Flags: \w+ </regex>
>   <regex>Src: (\d+.\d+.\d+.\d+) Dest: (\d+.\d+.\d+.\d+) </regex>
>   <order>action,protocol,srcip,dstip</order>
> </decoder>
>
> <decoder name="zonealarm-fwpktlog-1">
>   <parent>zonealarm-fwpktlog</parent>
>   <type>firewall</type>
>   <regex offset="after_regex">^SrcPort: (\d+) DstPort: (\d+)</regex>
>   <order>srcport,dstport</order>
> </decoder>
>
>
> For ZALog.txt:
>
> The ZALog.txt file can be delimited by commas (default), semicolons
> or tabs. These cover all possibilities. These should work on
> ZoneAlarm v7 as well but this hasn't been tested. This is included
> mainly for completeness, since the fwpktlog.txt file is much more
> useful.
>
> Note: for ZoneAlarm to log to the ZALog.txt file, you must set it to
> "Archive log files daily" in the Alerts and Logs preferences,
> otherwise, this file will not appear.
>
> Note 2: FYI, there may be double counting of packets between the
> fwpktlog.txt and ZALog.txt files. ZoneAlarm is rather militant about
> logging to fwpktlog.txt but not so much to ZALog.txt. Personally, I
> don't really care if the packets are counted twice since it typically
> isn't enough to trigger lockouts unexpectedly. If you care, just use
> the fwpktlog.txt decoder above instead of this one.
>
> Log samples (inbound and outbound traffic):
>
> FWIN,2008/09/22,15:04:34 -7:00 GMT,10.97.238.229:1493,10.12.67.21:1027,UDP
> FWIN,2008/09/22,22:22:08 -7:00 GMT,10.50.112.166:2413,10.18.69.21:5900,TCP (flags:S)
> FWOUT,2009/01/23,10:48:56 -8:00 GMT,10.12.67.21:138,10.18.69.21:138,UDP
> FWIN,2009/01/23,10:49:06 -8:00 GMT,10.12.67.21:0,10.13.68.22:0,ICMP (type:8/subtype:0)
>
> <decoder name="zonealarm-firewall">
>   <prematch>^FWIN|^FWOUT</prematch>
>   <type>firewall</type>
> </decoder>
>
> <decoder name="zonealarm-firewall-1">
>   <parent>zonealarm-firewall</parent>
>   <type>firewall</type>
>   <regex offset="after_parent">^,\d\d\d\d/\d\d/\d\d,\d+:\d+:\d+\.+,(\d+.\d+.\d+.\d+):(\d+),(\d+.\d+.\d+.\d+):(\d+),(\w+)|</regex>
>   <regex>^\t\d\d\d\d/\d\d/\d\d\t\d+:\d+:\d+\.+\t(\d+.\d+.\d+.\d+):(\d+)\t(\d+.\d+.\d+.\d+):(\d+)\t(\w+)|</regex>
>   <regex>^;\d\d\d\d/\d\d/\d\d;\d+:\d+:\d+\.+;(\d+.\d+.\d+.\d+):(\d+);(\d+.\d+.\d+.\d+):(\d+);(\w+)</regex>
>   <order>srcip,srcport,dstip,dstport,protocol</order>
> </decoder>
>
> Windows agent config:
>
> <localfile>
>   <location>C:\WINDOWS/Internet Logs/fwpktlog.txt</location>
>   <log_format>syslog</log_format>
> </localfile>
> <localfile>
>   <location>C:\WINDOWS/Internet Logs/ZALog.txt</location>
>   <log_format>syslog</log_format>
> </localfile>
>
> --cryogen
>
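An added example, not code from this thread or from OSSEC: the two ZoneAlarm decoders above translated by hand into Python regular expressions, so the fields each one would pull out can be checked against the posted sample lines (and against constructed semicolon and tab variants of ZALog.txt) offline, before the decoders go into a live decoder.xml. It goes slightly beyond the decoders by also capturing the FWIN/FWOUT direction from ZALog lines and by counting events per source address, which is the aggregation a frequency rule and any lockout built on it would depend on. OSSEC's own regex dialect differs from Python's (in OSSEC `\.` matches any character, which is how the decoder skips the time-zone field), so this approximates the decoders rather than reimplementing OSSEC's matcher; the `decode` and `count_by_srcip` function names are the example's own.

```python
import re

# fwpktlog.txt lines look like:
#   <n> Packet DROPPED: Proto: IP_TCP Flags: 0x... Src: a.b.c.d Dest: e.f.g.h SrcPort: p DstPort: q
# ICMP lines carry "Type ICMP_ECHO" instead of ports, so the port group is
# optional; this mirrors the chained "after_regex" child decoder in the mail,
# which only fires when "SrcPort:" follows the Dest address.
FWPKTLOG_RE = re.compile(
    r"^\d+ Packet (?P<action>\w+): Proto: IP_(?P<protocol>\w+) Flags: \w+ "
    r"Src: (?P<srcip>\d+\.\d+\.\d+\.\d+) Dest: (?P<dstip>\d+\.\d+\.\d+\.\d+)"
    r"(?: SrcPort: (?P<srcport>\d+) DstPort: (?P<dstport>\d+))?"
)

# ZALog.txt lines: FWIN/FWOUT, date, time + zone, src:port, dst:port, proto.
# The delimiter is whichever of ',', ';' or tab ZoneAlarm was set to; the
# backreference (?P=sep) forces one delimiter for the whole line, which is
# what the three alternative <regex> lines in the decoder achieve.
ZALOG_RE = re.compile(
    r"^(?P<direction>FWIN|FWOUT)(?P<sep>[,;\t])"
    r"\d{4}/\d{2}/\d{2}(?P=sep)[^,;\t]*(?P=sep)"
    r"(?P<srcip>\d+\.\d+\.\d+\.\d+):(?P<srcport>\d+)(?P=sep)"
    r"(?P<dstip>\d+\.\d+\.\d+\.\d+):(?P<dstport>\d+)(?P=sep)"
    r"(?P<protocol>\w+)"
)


def decode(line):
    """Return the fields one log line decodes to, or None when neither
    decoder applies (the line would fall through to other decoders)."""
    m = FWPKTLOG_RE.match(line)
    if m:
        fields = {k: v for k, v in m.groupdict().items() if v is not None}
        fields["decoder"] = "zonealarm-fwpktlog"
        return fields
    m = ZALOG_RE.match(line)
    if m:
        fields = m.groupdict()
        del fields["sep"]
        fields["decoder"] = "zonealarm-firewall"
        return fields
    return None


def count_by_srcip(lines):
    """Count decoded events per source IP: the per-source tally that a
    frequency rule (and an active-response lockout keyed on srcip) sees.
    Feeding both log files in shows the double counting the mail warns about."""
    counts = {}
    for line in lines:
        fields = decode(line)
        if fields is None:
            continue
        counts[fields["srcip"]] = counts.get(fields["srcip"], 0) + 1
    return counts


# Sample lines from the mail, re-joined onto single lines where the mail
# client had wrapped them, plus two constructed variants of the first ZALog
# line using the ';' and tab delimiters.
SAMPLES = [
    "965140 Packet DROPPED: Proto: IP_TCP Flags: 0x0000000a Src: 10.0.0.5 Dest: 10.0.0.1 SrcPort: 80 DstPort: 59687",
    "2050156 Packet DROPPED: Proto: IP_UDP Flags: 0x00000002 Src: 10.0.0.3 Dest: 10.0.0.4 SrcPort: 137 DstPort: 137",
    "3204609 Packet DROPPED: Proto: IP_ICMP Flags: 0x0000000a Src: 10.0.0.2 Dest: 10.0.0.1 Type ICMP_ECHO",
    "FWIN,2008/09/22,15:04:34 -7:00 GMT,10.97.238.229:1493,10.12.67.21:1027,UDP",
    "FWIN,2008/09/22,22:22:08 -7:00 GMT,10.50.112.166:2413,10.18.69.21:5900,TCP (flags:S)",
    "FWOUT,2009/01/23,10:48:56 -8:00 GMT,10.12.67.21:138,10.18.69.21:138,UDP",
    "FWIN,2009/01/23,10:49:06 -8:00 GMT,10.12.67.21:0,10.13.68.22:0,ICMP (type:8/subtype:0)",
    "FWIN;2008/09/22;15:04:34 -7:00 GMT;10.97.238.229:1493;10.12.67.21:1027;UDP",  # constructed
    "FWIN\t2008/09/22\t15:04:34 -7:00 GMT\t10.97.238.229:1493\t10.12.67.21:1027\tUDP",  # constructed
]

if __name__ == "__main__":
    for line in SAMPLES:
        print(decode(line))
    print(count_by_srcip(SAMPLES))
```

Run as a script it prints the decoded dictionary for each sample and the per-source counts; a line that decodes to `None` means the prematch would not fire in OSSEC, which is the first thing to check when a decoder silently produces no alerts.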
