Greetings Daniel,

Thank you for the feedback: these can certainly be included in Ossec.

Here are the decoders that I'm using for the PE events in ZALog.txt:

<!-- Popup events: these indicate new or changed programs and so are  
treated more seriously -->
<!-- PE,2009/01/23,11:39:32 -8:00 GMT,ssmtp.exe,C:\cygwin\usr\sbin\ssmtp.exe,10.5.10.1:53,N/A -->
<decoder name="zonealarm-popup-event">
   <prematch>^PE</prematch>
   <type>ids</type>
</decoder>
<decoder name="zonealarm-popup-event-1">
  <parent>zonealarm-popup-event</parent>
  <type>ids</type>
  <regex offset="after_parent">^,\d\d\d\d/\d\d/\d\d,\d+:\d+:\d+\.+,(\.+),(\.+),(\d+.\d+.\d+.\d+):(\d+)|</regex>
  <regex>^\t\d\d\d\d/\d\d/\d\d\t\d+:\d+:\d+\.+\t(\.+)\t(\.+)\t(\d+.\d+.\d+.\d+):(\d+)|</regex>
  <regex>^;\d\d\d\d/\d\d/\d\d;\d+:\d+:\d+\.+;(\.+);(\.+);(\d+.\d+.\d+.\d+):(\d+)</regex>
  <order>id,extra_data,dstip,dstport</order>
  <fts>id,extra_data,location,dstip</fts>
  <ftscomment>First time program asked for internet access.</ftscomment>
</decoder>

These types of events are where the firewall asks the user for  
confirmation before allowing a program to connect to the network.  In  
my experience these are always new or changed programs and hence are  
very suspicious.  Often you'll see a string of two or more of these,  
the first to connect to your trusted zone, typically for your DNS  
server, and the next the actual destinations on the internet.

In the interest of completeness, I have noticed that ZoneAlarm  
appears to quit adding events to its logs after about 24 hours.  This  
appears to be some kind of log management issue.  As far as I can  
tell, periodically ZoneAlarm attempts to clear fwpktlog.txt and  
archive ZALog.txt.  However, since ossec is using these files  
ZoneAlarm can't complete its log management routine and chokes by not  
logging anything.  This can be temporarily fixed either by rebooting  
or by stopping both ZoneAlarm and ossec and then starting ZoneAlarm  
followed by ossec.  I haven't gotten around to trying to track the  
problem down further than that though.  It hasn't been terribly  
annoying since we reboot the windows boxes a lot anyway.

--cryogen


On Mar 25, 2009, at 6:55 AM, Daniel Cid wrote:

>
> Hey,
>
> Good work on this! Do you have more rules, decoders to share (or any
> fixes to these)? Also, is it alright for you
> if we include that on ossec?
>
> Thanks,
>
> --
> Daniel B. Cid
> dcid ( at ) ossec.net
>
>
> On Sat, Mar 7, 2009 at 4:10 PM, cryogen <[email protected]> wrote:
>> Greetings,
>>
>> I've made decoders for the ZoneAlarm firewall version 8+ and thought
>> it might be useful to someone else too.  I have some decoders for
>> some of the program control aspects of ZoneAlarm, but I'm still
>> testing them.  I'm also still testing rules for all these.  Both
>> those will probably be posted later if anyone's interested.  Feedback
>> is appreciated.
>>
>> For fwpktlog.txt:
>>
>> Log samples:
>>
>> 965140 Packet DROPPED: Proto: IP_TCP Flags: 0x0000000a Src: 10.0.0.5 Dest: 10.0.0.1 SrcPort: 80 DstPort: 59687
>> 2050156 Packet DROPPED: Proto: IP_UDP Flags: 0x00000002 Src: 10.0.0.3 Dest: 10.0.0.4 SrcPort: 137 DstPort: 137
>> 3204609 Packet DROPPED: Proto: IP_ICMP Flags: 0x0000000a Src: 10.0.0.2 Dest: 10.0.0.1 Type ICMP_ECHO
>>
>> <decoder name="zonealarm-fwpktlog">
>>    <prematch>^\d+ Packet \w+: Proto: </prematch>
>>    <type>firewall</type>
>> </decoder>
>> <decoder name="zonealarm-fwpktlog-1">
>>    <parent>zonealarm-fwpktlog</parent>
>>    <type>firewall</type>
>>    <regex>^\d+ Packet (\w+): Proto: IP_(\w+) Flags: \w+ </regex>
>>    <regex>Src: (\d+.\d+.\d+.\d+) Dest: (\d+.\d+.\d+.\d+) </regex>
>>    <order>action,protocol,srcip,dstip</order>
>> </decoder>
>> <decoder name="zonealarm-fwpktlog-1">
>>    <parent>zonealarm-fwpktlog</parent>
>>    <type>firewall</type>
>>    <regex offset="after_regex">^SrcPort: (\d+) DstPort: (\d+)</regex>
>>    <order>srcport,dstport</order>
>> </decoder>
>>
>>
>> For ZALog.txt:
>>
>> The ZALog.txt file can be delimited by commas (default), semicolons
>> or tabs.  These cover all possibilities.  These should work on
>> ZoneAlarm v7 as well but this hasn't been tested.  This is included
>> mainly for completeness, since the fwpktlog.txt file is much more
>> useful.
>>
>> Note: for ZoneAlarm to log to the ZALog.txt file, you must set it to
>> "Archive log files daily" in the Alerts and Logs preferences,
>> otherwise, this file will not appear.
>>
>> Note 2: FYI, there may be double counting of packets between the
>> fwpktlog.txt and ZALog.txt files.  ZoneAlarm is rather militant about
>> logging to fwpktlog.txt but not so much to ZALog.txt.  Personally, I
>> don't really care if the packets are counted twice since it typically
>> isn't enough to trigger lockouts unexpectedly.  If you care, just use
>> the fwpktlog.txt decoder above instead of this one.
>>
>> Log samples (inbound and outbound traffic):
>>
>> FWIN,2008/09/22,15:04:34 -7:00 GMT,10.97.238.229:1493,10.12.67.21:1027,UDP
>> FWIN,2008/09/22,22:22:08 -7:00 GMT,10.50.112.166:2413,10.18.69.21:5900,TCP (flags:S)
>> FWOUT,2009/01/23,10:48:56 -8:00 GMT,10.12.67.21:138,10.18.69.21:138,UDP
>> FWIN,2009/01/23,10:49:06 -8:00 GMT,10.12.67.21:0,10.13.68.22:0,ICMP (type:8/subtype:0)
>>
>> <decoder name="zonealarm-firewall">
>>   <prematch>^FWIN|^FWOUT</prematch>
>>   <type>firewall</type>
>> </decoder>
>> <decoder name="zonealarm-firewall-1">
>>  <parent>zonealarm-firewall</parent>
>>  <type>firewall</type>
>>  <regex offset="after_parent">^,\d\d\d\d/\d\d/\d\d,\d+:\d+:\d+\.+,(\d+.\d+.\d+.\d+):(\d+),(\d+.\d+.\d+.\d+):(\d+),(\w+)|</regex>
>>  <regex>^\t\d\d\d\d/\d\d/\d\d\t\d+:\d+:\d+\.+\t(\d+.\d+.\d+.\d+):(\d+)\t(\d+.\d+.\d+.\d+):(\d+)\t(\w+)|</regex>
>>  <regex>^;\d\d\d\d/\d\d/\d\d;\d+:\d+:\d+\.+;(\d+.\d+.\d+.\d+):(\d+);(\d+.\d+.\d+.\d+):(\d+);(\w+)</regex>
>>  <order>srcip,srcport,dstip,dstport,protocol</order>
>> </decoder>
>>
>> Windows agent config:
>>
>> <localfile>
>>   <location>C:\WINDOWS/Internet Logs/fwpktlog.txt</location>
>>    <log_format>syslog</log_format>
>> </localfile>
>> <localfile>
>>   <location>C:\WINDOWS/Internet Logs/ZALog.txt</location>
>>    <log_format>syslog</log_format>
>> </localfile>
>>
>> --cryogen
>>
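To check what the decoders in this thread (the PE popup decoder in the reply and the fwpktlog.txt / ZALog.txt decoders in the quoted message) actually extract without an OSSEC install, here is an added Python example. It is my own code, not part of either message and not OSSEC's: each parent decoder is translated into a Python regular expression, the result is run over sample lines (the thread's own samples joined back onto single lines, plus constructed semicolon- and tab-delimited variants and repeated PE events), and the `<fts>` first-time-seen behaviour of `zonealarm-popup-event-1` is imitated. The `(program, path, dstip)` key used for first-time-seen and the 192.0.2.25 destination are assumptions for illustration.

```python
"""Offline check of the ZoneAlarm decoders in this thread.

Added example, not OSSEC code: the three parent decoders as Python regexes,
plus an imitation of <fts> on zonealarm-popup-event-1.
"""
import re

IP = r"\d{1,3}(?:\.\d{1,3}){3}"

# fwpktlog.txt: sequence number, action, protocol, flags, addresses, then
# either a SrcPort/DstPort pair or (for ICMP) "Type ICMP_xxx".
FWPKTLOG_RE = re.compile(
    r"^(?P<seq>\d+) Packet (?P<action>\w+): Proto: IP_(?P<protocol>\w+) "
    r"Flags: (?P<flags>\w+) Src: (?P<srcip>" + IP + r") Dest: (?P<dstip>" + IP + r")"
    r"(?: SrcPort: (?P<srcport>\d+) DstPort: (?P<dstport>\d+)| Type (?P<icmp_type>\w+))?\s*$"
)

# ZALog.txt FWIN/FWOUT: the delimiter is whatever ZoneAlarm was configured to
# use (comma, semicolon or tab); a backreference forces one delimiter per line
# instead of the three separate regexes the OSSEC decoder needs.
ZALOG_FW_RE = re.compile(
    r"^(?P<direction>FWIN|FWOUT)(?P<d>[,;\t])\s*"
    r"(?P<date>\d{4}/\d\d/\d\d)(?P=d)\s*"
    r"(?P<time>[^,;\t]+?)(?P=d)\s*"
    r"(?P<srcip>" + IP + r"):(?P<srcport>\d+)(?P=d)\s*"
    r"(?P<dstip>" + IP + r"):(?P<dstport>\d+)(?P=d)\s*"
    r"(?P<protocol>\w+)(?P<detail>.*)$"
)

# ZALog.txt PE (program popup): program name, full path, destination ip:port.
# A path containing the configured delimiter would break this, as it would
# the OSSEC decoder; tab mode sidesteps that since Windows paths hold no tabs.
ZALOG_PE_RE = re.compile(
    r"^PE(?P<d>[,;\t])\s*"
    r"(?P<date>\d{4}/\d\d/\d\d)(?P=d)\s*"
    r"(?P<time>[^,;\t]+?)(?P=d)\s*"
    r"(?P<program>[^,;\t]+)(?P=d)\s*"
    r"(?P<path>[^,;\t]+)(?P=d)\s*"
    r"(?P<dstip>" + IP + r"):(?P<dstport>\d+)(?P=d)\s*"
    r"(?P<extra>.*)$"
)

DECODERS = [
    ("zonealarm-fwpktlog", FWPKTLOG_RE),
    ("zonealarm-firewall", ZALOG_FW_RE),
    ("zonealarm-popup-event", ZALOG_PE_RE),
]


def decode(line):
    """Return {"decoder": <parent name>, <field>: <value>, ...} or None.

    Groups that did not take part in the match (ports on an ICMP drop, the
    ICMP type on a TCP drop) come back as None, so every key is present."""
    line = line.rstrip("\r\n")
    for name, rx in DECODERS:
        m = rx.match(line)
        if m:
            fields = {k: v for k, v in m.groupdict().items() if k != "d"}
            fields["decoder"] = name
            return fields
    return None


def first_time_seen(records, seen=None):
    """Imitate <fts> on zonealarm-popup-event-1: emit a PE record only the
    first time its (program, path, dstip) triple is observed. The decoder's
    fts list also has location; it is omitted here (assumption: one file).
    Pass your own `seen` set to keep state across batches."""
    seen = set() if seen is None else seen
    out = []
    for rec in records:
        if rec is None or rec["decoder"] != "zonealarm-popup-event":
            continue
        key = (rec["program"], rec["path"], rec["dstip"])
        if key not in seen:
            seen.add(key)
            out.append(rec)
    return out


# Constructed sample input: the first three lines are the thread's own samples
# joined back onto one line each; the semicolon/tab variants and the repeated
# PE lines (192.0.2.25 is a documentation address) are made up.
SAMPLE_LINES = [
    "965140 Packet DROPPED: Proto: IP_TCP Flags: 0x0000000a Src: 10.0.0.5 Dest: 10.0.0.1 SrcPort: 80 DstPort: 59687",
    "3204609 Packet DROPPED: Proto: IP_ICMP Flags: 0x0000000a Src: 10.0.0.2 Dest: 10.0.0.1 Type ICMP_ECHO",
    "FWIN,2008/09/22,22:22:08 -7:00 GMT,10.50.112.166:2413,10.18.69.21:5900,TCP (flags:S)",
    "FWOUT;2009/01/23;10:48:56 -8:00 GMT;10.12.67.21:138;10.18.69.21:138;UDP",
    "FWIN\t2009/01/23\t10:49:06 -8:00 GMT\t10.12.67.21:0\t10.13.68.22:0\tICMP (type:8/subtype:0)",
    r"PE,2009/01/23,11:39:32 -8:00 GMT,ssmtp.exe,C:\cygwin\usr\sbin\ssmtp.exe,10.5.10.1:53,N/A",
    r"PE,2009/01/23,11:39:33 -8:00 GMT,ssmtp.exe,C:\cygwin\usr\sbin\ssmtp.exe,10.5.10.1:53,N/A",
    r"PE,2009/01/23,11:39:35 -8:00 GMT,ssmtp.exe,C:\cygwin\usr\sbin\ssmtp.exe,192.0.2.25:25,N/A",
]

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(decode(line))
    for rec in first_time_seen(decode(l) for l in SAMPLE_LINES):
        print("first time seen:", rec["program"], "->", rec["dstip"])
```

Running it prints one dict per sample line and then two "first time seen" lines for ssmtp.exe: the DNS-server destination and the second, external destination, while the repeated DNS popup is suppressed. That is the pattern the reply describes: a string of popups from one new program, first to the trusted zone and then to the real destination, each firing once.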
