Hi, you can pass a whole logfile to logtest by running cat [path to logfile] | /var/ossec/bin/ossec-logtest, but afaik it will not show aggregate rule matches (in this case 4151) this way, only simple rule matches (e.g. 16 times 4101). You could try leaving out the "ignore" part from the rule, just to see if it works then. Other than that I have no idea atm.
On Mon, Feb 15, 2010 at 10:27 PM, GPLExpert <[email protected]> wrote:
> Hello,
> Thanks for your answer.
>
> All logs come in one file called all.log and I receive alerts and
> emails for auth, snort etc., so for me it's working.
>
> As I said before, it's matching rules 4100 and 4101 when I paste it in
> logtest.
>
> Feb 15 22:13:22 rtr-mel pf: 000011 rule 153/0(match): block in on em4: (tos 0x0, ttl 51, id 28366, offset 0, flags [none], proto TCP (6), length 44) 172.24.0.9.52992 > 10.0.0.10.9535: S, cksum 0x686t), 1947861302:1947861302(0) win 4096 <mss 1460>
>
> **Phase 1: Completed pre-decoding.
>        full event: 'Feb 15 22:13:22 rtr-mel pf: 000011 rule 153/0(match): block in on em4: (tos 0x0, ttl 51, id 28366, offset 0, flags [none], proto TCP (6), length 44) 172.24.0.9.52992 > 10.0.0.10.9535: S, cksum 0x686'
>        hostname: 'rtr-mel'
>        program_name: 'pf'
>        log: '000011 rule 153/0(match): block in on em4: (tos 0x0, ttl 51, id 28366, offset 0, flags [none], proto TCP (6), length 44) 172.24.0.9.52992 > 10.0.0.10.9535: S, cksum 0x686'
>
> **Phase 2: Completed decoding.
>        decoder: 'pf'
>
> **Phase 3: Completed filtering (rules).
>        Rule id: '4101'
>        Level: '5'
>        Description: 'Firewall drop event.'
> **Alert to be generated.
>
> Examples for the firewall log:
>
> Feb 15 22:13:22 rtr-mel pf: 000011 rule 153/0(match): block in on em4: (tos 0x0, ttl 51, id 28366, offset 0, flags [none], proto TCP (6), length 44) 172.24.0.9.52992 > 10.0.0.10.9535: S, cksum 0x686t), 1947861302:1947861302(0) win 4096 <mss 1460>
> Feb 15 22:13:22 rtr-mel pf: 000010 rule 153/0(match): block in on em4: (tos 0x0, ttl 40, id 48633, offset 0, flags [none], proto TCP (6), length 44) 172.24.0.9.52992 > 10.0.0.10.111: S, cksum 0x993b), 1947861302:1947861302(0) win 1024 <mss 1460>
> Feb 15 22:13:22 rtr-mel pf: 000010 rule 153/0(match): block in on em4: (tos 0x0, ttl 42, id 21401, offset 0, flags [none], proto TCP (6), length 44) 172.24.0.9.52992 > 10.0.0.10.8082: S, cksum 0x721t), 1947861302:1947861302(0) win 3072 <mss 1460>
> Feb 15 22:13:22 rtr-mel pf: 000010 rule 153/0(match): block in on em4: (tos 0x0, ttl 56, id 22484, offset 0, flags [none], proto TCP (6), length 44) 172.24.0.9.52992 > 10.0.0.10.44443: S, cksum 0xecct), 1947861302:1947861302(0) win 1024 <mss 1460>
> Feb 15 22:13:22 rtr-mel pf: 000011 rule 153/0(match): block in on em4: (tos 0x0, ttl 47, id 18595, offset 0, flags [none], proto TCP (6), length 44) 172.24.0.9.52992 > 10.0.0.10.1666: S, cksum 0x872t), 1947861302:1947861302(0) win 4096 <mss 1460>
> Feb 15 22:13:22 rtr-mel pf: 000010 rule 153/0(match): block in on em4: (tos 0x0, ttl 43, id 15356, offset 0, flags [none], proto TCP (6), length 44) 172.24.0.9.52992 > 10.0.0.10.485: S, cksum 0x8bc5), 1947861302:1947861302(0) win 4096 <mss 1460>
> Feb 15 22:13:23 rtr-mel pf: 003815 rule 153/0(match): block in on em4: (tos 0x0, ttl 57, id 13185, offset 0, flags [none], proto TCP (6), length 44) 172.24.0.9.52991 > 10.0.0.10.61440: S, cksum 0rrect), 1947926839:1947926839(0) win 2048 <mss 1460>
> Feb 15 22:13:23 rtr-mel pf: 000012 rule 153/0(match): block in on em4: (tos 0x0, ttl 53, id 25584, offset 0, flags [none], proto TCP (6), length 44) 172.24.0.9.52991 > 10.0.0.10.200: S, cksum 0x94e1), 1947926839:1947926839(0) win 2048 <mss 1460>
> Feb 15 22:13:23 rtr-mel pf: 000010 rule 153/0(match): block in on em4: (tos 0x0, ttl 59, id 57057, offset 0, flags [none], proto TCP (6), length 44) 172.24.0.9.52991 > 10.0.0.10.1534: S, cksum 0x87at), 1947926839:1947926839(0) win 4096 <mss 1460>
> Feb 15 22:13:23 rtr-mel pf: 000010 rule 153/0(match): block in on em4: (tos 0x0, ttl 44, id 41136, offset 0, flags [none], proto TCP (6), length 44) 172.24.0.9.52991 > 10.0.0.10.196: S, cksum 0x98e5), 1947926839:1947926839(0) win 1024 <mss 1460>
> Feb 15 22:13:23 rtr-mel pf: 000010 rule 153/0(match): block in on em4: (tos 0x0, ttl 54, id 57321, offset 0, flags [none], proto TCP (6), length 44) 172.24.0.9.52991 > 10.0.0.10.2065: S, cksum 0x899t), 1947926839:1947926839(0) win 3072 <mss 1460>
> Feb 15 22:13:23 rtr-mel pf: 000010 rule 153/0(match): block in on em4: (tos 0x0, ttl 51, id 14566, offset 0, flags [none], proto TCP (6), length 44) 172.24.0.9.52991 > 10.0.0.10.1542: S, cksum 0x87at), 1947926839:1947926839(0) win 4096 <mss 1460>
> Feb 15 22:13:23 rtr-mel pf: 000011 rule 153/0(match): block in on em4: (tos 0x0, ttl 56, id 53153, offset 0, flags [none], proto TCP (6), length 44) 172.24.0.9.52991 > 10.0.0.10.6701: S, cksum 0x7f7t), 1947926839:1947926839(0) win 1024 <mss 1460>
> Feb 15 22:13:23 rtr-mel pf: 000010 rule 153/0(match): block in on em4: (tos 0x0, ttl 47, id 42434, offset 0, flags [none], proto TCP (6), length 44) 172.24.0.9.52991 > 10.0.0.10.487: S, cksum 0x8bc2), 1947926839:1947926839(0) win 4096 <mss 1460>
> Feb 15 22:13:23 rtr-mel pf: 000013 rule 153/0(match): block in on em4: (tos 0x0, ttl 56, id 2794, offset 0, flags [none], proto TCP (6), length 44) 172.24.0.9.52991 > 10.0.0.10.960: S, cksum 0x95e9, 1947926839:1947926839(0) win 1024 <mss 1460>
> Feb 15 22:13:23 rtr-mel pf: 000010 rule 153/0(match): block in on em4: (tos 0x0, ttl 42, id 28324, offset 0, flags [none], proto TCP (6), length 44) 172.24.0.9.52991 > 10.0.0.10.2111: S, cksum 0x896t), 1947926839:1947926839(0) win 3072 <mss 1460>
>
> PS: I don't know how to pass the lines to logtest to match 4151.
>
> But it should work because one rule (4101) already matches, and when I'm
> scanning with nmap I've got more than 16 drops in 45 seconds.
>
> Hope that you can help me.
>
> Regards
> Thomas BRETON
>
>
> On 11 Feb, 18:48, oscar schneider <[email protected]> wrote:
>> Hi,
>>
>> if you have a default ossec.conf with your e-mail address and SMTP server
>> configured correctly you should get an email if 16 drops occur in 45
>> seconds. Of course you also need to make sure that the firewall messages are
>> passed to ossec, e.g. by configuring it in ossec.conf as localfile.
>>
>> To see if the drop messages of your firewall match these ossec rules, run
>> them through ossec logtest.
>>
>> If that turns out not to help, post the result of ossec logtest and post
>> some example messages for packet drops for your firewall.
>>
>> On Thu, Feb 11, 2010 at 12:51 PM, GPLExpert <[email protected]> wrote:
>>> Hello,
>>>
>>> It seems that ossec supports PF rules, but when there are multiple drops
>>> I would like to have an email.
>>>
>>> There is this in the decoder.xml
>>>
>>> <decoder name="pf">
>>>   <type>firewall</type>
>>>   <program_name>^pf$</program_name>
>>>   <plugin_decoder>PF_Decoder</plugin_decoder>
>>> </decoder>
>>>
>>> And when I paste a pf log inside ossec-logtest
>>> it's matching rules
>>>
>>> **Phase 2: Completed decoding.
>>>        decoder: 'pf'
>>>
>>> **Phase 3: Completed filtering (rules).
>>>        Rule id: '4100'
>>>        Level: '0'
>>>        Description: 'Firewall rules grouped.'
>>>
>>> and this in firewall.rules
>>>
>>> <rule id="4101" level="5">
>>>   <if_sid>4100</if_sid>
>>>   <!--<action>DROP</action> -->
>>>   <!--<action>block</action>-->
>>>   <match>block</match>
>>>   <!--
>>>   <options>no_log</options>-->
>>>   <description>Firewall drop event.</description>
>>>   <group>firewall_drop,</group>
>>> </rule>
>>>
>>> <rule id="4151" level="10" frequency="16" timeframe="45"
>>>   ignore="240">
>>>   <if_matched_sid>4101</if_matched_sid>
>>>   <same_source_ip />
>>>   <description>Multiple Firewall drop events from same
>>>   source.</description>
>>>   <group>multiple_drops,</group>
>>> </rule>
>>>
>>> I've tried to write a rule in local_rules.xml but with no success.
>>>
>>> Have you got a solution to send mail when a scan is done?
>>>
>>> Regards
>>> Thomas BRETON
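As an added illustration (not from the thread and not OSSEC's own code) of why a single pasted line in ossec-logtest only ever reaches 4101: rule 4151 keeps state across lines, counting 4101 matches per source IP inside timeframe="45" and staying quiet for ignore="240" once it has fired. The small Python model below runs that logic over constructed pf lines shaped like the ones quoted above; the regex, the SAMPLE lines and the FrequencyRule class are assumptions of this example, not the PF_Decoder or analysisd internals.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed pf log lines in the shape quoted in the thread: 20 blocked SYNs from one
# source within two seconds (enough to cross frequency="16" inside timeframe="45").
SAMPLE = [f"Feb 15 22:13:{22 + i // 10} rtr-mel pf: 000010 rule 153/0(match): block in on em4: "
          f"(tos 0x0, ttl 51, id {28366 + i}, offset 0, flags [none], proto TCP (6), length 44) "
          f"172.24.0.9.52992 > 10.0.0.10.{9000 + i}: S, cksum 0x686), 1947861302:1947861302(0) win 4096 <mss 1460>"
          for i in range(20)]

# Assumed parser for the syslog-wrapped pf line: timestamp, pf action, source IP.
PF = re.compile(r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) \S+ pf: \d+ rule \S+ (?P<action>\w+) .*?"
                r"(?P<src>\d+\.\d+\.\d+\.\d+)\.\d+ > \d+\.\d+\.\d+\.\d+\.\d+")

def parse(line, year=2010):
    m = PF.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S").timestamp()
    return ts, m["action"], m["src"]

class FrequencyRule:
    """Model of rule 4151: fire when `frequency` rule-4101 matches (pf 'block') share a
    source IP inside `timeframe` seconds, then stay quiet for `ignore` seconds."""
    def __init__(self, frequency=16, timeframe=45, ignore=240):
        self.frequency, self.timeframe, self.ignore = frequency, timeframe, ignore
        self.hits = defaultdict(deque)   # src ip -> timestamps of recent 4101 matches
        self.muted_until = {}            # src ip -> time until which 4151 is ignored

    def feed(self, line):
        parsed = parse(line)
        if parsed is None or parsed[1] != "block":   # rule 4101 is <match>block</match>
            return None
        ts, _, src = parsed
        window = self.hits[src]
        window.append(ts)
        while ts - window[0] > self.timeframe:        # forget drops older than the timeframe
            window.popleft()
        if len(window) < self.frequency:
            return None                               # only the per-line 4101 match, as logtest shows
        if self.muted_until.get(src, 0) > ts:         # still inside the ignore="240" window
            return None
        self.muted_until[src] = ts + self.ignore
        window.clear()
        return f"Rule id 4151, level 10: multiple firewall drops from {src}"

def run(lines, **params):
    rule = FrequencyRule(**params)
    return [alert for alert in map(rule.feed, lines) if alert]
```

Feeding the first 15 lines never fires, the full 20 fire exactly once, and lowering frequency to 8 still yields a single alert because the second burst lands inside the ignore window.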
