Hello,
Thanks for your help. Thanks for the tip on ossec-logtest. I've removed the ignore part but there is no change. :(

Regards,
Thomas

On 17 Feb, 13:07, oscar schneider <[email protected]> wrote:
> Hi,
>
> you can pass a whole logfile to logtest by running
> cat [path to logfile] | /var/ossec/bin/ossec-logtest
> but afaik it will not show aggregate rule (in this case 4151) matches
> this way, only simple rule matches (e.g. 16 times 4101). You could try
> leaving out the "ignore" part from the rule, just to see if it works
> then. Other than that I have no idea atm.
>
> On Mon, Feb 15, 2010 at 10:27 PM, GPLExpert <[email protected]> wrote:
> > Hello,
> > Thanks for your answer
> >
> > All logs come in one file called all.log and I received alerts and
> > email for auth, snort etc ... so for me it's working
> >
> > As I said before, it's matching rule 4100 and 4101 when I paste it in
> > logtest.
> >
> > Feb 15 22:13:22 rtr-mel pf: 000011 rule 153/0(match): block in on em4: (tos 0x0, ttl 51, id 28366, offset 0, flags [none], proto TCP (6), length 44) 172.24.0.9.52992 > 10.0.0.10.9535: S, cksum 0x686t), 1947861302:1947861302(0) win 4096 <mss 1460>
> >
> > **Phase 1: Completed pre-decoding.
> >        full event: 'Feb 15 22:13:22 rtr-mel pf: 000011 rule 153/0(match): block in on em4: (tos 0x0, ttl 51, id 28366, offset 0, flags [none], proto TCP (6), length 44) 172.24.0.9.52992 > 10.0.0.10.9535: S, cksum 0x686'
> >        hostname: 'rtr-mel'
> >        program_name: 'pf'
> >        log: '000011 rule 153/0(match): block in on em4: (tos 0x0, ttl 51, id 28366, offset 0, flags [none], proto TCP (6), length 44) 172.24.0.9.52992 > 10.0.0.10.9535: S, cksum 0x686'
> >
> > **Phase 2: Completed decoding.
> >        decoder: 'pf'
> >
> > **Phase 3: Completed filtering (rules).
> >        Rule id: '4101'
> >        Level: '5'
> >        Description: 'Firewall drop event.'
> > **Alert to be generated.
> >
> > examples for the firewall log:
> >
> > Feb 15 22:13:22 rtr-mel pf: 000011 rule 153/0(match): block in on em4: (tos 0x0, ttl 51, id 28366, offset 0, flags [none], proto TCP (6), length 44) 172.24.0.9.52992 > 10.0.0.10.9535: S, cksum 0x686t), 1947861302:1947861302(0) win 4096 <mss 1460>
> > Feb 15 22:13:22 rtr-mel pf: 000010 rule 153/0(match): block in on em4: (tos 0x0, ttl 40, id 48633, offset 0, flags [none], proto TCP (6), length 44) 172.24.0.9.52992 > 10.0.0.10.111: S, cksum 0x993b), 1947861302:1947861302(0) win 1024 <mss 1460>
> > Feb 15 22:13:22 rtr-mel pf: 000010 rule 153/0(match): block in on em4: (tos 0x0, ttl 42, id 21401, offset 0, flags [none], proto TCP (6), length 44) 172.24.0.9.52992 > 10.0.0.10.8082: S, cksum 0x721t), 1947861302:1947861302(0) win 3072 <mss 1460>
> > Feb 15 22:13:22 rtr-mel pf: 000010 rule 153/0(match): block in on em4: (tos 0x0, ttl 56, id 22484, offset 0, flags [none], proto TCP (6), length 44) 172.24.0.9.52992 > 10.0.0.10.44443: S, cksum 0xecct), 1947861302:1947861302(0) win 1024 <mss 1460>
> > Feb 15 22:13:22 rtr-mel pf: 000011 rule 153/0(match): block in on em4: (tos 0x0, ttl 47, id 18595, offset 0, flags [none], proto TCP (6), length 44) 172.24.0.9.52992 > 10.0.0.10.1666: S, cksum 0x872t), 1947861302:1947861302(0) win 4096 <mss 1460>
> > Feb 15 22:13:22 rtr-mel pf: 000010 rule 153/0(match): block in on em4: (tos 0x0, ttl 43, id 15356, offset 0, flags [none], proto TCP (6), length 44) 172.24.0.9.52992 > 10.0.0.10.485: S, cksum 0x8bc5), 1947861302:1947861302(0) win 4096 <mss 1460>
> > Feb 15 22:13:23 rtr-mel pf: 1. 003815 rule 153/0(match): block in on em4: (tos 0x0, ttl 57, id 13185, offset 0, flags [none], proto TCP (6), length 44) 172.24.0.9.52991 > 10.0.0.10.61440: S, cksum 0rrect), 1947926839:1947926839(0) win 2048 <mss 1460>
> > Feb 15 22:13:23 rtr-mel pf: 000012 rule 153/0(match): block in on em4: (tos 0x0, ttl 53, id 25584, offset 0, flags [none], proto TCP (6), length 44) 172.24.0.9.52991 > 10.0.0.10.200: S, cksum 0x94e1), 1947926839:1947926839(0) win 2048 <mss 1460>
> > Feb 15 22:13:23 rtr-mel pf: 000010 rule 153/0(match): block in on em4: (tos 0x0, ttl 59, id 57057, offset 0, flags [none], proto TCP (6), length 44) 172.24.0.9.52991 > 10.0.0.10.1534: S, cksum 0x87at), 1947926839:1947926839(0) win 4096 <mss 1460>
> > Feb 15 22:13:23 rtr-mel pf: 000010 rule 153/0(match): block in on em4: (tos 0x0, ttl 44, id 41136, offset 0, flags [none], proto TCP (6), length 44) 172.24.0.9.52991 > 10.0.0.10.196: S, cksum 0x98e5), 1947926839:1947926839(0) win 1024 <mss 1460>
> > Feb 15 22:13:23 rtr-mel pf: 000010 rule 153/0(match): block in on em4: (tos 0x0, ttl 54, id 57321, offset 0, flags [none], proto TCP (6), length 44) 172.24.0.9.52991 > 10.0.0.10.2065: S, cksum 0x899t), 1947926839:1947926839(0) win 3072 <mss 1460>
> > Feb 15 22:13:23 rtr-mel pf: 000010 rule 153/0(match): block in on em4: (tos 0x0, ttl 51, id 14566, offset 0, flags [none], proto TCP (6), length 44) 172.24.0.9.52991 > 10.0.0.10.1542: S, cksum 0x87at), 1947926839:1947926839(0) win 4096 <mss 1460>
> > Feb 15 22:13:23 rtr-mel pf: 000011 rule 153/0(match): block in on em4: (tos 0x0, ttl 56, id 53153, offset 0, flags [none], proto TCP (6), length 44) 172.24.0.9.52991 > 10.0.0.10.6701: S, cksum 0x7f7t), 1947926839:1947926839(0) win 1024 <mss 1460>
> > Feb 15 22:13:23 rtr-mel pf: 000010 rule 153/0(match): block in on em4: (tos 0x0, ttl 47, id 42434, offset 0, flags [none], proto TCP (6), length 44) 172.24.0.9.52991 > 10.0.0.10.487: S, cksum 0x8bc2), 1947926839:1947926839(0) win 4096 <mss 1460>
> > Feb 15 22:13:23 rtr-mel pf: 000013 rule 153/0(match): block in on em4: (tos 0x0, ttl 56, id 2794, offset 0, flags [none], proto TCP (6), length 44) 172.24.0.9.52991 > 10.0.0.10.960: S, cksum 0x95e9, 1947926839:1947926839(0) win 1024 <mss 1460>
> > Feb 15 22:13:23 rtr-mel pf: 000010 rule 153/0(match): block in on em4: (tos 0x0, ttl 42, id 28324, offset 0, flags [none], proto TCP (6), length 44) 172.24.0.9.52991 > 10.0.0.10.2111: S, cksum 0x896t), 1947926839:1947926839(0) win 3072 <mss 1460>
> >
> > PS I don't know how to pass the lines to logtest to match 4151
> >
> > But it should work because one rule past match 4101 and when I'm
> > scanning with nmap I've got more than 16 drops in 45 seconds.
> >
> > Hope that you can help me.
> >
> > Regards
> > Thomas BRETON
> >
> > On 11 Feb, 18:48, oscar schneider <[email protected]> wrote:
> > > Hi,
> > >
> > > if you have a default ossec.conf with your e-mail address and smtp server
> > > configured correctly you should get an email if 16 drops occur in 45
> > > seconds. Of course you also need to make sure that the firewall messages
> > > are passed to ossec, e.g. by configuring it in ossec.conf as localfile.
> > >
> > > To see if the drop messages of your firewall match these ossec rules, run
> > > them through ossec logtest.
> > >
> > > If that turns out not to help, post the result of ossec logtest and post
> > > some example messages for packet drops for your firewall.
> > >
> > > On Thu, Feb 11, 2010 at 12:51 PM, GPLExpert <[email protected]> wrote:
> > > > Hello,
> > > >
> > > > It seems that ossec supports PF rules but when there are multiple drops,
> > > > I would like to have an email.
> > > >
> > > > There is this in the decoder.xml
> > > >
> > > > <decoder name="pf">
> > > >   <type>firewall</type>
> > > >   <program_name>^pf$</program_name>
> > > >   <plugin_decoder>PF_Decoder</plugin_decoder>
> > > > </decoder>
> > > >
> > > > And when I paste a pf log inside ossec-logtest
> > > > It's matching rules
> > > >
> > > > **Phase 2: Completed decoding.
> > > >        decoder: 'pf'
> > > >
> > > > **Phase 3: Completed filtering (rules).
> > > >        Rule id: '4100'
> > > >        Level: '0'
> > > >        Description: 'Firewall rules grouped.'
> > > >
> > > > and this in firewall.rules
> > > >
> > > > <rule id="4101" level="5">
> > > >   <if_sid>4100</if_sid>
> > > >   <!--<action>DROP</action> -->
> > > >   <!--<action>block</action>-->
> > > >   <match>block</match>
> > > >   <!--
> > > >   <options>no_log</options>-->
> > > >   <description>Firewall drop event.</description>
> > > >   <group>firewall_drop,</group>
> > > > </rule>
> > > >
> > > > <rule id="4151" level="10" frequency="16" timeframe="45" ignore="240">
> > > >   <if_matched_sid>4101</if_matched_sid>
> > > >   <same_source_ip />
> > > >   <description>Multiple Firewall drop events from same source.</description>
> > > >   <group>multiple_drops,</group>
> > > > </rule>
> > > >
> > > > I've tried to write a rule in local_rules.xml but with no success.
> > > >
> > > > Have you got a solution to send mail when a scan is done?
> > > >
> > > > Regards
> > > > Thomas BRETON
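
The sticking point in the thread is that ossec-logtest evaluates one line at a time, so it can show a 4101 match but never the composite rule 4151 (16 matches of 4101 from the same source IP inside 45 seconds, then quiet for 240 seconds). The script below is an added example, written for this page and not code from the thread or from OSSEC; it replays a batch of pf lines through a simplified model of those two rules so you can see offline whether a set of drop lines would cross the threshold. Assumptions: the decoder is a hand-written regex standing in for OSSEC's PF_Decoder, the year 2010 is supplied because syslog timestamps carry none, rule 4151 is modelled as firing on the frequency-th match and then resetting the source's window for the ignore period (a reading of the rule attributes, not analysisd's exact counter), and the sample lines are constructed, with one line taken from the thread.

```python
import re
from collections import deque
from datetime import datetime, timedelta

# Thresholds copied from rule 4151 as quoted in the thread.
FREQUENCY = 16   # this many 4101 matches from one source ...
TIMEFRAME = 45   # ... within this many seconds fire 4151 ...
IGNORE = 240     # ... after which 4151 stays quiet for that source (assumed semantics)

# Stand-in for the pf decoder (not OSSEC's PF_Decoder): syslog timestamp, hostname,
# program name "pf", then the "srcip.port > dstip.port" pair that <same_source_ip /> keys on.
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) pf: .*?"
    r"(?P<srcip>\d{1,3}(?:\.\d{1,3}){3})\.\d+ > (?P<dstip>\d{1,3}(?:\.\d{1,3}){3})\.\d+:"
)

# One real line from the thread, used to check that the regex decodes it.
THREAD_LINE = ("Feb 15 22:13:22 rtr-mel pf: 000011 rule 153/0(match): block in on em4: "
               "(tos 0x0, ttl 51, id 28366, offset 0, flags [none], proto TCP (6), length 44) "
               "172.24.0.9.52992 > 10.0.0.10.9535: S, cksum 0x686t), 1947861302:1947861302(0) win 4096 <mss 1460>")

def decode(line, year=2010):
    """Return ts/srcip/dstip/log for a pf line, or None when the decoder would not match.
    The year is assumed (2010) because syslog timestamps do not carry one."""
    m = LINE_RE.search(line)
    if m is None:
        return None
    ts = datetime.strptime(f"{year} {m.group('ts')}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "srcip": m.group("srcip"), "dstip": m.group("dstip"), "log": line}

def matches_4101(event):
    # Rule 4101 is only <match>block</match> on a pf-decoded line (substring match).
    return "block" in event["log"]

def evaluate(lines, frequency=FREQUENCY, timeframe=TIMEFRAME, ignore=IGNORE):
    """Replay lines in order through rules 4101 and 4151; return (rule_id, srcip, ts) alerts."""
    alerts = []
    window = {}       # srcip -> deque of 4101 timestamps still inside timeframe
    muted_until = {}  # srcip -> time before which 4151 is ignored for that source
    for line in lines:
        ev = decode(line)
        if ev is None or not matches_4101(ev):
            continue
        src, now = ev["srcip"], ev["ts"]
        alerts.append(("4101", src, now))           # level-5 drop event, always alerts
        if src in muted_until and now < muted_until[src]:
            continue                                 # inside the ignore window for this source
        q = window.setdefault(src, deque())
        q.append(now)
        while q and (now - q[0]).total_seconds() > timeframe:
            q.popleft()                              # expire matches older than the timeframe
        if len(q) >= frequency:
            alerts.append(("4151", src, now))        # level-10 composite alert
            q.clear()
            muted_until[src] = now + timedelta(seconds=ignore)
    return alerts

def constructed_lines():
    """Constructed sample: 20 blocked SYNs from 172.24.0.9 over three seconds,
    one passed connection and one blocked UDP packet from 10.1.1.5."""
    lines = []
    for i in range(20):
        sec = 13 + i // 7   # spread over 22:13:13 .. 22:13:15
        lines.append(
            f"Feb 15 22:13:{sec:02d} rtr-mel pf: 000010 rule 153/0(match): block in on em4: "
            f"(tos 0x0, ttl 51, id {28000 + i}, offset 0, flags [none], proto TCP (6), length 44) "
            f"172.24.0.9.52992 > 10.0.0.10.{1000 + i}: S, 0:0(0) win 1024 <mss 1460>"
        )
    lines.append("Feb 15 22:13:14 rtr-mel pf: 000020 rule 10/0(match): pass in on em4: "
                 "(tos 0x0, ttl 64, id 1, offset 0, flags [DF], proto TCP (6), length 60) "
                 "10.1.1.5.40000 > 10.0.0.10.22: S, 0:0(0) win 65535 <mss 1460>")
    lines.append("Feb 15 22:13:14 rtr-mel pf: 000011 rule 153/0(match): block in on em4: "
                 "(tos 0x0, ttl 64, id 2, offset 0, flags [none], proto UDP (17), length 60) "
                 "10.1.1.5.40001 > 10.0.0.10.161: [udp sum ok] udp 32")
    return lines

if __name__ == "__main__":
    for rule_id, src, ts in evaluate(constructed_lines()):
        if rule_id == "4151":
            print(f"{ts} rule {rule_id} fired for {src}")
```

Feeding the 16 lines quoted in the thread through `evaluate` (they are all from 172.24.0.9, two seconds apart) fires 4151 on the sixteenth line; dropping the `ignore` attribute, as suggested in the thread, changes only how soon a second alert for the same source can follow, not whether the first one fires.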
