On Mon, Jul 26, 2010 at 10:30 AM, Muraleedaran Kanapathy
<[email protected]> wrote:
>
> Hi All
>
> We are collecting the PIX logs on OSSEC using remoted, and I can see the
> alerts below.
>
> Unknown problem somewhere in the system.
>
> test-box %PIX-2-106001: Inbound TCP connection denied from x.x.x.x/4453 to
> y.y.y.y/6000 flags SYN on interface my-test
>
> Why is it showing as Unknown problem? How can I overcome this issue?
>
> Also, when I use the WebUI and select the log format as PIX, nothing shows
> up (I need to set the format to All Logs).
>
> Can anybody help me with this?
>
> Best regards,
>
> Muraleedaran Kanapathy | Linux/Unix System Engineer - ISS Department
> Voice +966(1) 2888136 | Fax +966(1) 288-8899 ext 1422
> Integrated Networks | Faisaliah Tower | Level 7A |
> PO Box 53553, Riyadh 11593, KSA | GMT +3 |
> Email [email protected]
>
> Disclaimer: This electronic mail message contains information that (a) is or
> may be LEGALLY PRIVILEGED, CONFIDENTIAL, PROPRIETARY IN NATURE, OR OTHERWISE
> PROTECTED BY LAW FROM DISCLOSURE, and (b) is intended only for the use of the
> Addressee(s) named herein. If you are not the intended recipient, an
> addressee, or the person responsible for delivering this to an addressee, you
> are hereby notified that reading, using, copying, or distributing any part of
> this message is strictly prohibited. If you have received this electronic
> mail message in error, please contact us immediately and take the steps
> necessary to delete the message completely from your computer system. Unless
> explicitly attributed, the opinions expressed in this message do not
> necessarily represent the official position or opinions of Integrated
> Networks LLC., whilst all care has been taken, Integrated Networks LLC.
> disclaims all liability for loss or damage to person or property arising from
> this message being infected by computer virus or any type of contamination.
>
>
Running the above log through ossec-logtest, I get the following:
**Phase 1: Completed pre-decoding.
full event: 'Jul 27 08:36:21 test-box %PIX-2-106001: Inbound
TCP connection denied from 192.168.1.1/4453 to 192.168.2.1/6000 flags
SYN on interface my-test'
hostname: 'test-box'
program_name: '(null)'
log: '%PIX-2-106001: Inbound TCP connection denied from
192.168.1.1/4453 to 192.168.2.1/6000 flags SYN on interface my-test'
**Phase 2: Completed decoding.
decoder: 'pix'
id: '2-106001'
proto: 'TCP'
action: 'denied'
srcip: '192.168.1.1'
srcport: '4453'
dstip: '192.168.2.1'
dstport: '6000'
**Phase 3: Completed filtering (rules).
Rule id: '4100'
Level: '0'
Description: 'Firewall rules grouped.'
So it seems like there may not be a rule for this. Something like the
following might help:
<rule id="xxxxx" level="something">
<if_sid>4100</if_sid>
<action>denied</action>
<description>TCP connection denied.</description>
</rule>
I'm not sure how useful this would be in the long run though.
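To show how the decoder-then-rule-chain path in the logtest output above turns into an alert once a child rule exists, here is an added Python re-creation of it (example code written for this page, not OSSEC's own decoder or rule engine). The regexes approximate the fields the pix decoder exposes (id, proto, action, srcip, srcport, dstip, dstport), the PIX sample lines are constructed, and the child rule id 100100 with level 5 is an assumption standing in for the xxxxx/something placeholders in the rule above (OSSEC reserves ids 100000 to 119999 for rules in local_rules.xml).

```python
"""Toy re-creation of the decode -> rule-chain path that ossec-logtest reports.

Added example, not OSSEC source. Regexes approximate the 'pix' decoder;
sample lines are constructed; rule 100100 / level 5 is an assumption.
"""
import re
from dataclasses import dataclass
from typing import Optional

# Phase 1 (pre-decoding): syslog timestamp, hostname, then the PIX message.
PREDECODE = re.compile(
    r"^[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2} (?P<hostname>\S+) (?P<log>%PIX-.*)$")
PIX_ID = re.compile(r"^%PIX-(?P<id>\d-\d{6}): (?P<msg>.*)$")

# Message bodies, constructed to mirror the Cisco formats (assumption):
# 106001 "Inbound TCP connection denied from A/p to B/q flags SYN on interface X"
DENIED = re.compile(
    r"^Inbound (?P<proto>[A-Za-z]+) connection (?P<action>denied) from "
    r"(?P<srcip>[\d.]+)/(?P<srcport>\d+) to (?P<dstip>[\d.]+)/(?P<dstport>\d+)")
# 302013 "Built inbound TCP connection N for outside:A/p (A/p) to inside:B/q (B/q)"
BUILT = re.compile(
    r"^(?P<action>Built) (?:inbound|outbound) (?P<proto>[A-Za-z]+) connection \d+ for "
    r"\w+:(?P<srcip>[\d.]+)/(?P<srcport>\d+) \([\d.]+/\d+\) to "
    r"\w+:(?P<dstip>[\d.]+)/(?P<dstport>\d+)")


def decode(line: str) -> Optional[dict]:
    """Phases 1+2: return the fields the 'pix' decoder would expose, or None."""
    pre = PREDECODE.match(line)
    if not pre:
        return None
    head = PIX_ID.match(pre.group("log"))
    if not head:
        return None
    fields = {"decoder": "pix", "hostname": pre.group("hostname"), "id": head.group("id")}
    for pat in (DENIED, BUILT):
        body = pat.match(head.group("msg"))
        if body:
            fields.update(body.groupdict())
            fields["action"] = fields["action"].lower()
            break
    return fields


@dataclass(frozen=True)
class Rule:
    id: int
    level: int
    description: str
    decoded_as: Optional[str] = None  # top-level rule: match on decoder name
    if_sid: Optional[int] = None      # child rule: parent must have matched first
    action: Optional[str] = None      # child constraint on the decoded action


# 4100 mirrors the level-0 grouping rule seen in the logtest output; 100100 is
# the hypothetical child rule (OSSEC keeps 100000-119999 for local rules).
RULES = [
    Rule(4100, 0, "Firewall rules grouped.", decoded_as="pix"),
    Rule(100100, 5, "TCP connection denied.", if_sid=4100, action="denied"),
]


def evaluate(fields: Optional[dict], rules=RULES) -> Optional[Rule]:
    """Phase 3: walk parent -> children and return the most specific match."""
    if fields is None:
        return None
    matched = next((r for r in rules
                    if r.if_sid is None and r.decoded_as == fields["decoder"]), None)
    while matched is not None:
        child = next((r for r in rules
                      if r.if_sid == matched.id
                      and (r.action is None or r.action == fields.get("action"))), None)
        if child is None:
            break
        matched = child
    return matched


def alert_for(line: str) -> Optional[tuple]:
    """Return (rule id, level, description) for a raw syslog line, or None."""
    rule = evaluate(decode(line))
    return None if rule is None else (rule.id, rule.level, rule.description)


# Constructed sample lines (not captured traffic).
SAMPLES = [
    "Jul 27 08:36:21 test-box %PIX-2-106001: Inbound TCP connection denied from "
    "192.168.1.1/4453 to 192.168.2.1/6000 flags SYN on interface my-test",
    "Jul 27 08:36:22 test-box %PIX-6-302013: Built inbound TCP connection 12345 for "
    "outside:192.168.1.1/4453 (192.168.1.1/4453) to inside:192.168.2.1/80 (192.168.2.1/80)",
    "Jul 27 08:36:23 test-box sshd[123]: Accepted publickey for root from 10.0.0.1",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(alert_for(sample))
```

Run as-is: the denied line ends on 100100 at level 5, the Built line stays on the level-0 grouping rule, and the non-PIX line decodes to nothing. That is the behaviour the child rule above would give in OSSEC, and the level on that child rule is what matters: a level-0 rule never produces an alert, so without a child carrying a level greater than 0 the firewall event stays silent.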