Thanks Dan for the input.

But my concern is that all the alerts related to PIX come with "Unknown 
problem somewhere in the system".

Also, in the Web UI, when I filter the log type as Pix nothing shows up.

Is there any workaround to solve this issue?

Best regards,

Muraleedaran Kanapathy | Linux/Unix System Engineer - ISS Department
Voice +966(1) 288-8888 ext 1422 | Fax +966(1) 288-8899 ext 1422 
Integrated Networks | Faisaliah Tower | Level 7A | 
PO Box 53553, Riyadh 11593, KSA | GMT +3 | 
Email [email protected]
 
Disclaimer: This electronic mail message contains information that (a) is or 
may be LEGALLY PRIVILEGED, CONFIDENTIAL, PROPRIETARY IN NATURE, OR OTHERWISE 
PROTECTED BY LAW FROM DISCLOSURE, and (b) is intended only for the use of the 
Addressee(s) named herein. If you are not the intended recipient, an addressee, 
or the person responsible for delivering this to an addressee, you are hereby 
notified that reading, using, copying, or distributing any part of this message 
is strictly prohibited. If you have received this electronic mail message in 
error, please contact us immediately and take the steps necessary to delete the 
message completely from your computer system. Unless explicitly attributed, the 
opinions expressed in this message do not necessarily represent the official 
position or opinions of Integrated Networks LLC., whilst all care has been 
taken, Integrated Networks LLC. disclaims all liability for loss or damage to 
person or property arising from this message being infected by computer virus 
or any type of contamination.
 
-----Original Message-----
From: [email protected] [mailto:[email protected]] On 
Behalf Of dan (ddp)
Sent: Tuesday, July 27, 2010 6:05 PM
To: [email protected]
Subject: Re: [ossec-list] PIX Logging with OSSEC

On Mon, Jul 26, 2010 at 10:30 AM, Muraleedaran Kanapathy
<[email protected]> wrote:
>
> Hi All
>
> We are collecting the PIX logs on OSSEC; using remoted I can see the 
> alerts below.
>
> Unknown problem somewhere in the system.
>
> test-box %PIX-2-106001: Inbound TCP connection denied from x.x.x.x/4453 to 
> y.y.y.y/6000 flags SYN on interface my-test
>
> Why is it showing as "Unknown problem ..."? How can I overcome this issue?
>
> Also, when I use the WebUI and select the Log format as Pix, nothing is showing 
> up (I need to set the format as All logs Format).
>
> Can anybody help me on this?
>
> Best regards,
>
> Muraleedaran Kanapathy | Linux/Unix System Engineer - ISS Department
> Voice +966(1) 2888136 | Fax +966(1) 288-8899 ext 1422
> Integrated Networks | Faisaliah Tower | Level 7A |
> PO Box 53553, Riyadh 11593, KSA | GMT +3 |
> Email [email protected]
>

Running the above log through ossec-logtest I get the following:
**Phase 1: Completed pre-decoding.
       full event: 'Jul 27 08:36:21 test-box %PIX-2-106001: Inbound
TCP connection denied from 192.168.1.1/4453 to 192.168.2.1/6000 flags
SYN on interface my-test'
       hostname: 'test-box'
       program_name: '(null)'
       log: '%PIX-2-106001: Inbound TCP connection denied from
192.168.1.1/4453 to 192.168.2.1/6000 flags SYN on interface my-test'

**Phase 2: Completed decoding.
       decoder: 'pix'
       id: '2-106001'
       proto: 'TCP'
       action: 'denied'
       srcip: '192.168.1.1'
       srcport: '4453'
       dstip: '192.168.2.1'
       dstport: '6000'

**Phase 3: Completed filtering (rules).
       Rule id: '4100'
       Level: '0'
       Description: 'Firewall rules grouped.'

So it seems like there may not be a rule for this. Something like the
following might help:

<rule id="xxxxx" level="something">
  <if_sid>4100</if_sid>
  <action>denied</action>
  <description>TCP connection denied.</description>
</rule>

I'm not sure how useful this would be in the long run though.
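As an added worked example (not part of Dan's reply or of the OSSEC rule set), here is what that sketch could look like as a complete local_rules.xml entry: a child of rule 4100 that keys on the decoded id and action fields shown in the logtest output, plus a composite rule that only escalates when the same source keeps getting denied. The rule ids 100001/100002, the levels and the group names are assumptions; the ids sit in the range OSSEC reserves for local rules.

```xml
<!-- Added example, not OSSEC's own rules: local_rules.xml entries for the
     PIX 106001 event. Ids, levels and group names are assumed values. -->
<group name="local,pix,">

  <!-- Child of 4100, the level-0 "Firewall rules grouped" rule that matched
       in Phase 3. <id> tests the 'id' field the pix decoder extracted
       ('2-106001') and <action> tests the decoded 'denied'. A level above
       the configured log_alert_level (default 1) is what makes this appear
       as an alert instead of being silently grouped at level 0. -->
  <rule id="100001" level="5">
    <if_sid>4100</if_sid>
    <id>^2-106001</id>
    <action>denied</action>
    <description>PIX: Inbound TCP connection denied.</description>
    <group>firewall_drop,</group>
  </rule>

  <!-- Composite rule: 8 or more 100001 matches from the same source IP
       within 120 seconds. Alerting on the repeated pattern is usually more
       useful than a level-5 alert on every single denied SYN. -->
  <rule id="100002" level="10" frequency="8" timeframe="120">
    <if_matched_sid>100001</if_matched_sid>
    <same_source_ip />
    <description>PIX: Multiple inbound TCP connections denied from the same source.</description>
    <group>multiple_drops,</group>
  </rule>

</group>
```

After adding the rules, re-run ossec-logtest on the same line; Phase 3 should now report rule id 100001 instead of 4100, which confirms the child rule is being evaluated before restarting the manager.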
