Strangely enough it works for me (running the latest source, I don't
have a copy of 2.5.1):

# echo '%SYS-5-CONFIG_I: Configured from console by admin on vty0 (1.1.1.1)' | /var/ossec/bin/ossec-logtest
2011/04/06 10:31:48 ossec-testrule: INFO: Reading local decoder file.
2011/04/06 10:31:49 ossec-testrule: INFO: Started (pid: 14371).
ossec-testrule: Type one log per line.

**Phase 1: Completed pre-decoding.
       full event: '%SYS-5-CONFIG_I: Configured from console by admin on vty0 (1.1.1.1)'
       hostname: 'arrakis'
       program_name: '(null)'
       log: '%SYS-5-CONFIG_I: Configured from console by admin on vty0 (1.1.1.1)'

**Phase 2: Completed decoding.
       decoder: 'cisco-ios'
       id: '%SYS-5-CONFIG_I'

**Phase 3: Completed filtering (rules).
       Rule id: '4721'
       Level: '3'
       Description: 'Cisco IOS router configuration changed.'
**Alert to be generated.

Try replacing the cisco rules file with a fresh copy. The rules file
hasn't changed in a while, and our output looks basically the same.
Not sure why it wouldn't work.
Also, you could try copying the rule (with a different rule id) to
local_rules.xml. Maybe that would work...

On Tue, Apr 5, 2011 at 5:03 PM, Jeremy Wilson <[email protected]> wrote:
> Sorry,
> Just caught on to how to use the ossec-logtest.  My bad.  But here is
> the output:
>
> echo "%SYS-5-CONFIG_I: Configured from console by admin on vty0 (x.x.x.x)" | /var/ossec/bin/ossec-logtest -f
> 2011/04/05 16:59:51 ossec-testrule: INFO: Reading local decoder file.
> 2011/04/05 16:59:51 ossec-testrule: INFO: Started (pid: 11506).
> ossec-testrule: Type one log per line.
>
> **Phase 1: Completed pre-decoding.
>       full event: '%SYS-5-CONFIG_I: Configured from console by admin on vty0 (x.x.x.x)'
>       hostname: 'watcher'
>       program_name: '(null)'
>       log: '%SYS-5-CONFIG_I: Configured from console by admin on vty0 (x.x.x.x)'
>
> **Phase 2: Completed decoding.
>       decoder: 'cisco-ios'
>       id: '%SYS-5-CONFIG_I'
>
> **Rule debugging:
>    Trying rule: 1 - Generic template for all syslog rules.
>       *Rule 1 matched.
>       *Trying child rules.
>    Trying rule: 5500 - Grouping of the pam_unix rules.
>    Trying rule: 5700 - SSHD messages grouped.
>    Trying rule: 5600 - Grouping for the telnetd rules
>    Trying rule: 2100 - NFS rules grouped.
>    Trying rule: 2550 - rshd messages grouped.
>    Trying rule: 2701 - Ignoring procmail messages.
>    Trying rule: 2800 - Pre-match rule for smartd.
>    Trying rule: 5100 - Pre-match rule for kernel messages
>    Trying rule: 5200 - Ignoring hpiod for producing useless logs.
>    Trying rule: 2830 - Crontab rule group.
>    Trying rule: 5300 - Initial grouping for su messages.
>    Trying rule: 5400 - Initial group for sudo messages
>    Trying rule: 9100 - PPTPD messages grouped
>    Trying rule: 9200 - Squid syslog messages grouped
>    Trying rule: 2900 - Dpkg (Debian Package) log.
>    Trying rule: 2930 - Yum logs.
>    Trying rule: 2931 - Yum logs.
>    Trying rule: 7200 - Grouping of the arpwatch rules.
>    Trying rule: 7300 - Grouping of Symantec AV rules.
>    Trying rule: 7400 - Grouping of Symantec Web Security rules.
>    Trying rule: 4300 - Grouping of PIX rules
>    Trying rule: 12100 - Grouping of the named rules
>    Trying rule: 13100 - Grouping for the smbd rules.
>    Trying rule: 11400 - Grouping for the vsftpd rules.
>    Trying rule: 11300 - Grouping for the pure-ftpd rules.
>    Trying rule: 11200 - Grouping for the proftpd rules.
>    Trying rule: 11500 - Grouping for the Microsoft ftp rules.
>    Trying rule: 11100 - Grouping for the ftpd rules.
>    Trying rule: 9300 - Grouping for the Horde imp rules.
>    Trying rule: 9400 - Roundcube messages groupe.d
>    Trying rule: 9500 - Wordpress messages grouped.
>    Trying rule: 9600 - cimserver messages grouped.
>    Trying rule: 9900 - Grouping for the vpopmail rules.
>    Trying rule: 9800 - Grouping for the vm-pop3d rules.
>    Trying rule: 3900 - Grouping for the courier rules.
>    Trying rule: 30100 - Apache messages grouped.
>    Trying rule: 31300 - Nginx messages grouped.
>    Trying rule: 31404 - PHP Warning message.
>    Trying rule: 31405 - PHP Fatal error.
>    Trying rule: 31406 - PHP Parse error.
>    Trying rule: 50100 - MySQL messages grouped.
>    Trying rule: 50500 - PostgreSQL messages grouped.
>    Trying rule: 4700 - Grouping of Cisco IOS rules.
>       *Rule 4700 matched.
>       *Trying child rules.
>    Trying rule: 4715 - Cisco IOS notification message.
>       *Rule 4715 matched.
>       *Trying child rules.
>    Trying rule: 4721 - Cisco IOS router configuration changed.
>    Trying rule: 4722 - Successful login to the router.
>
> **Phase 3: Completed filtering (rules).
>       Rule id: '4715'
>       Level: '0'
>       Description: 'Cisco IOS notification message.'
>
> --------------------------------------------------------------------------
> Jeremy Wilson
> Network Supervisor
> DuPont Community Credit Union
> Tel: 540.946.3200 x3103
> Fax: 540.946.3212
> http://www.mydccu.com/
>
> Personal Information: DCCU will never send unsolicited e-mails asking for 
> your personal or account information such as account numbers, passwords, 
> social security numbers, PINs, credit or debit card numbers, or other 
> confidential information. Visit 
> http://www.mydccu.com/asp/services/service_6.asp to learn more about fraud 
> and protecting your accounts.
>
> Confidentiality Note: This e-mail message is intended solely for the 
> individual or individuals named above. This e-mail and any attachments are 
> confidential. If the reader of this message is not the intended recipient, 
> you are requested not to read, copy or distribute it or any of the 
> information it contains. Please delete it immediately and notify us by return 
> e-mail or by telephone at (540)946-3200
>
>
> From: [email protected] [mailto:[email protected]]
> On Behalf Of Jeremy Wilson
> Sent: Tuesday, April 05, 2011 4:46 PM
> To: [email protected]
> Subject: RE: [ossec-list] trouble with cisco ios switches
>
> Hi dan,
> I am not sure if I understand you correctly but if I do sh logging on
> the cisco switch I get this:
>
> %SYS-5-CONFIG_I: Configured from console by admin on vty0 (x.x.x.x)
> %SYS-5-CONFIG_I: Configured from console by admin on vty0 (x.x.x.x)
> %SYS-6-LOGGINGHOST_STARTSTOP: Logging to host x.x.x.x Port 1025 started - reconnection
> %SYS-5-CONFIG_I: Configured from console by admin on vty0 (x.x.x.x)
> %SYS-5-CONFIG_I: Configured from console by admin on vty0 (x.x.x.x)
> %SYS-5-CONFIG_I: Configured from console by admin on vty0 (x.x.x.x)
> %SYS-5-CONFIG_I: Configured from console by admin on vty0 (x.x.x.x)
>
> If I do a cat /var/ossec/logs/archives/archives.log | grep x.x.x.x (ip
> address of cisco switch) on the ossec server, I get:
>
> 2011 Apr 05 14:27:13 watcher->10.0.250.30 438: %SYS-5-CONFIG_I: Configured from console by admin on vty0 (x.x.x.x)
> 2011 Apr 05 14:27:14 watcher->10.0.250.30 439: %SYS-6-LOGGINGHOST_STARTSTOP: Logging to host x.x.x.x Port 1025 started - reconnection
> 2011 Apr 05 14:36:40 watcher->10.0.250.30 440: %SYS-5-CONFIG_I: Configured from console by admin on vty0 (x.x.x.x)
> 2011 Apr 05 14:47:12 watcher->10.0.250.30 441: %SYS-5-CONFIG_I: Configured from console by admin on vty0 (x.x.x.x)
> 2011 Apr 05 16:31:05 watcher->10.0.250.30 442: %SYS-5-CONFIG_I: Configured from console by admin on vty0 (x.x.x.x)
> 2011 Apr 05 16:31:50 watcher->10.0.250.30 443: %SYS-5-CONFIG_I: Configured from console by admin on vty0 (x.x.x.x)
>
> @gurtaj, I did not make the rule.  It is the one that comes with ossec
> "cisco-ios_rules.xml" in /var/ossec/rules
>
> Since the switch is running an IOS software image, I thought it would
> work.  Maybe I am wrong?
>
> From: [email protected] [mailto:[email protected]]
> On Behalf Of dan (ddp)
> Sent: Tuesday, April 05, 2011 4:33 PM
> To: [email protected]
> Subject: Re: [ossec-list] trouble with cisco ios switches
>
> Hi Jeremy,
>
> On Tue, Apr 5, 2011 at 4:19 PM, Jeremy Wilson <[email protected]>
> wrote:
>> Ok I ran cat /var/ossec/logs/archives/archives.log |
>> /var/ossec/bin/ossec-logtest -a and did receive 2 alerts, but neither
>> alert was about the switch configuration being changed.
>>
>
> You need the actual syslog message from the cisco. Without digging
> into the decoder I'd guess it would be something like:
> "echo '00:00:44: %SYS-5-CONFIG_I: Configured from console by admin on
> vty0 (x.x.x.x)' | /var/ossec/bin/ossec-logtest"
>
> I'm not exactly sure how that message comes through though. I can try
> to look into it tomorrow instead of guessing.
>
>> Could be more along the lines of the decoder not decoding it properly?
>>
>
> Don't know, can't see the output from ossec-logtest.
>

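The workaround dan suggests at the top of the thread (copying rule 4721 into local_rules.xml under a different rule id), written out as an added example that is not part of the thread or of the OSSEC rule set. The level, description and parent rule 4715 are taken from the logtest output above; that the stock rule matches on the decoded id field, the exact `<id>` regex, the `config_changed` group and the local id 100100 are assumptions.

```xml
<!-- /var/ossec/rules/local_rules.xml (added example, not from the thread).
     Assumes the stock rule 4721 is a child of 4715 keyed on the decoded
     "id" field; the regex below is an assumption, while level, description
     and parent id follow the logtest output quoted in the thread. -->
<group name="local,syslog,cisco_ios,">

  <!-- Local copy of 4721 under an id in the local range (100000-119999).
       Fires when the cisco-ios decoder has produced id '%SYS-5-CONFIG_I'
       and the parent notification rule 4715 has already matched. -->
  <rule id="100100" level="3">
    <if_sid>4715</if_sid>
    <id>^%SYS-5-CONFIG_I</id>
    <description>Cisco IOS router configuration changed (local copy).</description>
    <group>config_changed,</group>
  </rule>

</group>
```

Re-run the same echo | ossec-logtest pipeline shown above after adding the rule; Phase 3 should then report Rule id '100100' instead of stopping at 4715, which tells you whether the problem is the shipped rules file or the decoder.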