On Mon, Aug 1, 2011 at 4:15 AM, Blauch Armand <[email protected]> wrote:
> Hello,
>
> Thanks for your advice.
> The purpose of rule 100001 is to alert when there is a port scan
> detection on the host.
> I tried to activate the <logall> option, and my symantec logs don't
> arrive at the ossec server. I don't know why.
> In parallel I am working on email alerts via symantec endpoint protection
> manager, maybe it's simpler than trying to read symantec non-conforming
> logs with ossec.
>

That's always an option. Did you restart the manager's OSSEC processes after
you added the <logall> option to the manager's ossec.conf? You need to restart
the processes for the setting to take effect.

>
> On 29 juil, 15:44, "dan (ddp)" <[email protected]> wrote:
>> On Thu, Jul 28, 2011 at 8:07 AM, Blauch Armand <[email protected]> wrote:
>> > Hello,
>>
>> > I want to check a symantec end point protection log file without
>> > success.
>>
>> > This file (seclog.log) is here:
>> > C:\Program Files (x86)\Symantec\Symantec Endpoint Protection\sec.log
>>
>> > So, I first added these lines to the ossec.conf (on the agent):
>> > ***********************************************************
>> > <localfile>
>> >   <location>C:\Program Files (x86)\Symantec\Symantec Endpoint Protection\seclog.log</location>
>> >   <log_format>syslog</log_format>
>> > </localfile>
>> > ***********************************************************
>>
>> > I've restarted the ossec service and put full control for all users on the
>> > file sec.log.
>>
>> > I have these lines in the ossec.log on the agent:
>> > 2011/07/28 03:54:12 ossec-agent(1950): INFO: Analyzing file: 'C:\Program Files (x86)\Symantec\Symantec Endpoint Protection\seclog.log'.
>> > 2011/07/28 03:54:12 ossec-agent: INFO: Started (pid: 1308).
>>
>> > On the ossec server, I've added a decoder:
>> > ********************************************************
>> > <decoder name="symantec-EndpointProtection-SP">
>> >   <prematch>have been scanned from </prematch>
>> >   <regex offset="after_prematch">(\S+)</regex>
>> >   <order>srcip</order>
>> > </decoder>
>> > *********************************************************
>>
>> > I've added 3 rules:
>> > *********************************************************
>> > <group name="symantecEP,">
>> >   <rule id="100000" level="5">
>> >     <decoded_as>symantec-EndpointProtection-SP</decoded_as>
>> >     <description>Grouping of Symantec Endpoint Protection Rules.</description>
>> >   </rule>
>>
>> >   <rule id="100001" level="5">
>> >     <category>windows</category>
>> >     <description>Grouping of Symantec EP rules from file sec.log.</description>
>> >   </rule>
>>
>> What's the purpose of rule 100001?
>>
>> >   <rule id="100002" level="15">
>> >     <if_sid>100000, 100001</if_sid>
>> >     <group>recon</group>
>> >     <description>Scan Port detected.</description>
>> >   </rule>
>>
>> > </group> <!-- symantec -->
>> > *************************************************************
>> > I've restarted the ossec service on the server.
>>
>> > My seclog.log is like this:
>> > *************************************************************
>> > 00000151 01cc4d09b71eCef1 000000ca 0000000b 460da2c0 451da2c0 00000002 00000000 00000001 01cc42095af2e918
>> > 01cc4d099113dfe8 000009c1 00000000 Somebody is scanning your computer.
>> > Your computer's TCP ports:
>> > 2068, 13705, 115, 83 and 1358 have been scanned from 192.168.25.69. PV¶ 6 PV¶ PV¶
>> > ø[ Default test DOMAIN
>> > 00000151 01cc4d14fdV17f78 000000ca 0000000b 460da2c0 450d28c0 00000002 00000000 00000001 01cc4d14af92e151
>> > 01cc4d14d682ae78 000004b7 00000000 Somebody is scanning your computer.
>> > Your computer's TCP ports:
>> > 9999, 39, 3001, 254 and 22273 have been scanned from 192.168.25.69. PV¶ 6 PV¶ PV¶
>> > ø[ Default test DOMAIN
>> > 00000151 01cc4d16b42e1e74 000000ca 0000000b 460d28c0 450da2c0 00000002 00000000 00000001 01cc4d16592a2768
>> > 01cc4d1690651668 00000800 00000000 Somebody is scanning your computer.
>> > Your computer's TCP ports:
>> > 627, 5432, 569, 1396 and 5901 have been scanned from 192.168.25.69. PV¶ 6 PV¶ PV¶
>> > ø[ Default test DOMAIN
>> > 00000152 01cc4d17156723e4 000000ca 0000000b 462da2c0 450da2c0 00000002 00000000 00000001 01cc4d16d0da2838
>> > 01cc4d16edefed08 0000027a 00000000 Somebody is scanning your computer.
>> > Your computer's TCP ports:
>> > 340, 487, 220, 4660 and 5803 have been scanned from 192.168.25.69. PV¶ 6 PV¶ PV¶
>> > ø[ Default test DOMAIN
>> > **************************************************************
>>
>> Unfortunately, due to line wrapping I'm not sure where the logs begin and end.
>>
>> > And ossec-logtest is ok for this kind of line: "340, 487, 220, 4660
>> > and 5803 have been scanned from 192.168.25.69."
>>
>> > Does anyone have an idea about my issue? How can I check that the ossec
>> > server has the information from the seclog.log?
>>
>> What is your issue?
>> If you want to make sure the logs are making it to the manager, turn
>> the <logall> option on. You can then check
>> /var/ossec/logs/archives/archives.log to see what log messages are
>> being processed.
>> http://www.ossec.net/doc/syntax/head_ossec_config.reports.html#elemen...
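To show why the `(\S+)` capture in the quoted decoder is fragile on this particular log, here is an added Python approximation of the decoder's prematch-then-capture step (not OSSEC's own engine, and not code from anyone in the thread) run over one seclog.log entry from the thread, constructed here one event per line as a `syslog`-format `<localfile>` reader delivers it.

```python
import ipaddress
import re

# Constructed sample: one seclog.log entry from the thread, split one event
# per line the way a line-oriented (log_format syslog) reader would deliver it.
SAMPLE_LINES = [
    "00000151 01cc4d09b71eCef1 000000ca 0000000b 460da2c0 451da2c0 00000002",
    "00000000 00000001 01cc42095af2e918 01cc4d099113dfe8 000009c1 00000000",
    "Somebody is scanning your computer.",
    "Your computer's TCP ports:",
    "2068, 13705, 115, 83 and 1358 have been scanned from 192.168.25.69. PV\u00b6 6 PV\u00b6",
]

PREMATCH = "have been scanned from "

# The capture from the thread's decoder: any run of non-space characters.
LOOSE_CAPTURE = r"(\S+)"
# Digit-based IPv4 capture as OSSEC's stock decoders write it (there the
# unescaped '.' is OSSEC's any-character; in Python it is escaped here).
STRICT_CAPTURE = r"(\d+\.\d+\.\d+\.\d+)"


def decode(line, capture):
    """Approximate <prematch> plus <regex offset="after_prematch"> for one event."""
    idx = line.find(PREMATCH)
    if idx < 0:
        return None  # prematch failed: the decoder does not apply to this event
    rest = line[idx + len(PREMATCH):]
    m = re.match(capture, rest)
    return {"srcip": m.group(1)} if m else None


def decode_all(lines, capture):
    """Return the decoded fields for every event the decoder matched."""
    out = []
    for line in lines:
        fields = decode(line, capture)
        if fields:
            out.append(fields)
    return out


def valid_srcip(value):
    """True if the captured srcip parses as an IP address (no trailing period)."""
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False
```

Only the event line that carries the prematch decodes, which is why ossec-logtest succeeds on that single line; with the loose capture the srcip field keeps the sentence's trailing period, so it is not a parseable address for any later IP comparison.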
