Hi All,

I recently set up firewall logging in our infrastructure. We use
netfilter system-wide, and ossec has been configured to read the
firewall logs on each system.

But no alerts were being triggered by ossec when multiple drops were
occurring.

So I read the source, and stumbled upon the `FW_Log` function, that
does this:

------------------------------------------------
/* FW_Log: v0.1, 2005/12/30 */
int FW_Log(Eventinfo *lf)
{
    /* If we don't have the srcip or the
     * action, there is no point in going
     * forward over here
     */
    if(!lf->action || !lf->srcip)
    {
        return(0);
    }


    /* Setting the actions */
    switch(*lf->action)
    {
        /* discard, drop, deny, */
        case 'd':
        case 'D':
        /* reject, */
        case 'r':
        case 'R':
        /* block */
        case 'b':
        case 'B':
            os_free(lf->action);
            os_strdup("DROP", lf->action);
            break;
        /* Closed */
[.....]
------------------------------------------------

As I understand it, my log-prefix *must* start with the letter D
to be considered a DROP. It was initially set to "AFW_INPUT_DROP"
and that explains why my alerts would appear as "ALLOW" in
ossec's own firewall.log.

Could someone please confirm this?


Another question: I'm trying to define custom alerts for the
firewall. Do I need to overwrite alerts 4101 and 4151, or can I
have another set of frequency/timeframe alerts inherit from 4100?

------------------------------------------------
  <rule id="100015" level="1">
    <action>DROP</action>
    <options>no_log</options>
    <description>Firewall Input Drop</description>
    <if_sid>4100</if_sid>
  </rule>
  <rule id="100016" level="7" frequency="200" timeframe="3600">
    <if_matched_sid>100015</if_matched_sid>
    <description>Multiple Firewall Input Drop from same IP</description>
    <same_source_ip />
    <same_dst_port />
  </rule>
  <rule id="100017"  level="10" frequency="100" timeframe="60">
    <if_matched_sid>100015</if_matched_sid>
    <description>High Firewall Input Drop in 60 seconds</description>
    <same_source_ip />
    <same_location />
  </rule>
------------------------------------------------


And finally: I have 2 types of firewall logs: DROP_INPUT and DROP_OUTPUT.
As far as I can tell, ossec sees both as DROP. Is there a way, using a
match or something similar, to differentiate my alerts on the log-prefix?

Thanks a lot,
Julien


--
Julien Vehent
Security Engineer
AWeber Communications
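
As an added example (not part of Julien's post and not OSSEC's own code), the Python below models the two mechanisms his questions turn on: the first-character dispatch visible in the quoted `FW_Log` excerpt (d/D, r/R, b/B become "DROP"), and a frequency/timeframe counter keyed on source IP and destination port in the spirit of rule 100016 (200 events within 3600 seconds). Two assumptions are labelled in the code: every prefix that does not start with one of those letters is mapped to "OTHER", since the remaining branches of the switch were elided in the post, and the sliding-window logic is an approximation for illustration rather than a reproduction of OSSEC's matching engine. The log lines and addresses are constructed sample data.

```python
"""Added example: netfilter log-prefix normalisation and drop correlation.

Not from the original post and not OSSEC's code. Models (1) the visible
first-character dispatch of FW_Log and (2) a same_source_ip/same_dst_port
frequency-timeframe check like rule 100016.
"""
from collections import defaultdict, deque

# First characters the quoted FW_Log switch maps to "DROP"
# (discard/drop/deny, reject, block).
DROP_INITIALS = frozenset("dDrRbB")


def fw_action(action):
    """Normalise an action string the way the visible part of FW_Log does:
    only the first character is inspected. The non-DROP branches were
    elided in the post, so this example labels them "OTHER" (assumption)."""
    if not action:
        return None
    return "DROP" if action[0] in DROP_INITIALS else "OTHER"


def parse_netfilter_line(line):
    """Pull the log-prefix, SRC, DST and DPT out of a netfilter LOG line.
    Field names are the standard LOG target ones; the surrounding syslog
    layout is constructed for this example."""
    _, _, rest = line.partition("kernel: ")
    fields = rest.split()
    if not fields:
        return None
    prefix = fields[0]
    kv = dict(f.split("=", 1) for f in fields[1:] if "=" in f)
    return {
        "prefix": prefix,           # raw prefix kept so INPUT/OUTPUT stay distinguishable
        "action": fw_action(prefix),
        "srcip": kv.get("SRC"),
        "dstip": kv.get("DST"),
        "dstport": kv.get("DPT"),
    }


def correlate_drops(events, frequency, timeframe):
    """Sliding-window frequency/timeframe check keyed on (srcip, dstport),
    mirroring the intent of rule 100016 (same_source_ip + same_dst_port).
    `events` is an iterable of (epoch_seconds, log_line). Returns a list of
    (srcip, dstport, fire_time) tuples, one per time the threshold is hit;
    the window is cleared after an alert so one burst yields one alert
    (approximation, not OSSEC's exact semantics)."""
    windows = defaultdict(deque)
    alerts = []
    for ts, line in events:
        ev = parse_netfilter_line(line)
        if not ev or ev["action"] != "DROP" or not ev["srcip"]:
            continue  # FW_Log bails without srcip/action; non-DROP is ignored here
        key = (ev["srcip"], ev["dstport"])
        win = windows[key]
        win.append(ts)
        while win and ts - win[0] > timeframe:
            win.popleft()
        if len(win) >= frequency:
            alerts.append((key[0], key[1], ts))
            win.clear()
    return alerts


def make_line(prefix, src, dpt):
    """Constructed sample line in netfilter LOG format (example data)."""
    return (f"Jan  5 10:00:00 host kernel: {prefix} IN=eth0 OUT= "
            f"SRC={src} DST=192.0.2.10 PROTO=TCP SPT=40000 DPT={dpt}")


def demo():
    """Constructed event stream run against the thresholds of rule 100016
    (200 events in 3600 s)."""
    events = []
    # 250 drops from one source to port 22, one every 10 s: alerts once.
    for i in range(250):
        events.append((i * 10, make_line("DROP_INPUT", "203.0.113.5", "22")))
    # 50 drops from another source: below threshold, no alert.
    for i in range(50):
        events.append((i * 10, make_line("DROP_INPUT", "198.51.100.7", "22")))
    # 300 lines with the old prefix: first letter 'A', never counted as DROP.
    for i in range(300):
        events.append((i * 10, make_line("AFW_INPUT_DROP", "203.0.113.9", "22")))
    events.sort(key=lambda e: e[0])
    return correlate_drops(events, frequency=200, timeframe=3600)


if __name__ == "__main__":
    for src, dpt, ts in demo():
        print(f"ALERT: {src} -> port {dpt}, threshold reached at t={ts}s")
```

Running the script fires a single alert for 203.0.113.5 on port 22 at t=1990 s (the 200th drop), nothing for the source that stays under the threshold, and nothing at all for the "AFW_INPUT_DROP" lines, which is the failure mode the post describes: a prefix whose first letter is not d, r or b is never counted as a drop. The parser also keeps the raw prefix next to the normalised action, which is the field a rule distinguishing DROP_INPUT from DROP_OUTPUT would need to look at.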