On Sat, Jul 14, 2012 at 1:06 PM, Julien Vehent <[email protected]> wrote:
> Hi All,
>
> I recently set up firewall logging in our infrastructure. We use
> netfilter system-wide, and ossec has been configured to read the
> firewall logs on each system.
>
> But no alerts were being triggered by ossec when multiple drops were
> occurring.
>
> So I read the source, and stumbled upon the `FW_log` function, that
> does this:
>
> ------------------------------------------------
> /* FW_Log: v0.1, 2005/12/30 */
> int FW_Log(Eventinfo *lf)
> {
>     /* If we don't have the srcip or the
>      * action, there is no point in going
>      * forward over here
>      */
>     if(!lf->action || !lf->srcip)
>     {
>         return(0);
>     }
>
>
>     /* Setting the actions */
>     switch(*lf->action)
>     {
>         /* discard, drop, deny, */
>         case 'd':
>         case 'D':
>         /* reject, */
>         case 'r':
>         case 'R':
>         /* block */
>         case 'b':
>         case 'B':
>             os_free(lf->action);
>             os_strdup("DROP", lf->action);
>             break;
>         /* Closed */
> [.....]
> ------------------------------------------------
>
> As I understand it, my log-prefix *must* start with the letter D
> to be considered a DROP. It was initially set to "AFW_INPUT_DROP"
> and that explains why my alerts would appear as "ALLOW" in
> ossec's own firewall.log.
>
> Could someone please confirm this?
>
>
> Another question: I'm trying to define custom alerts for the
> firewall. Do I need to overwrite alerts 4101 and 4151, or can I
> have another set of frequency/timeframe alerts inherit from 4100?
>
> ------------------------------------------------
> <rule id="100015" level="1">
>   <action>DROP</action>
>   <options>no_log</options>
>   <description>Firewall Input Drop</description>
>   <if_sid>4100</if_sid>
> </rule>
> <rule id="100016" level="7" frequency="200" timeframe="3600">
>   <if_matched_sid>100015</if_matched_sid>
>   <description>Multiple Firewall Input Drop from same IP</description>
>   <same_source_ip />
>   <same_dst_port />
> </rule>
> <rule id="100017" level="10" frequency="100" timeframe="60">
>   <if_matched_sid>100015</if_matched_sid>
>   <description>High Firewall Input Drop in 60 seconds</description>
>   <same_source_ip />
>   <same_location />
> </rule>
> ------------------------------------------------
>
>
> And finally: I have 2 types of firewall logs: DROP_INPUT and DROP_OUTPUT.
> As far as I can tell, ossec sees both as DROP. Is there a way, using a
> match or something similar, to differentiate my alerts on the log-prefix?
>
> Thanks a lot,
> Julien
>
>
> --
> Julien Vehent
> Security Engineer
> AWeber Communications
What does AFW stand for?
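The following is an added illustration, not code from the thread and not OSSEC source. It models the two behaviours Julien is asking about: FW_Log deciding DROP versus ALLOW from the first character of the netfilter `--log-prefix`, and `frequency`/`timeframe` rules counting child matches that share the `<same_*>` fields. Assumptions are marked in the code: the kernel log line shape the parser expects, the ALLOW and CLOSED mappings (inferred from the thread, since the quoted switch elides them), a window that resets after a rule fires, and the added rule 100018, which uses a substring test on the raw prefix to show how DROP_OUTPUT can be separated from DROP_INPUT in this model. The log lines are constructed from documentation address ranges.

```python
"""Model of OSSEC's FW_Log first-character action check and of
frequency/timeframe correlation over netfilter LOG lines.
Added illustration only; assumptions are noted inline."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta


def normalize_action(action):
    """Mirrors the switch quoted in the thread: only action[0] is examined.
    ALLOW/CLOSED are inferred from the thread, not copied from OSSEC."""
    if not action:
        return None
    c = action[0]
    if c in "dDrRbB":        # discard/drop/deny, reject, block
        return "DROP"
    if c in "aA":            # accept/allow (inferred: 'AFW_...' surfaced as ALLOW)
        return "ALLOW"
    if c in "cC":            # closed (inferred from the elided 'Closed' branch)
        return "CLOSED"
    return action            # assumption: anything else is left as written


# Assumed line shape: "<Mon DD HH:MM:SS> <host> kernel: <log-prefix> IN=... SRC=... DPT=..."
HEAD_RE = re.compile(r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) kernel: (?P<prefix>\S+) (?P<rest>IN=.*)$")
KV_RE = re.compile(r"(\w+)=(\S*)")
EPOCH = datetime(1900, 1, 1)   # syslog stamps carry no year; only time deltas matter


def parse_line(line):
    """Extract the fields a firewall decoder would hand to the rules."""
    m = HEAD_RE.match(line)
    if not m:
        return None
    kv = dict(KV_RE.findall(m["rest"]))          # flags like DF/SYN carry no '=' and are skipped
    when = datetime.strptime(m["ts"], "%b %d %H:%M:%S")
    return {"time": (when - EPOCH).total_seconds(), "location": m["host"],
            "prefix": m["prefix"],                 # kept raw so a rule can tell INPUT from OUTPUT
            "action": normalize_action(m["prefix"]),
            "srcip": kv.get("SRC"), "dstip": kv.get("DST"), "dstport": kv.get("DPT")}


class FrequencyRule:
    """Fires once `frequency` child matches sharing the `same` fields fall within
    `timeframe` seconds. `match` restricts the rule to a substring of the raw prefix.
    The window is reset after firing (a simplification of OSSEC's handling)."""

    def __init__(self, rule_id, level, frequency, timeframe, same, description, match=None):
        self.rule_id, self.level, self.frequency, self.timeframe = rule_id, level, frequency, timeframe
        self.same, self.description, self.match = same, description, match
        self.windows = defaultdict(deque)         # one sliding window per (same_* fields) key

    def feed(self, ev):
        if self.match and self.match not in ev["prefix"]:
            return None
        key = tuple(ev[f] for f in self.same)
        win = self.windows[key]
        win.append(ev["time"])
        while win and ev["time"] - win[0] > self.timeframe:
            win.popleft()                         # drop events older than the timeframe
        if len(win) >= self.frequency:
            win.clear()
            return {"rule": self.rule_id, "level": self.level, "key": key, "description": self.description}
        return None


def make_rules():
    """100016/100017 as posted; 100018 is an added rule keyed on the raw prefix."""
    return [FrequencyRule(100016, 7, 200, 3600, ("srcip", "dstport"), "Multiple Firewall Input Drop from same IP"),
            FrequencyRule(100017, 10, 100, 60, ("srcip", "location"), "High Firewall Input Drop in 60 seconds"),
            FrequencyRule(100018, 7, 50, 60, ("srcip",), "Repeated outbound drops", match="DROP_OUTPUT")]


def run(lines, rules=None):
    """Rule 100015 (<action>DROP</action>) gates everything; children count the rest."""
    rules, alerts = rules or make_rules(), []
    for line in lines:
        ev = parse_line(line)
        if not ev or ev["action"] != "DROP":
            continue
        alerts.extend(a for a in (r.feed(ev) for r in rules) if a)
    return alerts


def make_line(sec, prefix, src, dpt, host="fw1", dst="192.0.2.10"):
    """Constructed netfilter LOG line, `sec` seconds into the sample."""
    stamp = (datetime(1900, 7, 14, 13, 6, 0) + timedelta(seconds=sec)).strftime("%b %d %H:%M:%S")
    return (f"{stamp} {host} kernel: {prefix} IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 "
            f"SRC={src} DST={dst} LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP "
            f"SPT={40000 + sec % 1000} DPT={dpt} WINDOW=65535 RES=0x00 SYN URGP=0")


def build_sample():
    lines = [make_line(i // 5, "DROP_INPUT", "198.51.100.7", 22) for i in range(250)]        # burst, 'D' prefix
    lines += [make_line(i // 5, "AFW_INPUT_DROP", "198.51.100.8", 22) for i in range(250)]   # same burst, 'A' prefix
    lines += [make_line(i // 2, "DROP_OUTPUT", "192.0.2.10", 25, dst="203.0.113.9") for i in range(60)]
    lines += [make_line(i, "DROP_INPUT", "203.0.113.4", 443) for i in range(10)]             # below every threshold
    return lines


SAMPLE_LINES = build_sample()

if __name__ == "__main__":
    for a in run(SAMPLE_LINES):
        print(a["rule"], a["level"], a["key"], a["description"])
```

Running it shows the effect Julien describes: the 250-packet burst tagged `DROP_INPUT` raises 100017 twice and 100016 once, while the identical burst tagged `AFW_INPUT_DROP` raises nothing because the leading `A` makes FW_Log treat it as ALLOW and rule 100015 never matches. The outbound burst only trips the prefix-restricted rule 100018.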
