On Fri 20.Jul'12 at 9:20:00 -0400, dan (ddp) wrote:
> On Sat, Jul 14, 2012 at 1:06 PM, Julien Vehent <[email protected]> wrote:
> > Hi All,
> >
> > I recently set up firewall logging in our infrastructure. We use
> > netfilter system-wide, and ossec has been configured to read the
> > firewall logs on each system.
> >
> > But no alerts were being triggered by ossec when multiple drops were
> > occurring.
> >
> > So I read the source, and stumbled upon the `FW_Log` function, that
> > does this:
> >
> > ------------------------------------------------
> > /* FW_Log: v0.1, 2005/12/30 */
> > int FW_Log(Eventinfo *lf)
> > {
> >     /* If we don't have the srcip or the
> >      * action, there is no point in going
> >      * forward over here
> >      */
> >     if(!lf->action || !lf->srcip)
> >     {
> >         return(0);
> >     }
> >
> >
> >     /* Setting the actions */
> >     switch(*lf->action)
> >     {
> >         /* discard, drop, deny, */
> >         case 'd':
> >         case 'D':
> >         /* reject, */
> >         case 'r':
> >         case 'R':
> >         /* block */
> >         case 'b':
> >         case 'B':
> >             os_free(lf->action);
> >             os_strdup("DROP", lf->action);
> >             break;
> >         /* Closed */
> > [.....]
> > ------------------------------------------------
> >
> > As I understand it, my log-prefix *must* start with the letter D
> > to be considered a DROP. It was initially set to "AFW_INPUT_DROP"
> > and that explains why my alerts would appear as "ALLOW" in
> > ossec's own firewall.log.
> >
> > Could someone please confirm this?
> >
> >
> > Another question: I'm trying to define custom alerts for the
> > firewall. Do I need to overwrite alerts 4101 and 4151, or can I
> > have another set of frequency/timeframe alerts inherit from 4100?
> >
> > ------------------------------------------------
> > <rule id="100015" level="1">
> >   <action>DROP</action>
> >   <options>no_log</options>
> >   <description>Firewall Input Drop</description>
> >   <if_sid>4100</if_sid>
> > </rule>
> >
> > <rule id="100016" level="7" frequency="200" timeframe="3600">
> >   <if_matched_sid>100015</if_matched_sid>
> >   <description>Multiple Firewall Input Drop from same IP</description>
> >   <same_source_ip />
> >   <same_dst_port />
> > </rule>
> >
> > <rule id="100017" level="10" frequency="100" timeframe="60">
> >   <if_matched_sid>100015</if_matched_sid>
> >   <description>High Firewall Input Drop in 60 seconds</description>
> >   <same_source_ip />
> >   <same_location />
> > </rule>
> > ------------------------------------------------
> >
> >
> > And finally: I have 2 types of firewall logs: DROP_INPUT and DROP_OUTPUT.
> > As far as I can tell, ossec sees both as DROP. Is there a way, using a
> > match or something similar, to differentiate my alerts on the log-prefix?
> >
> > Thanks a lot,
> > Julien
> >
> >
> > --
> > Julien Vehent
> > Security Engineer
> > AWeber Communications
>
> What does AFW stand for?
It's the name of the firewall cookbook that we use in our chef environment. I need to open source that stuff... - Julien
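The first-letter action switch quoted in the thread, and what it does to the three log prefixes discussed (AFW_INPUT_DROP, DROP_INPUT, DROP_OUTPUT), as an added Python example. This is not OSSEC's code and not from anyone in the thread. It assumes the action string handed to FW_Log is the netfilter `--log-prefix` token that precedes `IN=` in the kernel line; it models only the d/r/b branch that is visible in the quoted snippet and labels everything else OTHER, since the remaining cases are elided on the page; and it uses a simplified frequency/timeframe counter for `<same_source_ip/>` plus `<same_dst_port/>` correlation rather than OSSEC's exact counting semantics. The sample log lines are constructed.

```python
import re
from collections import Counter, defaultdict, deque

# Constructed sample kernel lines (not captured traffic). The --log-prefix tokens
# echo the three prefixes from the thread: AFW_INPUT_DROP, DROP_INPUT, DROP_OUTPUT.
# Entries are (seconds since an arbitrary epoch, line).
SAMPLE_LOGS = [
    (0, "kernel: AFW_INPUT_DROP IN=eth0 OUT= MAC=00:16:3e:aa:bb:cc:00:16:3e:dd:ee:ff:08:00 "
        "SRC=203.0.113.7 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=1 DF "
        "PROTO=TCP SPT=40001 DPT=22 WINDOW=14600 RES=0x00 SYN URGP=0"),
    (5, "kernel: DROP_INPUT IN=eth0 OUT= MAC=00:16:3e:aa:bb:cc:00:16:3e:dd:ee:ff:08:00 "
        "SRC=203.0.113.7 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=2 DF "
        "PROTO=TCP SPT=40002 DPT=22 WINDOW=14600 RES=0x00 SYN URGP=0"),
    (10, "kernel: DROP_INPUT IN=eth0 OUT= MAC=00:16:3e:aa:bb:cc:00:16:3e:dd:ee:ff:08:00 "
         "SRC=203.0.113.7 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=3 DF "
         "PROTO=TCP SPT=40003 DPT=22 WINDOW=14600 RES=0x00 SYN URGP=0"),
    (20, "kernel: DROP_OUTPUT IN= OUT=eth0 SRC=192.0.2.10 DST=198.51.100.9 LEN=60 "
         "TOS=0x00 PREC=0x00 TTL=64 ID=4 DF PROTO=TCP SPT=51000 DPT=443 "
         "WINDOW=14600 RES=0x00 SYN URGP=0"),
    (30, "kernel: DROP_INPUT IN=eth0 OUT= MAC=00:16:3e:aa:bb:cc:00:16:3e:dd:ee:ff:08:00 "
         "SRC=203.0.113.7 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=5 DF "
         "PROTO=TCP SPT=40004 DPT=22 WINDOW=14600 RES=0x00 SYN URGP=0"),
    (100, "kernel: DROP_INPUT IN=eth0 OUT= MAC=00:16:3e:aa:bb:cc:00:16:3e:dd:ee:ff:08:00 "
          "SRC=203.0.113.7 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=6 DF "
          "PROTO=TCP SPT=40005 DPT=22 WINDOW=14600 RES=0x00 SYN URGP=0"),
]

# Assumption: the action is the --log-prefix token that sits right before "IN=".
FW_LINE = re.compile(
    r"kernel: (?P<prefix>\S+) IN=\S* OUT=\S* .*?SRC=(?P<srcip>\S+) DST=(?P<dstip>\S+) "
    r".*?PROTO=(?P<proto>\S+)(?: SPT=(?P<spt>\d+) DPT=(?P<dpt>\d+))?"
)


def normalise_action(action):
    """Mirror the visible branch of the quoted FW_Log switch.

    d/D (discard, drop, deny), r/R (reject) and b/B (block) become DROP.
    The snippet's remaining cases are elided on the page, so anything else is
    labelled OTHER here (an assumption of this example, not OSSEC's behaviour).
    """
    if not action:
        return None
    if action[0] in "dDrRbB":
        return "DROP"
    return "OTHER"


def decode_line(line):
    """Pull the raw log-prefix and the fields the firewall rules key on."""
    m = FW_LINE.search(line)
    if not m:
        return None
    prefix = m.group("prefix")
    return {
        "prefix": prefix,                     # raw --log-prefix, kept so a rule can still match on it
        "action": normalise_action(prefix),   # what the first-letter switch rewrites it to
        "srcip": m.group("srcip"),
        "dstip": m.group("dstip"),
        "protocol": m.group("proto"),
        "dstport": m.group("dpt"),            # None for protocols without ports
    }


def actions_by_prefix(logs):
    """Count (raw prefix, normalised action) pairs to show which prefixes merge."""
    return Counter((ev["prefix"], ev["action"])
                   for ev in (decode_line(line) for _, line in logs) if ev)


def correlate_drops(logs, frequency, timeframe):
    """Simplified model of a frequency/timeframe rule with <same_source_ip/> and
    <same_dst_port/>: fire once when `frequency` DROP events for the same
    (srcip, dstport) fall within `timeframe` seconds, then reset that key.
    Returns a list of (srcip, dstport, timestamp_of_firing).
    """
    windows = defaultdict(deque)
    alerts = []
    for ts, line in logs:
        ev = decode_line(line)
        if not ev or ev["action"] != "DROP":   # an OTHER prefix never counts toward a DROP rule
            continue
        key = (ev["srcip"], ev["dstport"])
        window = windows[key]
        while window and ts - window[0] > timeframe:
            window.popleft()                   # slide the window forward
        window.append(ts)
        if len(window) >= frequency:
            alerts.append((ev["srcip"], ev["dstport"], ts))
            window.clear()
    return alerts


if __name__ == "__main__":
    for (prefix, action), n in sorted(actions_by_prefix(SAMPLE_LOGS).items()):
        print(f"{prefix:16} -> {action:5} x{n}")
    print(correlate_drops(SAMPLE_LOGS, frequency=3, timeframe=60))
```

Running it shows the two effects the thread is about: DROP_INPUT and DROP_OUTPUT collapse into the single action DROP (so any rule keyed on `<action>DROP</action>` sees both), while AFW_INPUT_DROP falls outside the d/r/b branch and never feeds a DROP-based frequency rule at all. Because the decoder keeps the raw prefix alongside the normalised action, the INPUT and OUTPUT cases can still be told apart by matching on the prefix string rather than on the action.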
