2012/11/19 dan (ddp) <[email protected]>

> <snip>
>
> The decoder is clavister, not clavister-alert.
>
> Before changing the decoder name:
> **Phase 1: Completed pre-decoding.
>        full event: 'Nov 14 12:19:53 10.170.80.3 [2012-11-14 12:20:08]
> EFW: RULE: prio=6 id=06000051 rev=1 event=ruleset_drop_packet
> action=drop rule=d_all_any_to_external recvif=cpub1003
> srcip=10.170.83.14 destip=81.83.145.188 ipproto=TCP ipdatalen=20
> srcport=80 destport=49511 ack=1 fin=1'
>        hostname: '10.170.80.3'
>        program_name: '(null)'
>        log: '[2012-11-14 12:20:08] EFW: RULE: prio=6 id=06000051 rev=1
> event=ruleset_drop_packet action=drop rule=d_all_any_to_external
> recvif=cpub1003 srcip=10.170.83.14 destip=81.83.145.188 ipproto=TCP
> ipdatalen=20 srcport=80 destport=49511 ack=1 fin=1'
>
> **Phase 2: Completed decoding.
>        decoder: 'clavister'
>        action: 'drop'
>        srcip: '10.170.83.14'
>        dstip: '81.83.145.188'
>        srcport: '80'
>        dstport: '49511'
>        extra_data: 'ack=1 fin=1'
>
>
> After changing the decoder name:
> **Phase 1: Completed pre-decoding.
>        full event: 'Nov 14 12:19:53 10.170.80.3 [2012-11-14 12:20:08]
> EFW: RULE: prio=6 id=06000051 rev=1 event=ruleset_drop_packet
> action=drop rule=d_all_any_to_external recvif=cpub1003
> srcip=10.170.83.14 destip=81.83.145.188 ipproto=TCP ipdatalen=20
> srcport=80 destport=49511 ack=1 fin=1'
>        hostname: '10.170.80.3'
>        program_name: '(null)'
>        log: '[2012-11-14 12:20:08] EFW: RULE: prio=6 id=06000051 rev=1
> event=ruleset_drop_packet action=drop rule=d_all_any_to_external
> recvif=cpub1003 srcip=10.170.83.14 destip=81.83.145.188 ipproto=TCP
> ipdatalen=20 srcport=80 destport=49511 ack=1 fin=1'
>
> **Phase 2: Completed decoding.
>        decoder: 'clavister'
>        action: 'drop'
>        srcip: '10.170.83.14'
>        dstip: '81.83.145.188'
>        srcport: '80'
>        dstport: '49511'
>        extra_data: 'ack=1 fin=1'
>
> **Phase 3: Completed filtering (rules).
>        Rule id: '700006'
>        Level: '12'
>        Description: 'Clavister drop firewall!'
> **Alert to be generated.
>
>
> <snip>
>

OK, thanks, I can see now via logtest that it will alert. I don't see
anything appearing in the alert.log logfile on the manager.
Could the syntax of the agent.conf and the location be wrong:
<agent_config name="*machine*">
  <localfile>
    <log_format>syslog</log_format>
    <location>/data/logs/host/fw-10.170.80.*.log</location>
  </localfile>
</agent_config>

Notice I use fw-10.170.80.*.log; will the wildcard work?
(The firewall logfiles are named fw-10.170.80.2.log, fw-10.170.80.3.log,
fw-10.170.80.4.log, etc.)

Michiel
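
As an added example (not from this thread and not OSSEC's own code), here is a small Python reimplementation of the three logtest phases shown in the quoted output for these Clavister lines: syslog pre-decoding (hostname, program_name, log), key=value decoding into the fields the clavister decoder reports (action, srcip, dstip, srcport, dstport, extra_data), and a rule stage that fires on action=drop with the id, level and description logtest printed. The sample lines are constructed, and the regexes, the rule table and all function names are my assumptions, not OSSEC internals.

```python
import re
from typing import Dict, List, Optional

# Constructed sample lines (not captured traffic) in the layout the logtest
# output shows: syslog header, then the Clavister "EFW: RULE:" record.
SAMPLE_LINES = [
    "Nov 14 12:19:53 10.170.80.3 [2012-11-14 12:20:08] EFW: RULE: prio=6 "
    "id=06000051 rev=1 event=ruleset_drop_packet action=drop "
    "rule=d_all_any_to_external recvif=cpub1003 srcip=10.170.83.14 "
    "destip=81.83.145.188 ipproto=TCP ipdatalen=20 srcport=80 destport=49511 "
    "ack=1 fin=1",
    # an allow event with nothing after destport: extra_data stays empty
    "Nov 14 12:20:01 10.170.80.2 [2012-11-14 12:20:16] EFW: RULE: prio=6 "
    "id=06000050 rev=1 event=ruleset_allow_packet action=allow rule=lan_to_wan "
    "recvif=lan srcip=10.170.83.20 destip=198.51.100.7 ipproto=UDP "
    "ipdatalen=40 srcport=51234 destport=53",
    # a line the clavister decoder must not claim (program_name is set here)
    "Nov 14 12:20:05 10.170.80.4 sshd[1234]: Accepted publickey for ops",
]

# Phase 1: syslog header -> hostname, optional "program[pid]:" prefix, log.
SYSLOG_RE = re.compile(
    r"^[A-Z][a-z]{2} {1,2}\d{1,2} \d\d:\d\d:\d\d (?P<hostname>\S+) "
    r"(?:(?P<program>[^\s\[:]+)(?:\[\d+\])?: )?(?P<log>.*)$"
)

# Phase 2: the Clavister record is "[timestamp] EFW: SECTION: key=value ...".
CLAVISTER_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] EFW: (?P<section>[A-Z]+): (?P<body>.*)$"
)


def decode_clavister(log: str) -> Optional[Dict[str, object]]:
    """Return the decoder fields for a Clavister EFW record, else None."""
    m = CLAVISTER_RE.match(log)
    if not m:
        return None
    kv: Dict[str, str] = {}
    extra: List[str] = []          # tokens after destport, as logtest showed
    past_dstport = False
    for tok in m.group("body").split():
        if past_dstport:
            extra.append(tok)
            continue
        key, sep, value = tok.partition("=")
        if not sep:                # bare token: keep it rather than drop it
            extra.append(tok)
            continue
        kv[key] = value
        past_dstport = key == "destport"
    return {
        "decoder": "clavister",
        "timestamp": m.group("ts"),
        "action": kv.get("action"),
        "srcip": kv.get("srcip"),
        "dstip": kv.get("destip"),
        "srcport": kv.get("srcport"),
        "dstport": kv.get("destport"),
        "extra_data": " ".join(extra) if extra else None,
        "fields": kv,
    }


# Phase 3: hypothetical rule table mirroring the rule logtest reported.
RULES = [
    (700006, 12, "Clavister drop firewall!", lambda d: d["action"] == "drop"),
]


def match_rules(decoded: Dict[str, object]) -> Optional[Dict[str, object]]:
    for rule_id, level, description, predicate in RULES:
        if predicate(decoded):
            return {"id": rule_id, "level": level, "description": description}
    return None


def process(line: str) -> Dict[str, object]:
    """Run one line through all three phases; 'alert' is None when no rule fires."""
    m = SYSLOG_RE.match(line)
    if not m:
        return {"hostname": None, "program_name": None, "decoder": None, "alert": None}
    decoded = decode_clavister(m.group("log"))
    if decoded is None:
        return {"hostname": m.group("hostname"), "program_name": m.group("program"),
                "decoder": None, "alert": None}
    decoded["hostname"] = m.group("hostname")
    decoded["program_name"] = m.group("program")
    decoded["alert"] = match_rules(decoded)
    return decoded


def run(lines: List[str]) -> List[Dict[str, object]]:
    """Return only the events that would generate an alert."""
    return [r for r in (process(l) for l in lines) if r["alert"] is not None]


if __name__ == "__main__":
    for event in run(SAMPLE_LINES):
        print(event["hostname"], event["srcip"], "->", event["dstip"], event["alert"])
```

Feeding it lines copied straight out of the fw-10.170.80.*.log files is a quick way to confirm that the fields the clavister decoder needs are really present in the file contents, independently of how the agent picks the files up.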
