Friends,
Apologies for the long mail. I have started sending syslog from my Cisco
ASA to my OSSEC 2.6 server. Logs are received okay, but the issue is that the
ASA syslog message " Dec 10 2012 10:21:33 xxx-xxx-fw1 : %ASA-3-710003: TCP
access denied by ACL from x.x.x.x/35606 to external:x.x.x.x/80" is being
categorized as "Unknown problem somewhere in the system", rule 1002.
Firewall name and IPs purposefully changed to protect the innocent.
When I run logtest I see this:
**Phase 1: Completed pre-decoding.
full event: 'Dec 10 2012 10:21:33 xxx-xxx-fw1 : %ASA-3-710003: TCP
access denied by ACL from x.x.x.x/35606 to external:x.x.x.x/80'
hostname: 'xxx-xxx-bastion-001' !(OSSEC server)!
program_name: '(null)'
log: 'Dec 10 2012 10:21:33 xxx-xxx-fw1 : %ASA-3-710003: TCP access
denied by ACL from x.x.x.x/35606 to external:x.x.x.x/80'
**Phase 2: Completed decoding.
decoder: 'pix'
id: '3-710003'
proto: 'TCP'
action: 'd'
srcip: 'x.x.x.x'
srcport: '35606'
dstip: 'x.x.x.x'
dstport: '80'
**Rule debugging:
Trying rule: 2 - Generic template for all firewall rules.
*Rule 2 matched.
*Trying child rules.
Trying rule: 4100 - Firewall rules grouped.
*Rule 4100 matched.
*Trying child rules.
Trying rule: 4101 - Firewall drop event.
**Phase 3: Completed filtering (rules).
Rule id: '4100'
Level: '0'
Description: 'Firewall rules grouped.'
I did modify the decoder a bit, as the out-of-the-box ASA and PIX decoders
didn't recognize the messages at all, so I added this to decoder.xml with
the intention of moving it to local_decoder.xml as soon as I get it working:
<decoder name="pix">
  <prematch>^%PIX-|^\w\w\w \d\d \d\d\d\d \d\d:\d\d:\d\d: %PIX-|</prematch>
  <prematch>^\w\w\w \d\d \d\d\d\d \d\d:\d\d:\d\d vdc-ccp-fw1 : %ASA-|</prematch>
  <!-- <prematch>^%ASA-|^\w\w\w \d\d \d\d\d\d \d\d:\d\d:\d\d: %ASA-|</prematch> -->
  <prematch>^%FWSM-|^\w\w\w \d\d \d\d\d\d \d\d:\d\d:\d\d: %FWSM-</prematch>
</decoder>
and the decoder I think it should match looks like this:
<decoder name="pix-fw2">
  <parent>pix</parent>
  <type>firewall</type>
  <prematch offset="after_parent">^3-710003|^7-710002|^7-710005</prematch>
  <regex offset="after_parent">^(\S+): (\S+) \w+ (\D+)\.+from </regex>
  <regex>(\S+)/(\S+) to \w+:(\S+)/(\S+)</regex>
  <order>id, protocol, action, srcip, srcport, dstip, dstport</order>
</decoder>
I'm not sure why it is not identifying this syslog message as a firewall drop
event. I'm also not sure why it is only pulling out the "d" in the action field
instead of the whole word. I have played around with the regex there, but
it doesn't seem to matter... and I even created a new rule in
firewall_rules.xml:
<rule id="4102" level="5">
  <if_sid>4100</if_sid>
  <action>d</action>
  <options>no_log</options>
  <description>Firewall drop event.</description>
  <group>firewall_drop,</group>
</rule>
Which logtest shows:
*Rule debugging:
Trying rule: 2 - Generic template for all firewall rules.
*Rule 2 matched.
*Trying child rules.
Trying rule: 4100 - Firewall rules grouped.
*Rule 4100 matched.
*Trying child rules.
Trying rule: 4101 - Firewall drop event.
Trying rule: 4102 - Firewall drop event.
*Rule 4102 matched.
**Phase 3: Completed filtering (rules).
Rule id: '4102'
Level: '5'
Description: 'Firewall drop event.'
So I thought, woohoo!
But it still shows up in alerts as:
** Alert 1355878006.21227: mail - syslog,errors,
2012 Dec 18 19:46:46 xxx-xxx-bastion-001->x.x.x.x
Rule: 1002 (level 2) -> 'Unknown problem somewhere in the system.'
Dec 19 2012 00:46:46 xxx-xxx-fw1 : %ASA-3-710003: TCP access denied by ACL
from x.x.x.x/43145 to external:x.x.x.x/22
Any idea how to make OSSEC identify this syslog message as what it is?
-Thanks
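An added example, not OSSEC's decoder and not code from the post above: a small Python parser for the %ASA-3-710003 lines quoted in the mail, extracting the same fields the pix-fw2 <order> names (id, protocol, action, srcip, srcport, dstip, dstport) and labelling denies as firewall_drop. It uses Python's re module rather than OSSEC's own regex dialect (where, for instance, backslash-dot matches any character), captures the action as a whole word instead of a single letter, tolerates the leading space present in the quoted line, and does not hard-code the firewall hostname. The RFC 5737 addresses, the extra 302013 line and the firewall_other label are constructed for this example.

```python
"""Decode Cisco ASA "%ASA-3-710003" ACL-deny syslog lines.

Added example, not OSSEC's decoder and not code from the original post. It
extracts the fields the post's pix-fw2 <order> names (id, protocol, action,
srcip, srcport, dstip, dstport) with Python's re module; OSSEC's own regex
dialect differs (there, for example, backslash-dot matches any character).
"""
import re
from typing import Optional

# Syslog header as the ASA emits it with timestamp and device-id enabled:
#   "Dec 10 2012 10:21:33 xxx-xxx-fw1 : %ASA-3-710003: ..."
# The header is optional, \s* tolerates the leading space seen in the line
# quoted in the post, and the hostname is captured rather than hard-coded.
HEADER = re.compile(
    r"^\s*(?:[A-Z][a-z]{2} \d{2} \d{4} \d{2}:\d{2}:\d{2} (?P<host>\S+) : )?"
    r"%(?:ASA|PIX|FWSM)-(?P<id>\d-\d{6}): (?P<body>.*)$"
)

# Message body in the shape quoted in the post:
#   "TCP access denied by ACL from 10.0.0.5/35606 to external:192.0.2.10/80"
# The action is captured as a whole word, not a single character.
ACL_BODY = re.compile(
    r"^(?P<protocol>\w+) access (?P<action>\w+) by ACL "
    r"from (?P<srcip>\S+)/(?P<srcport>\d+) "
    r"to (?P<dstif>\w+):(?P<dstip>\S+)/(?P<dstport>\d+)$"
)

# Action words treated as a drop; "firewall_other" is a label made up here.
DROP_ACTIONS = {"denied", "deny", "drop", "dropped", "block", "blocked"}


def decode(line: str) -> Optional[dict]:
    """Return the decoded fields for an ACL line, or None if it does not match."""
    m = HEADER.match(line)
    if not m:
        return None
    b = ACL_BODY.match(m.group("body"))
    if not b:
        return None
    fields = {"host": m.group("host"), "id": m.group("id"), **b.groupdict()}
    fields["group"] = (
        "firewall_drop" if fields["action"].lower() in DROP_ACTIONS else "firewall_other"
    )
    return fields


def classify(lines) -> dict:
    """Count lines per group, the way a rule tree would bucket them."""
    counts = {"firewall_drop": 0, "firewall_other": 0, "undecoded": 0}
    for line in lines:
        fields = decode(line)
        counts[fields["group"] if fields else "undecoded"] += 1
    return counts


# Constructed sample input: the two lines quoted in the post with RFC 5737
# addresses substituted for x.x.x.x, plus one non-ACL ASA line (constructed,
# message 302013) that the decoder should leave alone.
SAMPLE_LINES = [
    " Dec 10 2012 10:21:33 xxx-xxx-fw1 : %ASA-3-710003: TCP access denied by ACL "
    "from 198.51.100.5/35606 to external:192.0.2.10/80",
    "Dec 19 2012 00:46:46 xxx-xxx-fw1 : %ASA-3-710003: TCP access denied by ACL "
    "from 198.51.100.7/43145 to external:192.0.2.10/22",
    "Dec 19 2012 00:46:47 xxx-xxx-fw1 : %ASA-6-302013: Built inbound TCP connection "
    "4711 for outside:198.51.100.7/43146 (198.51.100.7/43146) "
    "to inside:192.0.2.11/443 (192.0.2.11/443)",
]

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(decode(line))
    print(classify(SAMPLE_LINES))
```

Run stand-alone it prints the decoded dictionaries for the two deny lines, None for the 302013 line, and a count of two firewall_drop and one undecoded. The point of comparison with the decoder in the mail is the action field: anchoring the body regex on the literal words around it ("access ... by ACL") yields "denied" as a complete token, which is what a rule's <action> match would need to test against.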