On Tuesday, December 18, 2012 4:58:06 PM UTC-8, funwithossec wrote:
>
> Friends,
> Apologies for the long mail, I have started sending syslog from my
> Cisco ASA to my OSSEC 2.6 server, logs received okay but the issue is that
> the ASA syslog message, " Dec 10 2012 10:21:33 xxx-xxx-fw1 : %ASA-3-710003:
> TCP access denied by ACL from x.x.x.x/35606 to external:x.x.x.x/80" is
> being categorized as Unknown Problem somewhere in the system, rule 1002.
> Firewall name and ip's purposefully changed to protect the innocent.
>
> When I run logtest I see this:
>
> **Phase 1: Completed pre-decoding.
> full event: 'Dec 10 2012 10:21:33 xxx-xxx-fw1 : %ASA-3-710003: TCP
> access denied by ACL from x.x.x.x/35606 to external:x.x.x.x/80'
> hostname: 'xxx-xxx-bastion-001' !(OSSEC server)!
> program_name: '(null)'
> log: ''Dec 10 2012 10:21:33 xxx-xxx-fw1 : %ASA-3-710003: TCP access
> denied by ACL from x.x.x.x/35606 to external:x.x.x.x/80'
>
> **Phase 2: Completed decoding.
> decoder: 'pix'
> id: '3-710003'
> proto: 'TCP'
> action: 'd'
> srcip: 'x.x.x.x'
> srcport: '35606'
> dstip: 'x.x.x.x'
> dstport: '80'
>
> **Rule debugging:
> Trying rule: 2 - Generic template for all firewall rules.
> *Rule 2 matched.
> *Trying child rules.
> Trying rule: 4100 - Firewall rules grouped.
> *Rule 4100 matched.
> *Trying child rules.
> Trying rule: 4101 - Firewall drop event.
>
> **Phase 3: Completed filtering (rules).
> Rule id: '4100'
> Level: '0'
> Description: 'Firewall rules grouped.'
>
>
> I did modify the decoder a bit as the out of the box ASA and PIX decoders
> didn't recognize the messages at all, so I added this to decoder.xml with
> the intention of moving it to local_decoder.xml as soon as I get it working:
>
> <decoder name="pix">
> <prematch>^%PIX-|^\w\w\w \d\d \d\d\d\d \d\d:\d\d:\d\d: %PIX-|</prematch>
> <prematch>^\w\w\w \d\d \d\d\d\d \d\d:\d\d:\d\d vdc-ccp-fw1 : %ASA-|</prematch>
> <!-- <prematch>^%ASA-|^\w\w\w \d\d \d\d\d\d \d\d:\d\d:\d\d: %ASA-|</prematch> -->
> <prematch>^%FWSM-|^\w\w\w \d\d \d\d\d\d \d\d:\d\d:\d\d: %FWSM-</prematch>
> </decoder>
>
> and the decoder I think it should match looks like this:
>
> <decoder name="pix-fw2">
> <parent>pix</parent>
> <type>firewall</type>
> <prematch offset="after_parent">^3-710003|^7-710002|^7-710005</prematch>
> <regex offset="after_parent">^(\S+): (\S+) \w+ (\D+)\.+from </regex>
> <regex>(\S+)/(\S+) to \w+:(\S+)/(\S+)</regex>
> <order>id, protocol, action, srcip, srcport, dstip, dstport</order>
> </decoder>
>
>
> Not sure why it is not identifying this syslog message as a firewall drop
> event? Also not sure why it is only pulling out the "d" in the action field
> instead of the whole word? I have played around with the regex there but
> it doesn't seem to matter...and I even created a new rule in the
> firewall_rules.xml:
>
> <rule id="4102" level="5">
> <if_sid>4100</if_sid>
> <action>d</action>
> <options>no_log</options>
> <description>Firewall drop event.</description>
> <group>firewall_drop,</group>
> </rule>
>
> Which logtest shows:
>
> *Rule debugging:
> Trying rule: 2 - Generic template for all firewall rules.
> *Rule 2 matched.
> *Trying child rules.
> Trying rule: 4100 - Firewall rules grouped.
> *Rule 4100 matched.
> *Trying child rules.
> Trying rule: 4101 - Firewall drop event.
> Trying rule: 4102 - Firewall drop event.
> *Rule 4102 matched.
>
> **Phase 3: Completed filtering (rules).
> Rule id: '4102'
> Level: '5'
> Description: 'Firewall drop event.'
>
>
> So I thought, woohoo!
> But it still shows up in alerts as:
>
> ** Alert 1355878006.21227: mail - syslog,errors,
> 2012 Dec 18 19:46:46 xxx-xxx-bastion-001->x.x.x.x
> Rule: 1002 (level 2) -> 'Unknown problem somewhere in the system.'
> Dec 19 2012 00:46:46 xxx-xxx-fw1 : %ASA-3-710003: TCP access denied by ACL
> from x.x.x.x/43145 to external:x.x.x.x/22
>
> Any idea how to make Ossec identify this syslog message as what it is?
>
> -Thanks
>

All,

Thanks for any looks on this, it appears to be working now.
-Thanks
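As an added illustration (this is not OSSEC's code and not the poster's decoder), here is a small Python parser that does what the pix / pix-fw2 decoder pair and the rule chain in the thread are meant to do: a prematch that accepts both the bare `%ASA-` form and the `Mon DD YYYY HH:MM:SS host : %ASA-` form, a field extraction for message ids 710002/710003/710005 in the same `id, protocol, action, srcip, srcport, dstip, dstport` order, and a rule step that raises a "Firewall drop event." only when the action field carries the whole word. It uses Python's `re` engine rather than OSSEC's own regex engine, so it does not reproduce the single-letter `action` capture shown in the post. The sample lines, the addresses and hostnames in them, the `DROP_ACTIONS` word list and the mapping to rule 4102 are constructed assumptions, not OSSEC defaults.

```python
import re
from typing import Optional

# Constructed sample lines; hostnames and addresses are placeholders.
# Line 0 is the thread's message shape, lines 1-2 are the other ids pix-fw2
# targets, line 3 is a non-firewall ASA message that should only reach "pix".
SAMPLE_LINES = [
    "Dec 10 2012 10:21:33 xxx-xxx-fw1 : %ASA-3-710003: TCP access denied by ACL "
    "from 10.0.0.5/35606 to external:192.0.2.10/80",
    "%ASA-7-710002: TCP access permitted from 10.0.0.7/51000 to inside:192.0.2.20/22",
    "%ASA-7-710005: UDP request discarded from 10.0.0.9/5353 to outside:192.0.2.30/53",
    "Dec 10 2012 10:22:01 xxx-xxx-fw1 : %ASA-6-302013: Built outbound TCP connection "
    "12345 for outside:198.51.100.4/443 (198.51.100.4/443) to inside:10.0.0.5/50122 "
    "(203.0.113.2/50122)",
]

# Equivalent of the parent <prematch>: optional "Mon DD YYYY HH:MM:SS host :" prefix,
# then the %ASA-/%PIX-/%FWSM-<severity>-<msgid> header. The rest of the line is
# handed to the child decoder, like OSSEC's offset="after_parent".
PREMATCH = re.compile(
    r"^(?:[A-Za-z]{3} \d\d \d{4} \d\d:\d\d:\d\d \S+ : )?"
    r"%(?:ASA|PIX|FWSM)-(?P<id>\d-\d{6}): (?P<rest>.*)$"
)

# Message ids the child decoder claims (same three as the thread's pix-fw2).
FW2_IDS = {"3-710003", "7-710002", "7-710005"}

# Equivalent of the child's two <regex> lines. The action is captured as a whole
# word; any trailing qualifier such as "by ACL" is skipped lazily before " from ".
FW2 = re.compile(
    r"^(?P<protocol>\S+) \w+ (?P<action>\w+).*? from "
    r"(?P<srcip>\S+)/(?P<srcport>\d+) to \w+:(?P<dstip>\S+)/(?P<dstport>\d+)"
)

# Assumption: these action words are what a drop rule should key on.
DROP_ACTIONS = {"denied", "discarded"}


def decode(line: str) -> Optional[dict]:
    """Return decoded fields, or None when the line is not an ASA/PIX/FWSM message."""
    m = PREMATCH.match(line)
    if not m:
        return None  # leave the line to other decoders
    fields = {"decoder": "pix", "id": m.group("id")}
    if m.group("id") in FW2_IDS:
        f = FW2.match(m.group("rest"))
        if f:
            fields["decoder"] = "pix-fw2"
            fields.update(f.groupdict())
    return fields


def classify(fields: Optional[dict]) -> dict:
    """Mimic the rule chain: 4100 groups firewall decodes, a child rule
    (the poster's 4102, level 5) fires only when the action is a drop word."""
    if fields is None or fields.get("decoder") != "pix-fw2":
        return {"rule": None, "level": 0, "description": "no firewall decode"}
    if fields.get("action", "").lower() in DROP_ACTIONS:
        return {"rule": 4102, "level": 5, "description": "Firewall drop event."}
    return {"rule": 4100, "level": 0, "description": "Firewall rules grouped."}


if __name__ == "__main__":
    for line in SAMPLE_LINES:
        fields = decode(line)
        verdict = classify(fields)
        print(line)
        print("  decoded:", fields)
        print("  rule:", verdict["rule"], "level:", verdict["level"],
              "description:", verdict["description"])
```

Running the script prints, for each sample line, the fields a logtest run would list under "Completed decoding" and the rule that would win under "Completed filtering"; the value to look at is the `action` field, which here holds the full word (`denied`, `permitted`, `discarded`) so that a rule's `<action>` test can match on the word rather than on a fragment.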