Thanks Dan. I have it mostly working, but maybe you could clarify a point or 2
for me.
A couple of typical log entries look like:
Jan 15 19:58:43 wc20399 kernel: Firewall: *TCP_IN Blocked* IN=eth0 OUT= MAC=e8:39:35:4d:d6:2d:00:01:e8:8b:14:e9:08:00 SRC=x.x.x.x DST=x.x.x.x LEN=60 TOS=0x00 PREC=0x20 TTL=40 ID=19542 DF PROTO=TCP SPT=52340 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0
Jan 15 19:42:00 wc20399 kernel: Firewall: *Port Flood* IN=eth0 OUT= MAC=e8:39:35:4d:d6:2d:00:01:e8:8b:14:e9:08:00 SRC=x.x.x.x DST=x.x.x.x LEN=48 TOS=0x00 PREC=0x00 TTL=237 ID=924 DF PROTO=TCP SPT=23581 DPT=80 WINDOW=24848 RES=0x00 SYN URGP=0
I copied the shorewall decoders and made a couple of changes:
<decoder name="iptables-csf">
  <parent>iptables</parent>
  <type>firewall</type>
  <prematch>^Firewall: </prematch>
  <regex offset="after_prematch">^*\S+ (\S+)* \.+ SRC=(\S+) DST=(\S+) \.+</regex>
  <regex>PROTO=(\w+) </regex>
  <order>action,srcip,dstip,protocol</order>
</decoder>

<decoder name="iptables-csf">
  <parent>iptables</parent>
  <type>firewall</type>
  <regex offset="after_regex">^SPT=(\d+) DPT=(\d+) </regex>
  <order>srcport,dstport</order>
</decoder>
This makes the "action" = "Blocked" or "Flood".
Then I overwrote rule 4101:
<rule id="4101" level="5" overwrite="yes">
  <if_sid>4100</if_sid>
  <action>Blocked</action>
  <options>no_log</options>
  <description>Firewall drop event.</description>
  <group>firewall_drop,</group>
</rule>
What I'm still wondering, though, is if it is possible to test for multiple "actions" (either "Blocked" OR "Flood"), to be used in:
<rule id="4151" level="10" frequency="16" timeframe="45" ignore="240">
  <if_matched_sid>4101</if_matched_sid>
  <same_source_ip />
  <description>Multiple Firewall drop events from same source.</description>
  <group>multiple_drops,</group>
</rule>
Thanks again!
----- Original Message -----
From: "dan (ddp)" <[email protected]>
To: [email protected]
Sent: Tuesday, January 15, 2013 9:54:30 AM
Subject: Re: [ossec-list] csf firewall
On Mon, Jan 14, 2013 at 4:22 PM, Chris Warren <[email protected]> wrote:
> Hi all,
> Has anyone set up a decoder for csf firewall logs? They are pretty similar
> to the shorewall logs, but with a few differences. I'm not great with the
> regexes and whatnot, so I haven't been able to decode the "action".
>
> Any help appreciated.
>
> Chris
If you provide samples I can help.
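As an added illustration (not code from this thread or from OSSEC): the Python below models what the decoders and rule 4151 above do, run over constructed csf lines in the same format as the samples. CSF_RE is a PCRE rewrite of the two decoders (OSSEC's own regex dialect differs), FrequencyRule is a simplified sliding-window model of frequency/timeframe/ignore that counts both "Blocked" and "Flood" as matching actions and is not OSSEC's exact counting logic, and the sample addresses are RFC 5737 documentation ranges.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# PCRE equivalent of the thread's two decoders; the named groups are the fields their <order> lists.
CSF_RE = re.compile(r"^(?P<stamp>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ kernel: Firewall: "
                    r"\*\S+ (?P<action>\S+)\* .*?SRC=(?P<srcip>\S+) DST=(?P<dstip>\S+) "
                    r".*?PROTO=(?P<protocol>\w+) (?:SPT=(?P<srcport>\d+) DPT=(?P<dstport>\d+))?")

def decode(line):
    """Decoded fields for a csf 'Firewall:' line, or None if the line is not one."""
    m = CSF_RE.match(line)
    if not m:
        return None
    f = m.groupdict()
    # syslog stamps carry no year; seconds since strptime's default year are enough for deltas
    f["ts"] = (datetime.strptime(f.pop("stamp"), "%b %d %H:%M:%S") - datetime(1900, 1, 1)).total_seconds()
    return f

class FrequencyRule:
    """Simplified model of rule 4151: alert once `frequency` events from one SRC with an action in
    `actions` fall inside `timeframe` seconds, then stay silent for that SRC for `ignore` seconds."""
    def __init__(self, actions=("Blocked", "Flood"), frequency=16, timeframe=45, ignore=240):
        self.actions, self.frequency, self.timeframe, self.ignore = set(actions), frequency, timeframe, ignore
        self.window = defaultdict(deque)  # srcip -> event times still inside the timeframe
        self.last_alert = {}              # srcip -> time of the last alert for that source

    def feed(self, ev):
        # Returns an alert dict when this event completes a burst, else None
        if ev is None or ev["action"] not in self.actions:
            return None
        src, now, q = ev["srcip"], ev["ts"], self.window[ev["srcip"]]
        q.append(now)
        while now - q[0] > self.timeframe:  # drop events that fell out of the timeframe
            q.popleft()
        if len(q) < self.frequency or now - self.last_alert.get(src, float("-inf")) < self.ignore:
            return None
        self.last_alert[src] = now
        return {"srcip": src, "count": len(q), "ts": now}

# Constructed sample lines in the csf format from the post (documentation-range addresses).
LINE = ("Jan 15 19:58:{sec:02d} wc20399 kernel: Firewall: *{kind} {action}* IN=eth0 OUT= "
        "MAC=e8:39:35:4d:d6:2d:00:01:e8:8b:14:e9:08:00 SRC={src} DST=192.0.2.10 LEN=60 TOS=0x00 "
        "PREC=0x20 TTL=40 ID=19542 DF PROTO=TCP SPT={spt} DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0")

def constructed_logs():
    """16 alternating Blocked/Flood hits from 203.0.113.5 within 30 seconds, then 3 from 203.0.113.9."""
    mk = lambda sec, flood, src, spt: LINE.format(sec=sec, kind="Port" if flood else "TCP_IN",
                                                  action="Flood" if flood else "Blocked", src=src, spt=spt)
    return ([mk(2 * i, i % 2, "203.0.113.5", 40000 + i) for i in range(16)]
            + [mk(i, 0, "203.0.113.9", 50000 + i) for i in range(3)])
```

Feeding `decode(line)` for each line of `constructed_logs()` into one `FrequencyRule()` raises a single alert for 203.0.113.5 and none for 203.0.113.9, and a further hit from the first source inside the 240-second ignore window is suppressed.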