On Fri, Jan 25, 2013 at 2:10 PM, dan (ddp) <[email protected]> wrote:
> I'm not seeing this with any of my systems. What syslog daemon are you
> using? If you turn on logall, do you see the "missing" messages in
> archives.log? I don't know what facilities there are on FreeBSD for
> debugging things like this. Any chance there's an strace or ktrace you
> can do and see if you spot an issue?
I have done several checks without luck ... Logs are sent from FreeBSD to the ossec server without problems, but my alerts are not triggered. For example this:

2013/01/28 11:02:02 ossec-testrule: INFO: Reading local decoder file.
2013/01/28 11:02:02 ossec-testrule: INFO: Reading the lists file: 'lists/dshield_list'
2013/01/28 11:02:02 ossec-testrule: INFO: Reading the lists file: 'lists/dragon_list'
2013/01/28 11:02:02 ossec-testrule: INFO: Reading the lists file: 'lists/rbn_host_list'
2013/01/28 11:02:02 ossec-testrule: INFO: Reading the lists file: 'lists/rbn_subnet_list'
2013/01/28 11:02:02 ossec-testrule: INFO: Reading the lists file: 'lists/zeustracker_list'
2013/01/28 11:02:02 ossec-testrule: INFO: Started (pid: 23967).
ossec-testrule: Type one log per line.

Jan 28 11:01:46 172.31.0.2 2013-01-28T12:01:45.572 INET-FW-SRX RT_FLOW - RT_FLOW_SESSION_CLOSE [[email protected] reason="TCP FIN" source-address="10.196.129.26" source-port="59012" destination-address="174.127.127.152" destination-port="80" service-name="junos-http" nat-source-address="212.31.40.37" nat-source-port="56918" nat-destination-address="174.127.127.152" nat-destination-port="80" src-nat-rule-name="r1" dst-nat-rule-name="None" protocol-id="6" policy-name="UTM_trust-to-untrust" source-zone-name="trust" destination-zone-name="untrust" session-id-32="38153" packets-from-client="8" bytes-from-client="337" packets-from-server="8" bytes-from-server="567" elapsed-time="3"]

**Phase 1: Completed pre-decoding.
       full event: 'Jan 28 11:01:46 172.31.0.2 2013-01-28T12:01:45.572 INET-FW-SRX RT_FLOW - RT_FLOW_SESSION_CLOSE [[email protected] reason="TCP FIN" source-address="10.196.129.26" source-port="59012" destination-address="174.127.127.152" destination-port="80" service-name="junos-http" nat-source-address="212.31.40.37" nat-source-port="56918" nat-destination-address="174.127.127.152" nat-destination-port="80" src-nat-rule-name="r1" dst-nat-rule-name="None" protocol-id="6" policy-name="UTM_trust-to-untrust" source-zone-name="trust" destination-zone-name="untrust" session-id-32="38153" packets-from-client="8" bytes-from-client="337" packets-from-server="8" bytes-from-server="567" elapsed-time="3"]'
       hostname: '172.31.0.2'
       program_name: '(null)'
       log: ' 2013-01-28T12:01:45.572 INET-FW-SRX RT_FLOW - RT_FLOW_SESSION_CLOSE [[email protected] reason="TCP FIN" source-address="10.196.129.26" source-port="59012" destination-address="174.127.127.152" destination-port="80" service-name="junos-http" nat-source-address="212.31.40.37" nat-source-port="56918" nat-destination-address="174.127.127.152" nat-destination-port="80" src-nat-rule-name="r1" dst-nat-rule-name="None" protocol-id="6" policy-name="UTM_trust-to-untrust" source-zone-name="trust" destination-zone-name="untrust" session-id-32="38153" packets-from-client="8" bytes-from-client="337" packets-from-server="8" bytes-from-server="567" elapsed-time="3"]'

**Phase 2: Completed decoding.
       decoder: 'custom-juniper-srx'
       action: 'TCP FIN'
       srcip: '10.196.129.26'
       srcport: '59012'
       dstip: '174.127.127.152'
       dstport: '80'
       extra_data: 'junos-http'
       proto: '6'
       extra_data: 'UTM_trust-to-untrust'

**Phase 3: Completed filtering (rules).
       Rule id: '113002'
       Level: '14'
       Description: 'Connection to an IP listed under ZeusTracker Reputation IP lists !!!. Please, review your logs'
**Alert to be generated.

As you can see, my rules work and an alert needs to be generated, but it is not ....
-- --- You received this message because you are subscribed to the Google Groups "ossec-list" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. For more options, visit https://groups.google.com/groups/opt_out.
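The three ossec-testrule phases shown in the post, reproduced as a stand-alone Python script so the line as it arrives in archives.log can be compared field by field with the line typed into ossec-testrule. This is an added example, not OSSEC's code and not the poster's decoder: the syslog-header split, the key="value" field mapping (which follows the decoded output above, including the single extra_data slot that policy-name overwrites) and the CIDR list check are assumptions about how the 'custom-juniper-srx' decoder and the rule 113002 list lookup behave, and the reputation list and the structured-data id placeholder in the sample lines are constructed for the example.

```python
"""Emulate ossec-testrule phases 1-3 for a Juniper SRX RT_FLOW_SESSION_CLOSE line.

Added example (not OSSEC code).  Assumptions: the decoder prematches on
"RT_FLOW_SESSION_", maps SRX fields to OSSEC fields as in the thread's
output, and rule 113002 fires when dstip is in a CIDR reputation list.
"""
import ipaddress
import re
from typing import List, Optional

# Phase 1: "Mon DD HH:MM:SS host rest" syslog header, then an optional
# "program[pid]: " prefix.  The SRX line has no such prefix, which is why
# ossec-testrule printed program_name: '(null)'.
SYSLOG_HDR = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) (?P<host>\S+) (?P<rest>.*)$")
PROGRAM = re.compile(r"^(?P<prog>[^\s:\[]+)(?:\[\d+\])?: (?P<log>.*)$")
KV = re.compile(r'([\w-]+)="([^"]*)"')

# SRX field -> OSSEC field, mirroring the decoded output in the thread.
# OSSEC has one extra_data slot, so policy-name overwrites service-name.
FIELD_MAP = {
    "reason": "action", "source-address": "srcip", "source-port": "srcport",
    "destination-address": "dstip", "destination-port": "dstport",
    "service-name": "extra_data", "protocol-id": "proto",
    "policy-name": "extra_data",
}

# Constructed sample events.  "junos-sd-id" stands in for the structured-data
# id, which was mangled in the thread; the second line shows what the same
# event looks like if a syslog daemon supplies a "RT_FLOW:" program prefix.
SAMPLE_EVENT = (
    'Jan 28 11:01:46 172.31.0.2 2013-01-28T12:01:45.572 INET-FW-SRX RT_FLOW - '
    'RT_FLOW_SESSION_CLOSE [junos-sd-id reason="TCP FIN" source-address="10.196.129.26" '
    'source-port="59012" destination-address="174.127.127.152" destination-port="80" '
    'service-name="junos-http" nat-source-address="212.31.40.37" nat-source-port="56918" '
    'nat-destination-address="174.127.127.152" nat-destination-port="80" '
    'src-nat-rule-name="r1" dst-nat-rule-name="None" protocol-id="6" '
    'policy-name="UTM_trust-to-untrust" source-zone-name="trust" '
    'destination-zone-name="untrust" session-id-32="38153" elapsed-time="3"]')
SAMPLE_WITH_PROGRAM = SAMPLE_EVENT.replace(
    "2013-01-28T12:01:45.572 INET-FW-SRX RT_FLOW - ", "RT_FLOW: ")

# Constructed list in the key:value form OSSEC list source files use; the /24
# is made up so that the sample destination address hits.
REPUTATION_LIST = "174.127.127.0/24:zeustracker\n203.0.113.7:zeustracker\n"


def predecode(line: str) -> dict:
    """Phase 1: split the syslog header off and extract hostname/program_name."""
    m = SYSLOG_HDR.match(line)
    if not m:
        return {"hostname": None, "program_name": None, "log": line}
    p = PROGRAM.match(m.group("rest"))
    if p:
        return {"hostname": m.group("host"), "program_name": p.group("prog"),
                "log": p.group("log")}
    return {"hostname": m.group("host"), "program_name": None, "log": m.group("rest")}


def decode_srx(log: str) -> Optional[dict]:
    """Phase 2: emulate the custom-juniper-srx decoder on the message body."""
    if "RT_FLOW_SESSION_" not in log:          # assumed prematch
        return None
    fields = {"decoder": "custom-juniper-srx"}
    for key, value in KV.findall(log):
        if key in FIELD_MAP:
            fields[FIELD_MAP[key]] = value     # later keys overwrite earlier ones
    return fields


def load_list(text: str) -> List[ipaddress.IPv4Network]:
    """Parse key:value list lines into networks (a bare IP becomes a /32)."""
    nets = []
    for line in text.splitlines():
        key = line.split(":", 1)[0].strip()
        if key:
            nets.append(ipaddress.ip_network(key, strict=False))
    return nets


def ip_in_list(ip: str, nets: List[ipaddress.IPv4Network]) -> bool:
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in n for n in nets)


def evaluate(line: str, nets: List[ipaddress.IPv4Network]) -> Optional[dict]:
    """Phase 3: rule 113002 (level 14) fires when the decoded dstip is listed."""
    fields = decode_srx(predecode(line)["log"])
    if not fields or not ip_in_list(fields.get("dstip", ""), nets):
        return None
    return {"rule_id": "113002", "level": 14,
            "srcip": fields.get("srcip"), "dstip": fields["dstip"]}


if __name__ == "__main__":
    nets = load_list(REPUTATION_LIST)
    for ev in (SAMPLE_EVENT, SAMPLE_WITH_PROGRAM):
        print(predecode(ev)["program_name"], evaluate(ev, nets))
```

Feed it the exact line from archives.log (logall on) and the line you pasted into ossec-testrule; if the pre-decoded hostname, program_name or log differ between the two, that is where the real decoder and the test run diverge.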
