On Fri, Jan 25, 2013 at 2:10 PM, dan (ddp) <[email protected]> wrote:
> I'm not seeing this with any of my systems. What syslog daemon are you
> using? If you turn on logall, do you see the "missing" messages in
> archives.log?  I don't know what facilities there are on FreeBSD for
> debugging things like this. Any chance there's an strace or ktrace you
> can do and see if you spot an issue?
>

I have done several checks without luck ... Logs are sent from
FreeBSD to the ossec server without problems, but my alerts are not
triggered. For example this:

2013/01/28 11:02:02 ossec-testrule: INFO: Reading local decoder file.
2013/01/28 11:02:02 ossec-testrule: INFO: Reading the lists file:
'lists/dshield_list'
2013/01/28 11:02:02 ossec-testrule: INFO: Reading the lists file:
'lists/dragon_list'
2013/01/28 11:02:02 ossec-testrule: INFO: Reading the lists file:
'lists/rbn_host_list'
2013/01/28 11:02:02 ossec-testrule: INFO: Reading the lists file:
'lists/rbn_subnet_list'
2013/01/28 11:02:02 ossec-testrule: INFO: Reading the lists file:
'lists/zeustracker_list'
2013/01/28 11:02:02 ossec-testrule: INFO: Started (pid: 23967).
ossec-testrule: Type one log per line.

Jan 28 11:01:46 172.31.0.2  2013-01-28T12:01:45.572 INET-FW-SRX
RT_FLOW - RT_FLOW_SESSION_CLOSE [[email protected] reason="TCP
FIN" source-address="10.196.129.26" source-port="59012"
destination-address="174.127.127.152" destination-port="80"
service-name="junos-http" nat-source-address="212.31.40.37"
nat-source-port="56918" nat-destination-address="174.127.127.152"
nat-destination-port="80" src-nat-rule-name="r1"
dst-nat-rule-name="None" protocol-id="6"
policy-name="UTM_trust-to-untrust" source-zone-name="trust"
destination-zone-name="untrust" session-id-32="38153"
packets-from-client="8" bytes-from-client="337"
packets-from-server="8" bytes-from-server="567" elapsed-time="3"]


**Phase 1: Completed pre-decoding.
       full event: 'Jan 28 11:01:46 172.31.0.2
2013-01-28T12:01:45.572 INET-FW-SRX RT_FLOW - RT_FLOW_SESSION_CLOSE
[[email protected] reason="TCP FIN" source-address="10.196.129.26"
source-port="59012" destination-address="174.127.127.152"
destination-port="80" service-name="junos-http"
nat-source-address="212.31.40.37" nat-source-port="56918"
nat-destination-address="174.127.127.152" nat-destination-port="80"
src-nat-rule-name="r1" dst-nat-rule-name="None" protocol-id="6"
policy-name="UTM_trust-to-untrust" source-zone-name="trust"
destination-zone-name="untrust" session-id-32="38153"
packets-from-client="8" bytes-from-client="337"
packets-from-server="8" bytes-from-server="567" elapsed-time="3"]'
       hostname: '172.31.0.2'
       program_name: '(null)'
       log: ' 2013-01-28T12:01:45.572 INET-FW-SRX RT_FLOW -
RT_FLOW_SESSION_CLOSE [[email protected] reason="TCP FIN"
source-address="10.196.129.26" source-port="59012"
destination-address="174.127.127.152" destination-port="80"
service-name="junos-http" nat-source-address="212.31.40.37"
nat-source-port="56918" nat-destination-address="174.127.127.152"
nat-destination-port="80" src-nat-rule-name="r1"
dst-nat-rule-name="None" protocol-id="6"
policy-name="UTM_trust-to-untrust" source-zone-name="trust"
destination-zone-name="untrust" session-id-32="38153"
packets-from-client="8" bytes-from-client="337"
packets-from-server="8" bytes-from-server="567" elapsed-time="3"]'

**Phase 2: Completed decoding.
       decoder: 'custom-juniper-srx'
       action: 'TCP FIN'
       srcip: '10.196.129.26'
       srcport: '59012'
       dstip: '174.127.127.152'
       dstport: '80'
       extra_data: 'junos-http'
       proto: '6'
       extra_data: 'UTM_trust-to-untrust'

**Phase 3: Completed filtering (rules).
       Rule id: '113002'
       Level: '14'
       Description: 'Connection to an IP listed under ZeusTracker
Reputation IP lists !!!. Please, review your logs'
**Alert to be generated.

As you can see, my rules work and an alert needs to be generated, but it is not ....
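As an added example (not part of this thread and not OSSEC's own code), the script below reproduces the three ossec-testrule phases shown above on the same RT_FLOW_SESSION_CLOSE event: pre-decoding splits the syslog header from the log body, decoding pulls the key="value" fields that the `custom-juniper-srx` decoder reported (action, srcip, srcport, dstip, dstport, proto), and a stand-in for rule 113002 checks dstip against a reputation list. The contents of `lists/zeustracker_list` are not shown in the thread, so the list entries, the field mapping and the rule description are assumptions made so the match can be exercised offline.

```python
import re
from ipaddress import ip_address, ip_network

# Constructed sample: the RT_FLOW_SESSION_CLOSE event from the thread, as one line.
SAMPLE_EVENT = (
    'Jan 28 11:01:46 172.31.0.2  2013-01-28T12:01:45.572 INET-FW-SRX '
    'RT_FLOW - RT_FLOW_SESSION_CLOSE [[email protected] reason="TCP FIN" '
    'source-address="10.196.129.26" source-port="59012" '
    'destination-address="174.127.127.152" destination-port="80" '
    'service-name="junos-http" nat-source-address="212.31.40.37" '
    'nat-source-port="56918" nat-destination-address="174.127.127.152" '
    'nat-destination-port="80" src-nat-rule-name="r1" dst-nat-rule-name="None" '
    'protocol-id="6" policy-name="UTM_trust-to-untrust" source-zone-name="trust" '
    'destination-zone-name="untrust" session-id-32="38153" '
    'packets-from-client="8" bytes-from-client="337" packets-from-server="8" '
    'bytes-from-server="567" elapsed-time="3"]'
)

# Hypothetical stand-in for 'lists/zeustracker_list': the thread does not show the
# real list, so these entries are assumed so that the rule fires on the sample.
ZEUSTRACKER_LIST = {"174.127.127.152", "203.0.113.0/24"}

# key="value" pairs inside the structured-data block of the SRX message.
KV_RE = re.compile(r'([\w-]+)="([^"]*)"')

# Assumed mapping from SRX key names to the decoder field names seen in Phase 2.
FIELD_MAP = {
    "reason": "action",
    "source-address": "srcip",
    "source-port": "srcport",
    "destination-address": "dstip",
    "destination-port": "dstport",
    "protocol-id": "proto",
}


def predecode(event):
    """Phase 1: split the syslog timestamp and hostname from the log body."""
    m = re.match(r'^(\w{3} +\d+ \d\d:\d\d:\d\d) (\S+) (.*)$', event)
    if not m:
        return None
    return {"timestamp": m.group(1), "hostname": m.group(2), "log": m.group(3)}


def decode(pre):
    """Phase 2: extract the mapped fields from an RT_FLOW_SESSION_CLOSE body."""
    if pre is None or "RT_FLOW_SESSION_CLOSE" not in pre["log"]:
        return None
    fields = {}
    for key, value in KV_RE.findall(pre["log"]):
        if key in FIELD_MAP:
            fields[FIELD_MAP[key]] = value
    return fields


def in_list(ip, entries):
    """Match an IP against a set of single addresses and CIDR ranges."""
    addr = ip_address(ip)
    for entry in entries:
        if "/" in entry:
            if addr in ip_network(entry, strict=False):
                return True
        elif addr == ip_address(entry):
            return True
    return False


def apply_rules(fields):
    """Phase 3: stand-in for rule 113002 (dstip listed on the ZeusTracker list)."""
    if fields and "dstip" in fields and in_list(fields["dstip"], ZEUSTRACKER_LIST):
        return {
            "rule_id": "113002",
            "level": 14,
            "description": "Connection to an IP listed under ZeusTracker "
                           "Reputation IP lists !!!. Please, review your logs",
        }
    return None


def run(event):
    """Run all three phases; returns (decoded_fields, matched_rule_or_None)."""
    fields = decode(predecode(event))
    return fields, apply_rules(fields)


if __name__ == "__main__":
    decoded, alert = run(SAMPLE_EVENT)
    for name, value in decoded.items():
        print(f"       {name}: '{value}'")
    print("**Alert to be generated." if alert else "**No alert.")
```

Running it on the sample prints the same decoded fields as Phase 2 and reports that an alert would be generated, which is the point of the comparison: if this offline path and ossec-testrule both match, the missing alert in production is downstream of decoding and rule matching (for example in how the live syslog messages reach analysisd), which is what the logall/archives.log check suggested earlier in the thread is meant to isolate.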
