Hello,

OSSEC 2.7 in server mode.

I just noticed that OSSEC isn't delimiting the groups for firewall rules 
at /var/ossec/logs/alerts/alerts.log. I've reviewed my rules and decoders 
but can't figure out why "firewall" and "multiple_drops"
aren't separated by a "," (example below).

I've checked the rest of the logs and they are all correctly delimited:
** Alert 1362113102.65145: - pam,syslog,
** Alert 1362113389.71102: - windows,

I am also curious to know what "mail" stands for in the log examples 
below. :D

============================================================================================================
RULE THAT TRIGGERED THE LOG:
  <rule id="100011" level="10" frequency="7" timeframe="90" ignore="900">
    <if_matched_sid>4101</if_matched_sid>
    <same_source_ip />
    <description>Multiple Firewall drop events from same source IP.</description>
    <description>This SRCIP will be ignored for the next 15 minutes.</description>
    <group>multiple_drops,</group>
  </rule>


LOG:
** Alert 1362110830.8719: mail  - firewallmultiple_drops,
2013 Mar 01 00:07:10 172.16.1.2->/var/log/remote_syslog/routerX/CatchAll.log
Rule: 100011 (level 10) -> 'Multiple Firewall drop events from same source 
IP.'
Src IP: 1.1.1.1
Src Port: 36460
Dst IP: 2.2.2.2
Dst Port: 1243
Mar  1 00:07:10 3.3.3.3 %ASA-4-106023: Deny tcp src OUTSIDE:1.1.1.1/36460 
dst INSIDE:2.2.2.2/1243 by access-group "OUTSIDE" [0x0, 0x0]
Mar  1 00:07:10 3.3.3.3 %ASA-4-106023: Deny tcp src OUTSIDE:1.1.1.1/34191 
dst INSIDE:2.2.2.2/1243 by access-group "OUTSIDE" [0x0, 0x0]
Mar  1 00:07:04 3.3.3.3 %ASA-4-106023: Deny tcp src OUTSIDE:1.1.1.1/36460 
dst INSIDE:2.2.2.2/1243 by access-group "OUTSIDE" [0x0, 0x0]
Mar  1 00:07:04 3.3.3.3 %ASA-4-106023: Deny tcp src OUTSIDE:1.1.1.1/34191 
dst INSIDE:2.2.2.2/1243 by access-group "OUTSIDE" [0x0, 0x0]
============================================================================================================

NOTE:
I searched our archives and found that this used to be correctly delimited 
back in 2010 (I didn't continue searching due to the massive amount of logs):

** Alert 1276806013.3464908: mail  - firewall,multiple_drops,
2010 Jun 17 16:20:13 TheServer->/var/log/syslog
Rule: 4151 (level 10) -> 'Multiple Firewall drop events from same source.'
Src IP: 1.1.1.1
User: (none)
Jun 17 16:20:12 GarbageC kernel: [9056501.812924] [UFW BLOCK] IN=eth1 OUT= 
MAC=00:26:b9:2a:7c:02:00:1f:f3:8a:f8:a9:08:00 SRC=2.2.2.2 DST=1.1.1.1 
LEN=64 TOS=0x00 PREC=0x00 TTL=64 ID=46590 DF PROTO=TCP SPT=57278 DPT=139 
WINDOW=65535 RES=0x00 SYN URGP=0

Any suggestions would be greatly appreciated, thanks in advance!

-- 
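The alert header lines quoted in this thread can be checked mechanically for the missing delimiter. What follows is an added example, not code from the post or from OSSEC itself: it parses the `** Alert` header line of alerts.log, reads the `mail` flag, splits the trailing group list on commas, and reports any token (such as `firewallmultiple_drops`) that is really two or more known group names run together. The sample lines and the `KNOWN_GROUPS` set are constructed from the examples in the post.

```python
import re
# Constructed sample header lines in the shape shown in the post.
SAMPLE_HEADERS = [
    "** Alert 1362113102.65145: - pam,syslog,",
    "** Alert 1362110830.8719: mail  - firewallmultiple_drops,",
    "** Alert 1276806013.3464908: mail  - firewall,multiple_drops,",
]
# Group names expected in these alerts (assumed list, built from the post).
KNOWN_GROUPS = {"firewall", "multiple_drops", "pam", "syslog", "windows"}
# Header shape: "** Alert <epoch>.<counter>: [mail]  - <group>,<group>,"
HEADER_RE = re.compile(r"^\*\* Alert (?P<ts>\d+)\.(?P<id>\d+): (?P<flags>.*?)\s*- (?P<groups>.*)$")

def parse_header(line):
    """Parse one alerts.log header line into its fields; None if not a header."""
    m = HEADER_RE.match(line)
    if not m:
        return None
    return {
        "timestamp": int(m.group("ts")),
        "id": int(m.group("id")),
        # "mail" is the flag OSSEC writes when the alert was also sent by e-mail.
        "mail": "mail" in m.group("flags").split(),
        "groups": [g for g in m.group("groups").split(",") if g],
    }

def split_glued(token, known=KNOWN_GROUPS):
    """Split 'firewallmultiple_drops' into known group names; None if it is
    not a concatenation of them."""
    if token in known:
        return [token]
    for name in known:
        if token.startswith(name) and len(name) < len(token):
            rest = split_glued(token[len(name):], known)
            if rest:
                return [name] + rest
    return None

def find_glued_groups(lines):
    """Return (token, parts) for each group token that is really two or more
    known groups written without the ',' delimiter between them."""
    findings = []
    for line in lines:
        parsed = parse_header(line)
        if parsed is None:
            continue
        for tok in parsed["groups"]:
            parts = split_glued(tok)
            if parts and len(parts) > 1:
                findings.append((tok, parts))
    return findings
```

Running `find_glued_groups` over a whole alerts.log (only header lines match, the rest are skipped) gives a quick count of how many alerts, and from which rules, are affected.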
