Ok, looks like this is definitely an error on my side and not a bug since I have not received any replies yet.
Can anyone confirm this is not happening to them on version 2.7? I'll try to set up a VM and test this on a clean 2.7.

On Friday, March 1, 2013 4:44:51 PM UTC-4, Jean-Pierre Zurbrugg wrote:
> Hello,
>
> OSSEC 2.7 in server mode.
>
> I just noticed that OSSEC isn't delimiting the groups for firewall rules at /var/ossec/logs/alerts/alerts.log. I've reviewed my rules and decoders but can't figure out why "firewall" and "multiple_drops" aren't separated by a "," (example below).
>
> I've checked the rest of the logs and they are all correctly delimited:
> ** Alert 1362113102.65145: - pam,syslog,
> ** Alert 1362113389.71102: - windows,
>
> I am also curious to know what "mail" stands for on the log examples below. :D
>
> ============================================================================================================
> RULE THAT TRIGGERED THE LOG:
> <rule id="100011" level="10" frequency="7" timeframe="90" ignore="900">
> <if_matched_sid>4101</if_matched_sid>
> <same_source_ip />
> <description>Multiple Firewall drop events from same source IP.</description>
> <description>This SRCIP will be ignored for the next 15 minutes.</description>
> <group>multiple_drops,</group>
> </rule>
>
> LOG:
> ** Alert 1362110830.8719: mail - firewallmultiple_drops,
> 2013 Mar 01 00:07:10 172.16.1.2->/var/log/remote_syslog/routerX/CatchAll.log
> Rule: 100011 (level 10) -> 'Multiple Firewall drop events from same source IP.'
> Src IP: 1.1.1.1
> Src Port: 36460
> Dst IP: 2.2.2.2
> Dst Port: 1243
> Mar 1 00:07:10 3.3.3.3 %ASA-4-106023: Deny tcp src OUTSIDE:1.1.1.1/36460dst INSIDE: 2.2.2.2/1243 by access-group "OUTSIDE" [0x0, 0x0]
> Mar 1 00:07:10 3.3.3.3 %ASA-4-106023: Deny tcp src OUTSIDE:1.1.1.1/34191dst INSIDE: 2.2.2.2/1243 by access-group "OUTSIDE" [0x0, 0x0]
> Mar 1 00:07:04 3.3.3.3 %ASA-4-106023: Deny tcp src OUTSIDE:1.1.1.1/36460dst INSIDE: 2.2.2.2/1243 by access-group "OUTSIDE" [0x0, 0x0]
> Mar 1 00:07:04 3.3.3.3 %ASA-4-106023: Deny tcp src OUTSIDE:1.1.1.1/34191dst INSIDE: 2.2.2.2/1243 by access-group "OUTSIDE" [0x0, 0x0]
>
> ============================================================================================================
>
> NOTE:
> I searched our archives and found that this used to be correctly delimited back in 2010 (didn't continue searching due to the massive amount of logs):
>
> ** Alert 1276806013.3464908: mail - firewall,multiple_drops,
> 2010 Jun 17 16:20:13 TheServer->/var/log/syslog
> Rule: 4151 (level 10) -> 'Multiple Firewall drop events from same source.'
> Src IP: 1.1.1.1
> User: (none)
> Jun 17 16:20:12 GarbageC kernel: [9056501.812924] [UFW BLOCK] IN=eth1 OUT= MAC=00:26:b9:2a:7c:02:00:1f:f3:8a:f8:a9:08:00 SRC=2.2.2.2 DST=1.1.1.1 LEN=64 TOS=0x00 PREC=0x00 TTL=64 ID=46590 DF PROTO=TCP SPT=57278 DPT=139 WINDOW=65535 RES=0x00 SYN URGP=0
>
> Any suggestions would be greatly appreciated, thanks in advance!
> --
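The practical consequence of a run-together group string like `firewallmultiple_drops,` is that anything keyed on the group name (e-mail filtering, active response, SIEM routing) silently stops matching `firewall`. The following script is an added example, not part of this thread or of OSSEC's own code: it parses the `** Alert` header lines quoted above, splits the comma-terminated group list, and checks every token against the group names declared in a rules fragment, reporting tokens that are two known names concatenated. The alert lines are those quoted in the thread; the rules fragment is constructed for the example, with a hypothetical parent `<group name="firewall,">` around rule 100011 and a hypothetical local rule 100001 supplying the `pam`/`syslog` groups. The optional `mail` token in the header is OSSEC's marker that the alert was flagged for e-mail notification.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample: the alert header lines quoted in the thread, plus the
# two body lines that follow the rule-100011 header there.
SAMPLE_ALERTS = """\
** Alert 1362113102.65145: - pam,syslog,
** Alert 1362113389.71102: - windows,
** Alert 1362110830.8719: mail - firewallmultiple_drops,
2013 Mar 01 00:07:10 172.16.1.2->/var/log/remote_syslog/routerX/CatchAll.log
Rule: 100011 (level 10) -> 'Multiple Firewall drop events from same source IP.'
** Alert 1276806013.3464908: mail - firewall,multiple_drops,
"""

# Constructed rules fragment (not the real firewall_rules.xml): the local rule
# quoted in the thread under a hypothetical parent <group name="firewall,">,
# plus a hypothetical local rule 100001 to supply the pam/syslog groups.
SAMPLE_RULES = """\
<group name="syslog,">
  <rule id="100001" level="3">
    <description>Hypothetical pam rule for the example.</description>
    <group>pam,</group>
  </rule>
</group>
<group name="firewall,">
  <rule id="100011" level="10" frequency="7" timeframe="90" ignore="900">
    <if_matched_sid>4101</if_matched_sid>
    <same_source_ip />
    <description>Multiple Firewall drop events from same source IP.</description>
    <group>multiple_drops,</group>
  </rule>
</group>
"""

# Header shape: "** Alert <epoch>.<offset>:[ mail] - <group,group,...>"
ALERT_HEADER = re.compile(
    r"^\*\* Alert (?P<id>\d+\.\d+):(?: (?P<flag>\S+))? - (?P<groups>\S*)$"
)


def split_groups(value):
    """Split an OSSEC comma-terminated group string into its names."""
    return [g.strip() for g in (value or "").split(",") if g.strip()]


def parse_alert_headers(text):
    """Return one record per '** Alert' header line in an alerts.log dump."""
    records = []
    for line in text.splitlines():
        m = ALERT_HEADER.match(line)
        if m:
            records.append({
                "id": m.group("id"),
                "mail": m.group("flag") == "mail",
                "groups": split_groups(m.group("groups")),
            })
    return records


def known_groups(rules_xml):
    """Collect every group name declared in a rules-file fragment."""
    # Rule files carry several top-level <group> elements, so wrap them.
    root = ET.fromstring("<rules>" + rules_xml + "</rules>")
    vocab = set()
    for el in root.iter("group"):
        vocab.update(split_groups(el.get("name")))  # <group name="firewall,">
        vocab.update(split_groups(el.text))         # <group>multiple_drops,</group>
    return vocab


def explain_merged(token, vocab):
    """If token is two known group names run together, return the pair."""
    for i in range(1, len(token)):
        if token[:i] in vocab and token[i:] in vocab:
            return (token[:i], token[i:])
    return None


def audit_groups(alerts, vocab):
    """Flag group tokens that are absent from the rules vocabulary."""
    findings = []
    for alert in alerts:
        for tok in alert["groups"]:
            if tok not in vocab:
                findings.append({"id": alert["id"], "token": tok,
                                 "merged": explain_merged(tok, vocab)})
    return findings


if __name__ == "__main__":
    found = audit_groups(parse_alert_headers(SAMPLE_ALERTS),
                         known_groups(SAMPLE_RULES))
    for f in found:
        print(f)
```

Run against the quoted lines, the audit reports two unknown tokens: `windows`, which is simply not declared in the constructed fragment (`merged` is `None`), and `firewallmultiple_drops`, which it explains as `firewall` + `multiple_drops`. The 2010 alert with the properly delimited `firewall,multiple_drops,` produces no finding, which is the check to run after changing rules or upgrading to confirm group-based routing still sees the names it expects.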
