On Tue, Mar 5, 2013 at 7:16 AM, Jean-Pierre Zurbrugg <[email protected]> wrote:
> Ok, looks like this is definitely an error on my side and not a bug since I have not received any replies yet.
>
That's all it takes to make it not a bug? I don't know why no one else has responded, but I don't use OSSEC to monitor firewall logs and I've been on travel.

> Can anyone confirm this is not happening to them on version 2.7? I'll try to set up a VM and test this on a clean 2.7.
>

It doesn't even show up as a firewall event for me (2.7+):

** Alert 1362525041.24487: mail - local,syslog,multiple_drops,
2013 Mar 05 18:10:41 3.3.3.3->/var/log/test.log
Rule: 100011 (level 10) -> 'Multiple Firewall drop events from same source IP. This SRCIP will be ignored for the next 15 minutes.'
Src IP: 1.1.1.1
Src Port: 34191
Dst IP: 2.2.2.2
Dst Port: 1243
Mar 1 00:07:39 3.3.3.3 %ASA-4-106023: Deny tcp src OUTSIDE:1.1.1.1/34191 dst INSIDE:2.2.2.2/1243 by access-group "OUTSIDE" [0x0, 0x0]
Mar 1 00:07:38 3.3.3.3 %ASA-4-106023: Deny tcp src OUTSIDE:1.1.1.1/34191 dst INSIDE:2.2.2.2/1243 by access-group "OUTSIDE" [0x0, 0x0]
Mar 1 00:07:37 3.3.3.3 %ASA-4-106023: Deny tcp src OUTSIDE:1.1.1.1/34191 dst INSIDE:2.2.2.2/1243 by access-group "OUTSIDE" [0x0, 0x0]
Mar 1 00:07:36 3.3.3.3 %ASA-4-106023: Deny tcp src OUTSIDE:1.1.1.1/34191 dst INSIDE:2.2.2.2/1243 by access-group "OUTSIDE" [0x0, 0x0]
Mar 1 00:07:35 3.3.3.3 %ASA-4-106023: Deny tcp src OUTSIDE:1.1.1.1/34191 dst INSIDE:2.2.2.2/1243 by access-group "OUTSIDE" [0x0, 0x0]
Mar 1 00:07:34 3.3.3.3 %ASA-4-106023: Deny tcp src OUTSIDE:1.1.1.1/34191 dst INSIDE:2.2.2.2/1243 by access-group "OUTSIDE" [0x0, 0x0]
Mar 1 00:07:24 3.3.3.3 %ASA-4-106023: Deny tcp src OUTSIDE:1.1.1.1/36460 dst INSIDE:2.2.2.2/1243 by access-group "OUTSIDE" [0x0, 0x0]
Mar 1 00:07:11 3.3.3.3 %ASA-4-106023: Deny tcp src OUTSIDE:1.1.1.1/34191 dst INSIDE:2.2.2.2/1243 by access-group "OUTSIDE" [0x0, 0x0]
Mar 1 00:07:10 3.3.3.3 %ASA-4-106023: Deny tcp src OUTSIDE:1.1.1.1/36460 dst INSIDE:2.2.2.2/1243 by access-group "OUTSIDE" [0x0, 0x0]

Make sure any "<group>firewall,</group>" in /var/ossec/rules/*_rules.xml actually have the comma.
>
> On Friday, March 1, 2013 4:44:51 PM UTC-4, Jean-Pierre Zurbrugg wrote:
>>
>> Hello,
>>
>> OSSEC 2.7 in server mode.
>>
>> I just noticed that OSSEC isn't delimiting the groups for firewall rules at /var/ossec/logs/alerts/alerts.log. I've reviewed my rules and decoders but can't figure out why "firewall" and "multiple_drops" aren't separated by a "," (example below).
>>
>> I've checked the rest of the logs and they are all correctly delimited:
>> ** Alert 1362113102.65145: - pam,syslog,
>> ** Alert 1362113389.71102: - windows,
>>
>> I am also curious to know what "mail" stands for on the log examples below. :D
>>
>> ============================================================================================================
>> RULE THAT TRIGGERED THE LOG:
>> <rule id="100011" level="10" frequency="7" timeframe="90" ignore="900">
>>   <if_matched_sid>4101</if_matched_sid>
>>   <same_source_ip />
>>   <description>Multiple Firewall drop events from same source IP.</description>
>>   <description>This SRCIP will be ignored for the next 15 minutes.</description>
>>   <group>multiple_drops,</group>
>> </rule>
>>
>> LOG:
>> ** Alert 1362110830.8719: mail - firewallmultiple_drops,
>> 2013 Mar 01 00:07:10 172.16.1.2->/var/log/remote_syslog/routerX/CatchAll.log
>> Rule: 100011 (level 10) -> 'Multiple Firewall drop events from same source IP.'
>> Src IP: 1.1.1.1
>> Src Port: 36460
>> Dst IP: 2.2.2.2
>> Dst Port: 1243
>> Mar 1 00:07:10 3.3.3.3 %ASA-4-106023: Deny tcp src OUTSIDE:1.1.1.1/36460 dst INSIDE:2.2.2.2/1243 by access-group "OUTSIDE" [0x0, 0x0]
>> Mar 1 00:07:10 3.3.3.3 %ASA-4-106023: Deny tcp src OUTSIDE:1.1.1.1/34191 dst INSIDE:2.2.2.2/1243 by access-group "OUTSIDE" [0x0, 0x0]
>> Mar 1 00:07:04 3.3.3.3 %ASA-4-106023: Deny tcp src OUTSIDE:1.1.1.1/36460 dst INSIDE:2.2.2.2/1243 by access-group "OUTSIDE" [0x0, 0x0]
>> Mar 1 00:07:04 3.3.3.3 %ASA-4-106023: Deny tcp src OUTSIDE:1.1.1.1/34191 dst INSIDE:2.2.2.2/1243 by access-group "OUTSIDE" [0x0, 0x0]
>>
>> ============================================================================================================
>>
>> NOTE:
>> I searched our archives and found that this used to be correctly delimited back in 2010 (didn't continue searching due to the massive amount of logs):
>>
>> ** Alert 1276806013.3464908: mail - firewall,multiple_drops,
>> 2010 Jun 17 16:20:13 TheServer->/var/log/syslog
>> Rule: 4151 (level 10) -> 'Multiple Firewall drop events from same source.'
>> Src IP: 1.1.1.1
>> User: (none)
>> Jun 17 16:20:12 GarbageC kernel: [9056501.812924] [UFW BLOCK] IN=eth1 OUT= MAC=00:26:b9:2a:7c:02:00:1f:f3:8a:f8:a9:08:00 SRC=2.2.2.2 DST=1.1.1.1 LEN=64 TOS=0x00 PREC=0x00 TTL=64 ID=46590 DF PROTO=TCP SPT=57278 DPT=139 WINDOW=65535 RES=0x00 SYN URGP=0
>>
>> Any suggestions would be greatly appreciated, thanks in advance!
>
> --
>
> ---
> You received this message because you are subscribed to the Google Groups "ossec-list" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
> For more options, visit https://groups.google.com/groups/opt_out.
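Added example (not from the thread or the OSSEC project) of the check the reply suggests: a small Python linter over /var/ossec/rules/*_rules.xml that flags every <group> value without the trailing comma, plus a model of the plain concatenation that turns "firewall" + "multiple_drops," into the "firewallmultiple_drops," header shown above. The concatenation model, the synthetic XML root and the default file pattern are assumptions; the sample rules text is constructed.

```python
"""Lint OSSEC rule files for <group> values missing the trailing comma (added
example, not OSSEC's own code; the concatenation model is an assumption)."""
import glob
import sys
import xml.etree.ElementTree as ET

# Constructed sample: the container group is missing its trailing comma.
SAMPLE_RULES = """<group name="syslog,firewall">
  <rule id="100011" level="10" frequency="7" timeframe="90" ignore="900">
    <if_matched_sid>4101</if_matched_sid>
    <same_source_ip />
    <description>Multiple Firewall drop events from same source IP.</description>
    <group>multiple_drops,</group>
  </rule>
</group>
"""

def alert_group_string(container_name, rule_group):
    """Assumed model: container name and rule group are plainly concatenated."""
    return container_name + rule_group

def find_unterminated_groups(xml_text):
    """Return (location, value) for each group value that does not end in ','."""
    # Rule files may hold several top-level <group> blocks: wrap in a synthetic root.
    root = ET.fromstring("<ossec_rules>" + xml_text + "</ossec_rules>")
    problems = []
    for rule in root.iter("rule"):  # per-rule <group>...</group>
        for grp in rule.findall("group"):
            value = (grp.text or "").strip()
            if value and not value.endswith(","):
                problems.append(("rule %s" % rule.get("id"), value))
    for grp in root.iter("group"):  # container <group name="...">
        value = grp.get("name", "").strip()
        if value and not value.endswith(","):
            problems.append(("group container", value))
    return problems

def lint_rule_files(pattern="/var/ossec/rules/*_rules.xml"):
    findings = {}  # path -> problems, clean files omitted
    for path in sorted(glob.glob(pattern)):
        with open(path, encoding="utf-8", errors="replace") as fh:
            problems = find_unterminated_groups(fh.read())
        if problems:
            findings[path] = problems
    return findings

if __name__ == "__main__":  # usage: python lint_groups.py [glob]
    for path, problems in lint_rule_files(*sys.argv[1:2]).items():
        for where, value in problems:
            print("%s: %s: %r lacks trailing comma" % (path, where, value))
```

Run it against the rules directory after editing a rules file; a container group such as the constructed "syslog,firewall" is the usual culprit, since every rule under it inherits the missing comma.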
