On Thu, Mar 7, 2013 at 7:38 AM, Jean-Pierre Zurbrugg <[email protected]> wrote:
> Hello Jb,
>
> Yeah, I have noticed too; it initially led me to believe the comma was more
> of a good practice than a requirement, but I removed it from
> rules/firewall_rules.xml, commented out the no_log option on rule 4101, and
> confirmed that the comma was indeed needed.
>
> Anyways, I've stumbled upon another issue that I hope isn't me screwing up
> again. I've been trying to make some firewall rules work ever since I
> started this thread and couldn't get the alerts to show up in
> /var/ossec/logs/alerts/alerts.log. ossec-logtest would report everything
> triggered correctly, but no alerts were being sent to the alerts.log file.
>
> It all points to the same firewall rule, 4101 inside
> rules/firewall_rules.xml.
>
> Steps to recreate my issue:
> 1. Edit rules/firewall_rules.xml on your lab environment. Comment out
> "<options>no_log</options>".

That's a bad way to go about it. I tested this by recreating the rule in
local_rules.xml and adding the overwrite option.

> 2. Save, restart OSSEC and send the following log to /var/log/messages or
> syslog:
>
> Mar 6 16:17:47 ubuntu kernel: [546741.275556] DROP IN=eth1 OUT=
> MAC=00:00:20:57:10:41:08:00:f3:0b:80:40:00:00 SRC=1.1.1.1 DST=2.2.2.2 LEN=48
> TOS=0x00 PREC=0x00 TTL=127 ID=11702 DF PROTO=TCP SPT=16966 DPT=80
> WINDOW=8192 RES=0x00 SYN URGP=0
>
> 3. Confirm you get the firewall log at /var/ossec/logs/alerts/alerts.
> ...all good so far.
> 4. Update rule 4101 inside rules/firewall_rules.xml again, this time remove
> "DROP" and type in "TEST". OSSEC's iptables decoder will still tag TEST as
> an action.
> 5. Send out this log:
>
> Mar 6 16:17:47 ubuntu kernel: [546741.275556] TEST IN=eth1 OUT=
> MAC=00:00:20:57:10:41:08:00:f3:0b:80:40:00:00 SRC=1.1.1.1 DST=2.2.2.2 LEN=48
> TOS=0x00 PREC=0x00 TTL=127 ID=11702 DF PROTO=TCP SPT=16966 DPT=80
> WINDOW=8192 RES=0x00 SYN URGP=0
>
> 6. Notice how no logs are sent to /var/ossec/alerts/alerts.log.
> *** /var/ossec/logs/firewall/firewall.log gets populated with a new entry:
> 2013 Mar 07 08:17:59 ubuntu->/var/log/messages CLOSED TCP
> 1.1.1.1:16966->2.2.2.2:80
> END.

I see the same thing, no idea why. Instead of breaking rule 4101 I created a
new rule looking for TEST. It's possible there's something in the firewall
code path making this happen. Before I consider digging into it, what's the
real-world application of the TEST action? Is it worth caring about? (I'd
suspect you'd need to mess with src/analysis/alerts/log.c, specifically the
case after "/* Setting the actions */".)

> Tested on version 2.7 (server mode) under Ubuntu 10.04.3 LTS. No
> local_decoders and no local_rules (dummy rule inside).
>
>
> Thanks in advance,
>
> --
>
> ---
> You received this message because you are subscribed to the Google Groups
> "ossec-list" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to [email protected].
> For more options, visit https://groups.google.com/groups/opt_out.
