On Fri, Mar 8, 2013 at 9:06 AM, Jean-Pierre Zurbrugg
<[email protected]> wrote:
>
>
> On Friday, March 8, 2013 9:39:56 AM UTC-4, dan (ddpbsd) wrote:
>>
>> On Fri, Mar 8, 2013 at 7:07 AM, Jean-Pierre Zurbrugg
>> <[email protected]> wrote:
>
>
>>
>> > The test action was just to confirm OSSEC somehow only works with "DROP"
>> > and nothing else. In our prod environment we use iptables with the following
>> > log suffixes:
>> >
>> > "[UFW: CatchAll]: "
>> > "[UFW: ILEGAL PKT]: "
>> > "[UFW: ChainFilter]: "
>> > "[UFW: SCAN]: "
>> >
>>
>> Do you have a link to the documentation dealing with these actions? I
>> can't quite wrap my head around what they mean.
>> I'm probably just being old. Back in my day firewalls pretty much only
>> passed or rejected packets. :P
>
>
> I don't have any documentation, these are just tags I created to distinguish
> firewall events from the default DROP,REJECT,PASS actions. I posted a few
> decoders on my local_decoder so that I can handle each type of event and
> make a decision on whether or not I should send a notification to my mobile
> (high lvl alert).
>
> From iptables' manual page:
> --log-prefix prefix Prefix log messages with the specified prefix; up to 29
> letters long, and useful for distinguishing messages in the logs.

Thanks. That seems like a very odd way of going about adding this
information IMO. Why would it remove the action performed by the
firewall instead of just adding the information to the end of the
message? Oh well, it's iptables. I don't expect it to make sense. :P

>>
>>
>> >
>> > I'll check src/analysis/alerts/log.c but I have zip experience with that
>> > language. It's taken me a month to get ossec2snorby.pl working and it's
>> > made up of simplistic changes :( but it doesn't hurt to try.
>> >
>>
>> TEST might be more difficult since T is already used, and U seems to
>> be used a lot (every action you posted above starts with U).
>>
> I'm not following, let's forget all about TEST or UFW as actions. Do firewall
> event actions need to be specifically tied to "DROP" or stated in
> /src/analysis/alerts/log.c ? What I'm hoping can be accomplished is the
> ability to match a firewall type rule against a log entry and have it fire'n
> log to alerts.log based on an action I can state with local_rules.xml and
> control with local_decoders.xml.
>

It looks like firewall log messages need to have easily
distinguishable actions: discard, drop, deny, reject, block, Closed,
Teardown, allow, accept, pass/permitted, or open. Without these, it
doesn't look like OSSEC cares anything about the firewall log.
You could add your custom prefixes in there, but that might be
difficult. And it would definitely complicate things at upgrade time.
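As an added illustration (not code from this thread or from OSSEC itself), the Python sketch below mimics the keyword check dan describes: it pulls the --log-prefix text out of constructed netfilter log lines and assigns a verdict only when that prefix carries one of the listed action words, so prefixes in the "[UFW: CatchAll]" style come out unclassified while a prefix that appends DROP or ACCEPT (and still fits the 29-character limit quoted from the man page) does. The sample lines, hostnames and addresses are constructed for the example.

```python
import re

# Action words dan lists as the ones OSSEC's firewall handling keys on (lower-cased for matching).
DENY_WORDS = {"discard", "drop", "deny", "reject", "block", "closed", "teardown"}
ALLOW_WORDS = {"allow", "accept", "pass", "permitted", "open"}
MAX_PREFIX = 29  # --log-prefix limit quoted from the iptables man page

# Pulls the --log-prefix text and a few fields out of a syslog'd netfilter line.
KERNEL_RE = re.compile(
    r"kernel:\s*(?:\[\s*\d+\.\d+\]\s*)?(?P<prefix>.*?)\s*IN=(?P<in>\S*)\s.*?"
    r"SRC=(?P<src>\S+)\s+DST=(?P<dst>\S+).*?PROTO=(?P<proto>\S+)"
)


def action_from_prefix(prefix):
    """Return 'deny', 'allow' or None depending on whether the prefix carries a recognisable action word."""
    words = set(re.findall(r"[a-z]+", prefix.lower()))
    if words & DENY_WORDS:
        return "deny"
    if words & ALLOW_WORDS:
        return "allow"
    return None


def prefix_fits(prefix):
    """True if the prefix stays within the 29-character --log-prefix limit."""
    return len(prefix) <= MAX_PREFIX


def decode(line):
    """Decode one netfilter log line into prefix, action and addressing, or None if it is not one."""
    m = KERNEL_RE.search(line)
    if not m:
        return None
    return {
        "prefix": m.group("prefix"),
        "action": action_from_prefix(m.group("prefix")),
        "src": m.group("src"),
        "dst": m.group("dst"),
        "proto": m.group("proto"),
    }


# Constructed sample lines: the first two use prefixes from the thread, the last two append an action word.
SAMPLE_LINES = [
    "Mar  8 09:06:01 fw kernel: [UFW: CatchAll]: IN=eth0 OUT= MAC= SRC=192.0.2.10 DST=198.51.100.5 LEN=60 PROTO=TCP SPT=51234 DPT=22",
    "Mar  8 09:06:02 fw kernel: [UFW: SCAN]: IN=eth0 OUT= MAC= SRC=192.0.2.10 DST=198.51.100.5 LEN=40 PROTO=TCP SPT=51235 DPT=23",
    "Mar  8 09:06:03 fw kernel: [UFW: CatchAll] DROP: IN=eth0 OUT= MAC= SRC=192.0.2.12 DST=198.51.100.5 LEN=60 PROTO=UDP SPT=5000 DPT=161",
    "Mar  8 09:06:04 fw kernel: [UFW: ChainFilter] ACCEPT: IN=eth0 OUT= MAC= SRC=192.0.2.11 DST=198.51.100.5 LEN=52 PROTO=TCP SPT=40000 DPT=443",
]

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(decode(line))
```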

-- 

--- 
You received this message because you are subscribed to the Google Groups 
"ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to [email protected].
For more options, visit https://groups.google.com/groups/opt_out.

