Hello, I've been working with Cisco logs recently and had to do a few updates to the OSSEC decoders.
I'm sharing them here in case anyone is interested:

----------------
NOTE: the following decoder complements an already existing "cisco-ios-generic" decoder that extracts the ID only. The following decoder was tested on Cisco switches/routers with SSH authentication.

<!-- Cisco IOS
  - Extracts all possible data from Cisco generic IOS messages.
  - Examples:
  - Mar 26 08:00:06 12.6.2.3 693982: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: TEST] [Source: 192.168.1.1] [localport: 22] [Reason: Login Authentication Failed] at 08:00:06 GMT Tue Mar 26 2013
-->
<decoder name="cisco-ios-generic">
  <parent>cisco-ios</parent>
  <type>firewall</type>
  <regex>^\.+ [user: (\S+)] [Source: (\d+.\d+.\d+.\d+)] </regex>
  <regex>[localport: (\d+)]</regex>
  <order>srcuser,srcip,dstport</order>
</decoder>

------------
NOTE: The decoders below replace the initial "cisco-ios-acl" decoder, as it could not decode srcip and srcport from logs that had VLAN information. Please note that I had to replace the original decoder with the three posted below, as I could not make them work if placed in etc/local_decoders.xml.

----------
Original decoder that was commented out:

<decoder name="cisco-ios-acl">
  <parent>cisco-ios</parent>
  <type>firewall</type>
  <prematch>^%SEC-6-IPACCESSLOGP: </prematch>
  <regex offset="after_prematch">^list \S+ (\w+) (\w+) </regex>
  <regex>(\S+)\((\d+)\) -> (\S+)\((\d+)\),</regex>
  <order>action, protocol, srcip, srcport, dstip, dstport</order>
</decoder>

---------------------------------
<!-- Cisco IOS
  - Will extract the action, srcip, srcport, dstip and dstport
  - Samples:
  - %SEC-6-IPACCESSLOGP: list 102 denied tcp 10.0.6.56(3067) -> 172.36.4.7(139), 1 packet
  - %SEC-6-IPACCESSLOGP: list 199 denied tcp 10.0.61.108(1477) -> 10.0.127.20(445), 1 packet
  - %SEC-6-IPACCESSLOGP: list 102 denied tcp 192.168.3.2(49662) (Vlan1 0111.096d.1111) -> 1.1.1.22(3389), 3 packets
-->
<decoder name="cisco-ios-acl">
  <parent>cisco-ios</parent>
  <type>firewall</type>
  <prematch>^%SEC-6-IPACCESSLOGP: </prematch>
  <regex offset="after_prematch">^list \S+ (\w+) (\w+) </regex>
  <regex>(\S+)\((\d+)\) </regex>
  <order>action,protocol,srcip,srcport</order>
</decoder>

<decoder name="cisco-ios-acl">
  <parent>cisco-ios</parent>
  <type>firewall</type>
  <regex offset="after_regex">^-> (\S+)\((\d+)\),</regex>
  <order>dstip, dstport</order>
</decoder>

<decoder name="cisco-ios-acl">
  <parent>cisco-ios</parent>
  <type>firewall</type>
  <regex offset="after_regex">^\.+ -> (\S+)\((\d+)\),</regex>
  <order>dstip, dstport</order>
</decoder>

Please let me know if I have an error somewhere. Thanks!
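As an added example (not part of the original post, and not OSSEC's own code), the Python script below emulates how OSSEC walks the cisco-ios-acl decoder chain from this post: the prematch, the after_prematch parent regex, and the two after_regex children, tried in order with the first match winning. It runs the chain over the three sample IPACCESSLOGP lines quoted above and also shows that the commented-out single decoder does not match the line carrying VLAN information. The OSSEC-to-Python regex translation is an assumption that covers only the escapes used in these decoders and approximates OSSEC's regex engine; the authoritative check remains ossec-logtest.

```python
import re
from typing import Dict, List, Optional

# Minimal translation of the OSSEC regex dialect to Python's re module.
# Assumption: only the escapes below occur (true for the decoders in the post);
# this approximates OSSEC's os_regex and is not the engine itself.
OSSEC_TO_PY = {
    r"\.": ".",                   # OSSEC "\." matches any character
    r"\w": r"[A-Za-z0-9@_\-]",   # OSSEC \w also includes '-', '@' and '_'
    r"\d": r"\d",
    r"\s": r" ",
    r"\S": r"\S",
    r"\(": r"\(",
    r"\)": r"\)",
}

def ossec_to_python(pattern: str) -> str:
    """Convert an OSSEC decoder regex into an equivalent Python regex."""
    out: List[str] = []
    i = 0
    while i < len(pattern):
        ch = pattern[i]
        if ch == "\\" and i + 1 < len(pattern):
            tok = pattern[i:i + 2]
            if tok not in OSSEC_TO_PY:
                raise ValueError(f"unsupported OSSEC escape {tok!r}")
            out.append(OSSEC_TO_PY[tok])
            i += 2
        elif ch in ".[]{}?":
            out.append("\\" + ch)   # literal in OSSEC, special in Python
            i += 1
        else:
            out.append(ch)          # ^ $ + * | ( ) keep their meaning
            i += 1
    return "".join(out)

# The cisco-ios-acl decoders from the post, as data. OSSEC concatenates
# multiple <regex> elements of one decoder, so the parent has one pattern.
ACL_PARENT = {
    "prematch": r"^%SEC-6-IPACCESSLOGP: ",
    "regex": r"^list \S+ (\w+) (\w+) (\S+)\((\d+)\) ",
    "order": ["action", "protocol", "srcip", "srcport"],
}
ACL_CHILDREN = [   # both use offset="after_regex"; the first match wins
    {"regex": r"^-> (\S+)\((\d+)\),",     "order": ["dstip", "dstport"]},
    {"regex": r"^\.+ -> (\S+)\((\d+)\),", "order": ["dstip", "dstport"]},
]
# The original single-decoder regex that the post comments out.
ORIGINAL_ACL_REGEX = r"^list \S+ (\w+) (\w+) (\S+)\((\d+)\) -> (\S+)\((\d+)\),"

def decode_acl(log: str) -> Optional[Dict[str, str]]:
    """Run the replacement decoder chain over one log line (message part)."""
    pm = re.match(ossec_to_python(ACL_PARENT["prematch"]), log)
    if not pm:
        return None                       # prematch failed: decoder does not apply
    rest = log[pm.end():]                 # offset="after_prematch"
    m = re.match(ossec_to_python(ACL_PARENT["regex"]), rest)
    if not m:
        return None
    fields = dict(zip(ACL_PARENT["order"], m.groups()))
    rest = rest[m.end():]                 # offset="after_regex" for the children
    for child in ACL_CHILDREN:
        cm = re.match(ossec_to_python(child["regex"]), rest)
        if cm:
            fields.update(zip(child["order"], cm.groups()))
            break
    return fields

def original_acl_matches(log: str) -> bool:
    """Whether the commented-out single decoder would have matched this line."""
    pm = re.match(ossec_to_python(ACL_PARENT["prematch"]), log)
    if not pm:
        return False
    return re.match(ossec_to_python(ORIGINAL_ACL_REGEX), log[pm.end():]) is not None

# The three sample lines quoted in the post.
SAMPLE_LOGS = [
    "%SEC-6-IPACCESSLOGP: list 102 denied tcp 10.0.6.56(3067) -> 172.36.4.7(139), 1 packet",
    "%SEC-6-IPACCESSLOGP: list 199 denied tcp 10.0.61.108(1477) -> 10.0.127.20(445), 1 packet",
    "%SEC-6-IPACCESSLOGP: list 102 denied tcp 192.168.3.2(49662) (Vlan1 0111.096d.1111) -> 1.1.1.22(3389), 3 packets",
]

if __name__ == "__main__":
    for line in SAMPLE_LOGS:
        print(f"original decoder matches: {original_acl_matches(line)}")
        print(f"new decoder chain       : {decode_acl(line)}")
```

The split into a parent plus two children is what makes the VLAN line decode: the parent stops right after the srcport, so the text between srcport and "->" (empty on the plain lines, "(Vlan1 ...)" on the VLAN line) is handled by whichever child regex fits, while the original single regex hard-codes " -> " directly after the srcport and cannot match once the VLAN segment is present.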
