Hi all,

I'm experiencing the same issue when trying to set up OSSEC monitoring for a 
Juniper Netscreen SSG-320M.
A failed web user login is hitting rule 1002; info from archives.log is 
provided below:

014 Apr 02 23:59:59 #ossec-hostname# -> #FW_IP# #FW_hostname#: NetScreen 
device_id=#FW_hostname#  [Root]system-warning-00518: Admin user 
"#username#" login attempt for Web(https) management (port 47873) from 
#client_IP#:54031 failed. (2014-04-02 23:59:59)

Any help appreciated!

Regards,
Daniel

On Thursday, August 16, 2012 2:52:42 PM UTC+2, dan (ddpbsd) wrote:
>
> On Thu, Aug 16, 2012 at 6:48 AM, oorhan <[email protected]> wrote: 
> > hi Dan, 
> > 
> > Thank you for your reply. 
> > 
> > The original netscreen log message has a timestamp. The log is taken from 
> > another syslog server. 
> > 
>
>
> According to your alert.log entry the log message does not have a 
> timestamp. 
>
> An example of an alert.log entry complete with a timestamp: 
> ** Alert 1336394319.2684: - syslog,sudo 
> 2012 May 07 08:38:39 arrakis->/var/log/secure 
> Rule: 5402 (level 3) -> 'Successful sudo to ROOT executed' 
> User: ddp 
> 2012-05-07T08:38:38.338172-04:00 arrakis sudo:      ddp : TTY=ttyp1 ; 
> PWD=/home/ddp ; USER=root ; COMMAND=/sbin/ifconfig em0 down 
>
>
> You can enable the logall option to make sure though. 
>
> Looking at the sample you gave me though (the one in alerts.log since 
> I don't trust the other one), I can see why it isn't decoded as a 
> netscreen entry.  The decoder thinks the first parts of the log will 
> be "NetScreen device_id." In your sample it starts with: "SSG350M: 
> NetScreen device_id." So find out why the SSG350M is showing up 
> instead of a timestamp and you should be golden. 
>
> Otherwise if the log sample you provided is incorrect, post a sample 
> from the archives.log so we can try and track this down. 
>
>
> > 
> > " 
> > 
> > Aug 15 10:30:14 136.10.247.130 SSG350M: NetScreen device_id=Juniper111 
> > [Root]system-warning-00518: Admin user "userid" login attempt for Web(http) 
> > management (port 20480) from 1.1.1.1:22560 failed. (2012-08-15 11:33:36) 
> > 
> > " 
> > 
> > Log message on your test was a part of alert.log. 
> > 
> > Here are my logtest results, but we are still unable to decode it. Any 
> > idea? 
> > 
> > 
> > Aug 15 10:30:14 136.10.247.130 SSG350M: NetScreen device_id=Juniper111 
> > [Root]system-warning-00518: Admin user "userid" login attempt for Web(http) 
> > management (port 20480) from 1.1.1.1:22560 failed. (2012-08-15 11:33:36) 
> > 
> > 
> > **Phase 1: Completed pre-decoding. 
> >        full event: 'Aug 15 10:30:14 136.10.247.130 SSG350M: NetScreen 
> > device_id=Juniper111  [Root]system-warning-00518: Admin user "userid" login 
> > attempt for Web(http) management (port 20480) from 1.1.1.1:22560failed. 
> > (2012-08-15 11:33:36)' 
> >        hostname: '136.10.247.130' 
> > 
> >        program_name: 'SSG350M' 
> >        log: 'NetScreen device_id=Juniper111  [Root]system-warning-00518: 
> > Admin user "userid" login attempt for Web(http) management (port 20480) from 
> > 1.1.1.1:22560 failed. (2012-08-15 11:33:36)' 
> > 
> > **Phase 2: Completed decoding. 
> >        decoder: 'netscreenfw' 
> >        action: 'warning' 
> >        id: '00518' 
> > 
>
> Looks like it's being decoded to me. I must be misunderstanding something. 
>
> > **Phase 3: Completed filtering (rules). 
> >        Rule id: '4502' 
> >        Level: '9' 
> >        Description: 'Netscreen warning message.' 
> > **Alert to be generated. 
> > 
> > 
> > 
> > 
> > On Wednesday, 15 August 2012 16:20:34 UTC+3, dan (ddpbsd) wrote: 
> >> 
> >> On Wed, Aug 15, 2012 at 7:03 AM, Ozgur Orhan <[email protected]> 
> wrote: 
> >> > 
> >> > 
> >> > 
> >> > Hi All, 
> >> > 
> >> > We have issues configuring the OSSEC server to receive Netscreen firewall 
> >> > logs. Logs are decoded as syslog, not Netscreen firewall. 
> >> > 
> >> > Here are my configuration steps: 
> >> > 
> >> > First, the firewalls are configured to send audit logs via syslog. 
> >> > 
> >> > We changed the ossec.conf file as below to allow syslog: 
> >> > 
> >> > <remote> 
> >> >   <connection>syslog</connection> 
> >> >   <allowed-ips>firewall ip</allowed-ips> 
> >> > </remote> 
> >> > 
> >> > OSSEC services restarted without problems. 
> >> > 
> >> > I checked with tcpdump that the firewall syslog traffic is received by the 
> >> > OSSEC server. 
> >> > 
> >> > Here is my sample log. 
> >> > 
> >> > Aug 15 10:30:14 136.10.247.130 SSG350M: NetScreen device_id=Juniper111 
> >> > [Root]system-warning-00518: Admin user "userid" login attempt for Web(http) 
> >> > management (port 20480) from 1.1.1.1:22560 failed. (2012-08-15 11:33:36) 
> >> > 
> >> > /var/ossec/bin/ossec-logtest shows logs from the Netscreen device decoded 
> >> > properly. 
> >> > 
> >> > **Phase 1: Completed pre-decoding. 
> >> >        full event: 'Aug 15 10:30:14 136.10.247.130 SSG350M: NetScreen 
> >> > device_id=Juniper111  [Root]system-warning-00518: Admin user "userid" login 
> >> > attempt for Web(http) management (port 20480) from 1.1.1.1:22560failed. 
> >> > (2012-08-15 11:33:36)' 
> >> >        hostname: '1.1.1.1' 
> >> >        program_name: 'SSG350M' 
> >> >        log: 'NetScreen device_id=Juniper111 [Root]system-warning-00518: 
> >> > Admin user "userid" login attempt for Web(http) management (port 20480) 
> >> > from 1.1.1.1:22560 failed. (2012-08-15 11:33:36)' 
> >> > 
> >> > **Phase 2: Completed decoding. 
> >> >        decoder: 'netscreenfw' 
> >> >        action: 'warning' 
> >> >        id: '00518' 
> >> > 
> >> > **Phase 3: Completed filtering (rules). 
> >> >        Rule id: '4502' 
> >> >        Level: '9' 
> >> >        Description: 'Netscreen warning message.' 
> >> > **Alert to be generated. 
> >> > 
> >> > No logs/alerts occurred in /var/ossec/logs/firewall/firewall.log. 
> >> > 
> >> > I checked /var/ossec/logs/alerts/alerts.log and found a log about the syslog 
> >> > process. It seems the log is decoded as syslog. 
> >> > 
> >> > ** Alert 1345026945.197836: - 
> >> > syslog,access_control,authentication_failed, 
> >> > 2012 Aug 15 13:35:45 logyon->1.1.1.1 
> >> > Rule: 2501 (level 5) -> 'User authentication failure.' 
> >> > SSG350M: NetScreen device_id=Juniper111 [Root]system-warning-00518: ADM: 
> >> > Local admin authentication failed for login name userid: invalid password 
> >> > (2012-08-15 14:39:22) 
> >> > 
> >> 
> >> It looks like the log message sent to OSSEC is different than the log 
> >> message you tested above. This log message doesn't have the timestamp 
> >> at the beginning. 
> >> 
> >> **Phase 1: Completed pre-decoding. 
> >>        full event: 'SSG350M: NetScreen device_id=Juniper111 
> >> [Root]system-warning-00518: ADM: Local admin authentication failed for 
> >> login name userid: invalid password (2012-08-15 14:39:22)' 
> >>        hostname: 'arrakis' 
> >>        program_name: '(null)' 
> >>        log: 'SSG350M: NetScreen device_id=Juniper111 
> >> [Root]system-warning-00518: ADM: Local admin authentication failed for 
> >> login name userid: invalid password (2012-08-15 14:39:22)' 
> >> 
> >> **Phase 2: Completed decoding. 
> >>        No decoder matched. 
> >> 
> >> **Phase 3: Completed filtering (rules). 
> >>        Rule id: '2501' 
> >>        Level: '5' 
> >>        Description: 'User authentication failure.' 
> >> **Alert to be generated. 
> >> 
> >> 
> >> > 
> >> > I couldn't find what I am missing. Any help would be greatly 
> >> > appreciated. 
> >> > 
> >> > Regards, 
> >> > 
> >> > Ozgur 
> >> > 
> >> > The information in this message and/or attachments is intended solely for 
> >> > the attention and use of the named addressee and may be confidential. If you 
> >> > are not the intended recipient, you are hereby notified that you have 
> >> > received this transmittal in error and that any use of it is strictly 
> >> > prohibited. In such a case please delete this message and kindly notify the 
> >> > sender accordingly. 
>

-- 

--- 
You received this message because you are subscribed to the Google Groups 
"ossec-list" group.
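The behaviour dan describes in the thread (the netscreenfw decoder only matches when the message body starts with "NetScreen device_id=", which in turn requires the syslog timestamp to be present so that "SSG350M" is consumed as program_name rather than left at the front of the body) can be reproduced with a small model of OSSEC's three logtest phases. This is an added illustration, not OSSEC's own code: the regular expressions, the reduced three-entry rule table and the two sample events (modelled on the lines quoted above) are assumptions made for the example.

```python
import re

# Simplified model of OSSEC's syslog pre-decoder (illustration only, not
# OSSEC's code). A syslog header is "Mon DD HH:MM:SS host prog[pid]: msg";
# when the leading timestamp is absent the whole line is kept as the body
# and program_name stays unset, which is what ossec-logtest showed as '(null)'.
SYSLOG_HEADER = re.compile(
    r'^(?P<timestamp>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) '
    r'(?P<hostname>\S+) '
    r'(?:(?P<program_name>[^:\[\s]+)(?:\[\d+\])?: )?'
    r'(?P<log>.*)$'
)

# Prematch of the netscreenfw decoder as the thread describes it: the body
# must begin with "NetScreen device_id=". Field names mirror logtest output.
NETSCREEN_PREMATCH = re.compile(
    r'^NetScreen device_id=(?P<device_id>\S+)\s+'
    r'\[\S+\]system-(?P<action>[a-z]+)-(?P<id>\d+):'
)

# Hypothetical, much-reduced rule chain. The rule ids and descriptions are
# the ones that appear in the thread; the match conditions are assumptions.
RULES = [
    # (required decoder, required substring in body, rule id, level, description)
    ('netscreenfw', None, 4502, 9, 'Netscreen warning message.'),
    (None, 'authentication failed', 2501, 5, 'User authentication failure.'),
    (None, 'failed', 1002, 2, 'Unknown problem somewhere in the system.'),
]

# Constructed sample events, modelled on the thread's logtest input and on
# the alert that reached alerts.log without a timestamp.
EVENT_WITH_TIMESTAMP = (
    'Aug 15 10:30:14 136.10.247.130 SSG350M: NetScreen device_id=Juniper111  '
    '[Root]system-warning-00518: Admin user "userid" login attempt for '
    'Web(http) management (port 20480) from 1.1.1.1:22560 failed. '
    '(2012-08-15 11:33:36)'
)
EVENT_WITHOUT_TIMESTAMP = (
    'SSG350M: NetScreen device_id=Juniper111 [Root]system-warning-00518: '
    'ADM: Local admin authentication failed for login name userid: '
    'invalid password (2012-08-15 14:39:22)'
)


def predecode(event):
    """Phase 1: split the syslog header off the message body."""
    m = SYSLOG_HEADER.match(event)
    if m is None:
        return {'timestamp': None, 'hostname': None,
                'program_name': None, 'log': event}
    return m.groupdict()


def decode(pre):
    """Phase 2: run the netscreenfw prematch against the body only."""
    m = NETSCREEN_PREMATCH.match(pre['log'])
    if m is None:
        return {'decoder': None}
    fields = m.groupdict()
    fields['decoder'] = 'netscreenfw'
    return fields


def match_rule(pre, dec):
    """Phase 3: first matching entry of the reduced rule chain wins."""
    for decoder, needle, rule_id, level, description in RULES:
        if decoder is not None and dec['decoder'] != decoder:
            continue
        if needle is not None and needle not in pre['log'].lower():
            continue
        return {'rule_id': rule_id, 'level': level, 'description': description}
    return None


def logtest(event):
    """Return the three phases for one event, like ossec-logtest prints them."""
    pre = predecode(event)
    dec = decode(pre)
    return {'predecoded': pre, 'decoded': dec, 'rule': match_rule(pre, dec)}


if __name__ == '__main__':
    for name, event in (('with timestamp', EVENT_WITH_TIMESTAMP),
                        ('without timestamp', EVENT_WITHOUT_TIMESTAMP)):
        result = logtest(event)
        print(name)
        print('  program_name:', result['predecoded']['program_name'])
        print('  decoder:     ', result['decoded']['decoder'])
        print('  rule:        ', result['rule'])
```

With the timestamp present, "SSG350M" becomes program_name, the body starts with "NetScreen device_id=" and the netscreenfw decoder fires (rule 4502). Without it, "SSG350M: " stays at the front of the body, no decoder matches, and the generic syslog rule 2501 is the only thing left to catch the failed login, which is exactly the alerts.log entry Ozgur posted. Running ossec-logtest on a line copied from archives.log (or enabling logall, as dan suggests) shows which of the two shapes the server is actually receiving.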