Hi all,

I'm experiencing the same issue when trying to set up OSSEC monitoring for a Juniper NetScreen SSG-320M. A failed web user login is hitting the 1002 rule; the info from archives.log is provided below:
014 Apr 02 23:59:59 #ossec-hostname# -> #FW_IP# #FW_hostname#: NetScreen device_id=#FW_hostname# [Root]system-warning-00518: Admin user "#username#" login attempt for Web(https) management (port 47873) from #client_IP#:54031 failed. (2014-04-02 23:59:59)

Any help appreciated!

Regards,
Daniel

On Thursday, August 16, 2012 2:52:42 PM UTC+2, dan (ddpbsd) wrote:
>
> On Thu, Aug 16, 2012 at 6:48 AM, oorhan <[email protected]> wrote:
> > Hi Dan,
> >
> > Thank you for your reply.
> >
> > The original netscreen log message has a timestamp. The log is taken from
> > another syslog server.
> >
>
> According to your alert.log entry the log message does not have a timestamp.
> An example of an alert.log entry complete with a timestamp:
>
> ** Alert 1336394319.2684: - syslog,sudo
> 2012 May 07 08:38:39 arrakis->/var/log/secure
> Rule: 5402 (level 3) -> 'Successful sudo to ROOT executed'
> User: ddp
> 2012-05-07T08:38:38.338172-04:00 arrakis sudo: ddp : TTY=ttyp1 ;
> PWD=/home/ddp ; USER=root ; COMMAND=/sbin/ifconfig em0 down
>
> You can enable the logall option to make sure though.
>
> Looking at the sample you gave me though (the one in alerts.log since
> I don't trust the other one), I can see why it isn't decoded as a
> netscreen entry. The decoder thinks the first parts of the log will
> be "NetScreen device_id." In your sample it starts with: "SSG350M:
> NetScreen device_id." So find out why the SSG350M is showing up
> instead of a timestamp and you should be golden.
>
> Otherwise if the log sample you provided is incorrect, post a sample
> from the archives.log so we can try and track this down.
>
> > "
> >
> > Aug 15 10:30:14 136.10.247.130 SSG350M: NetScreen device_id=Juniper111
> > [Root]system-warning-00518: Admin user "userid" login attempt for Web(http)
> > management (port 20480) from 1.1.1.1:22560 failed. (2012-08-15 11:33:36)
> >
> > "
> >
> > The log message in your test was a part of alert.log.
> >
> > Here are my logtest results, but we are still unable to decode it. Any
> > idea?
> >
> > Aug 15 10:30:14 136.10.247.130 SSG350M: NetScreen device_id=Juniper111
> > [Root]system-warning-00518: Admin user "userid" login attempt for Web(http)
> > management (port 20480) from 1.1.1.1:22560 failed. (2012-08-15 11:33:36)
> >
> > **Phase 1: Completed pre-decoding.
> > full event: 'Aug 15 10:30:14 136.10.247.130 SSG350M: NetScreen
> > device_id=Juniper111 [Root]system-warning-00518: Admin user "userid" login
> > attempt for Web(http) management (port 20480) from 1.1.1.1:22560failed.
> > (2012-08-15 11:33:36)'
> > hostname: '136.10.247.130'
> > program_name: 'SSG350M'
> > log: 'NetScreen device_id=Juniper111 [Root]system-warning-00518:
> > Admin user "userid" login attempt for Web(http) management (port 20480) from
> > 1.1.1.1:22560 failed. (2012-08-15 11:33:36)'
> >
> > **Phase 2: Completed decoding.
> > decoder: 'netscreenfw'
> > action: 'warning'
> > id: '00518'
> >
>
> Looks like it's being decoded to me. I must be misunderstanding something.
>
> > **Phase 3: Completed filtering (rules).
> > Rule id: '4502'
> > Level: '9'
> > Description: 'Netscreen warning message.'
> > **Alert to be generated.
> >
> > On Wednesday, 15 August 2012 16:20:34 UTC+3, dan (ddpbsd) wrote:
> >>
> >> On Wed, Aug 15, 2012 at 7:03 AM, Ozgur Orhan <[email protected]> wrote:
> >> >
> >> > Hi All,
> >> >
> >> > We have issues configuring the Ossec server to receive Netscreen firewall
> >> > logs. Logs are decoded as syslog, not netscreen firewall.
> >> >
> >> > Here are my configuration steps;
> >> >
> >> > First, the firewalls are configured to send audit logs via syslog.
> >> >
> >> > We changed the ossec.conf file as below to allow syslog;
> >> >
> >> > <remote>
> >> >   <connection>syslog</connection>
> >> >   <allowed-ips>firewall ip</allowed-ips>
> >> > </remote>
> >> >
> >> > Ossec services restarted without problem.
> >> >
> >> > I checked with tcpdump that the firewall syslog traffic is received by the
> >> > Ossec server.
> >> >
> >> > Here is my sample log.
> >> >
> >> > Aug 15 10:30:14 136.10.247.130 SSG350M: NetScreen device_id=Juniper111
> >> > [Root]system-warning-00518: Admin user "userid" login attempt for
> >> > Web(http) management (port 20480) from 1.1.1.1:22560 failed. (2012-08-15
> >> > 11:33:36)
> >> >
> >> > /var/ossec/bin/ossec-logtest shows logs from the netscreen device decoded
> >> > properly.
> >> >
> >> > **Phase 1: Completed pre-decoding.
> >> > full event: 'Aug 15 10:30:14 136.10.247.130 SSG350M: NetScreen
> >> > device_id=Juniper111 [Root]system-warning-00518: Admin user "userid" login
> >> > attempt for Web(http) management (port 20480) from 1.1.1.1:22560failed.
> >> > (2012-08-15 11:33:36)'
> >> > hostname: '1.1.1.1'
> >> > program_name: 'SSG350M'
> >> > log: 'NetScreen device_id=Juniper111 [Root]system-warning-00518:
> >> > Admin user "userid" login attempt for Web(http) management (port 20480)
> >> > from 1.1.1.1:22560 failed. (2012-08-15 11:33:36)'
> >> >
> >> > **Phase 2: Completed decoding.
> >> > decoder: 'netscreenfw'
> >> > action: 'warning'
> >> > id: '00518'
> >> >
> >> > **Phase 3: Completed filtering (rules).
> >> > Rule id: '4502'
> >> > Level: '9'
> >> > Description: 'Netscreen warning message.'
> >> > **Alert to be generated.
> >> >
> >> > No logs/alerts occurred in /var/ossec/logs/firewall/firewall.log.
> >> >
> >> > I checked /var/ossec/logs/alerts/alerts.log and found a log about the
> >> > syslog process. It seems the log is decoded as syslog.
> >> >
> >> > ** Alert 1345026945.197836: - syslog,access_control,authentication_failed,
> >> > 2012 Aug 15 13:35:45 logyon->1.1.1.1
> >> > Rule: 2501 (level 5) -> 'User authentication failure.'
> >> > SSG350M: NetScreen device_id=Juniper111 [Root]system-warning-00518: ADM:
> >> > Local admin authentication failed for login name userid: invalid password
> >> > (2012-08-15 14:39:22)
> >> >
> >>
> >> It looks like the log message sent to OSSEC is different than the log
> >> message you tested above. This log message doesn't have the timestamp
> >> at the beginning.
> >>
> >> **Phase 1: Completed pre-decoding.
> >> full event: 'SSG350M: NetScreen device_id=Juniper111
> >> [Root]system-warning-00518: ADM: Local admin authentication failed for
> >> login name userid: invalid password (2012-08-15 14:39:22)'
> >> hostname: 'arrakis'
> >> program_name: '(null)'
> >> log: 'SSG350M: NetScreen device_id=Juniper111
> >> [Root]system-warning-00518: ADM: Local admin authentication failed for
> >> login name userid: invalid password (2012-08-15 14:39:22)'
> >>
> >> **Phase 2: Completed decoding.
> >> No decoder matched.
> >>
> >> **Phase 3: Completed filtering (rules).
> >> Rule id: '2501'
> >> Level: '5'
> >> Description: 'User authentication failure.'
> >> **Alert to be generated.
> >>
> >> > I couldn't find what I am missing. Any help would be greatly
> >> > appreciated.
> >> >
> >> > Regards,
> >> >
> >> > Ozgur
> >> >
> >> > The information in this message and/or attachments is intended solely for
> >> > the attention and use of the named addressee and may be confidential. If you
> >> > are not the intended recipient, you are hereby notified that you have
> >> > received this transmittal in error and that any use of it is strictly
> >> > prohibited. In such a case please delete this message and kindly notify the
> >> > sender accordingly.
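As an added example (it is not part of this thread, and it is not OSSEC's own pre-decoder or decoder code, which the regular expressions below only approximate), here is a small Python model of the two phases dan is pointing at: phase 1 only splits off hostname and program_name when the line starts with a BSD syslog timestamp, and the netscreenfw decoder's prematch is assumed to look for "NetScreen device_id=" at the front of the resulting log field. The three sample lines are the ones quoted in the thread, embedded as constants; the fallback hostname "ossec-server", the archives.log header pattern and the action/id extraction are assumptions of the model.

```python
import re

# Constructed sample input: the three log lines quoted in this thread.
# WORKING is the line ossec-logtest decoded as netscreenfw; NOT_WORKING is the
# line seen in alerts.log (no syslog timestamp); ARCHIVED is Daniel's archives.log
# entry, with its placeholders (#FW_hostname# etc.) left exactly as he posted it.
WORKING = ('Aug 15 10:30:14 136.10.247.130 SSG350M: NetScreen device_id=Juniper111 '
           '[Root]system-warning-00518: Admin user "userid" login attempt for Web(http) '
           'management (port 20480) from 1.1.1.1:22560 failed. (2012-08-15 11:33:36)')
NOT_WORKING = ('SSG350M: NetScreen device_id=Juniper111 [Root]system-warning-00518: ADM: '
               'Local admin authentication failed for login name userid: invalid password '
               '(2012-08-15 14:39:22)')
ARCHIVED = ('014 Apr 02 23:59:59 #ossec-hostname# -> #FW_IP# #FW_hostname#: NetScreen '
            'device_id=#FW_hostname# [Root]system-warning-00518: Admin user "#username#" '
            'login attempt for Web(https) management (port 47873) from #client_IP#:54031 '
            'failed. (2014-04-02 23:59:59)')

# archives.log prefixes every stored event with "YYYY Mon DD HH:MM:SS host->location ".
# Assumption: optional spaces around "->" are tolerated because Daniel's paste has them.
ARCHIVE_HEADER = re.compile(
    r'^\d{3,4} [A-Z][a-z]{2} \d{2} \d{2}:\d{2}:\d{2} \S+ ?-> ?\S+ (?P<log>.*)$', re.DOTALL)

# Simplified model of phase 1 (pre-decoding): a BSD syslog header is
# "Mon DD HH:MM:SS hostname program_name[pid]: message". Without that leading
# timestamp the hostname/program_name split never happens and program_name stays null.
SYSLOG_HEADER = re.compile(
    r'^(?P<ts>[A-Z][a-z]{2} [ \d]\d \d{2}:\d{2}:\d{2}) '
    r'(?P<host>\S+) '
    r'(?:(?P<prog>[^:\[ ]+)(?:\[\d+\])?: )?'
    r'(?P<log>.*)$', re.DOTALL)

# Model of the netscreenfw decoder (assumption): prematch on the start of the log
# field, then pull action and id out of "[Root]system-<action>-<id>" as logtest shows.
NETSCREEN_PREMATCH = re.compile(r'^NetScreen device_id=')
NETSCREEN_FIELDS = re.compile(r'\[\w+\]system-(?P<action>[a-z]+)-(?P<id>\d+)')


def strip_archive_header(line):
    """Return the raw event from an archives.log line, or the line unchanged if it has no header."""
    m = ARCHIVE_HEADER.match(line)
    return m.group('log') if m else line


def predecode(line, local_hostname='ossec-server'):
    """Phase 1: split a raw event into hostname, program_name and log."""
    m = SYSLOG_HEADER.match(line)
    if not m:
        # No syslog timestamp: fall back to the server's own hostname and a null
        # program_name; the whole line (including "SSG350M:") becomes the log field.
        return {'hostname': local_hostname, 'program_name': None, 'log': line}
    return {'hostname': m.group('host'), 'program_name': m.group('prog'), 'log': m.group('log')}


def decode(event):
    """Phase 2: return netscreenfw fields if the prematch hits, else None (no decoder matched)."""
    if not NETSCREEN_PREMATCH.match(event['log']):
        return None
    fields = {'decoder': 'netscreenfw'}
    f = NETSCREEN_FIELDS.search(event['log'])
    if f:
        fields['action'] = f.group('action')
        fields['id'] = f.group('id')
    return fields


def diagnose(raw_line):
    """Say why a raw or archives.log line did or did not reach the netscreenfw decoder."""
    event = predecode(strip_archive_header(raw_line))
    if decode(event):
        return 'netscreenfw'
    if event['program_name'] is None:
        return 'no-syslog-header'   # a device name sits where the timestamp should be
    return 'prematch-failed'


if __name__ == '__main__':
    for name, line in (('WORKING', WORKING), ('NOT_WORKING', NOT_WORKING), ('ARCHIVED', ARCHIVED)):
        event = predecode(strip_archive_header(line))
        print(name, '->', diagnose(line), '| program_name =', event['program_name'],
              '| log starts with', repr(event['log'][:30]))
```

Run as a script it prints one verdict per sample. The point it makes is the one dan made: when the device name arrives where the syslog timestamp should be, phase 1 never splits off program_name, the log field starts with "SSG350M:" (or "#FW_hostname#:") instead of "NetScreen device_id=", and the generic authentication rules (2501 in Ozgur's case, 1002 in Daniel's) fire instead of the netscreenfw rules. Pasting the exact archives.log line into diagnose() is a quick way to confirm which of the two cases a given sender is in before looking at the syslog configuration on the firewall or the relay in between.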
