On Apr 2, 2014 7:54 AM, "Daniel Kertby" <[email protected]> wrote:
>
> Hi all,
>
> I'm experiencing the same issue when trying to set up OSSEC monitoring for a Juniper Netscreen SSG-320M.
> Failed web user login is hitting the 1002 rule; info from archives.log is provided below:
>
> 014 Apr 02 23:59:59 #ossec-hostname# -> #FW_IP# #FW_hostname#: NetScreen device_id=#FW_hostname# [Root]system-warning-00518: Admin user "#username#" login attempt for Web(https) management (port 47873) from #client_IP#:54031 failed. (2014-04-02 23:59:59)
>

Maybe it's the hashes? Have you tried using ossec-logtest to see how OSSEC is parsing the log message?

> Any help appreciated!
>
> Regards,
> Daniel
>
> On Thursday, August 16, 2012 2:52:42 PM UTC+2, dan (ddpbsd) wrote:
>>
>> On Thu, Aug 16, 2012 at 6:48 AM, oorhan <[email protected]> wrote:
>> > Hi Dan,
>> >
>> > Thank you for your reply.
>> >
>> > The original netscreen log message has a timestamp. The log is taken from another
>> > syslog server.
>> >
>>
>> According to your alert.log entry the log message does not have a timestamp.
>>
>> An example of an alert.log entry complete with a timestamp:
>> ** Alert 1336394319.2684: - syslog,sudo
>> 2012 May 07 08:38:39 arrakis->/var/log/secure
>> Rule: 5402 (level 3) -> 'Successful sudo to ROOT executed'
>> User: ddp
>> 2012-05-07T08:38:38.338172-04:00 arrakis sudo: ddp : TTY=ttyp1 ;
>> PWD=/home/ddp ; USER=root ; COMMAND=/sbin/ifconfig em0 down
>>
>> You can enable the logall option to make sure though.
>>
>> Looking at the sample you gave me though (the one in alerts.log since
>> I don't trust the other one), I can see why it isn't decoded as a
>> netscreen entry. The decoder thinks the first parts of the log will
>> be "NetScreen device_id." In your sample it starts with: "SSG350M:
>> NetScreen device_id." So find out why the SSG350M is showing up
>> instead of a timestamp and you should be golden.
>>
>> Otherwise if the log sample you provided is incorrect, post a sample
>> from the archives.log so we can try and track this down.
>>
>> >
>> > "
>> >
>> > Aug 15 10:30:14 136.10.247.130 SSG350M: NetScreen device_id=Juniper111
>> > [Root]system-warning-00518: Admin user "userid" login attempt for Web(http)
>> > management (port 20480) from 1.1.1.1:22560 failed. (2012-08-15 11:33:36)
>> >
>> > "
>> >
>> > The log message in your test was part of alert.log.
>> >
>> > Here are my logtest results, but we are still unable to decode it. Any idea?
>> >
>> > Aug 15 10:30:14 136.10.247.130 SSG350M: NetScreen device_id=Juniper111
>> > [Root]system-warning-00518: Admin user "userid" login attempt for Web(http)
>> > management (port 20480) from 1.1.1.1:22560 failed. (2012-08-15 11:33:36)
>> >
>> > **Phase 1: Completed pre-decoding.
>> > full event: 'Aug 15 10:30:14 136.10.247.130 SSG350M: NetScreen
>> > device_id=Juniper111 [Root]system-warning-00518: Admin user "userid" login
>> > attempt for Web(http) management (port 20480) from 1.1.1.1:22560failed.
>> > (2012-08-15 11:33:36)'
>> > hostname: '136.10.247.130'
>> > program_name: 'SSG350M'
>> > log: 'NetScreen device_id=Juniper111 [Root]system-warning-00518:
>> > Admin user "userid" login attempt for Web(http) management (port 20480) from
>> > 1.1.1.1:22560 failed. (2012-08-15 11:33:36)'
>> >
>> > **Phase 2: Completed decoding.
>> > decoder: 'netscreenfw'
>> > action: 'warning'
>> > id: '00518'
>> >
>>
>> Looks like it's being decoded to me. I must be misunderstanding something.
>>
>> > **Phase 3: Completed filtering (rules).
>> > Rule id: '4502'
>> > Level: '9'
>> > Description: 'Netscreen warning message.'
>> > **Alert to be generated.
>> >
>> > On Wednesday, August 15, 2012 16:20:34 UTC+3, dan (ddpbsd) wrote:
>> >>
>> >> On Wed, Aug 15, 2012 at 7:03 AM, Ozgur Orhan <[email protected]> wrote:
>> >> >
>> >> > Hi All,
>> >> >
>> >> > We have issues configuring the OSSEC server to receive Netscreen firewall
>> >> > logs. Logs are decoded as syslog, not netscreen firewall.
>> >> >
>> >> > Here are my configuration steps:
>> >> >
>> >> > First, firewalls are configured to send audit logs via syslog.
>> >> >
>> >> > We changed the ossec.conf file as below to allow syslog:
>> >> >
>> >> > <remote>
>> >> > <connection>syslog</connection>
>> >> > <allowed-ips>firewall ip</allowed-ips>
>> >> > </remote>
>> >> >
>> >> > OSSEC services restarted without problem.
>> >> >
>> >> > I checked with tcpdump that firewall syslog traffic is received by the OSSEC
>> >> > server.
>> >> >
>> >> > Here is my sample log.
>> >> >
>> >> > Aug 15 10:30:14 136.10.247.130 SSG350M: NetScreen device_id=Juniper111
>> >> > [Root]system-warning-00518: Admin user "userid" login attempt for Web(http)
>> >> > management (port 20480) from 1.1.1.1:22560 failed. (2012-08-15 11:33:36)
>> >> >
>> >> > /var/ossec/bin/ossec-logtest shows logs from the netscreen device decoded
>> >> > properly.
>> >> >
>> >> > **Phase 1: Completed pre-decoding.
>> >> > full event: 'Aug 15 10:30:14 136.10.247.130 SSG350M: NetScreen
>> >> > device_id=Juniper111 [Root]system-warning-00518: Admin user "userid" login
>> >> > attempt for Web(http) management (port 20480) from 1.1.1.1:22560failed.
>> >> > (2012-08-15 11:33:36)'
>> >> > hostname: '1.1.1.1'
>> >> > program_name: 'SSG350M'
>> >> > log: 'NetScreen device_id=Juniper111 [Root]system-warning-00518:
>> >> > Admin user "userid" login attempt for Web(http) management (port 20480) from
>> >> > 1.1.1.1:22560 failed. (2012-08-15 11:33:36)'
>> >> >
>> >> > **Phase 2: Completed decoding.
>> >> > decoder: 'netscreenfw'
>> >> > action: 'warning'
>> >> > id: '00518'
>> >> >
>> >> > **Phase 3: Completed filtering (rules).
>> >> > Rule id: '4502'
>> >> > Level: '9'
>> >> > Description: 'Netscreen warning message.'
>> >> > **Alert to be generated.
>> >> >
>> >> > No logs/alerts occurred in /var/ossec/logs/firewall/firewall.log.
>> >> >
>> >> > I checked /var/ossec/logs/alerts/alerts.log and found a log about the syslog
>> >> > process. It seems the log is decoded as syslog.
>> >> >
>> >> > ** Alert 1345026945.197836: -
>> >> > syslog,access_control,authentication_failed,
>> >> > 2012 Aug 15 13:35:45 logyon->1.1.1.1
>> >> > Rule: 2501 (level 5) -> 'User authentication failure.'
>> >> > SSG350M: NetScreen device_id=Juniper111 [Root]system-warning-00518: ADM:
>> >> > Local admin authentication failed for login name userid: invalid
>> >> > password
>> >> > (2012-08-15 14:39:22)
>> >> >
>> >>
>> >> It looks like the log message sent to OSSEC is different than the log
>> >> message you tested above. This log message doesn't have the timestamp
>> >> at the beginning.
>> >>
>> >> **Phase 1: Completed pre-decoding.
>> >> full event: 'SSG350M: NetScreen device_id=Juniper111
>> >> [Root]system-warning-00518: ADM: Local admin authentication failed for
>> >> login name userid: invalid password (2012-08-15 14:39:22)'
>> >> hostname: 'arrakis'
>> >> program_name: '(null)'
>> >> log: 'SSG350M: NetScreen device_id=Juniper111
>> >> [Root]system-warning-00518: ADM: Local admin authentication failed for
>> >> login name userid: invalid password (2012-08-15 14:39:22)'
>> >>
>> >> **Phase 2: Completed decoding.
>> >> No decoder matched.
>> >>
>> >> **Phase 3: Completed filtering (rules).
>> >> Rule id: '2501'
>> >> Level: '5'
>> >> Description: 'User authentication failure.'
>> >> **Alert to be generated.
>> >>
>> >> >
>> >> > I couldn't find what I am missing. Any help would be greatly
>> >> > appreciated.
>> >> >
>> >> > Regards,
>> >> >
>> >> > Ozgur
>> >> >
>> >> > The information in this message and/or attachments is intended solely for
>> >> > the attention and use of the named addressee and may be confidential. If you
>> >> > are not the intended recipient, you are hereby notified that you have
>> >> > received this transmittal in error and that any use of it is strictly
>> >> > prohibited. In such a case please delete this message and kindly notify the
>> >> > sender accordingly.
>
> --
>
> ---
> You received this message because you are subscribed to the Google Groups "ossec-list" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
> For more options, visit https://groups.google.com/d/optout.
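A simplified model of the two-stage check dan walks through in the thread (syslog pre-decoding, then the netscreenfw decoder's "NetScreen device_id" prematch), as an added example that is not part of the thread or of OSSEC's own code. It runs the thread's own samples and shows why the relayed line with a syslog header decodes while the one that reached OSSEC directly does not. The header regex, the `ossec-server` hostname placeholder and the treatment of the 2014 archives.log entry are assumptions.

```python
import re
from typing import NamedTuple, Optional

# Samples copied from the thread. The first carries a syslog header added by a relaying
# syslog server; the second is the form that reached OSSEC directly (alerts.log); the
# third is the 2014 archives.log entry with OSSEC's own "date host->location " prefix
# removed (an assumption about that file's layout; '#...#' are the poster's redactions).
WITH_HEADER = ('Aug 15 10:30:14 136.10.247.130 SSG350M: NetScreen device_id=Juniper111 '
               '[Root]system-warning-00518: Admin user "userid" login attempt for Web(http) '
               'management (port 20480) from 1.1.1.1:22560 failed. (2012-08-15 11:33:36)')
NO_HEADER = ('SSG350M: NetScreen device_id=Juniper111 [Root]system-warning-00518: ADM: '
             'Local admin authentication failed for login name userid: invalid password '
             '(2012-08-15 14:39:22)')
NO_HEADER_2014 = ('#FW_hostname#: NetScreen device_id=#FW_hostname# [Root]system-warning-'
                  '00518: Admin user "#username#" login attempt for Web(https) management '
                  '(port 47873) from #client_IP#:54031 failed. (2014-04-02 23:59:59)')

class PreDecoded(NamedTuple):
    hostname: str
    program_name: Optional[str]
    log: str

# Simplified model of OSSEC's syslog pre-decoding: an assumption that mirrors the Phase 1
# fields ossec-logtest prints in the thread, not a port of OSSEC's own code.
SYSLOG_HEADER = re.compile(r'^[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d '  # "Aug 15 10:30:14"
                           r'(?P<host>\S+) '                          # hostname or IP
                           r'(?:(?P<prog>[^\s:]+): )?'                # optional "prog: "
                           r'(?P<log>.*)$')

def pre_decode(event: str, server_host: str = 'ossec-server') -> PreDecoded:
    """Split an event into the hostname / program_name / log fields of Phase 1."""
    m = SYSLOG_HEADER.match(event)
    if m:
        return PreDecoded(m['host'], m['prog'], m['log'])
    # No syslog timestamp found: hostname falls back to the OSSEC host (constructed
    # placeholder), program_name stays unset and the whole event becomes the log.
    return PreDecoded(server_host, None, event)

# The netscreenfw decoder's entry condition as dan states it: the log field must start
# with "NetScreen device_id". (Simplified; the shipped decoder.xml checks more.)
NETSCREEN_PREMATCH = re.compile(r'^NetScreen device_id=')

def decoder_for(event: str) -> Optional[str]:
    """Return 'netscreenfw' if the pre-decoded log field matches, else None."""
    return 'netscreenfw' if NETSCREEN_PREMATCH.match(pre_decode(event).log) else None
```

When `decoder_for` returns None the event falls through to the generic syslog rules, which is why the thread sees rule 2501 (and the 2014 poster rule 1002) instead of 4502.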
