Sorry for the confusion, the # hashes were put there by me to 
mask hostnames/IPs.

I tried ossec-logtest now and pasted the info from "NetScreen device_id=" 
onwards, skipping the first part of the line in the archives.log file; I'm a 
bit unsure what should be included.

-----------------------------------------------------------------------------------------------------------------------------------

   2014/04/02 01:01:01 ossec-testrule: INFO: Started (pid: 29953).
   ossec-testrule: Type one log per line.
    
    
   NetScreen device_id=<netscreen-device>  [Root]system-warning-00518: 
   Admin user "theuser" login attempt for Web(https) management (port 47873) 
   from <client_ip>:54031 failed. (2014-04-02 00:01:01)
    
    
   **Phase 1: Completed pre-decoding.
          full event: 'NetScreen device_id=<netscreen-device> 
    [Root]system-warning-00518: Admin user "<theuser>" login attempt for 
   Web(https) management (port 47873) from <client-ip>:54031 failed. 
   (2014-04-02 00:01:01)'
          hostname: '<ossec_server>'
          program_name: '(null)'
          log: 'NetScreen device_id=<netscreen-device> 
    [Root]system-warning-00518: Admin user "<theuser>" login attempt for 
   Web(https) management (port 47873) from <client-ip>:54031 failed. 
   (2014-04-02 00:01:01)'
    
   **Phase 2: Completed decoding.
          No decoder matched.
    
   **Phase 3: Completed filtering (rules).
          Rule id: '1002'
          Level: '2'
          Description: 'Unknown problem somewhere in the system.'
   **Alert to be generated.
   

-----------------------------------------------------------------------------------------------------------------------------------
 

On Wednesday, April 2, 2014 1:57:53 PM UTC+2, dan (ddpbsd) wrote:
>
>
> On Apr 2, 2014 7:54 AM, "Daniel Kertby" <[email protected]> wrote:
> >
> > Hi all,
> >
> > I'm experiencing the same issue when trying to set up OSSEC monitoring for a 
> > Juniper Netscreen SSG-320M.
> > Failed web user login is hitting the 1002 rule; info from archives.log is 
> > provided below:
> >
> > 014 Apr 02 23:59:59 #ossec-hostname# -> #FW_IP# #FW_hostname#: NetScreen 
> > device_id=#FW_hostname#  [Root]system-warning-00518: Admin user 
> > "#username#" login attempt for Web(https) management (port 47873) from 
> > #client_IP#:54031 failed. (2014-04-02 23:59:59)
> >
>
> Maybe it's the hashes?
> Have you tried using ossec-logtest to see how ossec is parsing the log 
> message?
>
> > Any help appreciated!
> >
> > Regards,
> > Daniel
> >
> > On Thursday, August 16, 2012 2:52:42 PM UTC+2, dan (ddpbsd) wrote:
> >>
> >> On Thu, Aug 16, 2012 at 6:48 AM, oorhan <[email protected]> wrote: 
> >> > hi Dan, 
> >> > 
> >> > Thank you for your reply. 
> >> > 
> >> > The original netscreen log message has a timestamp. The log is taken 
> >> > from another syslog server. 
> >> > 
> >>
> >>
> >> According to your alert.log entry the log message does not have a 
> >> timestamp. 
> >>
> >> An example of an alert.log entry complete with a timestamp: 
> >> ** Alert 1336394319.2684: - syslog,sudo 
> >> 2012 May 07 08:38:39 arrakis->/var/log/secure 
> >> Rule: 5402 (level 3) -> 'Successful sudo to ROOT executed' 
> >> User: ddp 
> >> 2012-05-07T08:38:38.338172-04:00 arrakis sudo:      ddp : TTY=ttyp1 ; 
> >> PWD=/home/ddp ; USER=root ; COMMAND=/sbin/ifconfig em0 down 
> >>
> >>
> >> You can enable the logall option to make sure though. 
> >>
> >> Looking at the sample you gave me though (the one in alerts.log since 
> >> I don't trust the other one), I can see why it isn't decoded as a 
> >> netscreen entry.  The decoder thinks the first parts of the log will 
> >> be "NetScreen device_id." In your sample it starts with: "SSG350M: 
> >> NetScreen device_id." So find out why the SSG350M is showing up 
> >> instead of a timestamp and you should be golden. 
> >>
> >> Otherwise if the log sample you provided is incorrect, post a sample 
> >> from the archives.log so we can try and track this down. 
> >>
> >>
> >> > 
> >> > " 
> >> > 
> >> > Aug 15 10:30:14 136.10.247.130 SSG350M: NetScreen device_id=Juniper111 
> >> > [Root]system-warning-00518: Admin user "userid" login attempt for Web(http) 
> >> > management (port 20480) from 1.1.1.1:22560 failed. (2012-08-15 11:33:36) 
> >> > 
> >> > " 
> >> > 
> >> > Log message on your test was a part of alert.log. 
> >> > 
> >> > here is my Logtest results..but we are still unable to decode it. Any 
> idea? 
> >> > 
> >> > 
> >> > Aug 15 10:30:14 136.10.247.130 SSG350M: NetScreen device_id=Juniper111 
> >> > [Root]system-warning-00518: Admin user "userid" login attempt for Web(http) 
> >> > management (port 20480) from 1.1.1.1:22560 failed. (2012-08-15 11:33:36) 
> >> > 
> >> > 
> >> > **Phase 1: Completed pre-decoding. 
> >> >        full event: 'Aug 15 10:30:14 136.10.247.130 SSG350M: NetScreen 
> >> > device_id=Juniper111  [Root]system-warning-00518: Admin user "userid" login 
> >> > attempt for Web(http) management (port 20480) from 1.1.1.1:22560failed. 
> >> > (2012-08-15 11:33:36)' 
> >> >        hostname: '136.10.247.130' 
> >> > 
> >> >        program_name: 'SSG350M' 
> >> >        log: 'NetScreen device_id=Juniper111  [Root]system-warning-00518: 
> >> > Admin user "userid" login attempt for Web(http) management (port 20480) from 
> >> > 1.1.1.1:22560 failed. (2012-08-15 11:33:36)' 
> >> > 
> >> > **Phase 2: Completed decoding. 
> >> >        decoder: 'netscreenfw' 
> >> >        action: 'warning' 
> >> >        id: '00518' 
> >> > 
> >>
> >> Looks like it's being decoded to me. I must be misunderstanding 
> >> something. 
> >>
> >> > **Phase 3: Completed filtering (rules). 
> >> >        Rule id: '4502' 
> >> >        Level: '9' 
> >> >        Description: 'Netscreen warning message.' 
> >> > **Alert to be generated. 
> >> > 
> >> > 
> >> > 
> >> > 
> >> > On Wednesday, 15 August 2012 16:20:34 UTC+3, dan (ddpbsd) wrote: 
> >> >> 
> >> >> On Wed, Aug 15, 2012 at 7:03 AM, Ozgur Orhan <[email protected]> 
> >> >> wrote: 
> >> >> > 
> >> >> > 
> >> >> > 
> >> >> > Hi All, 
> >> >> > 
> >> >> > 
> >> >> > 
> >> >> > We have issues configuring the OSSEC server to receive Netscreen firewall 
> >> >> > logs. Logs are decoded as syslog, not netscreen firewall. 
> >> >> > 
> >> >> > 
> >> >> > 
> >> >> > Here are my configuration steps; 
> >> >> > 
> >> >> > First, firewalls are configured sending audit logs via syslog. 
> >> >> > 
> >> >> > We changed ossec.conf file as below to allow syslog; 
> >> >> > 
> >> >> > 
> >> >> > 
> >> >> > <remote> 
> >> >> > 
> >> >> >     <connection>syslog</connection> 
> >> >> > 
> >> >> >     <allowed-ips>firewall ip</allowed-ips> 
> >> >> > 
> >> >> >   </remote> 
> >> >> > 
> >> >> > 
> >> >> > 
> >> >> > Ossec services restarted without problem. 
> >> >> > 
> >> >> > 
> >> >> > 
> >> >> > I checked with tcpdump that firewall syslog traffic is received by the 
> >> >> > OSSEC server. 
> >> >> > 
> >> >> > 
> >> >> > 
> >> >> > Here is my sample log. 
> >> >> > 
> >> >> > 
> >> >> > 
> >> >> > Aug 15 10:30:14 136.10.247.130 SSG350M: NetScreen device_id=Juniper111 
> >> >> > [Root]system-warning-00518: Admin user "userid" login attempt for Web(http) 
> >> >> > management (port 20480) from 1.1.1.1:22560 failed. (2012-08-15 11:33:36) 
> >> >> > 
> >> >> > 
> >> >> > 
> >> >> > 
> >> >> > 
> >> >> > /var/ossec/bin/ossec-logtest shows logs from the netscreen device decoded 
> >> >> > properly. 
> >> >> > 
> >> >> > 
> >> >> > 
> >> >> > **Phase 1: Completed pre-decoding. 
> >> >> > 
> >> >> >        full event: 'Aug 15 10:30:14 136.10.247.130 SSG350M: NetScreen 
> >> >> > device_id=Juniper111  [Root]system-warning-00518: Admin user "userid" login 
> >> >> > attempt for Web(http) management (port 20480) from 1.1.1.1:22560failed. 
> >> >> > (2012-08-15 11:33:36)' 
> >> >> > 
> >> >> >        hostname: '1.1.1.1' 
> >> >> > 
> >> >> >        program_name: 'SSG350M' 
> >> >> > 
> >> >> >        log: 'NetScreen device_id=Juniper111 [Root]system-warning-00518: 
> >> >> > Admin user "userid" login attempt for Web(http) management (port 20480) from 
> >> >> > 1.1.1.1:22560 failed. (2012-08-15 11:33:36)' 
> >> >> > 
> >> >> > 
> >> >> > 
> >> >> > **Phase 2: Completed decoding. 
> >> >> > 
> >> >> >        decoder: 'netscreenfw' 
> >> >> > 
> >> >> >        action: 'warning' 
> >> >> > 
> >> >> >        id: '00518' 
> >> >> > 
> >> >> > 
> >> >> > 
> >> >> > **Phase 3: Completed filtering (rules). 
> >> >> > 
> >> >> >        Rule id: '4502' 
> >> >> > 
> >> >> >        Level: '9' 
> >> >> > 
> >> >> >        Description: 'Netscreen warning message.' 
> >> >> > 
> >> >> > **Alert to be generated. 
> >> >> > 
> >> >> > 
> >> >> > 
> >> >> > No logs/alerts occurred on /var/ossec/logs/firewall/firewall.log. 
> >> >> > 
> >> >> > I checked /var/ossec/logs/alerts/alerts.log and found a log about a syslog 
> >> >> > process. It seems the log is decoded as syslog. 
> >> >> > 
> >> >> > 
> >> >> > 
> >> >> > ** Alert 1345026945.197836: - 
> >> >> > syslog,access_control,authentication_failed, 
> >> >> > 
> >> >> > 2012 Aug 15 13:35:45 logyon->1.1.1.1 
> >> >> > 
> >> >> > Rule: 2501 (level 5) -> 'User authentication failure.' 
> >> >> > 
> >> >> > SSG350M: NetScreen device_id=Juniper111 [Root]system-warning-00518: ADM: 
> >> >> > Local admin authentication failed for login name userid: invalid password 
> >> >> > (2012-08-15 14:39:22) 
> >> >> > 
> >> >> 
> >> >> It looks like the log message sent to OSSEC is different than the log 
> >> >> message you tested above. This log message doesn't have the timestamp 
> >> >> at the beginning. 
> >> >> 
> >> >> **Phase 1: Completed pre-decoding. 
> >> >>        full event: 'SSG350M: NetScreen device_id=Juniper111 
> >> >> [Root]system-warning-00518: ADM: Local admin authentication failed for 
> >> >> login name userid: invalid password (2012-08-15 14:39:22)' 
> >> >>        hostname: 'arrakis' 
> >> >>        program_name: '(null)' 
> >> >>        log: 'SSG350M: NetScreen device_id=Juniper111 
> >> >> [Root]system-warning-00518: ADM: Local admin authentication failed for 
> >> >> login name userid: invalid password (2012-08-15 14:39:22)' 
> >> >> 
> >> >> **Phase 2: Completed decoding. 
> >> >>        No decoder matched. 
> >> >> 
> >> >> **Phase 3: Completed filtering (rules). 
> >> >>        Rule id: '2501' 
> >> >>        Level: '5' 
> >> >>        Description: 'User authentication failure.' 
> >> >> **Alert to be generated. 
> >> >> 
> >> >> 
> >> >> > 
> >> >> > 
> >> >> > I couldn't find what I am missing.  Any help would be greatly 
> >> >> > appreciated.. 
> >> >> > 
> >> >> > 
> >> >> > 
> >> >> > Regards, 
> >> >> > 
> >> >> > 
> >> >> > 
> >> >> > Ozgur 
> >> >> > 
> >> >> > The information in this message and/or attachments is intended solely 
> >> >> > for the attention and use of the named addressee and may be confidential. 
> >> >> > If you are not the intended recipient, you are hereby notified that you 
> >> >> > have received this transmittal in error and that any use of it is strictly 
> >> >> > prohibited. In such a case please delete this message and kindly notify 
> >> >> > the sender accordingly. 
> >
> > -- 
> >
> > --- 
> > You received this message because you are subscribed to the Google 
> > Groups "ossec-list" group.
> > To unsubscribe from this group and stop receiving emails from it, send 
> > an email to [email protected].
> > For more options, visit https://groups.google.com/d/optout.
>  

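The pre-decoding step dan describes in the quoted thread, modelled as an added example (this is not code from the thread or from OSSEC itself): it assumes a simplified version of OSSEC's syslog header split and the netscreenfw parent prematch `^NetScreen device_id=`, and shows why the alerts.log message that arrives without a syslog timestamp keeps "SSG350M: " at the front of its log field and therefore never reaches the netscreen decoder, while the same message seen via the syslog server does.

```python
import re

# Simplified model of OSSEC's syslog pre-decoding (constructed for this example,
# not OSSEC's own code).  A BSD-style "Mon DD HH:MM:SS host prog:" header is
# split into hostname, program_name and log.  Without a header the whole event
# becomes the log, the hostname falls back to the local host and program_name
# is null, which is what ossec-logtest printed for the alerts.log sample.
SYSLOG_HEADER = re.compile(
    r'^[A-Z][a-z]{2} {1,2}\d{1,2} \d\d:\d\d:\d\d '   # "Aug 15 10:30:14 "
    r'(\S+) '                                        # hostname
    r'(?:([^\[: ]+)(?:\[\d+\])?: +)?'                # optional "prog[pid]: "
    r'(.*)$'                                         # remaining log text
)

# Parent prematch of the netscreenfw decoder as the thread describes it: the
# log field left after pre-decoding must begin with "NetScreen device_id=".
NETSCREEN_PREMATCH = re.compile(r'^NetScreen device_id=')


def predecode(event, local_hostname='arrakis'):
    """Return the Phase 1 fields ossec-logtest prints: hostname, program_name, log."""
    m = SYSLOG_HEADER.match(event)
    if m is None:
        return {'hostname': local_hostname, 'program_name': None, 'log': event}
    hostname, program_name, log = m.groups()
    return {'hostname': hostname, 'program_name': program_name, 'log': log}


def netscreen_prematch(event):
    """True when the pre-decoded log would reach the netscreenfw decoder."""
    return NETSCREEN_PREMATCH.match(predecode(event)['log']) is not None


# Sample events as posted in the thread (constructed copies).
VIA_SYSLOG_SERVER = ('Aug 15 10:30:14 136.10.247.130 SSG350M: NetScreen device_id=Juniper111  '
                     '[Root]system-warning-00518: Admin user "userid" login attempt for Web(http) '
                     'management (port 20480) from 1.1.1.1:22560 failed. (2012-08-15 11:33:36)')
IN_ALERTS_LOG = ('SSG350M: NetScreen device_id=Juniper111 [Root]system-warning-00518: ADM: Local '
                 'admin authentication failed for login name userid: invalid password '
                 '(2012-08-15 14:39:22)')

if __name__ == '__main__':
    for event in (VIA_SYSLOG_SERVER, IN_ALERTS_LOG):
        fields = predecode(event)
        print(f"program_name={fields['program_name']!r} netscreenfw={netscreen_prematch(event)}")
        print(f"  log: {fields['log'][:48]!r}...")
```

Running it against the two samples reproduces the split seen in the thread: the relayed message yields program_name 'SSG350M' and a log starting with "NetScreen device_id=", the direct one yields a null program_name and a log starting with "SSG350M: ".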