On Wed, Apr 2, 2014 at 8:50 AM, Daniel Kertby <[email protected]> wrote:
> Sorry for the confusion, the # hashes were put there by me to masquerade
> hostnames/IPs.
>
> I tried the ossec-logtest now and pasted info from "NetScreen device_id=",
> skipped the first part of the info in the archives.log file, a bit unsure what
> should be included.
>
> -----------------------------------------------------------------------------------------------------------------------------------
>
> 2014/04/02 01:01:01 ossec-testrule: INFO: Started (pid: 29953).
> ossec-testrule: Type one log per line.
>
>
> NetScreen device_id=<netscreen-device> [Root]system-warning-00518: Admin
> user "theuser" login attempt for Web(https) management (port 47873) from
> <client_ip>:54031 failed. (2014-04-02 00:01:01)
>
>
> **Phase 1: Completed pre-decoding.
> full event: 'NetScreen device_id=<netscreen-device>
> [Root]system-warning-00518: Admin user "<theuser>" login attempt for
> Web(https) management (port 47873) from <client-ip>:54031 failed.
> (2014-04-02 00:01:01)'
> hostname: '<ossec_server>'
> program_name: '(null)'
> log: 'NetScreen device_id=<netscreen-device>
> [Root]system-warning-00518: Admin user "<theuser>" login attempt for
> Web(https) management (port 47873) from <client-ip>:54031 failed.
> (2014-04-02 00:01:01)'
>
> **Phase 2: Completed decoding.
> No decoder matched.
>
So it isn't getting decoded properly. The first step in tracking down the
issue is to find out why it isn't being decoded. It looks like the version of
OSSEC in the ancient post you replied to decoded it. What version of OSSEC
are you using?

> **Phase 3: Completed filtering (rules).
> Rule id: '1002'
> Level: '2'
> Description: 'Unknown problem somewhere in the system.'
> **Alert to be generated.
>
>
> -----------------------------------------------------------------------------------------------------------------------------------
>
>
> On Wednesday, April 2, 2014 1:57:53 PM UTC+2, dan (ddpbsd) wrote:
>>
>>
>> On Apr 2, 2014 7:54 AM, "Daniel Kertby" <[email protected]> wrote:
>> >
>> > Hi all,
>> >
>> > I'm experiencing the same issue when trying to set up ossec monitoring for a
>> > Juniper Netscreen SSG-320M.
>> > Failed web user login is hitting the 1002 rule, info from archives.log
>> > provided below:
>> >
>> > 014 Apr 02 23:59:59 #ossec-hostname# -> #FW_IP# #FW_hostname#: NetScreen
>> > device_id=#FW_hostname# [Root]system-warning-00518: Admin user "#username#"
>> > login attempt for Web(https) management (port 47873) from #client_IP#:54031
>> > failed. (2014-04-02 23:59:59)
>> >
>>
>> Maybe it's the hashes?
>> Have you tried using ossec-logtest to see how ossec is parsing the log
>> message?
>>
>> > Any help appreciated!
>> >
>> > Regards,
>> > Daniel
>> >
>> > On Thursday, August 16, 2012 2:52:42 PM UTC+2, dan (ddpbsd) wrote:
>> >>
>> >> On Thu, Aug 16, 2012 at 6:48 AM, oorhan <[email protected]> wrote:
>> >> > hi Dan,
>> >> >
>> >> > Thank you for your reply.
>> >> >
>> >> > The original netscreen log message has a timestamp. The log is taken from
>> >> > another syslog server.
>> >> >
>> >>
>> >>
>> >> According to your alert.log entry the log message does not have a
>> >> timestamp.
>> >>
>> >> An example of an alert.log entry complete with a timestamp:
>> >> ** Alert 1336394319.2684: - syslog,sudo
>> >> 2012 May 07 08:38:39 arrakis->/var/log/secure
>> >> Rule: 5402 (level 3) -> 'Successful sudo to ROOT executed'
>> >> User: ddp
>> >> 2012-05-07T08:38:38.338172-04:00 arrakis sudo: ddp : TTY=ttyp1 ;
>> >> PWD=/home/ddp ; USER=root ; COMMAND=/sbin/ifconfig em0 down
>> >>
>> >>
>> >> You can enable the logall option to make sure though.
>> >>
>> >> Looking at the sample you gave me though (the one in alerts.log since
>> >> I don't trust the other one), I can see why it isn't decoded as a
>> >> netscreen entry. The decoder thinks the first parts of the log will
>> >> be "NetScreen device_id." In your sample it starts with: "SSG350M:
>> >> NetScreen device_id." So find out why the SSG350M is showing up
>> >> instead of a timestamp and you should be golden.
>> >>
>> >> Otherwise if the log sample you provided is incorrect, post a sample
>> >> from the archives.log so we can try and track this down.
>> >>
>> >>
>> >> >
>> >> > "
>> >> >
>> >> > Aug 15 10:30:14 136.10.247.130 SSG350M: NetScreen device_id=Juniper111
>> >> > [Root]system-warning-00518: Admin user "userid" login attempt for Web(http)
>> >> > management (port 20480) from 1.1.1.1:22560 failed. (2012-08-15 11:33:36)
>> >> >
>> >> > "
>> >> >
>> >> > The log message in your test was a part of alert.log.
>> >> >
>> >> > Here are my logtest results, but we are still unable to decode it. Any
>> >> > idea?
>> >> >
>> >> >
>> >> > Aug 15 10:30:14 136.10.247.130 SSG350M: NetScreen device_id=Juniper111
>> >> > [Root]system-warning-00518: Admin user "userid" login attempt for Web(http)
>> >> > management (port 20480) from 1.1.1.1:22560 failed. (2012-08-15 11:33:36)
>> >> >
>> >> >
>> >> > **Phase 1: Completed pre-decoding.
>> >> > full event: 'Aug 15 10:30:14 136.10.247.130 SSG350M: NetScreen
>> >> > device_id=Juniper111 [Root]system-warning-00518: Admin user "userid" login
>> >> > attempt for Web(http) management (port 20480) from 1.1.1.1:22560 failed.
>> >> > (2012-08-15 11:33:36)'
>> >> > hostname: '136.10.247.130'
>> >> >
>> >> > program_name: 'SSG350M'
>> >> > log: 'NetScreen device_id=Juniper111 [Root]system-warning-00518:
>> >> > Admin user "userid" login attempt for Web(http) management (port 20480) from
>> >> > 1.1.1.1:22560 failed. (2012-08-15 11:33:36)'
>> >> >
>> >> > **Phase 2: Completed decoding.
>> >> > decoder: 'netscreenfw'
>> >> > action: 'warning'
>> >> > id: '00518'
>> >> >
>> >>
>> >> Looks like it's being decoded to me. I must be misunderstanding
>> >> something.
>> >>
>> >> > **Phase 3: Completed filtering (rules).
>> >> > Rule id: '4502'
>> >> > Level: '9'
>> >> > Description: 'Netscreen warning message.'
>> >> > **Alert to be generated.
>> >> >
>> >> >
>> >> > On Wednesday, 15 August 2012 16:20:34 UTC+3, dan (ddpbsd) wrote:
>> >> >>
>> >> >> On Wed, Aug 15, 2012 at 7:03 AM, Ozgur Orhan <[email protected]> wrote:
>> >> >> >
>> >> >> > Hi All,
>> >> >> >
>> >> >> > We have issues configuring the Ossec server to receive Netscreen firewall
>> >> >> > logs. Logs are decoded as syslog, not netscreen firewall.
>> >> >> >
>> >> >> > Here are my configuration steps;
>> >> >> >
>> >> >> > First, firewalls are configured to send audit logs via syslog.
>> >> >> >
>> >> >> > We changed the ossec.conf file as below to allow syslog;
>> >> >> >
>> >> >> > <remote>
>> >> >> >   <connection>syslog</connection>
>> >> >> >   <allowed-ips>firewall ip</allowed-ips>
>> >> >> > </remote>
>> >> >> >
>> >> >> > Ossec services restarted without problem.
>> >> >> >
>> >> >> > I checked with tcpdump that firewall syslog traffic is received by the Ossec
>> >> >> > Server.
>> >> >> >
>> >> >> > Here is my sample log.
>> >> >> >
>> >> >> > Aug 15 10:30:14 136.10.247.130 SSG350M: NetScreen device_id=Juniper111
>> >> >> > [Root]system-warning-00518: Admin user "userid" login attempt for Web(http)
>> >> >> > management (port 20480) from 1.1.1.1:22560 failed. (2012-08-15 11:33:36)
>> >> >> >
>> >> >> > /var/ossec/bin/ossec-logtest shows logs from the netscreen device decoded
>> >> >> > properly.
>> >> >> >
>> >> >> > **Phase 1: Completed pre-decoding.
>> >> >> > full event: 'Aug 15 10:30:14 136.10.247.130 SSG350M: NetScreen
>> >> >> > device_id=Juniper111 [Root]system-warning-00518: Admin user "userid" login
>> >> >> > attempt for Web(http) management (port 20480) from 1.1.1.1:22560 failed.
>> >> >> > (2012-08-15 11:33:36)'
>> >> >> > hostname: '1.1.1.1'
>> >> >> > program_name: 'SSG350M'
>> >> >> > log: 'NetScreen device_id=Juniper111 [Root]system-warning-00518:
>> >> >> > Admin user "userid" login attempt for Web(http) management (port 20480) from
>> >> >> > 1.1.1.1:22560 failed. (2012-08-15 11:33:36)'
>> >> >> >
>> >> >> > **Phase 2: Completed decoding.
>> >> >> > decoder: 'netscreenfw'
>> >> >> > action: 'warning'
>> >> >> > id: '00518'
>> >> >> >
>> >> >> > **Phase 3: Completed filtering (rules).
>> >> >> > Rule id: '4502'
>> >> >> > Level: '9'
>> >> >> > Description: 'Netscreen warning message.'
>> >> >> > **Alert to be generated.
>> >> >> >
>> >> >> > No logs/alerts occurred in /var/ossec/logs/firewall/firewall.log.
>> >> >> >
>> >> >> > I checked /var/ossec/logs/alerts/alerts.log and found a log about the syslog
>> >> >> > process. It seems the log is decoded as syslog.
>> >> >> >
>> >> >> > ** Alert 1345026945.197836: - syslog,access_control,authentication_failed,
>> >> >> > 2012 Aug 15 13:35:45 logyon->1.1.1.1
>> >> >> > Rule: 2501 (level 5) -> 'User authentication failure.'
>> >> >> > SSG350M: NetScreen device_id=Juniper111 [Root]system-warning-00518: ADM:
>> >> >> > Local admin authentication failed for login name userid: invalid password
>> >> >> > (2012-08-15 14:39:22)
>> >> >> >
>> >> >>
>> >> >> It looks like the log message sent to OSSEC is different than the log
>> >> >> message you tested above. This log message doesn't have the timestamp
>> >> >> at the beginning.
>> >> >>
>> >> >> **Phase 1: Completed pre-decoding.
>> >> >> full event: 'SSG350M: NetScreen device_id=Juniper111
>> >> >> [Root]system-warning-00518: ADM: Local admin authentication failed for
>> >> >> login name userid: invalid password (2012-08-15 14:39:22)'
>> >> >> hostname: 'arrakis'
>> >> >> program_name: '(null)'
>> >> >> log: 'SSG350M: NetScreen device_id=Juniper111
>> >> >> [Root]system-warning-00518: ADM: Local admin authentication failed for
>> >> >> login name userid: invalid password (2012-08-15 14:39:22)'
>> >> >>
>> >> >> **Phase 2: Completed decoding.
>> >> >> No decoder matched.
>> >> >>
>> >> >> **Phase 3: Completed filtering (rules).
>> >> >> Rule id: '2501'
>> >> >> Level: '5'
>> >> >> Description: 'User authentication failure.'
>> >> >> **Alert to be generated.
>> >> >>
>> >> >>
>> >> >> >
>> >> >> > I couldn't find what I am missing. Any help would be greatly
>> >> >> > appreciated.
>> >> >> >
>> >> >> > Regards,
>> >> >> >
>> >> >> > Ozgur
>> >> >> >
>> >> >> > The information in this e-mail and/or all files transmitted with the
>> >> >> > message are intended only for the use of the authorized person to whom the
>> >> >> > sender meant to deliver them and may be confidential. If this e-mail has
>> >> >> > reached you by mistake, do not use its contents in any way. In that case
>> >> >> > please delete the e-mail from your mailbox and notify the sender.
>> >> >> >
>> >> >> > The information in this message and/or attachments is intended solely
>> >> >> > for the attention and use of the named addressee and may be confidential.
>> >> >> > If you are not the intended recipient, you are hereby notified that you
>> >> >> > have received this transmittal in error and that any use of it is strictly
>> >> >> > prohibited. In such a case please delete this message and kindly notify
>> >> >> > the sender accordingly.
>> >
>> > --
>> >
>> > ---
>> > You received this message because you are subscribed to the Google
>> > Groups "ossec-list" group.
>> > To unsubscribe from this group and stop receiving emails from it, send
>> > an email to [email protected].
>> > For more options, visit https://groups.google.com/d/optout.
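The whole thread turns on what ossec-logtest's phase 1 leaves in the `log` field before any decoder runs: when a syslog header ("Aug 15 10:30:14 136.10.247.130 SSG350M: ...") is present, `SSG350M` is consumed as `program_name` and the decoder sees a log beginning with `NetScreen device_id=`; when the header is missing, `SSG350M:` stays at the front of the log and the netscreen prematch never fires. The following is an added example, not code from the thread or from OSSEC itself: a deliberately simplified model of that pre-decode/decode split. The header regex, the `predecode`/`decode`/`logtest` functions and the reduction of the `netscreenfw` decoder to a single prematch plus the `action`/`id` fields are all assumptions made for illustration; the two sample lines are constructed from the shapes quoted above.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Added example (not from the thread, not OSSEC's code): a simplified model of
# what ossec-logtest reports in "Phase 1" (pre-decoding) and "Phase 2" (decoding).
# Assumptions: only the BSD-syslog header shape seen in the thread is handled
# ("Mon DD HH:MM:SS host prog: message"), and the 'netscreenfw' decoder is
# reduced to its prematch on "NetScreen device_id=" plus the action/id fields.

SYSLOG_HEADER = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "   # "Aug 15 10:30:14"
    r"(?P<host>\S+) "                                   # relaying host / IP
    r"(?:(?P<prog>[^\s:\[]+)(?:\[\d+\])?: )?"           # optional "prog[pid]: "
    r"(?P<log>.*)$",
    re.S,
)

NETSCREEN_PREMATCH = re.compile(r"^NetScreen device_id=")
NETSCREEN_FIELDS = re.compile(r"\[\w+\]system-(?P<action>\w+)-(?P<id>\d+):")


@dataclass
class PreDecoded:
    full_event: str
    hostname: str
    program_name: Optional[str]   # None mirrors logtest's '(null)'
    log: str


def predecode(line: str, local_hostname: str = "ossec-server") -> PreDecoded:
    """Phase 1: split a syslog header off the line, if one is present."""
    m = SYSLOG_HEADER.match(line)
    if m:
        return PreDecoded(line, m.group("host"), m.group("prog"), m.group("log"))
    # No header: the whole line is the log and OSSEC attributes it to itself.
    return PreDecoded(line, local_hostname, None, line)


def decode(pre: PreDecoded) -> dict:
    """Phase 2: the decoder only ever sees the 'log' part left by phase 1."""
    if not NETSCREEN_PREMATCH.match(pre.log):
        return {"decoder": None}          # logtest prints "No decoder matched."
    out = {"decoder": "netscreenfw"}
    f = NETSCREEN_FIELDS.search(pre.log)
    if f:
        out["action"] = f.group("action")
        out["id"] = f.group("id")
    return out


def logtest(line: str) -> dict:
    """Return the phase 1 and phase 2 fields for one log line."""
    pre = predecode(line)
    result = {
        "hostname": pre.hostname,
        "program_name": pre.program_name,
        "log": pre.log,
    }
    result.update(decode(pre))
    return result


# Constructed samples, built from the two shapes quoted in the thread.
WITH_TIMESTAMP = (
    'Aug 15 10:30:14 136.10.247.130 SSG350M: NetScreen device_id=Juniper111 '
    '[Root]system-warning-00518: Admin user "userid" login attempt for Web(http) '
    'management (port 20480) from 1.1.1.1:22560 failed. (2012-08-15 11:33:36)'
)
WITHOUT_TIMESTAMP = (
    'SSG350M: NetScreen device_id=Juniper111 [Root]system-warning-00518: ADM: '
    'Local admin authentication failed for login name userid: invalid password '
    '(2012-08-15 14:39:22)'
)

if __name__ == "__main__":
    for sample in (WITH_TIMESTAMP, WITHOUT_TIMESTAMP):
        r = logtest(sample)
        print(f"program_name={r['program_name']!r} decoder={r['decoder']!r}")
        print(f"  log starts with: {r['log'][:30]!r}")
```

Running it reproduces the two outcomes in the thread: the timestamped line yields `program_name='SSG350M'` and `decoder='netscreenfw'` with `action='warning'`, `id='00518'`, while the line that arrived without a header yields `program_name=None` and no decoder, because the log the decoder inspects still starts with `SSG350M:`. Note that the 2014 sample at the top of the thread is different again: its phase 1 output already shows a log beginning with `NetScreen device_id=`, so under this model it would decode, which is why dan's follow-up asks about the OSSEC version rather than the shape of the log line.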
