Hi...

I am curious if anyone is using a Cisco NGFW with Cisco PRSM?  I'd love 
to get a little input on these and perhaps see what logs look like from 
other Cisco NGFW devices with PRSM.

And if you are using this firewall, would you help in testing the syslog 
feature of PRSM to OSSEC?

Here are the decoders to add to your local_decoder.xml - it's not complete 
yet...

  <decoder name="cisco-cx">
    <prematch>^\d\s\d\d\d\d-\d\d-\d\d\w\d\d:\d\d:\d\d.\d\d\dZ\s\d+.\d+.\d+.\d+\sCiscoNGFW\s\d\d\d\d\s</prematch>
  </decoder>

  <decoder name="cisco-cxalert">
    <parent>cisco-cx</parent>
    <!-- after the parent prematch the text starts with the event-type number;
         each OR branch must be anchored, otherwise "2" matches anywhere -->
    <prematch offset="after_parent">^1\s|^2\s|^3\s|^4\s</prematch>
    <!-- five capture groups, one per <order> field; the last one picks up
         Event_Type_Action so "action" is actually populated -->
    <regex offset="after_parent">\.+Flow_DstIp="(\d+.\d+.\d+.\d+)"\.+Flow_SrcIp="(\d+.\d+.\d+.\d+)"\.+Url_Category_Name="(\w+\s*\w*\s*\w*\s*\w*)"\.+Url="(\.+)"\.+Event_Type_Action="(\w+)"\.*</regex>
    <order>dstip,srcip,extra_data,url,action</order>
  </decoder>


The second sample below throws a Rule: 1002 fired (level 2) -> "Unknown 
problem somewhere in the system." - Bad words are all over that one... I am 
not sure how to work around it right now and there are too many 
interruptions to wrap my head around it.

Cisco won't give me their secret formula for the logs, so I'm forced to try 
to figure it out on my own.  Near as I can tell... the number X 
in "CiscoNGFW 2827 X" is significant as to what type of log it is.  You can 
see where I've tried to prematch that number... 6 seems to be denied 
transactions, while 1-5 are setup, complete, and teardown flows.

Sample logs:

1 2015-01-22T23:16:02.783Z 1.2.3.23 CiscoNGFW 2827 5 [ngfwEvent@9 
Http_Response_Status="200" Flow_Dst_Service="tcp/80" Flow_Bytes_Sent="317" 
Flow_Bytes_Received="36718" Event_Type="0" Count="1" 
Flow_DstIp="184.25.57.9" Flow_SrcIp="1.1.1.47" Url_Category_Name="Software 
Updates" Flow_Bytes="37035" Web_Reputation_Threat_Type="" Avc_Tag_Name="" 
Ev_SrcLabel="CX-CX" Response_Magic_Type="application/x-ms-cab" 
Event_Type_Name="HTTP Complete" User_Realm="1.1.1.47" Policy_Name="Implicit 
Allow" Flow_Transaction_Id="3" Url="
http://download.windowsupdate.com/d/msdownload/update/software/updt/2013/12/windows6.1-kb2891804-x64-express_9d70ffa853afa5f559c42d552c7626a47cb3e3da.cab";
 
Identity_Source_Name="None" Auth_Policy_Name="Default" Flow_SrcIfc="inside" 
Flow_ConnId="27397591" Flow_DstHostName="download.windowsupdate.com" 
Flow_Transaction_Count="1" Ev_Id="43239" Web_Reputation_Score="9.2" 
Event_Type_Action="Info" Ev_GenTime="1421968494449" Flow_DstPort="80" 
Flow_DstIfc="outside" Ev_SrcId="2147484710" Avc_App_Na


1 2015-01-26T16:51:13.515Z 1.2.3.23 CiscoNGFW 2827 6 [ngfwEvent@9 
Flow_Dst_Service="tcp/80" Flow_Bytes_Sent="388" Event_Type="0" 
Flow_DstIp="199.27.79.129" Flow_SrcIp="1.1.1.32" Count="1" 
Url_Category_Name="Business and Industry" Flow_Bytes="388" 
Web_Reputation_Threat_Type="Adware" Avc_Tag_Name="" Ev_SrcLabel="CX-CX" 
Event_Type_Name="HTTP Deny" User_Realm="1.1.1.32" Policy_Name="Implicit 
Allow" Flow_Transaction_Id="0" Url="
http://s.skimresources.com/js/23176X817180.skimlinks.js"; 
Identity_Source_Name="None" Auth_Policy_Name="Default" Flow_SrcIfc="inside" 
Flow_ConnId="27947284" Flow_DstHostName="s.skimresources.com" 
Flow_Transaction_Count="1" Ev_Id="679530" Web_Reputation_Score="-9.1" 
Event_Type_Action="Deny" Ev_GenTime="1422291064092" Flow_DstPort="80" 
Policy_Deny_Reason_Name="Web Reputation" Flow_DstIfc="outside" 
Ev_SrcId="2147484710" Avc_App_Name="HyperText Transfer Protocol" 
Ev_SrcHwType="ASA-CX" Flow_SrcPort="44750" Smx_Config_Version="56" 
Flow_Requests_Denied="1" Avc_App_Type="Infrastructure


Thanks!  Let me know if anyone has any interest.

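A small parser for the CiscoNGFW/PRSM line format shown in the post, added here as an example; it is not part of the original post and not OSSEC or Cisco code. It splits the syslog header (the "CiscoNGFW 2827 X" part, with X read as the message id) from the ngfwEvent key="value" body and pulls out the same fields the cisco-cxalert decoder orders (dstip, srcip, Url_Category_Name as extra_data, url, action), so the decoder's field expectations can be checked against a line before it goes into local_decoder.xml. The two sample lines are constructed from the posted events, shortened and re-joined onto one line with the email wrapping removed.

```python
import re

# Constructed samples: the two events from the post, shortened (the originals
# are truncated and mail-wrapped) and re-joined onto one line each.
SAMPLE_COMPLETE = (
    '1 2015-01-22T23:16:02.783Z 1.2.3.23 CiscoNGFW 2827 5 [ngfwEvent@9 '
    'Http_Response_Status="200" Flow_DstIp="184.25.57.9" Flow_SrcIp="1.1.1.47" '
    'Url_Category_Name="Software Updates" Web_Reputation_Threat_Type="" '
    'Event_Type_Name="HTTP Complete" Url="http://download.windowsupdate.com/'
    'd/msdownload/update/software/updt/2013/12/windows6.1-kb2891804-x64.cab" '
    'Event_Type_Action="Info" Flow_DstPort="80"')
SAMPLE_DENY = (
    '1 2015-01-26T16:51:13.515Z 1.2.3.23 CiscoNGFW 2827 6 [ngfwEvent@9 '
    'Flow_Dst_Service="tcp/80" Flow_DstIp="199.27.79.129" Flow_SrcIp="1.1.1.32" '
    'Url_Category_Name="Business and Industry" Web_Reputation_Threat_Type="Adware" '
    'Event_Type_Name="HTTP Deny" Url="http://s.skimresources.com/js/'
    '23176X817180.skimlinks.js" Event_Type_Action="Deny" '
    'Policy_Deny_Reason_Name="Web Reputation"')

# Syslog header: version, timestamp, host, app name, procid, msgid, then the
# structured-data element.  The msgid is the "X" the post is trying to prematch.
HEADER = re.compile(
    r'^(?P<ver>\d) (?P<ts>\S+) (?P<host>\S+) CiscoNGFW '
    r'(?P<procid>\d+) (?P<msgid>\d+) \[ngfwEvent@9 (?P<body>.*)$')
# Body fields are key="value" pairs; values may be empty or contain spaces.
FIELD = re.compile(r'(\w+)="([^"]*)"')

# Same field mapping as the cisco-cxalert <order> line in the post.
ORDER = {'dstip': 'Flow_DstIp', 'srcip': 'Flow_SrcIp',
         'extra_data': 'Url_Category_Name', 'url': 'Url',
         'action': 'Event_Type_Action'}


def parse_ngfw(line):
    """Return the decoder's fields plus msgid, or None if not a CiscoNGFW line."""
    m = HEADER.match(line)
    if m is None:
        return None
    fields = dict(FIELD.findall(m.group('body')))
    out = {name: fields.get(key) for name, key in ORDER.items()}
    out['msgid'] = int(m.group('msgid'))
    out['timestamp'] = m.group('ts')
    # Only present on deny events; None for the "HTTP Complete" sample.
    out['deny_reason'] = fields.get('Policy_Deny_Reason_Name')
    return out


if __name__ == '__main__':
    for line in (SAMPLE_COMPLETE, SAMPLE_DENY):
        print(parse_ngfw(line))
```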