Here's the entire thing...

local_rules.xml -  adjust rule ids accordingly...

<group name="syslog,cisco-cx,">

  <!-- Parent rule: anything the cisco-cx decoder handled. Level 0, so it
       never alerts on its own and only exists for child rules to hang off. -->
  <rule id="100198" level="0">
    <decoded_as>cisco-cx</decoded_as>
    <description>Cisco CX Flows.</description>
  </rule>

  <!-- Denied flow. Match the Event_Type_Action field rather than the bare
       word "Deny": the key name Policy_Deny_Reason_Name also contains it, so
       a bare <match>Deny</match> fires on any line that carries that key. -->
  <rule id="100199" level="10">
    <if_sid>100198</if_sid>
    <match>Event_Type_Action="Deny"</match>
    <description>Cisco CX flow denied.</description>
  </rule>

</group>

local_decoder.xml -----

<!-- Parent: the RFC 5424 style header, e.g.
     "1 2015-01-22T23:16:02.783Z 1.2.3.23 CiscoNGFW 2827 5 [ngfwEvent@9 ..."
     The prematch stops just before the message id ("5" here) so that the
     child decoders can dispatch on it with offset="after_parent". -->
<decoder name="cisco-cx">
  <prematch>^\d\s\d\d\d\d-\d\d-\d\d\w\d\d:\d\d:\d\d.\d\d\dZ\s\d+.\d+.\d+.\d+\sCiscoNGFW\s\d\d\d\d\s</prematch>
</decoder>

<!-- Message ids 1-5: flow setup / complete / teardown. Every alternative is
     anchored with ^ and terminated with \s, otherwise ^1 also matches id 10,
     which belongs to cisco-cxalert2 below. -->
<decoder name="cisco-cxalert">
  <parent>cisco-cx</parent>
  <prematch offset="after_parent">^1\s|^2\s|^3\s|^4\s|^5\s</prematch>
  <regex offset="after_parent">\.+Flow_DstIp=\p(\d+.\d+.\d+.\d+)\p\.+Flow_SrcIp="(\d+.\d+.\d+.\d+)"\.+Url_Category_Name="(\w+\s*\w*\s*\w*\s*\w*)"\.+Url="(\.+)"\.*</regex>
  <!-- four capture groups, so four fields in order -->
  <order>dstip,srcip,extra_data,url</order>
</decoder>

<!-- Message ids 6-10: 6 is a denied transaction in the samples seen so far. -->
<decoder name="cisco-cxalert2">
  <parent>cisco-cx</parent>
  <prematch offset="after_parent">^6\s|^7\s|^8\s|^9\s|^10\s</prematch>
  <regex offset="after_parent">^\.+Web_Reputation_Threat_Type="(\w+\s*\w*\s*\w*\s*\w*)"\.*Event_Type_Name="(\w+\s*\w*\s*\w*\s*\w*)"\sUser_Realm="(\w+\p*\w*\p*\w*\p*\w*)"\.+Event_Type_Action="\w+"\.*Policy_Deny_Reason_Name="(\w+\s*\w*)"\.*</regex>
  <order>status,action,user,extra_data</order>
</decoder>

It still needs some tweaking... if anyone out there (*listens for crickets*) has a Cisco CX product and wants to test its syslog abilities.....


On Tuesday, January 27, 2015 at 4:18:38 PM UTC-8, Brent Morris wrote:

> Hi...
>
> I am curious if anyone is using a Cisco NGFW with Cisco PRSM?  I'd 
> love to get a little input on these and perhaps see what logs look like 
> from other Cisco NGFW devices with PRSM.
>
> And if you are using this firewall, would you help in testing the syslog 
> feature of PRSM to OSSEC?
>
> Here are the decodes to add to your local_decoder.xml - it's not complete 
> yet...
>
>   <decoder name="cisco-cx">
>     
> <prematch>^\d\s\d\d\d\d-\d\d-\d\d\w\d\d:\d\d:\d\d.\d\d\dZ\s\d+.\d+.\d+.\d+\sCiscoNGFW\s\d\d\d\d\s</prematch>
>   </decoder>
>
>
>   <decoder name="cisco-cxalert">
>    <parent>cisco-cx</parent>
>    <prematch offset="after_parent">^1|2|3|4</prematch>
>    <regex 
> offset="after_parent">\.+Flow_DstIp=\p(\d+.\d+.\d+.\d+)\p\.+Flow_SrcIp="(\d+.\d+.\d+.\d+)"\.+Url_Category_Name="(\w+\s*\w*\s*\w*\s*\w*)"
>  
> \.+Url="(\.+)"\.*</regex>
>    <order>dstip,srcip,extra_data,url,action</order>
>   </decoder>
>
>
> The second sample below throws a Rule: 1002 fired (level 2) -> "Unknown 
> problem somewhere in the system." - Bad words are all over that one... I am 
> not sure how to work around it right now and there are too many 
> interruptions to wrap my head around it.
>
> Cisco won't give me their secret formula for the logs, so I'm forced to 
> try to figure it out on my own.  Near as I can tell... the number X 
> in "CiscoNGFW 2827 X" is significant as to what type of log it is.  You can 
> see where I've tried to prematch that number....   6 seems to be denied 
> transactions... while 1-5 are setup, complete, and teardown flows.
>
> sample logs:
>
> 1 2015-01-22T23:16:02.783Z 1.2.3.23 CiscoNGFW 2827 5 [ngfwEvent@9 
> Http_Response_Status="200" Flow_Dst_Service="tcp/80" Flow_Bytes_Sent="317" 
> Flow_Bytes_Received="36718" Event_Type="0" Count="1" 
> Flow_DstIp="184.25.57.9" Flow_SrcIp="1.1.1.47" Url_Category_Name="Software 
> Updates" Flow_Bytes="37035" Web_Reputation_Threat_Type="" Avc_Tag_Name="" 
> Ev_SrcLabel="CX-CX" Response_Magic_Type="application/x-ms-cab" 
> Event_Type_Name="HTTP Complete" User_Realm="1.1.1.47" Policy_Name="Implicit 
> Allow" Flow_Transaction_Id="3" Url="
> http://download.windowsupdate.com/d/msdownload/update/software/updt/2013/12/windows6.1-kb2891804-x64-express_9d70ffa853afa5f559c42d552c7626a47cb3e3da.cab";
>  
> Identity_Source_Name="None" Auth_Policy_Name="Default" Flow_SrcIfc="inside" 
> Flow_ConnId="27397591" Flow_DstHostName="download.windowsupdate.com" 
> Flow_Transaction_Count="1" Ev_Id="43239" Web_Reputation_Score="9.2" 
> Event_Type_Action="Info" Ev_GenTime="1421968494449" Flow_DstPort="80" 
> Flow_DstIfc="outside" Ev_SrcId="2147484710" Avc_App_Na
>
>
> 1 2015-01-26T16:51:13.515Z 1.2.3.23 CiscoNGFW 2827 6 [ngfwEvent@9 
> Flow_Dst_Service="tcp/80" Flow_Bytes_Sent="388" Event_Type="0" 
> Flow_DstIp="199.27.79.129" Flow_SrcIp="1.1.1.32" Count="1" 
> Url_Category_Name="Business and Industry" Flow_Bytes="388" 
> Web_Reputation_Threat_Type="Adware" Avc_Tag_Name="" Ev_SrcLabel="CX-CX" 
> Event_Type_Name="HTTP Deny" User_Realm="1.1.1.32" Policy_Name="Implicit 
> Allow" Flow_Transaction_Id="0" Url="
> http://s.skimresources.com/js/23176X817180.skimlinks.js"; 
> Identity_Source_Name="None" Auth_Policy_Name="Default" Flow_SrcIfc="inside" 
> Flow_ConnId="27947284" Flow_DstHostName="s.skimresources.com" 
> Flow_Transaction_Count="1" Ev_Id="679530" Web_Reputation_Score="-9.1" 
> Event_Type_Action="Deny" Ev_GenTime="1422291064092" Flow_DstPort="80" 
> Policy_Deny_Reason_Name="Web Reputation" Flow_DstIfc="outside" 
> Ev_SrcId="2147484710" Avc_App_Name="HyperText Transfer Protocol" 
> Ev_SrcHwType="ASA-CX" Flow_SrcPort="44750" Smx_Config_Version="56" 
> Flow_Requests_Denied="1" Avc_App_Type="Infrastructure
>
>
> Thanks!  Let me know if anyone has any interest.
>
>
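Added example (editor's, not Brent's code and not part of OSSEC): the same field extraction and "flow denied" test done in Python, so the CX format can be exercised without a CX box or an OSSEC install. The two sample lines are constructed after the id-5 and id-6 samples above, with a reduced field set, example.com hosts, and an assumed Policy_Deny_Reason_Name="" on the allowed flow; the 1-5 / 6-10 split of message ids follows the guess in the thread, not any Cisco documentation.

```python
"""Offline check of the Cisco CX (PRSM) syslog format from the thread.

Added example, not code from the thread or from OSSEC.  It mirrors what the
cisco-cx decoders and rules 100198/100199 are meant to do.  Sample lines are
constructed (reduced field set, example.com hosts); that allowed flows carry
Policy_Deny_Reason_Name="" is an assumption, not something the thread shows.
"""
import re

# RFC 5424 style header the cisco-cx parent decoder prematches:
#   VERSION TIMESTAMP HOST APP PROCID MSGID [SD-ID key="value" ...
HEADER_RE = re.compile(
    r'^(?P<version>\d)\s'
    r'(?P<timestamp>\d{4}-\d\d-\d\dT\d\d:\d\d:\d\d\.\d{3}Z)\s'
    r'(?P<host>\d+\.\d+\.\d+\.\d+)\s'
    r'(?P<app>CiscoNGFW)\s'
    r'(?P<procid>\d+)\s'
    r'(?P<msgid>\d+)\s'
    r'\[(?P<sdid>[^\s\]]+)\s'
    r'(?P<body>.*)$'
)
# One key="value" pair. Values may be empty or contain spaces, '=', '/' and
# '?' (see the Url field), so the body is not split on whitespace or '='.
PAIR_RE = re.compile(r'(\w+)="([^"]*)"')

RULE_PARENT, RULE_DENY = 100198, 100199

SAMPLE_ALLOW = (  # constructed, after the id-5 "HTTP Complete" sample
    '1 2015-01-22T23:16:02.783Z 1.2.3.23 CiscoNGFW 2827 5 [ngfwEvent@9 '
    'Http_Response_Status="200" Flow_Dst_Service="tcp/80" '
    'Flow_DstIp="184.25.57.9" Flow_SrcIp="1.1.1.47" '
    'Url_Category_Name="Software Updates" Web_Reputation_Threat_Type="" '
    'Event_Type_Name="HTTP Complete" User_Realm="1.1.1.47" '
    'Url="http://updates.example.com/x64/kb2891804.cab?lang=en" '
    'Event_Type_Action="Info" Policy_Deny_Reason_Name=""'
)
SAMPLE_DENY = (  # constructed, after the id-6 "HTTP Deny" sample
    '1 2015-01-26T16:51:13.515Z 1.2.3.23 CiscoNGFW 2827 6 [ngfwEvent@9 '
    'Flow_Dst_Service="tcp/80" Flow_DstIp="199.27.79.129" '
    'Flow_SrcIp="1.1.1.32" Url_Category_Name="Business and Industry" '
    'Web_Reputation_Threat_Type="Adware" Event_Type_Name="HTTP Deny" '
    'User_Realm="1.1.1.32" Url="http://s.example.com/js/23176X817180.js" '
    'Web_Reputation_Score="-9.1" Event_Type_Action="Deny" '
    'Policy_Deny_Reason_Name="Web Reputation" Flow_Requests_Denied="1"'
)
SAMPLE_OTHER = 'Jan 27 16:18:38 fw sshd[2827]: Accepted publickey for brent'


def parse_cx_event(line):
    """Header fields plus a 'fields' dict of the key="value" pairs, or None
    when the line is not a CiscoNGFW event (the parent prematch fails)."""
    m = HEADER_RE.match(line)
    if not m:
        return None
    event = m.groupdict()
    event['msgid'] = int(event['msgid'])
    event['fields'] = dict(PAIR_RE.findall(event.pop('body')))
    return event


def decoder_for(msgid):
    """Which child decoder a message id is routed to (1-5 vs 6-10)."""
    if 1 <= msgid <= 5:
        return 'cisco-cxalert'
    if 6 <= msgid <= 10:
        return 'cisco-cxalert2'
    return None


def rule_for(event):
    """Mirror rules 100198/100199: (rule id, level) for a decoded event."""
    if event is None:
        return None
    if event['fields'].get('Event_Type_Action') == 'Deny':
        return (RULE_DENY, 10)
    return (RULE_PARENT, 0)


def naive_match_deny(line):
    """What a bare <match>Deny</match> does: a substring test on the whole
    line. True for the allowed sample too, via the Policy_Deny_Reason_Name key."""
    return 'Deny' in line


def alerts_for(lines):
    """(msgid, rule id, level, srcip, dstip) for each line reaching level > 0."""
    out = []
    for line in lines:
        ev = parse_cx_event(line)
        rule = rule_for(ev)
        if rule and rule[1] > 0:
            f = ev['fields']
            out.append((ev['msgid'], rule[0], rule[1],
                        f.get('Flow_SrcIp'), f.get('Flow_DstIp')))
    return out


if __name__ == '__main__':
    for line in (SAMPLE_ALLOW, SAMPLE_DENY, SAMPLE_OTHER):
        ev = parse_cx_event(line)
        print(ev and (ev['msgid'], decoder_for(ev['msgid']), rule_for(ev)),
              'naive Deny match:', naive_match_deny(line))
    print(alerts_for([SAMPLE_ALLOW, SAMPLE_DENY, SAMPLE_OTHER]))
```

Run it with python3. With an OSSEC install the equivalent check is to paste the same two lines into /var/ossec/bin/ossec-logtest and confirm that rule 100199 fires only for the id-6 line.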

-- 
You received this message because you are subscribed to the Google Groups "ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
For more options, visit https://groups.google.com/d/optout.