Well ... I think it worked. I stumbled my way through Git but managed to
push my changes back to the project.

I chose some rule id numbers close to the Cisco VPN concentrator - it 
looked like there was a gap in numbers in that rule section to the next.

I can also submit the decodes for the on-prem Microsoft Azure 2FA if that 
would help (I posted earlier on this).

Thanks for your help!

On Tuesday, February 3, 2015 at 7:54:48 AM UTC-8, dan (ddpbsd) wrote:
>
> On Tue, Feb 3, 2015 at 8:44 AM, Brent Morris <[email protected]> wrote:
> > Greetings all.
> >
> > Would it be better to submit a pull request on github to get these
> > included in the next release of OSSEC?  I'm not github aware... never
> > used it other than to download stuff.
> >
>
> Submitting a pull request is the best way to get these included. I can 
> do it if you really need me to. 
> The basic process is: 
> create an account/login to your account 
> Fork the ossec-hids project 
> Clone your repo on your local system 
> Apply your changes 
> `git add` changed files 
> `git commit` and add a useful commit message 
> `git push` your changes to your repository 
> Go to https://github.com/ossec/ossec-hids and click the new link at 
> the top asking if you want to compare changes/submit a pull request. 
>
> > Here are my final decodes for ASA CX - These are coming off a Cisco
> > ASA-5515X with PRSM "on-box".  The advantage to sending these to a syslog
> > server is that you can keep the logs from the "on-box" PRSM as long as you
> > like.  "On-Box" PRSM only allows 30 days of rolling logs, and the reporting
> > feature leaves much to be desired.  Off-box PRSM is a separate license/cost
> > item, and does a little more but still leaves much to be desired in
> > reporting.  It also supports Syslog.  Downside to syslog is that the
> > messages sometimes hit the limit of syslog size and are truncated.  I've
> > accommodated for this by picking out the interesting bits usually included
> > toward the beginning of the message.  The URL= portion of the log can
> > sometimes be extremely long in today's world.  After speaking to Cisco TAC -
> > they said 1024 bytes was the max they could send - referencing
> > http://tools.ietf.org/html/rfc3164#section-4 - So without further ado....
> >
> > local_rules.xml
> >
> > <group name="syslog,cisco-cx,">
> >   <rule id="100210" level="0">
> >     <decoded_as>cisco-cx</decoded_as>
> >     <description>Cisco CX Flows.</description>
> >   </rule>
> >
> >   <rule id="100211" level="10">
> >     <if_sid>100210</if_sid>
> >     <match>Deny</match>
> >     <description>Flow Denied</description>
> >   </rule>
> > </group>
> >
> > local_decoder.xml
> >
> > <decoder name="cisco-cx">
> >   <prematch>^\d\s\d\d\d\d-\d\d-\d\d\w\d\d:\d\d:\d\d.\d\d\dZ\s\d+.\d+.\d+.\d+\sCiscoNGFW\s\d\d\d\d\s</prematch>
> > </decoder>
> >
> > <decoder name="cisco-cxalert">
> >   <parent>cisco-cx</parent>
> >   <prematch offset="after_parent">^1|^2|^3|^4|^5</prematch>
> >   <regex offset="after_parent">\.+Flow_DstIp=\p(\d+.\d+.\d+.\d+)\p\.+Flow_SrcIp="(\d+.\d+.\d+.\d+)"\.+Url_Category_Name="(\w+\s*\w*\s*\w*\s*\w*)" \.+Url="(\.+)"\.*</regex>
> >   <order>dstip,srcip,extra_data,url,action</order>
> > </decoder>
> >
> > <decoder name="cisco-cxalert2">
> >   <parent>cisco-cx</parent>
> >   <prematch offset="after_parent">^6|^7|^8|^9|^10</prematch>
> >   <regex offset="after_parent">^\.+Web_Reputation_Threat_Type="(\w+\s*\w*\s*\w*\s*\w*)"\.*Event_Type_Name="(\w+\s*\w*\s*\w*\s*\w*)" User_Realm="(\w+\p*\w*\p*\w*\p*\w*)"\.+Url="(\.+)"\.*</regex>
> >   <order>status,action,user,url</order>
> > </decoder>
> >
> > Sample Logs.
> >
> > Flow Denied
> >
> > 1 2015-02-02T23:09:03.733Z 1.1.1.23 CiscoNGFW 2827 6 [ngfwEvent@9 Flow_Dst_Service="tcp/80" Flow_Bytes_Sent="396" Event_Type="0" Flow_DstIp="162.255.119.254" Flow_SrcIp="1.2.3.32" Count="1" Url_Category_Name="Uncategorized" Flow_Bytes="396" Web_Reputation_Threat_Type="Related to Phishing" Avc_Tag_Name="" Ev_SrcLabel="CX-CX" Event_Type_Name="HTTP Deny" User_Realm="1.2.3.32" Policy_Name="Implicit Allow" Flow_Transaction_Id="0" Url="http://image2.seethenewscan-updates.us/"; Identity_Source_Name="None" Auth_Policy_Name="Default" Flow_SrcIfc="inside" Flow_ConnId="29106287" Flow_DstHostName="image2.seethenewscan-updates.us" Flow_Transaction_Count="1" Ev_Id="2281992" Web_Reputation_Score="-8.4" Event_Type_Action="Deny" Ev_GenTime="1422918630588" Flow_DstPort="80" Policy_Deny_Reason_Name="Web Reputation" Flow_DstIfc="outside" Ev_SrcId="2147484710" Avc_App_Name="HyperText Transfer Protocol" Ev_SrcHwType="ASA-CX" Flow_SrcPort="2260" Smx_Config_Version="56" Flow_Requests_Denied="1" Avc_App_Type="Infrastruct
> >
> > Normal Flow
> >
> > 1 2015-01-28T22:26:34.371Z 1.1.1.23 CiscoNGFW 2827 5 [ngfwEvent@9 Http_Response_Status="200" Flow_Dst_Service="tcp/80" Flow_Bytes_Sent="519" Flow_Bytes_Received="352" Event_Type="0" Count="1" Flow_DstIp="54.241.20.38" Flow_SrcIp="1.2.3.32" Url_Category_Name="Business and Industry" Flow_Bytes="871" Web_Reputation_Threat_Type="" Avc_Tag_Name="" Ev_SrcLabel="CX-CX" Response_Magic_Type="image/gif" Event_Type_Name="HTTP Complete" User_Realm="1.2.3.32" Policy_Name="Implicit Allow" Flow_Transaction_Id="4" Url="http://nexus.ensighten.com/error/e.gif?msg=Unable%20to%20get%20property%20'onmousedown'%20of%20undefined%20or%20null%20reference&lnn=-1&fn=&cid=1017&client=MSFTsupport&publishPath=prod&rid=602489&did=255875&errorName=TypeError" Identity_Source_Name="None" Auth_Policy_Name="Default" Flow_SrcIfc="inside" Flow_ConnId="28362166" Flow_DstHostName="nexus.ensighten.com" Flow_Transaction_Count="1" Ev_Id="1276022" Web_Reputation_Score="0.5" Event_Type_Action="Info" Ev_GenTime="1422484014848" Flow_DstPort=
> > 
> > --
> >
> > ---
> > You received this message because you are subscribed to the Google
> > Groups "ossec-list" group.
> > To unsubscribe from this group and stop receiving emails from it, send
> > an email to [email protected].
> > For more options, visit https://groups.google.com/d/optout.
>

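A dry run of the posted decoders and rule against the sample logs, as an added example that is not part of this thread and is not OSSEC's decoder engine: it translates the OSSEC regex dialect (`\d`, `\w`, `\s`, `\p`, `\.` plus `+`, `*`, `^` and `|`) into Python `re`, applies the `cisco-cx` prematch, picks the child decoder by its prematch in the order the decoders are listed, maps the capture groups onto the `<order>` names, and applies rule 100211's `<match>Deny</match>` as the plain substring test it is. The two log lines are constructed from the thread's samples and shortened (the denied one keeps the truncated tail). Assumptions: `\.+` and `\.*` are rendered non-greedy so each capture stops at the next literal in the pattern, the space between the wrapped regex fragments is taken as a literal space, and `ossec_to_python`, `decode`, `select_child` and `rule_level` are names of this example only.

```python
"""Dry run of the thread's cisco-cx decoders and rule 100211 (added example, not
OSSEC's engine): translate the OSSEC regex dialect to Python re, decode samples."""
import re

OSSEC_CLASSES = {                                # OSSEC classes as Python classes
    "d": r"\d",
    "w": r"[A-Za-z0-9@_\-]",                     # \w: alnum plus '@', '_', '-'
    "s": " ",                                    # \s: a single space
    "p": r"""[()*+,\-.:;<=>?\[\]!"'#$%&|{}]""",  # \p: OSSEC's punctuation set
}

def ossec_to_python(pattern):
    """OSSEC pattern -> Python re. Assumption: \\.+ and \\.* ("anything") are made
    non-greedy so a capture stops at the next literal, e.g. the quote after a URL.
    A bare '.' is a literal period in OSSEC, so it is escaped."""
    out, i = [], 0
    while i < len(pattern):
        ch = pattern[i]
        if ch == "\\" and i + 1 < len(pattern):
            nxt = pattern[i + 1]
            i += 2
            if nxt == ".":
                quant = ""
                if i < len(pattern) and pattern[i] in "+*":
                    quant = pattern[i] + "?"
                    i += 1
                out.append("." + quant)
            else:
                out.append(OSSEC_CLASSES.get(nxt, re.escape(nxt)))
            continue
        out.append(ch if ch in "()+*^$|" else re.escape(ch))
        i += 1
    return "".join(out)

PARENT_PREMATCH = ossec_to_python(
    r"^\d\s\d\d\d\d-\d\d-\d\d\w\d\d:\d\d:\d\d.\d\d\dZ\s\d+.\d+.\d+.\d+\sCiscoNGFW\s\d\d\d\d\s")

# (name, prematch, regex, order) in the order the posted local_decoder.xml lists them.
CHILDREN = [
    ("cisco-cxalert", ossec_to_python(r"^1|^2|^3|^4|^5"), ossec_to_python(
        r'\.+Flow_DstIp=\p(\d+.\d+.\d+.\d+)\p\.+Flow_SrcIp="(\d+.\d+.\d+.\d+)"'
        r'\.+Url_Category_Name="(\w+\s*\w*\s*\w*\s*\w*)" \.+Url="(\.+)"\.*'),
     ["dstip", "srcip", "extra_data", "url", "action"]),
    ("cisco-cxalert2", ossec_to_python(r"^6|^7|^8|^9|^10"), ossec_to_python(
        r'^\.+Web_Reputation_Threat_Type="(\w+\s*\w*\s*\w*\s*\w*)"\.*'
        r'Event_Type_Name="(\w+\s*\w*\s*\w*\s*\w*)" User_Realm="(\w+\p*\w*\p*\w*\p*\w*)"'
        r'\.+Url="(\.+)"\.*'),
     ["status", "action", "user", "url"]),
]

def select_child(rest):
    """Name of the first child whose prematch fits the text after the parent prematch."""
    for name, prematch, _, _ in CHILDREN:
        if re.search(prematch, rest):
            return name
    return None

def decode(message):
    """Parent prematch, then the selected child's regex. None if not a cisco-cx line."""
    m = re.search(PARENT_PREMATCH, message)
    if not m:
        return None
    rest = message[m.end():]                     # offset="after_parent"
    for name, prematch, regex, order in CHILDREN:
        if re.search(prematch, rest):
            g = re.search(regex, rest)
            fields = dict(zip(order, g.groups())) if g else {}
            return {"decoder": name, **fields}
    return {"decoder": "cisco-cx"}

def rule_level(message):
    """Rule 100211: <match>Deny</match> is a substring test on the whole log line.
    -1 means the line is not cisco-cx, so rules 100210/100211 never see it."""
    if decode(message) is None:
        return -1
    return 10 if "Deny" in message else 0

# Constructed from the thread's samples and shortened; DENIED keeps the truncated
# tail that the 1024-byte syslog limit produces.
DENIED = ('1 2015-02-02T23:09:03.733Z 1.1.1.23 CiscoNGFW 2827 6 [ngfwEvent@9 '
          'Flow_DstIp="162.255.119.254" Flow_SrcIp="1.2.3.32" Url_Category_Name="Uncategorized" '
          'Web_Reputation_Threat_Type="Related to Phishing" Avc_Tag_Name="" '
          'Event_Type_Name="HTTP Deny" User_Realm="1.2.3.32" Url="http://image2.seethenewscan-updates.us/" '
          'Event_Type_Action="Deny" Policy_Deny_Reason_Name="Web Reputation" Avc_App_Type="Infrastruct')
NORMAL = ('1 2015-01-28T22:26:34.371Z 1.1.1.23 CiscoNGFW 2827 5 [ngfwEvent@9 '
          'Http_Response_Status="200" Count="1" Flow_DstIp="54.241.20.38" Flow_SrcIp="1.2.3.32" '
          'Url_Category_Name="Business and Industry" Web_Reputation_Threat_Type="" '
          'Event_Type_Name="HTTP Complete" User_Realm="1.2.3.32" '
          'Url="http://nexus.ensighten.com/error/e.gif?msg=Unable%20to%20get&lnn=-1" Flow_ConnId="28362166"')

if __name__ == "__main__":
    for line in (DENIED, NORMAL):
        print(decode(line), "-> rule level", rule_level(line))
    print("severity 10 is taken by:", select_child("10 [ngfwEvent@9 x"))  # constructed
```

Two things the dry run makes visible. A message whose severity field is 10 begins with the character `1`, so the `^1` alternative of `cisco-cxalert`'s prematch also matches it; with the children tried in listed order, as here, `cisco-cxalert2`'s `^10` alternative is never reached. And because `<match>` is a substring test on the whole line, field names count too: the denied sample carries `Policy_Deny_Reason_Name`, which contains `Deny` regardless of the flow's verdict, so it is worth checking a full-length allowed flow for that field before relying on rule 100211 for alerting.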