Thanks for the tip.  I submitted it as a pull request...

-Brent

On Tuesday, March 10, 2015 at 1:29:51 PM UTC-7, ChristianB wrote:
>
> Here is the commit: 
>
> https://github.com/score1more4me/ossec-hids/commit/ed45c6fc6fe02a9016e1e709f17a1960fcf42c40
>  
>
> It's not a pull request yet. 
>
> Regards 
> Christian 
>
>
> On 10.03.2015 at 21:14, Brent Morris wrote: 
> > Well .... I think it worked.  I stumbled my way through Git but managed 
> > to push my changes back to the project. 
> > 
> > I chose some rule id numbers close to the Cisco VPN concentrator - it 
> > looked like there was a gap in numbers in that rule section to the next. 
> > 
> > I can also submit the decodes for the on-prem Microsoft Azure 2FA if 
> > that would help (I posted earlier on this). 
> > 
> > Thanks for your help! 
> > 
> > On Tuesday, February 3, 2015 at 7:54:48 AM UTC-8, dan (ddpbsd) wrote: 
> > 
> >     On Tue, Feb 3, 2015 at 8:44 AM, Brent Morris <[email protected]> wrote: 
> >     > Greetings all. 
> >     > 
> >     > Would it be better to submit a pull request on GitHub to get these 
> >     > included in the next release of OSSEC?  I'm not GitHub aware... never 
> >     > used it other than to download stuff. 
> >     > 
> > 
> >     Submitting a pull request is the best way to get these included. I 
> >     can do it if you really need me to. 
> >     The basic process is: 
> >     create an account/login to your account 
> >     Fork the ossec-hids project 
> >     Clone your repo on your local system 
> >     Apply your changes 
> >     `git add` changed files 
> >     `git commit` and add a useful commit message 
> >     `git push` your changes to your repository 
> >     Go to https://github.com/ossec/ossec-hids 
> >     <https://github.com/ossec/ossec-hids> and click the new link at 
> >     the top asking if you want to compare changes/submit a pull request. 
> > 
> >     > Here are my final decodes for ASA CX - These are coming off a Cisco 
> >     > ASA-5515X with PRSM "on-box".  The advantage to sending these to a 
> >     > syslog server is that you can keep the logs from the "on-box" PRSM as 
> >     > long as you like.  "On-Box" PRSM only allows 30 days of rolling logs, 
> >     > and the reporting feature leaves much to be desired.  Off-box PRSM is 
> >     > a separate license/cost item, and does a little more but still leaves 
> >     > much to be desired in reporting.  It also supports Syslog.  Downside 
> >     > to syslog is that the messages sometimes hit the limit of syslog size 
> >     > and are truncated.  I've accommodated for this by picking out the 
> >     > interesting bits usually included toward the beginning of the message. 
> >     > The URL= portion of the log can sometimes be extremely long in today's 
> >     > world.  After speaking to Cisco TAC - they said 1024 bytes was the max 
> >     > they could send - referencing http://tools.ietf.org/html/rfc3164#section-4 
> >     > - So without further ado.... 
> >     > 
> >     > local_rules.xml 
> >     > 
> >     > <group name="syslog,cisco-cx,"> 
> >     >   <rule id="100210" level="0"> 
> >     >     <decoded_as>cisco-cx</decoded_as> 
> >     >     <description>Cisco CX Flows.</description> 
> >     >   </rule> 
> >     > 
> >     >   <rule id="100211" level="10"> 
> >     >     <if_sid>100210</if_sid> 
> >     >     <match>Deny</match> 
> >     >     <description>Flow Denied</description> 
> >     >   </rule> 
> >     > </group> 
> >     > 
> >     > local_decoder.xml 
> >     > 
> >     > <decoder name="cisco-cx"> 
> >     >   <prematch>^\d\s\d\d\d\d-\d\d-\d\d\w\d\d:\d\d:\d\d.\d\d\dZ\s\d+.\d+.\d+.\d+\sCiscoNGFW\s\d\d\d\d\s</prematch> 
> >     > </decoder> 
> >     > 
> >     > <decoder name="cisco-cxalert"> 
> >     >   <parent>cisco-cx</parent> 
> >     >   <prematch offset="after_parent">^1|^2|^3|^4|^5</prematch> 
> >     >   <regex offset="after_parent">\.+Flow_DstIp=\p(\d+.\d+.\d+.\d+)\p\.+Flow_SrcIp="(\d+.\d+.\d+.\d+)"\.+Url_Category_Name="(\w+\s*\w*\s*\w*\s*\w*)" \.+Url="(\.+)"\.*</regex> 
> >     >   <order>dstip,srcip,extra_data,url,action</order> 
> >     > </decoder> 
> >     > 
> >     > <decoder name="cisco-cxalert2"> 
> >     >   <parent>cisco-cx</parent> 
> >     >   <prematch offset="after_parent">^6|^7|^8|^9|^10</prematch> 
> >     >   <regex offset="after_parent">^\.+Web_Reputation_Threat_Type="(\w+\s*\w*\s*\w*\s*\w*)"\.*Event_Type_Name="(\w+\s*\w*\s*\w*\s*\w*)" User_Realm="(\w+\p*\w*\p*\w*\p*\w*)"\.+Url="(\.+)"\.*</regex> 
> >     >   <order>status,action,user,url</order> 
> >     > </decoder> 
> >     > 
> >     > Sample Logs. 
> >     > 
> >     > Flow Denied 
> >     > 
> >     > 1 2015-02-02T23:09:03.733Z 1.1.1.23 CiscoNGFW 2827 6 [ngfwEvent@9 Flow_Dst_Service="tcp/80" Flow_Bytes_Sent="396" Event_Type="0" Flow_DstIp="162.255.119.254" Flow_SrcIp="1.2.3.32" Count="1" Url_Category_Name="Uncategorized" Flow_Bytes="396" Web_Reputation_Threat_Type="Related to Phishing" Avc_Tag_Name="" Ev_SrcLabel="CX-CX" Event_Type_Name="HTTP Deny" User_Realm="1.2.3.32" Policy_Name="Implicit Allow" Flow_Transaction_Id="0" Url="http://image2.seethenewscan-updates.us/" Identity_Source_Name="None" Auth_Policy_Name="Default" Flow_SrcIfc="inside" Flow_ConnId="29106287" Flow_DstHostName="image2.seethenewscan-updates.us" Flow_Transaction_Count="1" Ev_Id="2281992" Web_Reputation_Score="-8.4" Event_Type_Action="Deny" Ev_GenTime="1422918630588" Flow_DstPort="80" Policy_Deny_Reason_Name="Web Reputation" Flow_DstIfc="outside" Ev_SrcId="2147484710" Avc_App_Name="HyperText Transfer Protocol" Ev_SrcHwType="ASA-CX" Flow_SrcPort="2260" Smx_Config_Version="56" Flow_Requests_Denied="1" Avc_App_Type="Infrastruct 
> >     > 
> >     > Normal Flow 
> >     > 
> >     > 1 2015-01-28T22:26:34.371Z 1.1.1.23 CiscoNGFW 2827 5 [ngfwEvent@9 Http_Response_Status="200" Flow_Dst_Service="tcp/80" Flow_Bytes_Sent="519" Flow_Bytes_Received="352" Event_Type="0" Count="1" Flow_DstIp="54.241.20.38" Flow_SrcIp="1.2.3.32" Url_Category_Name="Business and Industry" Flow_Bytes="871" Web_Reputation_Threat_Type="" Avc_Tag_Name="" Ev_SrcLabel="CX-CX" Response_Magic_Type="image/gif" Event_Type_Name="HTTP Complete" User_Realm="1.2.3.32" Policy_Name="Implicit Allow" Flow_Transaction_Id="4" Url="http://nexus.ensighten.com/error/e.gif?msg=Unable%20to%20get%20property%20'onmousedown'%20of%20undefined%20or%20null%20reference&lnn=-1&fn=&cid=1017&client=MSFTsupport&publishPath=prod&rid=602489&did=255875&errorName=TypeError" Identity_Source_Name="None" Auth_Policy_Name="Default" Flow_SrcIfc="inside" Flow_ConnId="28362166" Flow_DstHostName="nexus.ensighten.com" Flow_Transaction_Count="1" Ev_Id="1276022" Web_Reputation_Score="0.5" Event_Type_Action="Info" Ev_GenTime="1422484014848" Flow_DstPort= 
> >     > 
> >     > -- 
> >     > 
> >     > --- 
> >     > You received this message because you are subscribed to the Google 
> >     > Groups "ossec-list" group. 
> >     > To unsubscribe from this group and stop receiving emails from it, 
> >     > send an email to [email protected]. 
> >     > For more options, visit https://groups.google.com/d/optout. 
> > 
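An added example, not code from this thread or from the OSSEC project: the Python script below applies the logic of the cisco-cx decoders and the two local rules Brent posted to shortened, constructed copies of his two sample lines. The parent prematch is translated from OSSEC regex syntax into Python (OSSEC `\s` as a single space, `\w` as letters, digits, `@`, `-` and `_`, an unescaped `.` as a literal dot; this translation is an assumption about the OSSEC syntax). Instead of reproducing the two child regexes it reads the attributes they capture with a tolerant `key="value"` scanner, so a final attribute cut off by the syslog size limit is skipped rather than breaking the parse, and `truncated_attribute` reports which attribute was cut. All function and constant names are mine.

```python
import re

# Parent prematch of the posted cisco-cx decoder, translated from OSSEC regex syntax
# to Python (assumed mapping): OSSEC "\s" is a single space, "\w" covers letters,
# digits, '@', '-' and '_', and an unescaped "." is a literal dot.
PREMATCH = re.compile(
    r"^\d \d{4}-\d\d-\d\d[A-Za-z0-9@_-]\d\d:\d\d:\d\d\.\d{3}Z "
    r"\d+\.\d+\.\d+\.\d+ CiscoNGFW \d{4} "
)

# Attributes each posted child decoder captures, mapped to the names in its <order>.
CHILD_FIELDS = {
    "cisco-cxalert": [
        ("Flow_DstIp", "dstip"), ("Flow_SrcIp", "srcip"),
        ("Url_Category_Name", "extra_data"), ("Url", "url"),
    ],
    "cisco-cxalert2": [
        ("Web_Reputation_Threat_Type", "status"), ("Event_Type_Name", "action"),
        ("User_Realm", "user"), ("Url", "url"),
    ],
}

# One key="value" pair of the ngfwEvent structured data.  A truncated final
# attribute never closes its quote, so it is simply not matched.
KV = re.compile(r'(\w+)="([^"]*)"')
# An attribute whose value was cut off by the syslog size limit: key= at the end of
# the line, optionally followed by an opening quote and a partial value.
CUT_OFF = re.compile(r'(?:^|\s)(\w+)=(?:"[^"]*)?$')


def select_child(rest):
    """Pick the child decoder the way the posted prematches do.

    rest starts with the number that follows the process id; the alternatives
    "^1|^2|^3|^4|^5" are tried before "^6|^7|^8|^9|^10", in file order (assumed
    to be how OSSEC orders child decoders).
    """
    if re.match(r"1|2|3|4|5", rest):
        return "cisco-cxalert"
    if re.match(r"6|7|8|9|10", rest):
        return "cisco-cxalert2"
    return None


def decode(line):
    """Return (decoder name, {order name: value}) or None if the parent prematch fails."""
    m = PREMATCH.match(line)
    if not m:
        return None
    rest = line[m.end():]
    child = select_child(rest)
    if child is None:
        return ("cisco-cx", {})
    kv = dict(KV.findall(rest))
    return (child, {name: kv[key] for key, name in CHILD_FIELDS[child] if key in kv})


def truncated_attribute(line):
    """Name of the attribute the syslog size limit cut off, or None if the line looks complete."""
    m = CUT_OFF.search(line)
    return m.group(1) if m else None


def rule_level(line, strict=False):
    """Level the posted rules assign: 0 for any cisco-cx line (100210), 10 when it
    contains "Deny" (100211).  OSSEC <match> is a substring test anywhere in the
    line; strict=True instead requires the Event_Type_Action attribute to be Deny."""
    if decode(line) is None:
        return None
    if strict:
        return 10 if 'Event_Type_Action="Deny"' in line else 0
    return 10 if "Deny" in line else 0


# Constructed sample lines: shortened copies of the two logs posted in the thread,
# keeping the attributes the decoders read and the truncated tail of each original.
DENY_LINE = (
    '1 2015-02-02T23:09:03.733Z 1.1.1.23 CiscoNGFW 2827 6 [ngfwEvent@9 '
    'Flow_Dst_Service="tcp/80" Flow_DstIp="162.255.119.254" Flow_SrcIp="1.2.3.32" '
    'Url_Category_Name="Uncategorized" Web_Reputation_Threat_Type="Related to Phishing" '
    'Event_Type_Name="HTTP Deny" User_Realm="1.2.3.32" Policy_Name="Implicit Allow" '
    'Url="http://image2.seethenewscan-updates.us/" Web_Reputation_Score="-8.4" '
    'Event_Type_Action="Deny" Policy_Deny_Reason_Name="Web Reputation" '
    'Avc_App_Type="Infrastruct'
)
NORMAL_LINE = (
    '1 2015-01-28T22:26:34.371Z 1.1.1.23 CiscoNGFW 2827 5 [ngfwEvent@9 '
    'Http_Response_Status="200" Flow_DstIp="54.241.20.38" Flow_SrcIp="1.2.3.32" '
    'Url_Category_Name="Business and Industry" Web_Reputation_Threat_Type="" '
    'Event_Type_Name="HTTP Complete" User_Realm="1.2.3.32" Policy_Name="Implicit Allow" '
    'Url="http://nexus.ensighten.com/error/e.gif?msg=Unable%20to%20get%20property" '
    'Web_Reputation_Score="0.5" Event_Type_Action="Info" Flow_DstPort='
)

if __name__ == "__main__":
    for line in (DENY_LINE, NORMAL_LINE):
        print(decode(line), "level", rule_level(line), "cut at", truncated_attribute(line))
```

Running the script prints the decoder chosen, the extracted fields, the rule level and the cut-off attribute for each sample. Two things it makes visible: OSSEC `<match>` is a substring test, so `<match>Deny</match>` fires on anything containing `Deny`, attribute names such as `Policy_Deny_Reason_Name` or a URL included, and `rule_level(line, strict=True)` shows the tighter test on `Event_Type_Action="Deny"`. And if child decoders are tried in the order they are defined, as the script assumes, a line whose number after the process id begins with `1` (for example `10`) is claimed by `^1` in cisco-cxalert before cisco-cxalert2's `^10` is reached, which `select_child("10 ...")` demonstrates.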