On Aug 4, 2015 8:45 AM, "Björn" <[email protected]> wrote:
>
> Ah okay, thanks for your help.
> I got and understand it now! It seems we got multiple srcip's.
>

I only see 1 source ip in the log samples you provided.

> On Monday, 3 August 2015 17:59:23 UTC+2, dan (ddpbsd) wrote:
>>
>>
>> On Aug 3, 2015 11:56 AM, "Björn" <[email protected]> wrote:
>> >
>> > bin/ossec-logtest
>> > 2015/08/03 17:47:39 ossec-testrule: INFO: Reading local decoder file.
>> > 2015/08/03 17:47:39 ossec-testrule: INFO: Started (pid: 22641).
>> > ossec-testrule: Type one log per line.
>> >
>> >
>> > 2015-07-02 12:11:58 DROP TCP 10.13.1.6 10.13.16.7 443 3572 40 A 1914956515 1862563536 7504 - - - RECEIVE
>> >
>> >
>> > **Phase 1: Completed pre-decoding.
>> >        full event: '2015-07-02 12:11:58 DROP TCP 10.13.1.6 10.13.16.7 443 3572 40 A 1914956515 1862563536 7504 - - - RECEIVE'
>> >        hostname: 'webint'
>> >        program_name: '(null)'
>> >        log: '2015-07-02 12:11:58 DROP TCP 10.13.1.6 10.13.16.7 443 3572 40 A 1914956515 1862563536 7504 - - - RECEIVE'
>> >
>> >
>> > **Phase 2: Completed decoding.
>> >        decoder: 'windows-date-format'
>> >        action: 'DROP'
>> >        proto: 'TCP'
>> >        srcip: '10.13.1.6'
>> >        dstip: '10.13.16.7'
>>
>> 16.7 is being decoded as the destination IP, 1.6 is the source.
>>
>> >        srcport: '443'
>> >
>> >        dstport: '3572'
>> >
>> >
>> > **Phase 3: Completed filtering (rules).
>> >        Rule id: '4101'
>> >        Level: '5'
>> >
>> >        Description: 'Firewall drop event.'
>> > ^C
>> >
>> > Yes, I think so.
>> >
>> >
>> > On Monday, 3 August 2015 17:44:45 UTC+2, dan (ddpbsd) wrote:
>> >>
>> >>
>> >> On Aug 3, 2015 11:41 AM, "Björn" <[email protected]> wrote:
>> >> >
>> >> > Hello,
>> >> >
>> >> > I try to exclude this event:
>> >> >
>> >> >
>> >> > OSSEC HIDS Notification.
>> >> > 2015 Jul 02 12:12:14
>> >> >
>> >> > Received From: (jump02) 10.13.16.7->\Logfiles\Firewall\pfirewall.log
>> >> > Rule: 4151 fired (level 10) -> "Multiple Firewall drop events from same source."
>> >> > Portion of the log(s):
>> >> >
>> >> > 2015-07-02 12:11:59 DROP TCP 10.13.1.6 10.13.16.7 443 3573 40 A 2313797595 2078887944 7504 - - - RECEIVE
>> >>
>> >> I can't run these through ossec-logtest at the moment, but does the 16.7 address decode to be the source ip?
>> >>
>> >> > 2015-07-02 12:11:58 DROP TCP 10.13.1.6 10.13.16.7 443 3572 40 A 1914956515 1862563536 7504 - - - RECEIVE
>> >> > 2015-07-02 12:11:58 DROP TCP 10.13.1.6 10.13.16.7 443 3572 40 A 1914956515 1862563535 7504 - - - RECEIVE
>> >> > 2015-07-02 12:11:57 DROP TCP 10.13.1.6 10.13.16.7 443 3571 40 A 1983683511 660455107 7504 - - - RECEIVE
>> >> > 2015-07-02 12:11:57 DROP TCP 10.13.1.6 10.13.16.7 443 3571 40 A 1983683511 660455106 7504 - - - RECEIVE
>> >> > 2015-07-02 12:11:56 DROP TCP 10.13.1.6 10.13.16.7 443 3568 40 A 1348841012 1715023945 7504 - - - RECEIVE
>> >> > 2015-07-02 12:11:56 DROP TCP 10.13.1.6 10.13.16.7 443 3568 40 A 1348841012 1715023944 7504 - - - RECEIVE
>> >> > 2015-07-02 12:11:50 DROP TCP 10.13.1.6 10.13.16.7 443 3566 40 A 1087397228 121698030 7504 - - - RECEIVE
>> >> > 2015-07-02 12:11:49 DROP TCP 10.13.1.6 10.13.16.7 443 3563 40 A 524181289 2382348392 7504 - - - RECEIVE
>> >> > 2015-07-02 12:11:49 DROP TCP 10.13.1.6 10.13.16.7 443 3563 40 A 524181289 2382348391 7504 - - - RECEIVE
>> >> > 2015-07-02 12:11:46 DROP TCP 10.13.1.6 10.13.16.7 443 3562 40 A 1283761885 1189402708 7504 - - - RECEIVE
>> >> > 2015-07-02 12:11:46 DROP TCP 10.13.1.6 10.13.16.7 443 3562 40 A 1283761885 1189402707 7504 - - - RECEIVE
>> >> >
>> >> >
>> >> >
>> >> >  --END OF NOTIFICATION
>> >> >
>> >> >
>> >> > with this rule without success:
>> >> >
>> >> >  <rule id="100002" level="10">
>> >> >  <if_sid>4151</if_sid>
>> >> >  <srcip>10.13.16.7</srcip>
>> >> >  <match>10.13.1.6</match>
>> >> >  <description>#100882</description>
>> >> >  </rule>
>> >> >
>> >> >
>> >> > But we are still receiving mails for these events. Do you have an idea what's wrong?
>> >> >
>> >> > Thanks!
>> >> >
>> >> >
>> >> > --
>> >> >
>> >> > ---
>> >> > You received this message because you are subscribed to the Google
Groups "ossec-list" group.
>> >> > To unsubscribe from this group and stop receiving emails from it,
send an email to [email protected].
>> >>
>> >> > For more options, visit https://groups.google.com/d/optout.
>> >
>

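The point of the thread is that the posted rule tests `<srcip>10.13.16.7</srcip>`, while ossec-logtest shows 10.13.1.6 decoded as srcip and 10.13.16.7 as dstip, so the condition can never hold. The following is an added example, not code from the thread or from the OSSEC project: it parses the Windows Firewall (pfirewall.log) lines quoted above into named fields in the same order the decoder output shows, then evaluates rule-style conditions on those fields. The `rule_matches` helper only approximates OSSEC's `<srcip>`, `<dstip>` and `<match>` semantics (exact IP comparison and substring search); the field names and the `evaluate` summary are this example's own.

```python
"""Added example (not from the ossec-list thread or the OSSEC project):
decode pfirewall.log lines and test rule conditions against the decoded
srcip/dstip fields, to show why <srcip>10.13.16.7</srcip> never matches."""
from collections import Counter

# Field order of the Windows Firewall (pfirewall.log) W3C format. The decoder
# output in the thread confirms the first eight: action, proto, srcip, dstip,
# srcport, dstport follow the date and time.
FIELDS = ("date", "time", "action", "proto", "srcip", "dstip",
          "srcport", "dstport", "size", "tcpflags", "tcpsyn", "tcpack",
          "tcpwin", "icmptype", "icmpcode", "info", "path")

# Constructed sample: three of the log lines quoted in the thread.
SAMPLE_LOG = """\
2015-07-02 12:11:59 DROP TCP 10.13.1.6 10.13.16.7 443 3573 40 A 2313797595 2078887944 7504 - - - RECEIVE
2015-07-02 12:11:58 DROP TCP 10.13.1.6 10.13.16.7 443 3572 40 A 1914956515 1862563536 7504 - - - RECEIVE
2015-07-02 12:11:57 DROP TCP 10.13.1.6 10.13.16.7 443 3571 40 A 1983683511 660455107 7504 - - - RECEIVE
"""


def decode(line):
    """Split one pfirewall.log line into named fields; None if it is not one."""
    parts = line.split()
    if len(parts) != len(FIELDS):
        return None
    event = dict(zip(FIELDS, parts))
    event["raw"] = line
    return event


def rule_matches(event, srcip=None, dstip=None, match=None):
    """Approximation (assumed, not OSSEC's code) of the three rule conditions
    used in the thread: <srcip>/<dstip> compare the decoded field exactly,
    <match> is a substring search over the raw log. All given conditions
    must hold for the rule to fire."""
    if srcip is not None and event.get("srcip") != srcip:
        return False
    if dstip is not None and event.get("dstip") != dstip:
        return False
    if match is not None and match not in event["raw"]:
        return False
    return True


def evaluate(log_text):
    """Decode every line and count how often the posted rule and a corrected
    rule would fire, plus the distinct source addresses seen."""
    events = [ev for ev in map(decode, log_text.splitlines()) if ev]
    # The rule as posted: srcip must be 10.13.16.7, but that is the dstip.
    posted = sum(rule_matches(e, srcip="10.13.16.7", match="10.13.1.6")
                 for e in events)
    # The same intent expressed on the fields the decoder actually produces.
    corrected = sum(rule_matches(e, srcip="10.13.1.6", dstip="10.13.16.7")
                    for e in events)
    return {
        "events": len(events),
        "distinct_srcip": Counter(e["srcip"] for e in events),
        "posted_rule_hits": posted,
        "corrected_rule_hits": corrected,
    }


if __name__ == "__main__":
    print(evaluate(SAMPLE_LOG))
```

Running it shows one distinct source address (10.13.1.6), zero hits for the posted rule and a hit on every line once the srcip and dstip conditions are written on the fields as decoded. Checking a rule against ossec-logtest output in this way, field by field, is the quickest way to find out which side of a connection a decoder has labelled as the source before writing an exclusion.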