Hi Brent,
I think that I found the problem! Here is an sample of my ossec-logtest
output:
**Phase 2: Completed decoding.
decoder: 'iptables'
action: 'AUDIT'
srcip: '92.222.185.1'
dstip: '51.254.36.238'
proto: 'ICMP'
But, while diving into the source code (in analysisd/alert/log.c):
/* FW_Log: v0.1, 2005/12/30 */
int FW_Log(Eventinfo *lf)
{
/* If we don't have the srcip or the
* action, there is no point in going
* forward over here
*/
if(!lf->action || !lf->srcip || !lf->dstip || !lf->srcport ||
!lf->dstport || !lf->protocol)
{
return(0);
}
I don't have srcport & dstport filled in so no log! I think I'll patch the
code and
I'm wondering why your ASA firewall provides ports!?
About ossec2dshield, I wrote this tool a long time ago to share my logs
with DShield.org.
Ping me you want details!
/x
On Tue, Jan 26, 2016 at 9:05 PM, Brent Morris <[email protected]>
wrote:
> Xavier,
>
> I'm collecting logs from my ASA and I do see ICMP traffic in my
> firewall.log -
>
> 2016 Jan 26 12:00:50 ossec->192.168.168.168 CLOSED ICMP 1.2.3.4:10254
> ->external.addr:10254
> 2016 Jan 26 12:00:54 ossec->192.168.168.168 CLOSED ICMP 1.2.3.4:10510
> ->external.addr:10510
> 2016 Jan 26 12:00:57 ossec->192.168.168.168 CLOSED ICMP 1.2.3.4:10766
> ->external.addr:10766
> 2016 Jan 26 12:01:05 ossec->192.168.168.168 CLOSED ICMP 1.2.3.4:11278
> ->external.addr:11278
>
> I'm not sure what the issue might be.
>
> Also, thank you for the ossec2dshield script!!! I heard about it on the
> Internet Storm Center Stormcast, but it might be worth plugging to the list
> here too :)
>
> On Tuesday, January 26, 2016 at 1:08:12 AM UTC-8, Xavier Mertens wrote:
>>
>> I'm collected firewall logs from many Ubuntu servers (basically the
>> /var/log/ufw.log).
>> In this log, I can see events about TCP, UDP and ICMP traffic (allowed or
>> dropped).
>> But, on my OSSEC server, in my firewall.log, I don't see any event
>> related to the ICMP protocol...
>>
>> /x
>>
>> On Sat, Jan 23, 2016 at 11:45 PM, Santiago Bassett <[email protected]
>> > wrote:
>>
>>> I am afraid I don't understand the problem or question, maybe if you
>>> explain it a little bit more we can help better.
>>>
>>> Best
>>>
>>> On Thu, Jan 21, 2016 at 7:56 AM, Xavier Mertens <[email protected]>
>>> wrote:
>>>
>>>> Hi *,
>>>>
>>>> Maybe a stupid question but I'm investigating an issue and I've to
>>>> browse my history of firewall.log files. Problem: I find only TCP/UDP
>>>> events and nothing regarding ICMP packets?
>>>>
>>>> I tested via ossec-logstest and events are correctly parsed...
>>>>
>>>> I never paid attention to this in the past... :-(
>>>> Any idea?
>>>>
>>>> /x
>>>>
>>>> --
>>>>
>>>> ---
>>>> You received this message because you are subscribed to the Google
>>>> Groups "ossec-list" group.
>>>> To unsubscribe from this group and stop receiving emails from it, send
>>>> an email to [email protected].
>>>> For more options, visit https://groups.google.com/d/optout.
>>>>
>>>
>>> --
>>>
>>> ---
>>> You received this message because you are subscribed to the Google
>>> Groups "ossec-list" group.
>>> To unsubscribe from this group and stop receiving emails from it, send
>>> an email to [email protected].
>>> For more options, visit https://groups.google.com/d/optout.
>>>
>>
>> --
>
> ---
> You received this message because you are subscribed to the Google Groups
> "ossec-list" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to [email protected].
> For more options, visit https://groups.google.com/d/optout.
>
--
---
You received this message because you are subscribed to the Google Groups
"ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to [email protected].
For more options, visit https://groups.google.com/d/optout.
