Good catch!
I think the ASA provides ports just as part of internal processing of the
IP translation. Perhaps they're a sequence number or provide some internal
function for IOS. They seem completely random. They change to the real
port in the logs when using TCP or UDP. Here are the logs as seen from the
ASA....
ICMP
2016 Jan 26 02:00:49 ossec->1.2.3.4 Jan 26 2016 02:00:49: %ASA-6-302021:
Teardown ICMP connection for faddr 8.8.8.8/0 gaddr external.addr/18125
laddr external.addr/18125(any)
2016 Jan 26 02:00:49 ossec->1.2.3.4 Jan 26 2016 02:00:49: %ASA-6-302020:
Built outbound ICMP connection for faddr 8.8.8.8/0 gaddr
external.addr/18126 laddr external.addr/18126(any)
2016 Jan 26 02:00:49 ossec->1.2.3.4 Jan 26 2016 02:00:49: %ASA-6-302021:
Teardown ICMP connection for faddr 8.8.8.8/0 gaddr external.addr/18126
laddr external.addr/18126(any)
In the case of a TCP or UDP connection, you'd see ....Built outbound TCP
connection 60148807 for outside:137.135.12.16/443 (137.135.12.16/443) to
inside:1.2.3.4/11515 (external.ip.addr/11515)
On Tuesday, January 26, 2016 at 2:10:25 PM UTC-8, Xavier Mertens wrote:
>
> Hi Brent,
> I think that I found the problem! Here is an sample of my ossec-logtest
> output:
>
> **Phase 2: Completed decoding.
> decoder: 'iptables'
> action: 'AUDIT'
> srcip: '92.222.185.1'
> dstip: '51.254.36.238'
> proto: 'ICMP'
>
> But, while diving into the source code (in analysisd/alert/log.c):
>
> /* FW_Log: v0.1, 2005/12/30 */
> int FW_Log(Eventinfo *lf)
> {
> /* If we don't have the srcip or the
> * action, there is no point in going
> * forward over here
> */
> if(!lf->action || !lf->srcip || !lf->dstip || !lf->srcport ||
> !lf->dstport || !lf->protocol)
> {
> return(0);
> }
>
> I don't have srcport & dstport filled in so no log! I think I'll patch the
> code and
>
> I'm wondering why your ASA firewall provides ports!?
>
> About ossec2dshield, I wrote this tool a long time ago to share my logs
> with DShield.org.
> Ping me you want details!
>
> /x
>
>
> On Tue, Jan 26, 2016 at 9:05 PM, Brent Morris <[email protected]
> <javascript:>> wrote:
>
>> Xavier,
>>
>> I'm collecting logs from my ASA and I do see ICMP traffic in my
>> firewall.log -
>>
>> 2016 Jan 26 12:00:50 ossec->192.168.168.168 CLOSED ICMP
>> 1.2.3.4:10254->external.addr:10254
>> 2016 Jan 26 12:00:54 ossec->192.168.168.168 CLOSED ICMP
>> 1.2.3.4:10510->external.addr:10510
>> 2016 Jan 26 12:00:57 ossec->192.168.168.168 CLOSED ICMP
>> 1.2.3.4:10766->external.addr:10766
>> 2016 Jan 26 12:01:05 ossec->192.168.168.168 CLOSED ICMP
>> 1.2.3.4:11278->external.addr:11278
>>
>> I'm not sure what the issue might be.
>>
>> Also, thank you for the ossec2dshield script!!! I heard about it on the
>> Internet Storm Center Stormcast, but it might be worth plugging to the list
>> here too :)
>>
>> On Tuesday, January 26, 2016 at 1:08:12 AM UTC-8, Xavier Mertens wrote:
>>>
>>> I'm collected firewall logs from many Ubuntu servers (basically the
>>> /var/log/ufw.log).
>>> In this log, I can see events about TCP, UDP and ICMP traffic (allowed
>>> or dropped).
>>> But, on my OSSEC server, in my firewall.log, I don't see any event
>>> related to the ICMP protocol...
>>>
>>> /x
>>>
>>> On Sat, Jan 23, 2016 at 11:45 PM, Santiago Bassett <
>>> [email protected]> wrote:
>>>
>>>> I am afraid I don't understand the problem or question, maybe if you
>>>> explain it a little bit more we can help better.
>>>>
>>>> Best
>>>>
>>>> On Thu, Jan 21, 2016 at 7:56 AM, Xavier Mertens <[email protected]>
>>>> wrote:
>>>>
>>>>> Hi *,
>>>>>
>>>>> Maybe a stupid question but I'm investigating an issue and I've to
>>>>> browse my history of firewall.log files. Problem: I find only TCP/UDP
>>>>> events and nothing regarding ICMP packets?
>>>>>
>>>>> I tested via ossec-logstest and events are correctly parsed...
>>>>>
>>>>> I never paid attention to this in the past... :-(
>>>>> Any idea?
>>>>>
>>>>> /x
>>>>>
>>>>> --
>>>>>
>>>>> ---
>>>>> You received this message because you are subscribed to the Google
>>>>> Groups "ossec-list" group.
>>>>> To unsubscribe from this group and stop receiving emails from it, send
>>>>> an email to [email protected].
>>>>> For more options, visit https://groups.google.com/d/optout.
>>>>>
>>>>
>>>> --
>>>>
>>>> ---
>>>> You received this message because you are subscribed to the Google
>>>> Groups "ossec-list" group.
>>>> To unsubscribe from this group and stop receiving emails from it, send
>>>> an email to [email protected].
>>>> For more options, visit https://groups.google.com/d/optout.
>>>>
>>>
>>> --
>>
>> ---
>> You received this message because you are subscribed to the Google Groups
>> "ossec-list" group.
>> To unsubscribe from this group and stop receiving emails from it, send an
>> email to [email protected] <javascript:>.
>> For more options, visit https://groups.google.com/d/optout.
>>
>
>
--
---
You received this message because you are subscribed to the Google Groups
"ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to [email protected].
For more options, visit https://groups.google.com/d/optout.
