I'll patch my analysisd to provide srcport and dstport with a value of "0"
if the protocol is "ICMP"... I need to keep traces of such events...
/x
On Tue, Jan 26, 2016 at 11:40 PM, Brent Morris <brent.mor...@gmail.com>
wrote:
> Good catch!
>
> I think the ASA provides ports just as part of internal processing of the
> IP translation. Perhaps they're a sequence number or provide some internal
> function for IOS. They seem completely random. They change to the real
> port in the logs when using TCP or UDP. Here are the logs as seen from the
> ASA....
>
> ICMP
> 2016 Jan 26 02:00:49 ossec->1.2.3.4 Jan 26 2016 02:00:49: %ASA-6-302021:
> Teardown ICMP connection for faddr 8.8.8.8/0 gaddr external.addr/18125
> laddr external.addr/18125(any)
> 2016 Jan 26 02:00:49 ossec->1.2.3.4 Jan 26 2016 02:00:49: %ASA-6-302020:
> Built outbound ICMP connection for faddr 8.8.8.8/0 gaddr
> external.addr/18126 laddr external.addr/18126(any)
> 2016 Jan 26 02:00:49 ossec->1.2.3.4 Jan 26 2016 02:00:49: %ASA-6-302021:
> Teardown ICMP connection for faddr 8.8.8.8/0 gaddr external.addr/18126
> laddr external.addr/18126(any)
>
> In the case of a TCP or UDP connection, you'd see ....Built outbound TCP
> connection 60148807 for outside:137.135.12.16/443 (137.135.12.16/443) to
> inside:1.2.3.4/11515 (external.ip.addr/11515)
>
>
>
> On Tuesday, January 26, 2016 at 2:10:25 PM UTC-8, Xavier Mertens wrote:
>>
>> Hi Brent,
>> I think that I found the problem! Here is an sample of my ossec-logtest
>> output:
>>
>> **Phase 2: Completed decoding.
>> decoder: 'iptables'
>> action: 'AUDIT'
>> srcip: '92.222.185.1'
>> dstip: '51.254.36.238'
>> proto: 'ICMP'
>>
>> But, while diving into the source code (in analysisd/alert/log.c):
>>
>> /* FW_Log: v0.1, 2005/12/30 */
>> int FW_Log(Eventinfo *lf)
>> {
>> /* If we don't have the srcip or the
>> * action, there is no point in going
>> * forward over here
>> */
>> if(!lf->action || !lf->srcip || !lf->dstip || !lf->srcport ||
>> !lf->dstport || !lf->protocol)
>> {
>> return(0);
>> }
>>
>> I don't have srcport & dstport filled in so no log! I think I'll patch
>> the code and
>>
>> I'm wondering why your ASA firewall provides ports!?
>>
>> About ossec2dshield, I wrote this tool a long time ago to share my logs
>> with DShield.org.
>> Ping me you want details!
>>
>> /x
>>
>>
>> On Tue, Jan 26, 2016 at 9:05 PM, Brent Morris <brent....@gmail.com>
>> wrote:
>>
>>> Xavier,
>>>
>>> I'm collecting logs from my ASA and I do see ICMP traffic in my
>>> firewall.log -
>>>
>>> 2016 Jan 26 12:00:50 ossec->192.168.168.168 CLOSED ICMP 1.2.3.4:10254
>>> ->external.addr:10254
>>> 2016 Jan 26 12:00:54 ossec->192.168.168.168 CLOSED ICMP 1.2.3.4:10510
>>> ->external.addr:10510
>>> 2016 Jan 26 12:00:57 ossec->192.168.168.168 CLOSED ICMP 1.2.3.4:10766
>>> ->external.addr:10766
>>> 2016 Jan 26 12:01:05 ossec->192.168.168.168 CLOSED ICMP 1.2.3.4:11278
>>> ->external.addr:11278
>>>
>>> I'm not sure what the issue might be.
>>>
>>> Also, thank you for the ossec2dshield script!!! I heard about it on the
>>> Internet Storm Center Stormcast, but it might be worth plugging to the list
>>> here too :)
>>>
>>> On Tuesday, January 26, 2016 at 1:08:12 AM UTC-8, Xavier Mertens wrote:
>>>>
>>>> I'm collected firewall logs from many Ubuntu servers (basically the
>>>> /var/log/ufw.log).
>>>> In this log, I can see events about TCP, UDP and ICMP traffic (allowed
>>>> or dropped).
>>>> But, on my OSSEC server, in my firewall.log, I don't see any event
>>>> related to the ICMP protocol...
>>>>
>>>> /x
>>>>
>>>> On Sat, Jan 23, 2016 at 11:45 PM, Santiago Bassett <
>>>> santiago...@gmail.com> wrote:
>>>>
>>>>> I am afraid I don't understand the problem or question, maybe if you
>>>>> explain it a little bit more we can help better.
>>>>>
>>>>> Best
>>>>>
>>>>> On Thu, Jan 21, 2016 at 7:56 AM, Xavier Mertens <xmer...@gmail.com>
>>>>> wrote:
>>>>>
>>>>>> Hi *,
>>>>>>
>>>>>> Maybe a stupid question but I'm investigating an issue and I've to
>>>>>> browse my history of firewall.log files. Problem: I find only TCP/UDP
>>>>>> events and nothing regarding ICMP packets?
>>>>>>
>>>>>> I tested via ossec-logstest and events are correctly parsed...
>>>>>>
>>>>>> I never paid attention to this in the past... :-(
>>>>>> Any idea?
>>>>>>
>>>>>> /x
>>>>>>
>>>>>> --
>>>>>>
>>>>>> ---
>>>>>> You received this message because you are subscribed to the Google
>>>>>> Groups "ossec-list" group.
>>>>>> To unsubscribe from this group and stop receiving emails from it,
>>>>>> send an email to ossec-list+...@googlegroups.com.
>>>>>> For more options, visit https://groups.google.com/d/optout.
>>>>>>
>>>>>
>>>>> --
>>>>>
>>>>> ---
>>>>> You received this message because you are subscribed to the Google
>>>>> Groups "ossec-list" group.
>>>>> To unsubscribe from this group and stop receiving emails from it, send
>>>>> an email to ossec-list+...@googlegroups.com.
>>>>> For more options, visit https://groups.google.com/d/optout.
>>>>>
>>>>
>>>> --
>>>
>>> ---
>>> You received this message because you are subscribed to the Google
>>> Groups "ossec-list" group.
>>> To unsubscribe from this group and stop receiving emails from it, send
>>> an email to ossec-list+...@googlegroups.com.
>>> For more options, visit https://groups.google.com/d/optout.
>>>
>>
>> --
>
> ---
> You received this message because you are subscribed to the Google Groups
> "ossec-list" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to ossec-list+unsubscr...@googlegroups.com.
> For more options, visit https://groups.google.com/d/optout.
>
--
---
You received this message because you are subscribed to the Google Groups
"ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to ossec-list+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
