I'll patch my analysisd to provide srcport and dstport with a value of "0" if the protocol is "ICMP"... I need to keep traces of such events...
/x On Tue, Jan 26, 2016 at 11:40 PM, Brent Morris <brent.mor...@gmail.com> wrote: > Good catch! > > I think the ASA provides ports just as part of internal processing of the > IP translation. Perhaps they're a sequence number or provide some internal > function for IOS. They seem completely random. They change to the real > port in the logs when using TCP or UDP. Here are the logs as seen from the > ASA.... > > ICMP > 2016 Jan 26 02:00:49 ossec->1.2.3.4 Jan 26 2016 02:00:49: %ASA-6-302021: > Teardown ICMP connection for faddr 8.8.8.8/0 gaddr external.addr/18125 > laddr external.addr/18125(any) > 2016 Jan 26 02:00:49 ossec->1.2.3.4 Jan 26 2016 02:00:49: %ASA-6-302020: > Built outbound ICMP connection for faddr 8.8.8.8/0 gaddr > external.addr/18126 laddr external.addr/18126(any) > 2016 Jan 26 02:00:49 ossec->1.2.3.4 Jan 26 2016 02:00:49: %ASA-6-302021: > Teardown ICMP connection for faddr 8.8.8.8/0 gaddr external.addr/18126 > laddr external.addr/18126(any) > > In the case of a TCP or UDP connection, you'd see ....Built outbound TCP > connection 60148807 for outside:137.135.12.16/443 (137.135.12.16/443) to > inside:1.2.3.4/11515 (external.ip.addr/11515) > > > > On Tuesday, January 26, 2016 at 2:10:25 PM UTC-8, Xavier Mertens wrote: >> >> Hi Brent, >> I think that I found the problem! Here is an sample of my ossec-logtest >> output: >> >> **Phase 2: Completed decoding. >> decoder: 'iptables' >> action: 'AUDIT' >> srcip: '92.222.185.1' >> dstip: '51.254.36.238' >> proto: 'ICMP' >> >> But, while diving into the source code (in analysisd/alert/log.c): >> >> /* FW_Log: v0.1, 2005/12/30 */ >> int FW_Log(Eventinfo *lf) >> { >> /* If we don't have the srcip or the >> * action, there is no point in going >> * forward over here >> */ >> if(!lf->action || !lf->srcip || !lf->dstip || !lf->srcport || >> !lf->dstport || !lf->protocol) >> { >> return(0); >> } >> >> I don't have srcport & dstport filled in so no log! I think I'll patch >> the code and >> >> I'm wondering why your ASA firewall provides ports!? >> >> About ossec2dshield, I wrote this tool a long time ago to share my logs >> with DShield.org. >> Ping me you want details! >> >> /x >> >> >> On Tue, Jan 26, 2016 at 9:05 PM, Brent Morris <brent....@gmail.com> >> wrote: >> >>> Xavier, >>> >>> I'm collecting logs from my ASA and I do see ICMP traffic in my >>> firewall.log - >>> >>> 2016 Jan 26 12:00:50 ossec->192.168.168.168 CLOSED ICMP 1.2.3.4:10254 >>> ->external.addr:10254 >>> 2016 Jan 26 12:00:54 ossec->192.168.168.168 CLOSED ICMP 1.2.3.4:10510 >>> ->external.addr:10510 >>> 2016 Jan 26 12:00:57 ossec->192.168.168.168 CLOSED ICMP 1.2.3.4:10766 >>> ->external.addr:10766 >>> 2016 Jan 26 12:01:05 ossec->192.168.168.168 CLOSED ICMP 1.2.3.4:11278 >>> ->external.addr:11278 >>> >>> I'm not sure what the issue might be. >>> >>> Also, thank you for the ossec2dshield script!!! I heard about it on the >>> Internet Storm Center Stormcast, but it might be worth plugging to the list >>> here too :) >>> >>> On Tuesday, January 26, 2016 at 1:08:12 AM UTC-8, Xavier Mertens wrote: >>>> >>>> I'm collected firewall logs from many Ubuntu servers (basically the >>>> /var/log/ufw.log). >>>> In this log, I can see events about TCP, UDP and ICMP traffic (allowed >>>> or dropped). >>>> But, on my OSSEC server, in my firewall.log, I don't see any event >>>> related to the ICMP protocol... >>>> >>>> /x >>>> >>>> On Sat, Jan 23, 2016 at 11:45 PM, Santiago Bassett < >>>> santiago...@gmail.com> wrote: >>>> >>>>> I am afraid I don't understand the problem or question, maybe if you >>>>> explain it a little bit more we can help better. >>>>> >>>>> Best >>>>> >>>>> On Thu, Jan 21, 2016 at 7:56 AM, Xavier Mertens <xmer...@gmail.com> >>>>> wrote: >>>>> >>>>>> Hi *, >>>>>> >>>>>> Maybe a stupid question but I'm investigating an issue and I've to >>>>>> browse my history of firewall.log files. Problem: I find only TCP/UDP >>>>>> events and nothing regarding ICMP packets? >>>>>> >>>>>> I tested via ossec-logstest and events are correctly parsed... >>>>>> >>>>>> I never paid attention to this in the past... :-( >>>>>> Any idea? >>>>>> >>>>>> /x >>>>>> >>>>>> -- >>>>>> >>>>>> --- >>>>>> You received this message because you are subscribed to the Google >>>>>> Groups "ossec-list" group. >>>>>> To unsubscribe from this group and stop receiving emails from it, >>>>>> send an email to ossec-list+...@googlegroups.com. >>>>>> For more options, visit https://groups.google.com/d/optout. >>>>>> >>>>> >>>>> -- >>>>> >>>>> --- >>>>> You received this message because you are subscribed to the Google >>>>> Groups "ossec-list" group. >>>>> To unsubscribe from this group and stop receiving emails from it, send >>>>> an email to ossec-list+...@googlegroups.com. >>>>> For more options, visit https://groups.google.com/d/optout. >>>>> >>>> >>>> -- >>> >>> --- >>> You received this message because you are subscribed to the Google >>> Groups "ossec-list" group. >>> To unsubscribe from this group and stop receiving emails from it, send >>> an email to ossec-list+...@googlegroups.com. >>> For more options, visit https://groups.google.com/d/optout. >>> >> >> -- > > --- > You received this message because you are subscribed to the Google Groups > "ossec-list" group. > To unsubscribe from this group and stop receiving emails from it, send an > email to ossec-list+unsubscr...@googlegroups.com. > For more options, visit https://groups.google.com/d/optout. > -- --- You received this message because you are subscribed to the Google Groups "ossec-list" group. To unsubscribe from this group and stop receiving emails from it, send an email to ossec-list+unsubscr...@googlegroups.com. For more options, visit https://groups.google.com/d/optout.