Is this worth submitting as an issue to github?
https://github.com/ossec/ossec-hids/issues
On Wednesday, January 27, 2016 at 12:08:54 AM UTC-8, Xavier Mertens wrote:
>
> I'll patch my analysisd to provide srcport and dstport with a value of "0"
> if the protocol is "ICMP"... I need to keep traces of such events...
>
> /x
>
> On Tue, Jan 26, 2016 at 11:40 PM, Brent Morris <brent....@gmail.com
> <javascript:>> wrote:
>
>> Good catch!
>>
>> I think the ASA provides ports just as part of internal processing of the
>> IP translation. Perhaps they're a sequence number or provide some internal
>> function for IOS. They seem completely random. They change to the real
>> port in the logs when using TCP or UDP. Here are the logs as seen from the
>> ASA....
>>
>> ICMP
>> 2016 Jan 26 02:00:49 ossec->1.2.3.4 Jan 26 2016 02:00:49: %ASA-6-302021:
>> Teardown ICMP connection for faddr 8.8.8.8/0 gaddr external.addr/18125
>> laddr external.addr/18125(any)
>> 2016 Jan 26 02:00:49 ossec->1.2.3.4 Jan 26 2016 02:00:49: %ASA-6-302020:
>> Built outbound ICMP connection for faddr 8.8.8.8/0 gaddr
>> external.addr/18126 laddr external.addr/18126(any)
>> 2016 Jan 26 02:00:49 ossec->1.2.3.4 Jan 26 2016 02:00:49: %ASA-6-302021:
>> Teardown ICMP connection for faddr 8.8.8.8/0 gaddr external.addr/18126
>> laddr external.addr/18126(any)
>>
>> In the case of a TCP or UDP connection, you'd see ....Built outbound
>> TCP connection 60148807 for outside:137.135.12.16/443 (137.135.12.16/443)
>> to inside:1.2.3.4/11515 (external.ip.addr/11515)
>>
>>
>>
>> On Tuesday, January 26, 2016 at 2:10:25 PM UTC-8, Xavier Mertens wrote:
>>>
>>> Hi Brent,
>>> I think that I found the problem! Here is an sample of my ossec-logtest
>>> output:
>>>
>>> **Phase 2: Completed decoding.
>>> decoder: 'iptables'
>>> action: 'AUDIT'
>>> srcip: '92.222.185.1'
>>> dstip: '51.254.36.238'
>>> proto: 'ICMP'
>>>
>>> But, while diving into the source code (in analysisd/alert/log.c):
>>>
>>> /* FW_Log: v0.1, 2005/12/30 */
>>> int FW_Log(Eventinfo *lf)
>>> {
>>> /* If we don't have the srcip or the
>>> * action, there is no point in going
>>> * forward over here
>>> */
>>> if(!lf->action || !lf->srcip || !lf->dstip || !lf->srcport ||
>>> !lf->dstport || !lf->protocol)
>>> {
>>> return(0);
>>> }
>>>
>>> I don't have srcport & dstport filled in so no log! I think I'll patch
>>> the code and
>>>
>>> I'm wondering why your ASA firewall provides ports!?
>>>
>>> About ossec2dshield, I wrote this tool a long time ago to share my logs
>>> with DShield.org.
>>> Ping me you want details!
>>>
>>> /x
>>>
>>>
>>> On Tue, Jan 26, 2016 at 9:05 PM, Brent Morris <brent....@gmail.com>
>>> wrote:
>>>
>>>> Xavier,
>>>>
>>>> I'm collecting logs from my ASA and I do see ICMP traffic in my
>>>> firewall.log -
>>>>
>>>> 2016 Jan 26 12:00:50 ossec->192.168.168.168 CLOSED ICMP
>>>> 1.2.3.4:10254->external.addr:10254
>>>> 2016 Jan 26 12:00:54 ossec->192.168.168.168 CLOSED ICMP
>>>> 1.2.3.4:10510->external.addr:10510
>>>> 2016 Jan 26 12:00:57 ossec->192.168.168.168 CLOSED ICMP
>>>> 1.2.3.4:10766->external.addr:10766
>>>> 2016 Jan 26 12:01:05 ossec->192.168.168.168 CLOSED ICMP
>>>> 1.2.3.4:11278->external.addr:11278
>>>>
>>>> I'm not sure what the issue might be.
>>>>
>>>> Also, thank you for the ossec2dshield script!!! I heard about it on
>>>> the Internet Storm Center Stormcast, but it might be worth plugging to the
>>>> list here too :)
>>>>
>>>> On Tuesday, January 26, 2016 at 1:08:12 AM UTC-8, Xavier Mertens wrote:
>>>>>
>>>>> I'm collected firewall logs from many Ubuntu servers (basically the
>>>>> /var/log/ufw.log).
>>>>> In this log, I can see events about TCP, UDP and ICMP traffic (allowed
>>>>> or dropped).
>>>>> But, on my OSSEC server, in my firewall.log, I don't see any event
>>>>> related to the ICMP protocol...
>>>>>
>>>>> /x
>>>>>
>>>>> On Sat, Jan 23, 2016 at 11:45 PM, Santiago Bassett <
>>>>> santiago...@gmail.com> wrote:
>>>>>
>>>>>> I am afraid I don't understand the problem or question, maybe if you
>>>>>> explain it a little bit more we can help better.
>>>>>>
>>>>>> Best
>>>>>>
>>>>>> On Thu, Jan 21, 2016 at 7:56 AM, Xavier Mertens <xmer...@gmail.com>
>>>>>> wrote:
>>>>>>
>>>>>>> Hi *,
>>>>>>>
>>>>>>> Maybe a stupid question but I'm investigating an issue and I've to
>>>>>>> browse my history of firewall.log files. Problem: I find only TCP/UDP
>>>>>>> events and nothing regarding ICMP packets?
>>>>>>>
>>>>>>> I tested via ossec-logstest and events are correctly parsed...
>>>>>>>
>>>>>>> I never paid attention to this in the past... :-(
>>>>>>> Any idea?
>>>>>>>
>>>>>>> /x
>>>>>>>
>>>>>>> --
>>>>>>>
>>>>>>> ---
>>>>>>> You received this message because you are subscribed to the Google
>>>>>>> Groups "ossec-list" group.
>>>>>>> To unsubscribe from this group and stop receiving emails from it,
>>>>>>> send an email to ossec-list+...@googlegroups.com.
>>>>>>> For more options, visit https://groups.google.com/d/optout.
>>>>>>>
>>>>>>
>>>>>> --
>>>>>>
>>>>>> ---
>>>>>> You received this message because you are subscribed to the Google
>>>>>> Groups "ossec-list" group.
>>>>>> To unsubscribe from this group and stop receiving emails from it,
>>>>>> send an email to ossec-list+...@googlegroups.com.
>>>>>> For more options, visit https://groups.google.com/d/optout.
>>>>>>
>>>>>
>>>>> --
>>>>
>>>> ---
>>>> You received this message because you are subscribed to the Google
>>>> Groups "ossec-list" group.
>>>> To unsubscribe from this group and stop receiving emails from it, send
>>>> an email to ossec-list+...@googlegroups.com.
>>>> For more options, visit https://groups.google.com/d/optout.
>>>>
>>>
>>> --
>>
>> ---
>> You received this message because you are subscribed to the Google Groups
>> "ossec-list" group.
>> To unsubscribe from this group and stop receiving emails from it, send an
>> email to ossec-list+...@googlegroups.com <javascript:>.
>> For more options, visit https://groups.google.com/d/optout.
>>
>
>
--
---
You received this message because you are subscribed to the Google Groups
"ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to ossec-list+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
