Is this worth submitting as an issue to github? https://github.com/ossec/ossec-hids/issues
On Wednesday, January 27, 2016 at 12:08:54 AM UTC-8, Xavier Mertens wrote:
>
> I'll patch my analysisd to provide srcport and dstport with a value of "0"
> if the protocol is "ICMP"... I need to keep traces of such events...
>
> /x
>
> On Tue, Jan 26, 2016 at 11:40 PM, Brent Morris <brent....@gmail.com> wrote:
>
>> Good catch!
>>
>> I think the ASA provides ports just as part of internal processing of the
>> IP translation. Perhaps they're a sequence number or provide some internal
>> function for IOS. They seem completely random. They change to the real
>> port in the logs when using TCP or UDP. Here are the logs as seen from the
>> ASA....
>>
>> ICMP
>> 2016 Jan 26 02:00:49 ossec->1.2.3.4 Jan 26 2016 02:00:49: %ASA-6-302021: Teardown ICMP connection for faddr 8.8.8.8/0 gaddr external.addr/18125 laddr external.addr/18125(any)
>> 2016 Jan 26 02:00:49 ossec->1.2.3.4 Jan 26 2016 02:00:49: %ASA-6-302020: Built outbound ICMP connection for faddr 8.8.8.8/0 gaddr external.addr/18126 laddr external.addr/18126(any)
>> 2016 Jan 26 02:00:49 ossec->1.2.3.4 Jan 26 2016 02:00:49: %ASA-6-302021: Teardown ICMP connection for faddr 8.8.8.8/0 gaddr external.addr/18126 laddr external.addr/18126(any)
>>
>> In the case of a TCP or UDP connection, you'd see ....Built outbound TCP connection 60148807 for outside:137.135.12.16/443 (137.135.12.16/443) to inside:1.2.3.4/11515 (external.ip.addr/11515)
>>
>> On Tuesday, January 26, 2016 at 2:10:25 PM UTC-8, Xavier Mertens wrote:
>>>
>>> Hi Brent,
>>> I think that I found the problem! Here is a sample of my ossec-logtest
>>> output:
>>>
>>> **Phase 2: Completed decoding.
>>>        decoder: 'iptables'
>>>        action: 'AUDIT'
>>>        srcip: '92.222.185.1'
>>>        dstip: '51.254.36.238'
>>>        proto: 'ICMP'
>>>
>>> But, while diving into the source code (in analysisd/alert/log.c):
>>>
>>> /* FW_Log: v0.1, 2005/12/30 */
>>> int FW_Log(Eventinfo *lf)
>>> {
>>>     /* If we don't have the srcip or the
>>>      * action, there is no point in going
>>>      * forward over here
>>>      */
>>>     if(!lf->action || !lf->srcip || !lf->dstip || !lf->srcport ||
>>>        !lf->dstport || !lf->protocol)
>>>     {
>>>         return(0);
>>>     }
>>>
>>> I don't have srcport & dstport filled in so no log! I think I'll patch
>>> the code and
>>>
>>> I'm wondering why your ASA firewall provides ports!?
>>>
>>> About ossec2dshield, I wrote this tool a long time ago to share my logs
>>> with DShield.org.
>>> Ping me if you want details!
>>>
>>> /x
>>>
>>>
>>> On Tue, Jan 26, 2016 at 9:05 PM, Brent Morris <brent....@gmail.com> wrote:
>>>
>>>> Xavier,
>>>>
>>>> I'm collecting logs from my ASA and I do see ICMP traffic in my
>>>> firewall.log -
>>>>
>>>> 2016 Jan 26 12:00:50 ossec->192.168.168.168 CLOSED ICMP 1.2.3.4:10254->external.addr:10254
>>>> 2016 Jan 26 12:00:54 ossec->192.168.168.168 CLOSED ICMP 1.2.3.4:10510->external.addr:10510
>>>> 2016 Jan 26 12:00:57 ossec->192.168.168.168 CLOSED ICMP 1.2.3.4:10766->external.addr:10766
>>>> 2016 Jan 26 12:01:05 ossec->192.168.168.168 CLOSED ICMP 1.2.3.4:11278->external.addr:11278
>>>>
>>>> I'm not sure what the issue might be.
>>>>
>>>> Also, thank you for the ossec2dshield script!!! I heard about it on
>>>> the Internet Storm Center Stormcast, but it might be worth plugging to the
>>>> list here too :)
>>>>
>>>> On Tuesday, January 26, 2016 at 1:08:12 AM UTC-8, Xavier Mertens wrote:
>>>>>
>>>>> I'm collecting firewall logs from many Ubuntu servers (basically the
>>>>> /var/log/ufw.log).
>>>>> In this log, I can see events about TCP, UDP and ICMP traffic (allowed
>>>>> or dropped).
>>>>> But, on my OSSEC server, in my firewall.log, I don't see any event
>>>>> related to the ICMP protocol...
>>>>>
>>>>> /x
>>>>>
>>>>> On Sat, Jan 23, 2016 at 11:45 PM, Santiago Bassett <santiago...@gmail.com> wrote:
>>>>>
>>>>>> I am afraid I don't understand the problem or question, maybe if you
>>>>>> explain it a little bit more we can help better.
>>>>>>
>>>>>> Best
>>>>>>
>>>>>> On Thu, Jan 21, 2016 at 7:56 AM, Xavier Mertens <xmer...@gmail.com> wrote:
>>>>>>
>>>>>>> Hi *,
>>>>>>>
>>>>>>> Maybe a stupid question but I'm investigating an issue and I've to
>>>>>>> browse my history of firewall.log files. Problem: I find only TCP/UDP
>>>>>>> events and nothing regarding ICMP packets?
>>>>>>>
>>>>>>> I tested via ossec-logtest and events are correctly parsed...
>>>>>>>
>>>>>>> I never paid attention to this in the past... :-(
>>>>>>> Any idea?
>>>>>>>
>>>>>>> /x
>>>>>>>
>>>>>>> --
>>>>>>>
>>>>>>> ---
>>>>>>> You received this message because you are subscribed to the Google
>>>>>>> Groups "ossec-list" group.
>>>>>>> To unsubscribe from this group and stop receiving emails from it,
>>>>>>> send an email to ossec-list+...@googlegroups.com.
>>>>>>> For more options, visit https://groups.google.com/d/optout.
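The thread's root cause, shown in working code. This is an added example, not OSSEC project code: it models the all-fields-present guard that Xavier quoted from analysisd/alert/log.c and the fix he described (fill srcport and dstport with "0" when the protocol is ICMP), then renders the event in the `ACTION PROTO src:port->dst:port` shape that Brent's firewall.log lines show. The `FwEvent` struct is a constructed subset of OSSEC's `Eventinfo`, the function names are assumptions, and the sample event is built from the decoded fields in Xavier's ossec-logtest output.

```c
/* Added example (not OSSEC code): why ICMP events never reach firewall.log
 * when the decoder leaves srcport/dstport unset, and the "0" fill-in fix. */
#include <stdio.h>
#include <string.h>
#include <strings.h>

/* Constructed subset of OSSEC's Eventinfo; NULL means "decoder did not set it". */
typedef struct {
    const char *action;
    const char *srcip;
    const char *dstip;
    const char *srcport;
    const char *dstport;
    const char *protocol;
} FwEvent;

/* Same guard as the FW_Log() excerpt in the thread: any missing field
 * (including the ports) means the event is silently skipped. */
int fw_log_accepts(const FwEvent *lf)
{
    if (!lf->action || !lf->srcip || !lf->dstip || !lf->srcport ||
        !lf->dstport || !lf->protocol) {
        return 0;
    }
    return 1;
}

/* The fix Xavier described: ICMP carries no ports, so substitute "0"
 * before the guard runs. Returns 1 if anything was filled in, else 0.
 * Events for other protocols are left untouched. */
int fill_icmp_ports(FwEvent *lf)
{
    int filled = 0;
    if (!lf->protocol || strcasecmp(lf->protocol, "ICMP") != 0) {
        return 0;
    }
    if (!lf->srcport) { lf->srcport = "0"; filled = 1; }
    if (!lf->dstport) { lf->dstport = "0"; filled = 1; }
    return filled;
}

/* Render one firewall.log entry the way the thread shows it
 * ("CLOSED ICMP 1.2.3.4:10254->external.addr:10254"), minus the timestamp
 * and host prefix. Returns 1 on success, 0 if the event is rejected or
 * the buffer is too small. */
int format_fw_line(const FwEvent *lf, char *out, size_t outlen)
{
    if (!fw_log_accepts(lf)) {
        return 0;
    }
    int n = snprintf(out, outlen, "%s %s %s:%s->%s:%s",
                     lf->action, lf->protocol,
                     lf->srcip, lf->srcport, lf->dstip, lf->dstport);
    return n > 0 && (size_t)n < outlen;
}

/* Constructed sample: the ICMP event from Xavier's ossec-logtest output,
 * which has action/srcip/dstip/proto but no ports. */
FwEvent sample_icmp_event(void)
{
    FwEvent e = { "AUDIT", "92.222.185.1", "51.254.36.238", NULL, NULL, "ICMP" };
    return e;
}

int main(void)
{
    char line[128];
    FwEvent e = sample_icmp_event();

    printf("before fix: %s\n", fw_log_accepts(&e) ? "logged" : "dropped");
    fill_icmp_ports(&e);
    if (format_fw_line(&e, line, sizeof line)) {
        printf("after fix:  %s\n", line);
    }
    return 0;
}
```

The same guard is what makes Brent's ASA events pass: the ASA happens to emit a number in the port position for ICMP, so both fields are non-NULL and the entry is written, whereas the ufw/iptables decoder leaves them unset and the event is dropped before it is ever written. Filling "0" keeps the firewall.log format stable for any downstream parser (ossec2dshield included) while still recording the ICMP traffic.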