Issue submitted!

/x

On Wed, Jan 27, 2016 at 5:04 PM, Brent Morris <[email protected]> wrote:
> Is this worth submitting as an issue to github?
>
> https://github.com/ossec/ossec-hids/issues
>
> On Wednesday, January 27, 2016 at 12:08:54 AM UTC-8, Xavier Mertens wrote:
>>
>> I'll patch my analysisd to provide srcport and dstport with a value of
>> "0" if the protocol is "ICMP"... I need to keep traces of such events...
>>
>> /x
>>
>> On Tue, Jan 26, 2016 at 11:40 PM, Brent Morris <[email protected]> wrote:
>>
>>> Good catch!
>>>
>>> I think the ASA provides ports just as part of internal processing of
>>> the IP translation. Perhaps they're a sequence number or provide some
>>> internal function for IOS. They seem completely random. They change to
>>> the real port in the logs when using TCP or UDP. Here are the logs as seen
>>> from the ASA....
>>>
>>> ICMP
>>> 2016 Jan 26 02:00:49 ossec->1.2.3.4 Jan 26 2016 02:00:49: %ASA-6-302021: Teardown ICMP connection for faddr 8.8.8.8/0 gaddr external.addr/18125 laddr external.addr/18125(any)
>>> 2016 Jan 26 02:00:49 ossec->1.2.3.4 Jan 26 2016 02:00:49: %ASA-6-302020: Built outbound ICMP connection for faddr 8.8.8.8/0 gaddr external.addr/18126 laddr external.addr/18126(any)
>>> 2016 Jan 26 02:00:49 ossec->1.2.3.4 Jan 26 2016 02:00:49: %ASA-6-302021: Teardown ICMP connection for faddr 8.8.8.8/0 gaddr external.addr/18126 laddr external.addr/18126(any)
>>>
>>> In the case of a TCP or UDP connection, you'd see ....Built outbound
>>> TCP connection 60148807 for outside:137.135.12.16/443 (137.135.12.16/443)
>>> to inside:1.2.3.4/11515 (external.ip.addr/11515)
>>>
>>> On Tuesday, January 26, 2016 at 2:10:25 PM UTC-8, Xavier Mertens wrote:
>>>>
>>>> Hi Brent,
>>>> I think that I found the problem! Here is a sample of my ossec-logtest
>>>> output:
>>>>
>>>> **Phase 2: Completed decoding.
>>>>        decoder: 'iptables'
>>>>        action: 'AUDIT'
>>>>        srcip: '92.222.185.1'
>>>>        dstip: '51.254.36.238'
>>>>        proto: 'ICMP'
>>>>
>>>> But, while diving into the source code (in analysisd/alert/log.c):
>>>>
>>>>     /* FW_Log: v0.1, 2005/12/30 */
>>>>     int FW_Log(Eventinfo *lf)
>>>>     {
>>>>         /* If we don't have the srcip or the
>>>>          * action, there is no point in going
>>>>          * forward over here
>>>>          */
>>>>         if(!lf->action || !lf->srcip || !lf->dstip || !lf->srcport ||
>>>>            !lf->dstport || !lf->protocol)
>>>>         {
>>>>             return(0);
>>>>         }
>>>>
>>>> I don't have srcport & dstport filled in so no log! I think I'll patch
>>>> the code and
>>>>
>>>> I'm wondering why your ASA firewall provides ports!?
>>>>
>>>> About ossec2dshield, I wrote this tool a long time ago to share my logs
>>>> with DShield.org.
>>>> Ping me if you want details!
>>>>
>>>> /x
>>>>
>>>> On Tue, Jan 26, 2016 at 9:05 PM, Brent Morris <[email protected]> wrote:
>>>>
>>>>> Xavier,
>>>>>
>>>>> I'm collecting logs from my ASA and I do see ICMP traffic in my
>>>>> firewall.log -
>>>>>
>>>>> 2016 Jan 26 12:00:50 ossec->192.168.168.168 CLOSED ICMP 1.2.3.4:10254 ->external.addr:10254
>>>>> 2016 Jan 26 12:00:54 ossec->192.168.168.168 CLOSED ICMP 1.2.3.4:10510 ->external.addr:10510
>>>>> 2016 Jan 26 12:00:57 ossec->192.168.168.168 CLOSED ICMP 1.2.3.4:10766 ->external.addr:10766
>>>>> 2016 Jan 26 12:01:05 ossec->192.168.168.168 CLOSED ICMP 1.2.3.4:11278 ->external.addr:11278
>>>>>
>>>>> I'm not sure what the issue might be.
>>>>>
>>>>> Also, thank you for the ossec2dshield script!!! I heard about it on
>>>>> the Internet Storm Center Stormcast, but it might be worth plugging to the
>>>>> list here too :)
>>>>>
>>>>> On Tuesday, January 26, 2016 at 1:08:12 AM UTC-8, Xavier Mertens wrote:
>>>>>>
>>>>>> I'm collecting firewall logs from many Ubuntu servers (basically the
>>>>>> /var/log/ufw.log).
>>>>>> In this log, I can see events about TCP, UDP and ICMP traffic
>>>>>> (allowed or dropped).
>>>>>> But, on my OSSEC server, in my firewall.log, I don't see any event
>>>>>> related to the ICMP protocol...
>>>>>>
>>>>>> /x
>>>>>>
>>>>>> On Sat, Jan 23, 2016 at 11:45 PM, Santiago Bassett <[email protected]> wrote:
>>>>>>
>>>>>>> I am afraid I don't understand the problem or question, maybe if you
>>>>>>> explain it a little bit more we can help better.
>>>>>>>
>>>>>>> Best
>>>>>>>
>>>>>>> On Thu, Jan 21, 2016 at 7:56 AM, Xavier Mertens <[email protected]> wrote:
>>>>>>>
>>>>>>>> Hi *,
>>>>>>>>
>>>>>>>> Maybe a stupid question but I'm investigating an issue and I've to
>>>>>>>> browse my history of firewall.log files. Problem: I find only TCP/UDP
>>>>>>>> events and nothing regarding ICMP packets?
>>>>>>>>
>>>>>>>> I tested via ossec-logtest and events are correctly parsed...
>>>>>>>>
>>>>>>>> I never paid attention to this in the past... :-(
>>>>>>>> Any idea?
>>>>>>>>
>>>>>>>> /x
>>>>>>>>
>>>>>>>> --
>>>>>>>>
>>>>>>>> ---
>>>>>>>> You received this message because you are subscribed to the Google
>>>>>>>> Groups "ossec-list" group.
>>>>>>>> To unsubscribe from this group and stop receiving emails from it,
>>>>>>>> send an email to [email protected].
>>>>>>>> For more options, visit https://groups.google.com/d/optout.
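The thread boils down to one gate in analysisd: FW_Log() drops any decoded firewall event that lacks srcport, dstport or protocol, so ufw/iptables ICMP events (which have no ports) never reach firewall.log, while the ASA events pass only because that decoder happens to supply port-like numbers. The following C program is an added illustration, not OSSEC's code: it re-implements the quoted check over a hypothetical cut-down FwEvent struct (not the real Eventinfo), beside the patched variant Xavier describes (srcport/dstport set to "0" when protocol is ICMP), and feeds both the decoded fields from the thread. The "ACTION PROTO src:port->dst:port" output shape and the gate_event/fw_line helper names are assumptions for the example; the sample inputs are constructed from the decoded values shown above.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical cut-down stand-in for OSSEC's Eventinfo: only the fields
 * the quoted FW_Log() gate looks at (not the real struct). */
typedef struct {
    const char *action;
    const char *srcip;
    const char *dstip;
    const char *srcport;
    const char *dstport;
    const char *protocol;
} FwEvent;

/* Gate as quoted from analysisd/alert/log.c: any missing field drops the
 * event, so a decoder that yields no ports (ufw/iptables ICMP) never logs. */
int fw_log_original(const FwEvent *lf)
{
    if (!lf->action || !lf->srcip || !lf->dstip || !lf->srcport ||
        !lf->dstport || !lf->protocol) {
        return 0;               /* silently dropped: no firewall.log line */
    }
    return 1;
}

/* Patched gate as described in the thread: ICMP carries no ports, so fill
 * srcport/dstport with "0" before the same checks. Other protocols unchanged. */
int fw_log_patched(FwEvent *lf)
{
    if (lf->protocol && strcmp(lf->protocol, "ICMP") == 0) {
        if (!lf->srcport) lf->srcport = "0";
        if (!lf->dstport) lf->dstport = "0";
    }
    return fw_log_original(lf);
}

/* Build an event from decoder fields and run it through one of the gates.
 * Returns 1 if the event would be written to firewall.log, 0 if dropped. */
int gate_event(const char *action, const char *srcip, const char *dstip,
               const char *srcport, const char *dstport, const char *protocol,
               int use_patch)
{
    FwEvent lf = { action, srcip, dstip, srcport, dstport, protocol };
    return use_patch ? fw_log_patched(&lf) : fw_log_original(&lf);
}

/* Render the firewall.log line in the "ACTION PROTO src:port->dst:port"
 * shape seen in the thread (assumed format), using the patched gate.
 * Returns a pointer to a static buffer, or "" if the event was dropped. */
const char *fw_line(const char *action, const char *srcip, const char *dstip,
                    const char *srcport, const char *dstport, const char *protocol)
{
    static char buf[256];
    FwEvent lf = { action, srcip, dstip, srcport, dstport, protocol };
    buf[0] = '\0';
    if (fw_log_patched(&lf)) {
        snprintf(buf, sizeof buf, "%s %s %s:%s->%s:%s", lf.action, lf.protocol,
                 lf.srcip, lf.srcport, lf.dstip, lf.dstport);
    }
    return buf;
}

int main(void)
{
    /* Constructed inputs: the ufw ICMP event decoded by ossec-logtest above. */
    printf("ufw ICMP, original gate: %s\n",
           gate_event("AUDIT", "92.222.185.1", "51.254.36.238",
                      NULL, NULL, "ICMP", 0) ? "logged" : "dropped");
    printf("ufw ICMP, patched gate:  %s\n",
           fw_line("AUDIT", "92.222.185.1", "51.254.36.238", NULL, NULL, "ICMP"));
    /* The ASA decoder supplies (arbitrary) ports for ICMP, so it passed unpatched. */
    printf("ASA ICMP, original gate: %s\n",
           gate_event("CLOSED", "1.2.3.4", "external.addr",
                      "10254", "10254", "ICMP", 0) ? "logged" : "dropped");
    /* A UDP event without ports is still dropped by the patched gate. */
    printf("UDP no ports, patched:   %s\n",
           gate_event("DROP", "10.0.0.1", "10.0.0.2",
                      NULL, NULL, "UDP", 1) ? "logged" : "dropped");
    return 0;
}
```

Compile with `cc fw_gate.c -o fw_gate && ./fw_gate`. The point for anyone relying on firewall.log for investigations is that the original gate fails closed and silent: an entire protocol can be missing from the archive with no error anywhere, which is exactly what the first message in the thread ran into. The patch only special-cases ICMP, so any other decoder that omits ports keeps the same blind spot; a quick check is to run ossec-logtest on a sample of each firewall log type and confirm that every decoded event shows srcport and dstport, or is handled by the ICMP default.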
