Hi Jesus!
Hope you have had a nice summer so far :) I'm revisiting this decoder with, what I hoped would be, a fresh (rested) pair of eyes ;) Unfortunately, I realize I still have trouble sorting this one out in an efficient manner. I was hoping I could ask you for a few additional pointers especially regarding how to best extract the relevant information from all five types of messages (outlined below). My current challenge is that the 'catch all' parent decoder and allow-block-child, result in events of types redirect/alert/system alert not be parsed completely i.e. information like action/src/dst/message not being extracted. I have attacked the problem from the few angles I can think of, but have come up short :( Note: All messages except "System Alert" now share a commonality in the hostname which is the active node in the cluster, possible values being st4600fw01n1 or st4600fw01n2 . Previously (in thread) you showed me how the actions could be used in parent decoder <prematch>^redirect \p|^prevent \p|^allow \p|^block \p|^mail System Alert|\S+ alert Protection Name:</prematch>. - Should I use the hostname as the matching criteria for my parent decoder and group these four events together whilst creating a separate decoder for System Alert? - How would you then suggest I go about extracting the information action/srcip/dstip/url/extra data for the for types of messages in this 'group' using child decoders? BLOCK Jun 2 13:24:13 st4600fw01n1 block <eth6 mail src: 192.168.71.151; dst: 54.164.78.72; proto: tcp; bytes: 1845; sent_bytes: 749; received_bytes: 1096; app_id: 1347922162; browse_time: ******; Suppressed logs: 7; Referrer_self_uid: ******; Referrer_Parent_uid: ******; product: URL Filtering; service: http; s_port: 51096; product_family: Network; Jun 2 13:24:54 st4600fw01n1 block <eth6 mail src: 192.168.71.151; dst: 54.164.78.72; proto: tcp; bytes: 11122; sent_bytes: 4494; received_bytes: 6628; app_id: 1347922162; browse_time: ******; Referrer_self_uid: ******; product: URL Filtering; service: http; s_port: 51096; product_family: Network; Jun 2 13:31:57 st4600fw01n1 block <eth6 mail src: 192.168.71.3; dst: 152.115.75.210; proto: tcp; appi_name: ******; app_desc: ******; app_id: 1875144601; app_category: ******; matched_category: ******; app_properties: ******; app_risk: ******; app_rule_id: ******; app_rule_name: ******; web_client_type: Other: Mozilla/5.0 (Windows NT 6.3; WOW64; Trident/7.0; Touch; rv:11.0) like Gecko; web_server_type: Other: nginx; resource: http://adx.adform.net/adx/?rp=3&pv=1&bWNyPWhiX2FkaWQ6MmIwZmQyMDc0OTllYTEmZHByPTQuMjA2NjQmbWt2PWhiX2JpZGRlcjpydWJpY29uJm1rdz12ZWN0dXJhJTJDZmFzdGlnaGV0ZXIlMkNhYiUyQzU1NjkwMzA1ODcmbWlkPTExODY4NQ&bWNyPWhiX2FkaWQ6MWEwNDNmY2MyNjk2MTk4JmRwcj04LjMwODk2OSZta3Y9aGJfYmlkZGVyOnJ1Ymljb24mbWt3PXZlY3R1cmElMkNmYXN0aWdoZXRlciUyQ2FiJTJDNTU2OTAzMDU4NyZtaWQ9MTE4Njg0&callback=_adform_cb_1464866991419_10159400672628005; proxy_src_ip: 192.168.71.3; product: URL Filtering; service: http; s_port: 51311; product_family: Network; ALLOW Jun 2 13:50:15 st4600fw01n1 allow <eth6 mail src: 192.168.99.11; dst: 107.170.204.55; proto: tcp; appi_name: ******; app_desc: ******; app_id: 60520086; app_category: ******; matched_category: ******; app_properties: ******; app_risk: ******; app_rule_id: ******; app_rule_name: ******; app_sig_id: 60520086:4; proxy_src_ip: 192.168.99.11; product: Application Control; service: https; s_port: 54159; product_family: Network; Jun 2 13:59:05 st4600fw01n1 allow <eth1 mail src: 192.168.99.11; dst: 89.208.212.2; proto: tcp; appi_name: ******; app_desc: ******; app_id: 10063753; app_category: ******; matched_category: ******; app_properties: ******; app_risk: ******; app_rule_id: ******; app_rule_name: ******; web_client_type: Chrome; web_server_type: Microsoft-IIS; app_sig_id: 10063753:5; resource: http://www.aliveproxy.com/; proxy_src_ip: 192.168.99.11; product: Application Control; service: http; s_port: 54473; product_family: Network; ALERT May 31 08:05:18 > st4600fw01n1 alert Protection Name: TCP Urgent Data Enforcement; Severity: 0; Confidence Level: 0; protection_id: tcp_block_urg_bit_enable; SmartDefense Profile: Recommended_Protection; Performance Impact: 0; Protection Type: settings; Attack Info: TCP segment with urgent pointer (no data). Urgent data indication was stripped. Please refer to sk36869.; attack: Streaming Engine: TCP Urgent Data Enforcement; Total logs: 8; Suppressed logs: 7; proto: tcp; dst: 52.22.193.162; src: 192.168.10.204; product: SmartDefense; service: http; s_port: 50869; FollowUp: Not Followed; product_family: Network; May 31 17:51:04 > st4600fw01n1 alert Protection Name: TCP Urgent Data Enforcement; Severity: 0; Confidence Level: 0; protection_id: tcp_block_urg_bit_enable; SmartDefense Profile: Recommended_Protection; Performance Impact: 0; Protection Type: settings; rule: 21; rule_uid: {3F67BCCB-8087-4974-95FA-F4A4FF466D49}; rule_name: #name; Attack Info: TCP segment with urgent pointer (no data). Urgent data indication was stripped. Please refer to sk36869.; attack: Streaming Engine: TCP Urgent Data Enforcement; Total logs: 24; Suppressed logs: 23; proto: tcp; dst: 54.239.168.11; src: 192.168.10.204; product: SmartDefense; service: http; s_port: 60324; FollowUp: Not Followed; product_family: Network; Aug 17 12:37:14 > st4600fw01n1 alert Protection Name: TCP Urgent Data Enforcement; Severity: 0; Confidence Level: 0; protection_id: tcp_block_urg_bit_enable; SmartDefense Profile: Recommended_Protection; Performance Impact: 0; Protection Type: settings; rule: 23; rule_uid: {3F67BCCB-8087-4974-95FA-F4A4FF466D49}; rule_name: #name; Attack Info: TCP segment with urgent pointer (no data). Urgent data indication was stripped. Please refer to sk36869.; attack: Streaming Engine: TCP Urgent Data Enforcement; Total logs: 11; Suppressed logs: 10; proto: tcp; dst: 80.251.201.102; src: 172.18.46.230; product: SmartDefense; service: https; s_port: 57991; FollowUp: Not Followed; product_family: Network; Aug 17 04:33:21 > st4600fw01n1 alert Protection Name: Packet Sanity; Severity: 2; Confidence Level: 5; protection_id: PacketSanity; SmartDefense Profile: Recommended_Protection; Performance Impact: 1; Industry Reference: CAN-2002-1071; Protection Type: anomaly; Attack Info: Invalid TCP packet - source / destination port 0; attack: Malformed Packet; Total logs: 3; Suppressed logs: 2; proto: tcp; dst: 80.169.184.240; src: 185.65.132.121; product: SmartDefense; FollowUp: Not Followed; product_family: Network; REDIRECT Jun 2 13:54:09 st4600fw01n1 redirect <eth1 alert web_client_type: Chrome; resource: http://sc1.checkpoint.com/za/images/threatwiki/pages/TestAntiBotBlade.html; src: 192.168.99.11; dst: 172.226.217.148; proto: tcp; session_id: {0x57501e61,0x1001b,0xc50d2e0a,0xc0000000}; Protection name: Check Point - Testing Bot; malware_family: Check Point; Source OS: Windows; Confidence Level: 5; severity: 2; malware_action: Communication with C&C site; rule_uid: {9AF67731-0D35-4117-AF2B-9A47F9396D26}; Protection Type: URL reputation; malware_rule_id: {000000CE-00A4-0046-9658-621EA5468654}; protection_id: 00233CFEE; log_id: 2; proxy_src_ip: 192.168.99.11; scope: 192.168.99.11; product: Anti Malware; service: http; s_port: 54402; SYSTEM ALERT May 31 21:31:58 sto-fwm03 mail System Alert message: A Firewall Policy has been successfully installed on st4600fw01n1; Object: st4600fw01n1; Event: Change; Parameter: policy_time; Condition: changes Tue May 31 14:44:13 2016; Current value: Tue May 31 21:04:34 2016; product: System Monitor; product_family: Network; I realize I'm pushing my luck here! You have done more than enough to set me off in the right direction, and it might just be that I should work up my skills on simpler messages. However, hoping that the concepts you share on creating parent/child decoders is useful to the rest of the community. Best regards, Fredrik On Friday, April 15, 2016 at 6:28:22 PM UTC+2, Jesus Linares wrote: > > Hi Fredrik, > > It is good progress. You can capture all events with: > > <decoder name="Checkpoint-test"> > <prematch>^redirect \p|^prevent \p|^allow \p|^block \p|^mail System > Alert|\S+ alert Protection Name:</prematch> > <type>firewall</type> > </decoder> > > > I know... It is not very elegant, but it controls all your events. Also, > you can add a tag in the beginning of the log (by the firewall settings or > with *rsyslog*) and the decoder will be vey easy: > > Logs: > *FredikFirewall *Apr 15 12:23:16 > st4600fw01n1 alert Protection Name: > TCP Urgent Data Enforcement; Severity: 0; Confidence Level: 0; > protection_id: tcp_block_urg_bit_enable; SmartDefense Profile: > Recommended_Protection; Performance Impact: 0; Protection Type: settings; > rule: 20; rule_uid: {3F67BCCB-8087-4974-95FA-F4A4FF466D49}; rule_name: > #sample; > Attack Info: TCP segment with urgent pointer (no data). Urgent data > indication was stripped. Please refer to sk36869.; attack: Streaming > Engine: TCP Urgent Data Enforcement; Total logs: 3; Suppressed logs: 2; > proto: tcp; dst: 104.16.65.50; src: 192.168.10.204; product: SmartDefense; > service: https; s_port: 56814; FollowUp: Not Followed; product_family: > Network; > > > > Decoder: > <decoder name="Checkpoint-test"> > <prematch>^FredikFirewall </prematch> > <type>firewall</type> > </decoder> > > > Regards, > Jesus Linares. > > > > On Friday, April 15, 2016 at 3:47:17 PM UTC+2, Fredrik wrote: >> >> Hello Jesus! >> >> >> Story continues. Just wanted to let you know that I have been able, with >> help, to unify ALL the messages for easier handling in OSSEC. Thing is now >> that the hostname is extracted automagically (by OSSEC) from the message >> and I guess can't be used for my prematch, or? Ossec-logtest will treat the >> hostname as part of the header and start the 'Log:' section with e.g. >> >> block <eth6 mail src: 10.46.7.196; dst: 37.157.4.16; protocol ... >> >> How would you tackle this? Right a prematch with all operative words >> (actions) that is used with the messages I'm interested in (e.g. >> ^allow|^block|^prevent|^redirect)? In my scenario this shouldn't conflict >> with other type of messages. I'm guessing that you Ossec-pros will have >> options and better alternative though ;) I would also like to match the >> decoder regardless of which node in the firewall cluster is the source of >> the event? I The two possibilities are st4600fw01n1 and st4600fw01n2 . >> >> Here are more message samples: >> >> pr 15 14:41:53 st4600fw01n1 allow <eth6 mail src: 192.168.5.133; dst: >> 216.131.91.92; proto: tcp; appi_name: ******; app_desc: ******; app_id: >> 60461422; app_category: ******; matched_category: ******; app_properties: >> ******; app_risk: ******; app_rule_id: ******; app_rule_name: ******; >> web_client_type: Chrome; web_server_type: Apache; app_sig_id: 60461422:1; >> resource: >> http://strongvpn.com/difference_between_proxy_and_vpn.html?utm_source=adwords&utm_medium=sem&gclid=Cj0KEQjwosK4BRCYhsngx4_SybcBEiQAowaCJTFp6qNVmL7E-BhfeTkQouJTwpHN5v1wslK79jD62k4aAqBB8P8HAQ; >> >> proxy_src_ip: 192.168.5.133; product: Application Control; service: http; >> s_port: 59319; product_family: Network; >> >> Apr 15 14:21:37 st4600fw01n1 redirect <eth1 alert web_client_type: >> Chrome; resource: >> http://sc1.checkpoint.com/za/images/threatwiki/pages/TestAntiBotBlade.html; >> src: 192.168.5.133; dst: 184.31.90.152; proto: tcp; session_id: >> {0x5710dcd1,0x10002,0xc50d2e0a,0xc0000000}; Protection name: Check Point - >> Testing Bot; malware_family: Check Point; Source OS: Windows; Confidence >> Level: 5; severity: 2; malware_action: Communication with C&C site; >> rule_uid: {9AF67731-0D35-4117-AF2B-9A47F9396D26}; Protection Type: URL >> reputation; malware_rule_id: {000000CE-00A4-0046-9658-621EA5468654}; >> protection_id: 00233CFEE; log_id: 2; proxy_src_ip: 192.168.5.133; scope: >> 192.168.5.133; product: Anti Malware; service: http; s_port: 57878; >> >> Apr 15 05:35:51 st4600fw01n1 prevent <eth6 alert src: 82.221.102.34; dst: >> 192.168.99.4; proto: tcp; session_id: >> {0x57106197,0x10003,0xc50d2e0a,0xc0000001}; Protection name: >> Trojan.Win32.HackerDefender.C; malware_family: HackerDefender; Source OS: >> Solaris; Confidence Level: 5; severity: 4; malware_action: Malicious >> network activity; rule_uid: {25157EEE-C09C-4FE0-A872-E0A1486526B8}; >> rule_name: #extweb; Protection Type: protection; malware_rule_id: >> {000000CE-00A4-0046-9658-621EA5468654}; protection_id: 000043FBC; log_id: >> 2; scope: 192.168.99.4; product: Anti Malware; service: http; s_port: 49228; >> >> Apr 15 14:13:17 st4600fw01n1 block <eth6 mail src: 192.168.7.196; dst: >> 37.157.2.24; proto: tcp; appi_name: ******; app_desc: ******; app_id: >> 1875144601; app_category: ******; matched_category: ******; app_properties: >> ******; app_risk: ******; app_rule_id: ******; app_rule_name: ******; >> web_client_type: Chrome; web_server_type: Other: nginx; resource: >> http://adx.adform.net/adx/?rp=3&pv=1&bWlkPTk3ODMyJmN0dXJsPWh0dHA6Ly9mdXNpb24uYm9ubmllcnRpZHNrcmlmdGVyLnNlL2V2ZW50L2ZsaXlmL2J0LmVrb25vbWkucGFmLnJvcy8xNDc3OTkyNzcvY2xpY2s_dXJsPQ&bWlkPTk3ODMxJmN0dXJsPWh0dHA6Ly9mdXNpb24uYm9ubmllcnRpZHNrcmlmdGVyLnNlL2V2ZW50L2V0YnN3L2J0LmVrb25vbWkucGFmLnJvcy8xNDc3OTkyNzAvY2xpY2s_dXJsPQ&bWlkPTk3ODI5JmN0dXJsPWh0dHA6Ly9mdXNpb24uYm9ubmllcnRpZHNrcmlmdGVyLnNlL2V2ZW50L3FmdWh5L2J0LmVrb25vbWkucGFmLnJvcy8xNDc3OTkyNTYvY2xpY2s_dXJsPQ&callback=_adform_cb_1460722287088_3438587873323349; >> >> proxy_src_ip: 192.168.7.196; product: URL Filtering; service: http; s_port: >> 51190; product_family: Network; >> >> Apr 15 11:16:05 st4600fw01n1 block <eth6 mail src: 192.168.8.67; dst: >> 64.207.139.185; proto: tcp; appi_name: ******; app_desc: ******; app_id: >> 3723664659; app_category: ******; matched_category: ******; app_properties: >> ******; app_risk: ******; app_rule_id: ******; app_rule_name: ******; >> web_client_type: Chrome; web_server_type: Apache; resource: >> http://cdn.wibiya.com/Toolbars/dir_0650/Toolbar_650079/Loader_650079.js; >> proxy_src_ip: 192.168.8.67; product: URL Filtering; service: http; s_port: >> 61907; product_family: Network; >> >> The two outliers now are the messages below. Not quite sure how to handle >> them, but two additional decoders seem required, At least I'm down to two >> outliers and not a whole bunch of exceptions as previously :) :) What would >> be your take on how to treat these two? >> >> Mar 7 13:07:53 sto-fwm03 mail System Alert message: A Firewall Policy >> has been successfully installed on st4600fw01n1; Object: st4600fw01n1; >> Event: Change; Parameter: policy_time; Condition: changes Mon Mar 7 >> 13:03:42 2016; Current value: Mon Mar 7 13:08:48 2016; product: Test >> Monitor; product_family: Network; >> >> Apr 15 12:23:16 > st4600fw01n1 alert Protection Name: TCP Urgent Data >> Enforcement; Severity: 0; Confidence Level: 0; protection_id: >> tcp_block_urg_bit_enable; SmartDefense Profile: Recommended_Protection; >> Performance Impact: 0; Protection Type: settings; rule: 20; rule_uid: >> {3F67BCCB-8087-4974-95FA-F4A4FF466D49}; rule_name: #sample; Attack Info: >> TCP segment with urgent pointer (no data). Urgent data indication was >> stripped. Please refer to sk36869.; attack: Streaming Engine: TCP Urgent >> Data Enforcement; Total logs: 3; Suppressed logs: 2; proto: tcp; dst: >> 104.16.65.50; src: 192.168.10.204; product: SmartDefense; service: https; >> s_port: 56814; FollowUp: Not Followed; product_family: Network; >> >> Best regards, >> Fredrik >> >> >> On Friday, April 1, 2016 at 1:18:17 PM UTC+2, Jesus Linares wrote: >> >> Hi Fredrik, >> >> here an example of decoding allow/block events (with the option >> *after_regex*): >> >> >> <!-- >> pattern: >> Mar 29 09:04:21 127.0.0.1 Mar 29 8:52:29 st4600fw01n1 Text >> --> >> <decoder name="Checkpoint-test"> >> <prematch>^\w\w\w \d+ \d+:\d+:\d+ \S+ </prematch> >> <type>firewall</type> >> </decoder> >> >> >> <!-- >> Mar 30 09:03:56 127.0.0.1 Mar 30 8:52:05 st4600fw01n1 allow <eth6 mail >> src: 192.168.5.133; dst: 89.208.212.2; proto: tcp; bytes: 2396; sent_bytes: >> 1180; received_bytes: 1216; app_id: 10063753; browse_time: ******; >> Suppressed logs: 19; Referrer_self_uid: ******; product: Application >> Control; service: http; s_port: 64136; product_family: Network; >> --> >> <decoder name="Checkpoint-block-allow"> >> <parent>Checkpoint-test</parent> >> <prematch offset="after_parent">^block|^allow</prematch> >> <regex offset="after_parent">(\w+) \S+ \S+ src: (\d+.\d+.\d+.\d+); >> dst: (\d+.\d+.\d+.\d+)</regex> >> <order>action,srcip,dstip</order> >> </decoder> >> >> >> <!-- >> Checkpoint-block-allow: extra fields: resource and product >> Mar 30 09:03:35 127.0.0.1 Mar 30 8:51:43 st4600fw01n1 allow <eth6 mail >> src: 192.168.5.133; dst: 89.208.212.2; proto: tcp; appi_name: ******; >> app_desc: ******; app_id: 10063753; app_category: ******; matched_category: >> ******; app_properties: ******; app_risk: ******; app_rule_id: ******; >> app_rule_name: ******; web_client_type: Chrome; web_server_type: >> Microsoft-IIS; app_sig_id: 10063753:5; resource: >> http://www.aliveproxy.com/; proxy_src_ip: 192.168.5.133; product: >> Application Control; service: http; s_port: 64136; product_family: Network; >> --> >> <decoder name="Checkpoint-block-allow"> >> <parent>Checkpoint-test</parent> >> <regex offset="after_regex">resource: (\S+); proxy_src_ip: \S+; >> product: (\.+); </regex> >> <order>url, extra_data</order> >> </decoder> >> >> >> I recommend you configure all your checkpoint devices with the same log >> format. If you can't you could use *several parents*: >> >> <!-- >> pattern: >> Mar 29 09:04:21 127.0.0.1 Mar 29 8:52:29 st4600fw01n1 Text >> --> >> <decoder name="Checkpoint-test"> >> <prematch>^\w\w\w \d+ \d+:\d+:\d+ \S+ </prematch> >> <type>firewall</type> >> </decoder> >> >> >> <!-- >> pattern: >> Mar 30 10:04:39 127.0.0.1 redirect <eth1 alert web_client_type: Chrome; >> resource: >> http://sc1.checkpoint.com/za/images/threatwiki/pages/TestAntiBotBlade.html; >> src: 192.168.5.133; dst: 172.226.217.148; proto: tcp; session_id: >> {0x56fb8896,0x10009,0xc50d2e0a,0xc0000001}; Protection name: Check Point - >> Testing Bot; malware_family: Check Point; Source OS: Windows; Confidence >> Level: 5; severity: 2; malware_action: Communication with C&C site; >> rule_uid: {9AF67731-0D35-4117-AF2B-9A47F9396D26}; Protection Type: URL >> reputation; malware_rule_id: {000000CE-00A4-0046-9658-621EA5468654}; >> protection_id: 00233CFEE; log_id: 2; proxy_src_ip: 192.168.5.133; scope: >> 192.168.5.133; product: Anti Malware; service: http; s_port: 49244; >> >> >> Mar 29 20:13:14 127.0.0.1 prevent <eth1 alert web_client_type: Microsoft >> IE; resource: >> http://www.bing.com/fd/ls/GLinkPing.aspx?IG=9A0044152B65437D93F87086B9E730D9&&ID=SERP,5118.1&url=http://sc1.checkpoint.com/z...; >> >> src: 192.168.5.133; dst: 204.79.197.200; proto: tcp; session_id: >> {0x56fac5ba,0x10004,0xc50d2e0a,0xc0000000}; Protection name: Check Point - >> Testing Bot; malware_family: Check Point; Source OS: Windows; Confidence >> Level: 5; severity: 2; malware_action: Communication with C&C site; >> rule_uid: {9AF67731-0D35-4117-AF2B-9A47F9396D26}; Protection Type: URL >> reputation; malware_rule_id: {000000CE-00A4-0046-9658-621EA5468654}; >> protection_id: 00233CFEE; log_id: 2; proxy_src_ip: 192.168.5.133; scope: >> 192.168.5.133; product: Anti Malware; service: http; s_port: 63119; >> --> >> <decoder name="Checkpoint-test"> >> <prematch>^redirect \p|^prevent \p</prematch> >> <type>firewall</type> >> </decoder> >> >> >> <!-- >> Mar 30 09:03:56 127.0.0.1 Mar 30 8:52:05 st4600fw01n1 allow <eth6 mail >> src: 192.168.5.133; dst: 89.208.212.2; proto: tcp; bytes: 2396; sent_bytes: >> 1180; received_bytes: 1216; app_id: 10063753; browse_time: ******; >> Suppressed logs: 19; Referrer_self_uid: ******; product: Application >> Control; service: http; s_port: 64136; product_family: Network; >> --> >> <decoder name="Checkpoint-block-allow"> >> <parent>Checkpoint-test</parent> >> <prematch offset="after_parent">^block|^allow</prematch> >> <regex offset="after_parent">(\w+) \S+ \S+ src: (\d+.\d+.\d+.\d+); >> dst: (\d+.\d+.\d+.\d+)</regex> >> <order>action,srcip,dstip</order> >> </decoder> >> >> >> <!-- >> Checkpoint-block-allow: extra fields: resource and product >> Mar 30 09:03:35 127.0.0.1 Mar 30 8:51:43 st4600fw01n1 allow <eth6 mail >> src: 192.168.5.133; dst: 89.208.212.2; proto: tcp; appi_name: ******; >> app_desc: ******; app_id: 10063753; app_category: ******; matched_category: >> ******; app_properties: ******; app_risk: ******; app_rule_id: ******; >> app_rule_name: ******; web_client_type: Chrome; web_server_type: >> Microsoft-IIS; app_sig_id: 10063753:5; resource: >> http://www.aliveproxy.com/; proxy_src_ip: 192.168.5.133; product: >> Application Control; service: http; s_port: 64136; product_family: Network; >> --> >> <decoder name="Checkpoint-block-allow"> >> <parent>Checkpoint-test</parent> >> <regex offset="after_regex">resource: (\S+); proxy_src_ip: \S+; >> product: (\.+); </regex> >> <order>url, extra_data</order> >> </decoder> >> >> >> P.S. My name is Jesus, not Jose ;). >> >> Regards, >> Jesus Linares. >> >> >> >> On Wednesday, March 30, 2016 at 10:28:09 AM UTC+2, Fredrik wrote: >> >> Hi Jose, >> >> >> I got some help to sort out the different timestamps (format) and all log >> types now use "Jan 27 09:41:01". You asked about the firewall, this >> particular one is a Checkpoint currently running version R77.20. >> >> The remaining question, that might be of interest to others on the path >> to OSSEC mastery ;) ;) is how to handle messages with different "format" >> coming from the same host. I have collected a bunch of messages that I >> would like to be able to decode, but I'm not sure about the most efficient >> way to build the parent/child decoder tree for this. >> >> With the help received previously in this thread, I currently have the >> following in my local_decoder and I'm experimenting with different addition >> - none of which is working so far ;) >> >> <decoder name="Checkpoint"> >> <prematch>^\w+ \d+ \d+:\d+:\d+ st4600fw01n\d</prematch> >> <type>firewall</type> >> </decoder> >> >> <decoder name="Checkpoint-alert"> >> <parent>Checkpoint</parent> >> <regex offset="after_parent">(\w+) \p\w+ \w+ >> src:\s(\d+.\d+.\d+.\d+);\sdst:\s(\d+.\d+.\d+.\d+)</regex> >> <order>action,srcip,dstip</order> >> </decoder> >> >> <decoder name="Checkpoint-alert"> >> <parent>Checkpoint</parent> >> <regex offset="after_regex">\.*resource: (\.*);\.*product: >> (\.*);</regex> >> <order>url,extra_data</order> >> </decoder> >> >> >> Below is a collection of syslog messages recieved from the firewall where >> the first section is currently decoded using the local_decoder above: >> >> >> Mar 29 10:09:40 127.0.0.1 Mar 29 9:57:49 st4600fw01n1 block <eth6 mail >> src: 192.168.7.206; dst: 54.72.9.51; proto: tcp; bytes: 4962; sent_bytes: >> 530; received_bytes: 4432; app_id: 3404393449; browse_time: ******; >> Suppressed logs: 1; Referrer_self_uid: ******; product: URL Filtering; >> service: http; s_port: 54693; product_family: Network; >> >> Mar 29 20:57:00, st4600fw01n1, allow <eth1 mail src: 192.168.5.133; dst: >> 89.208.212.2; proto: tcp; appi_name: ******; app_desc: ******; app_id: >> 10063753; app_category: ******; matched_category: ******; app_properties: >> ******; app_risk: ******; app_rule_id: ******; app_rule_name: ******; >> web_client_type: Microsoft IE; web_server_type: Microsoft-IIS; app_sig_id: >> 10063753:5; resource: http://aliveproxy.com/; proxy_src_ip: >> 192.168.5.133; product: Application Control; service: http; s_port: 63867; >> product_family: Network; >> >> Mar 30 09:04:14 127.0.0.1 Mar 30 8:52:22 st4600fw01n1 allow <eth6 mail >> src: 192.168.5.133; dst: 23.67.132.180; proto: tcp; appi_name: ******; >> app_desc: ******; app_id: 10003219; app_category: ******; matched_category: >> ******; app_properties: ******; app_risk: ******; app_rule_id: ******; >> app_rule_name: ******; app_sig_id: 10003219:4; proxy_src_ip: 192.168.5.133; >> product: Application Control; service: https; s_port: 64166; >> product_family: Network; >> >> Mar 30 09:03:56 127.0.0.1 Mar 30 8:52:05 st4600fw01n1 allow <eth6 mail >> src: 192.168.5.133; dst: 89.208.212.2; proto: tcp; bytes: 2396; sent_bytes: >> 1180; received_bytes: 1216; app_id: 10063753; browse_time: ******; >> Suppressed logs: 19; Referrer_self_uid: ******; product: Application >> Control; service: http; s_port: 64136; product_family: Network; >> >> Mar 30 09:03:35 127.0.0.1 Mar 30 8:51:43 st4600fw01n1 allow <eth6 mail >> src: 192.168.5.133; dst: 89.208.212.2; proto: tcp; appi_name: ******; >> app_desc: ******; app_id: 10063753; app_category: ******; matched_category: >> ******; app_properties: ******; app_risk: ******; app_rule_id: ******; >> app_rule_name: ******; web_client_type: Chrome; web_server_type: >> Microsoft-IIS; app_sig_id: 10063753:5; resource: >> http://www.aliveproxy.com/; proxy_src_ip: 192.168.5.133; product: >> Application Control; service: http; s_port: 64136; product_family: Network; >> >> Mar 29 09:04:21 127.0.0.1 Mar 29 8:52:29 st4600fw01n1 block <eth6 mail >> src: 192.168.5.136; dst: 37.157.4.15; proto: tcp; appi_name: ******; >> app_desc: ******; app_id: 1875144601; app_category: ******; >> matched_category: ******; app_properties: ******; app_risk: ******; >> app_rule_id: ******; app_rule_name: ******; web_client_type: Other: >> Mozilla/5.0 (Windows NT 6.3; WOW64; Trident/7.0; Touch; rv:11.0) like >> Gecko; web_server_type: Other: nginx; resource: >> http://adx.adform.net/adx/?rp=3&pv=1&bWlkPTE1NzU3NiZybmQ9ODU1M2JjNGMtMmY2MC00YzVjLWFhMzAtYmY5NzZlNDllZDNk&callback=_adform_cb_1459234242747_7491414591872548; >> >> proxy_src_ip: 192.168.5.136; product: URL Filtering; service: http; s_port: >> 54051; product_family: Network; >> >> Mar 29 09:06:12 127.0.0.1 Mar 29 8:54:21 st4600fw01n1 block <eth6 mail >> src: 192.168.6.157; dst: 37.157.4.15; proto: tcp; appi_name: ******; >> app_desc: ******; app_id: 1875144601; app_category: ******; >> matched_category: ******; app_properties: ******; app_risk: ******; >> app_rule_id: ******; app_rule_name: ******; web_client_type: Other: >> Mozilla/5.0 (Windows NT 6.3; WOW64; Trident/7.0; Touch; rv:11.0) like >> Gecko; web_server_type: Other: nginx; resource: >> http://adx.adform.net/adx/?rp=3&pv=1&bWlkPTk1NzI4&callback=_adform_cb_1459234355177_008705563130792681; >> >> proxy_src_ip: 192.168.6.157; product: URL Filtering; service: http; s_port: >> 51746; product_family: Network; >> >> Mar 29 08:37:54 127.0.0.1 Mar 29 8:26:03 st4600fw01n1 block <eth6 mail >> src: 192.168.6.157; dst: 152.115.75.210; proto: tcp; appi_name: ******; >> app_desc: ******; app_id: 1875144601; app_category: ******; >> matched_category: ******; app_properties: ******; app_risk: ******; >> app_rule_id: ******; app_rule_name: ******; web_client_type: Other: >> Mozilla/5.0 (Windows NT 6.3; WOW64; Trident/7.0; Touch; rv:11.0) like >> Gecko; web_server_type: Other: nginx; resource: >> http://adx.adform.net/adx/?rp=3&pv=1&bWlkPTk3ODMyJmN0dXJsPWh0dHA6Ly9mdXNpb24uYm9ubmllcnRpZHNrcmlmdGVyLnNlL2V2ZW50L3VlZXVqL2J0LmVrb25vbWkucGFmLnJvcy8xNDc3OTkyNzcvY2xpY2s_dXJsPQ&bWlkPTk3ODMxJmN0dXJsPWh0dHA6Ly9mdXNpb24uYm9ubmllcnRpZHNrcmlmdGVyLnNlL2V2ZW50L3lydmd2L2J0LmVrb25vbWkucGFmLnJvcy8xNDc3OTkyNzAvY2xpY2s_dXJsPQ&callback=_adform_cb_1459232656248_7681010355476278; >> >> proxy_src_ip: 192.168.6.157; product: URL Filtering; service: http; s_port: >> 51104; product_family: Network; >> >> Mar 29 08:35:17 127.0.0.1 Mar 29 8:23:24 st4600fw01n1 block <eth6 mail >> src: 192.168.6.157; dst: 152.115.75.199; proto: tcp; appi_name: ******; >> app_desc: ******; app_id: 1875144601; app_category: ******; >> matched_category: ******; app_properties: ******; app_risk: ******; >> app_rule_id: ******; app_rule_name: ******; web_client_type: Other: >> Mozilla/5.0 (Windows NT 6.3; WOW64; Trident/7.0; Touch; rv:11.0) like >> Gecko; web_server_type: Other: nginx; resource: >> http://adx.adform.net/adx/?rp=3&pv=1&bWlkPTk1NzMw&callback=_adform_cb_1459232497393_6046677836175733; >> >> proxy_src_ip: 192.168.6.157; product: URL Filtering; service: http; s_port: >> 50904; product_family: Network; >> >> >> >> >> Mar 30 10:04:39 127.0.0.1 redirect <eth1 alert web_client_type: Chrome; >> resource: >> http://sc1.checkpoint.com/za/images/threatwiki/pages/TestAntiBotBlade.html; >> src: 192.168.5.133; dst: 172.226.217.148; proto: tcp; session_id: >> {0x56fb8896,0x10009,0xc50d2e0a,0xc0000001}; Protection name: Check Point - >> Testing Bot; malware_family: Check Point; Source OS: Windows; Confidence >> Level: 5; severity: 2; malware_action: Communication with C&C site; >> rule_uid: {9AF67731-0D35-4117-AF2B-9A47F9396D26}; Protection Type: URL >> reputation; malware_rule_id: {000000CE-00A4-0046-9658-621EA5468654}; >> protection_id: 00233CFEE; log_id: 2; proxy_src_ip: 192.168.5.133; scope: >> 192.168.5.133; product: Anti Malware; service: http; s_port: 49244; >> >> Mar 29 20:13:14 127.0.0.1 prevent <eth1 alert web_client_type: Microsoft >> IE; resource: >> http://www.bing.com/fd/ls/GLinkPing.aspx?IG=9A0044152B65437D93F87086B9E730D9&&ID=SERP,5118.1&url=http://sc1.checkpoint.com/z...; >> >> src: 192.168.5.133; dst: 204.79.197.200; proto: tcp; session_id: >> {0x56fac5ba,0x10004,0xc50d2e0a,0xc0000000}; Protection name: Check Point - >> Testing Bot; malware_family: Check Point; Source OS: Windows; Confidence >> Level: 5; severity: 2; malware_action: Communication with C&C site; >> rule_uid: {9AF67731-0D35-4117-AF2B-9A47F9396D26}; Protection Type: URL >> reputation; malware_rule_id: {000000CE-00A4-0046-9658-621EA5468654}; >> protection_id: 00233CFEE; log_id: 2; proxy_src_ip: 192.168.5.133; scope: >> 192.168.5.133; product: Anti Malware; service: http; s_port: 63119; >> >> Mar 30 9:04:59, st4600fw01n1, allow <eth6 mail src: 192.168.5.133; dst: >> 207.244.85.73; proto: tcp; appi_name: ******; app_desc: ******; app_id >> : 10064017; app_category: ******; matched_category: ******; >> app_properties: ******; app_risk: >> >> ... > > -- --- You received this message because you are subscribed to the Google Groups "ossec-list" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. For more options, visit https://groups.google.com/d/optout.
