On Mon, Jan 30, 2017 at 10:46 AM, Bertrand Danos <[email protected]> wrote:
> Hello,
>
> I still have some problems with my custom rules.
> How to generate 3 different alerts depending on the messages?
>
>
> Here are my steps:
>
> 1) Add log file to monitor
> * Edit the file etc/ossec.conf and add the following lines:
>   <localfile>
>     <log_format>syslog</log_format>
>     <location>/var/log/firewall.log</location>
>   </localfile>
>
>
> 2) Create a decoder
> * Add in file etc/local_decoder.xml the following lines:
>
> <decoder name="netasq">
>   <prematch>^id=</prematch>
> </decoder>
>
> <decoder name="netasq-auth">
>   <parent>netasq</parent>
>   <prematch>logtype="auth"</prematch>
>   <regex>^id=(\S+) time=\.+ fw="(\w+)" \.+ user="(\S+)" src=(\S+) \.+
> logtype="auth"</regex>
>   <order>id, extra_data, user, srcip</order>
> </decoder>
>
> <decoder name="netasq-filter">
>   <parent>netasq</parent>
>   <prematch>logtype="filter"</prematch>
>   <regex>^id=(\S+) time=\.+ fw="(\w+)" \.+ srcifname="(\w+)" ipproto=(\S+)
> proto=(\S+) src=(\S+) srcport=(\d+) \.+ dst=(\S+) dstport=(\d+) \.+
> logtype="(\S+)"</regex>
>   <order>id, extra_data, extra_data, protocol, protocol, srcip, srcport,
> dstip, dstport</order>

I think you have too many entries in <order> here. There's a limit;
apparently you reached it.
I segfaulted with this decoder, but removing the srcifname entry fixed
it for me.

> </decoder>
>
> <decoder name="netasq-alarm">
>   <parent>netasq</parent>
>   <prematch>logtype="alarm"</prematch>
>   <regex>^id=(\S+) time=\.+ fw="(\w+)" \.+ msg="(\.+)" \.+
> logtype="alarm"</regex>
>   <order>id, extra_data, extra_data, action</order>
> </decoder>
>
>
> 3) Write custom rules:
> * Edit the file etc/ossec.conf and add in <ossec_config/rules> the line:
> <include>netasq.xml</include>
>
> * Create file rules/netasq.xml
>
> <group name="local,syslog,">
>
>   <rule id="3000001" level="0">

These IDs appear to be too large. Remove a 0.

>     <decoded_as>netasq-auth</decoded_as>

All of the log messages decode as "netasq."

>     <description>Authentication failure on firewall</description>
>   </rule>
>
>   <rule id="3000002" level="0">
>     <decoded_as>netasq-filter</decoded_as>
>     <description>Firewall has filtered some data</description>
>   </rule>
>
>   <rule id="3000003" level="0">
>     <decoded_as>netasq-alarm</decoded_as>
>     <description>Firewall has generated an alarm</description>
>   </rule>
>
> </group>
>
>
> For each sample I'd like to receive one of the 3 alerts:
>
> Dec  2 15:42:29 192.168.200.1 id=firewall time="2016-12-02 15:42:28"
> fw="test-fw" tz=+0000 startime="2016-12-02 15:42:28" user="admin"
> src=10.0.0.1 ruleid=0 method="PLAIN" error=4 msg="Authentication request
> invalid" logtype="auth"#015
>
> Dec  2 14:37:42 192.168.200.1 id=firewall time="2016-12-02 14:37:41"
> fw="test-fw" tz=+0000 startime="2016-12-02 14:37:40" pri=5 confid=01
> slotlevel=2 ruleid=1 srcif="Ethernet2" srcifname="eth2" ipproto=tcp
> proto=ssh src=10.0.0.2 srcport=33659 srcportname=ephemeral_fw_tcp
> srcname=admin dst=192.168.1.1 dstport=22 dstportname=ssh dstname=fw
> action=pass logtype="filter"#015
>
> Jan  9 14:54:32 192.168.200.1 id=firewall time="2017-01-09 14:53:49"
> fw="test-fw" tz=+0000 startime="2017-01-09 14:53:48" pri=4 confid=01
> slotlevel=2 ruleid=13 srcif="Ethernet2" srcifname="eth2" ipproto=icmp
> icmptype=8 icmpcode=0 proto=icmp src=10.0.0.2 dst=192.168.1.1 dstname=fw
> action=block msg="Filter alarm" class=filter classification=0
> logtype="alarm"#015
>

logtest output:
**Phase 1: Completed pre-decoding.
       full event: 'Dec  2 15:42:29 192.168.200.1 id=firewall
time="2016-12-02 15:42:28" fw="test-fw" tz=+0000 startime="2016-12-02
15:42:28" user="admin" src=10.0.0.1 ruleid=0 method="PLAIN" error=4
msg="Authentication request invalid"
logtype="auth"#015'
       hostname: '192.168.200.1'
       program_name: '(null)'
       log: 'id=firewall time="2016-12-02 15:42:28" fw="test-fw"
tz=+0000 startime="2016-12-02 15:42:28" user="admin" src=10.0.0.1
ruleid=0 method="PLAIN" error=4 msg="Authentication request invalid"
logtype="auth"#015'

**Phase 2: Completed decoding.
       decoder: 'netasq'
       id: 'firewall'
       extra_data: 'test-fw'
       dstuser: 'admin'
       srcip: '10.0.0.1'

**Phase 3: Completed filtering (rules).
       Rule id: '1002'
       Level: '2'
       Description: 'Unknown problem somewhere in the system.'
**Alert to be generated.




**Phase 1: Completed pre-decoding.
       full event: 'Dec  2 14:37:42 192.168.200.1 id=firewall
time="2016-12-02 14:37:41" fw="test-fw" tz=+0000 startime="2016-12-02
14:37:40" pri=5 confid=01 slotlevel=2 ruleid=1 srcif="Ethernet2"
srcifname="eth2" ipproto=tcp proto=ssh src=10.0.0.2 srcport=33659
srcportname=ephemeral_fw_tcp srcname=admin dst=192.168.1.1 dstport=22
dstportname=ssh dstname=fw action=pass logtype="filter"#015'
       hostname: '192.168.200.1'
       program_name: '(null)'
       log: 'id=firewall time="2016-12-02 14:37:41" fw="test-fw"
tz=+0000 startime="2016-12-02 14:37:40" pri=5 confid=01 slotlevel=2
ruleid=1 srcif="Ethernet2" srcifname="eth2" ipproto=tcp proto=ssh
src=10.0.0.2 srcport=33659 srcportname=ephemeral_fw_tcp srcname=admin
dst=192.168.1.1 dstport=22 dstportname=ssh dstname=fw action=pass
logtype="filter"#015'

**Phase 2: Completed decoding.
       decoder: 'netasq'
       id: 'firewall'
       extra_data: 'test-fw'
       proto: 'tcp'
       proto: 'ssh'
       srcip: '10.0.0.2'
       srcport: '33659'
       dstip: '192.168.1.1'
       dstport: '22'


**Phase 1: Completed pre-decoding.
       full event: 'Jan  9 14:54:32 192.168.200.1 id=firewall
time="2017-01-09 14:53:49" fw="test-fw" tz=+0000 startime="2017-01-09
14:53:48" pri=4 confid=01 slotlevel=2 ruleid=13 srcif="Ethernet2"
srcifname="eth2" ipproto=icmp icmptype=8 icmpcode=0 proto=icmp
src=10.0.0.2 dst=192.168.1.1 dstname=fw action=block msg="Filter
alarm" class=filter classification=0 logtype="alarm"#015'
       hostname: '192.168.200.1'
       program_name: '(null)'
       log: 'id=firewall time="2017-01-09 14:53:49" fw="test-fw"
tz=+0000 startime="2017-01-09 14:53:48" pri=4 confid=01 slotlevel=2
ruleid=13 srcif="Ethernet2" srcifname="eth2" ipproto=icmp icmptype=8
icmpcode=0 proto=icmp src=10.0.0.2
dst=192.168.1.1 dstname=fw action=block msg="Filter alarm"
class=filter classification=0 logtype="alarm"#015'

**Phase 2: Completed decoding.
       decoder: 'netasq'
       id: 'firewall'
       extra_data: 'test-fw'
       extra_data: 'Filter alarm'


>
>
>
> Thanks in advance for your help.
>
>
>
> --
>
> ---
> You received this message because you are subscribed to the Google Groups
> "ossec-list" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to [email protected].
> For more options, visit https://groups.google.com/d/optout.

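As an added example, not code from the original post, from OSSEC or from NETASQ, the Python script below emulates the three ossec-logtest phases over the sample lines above with the changes the reply suggests applied: the srcifname capture and its <order> entry are dropped from netasq-filter, the rules use <decoded_as>netasq</decoded_as> (the parent, which is what logtest reports) with IDs in the 100000-119999 local range, and a <match> on the logtype token tells the three rules apart, since all three samples decode as the same decoder. Python's re module stands in for OS_Regex, the cap of 8 <order> fields, the rule levels and the IDs 100001-100003 are assumptions, so the real check remains ossec-logtest.

```python
"""Emulate the OSSEC decoder -> rule pipeline over the three NETASQ samples in the
thread.  Added example, not OSSEC source or the poster's files; Python's re stands
in for OS_Regex, so confirm any result with ossec-logtest."""
import re
import xml.etree.ElementTree as ET

MAX_ORDER = 8  # assumed cap on <order> entries (OSSEC's MAX_DECODER_ORDER; check decoder.h)
FIELD_ALIAS = {"user": "dstuser", "protocol": "proto"}  # the names logtest prints for these

# Decoders as posted, except netasq-filter drops the srcifname capture and its
# <order> entry (the fix in the reply).  <root> is only there for ElementTree.
DECODERS_XML = r"""<root>
<decoder name="netasq"><prematch>^id=</prematch></decoder>
<decoder name="netasq-auth"><parent>netasq</parent><prematch>logtype="auth"</prematch>
  <regex>^id=(\S+) time=\.+ fw="(\w+)" \.+ user="(\S+)" src=(\S+) \.+ logtype="auth"</regex>
  <order>id, extra_data, user, srcip</order></decoder>
<decoder name="netasq-filter"><parent>netasq</parent><prematch>logtype="filter"</prematch>
  <regex>^id=(\S+) time=\.+ fw="(\w+)" \.+ ipproto=(\S+) proto=(\S+) src=(\S+) srcport=(\d+) \.+ dst=(\S+) dstport=(\d+) \.+ logtype="(\S+)"</regex>
  <order>id, extra_data, protocol, protocol, srcip, srcport, dstip, dstport</order></decoder>
<decoder name="netasq-alarm"><parent>netasq</parent><prematch>logtype="alarm"</prematch>
  <regex>^id=(\S+) time=\.+ fw="(\w+)" \.+ msg="(\.+)" \.+ logtype="alarm"</regex>
  <order>id, extra_data, extra_data, action</order></decoder>
</root>"""

# Rules with the reply's corrections (decoded_as names the parent decoder, IDs in the
# 100000-119999 local range) plus a <match> on logtype so each sample hits a different
# rule.  Levels (assumed) are above 0 because a level 0 rule never produces an alert.
RULES_XML = """<group name="local,syslog,">
  <rule id="100001" level="5"><decoded_as>netasq</decoded_as><match>logtype="auth"</match>
    <description>Authentication failure on firewall</description></rule>
  <rule id="100002" level="3"><decoded_as>netasq</decoded_as><match>logtype="filter"</match>
    <description>Firewall has filtered some data</description></rule>
  <rule id="100003" level="5"><decoded_as>netasq</decoded_as><match>logtype="alarm"</match>
    <description>Firewall has generated an alarm</description></rule>
</group>"""

SAMPLES = [  # the three lines from the thread; #015 is syslog's rendering of a CR
    'Dec  2 15:42:29 192.168.200.1 id=firewall time="2016-12-02 15:42:28" fw="test-fw" tz=+0000 startime="2016-12-02 15:42:28" user="admin" src=10.0.0.1 ruleid=0 method="PLAIN" error=4 msg="Authentication request invalid" logtype="auth"#015',
    'Dec  2 14:37:42 192.168.200.1 id=firewall time="2016-12-02 14:37:41" fw="test-fw" tz=+0000 startime="2016-12-02 14:37:40" pri=5 confid=01 slotlevel=2 ruleid=1 srcif="Ethernet2" srcifname="eth2" ipproto=tcp proto=ssh src=10.0.0.2 srcport=33659 srcportname=ephemeral_fw_tcp srcname=admin dst=192.168.1.1 dstport=22 dstportname=ssh dstname=fw action=pass logtype="filter"#015',
    'Jan  9 14:54:32 192.168.200.1 id=firewall time="2017-01-09 14:53:49" fw="test-fw" tz=+0000 startime="2017-01-09 14:53:48" pri=4 confid=01 slotlevel=2 ruleid=13 srcif="Ethernet2" srcifname="eth2" ipproto=icmp icmptype=8 icmpcode=0 proto=icmp src=10.0.0.2 dst=192.168.1.1 dstname=fw action=block msg="Filter alarm" class=filter classification=0 logtype="alarm"#015',
]

def os_regex_to_py(pattern):
    """OS_Regex -> re: '\\.' means any character, a bare '.' is literal, and '\\w' also
    accepts '@', '_' and '-' (the posted logtest output shows \\w+ matching "test-fw")."""
    out, i = [], 0
    while i < len(pattern):
        c = pattern[i]
        if c == "\\" and i + 1 < len(pattern):
            out.append({".": ".", "w": "[A-Za-z0-9@_-]"}.get(pattern[i + 1], c + pattern[i + 1]))
            i += 2
        else:
            out.append(r"\." if c == "." else c)
            i += 1
    return "".join(out)

def load_decoders(xml_text):
    decoders = []
    for d in ET.fromstring(xml_text).iter("decoder"):
        order = [f.strip() for f in d.findtext("order", "").split(",") if f.strip()]
        if len(order) > MAX_ORDER:  # the condition behind the segfault mentioned in the reply
            raise ValueError(f"{d.get('name')}: {len(order)} <order> fields, cap is {MAX_ORDER}")
        regex = d.findtext("regex")
        decoders.append({"name": d.get("name"), "parent": d.findtext("parent"),
                         "prematch": re.compile(os_regex_to_py(d.findtext("prematch"))),
                         "regex": re.compile(os_regex_to_py(regex)) if regex else None,
                         "order": [FIELD_ALIAS.get(f, f) for f in order]})
    return decoders

def load_rules(xml_text):
    return [{"id": r.get("id"), "level": int(r.get("level")), "decoded_as": r.findtext("decoded_as"),
             "match": r.findtext("match"), "description": r.findtext("description")}
            for r in ET.fromstring(xml_text).iter("rule")]

def decode(line, decoders):
    """Phase 1 strips the syslog header; phase 2 runs the parent <prematch>, then the first
    child whose <prematch> hits, pairing <regex> groups with <order> (surplus groups are
    dropped).  The decoder name returned is the parent's, as <decoded_as> sees it."""
    m = re.match(r"^\w{3} +\d+ \d\d:\d\d:\d\d \S+ (.*)$", line)
    body = m.group(1) if m else line
    for parent in (d for d in decoders if d["parent"] is None):
        if not parent["prematch"].search(body):
            continue
        for child in (d for d in decoders if d["parent"] == parent["name"]):
            if child["prematch"].search(body):
                rm = child["regex"].search(body) if child["regex"] else None
                return parent["name"], body, (list(zip(child["order"], rm.groups())) if rm else [])
        return parent["name"], body, []
    return None, body, []

def process(line, decoders, rules):
    """Phase 3: the first rule whose <decoded_as> and <match> (plain substring) both hold."""
    name, body, fields = decode(line, decoders)
    rule = next((r for r in rules if (not r["decoded_as"] or r["decoded_as"] == name)
                 and (not r["match"] or r["match"] in body)), None)
    return {"decoder": name, "fields": fields, "rule": rule}

def run_samples():
    decoders, rules = load_decoders(DECODERS_XML), load_rules(RULES_XML)
    return [process(s, decoders, rules) for s in SAMPLES]
```

Calling run_samples() returns, per sample, the decoder name, the decoded (field, value) pairs in the form logtest prints them (two extra_data entries for the alarm line, eight fields for the filter line), and the rule that fired; the ValueError in load_decoders is what stands in for the crash that the nine-field <order> produced.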