Looking at the syslog packets I see the Cisco ASA only uses local facility
codes but my Palo Alto uses User facility codes:
08:55:50.340558 IP (tos 0x0, ttl 64, id 917, offset 0, flags [DF], proto
UDP (17), length 329)
10.10.10.151.44375 > 10.10.10.17.syslog: SYSLOG, length: 301
*Facility user (1)*, Severity info (6)
Msg: Oct 15 08:55:50 10.10.10.151 1,2019/10/15
08:55:50,012001010622,SYSTEM,userid,0,2019/10/15
08:55:50,,connect-ldap-sever,10.10.10.10,0,0,general,informational,"ldap
cfg DOMAIN GMapping FW-Admins connected to server 10.10.10.10:389,
initiated by: 10.10.10.152",1204131,0x0,0,0,0,0,,fw2
08:55:50.726480 IP (tos 0x0, ttl 254, id 65458, offset 0, flags [none],
proto UDP (17), length 190)
10.10.2.2.syslog > 10.10.10.17.syslog: SYSLOG, length: 162
*Facility local4 (20)*, Severity warning (4)
Msg: Oct 15 08:55:50 EDT fw1 : %ASA-4-106023: Deny udp src
outside:10.10.201.105/137 dst outside:10.10.201.255/137 by access-group
"outside_access_in" [0x0, 0x0]\0x0a
I can't change the ASA to be anything other than local facility.
On Tuesday, October 15, 2019 at 8:34:52 AM UTC-4, Nate wrote:
>
> Hi Dan,
>
> Yes, I restarted the OSSEC service with: service OSSEC restart
>
> Right now the iptables are wide open due to this issue:
>
> # iptables -L
> Chain INPUT (policy ACCEPT)
> target prot opt source destination
>
> Chain FORWARD (policy ACCEPT)
> target prot opt source destination
>
> Chain OUTPUT (policy ACCEPT)
> target prot opt source destination
> # iptables -S
> -P INPUT ACCEPT
> -P FORWARD ACCEPT
> -P OUTPUT ACCEPT
>
> My full remote connections list is the following:
>
> <remote>
> <connection>syslog</connection>
> <allowed-ips>10.10.10.0/23</allowed-ips>
> <allowed-ips>10.10.2.2</allowed-ips>
> <allowed-ips>10.10.39.2</allowed-ips>
> <allowed-ips>10.10.6.2</allowed-ips>
> <allowed-ips>10.10.9.1</allowed-ips>
> <allowed-ips>192.168.2.0/24</allowed-ips>
> <port>514</port>
> </remote>
>
> I will move the 10.10.2.2 up above the /23 in case this is causing it,
> but I know we are getting syslog events from all other sources.
>
> Maybe it's the Cisco packet?
>
> On Tuesday, October 15, 2019 at 7:19:23 AM UTC-4, dan (ddpbsd) wrote:
>>
>> On Mon, Oct 14, 2019 at 3:03 PM Nate <[email protected]> wrote:
>> >
>> > Hi,
>> >
>> > I've never seen this before, but I set up our ASA 5516 to send syslog
>> events to our OSSEC server to detect SHUN events.
>> >
>> > ossec.conf
>> > <remote>
>> > <connection>syslog</connection>
>> > <allowed-ips>10.10.2.2</allowed-ips>
>> > <port>514</port>
>> > </remote>
>> >
>> > <alerts>
>> > <log_alert_level>0</log_alert_level>
>> > <email_alert_level>9</email_alert_level>
>> > </alerts>
>> >
>> >
>> > local_rules.xml
>> >
>> > <group name="ASA,LANAttack">
>> > <rule id="100260" level="9">
>> > <!-- <decoded_as>ASA-lanattk</decoded_as> -->
>> > <if_sid>4100</if_sid>
>> > <regex>ASA-4-73310\d|ASA-4-40100\d</regex>
>> > <description>ASA Shun event</description>
>> > </rule>
>> > </group>
>> >
>> >
>> > but reviewing the alerts, archives and database, no events from our
>> 10.10.2.2 or ASA show up. Running tcpdump on ossec shows they are received
>> by the server:
>> >
>> > 14:53:41.611883 IP (tos 0x0, ttl 254, id 54586, offset 0, flags [none],
>> proto UDP (17), length 140)
>> > 10.10.2.2.syslog > 10.10.10.17.syslog: SYSLOG, length: 112
>> > Facility local0 (16), Severity warning (4)
>> > Msg: Oct 14 14:53:41 EDT fw1 : %ASA-4-401004: Shunned packet:
>> 10.10.35.37 ==> 87.106.71.108 on interface inside\0x0a
>> > 14:53:41.614335 IP (tos 0x0, ttl 254, id 46962, offset 0, flags [none],
>> proto UDP (17), length 140)
>> > 10.10.2.2.syslog > 10.10.10.17.syslog: SYSLOG, length: 112
>> > Facility local0 (16), Severity warning (4)
>> > Msg: Oct 14 14:53:41 EDT fw1 : %ASA-4-401004: Shunned packet:
>> 10.10.35.37 ==> 87.106.71.108 on interface inside\0x0a
>> >
>> > If I copy out the Msg and paste it into ossec-logtest, it does process
>> it to my rule:
>> >
>> > [USER@ossec~]# /var/ossec/bin/ossec-logtest
>> > 2019/10/14 14:58:37 ossec-testrule: INFO: Reading local decoder file.
>> > 2019/10/14 14:58:37 ossec-testrule: INFO: Started (pid: 29400).
>> > ossec-testrule: Type one log per line.
>> >
>> > Oct 14 14:53:41 EDT fw1 : %ASA-4-401004: Shunned packet: 10.10.35.37
>> ==> 87.106.71.108 on interface inside\0x0a
>> >
>> >
>> > **Phase 1: Completed pre-decoding.
>> > full event: 'Oct 14 14:53:41 EDT fw1 : %ASA-4-401004: Shunned
>> packet: 10.10.35.37 ==> 87.106.71.108 on interface inside\0x0a'
>> > hostname: 'EDT'
>> > program_name: '(null)'
>> > log: 'fw1 : %ASA-4-401004: Shunned packet: 10.10.35.37 ==>
>> 87.106.71.108 on interface inside\0x0a'
>> >
>> > **Phase 2: Completed decoding.
>> > decoder: 'ASA-lanattk'
>> >
>> > **Phase 3: Completed filtering (rules).
>> > Rule id: '100260'
>> > Level: '9'
>> > Description: 'ASA Shun event'
>> > **Alert to be generated.
>> >
>> > I see that UDP port 514 is running:
>> >
>> > [root@secserv ~]# netstat -anp | grep 514
>> > tcp 0 0 127.0.0.1:3306 127.0.0.1:37514
>> ESTABLISHED 5542/mysqld
>> > tcp 0 0 127.0.0.1:37514 127.0.0.1:3306
>> ESTABLISHED 29340/ossec-dbd
>> > udp 0 0 :::1514 :::*
>> 29373/ossec-remoted
>> > udp 0 0 :::514 :::*
>> 29372/ossec-remoted
>> >
>> >
>> > What obvious thing am I missing to set up an ASA to OSSEC? Our HP
>> switches and Palo Alto firewall are sending syslogs just fine.
>> >
>>
>> After adding the system to allowed-ips, did you restart the OSSEC
>> processes on the OSSEC server?
>> Is there a host firewall (iptables) on the OSSEC server? Is 514/UDP
>> open to 10.10.2.2?
>>
--
---
You received this message because you are subscribed to the Google Groups
"ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to [email protected].
To view this discussion on the web visit
https://groups.google.com/d/msgid/ossec-list/e847005b-0106-4853-abef-512ff3a4a11f%40googlegroups.com.
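Decoding the facility and severity that tcpdump labelled above, and reproducing the Phase 1 split that ossec-logtest showed (hostname 'EDT', program_name null, then the rule regex from local_rules.xml), as an added example that is not part of this thread or of OSSEC's own code. The raw PRI bytes are reconstructed from the facility/severity pairs quoted above (RFC 3164: PRI = facility*8 + severity), and the pre-decoder is a simplified stand-in for OSSEC's, not its actual logic.

```python
import re

# RFC 3164 names indexed by numeric code; the PRI byte is facility*8 + severity.
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news", "uucp",
              "cron", "authpriv", "ftp", "ntp", "security", "console", "solaris-cron",
              "local0", "local1", "local2", "local3", "local4", "local5", "local6", "local7"]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

PRI_RE = re.compile(r"^<(\d{1,3})>(.*)$", re.DOTALL)
# BSD-syslog header: "Mon DD HH:MM:SS" followed by one token taken as the hostname.
# That is the split the ossec-logtest output in this thread reflects: with "EDT"
# sitting between the timestamp and "fw1", the hostname comes out as 'EDT'.
HEADER_RE = re.compile(r"^[A-Z][a-z]{2} {1,2}\d{1,2} \d\d:\d\d:\d\d (\S+) (.*)$", re.DOTALL)
PROG_RE = re.compile(r"^([^\s:\[]+)(?:\[\d+\])?: (.*)$", re.DOTALL)   # "prog[pid]: msg"
SHUN_RE = re.compile(r"ASA-4-73310\d|ASA-4-40100\d")  # regex from rule 100260 above

def decode_pri(datagram):
    """Return (facility_name, severity_name, message) for a raw syslog datagram."""
    m = PRI_RE.match(datagram)
    if not m or int(m.group(1)) >= 8 * len(FACILITIES):
        return None, None, datagram          # no (valid) PRI: tcpdump would not label it
    pri = int(m.group(1))
    return FACILITIES[pri // 8], SEVERITIES[pri % 8], m.group(2)

def predecode(msg):
    """Approximate ossec-logtest Phase 1: hostname, program_name and log body."""
    h = HEADER_RE.match(msg.rstrip("\n"))    # "\0x0a" in tcpdump is this trailing newline
    if not h:
        return {"hostname": None, "program_name": None, "log": msg.rstrip("\n")}
    p = PROG_RE.match(h.group(2))
    if p:
        return {"hostname": h.group(1), "program_name": p.group(1), "log": p.group(2)}
    return {"hostname": h.group(1), "program_name": None, "log": h.group(2)}

def is_shun_event(datagram):
    """True when the pre-decoded log body matches the shun rule's regex."""
    return SHUN_RE.search(predecode(decode_pri(datagram)[2])["log"]) is not None

# Constructed datagrams: the PRI byte is reconstructed from the facility/severity that
# tcpdump printed in the thread (local0/warning = 132, local4/warning = 164, user/info = 14).
ASA_SHUN = ("<132>Oct 14 14:53:41 EDT fw1 : %ASA-4-401004: Shunned packet: "
            "10.10.35.37 ==> 87.106.71.108 on interface inside\n")
ASA_DENY = ("<164>Oct 15 08:55:50 EDT fw1 : %ASA-4-106023: Deny udp src "
            "outside:10.10.201.105/137 dst outside:10.10.201.255/137 by access-group "
            "\"outside_access_in\" [0x0, 0x0]\n")
PAN_LDAP = "<14>Oct 15 08:55:50 10.10.10.151 1,2019/10/15 08:55:50,012001010622,SYSTEM,userid,0\n"
```

Running predecode on the ASA lines shows the same hostname/program_name result as the logtest output above, so the facility difference alone does not change what the rule regex sees.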