Re: [ossec-list] ossec and mysql database fails to run

2015-10-27 Thread dan (ddp)
On Oct 27, 2015 6:34 PM, "pgaltieri"  wrote:
>
> I compiled the latest ossec-hids code with mysql database support:
>
> cd src
> make TARGET=server DATABASE=mysql
>
> After running the install.sh script I enable the database and start ossec.
>
> /usr/local/etc/ossec/bin/ossec-control enable database
> /usr/local/etc/ossec/bin/ossec-control start
>
>
> The start fails with:
>
> OSSEC analysisd: Testing rules failed. Configuration error. Exiting.
>
> After some debugging it comes down to this:
>
> ./ossec-logtest -t -v -c ../etc/ossec.conf -D /usr/local/etc/ossec/
> 2015/10/27 14:53:30 ossec-testrule: INFO: Reading local decoder file.
> 2015/10/27 14:53:30 ossec-testrule(1103): ERROR: Could not open file '/var/ossec/etc/internal_options.conf' due to [(2)-(No such file or directory)].
> 2015/10/27 14:53:30 ossec-testrule(2301): ERROR: Definition not found for: 'analysisd.default_timeframe'.
>
> The issue is related to the location where ossec is installed.  On my system ossec is installed in
>
> /usr/local/etc/ossec/
>
> However,  logtest still looks in the default location.
>
> If I build ossec without database support then
>
> ./ossec-logtest -t -v -c ../etc/ossec.conf -D /usr/local/etc/ossec/
>
> 2015/10/27 15:13:26 adding rule: rules_config.xml
> 2015/10/27 15:13:26 adding rule: pam_rules.xml
> 2015/10/27 15:13:26 adding rule: sshd_rules.xml
> 2015/10/27 15:13:26 adding rule: telnetd_rules.xml
> 2015/10/27 15:13:26 adding rule: syslog_rules.xml
> 2015/10/27 15:13:26 adding rule: arpwatch_rules.xml
> 2015/10/27 15:13:26 adding rule: symantec-av_rules.xml
> 2015/10/27 15:13:26 adding rule: symantec-ws_rules.xml
> 2015/10/27 15:13:26 adding rule: pix_rules.xml
>
> .
> .
> .
> .
>
> 2015/10/27 15:13:26 1 : rule:551, level 7, timeout: 0
> 2015/10/27 15:13:26 2 : rule:595, level 5, timeout: 0
> 2015/10/27 15:13:26 1 : rule:552, level 7, timeout: 0
> 2015/10/27 15:13:26 2 : rule:596, level 5, timeout: 0
> 2015/10/27 15:13:26 1 : rule:553, level 7, timeout: 0
> 2015/10/27 15:13:26 2 : rule:597, level 5, timeout: 0
> 2015/10/27 15:13:26 ossec-testrule: INFO: Total rules enabled: '1487'
>
> works just fine.
>
> Is this a bug, or am I missing something?
>

Sounds like a bug.

> Any help is appreciated.
>
> Paolo
>
> --
>
> ---
> You received this message because you are subscribed to the Google Groups
"ossec-list" group.
> To unsubscribe from this group and stop receiving emails from it, send an
email to ossec-list+unsubscr...@googlegroups.com.
> For more options, visit https://groups.google.com/d/optout.



[ossec-list] ossec and mysql database fails to run

2015-10-27 Thread pgaltieri
I compiled the latest ossec-hids code with mysql database support:

cd src
make TARGET=server DATABASE=mysql

After running the install.sh script I enable the database and start ossec.

/usr/local/etc/ossec/bin/ossec-control enable database
/usr/local/etc/ossec/bin/ossec-control start


The start fails with:

OSSEC analysisd: Testing rules failed. Configuration error. Exiting.

After some debugging it comes down to this:

./ossec-logtest -t -v -c ../etc/ossec.conf -D /usr/local/etc/ossec/
2015/10/27 14:53:30 ossec-testrule: INFO: Reading local decoder file.
2015/10/27 14:53:30 ossec-testrule(1103): ERROR: Could not open file '/var/ossec/etc/internal_options.conf' due to [(2)-(No such file or directory)].
2015/10/27 14:53:30 ossec-testrule(2301): ERROR: Definition not found for: 'analysisd.default_timeframe'.

The issue is related to the location where ossec is installed.  On my system ossec is installed in

/usr/local/etc/ossec/

However,  logtest still looks in the default location.

If I build ossec without database support then

./ossec-logtest -t -v -c ../etc/ossec.conf -D /usr/local/etc/ossec/

2015/10/27 15:13:26 adding rule: rules_config.xml
2015/10/27 15:13:26 adding rule: pam_rules.xml
2015/10/27 15:13:26 adding rule: sshd_rules.xml
2015/10/27 15:13:26 adding rule: telnetd_rules.xml
2015/10/27 15:13:26 adding rule: syslog_rules.xml
2015/10/27 15:13:26 adding rule: arpwatch_rules.xml
2015/10/27 15:13:26 adding rule: symantec-av_rules.xml
2015/10/27 15:13:26 adding rule: symantec-ws_rules.xml
2015/10/27 15:13:26 adding rule: pix_rules.xml

.
.
.
.

2015/10/27 15:13:26 1 : rule:551, level 7, timeout: 0
2015/10/27 15:13:26 2 : rule:595, level 5, timeout: 0
2015/10/27 15:13:26 1 : rule:552, level 7, timeout: 0
2015/10/27 15:13:26 2 : rule:596, level 5, timeout: 0
2015/10/27 15:13:26 1 : rule:553, level 7, timeout: 0
2015/10/27 15:13:26 2 : rule:597, level 5, timeout: 0
2015/10/27 15:13:26 ossec-testrule: INFO: Total rules enabled: '1487'

works just fine.

Is this a bug, or am I missing something?

Any help is appreciated.

Paolo

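Added example, not OSSEC project code and not from the thread: a small Python model of where the two ossec-testrule errors above come from. OSSEC keeps tunables such as analysisd.default_timeframe in <install_dir>/etc/internal_options.conf as key=value lines, with <install_dir>/etc/local_internal_options.conf overriding individual keys. A tool that resolves that file under the compiled-in default prefix (/var/ossec) instead of the -D prefix first fails to open it and then reports every definition it needed as missing, which is the pair of messages Paolo sees. The install tree, the file contents and the REQUIRED key list are constructed for this example; the second REQUIRED key is an assumption added for illustration.

```python
"""Model of OSSEC internal_options.conf resolution (added example, not OSSEC code)."""
import os
import tempfile

DEFAULT_PREFIX = "/var/ossec"   # compiled-in default install prefix
# Keys the (hypothetical) consumer insists on: analysisd.default_timeframe is the
# one named in the thread, analysisd.stats_maxdiff is assumed for the example.
REQUIRED = ("analysisd.default_timeframe", "analysisd.stats_maxdiff")


def parse_internal_options(text):
    """Parse key=value lines; '#' starts a comment and blank lines are ignored."""
    opts = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if "=" not in line:
            raise ValueError(f"malformed internal option line: {raw!r}")
        key, _, value = line.partition("=")
        opts[key.strip()] = value.strip()
    return opts


def load_internal_options(prefix):
    """Read internal_options.conf under prefix and overlay local_internal_options.conf.
    Returns (options, errors); the error strings mirror the ossec-testrule messages."""
    opts, errors = {}, []
    base = os.path.join(prefix, "etc", "internal_options.conf")
    try:
        with open(base, encoding="utf-8") as fh:
            opts.update(parse_internal_options(fh.read()))
    except OSError as exc:
        errors.append(f"Could not open file '{base}' due to "
                      f"[({exc.errno})-({exc.strerror})]")
    local = os.path.join(prefix, "etc", "local_internal_options.conf")
    if os.path.isfile(local):
        with open(local, encoding="utf-8") as fh:
            opts.update(parse_internal_options(fh.read()))
    for key in REQUIRED:
        if key not in opts:
            errors.append(f"Definition not found for: '{key}'")
    return opts, errors


def make_install_tree(prefix):
    """Write a constructed internal_options.conf under <prefix>/etc."""
    os.makedirs(os.path.join(prefix, "etc"), exist_ok=True)
    sample = ("# constructed sample, not the file OSSEC ships\n"
              "analysisd.default_timeframe=360\n"
              "analysisd.stats_maxdiff=999000\n")
    with open(os.path.join(prefix, "etc", "internal_options.conf"), "w",
              encoding="utf-8") as fh:
        fh.write(sample)


def demo():
    """Install under a non-default prefix, then resolve the file correctly
    (-D honoured) and incorrectly (compiled-in default used).
    Returns (errors_when_honoured, errors_when_ignored)."""
    with tempfile.TemporaryDirectory() as tmp:
        install_prefix = os.path.join(tmp, "usr", "local", "etc", "ossec")
        make_install_tree(install_prefix)
        _, honoured = load_internal_options(install_prefix)
        # Same lookup rooted at the compiled-in default, relocated under tmp so
        # the example never touches a real /var/ossec.
        _, ignored = load_internal_options(tmp + DEFAULT_PREFIX)
    return honoured, ignored


if __name__ == "__main__":
    ok, bad = demo()
    print("honouring -D:", ok or "no errors")
    print("using compiled-in default:", *bad, sep="\n  ")
```

Running it prints no errors for the -D lookup and the "Could not open file" line followed by one "Definition not found" line per required key for the default-prefix lookup; a quick way to confirm on a real install is to check that <prefix>/etc/internal_options.conf exists and contains the key the error names.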


Re: [ossec-list] Hybrid mode automated install

2015-10-27 Thread Santiago Bassett
Hi Daniel,

I haven't tested it but maybe you can set USER_INSTALL_TYPE to "hybrid" in
the preloaded-vars.conf file. Find it here:

https://github.com/ossec/ossec-hids/blob/master/etc/preloaded-vars.conf.example

What OSSEC version are you trying to build? Also remember that the OSSIM plugin
needs to read a custom output, which is included in the ossec.conf
configuration this way:

<custom_alert_output>AV - Alert - "$TIMESTAMP" --> RID: "$RULEID"; RL: "$RULELEVEL"; RG: "$RULEGROUP"; RC: "$RULECOMMENT"; USER: "$DSTUSER"; SRCIP: "$SRCIP"; HOSTNAME: "$HOSTNAME"; LOCATION: "$LOCATION"; EVENT: "[INIT]$FULLLOG[END]"; </custom_alert_output>

If you don't use this output the regular expressions the plugin uses won't
be able to parse ossec alerts. Not sure how this would work with Syslog (I
would say that it probably modifies the output).

My advice would be to use an alternative way to read this data. Maybe
mounting a small NFS partition on your OSSIM box, so the plugin can read
ossec alerts file directly.

Best

Santiago.

On Tue, Oct 27, 2015 at 9:15 AM, Daniel Townend wrote:

> We are wanting to deploy ossec with active response but also to send logs
> to OSSIM. I can't see an option for hybrid mode on the automated install
> config file, is there any way to automate this installation?
>
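As an added example (not code from the thread, from OSSEC or from the OSSIM plugin), the custom output layout Santiago quotes rendered from OSSEC's $-variables and parsed back with a fixed-order regular expression of the kind such a plugin relies on. It shows why a line in the default alert layout, or one rewritten by a syslog forwarder, gets no match. The field values and the default-format line are constructed; the plugin's own regular expressions are not reproduced here.

```python
"""custom_alert_output layout: render and parse (added example, not OSSEC/OSSIM code)."""
import re
from string import Template

# The template from the thread, with OSSEC's $-variables left exactly as given.
CUSTOM_TEMPLATE = Template(
    'AV - Alert - "$TIMESTAMP" --> RID: "$RULEID"; RL: "$RULELEVEL"; '
    'RG: "$RULEGROUP"; RC: "$RULECOMMENT"; USER: "$DSTUSER"; SRCIP: "$SRCIP"; '
    'HOSTNAME: "$HOSTNAME"; LOCATION: "$LOCATION"; EVENT: "[INIT]$FULLLOG[END]"; '
)

# One capture per field, in the fixed order the template imposes.  Every value is
# double-quoted; the event body is matched last and greedily because a raw log
# line may itself contain quotes and semicolons.
ALERT_RE = re.compile(
    r'^AV - Alert - "(?P<timestamp>[^"]*)" --> RID: "(?P<rule_id>[^"]*)"; '
    r'RL: "(?P<rule_level>\d+)"; RG: "(?P<rule_group>[^"]*)"; '
    r'RC: "(?P<rule_comment>[^"]*)"; USER: "(?P<user>[^"]*)"; '
    r'SRCIP: "(?P<src_ip>[^"]*)"; HOSTNAME: "(?P<hostname>[^"]*)"; '
    r'LOCATION: "(?P<location>[^"]*)"; '
    r'EVENT: "\[INIT\](?P<full_log>.*)\[END\]";\s*$',
    re.DOTALL,
)

# Constructed values standing in for what analysisd would substitute.
SAMPLE_FIELDS = dict(
    TIMESTAMP="1445961600", RULEID="5712", RULELEVEL="10",
    RULEGROUP="syslog,sshd,authentication_failures,",
    RULECOMMENT="SSHD brute force trying to get access to the system.",
    DSTUSER="None", SRCIP="203.0.113.7", HOSTNAME="agent01",
    LOCATION="(agent01) 192.0.2.10->/var/log/auth.log",
    FULLLOG="Oct 27 14:53:30 agent01 sshd[2222]: Failed password for "
            "invalid user admin from 203.0.113.7 port 4822 ssh2",
)

# Constructed line in the shape of OSSEC's default multi-line alert layout.
SAMPLE_DEFAULT = (
    "** Alert 1445961600.12345: - syslog,sshd,authentication_failures,\n"
    "2015 Oct 27 14:53:30 (agent01) 192.0.2.10->/var/log/auth.log\n"
    "Rule: 5712 (level 10) -> 'SSHD brute force trying to get access to the system.'\n"
    "Src IP: 203.0.113.7\n"
    "Oct 27 14:53:30 agent01 sshd[2222]: Failed password for invalid user admin "
    "from 203.0.113.7 port 4822 ssh2\n"
)


def render_custom_alert(**values):
    """Produce one alert line exactly as the custom_alert_output template would."""
    return CUSTOM_TEMPLATE.substitute(values)


def parse_ossim_alert(line):
    """Return the alert's fields as a dict, or None when the line is not in the
    custom layout (what the plugin sees if the output is left at the default
    format or altered in transit)."""
    m = ALERT_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["rule_level"] = int(rec["rule_level"])
    rec["rule_group"] = [g for g in rec["rule_group"].split(",") if g]
    return rec


if __name__ == "__main__":
    line = render_custom_alert(**SAMPLE_FIELDS)
    print(line)
    print(parse_ossim_alert(line))
    print("default layout parsed as:", parse_ossim_alert(SAMPLE_DEFAULT))
```

The round trip (render, then parse) is the check to run after changing custom_alert_output: if the parse returns None for a line taken from the alerts file, the plugin will not match it either.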


[ossec-list] Hybrid mode automated install

2015-10-27 Thread Daniel Townend
We are wanting to deploy ossec with active response but also to send logs 
to OSSIM. I can't see an option for hybrid mode on the automated install 
config file, is there any way to automate this installation?



Re: [ossec-list] Merge EventChannel fix into 2.8?

2015-10-27 Thread DefensiveDepth
And the continued blood & sweat!

On Tuesday, October 27, 2015 at 8:20:20 AM UTC-4, DefensiveDepth wrote:
>
> Thanks for the update Dan.
>
> On Monday, October 26, 2015 at 1:48:25 PM UTC-4, dan (ddpbsd) wrote:
>>
>> There is some headway being made on a release. Too many things going on 
>> at once, as always.
>> On Oct 20, 2015 9:39 AM, "DefensiveDepth"  wrote:
>>
>>> This all looks good to me, but I have never been involved in a release 
>>> in the past, so what do I know?  :)
>>>
>>> On Thursday, October 15, 2015 at 8:25:47 AM UTC-4, dan (ddpbsd) wrote:

>>>> I think I was seeing some instability in analysisd on OpenBSD, but
>>>> I've been unable to trigger it in the past day. I've seen no crashes
>>>> on my linux system.
>>>> I want to give it the weekend before declaring this done, but I can
>>>> still move ahead with other parts.
>>>> I have basic release notes written up in the ossec-docs repo
>>>> (https://github.com/ddpbsd/ossec-docs/blob/283/docs/whatsnew/release-notes/ossec-hids-2.8.3-release-note.txt).
>>>>
>>>> I've also tried to get the attention of Vic Hargrave and Jeremy Rossi
>>>> behind the scenes, but haven't heard back. I'll try emailing them this
>>>> time.
>>>> If anyone can think of something I'm missing, let me know!
>>>>
>>>> On Wed, Oct 14, 2015 at 7:40 PM, DefensiveDepth wrote:
>>>> > I should clarify - move forward with the release, as is?
>>>> >
>>>> > -Josh
>>>> >
>>>> >
>>>> > On Wednesday, October 14, 2015 at 7:39:56 PM UTC-4, DefensiveDepth wrote:
>>>> >>
>>>> >> Is there anything else that would be an issue with continuing to move
>>>> >> forward on this?
>>>> >>
>>>> >> On Tuesday, October 13, 2015 at 11:22:14 AM UTC-4, SoulAuctioneer wrote:
>>>> >>>
>>>> >>> If I had to guess, that thread and some of the others you might remember
>>>> >>> seeing are about the installer setting permissions to the 'Administrators'
>>>> >>> group. The problem is when Windows is set to use another language that group
>>>> >>> isn't named the same. The proper way to do this is with well known SIDs
>>>> >>> which some stuff has been updated to use and other stuff not so much. Was
>>>> >>> working on fixing that completely in 2.9 or 3.0.


Re: [ossec-list] Merge EventChannel fix into 2.8?

2015-10-27 Thread DefensiveDepth
Thanks for the update Dan.

On Monday, October 26, 2015 at 1:48:25 PM UTC-4, dan (ddpbsd) wrote:
>
> There is some headway being made on a release. Too many things going on at 
> once, as always.
> On Oct 20, 2015 9:39 AM, "DefensiveDepth" wrote:
>
>> This all looks good to me, but I have never been involved in a release in 
>> the past, so what do I know?  :)
>>
>> On Thursday, October 15, 2015 at 8:25:47 AM UTC-4, dan (ddpbsd) wrote:
>>>
>>> I think I was seeing some instability in analysisd on OpenBSD, but 
>>> I've been unable to trigger it in the past day. I've seen no crashes 
>>> on my linux system. 
>>> I want to give it the weekend before declaring this done, but I can 
>>> still move ahead with other parts. 
>>> I have basic release notes written up in the ossec-docs repo
>>> (https://github.com/ddpbsd/ossec-docs/blob/283/docs/whatsnew/release-notes/ossec-hids-2.8.3-release-note.txt).
>>>
>>> I've also tried to get the attention of Vic Hargrave and Jeremy Rossi 
>>> behind the scenes, but haven't heard back. I'll try emailing them this 
>>> time. 
>>> If anyone can think of something I'm missing, let me know! 
>>>
>>> On Wed, Oct 14, 2015 at 7:40 PM, DefensiveDepth  
>>> wrote: 
>>> > I should clarify - move forward with the release, as is? 
>>> > 
>>> > -Josh 
>>> > 
>>> > 
>>> > On Wednesday, October 14, 2015 at 7:39:56 PM UTC-4, DefensiveDepth wrote:
>>> >>
>>> >> Is there anything else that would be an issue with continuing to move
>>> >> forward on this?
>>> >>
>>> >> On Tuesday, October 13, 2015 at 11:22:14 AM UTC-4, SoulAuctioneer wrote:
>>> >>>
>>> >>> If I had to guess, that thread and some of the others you might remember
>>> >>> seeing are about the installer setting permissions to the 'Administrators'
>>> >>> group. The problem is when Windows is set to use another language that group
>>> >>> isn't named the same. The proper way to do this is with well known SIDs
>>> >>> which some stuff has been updated to use and other stuff not so much. Was
>>> >>> working on fixing that completely in 2.9 or 3.0.


Re: [ossec-list] Re: Watchguard Firebox logs

2015-10-27 Thread dan (ddp)
On Oct 27, 2015 4:49 AM, "Tero Onttonen"  wrote:
>
> Hi,
>
> I would be interested in finding a solution regarding Watchguard logs. I did not find a solution after some searching.
>
> Did this go any further?
>

Are the logs the same as they were in 2009?

> Br,
> Tero
>
> On Wednesday, March 11, 2009 at 2:11:44 PM UTC+2, rob.but...@gmail.com wrote:
>>
>> Thanks.  I'm also working on AQTRONIX WebKnight logs too.  Here are a few
>> watchguard examples.  I've blanked a few bits of info.  Note that
>> we've adopted a convention of putting wg_ at the start of the system
>> name so we can identify them as watchguard logs, but perhaps this
>> isn't the best way ?
>>
>> 2009 Mar 11 12:07:07 wa-hids1->195.xx.xx.xx 2009-03-11 12:16:49 wg_Peterborough disp="Deny"   pri="1" policy="Unhandled Internal Packet-00" src_ip="172.12.10.26" dst_ip="81.137.245.126" pr="3085/tcp" src_port="2122" dst_port="3085" src_intf="1-Trusted" dst_intf="0-External"   tcpinfo="offset 7 S 3884792327 win 65535"   rc="101" msg="denied" pckt_len="48" ttl="128"
>>
>> 2009 Mar 11 12:07:06 wa-hids1->195.xx.xx.xx 2009-03-11 12:16:48 wg_Peterborough disp="Allow"  proxy[15055]: pri="4" policy="HTTP-proxy-00" src_ip="172.12.10.116" dst_ip="69.63.176.188" pr="http/tcp" src_port="58482" dst_port="80" src_intf="1-Trusted" dst_intf="0-External" src_ip_nat="195.99.165.66" src_port_nat="13917" rc="592" msg_id="262171" msg="ProxyStrip: HTTP Header match" proxy_act="HTTP-Client" rule_name="Default" header="X-Channel-Host: channel138:8081\x0d\x0a" src_user="xusername@Active Directory"
>>
>> 2009 Mar 11 12:07:03 wa-hids1->195.xx.xx.xx 2009-03-11 12:16:45 wg_Peterborough disp="Deny"   pri="1" policy="Unhandled External Packet-00" src_ip="192.168.30.11" dst_ip="172.12.10.130" pr="135/tcp" src_port="4533" dst_port="135" src_intf="WALAN_PELAN/IPsec" dst_intf="1-Trusted" tcpinfo="offset 7 S 2723202119 win 65535"   dst_user="username@Active Directory" rc="101" msg="denied (decrypted packet, SA info: id 0x341e7636 )" pckt_len="48" ttl="128"
>>
>> On Mar 10, 8:35 pm, Daniel Cid  wrote:
>> > Hi Rob,
>> >
>> > I don't think anyone did this yet. Can you share some of your logs
>> > with us? We can certainly
>> > help writing some rules/decoders if we get some samples...
>> >
>> > Thanks,
>> >
>> > --
>> > Daniel B. Cid
>> > dcid ( at ) ossec.net
>> >
>> > On Mon, Mar 2, 2009 at 10:47 AM,   wrote:
>> >
>> > > Hi,
>> > > Has anyone got OSSEC to parse Watchguard Firebox logs ?  I have my
>> > > logs coming in via syslog, and being stored, but if I run them through
>> > > logtest they get recognized as Debian dpkg logs, so I guess ossec is
>> > > pretty much ignoring them.
>> >
>> > > The format seems to be missing a unique key to spot the logs as being
>> > > from the watchguards, sadly.  We are considering using the firebox
>> > > system name to identify them (e.g. adding wg_ at the start of all our
>> > > firewall system names so I can match on a regexp with that string in
>> > > it).  However, before I spend time on this, I wonder whether anyone
>> > > else has already done the hard work ?
>> >
>> > > If not, any pointers to instructions on writing new decoders and rules
>> > > would be most welcome.  If I get anything worth sharing, I'll offer it
>> > > back to the project or at least post my findings here.
>> >
>> > > Rob
>


Re: [ossec-list] Re: Watchguard Firebox logs

2015-10-27 Thread Eero Volotinen
Did you check out the Watchguard Dimension appliance?

Eero
On 27.10.2015 10.49 AM, "Tero Onttonen" wrote:

> Hi,
>
> I would be interested in finding a solution regarding Watchguard logs. I
> did not find a solution after some searching.
>
> Did this go any further?
>
> Br,
> Tero
>
> On Wednesday, March 11, 2009 at 2:11:44 PM UTC+2, rob.but...@gmail.com wrote:
>>
>> Thanks.  I'm also working on AQTRONIX WebKnight logs too.  Here are a few
>> watchguard examples.  I've blanked a few bits of info.  Note that
>> we've adopted a convention of putting wg_ at the start of the system
>> name so we can identify them as watchguard logs, but perhaps this
>> isn't the best way ?
>>
>> 2009 Mar 11 12:07:07 wa-hids1->195.xx.xx.xx 2009-03-11 12:16:49 wg_Peterborough disp="Deny"   pri="1" policy="Unhandled Internal Packet-00" src_ip="172.12.10.26" dst_ip="81.137.245.126" pr="3085/tcp" src_port="2122" dst_port="3085" src_intf="1-Trusted" dst_intf="0-External"   tcpinfo="offset 7 S 3884792327 win 65535"   rc="101" msg="denied" pckt_len="48" ttl="128"
>>
>> 2009 Mar 11 12:07:06 wa-hids1->195.xx.xx.xx 2009-03-11 12:16:48 wg_Peterborough disp="Allow"  proxy[15055]: pri="4" policy="HTTP-proxy-00" src_ip="172.12.10.116" dst_ip="69.63.176.188" pr="http/tcp" src_port="58482" dst_port="80" src_intf="1-Trusted" dst_intf="0-External" src_ip_nat="195.99.165.66" src_port_nat="13917" rc="592" msg_id="262171" msg="ProxyStrip: HTTP Header match" proxy_act="HTTP-Client" rule_name="Default" header="X-Channel-Host: channel138:8081\x0d\x0a" src_user="xusername@Active Directory"
>>
>> 2009 Mar 11 12:07:03 wa-hids1->195.xx.xx.xx 2009-03-11 12:16:45 wg_Peterborough disp="Deny"   pri="1" policy="Unhandled External Packet-00" src_ip="192.168.30.11" dst_ip="172.12.10.130" pr="135/tcp" src_port="4533" dst_port="135" src_intf="WALAN_PELAN/IPsec" dst_intf="1-Trusted" tcpinfo="offset 7 S 2723202119 win 65535"   dst_user="username@Active Directory" rc="101" msg="denied (decrypted packet, SA info: id 0x341e7636 )" pckt_len="48" ttl="128"
>>
>> On Mar 10, 8:35 pm, Daniel Cid  wrote:
>> > Hi Rob,
>> >
>> > I don't think anyone did this yet. Can you share some of your logs
>> > with us? We can certainly
>> > help writing some rules/decoders if we get some samples...
>> >
>> > Thanks,
>> >
>> > --
>> > Daniel B. Cid
>> > dcid ( at ) ossec.net
>> >
>> > On Mon, Mar 2, 2009 at 10:47 AM,   wrote:
>> >
>> > > Hi,
>> > > Has anyone got OSSEC to parse Watchguard Firebox logs ?  I have my
>> > > logs coming in via syslog, and being stored, but if I run them through
>> > > logtest they get recognized as Debian dpkg logs, so I guess ossec is
>> > > pretty much ignoring them.
>> >
>> > > The format seems to be missing a unique key to spot the logs as being
>> > > from the watchguards, sadly.  We are considering using the firebox
>> > > system name to identify them (e.g. adding wg_ at the start of all our
>> > > firewall system names so I can match on a regexp with that string in
>> > > it).  However, before I spend time on this, I wonder whether anyone
>> > > else has already done the hard work ?
>> >
>> > > If not, any pointers to instructions on writing new decoders and rules
>> > > would be most welcome.  If I get anything worth sharing, I'll offer it
>> > > back to the project or at least post my findings here.
>> >
>> > > Rob
>>


[ossec-list] Re: Watchguard Firebox logs

2015-10-27 Thread Tero Onttonen
Hi,

I would be interested in finding a solution regarding Watchguard logs. I 
did not find a solution after some searching.

Did this go any further?

Br,
Tero

On Wednesday, March 11, 2009 at 2:11:44 PM UTC+2, rob.but...@gmail.com wrote:
>
> Thanks.  I'm also working on AQTRONIX WebKnight logs too.  Here are a few 
> watchguard examples.  I've blanked a few bits of info.  Note that 
> we've adopted a convention of putting wg_ at the start of the system 
> name so we can identify them as watchguard logs, but perhaps this 
> isn't the best way ? 
>
> 2009 Mar 11 12:07:07 wa-hids1->195.xx.xx.xx 2009-03-11 12:16:49 wg_Peterborough disp="Deny"   pri="1" policy="Unhandled Internal Packet-00" src_ip="172.12.10.26" dst_ip="81.137.245.126" pr="3085/tcp" src_port="2122" dst_port="3085" src_intf="1-Trusted" dst_intf="0-External"   tcpinfo="offset 7 S 3884792327 win 65535"   rc="101" msg="denied" pckt_len="48" ttl="128"
>
> 2009 Mar 11 12:07:06 wa-hids1->195.xx.xx.xx 2009-03-11 12:16:48 wg_Peterborough disp="Allow"  proxy[15055]: pri="4" policy="HTTP-proxy-00" src_ip="172.12.10.116" dst_ip="69.63.176.188" pr="http/tcp" src_port="58482" dst_port="80" src_intf="1-Trusted" dst_intf="0-External" src_ip_nat="195.99.165.66" src_port_nat="13917" rc="592" msg_id="262171" msg="ProxyStrip: HTTP Header match" proxy_act="HTTP-Client" rule_name="Default" header="X-Channel-Host: channel138:8081\x0d\x0a" src_user="xusername@Active Directory"
>
> 2009 Mar 11 12:07:03 wa-hids1->195.xx.xx.xx 2009-03-11 12:16:45 wg_Peterborough disp="Deny"   pri="1" policy="Unhandled External Packet-00" src_ip="192.168.30.11" dst_ip="172.12.10.130" pr="135/tcp" src_port="4533" dst_port="135" src_intf="WALAN_PELAN/IPsec" dst_intf="1-Trusted" tcpinfo="offset 7 S 2723202119 win 65535"   dst_user="username@Active Directory" rc="101" msg="denied (decrypted packet, SA info: id 0x341e7636 )" pckt_len="48" ttl="128"
>
> On Mar 10, 8:35 pm, Daniel Cid  wrote: 
> > Hi Rob, 
> > 
> > I don't think anyone did this yet. Can you share some of your logs 
> > with us? We can certainly 
> > help writing some rules/decoders if we get some samples... 
> > 
> > Thanks, 
> > 
> > -- 
> > Daniel B. Cid 
> > dcid ( at ) ossec.net 
> > 
> > On Mon, Mar 2, 2009 at 10:47 AM,   wrote: 
> > 
> > > Hi, 
> > > Has anyone got OSSEC to parse Watchguard Firebox logs ?  I have my 
> > > logs coming in via syslog, and being stored, but if I run them through 
> > > logtest they get recognized as Debian dpkg logs, so I guess ossec is 
> > > pretty much ignoring them. 
> > 
> > > The format seems to be missing a unique key to spot the logs as being 
> > > from the watchguards, sadly.  We are considering using the firebox 
> > > system name to identify them (e.g. adding wg_ at the start of all our 
> > > firewall system names so I can match on a regexp with that string in 
> > > it).  However, before I spend time on this, I wonder whether anyone 
> > > else has already done the hard work ? 
> > 
> > > If not, any pointers to instructions on writing new decoders and rules 
> > > would be most welcome.  If I get anything worth sharing, I'll offer it 
> > > back to the project or at least post my findings here. 
> > 
> > > Rob 
>

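An added example, not from the thread or from the OSSEC project: a Python parser for Firebox lines in the shape Rob quotes, built around the two things his message identifies, the wg_ hostname prefix as the only reliable discriminator (the same check a decoder prematch would make) and the key="value" body whose values may contain spaces. It goes a little beyond the thread by also pulling the optional proxy[pid] token out and summarising denied connections. The sample lines are constructed to match that layout (addresses changed, and a non-Firebox line added to show the prefix check rejecting it); field names are those visible in Rob's samples.

```python
"""Parser for wg_-prefixed Watchguard Firebox records as relayed by OSSEC
(added example, not OSSEC code)."""
import re

# OSSEC prefix "<collected time> <collector>-><source> ", then the Firebox
# record: its own timestamp, the system name (wg_ by convention), then
# key="value" pairs with an optional proxy[pid]: token in between.
HEADER_RE = re.compile(
    r'^(?P<collected>\d{4} \w{3} \d{1,2} \d{2}:\d{2}:\d{2}) '
    r'(?P<collector>\S+)->(?P<source>\S+) '
    r'(?P<fw_time>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) '
    r'(?P<hostname>wg_\S+) '
    r'(?P<rest>.*)$'
)
KV_RE = re.compile(r'(\w+)="([^"]*)"')          # values may contain spaces
PROCESS_RE = re.compile(r'\b(\w+)\[(\d+)\]:')    # e.g. proxy[15055]:

# Constructed sample lines (RFC 5737 / RFC 1918 addresses), in the layout quoted above.
SAMPLE_LOGS = [
    '2009 Mar 11 12:07:07 wa-hids1->198.51.100.5 2009-03-11 12:16:49 wg_Peterborough '
    'disp="Deny"   pri="1" policy="Unhandled Internal Packet-00" src_ip="10.0.0.26" '
    'dst_ip="192.0.2.126" pr="3085/tcp" src_port="2122" dst_port="3085" '
    'src_intf="1-Trusted" dst_intf="0-External"   tcpinfo="offset 7 S 3884792327 win 65535"   '
    'rc="101" msg="denied" pckt_len="48" ttl="128"',
    '2009 Mar 11 12:07:06 wa-hids1->198.51.100.5 2009-03-11 12:16:48 wg_Peterborough '
    'disp="Allow"  proxy[15055]: pri="4" policy="HTTP-proxy-00" src_ip="10.0.0.116" '
    'dst_ip="192.0.2.188" pr="http/tcp" src_port="58482" dst_port="80" src_intf="1-Trusted" '
    'dst_intf="0-External" src_ip_nat="198.51.100.66" src_port_nat="13917" rc="592" '
    'msg_id="262171" msg="ProxyStrip: HTTP Header match" proxy_act="HTTP-Client" '
    'rule_name="Default" header="X-Channel-Host: channel138:8081\\x0d\\x0a" '
    'src_user="xusername@Active Directory"',
    # A constructed non-Firebox line relayed through the same collector.
    '2009 Mar 11 12:07:05 wa-hids1->198.51.100.5 Mar 11 12:16:47 debian-host '
    'dpkg: status installed curl 7.18.0',
]


def parse_watchguard(line):
    """Return a record dict for a wg_-prefixed Firebox line, else None so other
    decoders can have a go (the dpkg misclassification in the thread is what
    happens when nothing claims the line first)."""
    m = HEADER_RE.match(line.strip())
    if not m:
        return None
    rest = m.group("rest")
    proc = PROCESS_RE.search(rest)
    return {
        "collected": m.group("collected"),
        "collector": m.group("collector"),
        "source": m.group("source"),
        "firebox_time": m.group("fw_time"),
        "hostname": m.group("hostname"),
        "process": (proc.group(1), int(proc.group(2))) if proc else None,
        "fields": dict(KV_RE.findall(rest)),
    }


def denied_connections(lines):
    """(src_ip, dst_ip, proto/port) for every record the firewall denied."""
    out = []
    for line in lines:
        rec = parse_watchguard(line)
        if rec and rec["fields"].get("disp") == "Deny":
            f = rec["fields"]
            out.append((f.get("src_ip"), f.get("dst_ip"), f.get("pr")))
    return out


if __name__ == "__main__":
    for line in SAMPLE_LOGS:
        rec = parse_watchguard(line)
        print("unmatched" if rec is None else
              f'{rec["hostname"]} {rec["fields"].get("disp")} {rec["process"]} '
              f'{rec["fields"].get("policy")}')
    print("denied:", denied_connections(SAMPLE_LOGS))
```

The hostname prefix is the only thing in these samples that uniquely marks a Firebox record, which is why the parser keys on it before touching the body; if the naming convention changes, the prefix pattern in HEADER_RE is the one place to update.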