Re: [ossec-list] Re: Using rules by escaping certain file extensions.
Hello Diego,

It should work as far as I know. I recommend you upgrade to a new version though, due to the bug fixes and new features. You can take a look at the release notes here: https://documentation.wazuh.com/3.10/release-notes/index.html

Regards,
Javier.

--
---
You received this message because you are subscribed to the Google Groups "ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email to ossec-list+unsubscr...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/ossec-list/0790bc23-10fb-4acc-adf0-734b53a65efd%40googlegroups.com.
Re: [ossec-list] OSSEC receiving syslog alerts from ASA but not processing them
Looking at the syslog packets I see the Cisco ASA only uses local facility codes but my Palo Alto uses User facility codes:

08:55:50.340558 IP (tos 0x0, ttl 64, id 917, offset 0, flags [DF], proto UDP (17), length 329)
    10.10.10.151.44375 > 10.10.10.17.syslog: SYSLOG, length: 301
        *Facility user (1)*, Severity info (6)
        Msg: Oct 15 08:55:50 10.10.10.151 1,2019/10/15 08:55:50,012001010622,SYSTEM,userid,0,2019/10/15 08:55:50,,connect-ldap-sever,10.10.10.10,0,0,general,informational,"ldap cfg DOMAIN GMapping FW-Admins connected to server 10.10.10.10:389, initiated by: 10.10.10.152",1204131,0x0,0,0,0,0,,fw2
08:55:50.726480 IP (tos 0x0, ttl 254, id 65458, offset 0, flags [none], proto UDP (17), length 190)
    10.10.2.2.syslog > 10.10.10.17.syslog: SYSLOG, length: 162
        *Facility local4 (20)*, Severity warning (4)
        Msg: Oct 15 08:55:50 EDT fw1 : %ASA-4-106023: Deny udp src outside:10.10.201.105/137 dst outside:10.10.201.255/137 by access-group "outside_access_in" [0x0, 0x0]\0x0a

I can't change the ASA to be anything other than local facility.

On Tuesday, October 15, 2019 at 8:34:52 AM UTC-4, Nate wrote:
>
> Hi Dan,
>
> Yes, I restarted the OSSEC service with a: service OSSEC restart
>
> Right now the iptables are wide open due to this issue:
>
> # iptables -L
> Chain INPUT (policy ACCEPT)
> target prot opt source destination
>
> Chain FORWARD (policy ACCEPT)
> target prot opt source destination
>
> Chain OUTPUT (policy ACCEPT)
> target prot opt source destination
> # iptables -S
> -P INPUT ACCEPT
> -P FORWARD ACCEPT
> -P OUTPUT ACCEPT
>
> My full remote connections list is the following:
>
> syslog
> 10.10.10.0/23
> 10.10.2.2
> 10.10.39.2
> 10.10.6.2
> 10.10.9.1
> 192.168.2.0/24
> 514
>
> I will move the 10.10.2.2 up above the /23 in case this is causing it, but I know we are getting syslog events from all other sources.
>
> Maybe it's the Cisco packet?
>
> On Tuesday, October 15, 2019 at 7:19:23 AM UTC-4, dan (ddpbsd) wrote:
>>
>> On Mon, Oct 14, 2019 at 3:03 PM Nate wrote:
>> >
>> > Hi,
>> >
>> > I've never seen this before but I set up our ASA 5516 to send syslog events to our OSSEC server to detect SHUN events.
>> >
>> > ossec.conf
>> >
>> > syslog
>> > 10.10.2.2
>> > 514
>> >
>> > 0
>> > 9
>> >
>> > local_rules.xml
>> >
>> > 4100
>> > ASA-4-73310\d|ASA-4-40100\d
>> > ASA Shun event
>> >
>> > but reviewing the alerts, archives, database no events from our 10.10.2.2 or ASA show up. Running tcpdump on ossec shows they are received by the server:
>> >
>> > 14:53:41.611883 IP (tos 0x0, ttl 254, id 54586, offset 0, flags [none], proto UDP (17), length 140)
>> >     10.10.2.2.syslog > 10.10.10.17.syslog: SYSLOG, length: 112
>> >     Facility local0 (16), Severity warning (4)
>> >     Msg: Oct 14 14:53:41 EDT fw1 : %ASA-4-401004: Shunned packet: 10.10.35.37 ==> 87.106.71.108 on interface inside\0x0a
>> > 14:53:41.614335 IP (tos 0x0, ttl 254, id 46962, offset 0, flags [none], proto UDP (17), length 140)
>> >     10.10.2.2.syslog > 10.10.10.17.syslog: SYSLOG, length: 112
>> >     Facility local0 (16), Severity warning (4)
>> >     Msg: Oct 14 14:53:41 EDT fw1 : %ASA-4-401004: Shunned packet: 10.10.35.37 ==> 87.106.71.108 on interface inside\0x0a
>> >
>> > If I copy out the Msg and paste it into ossec-logtest it does process it to my rule:
>> >
>> > [USER@ossec~]# /var/ossec/bin/ossec-logtest
>> > 2019/10/14 14:58:37 ossec-testrule: INFO: Reading local decoder file.
>> > 2019/10/14 14:58:37 ossec-testrule: INFO: Started (pid: 29400).
>> > ossec-testrule: Type one log per line.
>> >
>> > Oct 14 14:53:41 EDT fw1 : %ASA-4-401004: Shunned packet: 10.10.35.37 ==> 87.106.71.108 on interface inside\0x0a
>> >
>> >
>> > **Phase 1: Completed pre-decoding.
>> >        full event: 'Oct 14 14:53:41 EDT fw1 : %ASA-4-401004: Shunned packet: 10.10.35.37 ==> 87.106.71.108 on interface inside\0x0a'
>> >        hostname: 'EDT'
>> >        program_name: '(null)'
>> >        log: 'fw1 : %ASA-4-401004: Shunned packet: 10.10.35.37 ==> 87.106.71.108 on interface inside\0x0a'
>> >
>> > **Phase 2: Completed decoding.
>> >        decoder: 'ASA-lanattk'
>> >
>> > **Phase 3: Completed filtering (rules).
>> >        Rule id: '100260'
>> >        Level: '9'
>> >        Description: 'ASA Shun event'
>> > **Alert to be generated.
>> >
>> > I see that UDP port 514 is running:
>> >
>> > [root@secserv ~]# netstat -anp | grep 514
>> > tcp 0 0 127.0.0.1:3306 127.0.0.1:37514 ESTABLISHED 5542/mysqld
>> > tcp 0 0 127.0.0.1:37514 127.0.0.1:3306 ESTABLISHED 29340/ossec-dbd
>> > udp 0 0 :::1514
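To make the facility and pre-decoding details in this thread concrete, here is an added example (my own code, not OSSEC's and not posted by anyone in the thread). It decodes the syslog PRI header into the facility/severity pair that tcpdump printed (user = 1, local4 = 20, local0 = 16), pre-decodes the BSD header the way ossec-logtest showed it (the timezone token "EDT" lands in the hostname field and program_name stays null), and applies the shun rule's match pattern. The datagrams are constructed from the captures above, and treating the OSSEC `<match>` pattern as a Python regex is an assumption.

```python
import re

# Constructed sample datagrams modelled on the tcpdump captures in the thread:
# the Palo Alto sends facility user (1), the ASA local4 (20) and local0 (16).
# A syslog PRI header is <facility * 8 + severity>.
SAMPLES = [
    "<14>Oct 15 08:55:50 10.10.10.151 1,2019/10/15 08:55:50,SYSTEM,userid,connect-ldap-sever,fw2",
    "<164>Oct 15 08:55:50 EDT fw1 : %ASA-4-106023: Deny udp src outside:10.10.201.105/137"
    ' dst outside:10.10.201.255/137 by access-group "outside_access_in" [0x0, 0x0]',
    "<132>Oct 14 14:53:41 EDT fw1 : %ASA-4-401004: Shunned packet: 10.10.35.37 ==> 87.106.71.108 on interface inside",
]

FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news", "uucp", "cron",
              "authpriv", "ftp", "ntp", "audit", "alert", "clock"] + [f"local{i}" for i in range(8)]

# The <match> pattern from the poster's local_rules.xml; treating it as a Python regex is an assumption.
SHUN_RULE = re.compile(r"ASA-4-73310\d|ASA-4-40100\d")
TIMESTAMP = r"(\w{3} {1,2}\d{1,2} \d\d:\d\d:\d\d)"


def decode_pri(datagram):
    """Split the <PRI> header off a datagram; return (facility name, facility, severity, message)."""
    m = re.match(r"<(\d{1,3})>(.*)", datagram, re.S)
    if not m or int(m.group(1)) > 191:
        raise ValueError("missing or out-of-range <PRI> header")
    pri = int(m.group(1))
    return FACILITIES[pri // 8], pri // 8, pri % 8, m.group(2)


def predecode(msg):
    """BSD-syslog pre-decoding in the shape ossec-logtest printed it: the token after the
    timestamp is taken as the hostname, and program_name needs 'name:' or 'name[pid]:'.
    The ASA's 'Oct 14 14:53:41 EDT fw1 : ...' therefore gives hostname='EDT' and no program."""
    m = re.match(TIMESTAMP + r" (\S+) (.*)", msg, re.S)
    if not m:
        return {"timestamp": None, "hostname": None, "program_name": None, "log": msg}
    ts, host, rest = m.groups()
    p = re.match(r"([^\s:\[]+)(?:\[\d+\])?: (.*)", rest, re.S)
    prog, log = (p.group(1), p.group(2)) if p else (None, rest)
    return {"timestamp": ts, "hostname": host, "program_name": prog, "log": log}


def evaluate(datagram):
    """Decode one datagram and report whether the shun rule would fire on its log field."""
    fac_name, fac, sev, msg = decode_pri(datagram)
    fields = predecode(msg)
    fields.update(facility=fac_name, facility_code=fac, severity=sev,
                  shun=bool(SHUN_RULE.search(fields["log"])))
    return fields
```

Running `evaluate` over the three samples shows that the facility differs between the two senders while the pre-decoded fields of the ASA lines come out exactly as logtest printed them, which is a useful baseline when comparing what remoted receives with what logtest accepts.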
Re: [ossec-list] OSSEC receiving syslog alerts from ASA but not processing them
Hi Dan,

Yes, I restarted the OSSEC service with a: service OSSEC restart

Right now the iptables are wide open due to this issue:

# iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination

Chain FORWARD (policy ACCEPT)
target prot opt source destination

Chain OUTPUT (policy ACCEPT)
target prot opt source destination
# iptables -S
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT

My full remote connections list is the following:

syslog
10.10.10.0/23
10.10.2.2
10.10.39.2
10.10.6.2
10.10.9.1
192.168.2.0/24
514

I will move the 10.10.2.2 up above the /23 in case this is causing it, but I know we are getting syslog events from all other sources.

Maybe it's the Cisco packet?

On Tuesday, October 15, 2019 at 7:19:23 AM UTC-4, dan (ddpbsd) wrote:
>
> On Mon, Oct 14, 2019 at 3:03 PM Nate wrote:
> >
> > Hi,
> >
> > I've never seen this before but I set up our ASA 5516 to send syslog events to our OSSEC server to detect SHUN events.
> >
> > ossec.conf
> >
> > syslog
> > 10.10.2.2
> > 514
> >
> > 0
> > 9
> >
> > local_rules.xml
> >
> > 4100
> > ASA-4-73310\d|ASA-4-40100\d
> > ASA Shun event
> >
> > but reviewing the alerts, archives, database no events from our 10.10.2.2 or ASA show up. Running tcpdump on ossec shows they are received by the server:
> >
> > 14:53:41.611883 IP (tos 0x0, ttl 254, id 54586, offset 0, flags [none], proto UDP (17), length 140)
> >     10.10.2.2.syslog > 10.10.10.17.syslog: SYSLOG, length: 112
> >     Facility local0 (16), Severity warning (4)
> >     Msg: Oct 14 14:53:41 EDT fw1 : %ASA-4-401004: Shunned packet: 10.10.35.37 ==> 87.106.71.108 on interface inside\0x0a
> > 14:53:41.614335 IP (tos 0x0, ttl 254, id 46962, offset 0, flags [none], proto UDP (17), length 140)
> >     10.10.2.2.syslog > 10.10.10.17.syslog: SYSLOG, length: 112
> >     Facility local0 (16), Severity warning (4)
> >     Msg: Oct 14 14:53:41 EDT fw1 : %ASA-4-401004: Shunned packet: 10.10.35.37 ==> 87.106.71.108 on interface inside\0x0a
> >
> > If I copy out the Msg and paste it into ossec-logtest it does process it to my rule:
> >
> > [USER@ossec~]# /var/ossec/bin/ossec-logtest
> > 2019/10/14 14:58:37 ossec-testrule: INFO: Reading local decoder file.
> > 2019/10/14 14:58:37 ossec-testrule: INFO: Started (pid: 29400).
> > ossec-testrule: Type one log per line.
> >
> > Oct 14 14:53:41 EDT fw1 : %ASA-4-401004: Shunned packet: 10.10.35.37 ==> 87.106.71.108 on interface inside\0x0a
> >
> >
> > **Phase 1: Completed pre-decoding.
> >        full event: 'Oct 14 14:53:41 EDT fw1 : %ASA-4-401004: Shunned packet: 10.10.35.37 ==> 87.106.71.108 on interface inside\0x0a'
> >        hostname: 'EDT'
> >        program_name: '(null)'
> >        log: 'fw1 : %ASA-4-401004: Shunned packet: 10.10.35.37 ==> 87.106.71.108 on interface inside\0x0a'
> >
> > **Phase 2: Completed decoding.
> >        decoder: 'ASA-lanattk'
> >
> > **Phase 3: Completed filtering (rules).
> >        Rule id: '100260'
> >        Level: '9'
> >        Description: 'ASA Shun event'
> > **Alert to be generated.
> >
> > I see that UDP port 514 is running:
> >
> > [root@secserv ~]# netstat -anp | grep 514
> > tcp 0 0 127.0.0.1:3306 127.0.0.1:37514 ESTABLISHED 5542/mysqld
> > tcp 0 0 127.0.0.1:37514 127.0.0.1:3306 ESTABLISHED 29340/ossec-dbd
> > udp 0 0 :::1514 :::* 29373/ossec-remoted
> > udp 0 0 :::514 :::* 29372/ossec-remoted
> >
> >
> > What obvious thing am I missing to set up an ASA to OSSEC? Our HP switches and Palo Alto firewall are sending syslogs just fine.
> >
>
> After adding the system to allowed-ips, did you restart the OSSEC processes on the OSSEC server?
> Is there a host firewall (iptables) on the OSSEC server? Is 514 UDP open to 10.10.2.2?
Re: [ossec-list] OSSEC receiving syslog alerts from ASA but not processing them
On Mon, Oct 14, 2019 at 3:03 PM Nate wrote:
>
> Hi,
>
> I've never seen this before but I set up our ASA 5516 to send syslog events to our OSSEC server to detect SHUN events.
>
> ossec.conf
>
> syslog
> 10.10.2.2
> 514
>
> 0
> 9
>
> local_rules.xml
>
> 4100
> ASA-4-73310\d|ASA-4-40100\d
> ASA Shun event
>
> but reviewing the alerts, archives, database no events from our 10.10.2.2 or ASA show up. Running tcpdump on ossec shows they are received by the server:
>
> 14:53:41.611883 IP (tos 0x0, ttl 254, id 54586, offset 0, flags [none], proto UDP (17), length 140)
>     10.10.2.2.syslog > 10.10.10.17.syslog: SYSLOG, length: 112
>     Facility local0 (16), Severity warning (4)
>     Msg: Oct 14 14:53:41 EDT fw1 : %ASA-4-401004: Shunned packet: 10.10.35.37 ==> 87.106.71.108 on interface inside\0x0a
> 14:53:41.614335 IP (tos 0x0, ttl 254, id 46962, offset 0, flags [none], proto UDP (17), length 140)
>     10.10.2.2.syslog > 10.10.10.17.syslog: SYSLOG, length: 112
>     Facility local0 (16), Severity warning (4)
>     Msg: Oct 14 14:53:41 EDT fw1 : %ASA-4-401004: Shunned packet: 10.10.35.37 ==> 87.106.71.108 on interface inside\0x0a
>
> If I copy out the Msg and paste it into ossec-logtest it does process it to my rule:
>
> [USER@ossec~]# /var/ossec/bin/ossec-logtest
> 2019/10/14 14:58:37 ossec-testrule: INFO: Reading local decoder file.
> 2019/10/14 14:58:37 ossec-testrule: INFO: Started (pid: 29400).
> ossec-testrule: Type one log per line.
>
> Oct 14 14:53:41 EDT fw1 : %ASA-4-401004: Shunned packet: 10.10.35.37 ==> 87.106.71.108 on interface inside\0x0a
>
>
> **Phase 1: Completed pre-decoding.
>        full event: 'Oct 14 14:53:41 EDT fw1 : %ASA-4-401004: Shunned packet: 10.10.35.37 ==> 87.106.71.108 on interface inside\0x0a'
>        hostname: 'EDT'
>        program_name: '(null)'
>        log: 'fw1 : %ASA-4-401004: Shunned packet: 10.10.35.37 ==> 87.106.71.108 on interface inside\0x0a'
>
> **Phase 2: Completed decoding.
>        decoder: 'ASA-lanattk'
>
> **Phase 3: Completed filtering (rules).
>        Rule id: '100260'
>        Level: '9'
>        Description: 'ASA Shun event'
> **Alert to be generated.
>
> I see that UDP port 514 is running:
>
> [root@secserv ~]# netstat -anp | grep 514
> tcp 0 0 127.0.0.1:3306 127.0.0.1:37514 ESTABLISHED 5542/mysqld
> tcp 0 0 127.0.0.1:37514 127.0.0.1:3306 ESTABLISHED 29340/ossec-dbd
> udp 0 0 :::1514 :::* 29373/ossec-remoted
> udp 0 0 :::514 :::* 29372/ossec-remoted
>
>
> What obvious thing am I missing to set up an ASA to OSSEC? Our HP switches and Palo Alto firewall are sending syslogs just fine.
>

After adding the system to allowed-ips, did you restart the OSSEC processes on the OSSEC server?
Is there a host firewall (iptables) on the OSSEC server? Is 514 UDP open to 10.10.2.2?