[ossec-list] Re: Help with decoder

2017-05-29 Thread RWagner



Hi Jesus, thanks for the help!

I had tested this too, but I did not succeed.
I tried putting vd=\.* and it did not work. I think there was some junk in the 
file.

I ran update_ruleset.py, I put the rule there and it worked. I do not know 
what happened. 




On Monday, May 29, 2017 at 06:48:24 UTC-3, Jesus Linares wrote:
>
> Hi,
>
> Your prematch is wrong:
>
>- log: [...] vd=root logdesc [...]
>- prematch: [...] vd=*"*\.+*"* [...]
>
>
> Try this one:
>
> 
> 
> fortigate-firewall-v5
> type=event subtype=vpn level=
> 
> logdesc="\.+" msg="(\.+)" action=(\.*) remip=(\S+) locip=(\S+) 
> \.*vpntunnel="(\.*)"
> extra_data,action,dstip,srcip,status
> 
>
>
> **Phase 2: Completed decoding.
>decoder: 'fortigate-firewall-v5'
>extra_data: 'IPsec phase 2 status change'
>action: 'phase2-down'
>dstip: '1.1.1.1'
>srcip: '2.2.2.2'
>status: 'VPN_XPTO'
>
>
> **Phase 3: Completed filtering (rules).
>Rule id: '81603'
>Level: '0'
>Description: 'Fortigate messages grouped.'
>
>
> I hope it helps.
> Regards.
>
>
>
>
> On Sunday, May 28, 2017 at 4:41:24 PM UTC+2, RWagner wrote:
>>
>> Ooops!
>>
>> Correcting the decoder parent and my decoder:
>>
>> Decoder parent:
>> 
>> date=\S+ time=\.+ devname=\S+ devid=FG\w+ logid=\d+ 
>> 
>> syslog
>> 
>>
>>
>> My decoder:
>> 
>> fortigate-firewall-v5
>> type=event subtype=vpn level=\S+ 
>> vd="\.+" logdesc="\.+" msg=
>> logdesc="\.+" msg="(\.+)" action=(\.*) remip=(\S+) locip=(\S+) 
>> \.*vpntunnel="(\.*)"
>> extra_data,action,dstip,srcip,status
>> 
>>
>> On Sunday, May 28, 2017 at 11:38:16 UTC-3, RWagner wrote:
>>>
>>>
>>> 
>>> Hi Guys!
>>>
>>> I'm making a decoder for problems with vpn phase_2 for the fortigate.
>>>
>>> Sample log:
>>> date=2017-05-20 time=07:31:20 devname=Fw1-sa-dc2d-g56 
>>> devid=FGT60D00 logid=01016745858 type=event subtype=vpn 
>>> level=notice vd=root logdesc="IPsec phase 2 status changed" msg="IPsec 
>>> phase 2 status change" action=phase2-down remip=1.1.1.1 locip=2.2.2.2 
>>> remport=500 locport=500 outintf="wan2" 
>>> cookies="dfaf555664477957/b55566998873c6f9" user="N/A" group="N/A" 
>>> xauthuser="N/A" xauthgroup="N/A" assignip=N/A vpntunnel="VPN_XPTO" 
>>> phase2_name=VPN_XPTO
>>>
>>>
>>> Decoder parent:
>>> 
>>> date=\S+ time=\.+ devname=\S+ devid=FG\w+ logid=\d+
>>> syslog
>>> 
>>>
>>>
>>> My decoder:
>>> 
>>>  fortigate-firewall-v5 
>>> logdesc="\.+" msg="(\.+)" action=(\.*) remip=(\S+) locip=
>>> extra_data,action,dstip,srcip,status
>>> 
>>>
>>> In the image of the test done with logtest, it does not show the data 
>>> extra_data, action, dstip, srcip, status.
>>>
>>> I wonder what's wrong with my decoder.
>>>
>>

-- 

--- 
You received this message because you are subscribed to the Google Groups 
"ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to ossec-list+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.


[ossec-list] OSSEC exclude IP and prevent alert trigger

2017-05-29 Thread Fredrik Hilmersson
Hello, let me try to make myself understood. So I've got the part to 
ignore/exclude a specific IP to work, that's no problem. However, here's the 
issue/problem I'd like to solve.


 7
 cronjobIP
 Ignorning cronjobIP


1. Ignore a specific IP which runs regular cronjobs and utilizes SSH (done).
2. The SSH rule triggers rule 5501, session opened for user X (in this case 
the IP which I want to ignore).
3. The SSH rule triggers rule 5502, session closed for user X (in this case 
the IP which I want to ignore).

So, my question - besides ignoring the specific IP for rule 5715 (SSHD 
authentication success), is there a way to prevent step 1 from triggering 
steps 2 and 3?

One option would obviously be to ignore the user and create a specific user 
for the certain cronjob.

Kind regards,
Fredrik



[ossec-list] Re: Help with decoder

2017-05-29 Thread Jesus Linares
Hi,

Your prematch is wrong:

   - log: [...] vd=root logdesc [...]
   - prematch: [...] vd=*"*\.+*"* [...]


Try this one:



fortigate-firewall-v5
type=event subtype=vpn level=
logdesc="\.+" msg="(\.+)" action=(\.*) remip=(\S+) locip=(\S+) 
\.*vpntunnel="(\.*)"
extra_data,action,dstip,srcip,status



**Phase 2: Completed decoding.
   decoder: 'fortigate-firewall-v5'
   extra_data: 'IPsec phase 2 status change'
   action: 'phase2-down'
   dstip: '1.1.1.1'
   srcip: '2.2.2.2'
   status: 'VPN_XPTO'


**Phase 3: Completed filtering (rules).
   Rule id: '81603'
   Level: '0'
   Description: 'Fortigate messages grouped.'


I hope it helps.
Regards.




On Sunday, May 28, 2017 at 4:41:24 PM UTC+2, RWagner wrote:
>
> Ooops!
>
> Correcting the decoder parent and my decoder:
>
> Decoder parent:
> 
> date=\S+ time=\.+ devname=\S+ devid=FG\w+ logid=\d+ 
> 
> syslog
> 
>
>
> My decoder:
> 
> fortigate-firewall-v5
> type=event subtype=vpn level=\S+ 
> vd="\.+" logdesc="\.+" msg=
> logdesc="\.+" msg="(\.+)" action=(\.*) remip=(\S+) locip=(\S+) 
> \.*vpntunnel="(\.*)"
> extra_data,action,dstip,srcip,status
> 
>
> On Sunday, May 28, 2017 at 11:38:16 UTC-3, RWagner wrote:
>>
>>
>> 
>> Hi Guys!
>>
>> I'm making a decoder for problems with vpn phase_2 for the fortigate.
>>
>> Sample log:
>> date=2017-05-20 time=07:31:20 devname=Fw1-sa-dc2d-g56 
>> devid=FGT60D00 logid=01016745858 type=event subtype=vpn 
>> level=notice vd=root logdesc="IPsec phase 2 status changed" msg="IPsec 
>> phase 2 status change" action=phase2-down remip=1.1.1.1 locip=2.2.2.2 
>> remport=500 locport=500 outintf="wan2" 
>> cookies="dfaf555664477957/b55566998873c6f9" user="N/A" group="N/A" 
>> xauthuser="N/A" xauthgroup="N/A" assignip=N/A vpntunnel="VPN_XPTO" 
>> phase2_name=VPN_XPTO
>>
>>
>> Decoder parent:
>> 
>> date=\S+ time=\.+ devname=\S+ devid=FG\w+ logid=\d+
>> syslog
>> 
>>
>>
>> My decoder:
>> 
>>  fortigate-firewall-v5 
>> logdesc="\.+" msg="(\.+)" action=(\.*) remip=(\S+) locip=
>> extra_data,action,dstip,srcip,status
>> 
>>
>> In the image of the test done with logtest, it does not show the data 
>> extra_data, action, dstip, srcip, status.
>>
>> I wonder what's wrong with my decoder.
>>
>

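To make the diagnosis in the reply above concrete (the log carries `vd=root`, unquoted, while the original prematch expected `vd="..."`), here is an added example that is not part of the thread and not OSSEC's own code. It translates OSSEC's decoder regex syntax (`\.`, `\S`, `\w`, `\d`, `+`, `*`) into Python `re`, then runs the prematch / regex / order triple from the reply over the sample log from the first post. The lines in the thread are assumed to be the `<prematch>`, `<regex>` and `<order>` elements that the archive stripped; the translation is an approximation of the OS_Regex engine (non-greedy repetition is assumed, which reproduces the logtest output shown), and the names `ossec_to_python`, `prematch_ok` and `decode` are my own.

```python
import re
from typing import Optional

# Sample log line taken from the original post in this thread.
SAMPLE_LOG = (
    'date=2017-05-20 time=07:31:20 devname=Fw1-sa-dc2d-g56 '
    'devid=FGT60D00 logid=01016745858 type=event subtype=vpn '
    'level=notice vd=root logdesc="IPsec phase 2 status changed" msg="IPsec '
    'phase 2 status change" action=phase2-down remip=1.1.1.1 locip=2.2.2.2 '
    'remport=500 locport=500 outintf="wan2" '
    'cookies="dfaf555664477957/b55566998873c6f9" user="N/A" group="N/A" '
    'xauthuser="N/A" xauthgroup="N/A" assignip=N/A vpntunnel="VPN_XPTO" '
    'phase2_name=VPN_XPTO'
)

# Decoder fields from the thread (assumed to be the <prematch>, <regex> and
# <order> elements that the archive stripped).
PARENT_PREMATCH = r'date=\S+ time=\.+ devname=\S+ devid=FG\w+ logid=\d+'
WRONG_PREMATCH = r'type=event subtype=vpn level=\S+ vd="\.+" logdesc="\.+" msg='
GOOD_PREMATCH = r'type=event subtype=vpn level='
REGEX = (r'logdesc="\.+" msg="(\.+)" action=(\.*) remip=(\S+) locip=(\S+) '
         r'\.*vpntunnel="(\.*)"')
ORDER = 'extra_data,action,dstip,srcip,status'

# OSSEC character classes (per the OSSEC regex syntax docs) -> Python re.
_CLASSES = {
    'w': '[A-Za-z0-9]', 'd': '[0-9]', 's': ' ', 't': '\t',
    'p': r'[()*+,\-.:;<=>?\[\]!"\'#$%&|{}]',
    'W': '[^A-Za-z0-9]', 'D': '[^0-9]', 'S': '[^ ]', '.': '.',
}


def ossec_to_python(pattern: str) -> str:
    """Translate an OSSEC decoder pattern into a Python regex.

    Assumption: OSSEC's engine behaves like non-greedy repetition for '+' and
    '*', so both are emitted as non-greedy quantifiers.
    """
    out = []
    i = 0
    while i < len(pattern):
        c = pattern[i]
        if c == '\\' and i + 1 < len(pattern):
            nxt = pattern[i + 1]
            # \w \d \s \S \. ... are classes; anything else (\( \) \| \$ \\)
            # is an escaped literal.
            out.append(_CLASSES.get(nxt, re.escape(nxt)))
            i += 2
            continue
        if c in '+*':
            out.append(c + '?')
        elif c in '()^$|':
            out.append(c)              # groups, anchors, alternation pass through
        else:
            out.append(re.escape(c))   # everything else is literal text
        i += 1
    return ''.join(out)


def prematch_ok(prematch: str, log: str) -> bool:
    """Return True if the decoder's prematch would select this log line."""
    return re.search(ossec_to_python(prematch), log) is not None


def decode(prematch: str, regex: str, order: str, log: str) -> Optional[dict]:
    """Emulate one child decoder: prematch, then regex, then name the groups."""
    if not prematch_ok(prematch, log):
        return None                      # decoder never runs on this line
    m = re.search(ossec_to_python(regex), log)
    if m is None:
        return None                      # prematch hit but regex did not
    return dict(zip(order.split(','), m.groups()))


if __name__ == '__main__':
    print('parent prematch:', prematch_ok(PARENT_PREMATCH, SAMPLE_LOG))
    print('wrong prematch :', decode(WRONG_PREMATCH, REGEX, ORDER, SAMPLE_LOG))
    print('fixed prematch :', decode(GOOD_PREMATCH, REGEX, ORDER, SAMPLE_LOG))
```

Running it shows the original prematch returning nothing (so the child decoder is never even tried, which is why logtest printed no fields) and the shortened prematch yielding the same five fields that the Phase 2 output in the reply lists. The same harness is a cheap way to check a new prematch against a handful of real lines before touching `local_decoder.xml` and restarting the analysis daemon.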