OSSEC HIDS Notification.
2015 Jul 02 12:12:14
Received From: (jump02) 10.13.16.7->\Logfiles\Firewall\pfirewall.log
Rule: 4151 fired (level 10) -> "Multiple Firewall drop events from same source."
Portion of the log(s):
2015-07-02 12:11:59 DROP TCP 10.13.1.6 10.13.16.7 443 3573 40 A 2313797595 2078887944 7504 - - - RECEIVE
2015-07-02 12:11:58 DROP TCP 10.13.1.6 10.13.16.7 443 3572 40 A 1914956515 1862563536 7504 - - - RECEIVE
2015-07-02 12:11:58 DROP TCP 10.13.1.6 10.13.16.7 443 3572 40 A 1914956515 1862563535 7504 - - - RECEIVE
2015-07-02 12:11:57 DROP TCP 10.13.1.6 10.13.16.7 443 3571 40 A 1983683511 660455107 7504 - - - RECEIVE
2015-07-02 12:11:57 DROP TCP 10.13.1.6 10.13.16.7 443 3571 40 A 1983683511 660455106 7504 - - - RECEIVE
2015-07-02 12:11:56 DROP TCP 10.13.1.6 10.13.16.7 443 3568 40 A 1348841012 1715023945 7504 - - - RECEIVE
2015-07-02 12:11:56 DROP TCP 10.13.1.6 10.13.16.7 443 3568 40 A 1348841012 1715023944 7504 - - - RECEIVE
2015-07-02 12:11:50 DROP TCP 10.13.1.6 10.13.16.7 443 3566 40 A 1087397228 121698030 7504 - - - RECEIVE
2015-07-02 12:11:49 DROP TCP 10.13.1.6 10.13.16.7 443 3563 40 A 524181289 2382348392 7504 - - - RECEIVE
2015-07-02 12:11:49 DROP TCP 10.13.1.6 10.13.16.7 443 3563 40 A 524181289 2382348391 7504 - - - RECEIVE
2015-07-02 12:11:46 DROP TCP 10.13.1.6 10.13.16.7 443 3562 40 A 1283761885 1189402708 7504 - - - RECEIVE
2015-07-02 12:11:46 DROP TCP 10.13.1.6 10.13.16.7 443 3562 40 A 1283761885 1189402707 7504 - - - RECEIVE
--END OF NOTIFICATION
with this rule without success:
<rule id="100002" level="10">
<if_sid>4151</if_sid>
<srcip>10.13.16.7</srcip>
<match>10.13.1.6</match>
<description>#100882</description>
</rule>
But we are still receiving mails for these events. Do you have an idea what's wrong?
Thanks!
On Aug 3, 2015 11:41 AM, "Björn" <in...@bb-it.biz> wrote:
>
> Hello,
>
> I try to exclude this event:
>
>
> OSSEC HIDS Notification.
> 2015 Jul 02 12:12:14
>
> Received From: (jump02) 10.13.16.7->\Logfiles\Firewall\pfirewall.log
> Rule: 4151 fired (level 10) -> "Multiple Firewall drop events from same source."
> Portion of the log(s):
>
> 2015-07-02 12:11:59 DROP TCP 10.13.1.6 10.13.16.7 443 3573 40 A 2313797595 2078887944 7504 - - - RECEIVE
I can't run these through ossec-logtest at the moment, but does the 16.7 address decode to be the source ip?
>
>
>
> --END OF NOTIFICATION
>
>
> with this rule without success:
>
> <rule id="100002" level="10">
> <if_sid>4151</if_sid>
> <srcip>10.13.16.7</srcip>
> <match>10.13.1.6</match>
> <description>#100882</description>
> </rule>
>
>
> But we are still receiving mails for these events. Do you have an idea what's wrong?
>
> Thanks!
bin/ossec-logtest
2015/08/03 17:47:39 ossec-testrule: INFO: Reading local decoder file.
2015/08/03 17:47:39 ossec-testrule: INFO: Started (pid: 22641).
ossec-testrule: Type one log per line.
2015-07-02 12:11:58 DROP TCP 10.13.1.6 10.13.16.7 443 3572 40 A 1914956515 1862563536 7504 - - - RECEIVE
**Phase 1: Completed pre-decoding.
full event: '2015-07-02 12:11:58 DROP TCP 10.13.1.6 10.13.16.7 443 3572 40 A 1914956515 1862563536 7504 - - - RECEIVE'
hostname: 'webint'
program_name: '(null)'
log: '2015-07-02 12:11:58 DROP TCP 10.13.1.6 10.13.16.7 443 3572 40 A 1914956515 1862563536 7504 - - - RECEIVE'
**Phase 2: Completed decoding.
decoder: 'windows-date-format'
action: 'DROP'
proto: 'TCP'
srcip: '10.13.1.6'
dstip: '10.13.16.7'
srcport: '443'
dstport: '3572'
**Phase 3: Completed filtering (rules).
Rule id: '4101'
Level: '5'
Description: 'Firewall drop event.'
^C
On Aug 3, 2015 11:56 AM, "Björn" <in...@bb-it.biz> wrote:
>
> bin/ossec-logtest
> 2015/08/03 17:47:39 ossec-testrule: INFO: Reading local decoder file.
> 2015/08/03 17:47:39 ossec-testrule: INFO: Started (pid: 22641).
> ossec-testrule: Type one log per line.
>
>
> 2015-07-02 12:11:58 DROP TCP 10.13.1.6 10.13.16.7 443 3572 40 A 1914956515 1862563536 7504 - - - RECEIVE
>
>
> **Phase 1: Completed pre-decoding.
> full event: '2015-07-02 12:11:58 DROP TCP 10.13.1.6 10.13.16.7 443 3572 40 A 1914956515 1862563536 7504 - - - RECEIVE'
> hostname: 'webint'
> program_name: '(null)'
> log: '2015-07-02 12:11:58 DROP TCP 10.13.1.6 10.13.16.7 443 3572 40 A 1914956515 1862563536 7504 - - - RECEIVE'
>
>
> **Phase 2: Completed decoding.
> decoder: 'windows-date-format'
> action: 'DROP'
> proto: 'TCP'
> srcip: '10.13.1.6'
> dstip: '10.13.16.7'
16.7 is being decoded as the destination IP, 1.6 is the source.
On Aug 4, 2015 8:45 AM, "Björn" <in...@bb-it.biz> wrote:
>
> Ah okay, thanks for your help.
> I get and understand it now! It seems we have multiple srcips.
>
I only see 1 source ip in the log samples you provided.
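Added example (not code from the thread or from OSSEC): the ossec-logtest output above shows why the posted rule never fires. pfirewall.log puts the source address before the destination (the W3C header is date time action protocol src-ip dst-ip src-port dst-port ...), so every dropped packet has srcip 10.13.1.6 and dstip 10.13.16.7 (jump02 itself), and the 40-byte ACK-only segments from port 443 are consistent with stray ACKs arriving after an HTTPS connection was already closed on jump02. The script below parses a few log lines copied from the notification plus one constructed SEND line, decodes the same fields OSSEC's decoder produced, and evaluates the `<srcip>` and `<match>` conditions of the posted rule against the corrected one. The rule evaluator is a deliberately minimal model of OSSEC's matching (exact IP compare for `<srcip>`, substring for `<match>`), not OSSEC's engine; the `SEND` line and the `to_xml` helper are my own.

```python
"""Model of the OSSEC <srcip>/<match> checks against pfirewall.log lines.
Added example; not the thread's or OSSEC's own code."""
from dataclasses import dataclass
from typing import Optional

# Column order of a Windows Firewall pfirewall.log line (its W3C #Fields header).
FIELDS = ("date", "time", "action", "proto", "srcip", "dstip", "srcport",
          "dstport", "size", "tcpflags", "tcpsyn", "tcpack", "tcpwin",
          "icmptype", "icmpcode", "info", "path")

# Four lines copied from the notification in the thread, plus one CONSTRUCTED
# line (the SEND) in which jump02 (10.13.16.7) is the packet's source.
SAMPLE_LOG = """\
2015-07-02 12:11:59 DROP TCP 10.13.1.6 10.13.16.7 443 3573 40 A 2313797595 2078887944 7504 - - - RECEIVE
2015-07-02 12:11:58 DROP TCP 10.13.1.6 10.13.16.7 443 3572 40 A 1914956515 1862563536 7504 - - - RECEIVE
2015-07-02 12:11:57 DROP TCP 10.13.1.6 10.13.16.7 443 3571 40 A 1983683511 660455107 7504 - - - RECEIVE
2015-07-02 12:11:46 DROP TCP 10.13.1.6 10.13.16.7 443 3562 40 A 1283761885 1189402708 7504 - - - RECEIVE
2015-07-02 12:12:03 DROP TCP 10.13.16.7 10.13.1.6 3574 443 40 A 1 1 7504 - - - SEND
"""


def decode(line: str) -> Optional[dict]:
    """Split one log line into the fields the windows-date-format decoder exposed
    (srcip, dstip, srcport, dstport, ...). Returns None for malformed lines."""
    parts = line.split()
    if len(parts) != len(FIELDS):
        return None
    event = dict(zip(FIELDS, parts))
    event["log"] = line          # <match> is tested against the raw log text
    return event


@dataclass
class Rule:
    """Subset of an OSSEC rule: <srcip> compares against the decoded source
    address, <match> is a substring test on the log, both must hold."""
    rule_id: int
    level: int
    if_sid: int = 4151
    srcip: Optional[str] = None
    match: Optional[str] = None

    def fires(self, event: dict) -> bool:
        if self.srcip is not None and event.get("srcip") != self.srcip:
            return False
        if self.match is not None and self.match not in event["log"]:
            return False
        return True

    def to_xml(self) -> str:
        """Render the rule in OSSEC's local_rules.xml syntax."""
        lines = [f'<rule id="{self.rule_id}" level="{self.level}">',
                 f'  <if_sid>{self.if_sid}</if_sid>']
        if self.srcip is not None:
            lines.append(f'  <srcip>{self.srcip}</srcip>')
        if self.match is not None:
            lines.append(f'  <match>{self.match}</match>')
        lines += ['  <description>Ignore firewall drops from 10.13.1.6</description>',
                  '</rule>']
        return "\n".join(lines)


# The rule as posted in the thread: srcip is the wrong host.
POSTED = Rule(rule_id=100002, level=10, srcip="10.13.16.7", match="10.13.1.6")
# Corrected: the decoded source is 10.13.1.6, and level 0 discards the alert.
FIXED = Rule(rule_id=100002, level=0, srcip="10.13.1.6")


def count_hits(rule: Rule, log_text: str = SAMPLE_LOG) -> int:
    """Number of sample lines on which the rule's conditions are satisfied."""
    events = [e for e in (decode(l) for l in log_text.splitlines()) if e]
    return sum(1 for e in events if rule.fires(e))


if __name__ == "__main__":
    for name, rule in (("posted", POSTED), ("fixed", FIXED)):
        print(f"{name}: matches {count_hits(rule)} of 5 sample lines")
    print(FIXED.to_xml())
```

The posted rule matches only the constructed SEND line, where jump02 is the sender and 10.13.1.6 appears in the log as the destination; it matches none of the real RECEIVE drops. Two further points a practitioner would check: a child rule at level 10 still alerts even when it matches, so the override has to carry level="0" to silence the mails; and because 4151 is a frequency rule built on 4101, attaching the level-0 override as a child of 4101 (`<if_sid>4101</if_sid>`) stops those drops from being counted toward 4151 at all, which is the cleaner fix. Run the real rule through `bin/ossec-logtest` with the `-v` flag after editing local_rules.xml to confirm which rule id wins.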