firewall.log and ICMP?

[Xavier Mertens]

Hi *,

Maybe a stupid question but I'm investigating an issue and I've to browse my history of firewall.log files. Problem: I find only TCP/UDP events and nothing regarding ICMP packets?

I tested via ossec-logstest and events are correctly parsed... 

I never paid attention to this in the past... :-(

Any idea?

/x

[Santiago Bassett]

I am afraid I don't understand the problem or question, maybe if you explain it a little bit more we can help better.

Best

--

---
You received this message because you are subscribed to the Google Groups "ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email to ossec-list+...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

[Xavier Mertens]

I'm collected firewall logs from many Ubuntu servers (basically the /var/log/ufw.log).

In this log, I can see events about TCP, UDP and ICMP traffic (allowed or dropped).

But, on my OSSEC server, in my firewall.log, I don't see any event related to the ICMP protocol...

/x

[Brent Morris]

Xavier,

I'm collecting logs from my ASA and I do see ICMP traffic in my firewall.log - 

2016 Jan 26 12:00:50 ossec->192.168.168.168 CLOSED ICMP 1.2.3.4:10254->external.addr:10254

2016 Jan 26 12:00:54 ossec->192.168.168.168 CLOSED ICMP 1.2.3.4:10510->external.addr:10510

2016 Jan 26 12:00:57 ossec->192.168.168.168 CLOSED ICMP 1.2.3.4:10766->external.addr:10766

2016 Jan 26 12:01:05 ossec->192.168.168.168 CLOSED ICMP 1.2.3.4:11278->external.addr:11278

I'm not sure what the issue might be.  

Also, thank you for the ossec2dshield script!!!  I heard about it on the Internet Storm Center Stormcast, but it might be worth plugging to the list here too :)

[Xavier Mertens]

Hi Brent,

I think that I found the problem! Here is an sample of my ossec-logtest output:

**Phase 2: Completed decoding.

       decoder: 'iptables'

       action: 'AUDIT'

       srcip: '92.222.185.1'

       dstip: '51.254.36.238'

       proto: 'ICMP'

But, while diving into the source code (in analysisd/alert/log.c):

/* FW_Log: v0.1, 2005/12/30 */

int FW_Log(Eventinfo *lf)

{

    /* If we don't have the srcip or the

     * action, there is no point in going

     * forward over here

     */

    if(!lf->action || !lf->srcip || !lf->dstip || !lf->srcport ||

       !lf->dstport || !lf->protocol)

    {

        return(0);

    }

I don't have srcport & dstport filled in so no log! I think I'll patch the code and 

I'm wondering why your ASA firewall provides ports!?

About ossec2dshield, I wrote this tool a long time ago to share my logs with DShield.org.

Ping me you want details!

/x

[Brent Morris]

Good catch!  

I think the ASA provides ports just as part of internal processing of the IP translation.  Perhaps they're a sequence number or provide some internal function for IOS.  They seem completely random.  They change to the real port in the logs when using TCP or UDP.  Here are the logs as seen from the ASA....

ICMP

2016 Jan 26 02:00:49 ossec->1.2.3.4 Jan 26 2016 02:00:49: %ASA-6-302021: Teardown ICMP connection for faddr 8.8.8.8/0 gaddr external.addr/18125 laddr external.addr/18125(any)

2016 Jan 26 02:00:49 ossec->1.2.3.4 Jan 26 2016 02:00:49: %ASA-6-302020: Built outbound ICMP connection for faddr 8.8.8.8/0 gaddr external.addr/18126 laddr external.addr/18126(any)

2016 Jan 26 02:00:49 ossec->1.2.3.4 Jan 26 2016 02:00:49: %ASA-6-302021: Teardown ICMP connection for faddr 8.8.8.8/0 gaddr external.addr/18126 laddr external.addr/18126(any)

In the case of a TCP or UDP connection, you'd see   ....Built outbound TCP connection 60148807 for outside:137.135.12.16/443 (137.135.12.16/443) to inside:1.2.3.4/11515 (external.ip.addr/11515)

[Xavier Mertens]

I'll patch my analysisd to provide srcport and dstport with a value of "0" if the protocol is "ICMP"... I need to keep traces of such events...

/x

[Brent Morris]

Is this worth submitting as an issue to github?

https://github.com/ossec/ossec-hids/issues

[Xavier Mertens]

Issue submitted!

/x