Firewall appliance : netasq/stormshield


1kn0

Dec 7, 2016, 5:43:50 AM
to ossec-list
Greetings,

I'm new to OSSEC and I didn't find an answer to my problem on the list.
I have appliance firewalls (netasq and stormshield) on a network. These firewalls export their logs to the computer where OSSEC is installed.

For tests:
  • I connect to the administration pages of the firewall with an invalid user/password.
Dec  2 15:42:29 192.168.10.1 id=firewall time="2016-12-02 15:42:28" fw="FW1" tz=+0000 startime="2016-12-02 15:42:28" user="admin" src=192.168.10.2 ruleid=0 method="PLAIN" error=4 msg="Authentication request invalid" logtype="auth"#015

  • I connect to the firewall with SSH
Dec  2 14:37:42 192.168.10.1 id=firewall time="2016-12-02 14:37:41" fw="FW1" tz=+0000 startime="2016-12-02 14:37:40" pri=5 confid=01 slotlevel=2 ruleid=1 srcif="Ethernet2" srcifname="port2" ipproto=tcp proto=ssh src=192.168.10.2 srcport=33659 srcportname=ephemeral_fw_tcp srcname=Routeur dst=192.168.10.1 dstport=22 dstportname=ssh dstname=FW action=pass logtype="filter"#015


Are there decoders and rules for this firewall?
How do I configure decoders/rules to analyze all events reported by the firewalls?

Thanks in advance for your help.

dan (ddp)

Dec 7, 2016, 7:07:03 AM
to ossec...@googlegroups.com
I don't believe there are decoders or rules for this firewall (never
heard of it actually).
Running the samples provided through ossec-logtest, I get the following output:
**Phase 1: Completed pre-decoding.
full event: 'Dec 2 15:42:29 192.168.10.1 id=firewall
time="2016-12-02 15:42:28" fw="FW1" tz=+0000 startime="2016-12-02
15:42:28" user="admin" src=192.168.10.2 ruleid=0 method="PLAIN"
error=4 msg="Authentication request invalid" logtype="auth"#015'
hostname: '192.168.10.1'
program_name: '(null)'
log: 'id=firewall time="2016-12-02 15:42:28" fw="FW1" tz=+0000
startime="2016-12-02 15:42:28" user="admin" src=192.168.10.2 ruleid=0
method="PLAIN" error=4 msg="Authentication request invalid"
logtype="auth"#015'

**Phase 2: Completed decoding.
No decoder matched.

**Phase 3: Completed filtering (rules).
Rule id: '1002'
Level: '2'
Description: 'Unknown problem somewhere in the system.'
**Alert to be generated.


**Phase 1: Completed pre-decoding.
full event: 'Dec 2 14:37:42 192.168.10.1 id=firewall
time="2016-12-02 14:37:41" fw="FW1" tz=+0000 startime="2016-12-02
14:37:40" pri=5 confid=01 slotlevel=2 ruleid=1 srcif="Ethernet2"
srcifname="port2" ipproto=tcp proto=ssh src=192.168.10.2 srcport=33659
srcportname=ephemeral_fw_tcp srcname=Routeur dst=192.168.10.1
dstport=22 dstportname=ssh dstname=FW action=pass
logtype="filter"#015'
hostname: '192.168.10.1'
program_name: '(null)'
log: 'id=firewall time="2016-12-02 14:37:41" fw="FW1" tz=+0000
startime="2016-12-02 14:37:40" pri=5 confid=01 slotlevel=2 ruleid=1
srcif="Ethernet2" srcifname="port2" ipproto=tcp proto=ssh
src=192.168.10.2 srcport=33659 srcportname=ephemeral_fw_tcp
srcname=Routeur dst=192.168.10.1 dstport=22 dstportname=ssh dstname=FW
action=pass logtype="filter"#015'

**Phase 2: Completed decoding.
No decoder matched.


Adding the following decoder to local_decoder.xml gives us "decoder:
'netasq'" (although this is untested against other logs to make sure
there are no conflicts):
<decoder name="netasq">
<prematch>^id=</prematch>
</decoder>


These decoders flesh it out a bit:
<decoder name="netasq-log">
<parent>netasq</parent>
<prematch>logtype="auth"</prematch>
<regex>^id=(\S+) time=\.+ fw="(\w+)" \.+ user="(\S+)" src=(\S+) \.+ logtype="auth"</regex>
<order>id, extra_data, user, srcip</order>
</decoder>

<decoder name="netasq-fw">
<parent>netasq</parent>
<prematch> logtype="filter"</prematch>
<regex>^id=(\S+) time=\.+ fw="(\w+)" \.+ ipproto=(\S+) proto=(\S+) src=(\S+) srcport=(\d+) \.+ dst=(\S+) dstport=(\d+) \.+ action=(\S+)</regex>
<order>id, extra_data, protocol, protocol, srcip, srcport, dstip, dstport, action</order>
</decoder>

**Phase 1: Completed pre-decoding.
full event: 'Dec 2 15:42:29 192.168.10.1 id=firewall
time="2016-12-02 15:42:28" fw="FW1" tz=+0000 startime="2016-12-02
15:42:28" user="admin" src=192.168.10.2 ruleid=0 method="PLAIN"
error=4 msg="Authentication request invalid" logtype="auth"#015'
hostname: '192.168.10.1'
program_name: '(null)'
log: 'id=firewall time="2016-12-02 15:42:28" fw="FW1" tz=+0000
startime="2016-12-02 15:42:28" user="admin" src=192.168.10.2 ruleid=0
method="PLAIN" error=4 msg="Authentication request invalid"
logtype="auth"#015'

**Phase 2: Completed decoding.
decoder: 'netasq'
id: 'firewall'
extra_data: 'FW1'
dstuser: 'admin'
srcip: '192.168.10.2'


**Phase 1: Completed pre-decoding.
full event: 'Dec 2 14:37:42 192.168.10.1 id=firewall
time="2016-12-02 14:37:41" fw="FW1" tz=+0000 startime="2016-12-02
14:37:40" pri=5 confid=01 slotlevel=2 ruleid=1 srcif="Ethernet2"
srcifname="port2" ipproto=tcp proto=ssh src=192.168.10.2 srcport=33659
srcportname=ephemeral_fw_tcp srcname=Routeur dst=192.168.10.1
dstport=22 dstportname=ssh dstname=FW action=pass
logtype="filter"#015'
hostname: '192.168.10.1'
program_name: '(null)'
log: 'id=firewall time="2016-12-02 14:37:41" fw="FW1" tz=+0000
startime="2016-12-02 14:37:40" pri=5 confid=01 slotlevel=2 ruleid=1
srcif="Ethernet2" srcifname="port2" ipproto=tcp proto=ssh
src=192.168.10.2 srcport=33659 srcportname=ephemeral_fw_tcp
srcname=Routeur dst=192.168.10.1 dstport=22 dstportname=ssh dstname=FW
action=pass logtype="filter"#015'

**Phase 2: Completed decoding.
decoder: 'netasq'
id: 'firewall'
extra_data: 'FW1'
proto: 'tcp'
proto: 'ssh'
srcip: '192.168.10.2'
srcport: '33659'
dstip: '192.168.10.1'
dstport: '22'


I'm not sure why action isn't showing up in that second one off hand,
but I've fiddled with it enough for now.
Any rules you create based on these decoders should reference
<decoded_as>netasq</decoded_as>.




Natassia S

Dec 7, 2016, 11:32:28 AM
to ossec...@googlegroups.com
The book does a good job of describing the process of writing custom decoders.

Natassia



Bertrand Danos

Dec 9, 2016, 5:51:09 AM
to ossec...@googlegroups.com
Hello Dan,

Thank you very much for your help.

I have a problem with the following decoder and sample. It generates a
segfault in ossec-logtest:

<!--
Dec 2 14:37:42 192.168.10.1 id=firewall time="2016-12-02 14:37:41"
fw="FW1" tz=+0000 startime="2016-12-02 14:37:40" pri=5 confid=01
slotlevel=2 ruleid=1 srcif="Ethernet2" srcifname="port2" ipproto=tcp
proto=ssh src=192.168.10.2 srcport=33659 srcportname=ephemeral_fw_tcp
srcname=Routeur dst=192.168.10.1 dstport=22 dstportname=ssh dstname=FW
action=pass logtype="filter"#015
-->

<decoder name="netasq-filter">
<parent>netasq</parent>
<prematch>logtype="filter"</prematch>
<regex>^id=(\S+) time=\.+ fw="(\w+)" \.+ srcifname="(\w+)" ipproto=(\S+) proto=(\S+) src=(\S+) srcport=(\d+) \.+ dst=(\S+) dstport=(\d+) \.+ action=(\S+)</regex>
<order>id, extra_data, extra_data, protocol, protocol, srcip, srcport, dstip, dstport, action</order>
</decoder>

The segfault appears before the display of dstport.
For the 'action' item, I can't display it either.

Any ideas?

Jesus Linares

Dec 9, 2016, 6:50:21 AM
to ossec-list
Hi,

What OSSEC version are you running?

Regards.

Bertrand Danos

Dec 9, 2016, 8:35:52 AM
to ossec...@googlegroups.com
ossec-logtest -V reports v2.8

Regards

dan (ddp)

Dec 9, 2016, 10:48:57 AM
to ossec...@googlegroups.com
If you remove the action match and order, does it still segfault?



Bertrand Danos

Dec 14, 2016, 9:51:27 AM
to ossec...@googlegroups.com
Without the action match and order, it's OK:

<!--
Dec 2 14:37:42 192.168.10.1 id=firewall time="2016-12-02 14:37:41"
fw="FW1" tz=+0000 startime="2016-12-02 14:37:40" pri=5 confid=01
slotlevel=2 ruleid=1 srcif="Ethernet2" srcifname="port2" ipproto=tcp
proto=ssh src=192.168.10.2 srcport=33659 srcportname=ephemeral_fw_tcp
srcname=Routeur dst=192.168.10.1 dstport=22 dstportname=ssh dstname=FW
action=pass logtype="filter"#015
-->
<decoder name="netasq-filter">
<parent>netasq</parent>
<prematch>logtype="filter"</prematch>
<regex>^id=(\S+) time=\.+ fw="(\w+)" \.+ srcifname="(\w+)" ipproto=(\S+) proto=(\S+) src=(\S+) srcport=(\d+) \.+ dst=(\S+) dstport=(\d+)</regex>
<order>id, extra_data, extra_data, protocol, protocol, srcip, srcport, dstip, dstport</order>

<!-- segfault
<regex>^id=(\S+) time=\.+ fw="(\w+)" \.+ srcifname="(\w+)" ipproto=(\S+) proto=(\S+) src=(\S+) srcport=(\d+) \.+ dst=(\S+) dstport=(\d+) \.+ action=(\S+)</regex>
<order>id, extra_data, extra_data, protocol, protocol, srcip, srcport, dstip, dstport, action</order>
-->
</decoder>


Result:

**Phase 2: Completed decoding.
decoder: 'netasq'
id: 'firewall'
extra_data: 'FW1'
extra_data: 'port2'
proto: 'tcp'
proto: 'ssh'
srcip: '192.168.10.2'
srcport: '33659'
dstip: '192.168.10.1'



With the action match and order, it crashes:

strace ./ossec-logtest

write(2, "\n**Phase 2: Completed decoding.", 31
**Phase 2: Completed decoding.) = 31
write(2, "\n", 1
) = 1
write(2, " decoder: 'netasq'", 24 decoder: 'netasq') = 24
write(2, "\n", 1
) = 1
write(2, " id: 'firewall'", 21 id: 'firewall') = 21
write(2, "\n", 1
) = 1
write(2, " extra_data: 'FW1'", 24 extra_data: 'FW1') = 24
write(2, "\n", 1
) = 1
write(2, " extra_data: 'port2'", 26 extra_data: 'port2') = 26
write(2, "\n", 1
) = 1
write(2, " proto: 'tcp'", 19 proto: 'tcp') = 19
write(2, "\n", 1
) = 1
write(2, " proto: 'ssh'", 19 proto: 'ssh') = 19
write(2, "\n", 1
) = 1
write(2, " srcip: '192.168.10.2'", 28 srcip: '192.168.10.2') = 28
write(2, "\n", 1
) = 1
write(2, " srcport: '33659'", 23 srcport: '33659') = 23
write(2, "\n", 1
) = 1
write(2, " dstip: '192.168.10.1'", 28 dstip: '192.168.10.1') = 28
write(2, "\n", 1
) = 1
--- SIGSEGV (Segmentation fault) @ 0 (0) ---
+++ killed by SIGSEGV +++

dan (ddp)

Dec 16, 2016, 10:23:34 AM
to ossec...@googlegroups.com
On Wed, Dec 14, 2016 at 9:50 AM, Bertrand Danos <mill...@gmail.com> wrote:
> Without the action match and order, it's OK :
>

I feel like there was a limit in the number of entries in the <order>
field. Maybe it's 9?

What about something like this:


> <!--
> Dec 2 14:37:42 192.168.10.1 id=firewall time="2016-12-02 14:37:41"
> fw="FW1" tz=+0000 startime="2016-12-02 14:37:40" pri=5 confid=01
> slotlevel=2 ruleid=1 srcif="Ethernet2" srcifname="port2" ipproto=tcp
> proto=ssh src=192.168.10.2 srcport=33659 srcportname=ephemeral_fw_tcp
> srcname=Routeur dst=192.168.10.1 dstport=22 dstportname=ssh dstname=FW
> action=pass logtype="filter"#015
> -->
> <decoder name="netasq-filter">
> <parent>netasq</parent>
> <prematch>logtype="filter"</prematch>
> <regex>^id=(\S+) time=\.+ fw="(\w+)" \.+ srcifname="(\w+)"
> ipproto=(\S+) proto=(\S+) src=(\S+) srcport=(\d+) \.+ dst=(\S+)
> dstport=(\d+)</regex>
> <order>id, extra_data, extra_data, protocol, protocol, srcip,
> srcport, dstip, dstport</order>
>
> <!-- segfault
> <regex>^id=(\S+) time=\.+ fw="(\w+)" \.+ srcifname="(\w+)"
> ipproto=(\S+) proto=(\S+) src=(\S+) srcport=(\d+) \.+ dst=(\S+)
> dstport=(\d+) \.+ action=(\S+)</regex>
> <order>id, extra_data, extra_data, protocol, protocol, srcip,
> srcport, dstip, dstport, action</order>
> -->
> </decoder>
>

Splitting it into multiple decoders seems to work for me:
<decoder name="netasq-filter">
<parent>netasq</parent>
<prematch>logtype="filter"</prematch>
<regex>^id=(\S+) time=\.+ fw="(\w+)" \.+ srcifname="(\w+)" ipproto=(\S+) proto=(\S+) src=(\S+) srcport=(\d+) \.+ dst=(\S+) dstport=(\d+) </regex>
<order>id, extra_data, extra_data, protocol, protocol, srcip, srcport, dstip, dstport</order>
</decoder>

<decoder name="netasq-filter">
<parent>netasq</parent>
<regex>action=(\S+)</regex>
<order>action</order>
</decoder>

**Phase 1: Completed pre-decoding.
full event: 'Dec 2 14:37:42 192.168.10.1 id=firewall
time="2016-12-02 14:37:41" fw="FW1" tz=+0000 startime="2016-12-02
14:37:40" pri=5 confid=01 slotlevel=2 ruleid=1 srcif="Ethernet2"
srcifname="port2" ipproto=tcp proto=ssh src=192.168.10.2 srcport=33659
srcportname=ephemeral_fw_tcp srcname=Routeur dst=192.168.10.1
dstport=22 dstportname=ssh dstname=FW action=pass
logtype="filter"#015'
hostname: '192.168.10.1'
program_name: '(null)'
log: 'id=firewall time="2016-12-02 14:37:41" fw="FW1" tz=+0000
startime="2016-12-02 14:37:40" pri=5 confid=01 slotlevel=2 ruleid=1
srcif="Ethernet2" srcifname="port2" ipproto=tcp proto=ssh
src=192.168.10.2 srcport=33659 srcportname=ephemeral_fw_tcp
srcname=Routeur dst=192.168.10.1 dstport=22 dstportname=ssh dstname=FW
action=pass logtype="filter"#015'

**Phase 2: Completed decoding.
decoder: 'netasq'
id: 'firewall'
extra_data: 'FW1'
extra_data: 'port2'
proto: 'tcp'
proto: 'ssh'
srcip: '192.168.10.2'
srcport: '33659'
dstip: '192.168.10.1'
action: 'pass'
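As an added illustration (not code from this thread or from OSSEC itself), the Python script below re-implements outside OSSEC what the decoders posted in this thread extract, so the field mapping can be checked against the sample events without ossec-logtest. It splits the syslog header the way phase 1 pre-decoding does, parses the key=value body (quoted values included, dropping the trailing `#015` carriage-return marker), maps keys to the OSSEC field names used in the `<order>` lists above (`user` lands in dstuser, fw and srcifname in extra_data, ipproto/proto in protocol), and finally counts rejected logins per source address, which is the aggregation a rule with `<decoded_as>netasq</decoded_as>`, `<frequency>` and `<same_source_ip />` performs on top of the auth decoder. The sample lines are constructed from the two events quoted at the top of the thread; treating a non-zero `error` on a `logtype="auth"` event as a rejected login is an assumption, since the thread only shows `error=4`.

```python
import re
from collections import defaultdict

# Constructed sample input: the two syslog lines quoted at the top of the thread.
# The trailing "#015" is how the syslog receiver rendered the firewall's carriage return.
SAMPLE_LINES = [
    'Dec  2 15:42:29 192.168.10.1 id=firewall time="2016-12-02 15:42:28" fw="FW1" tz=+0000 '
    'startime="2016-12-02 15:42:28" user="admin" src=192.168.10.2 ruleid=0 method="PLAIN" '
    'error=4 msg="Authentication request invalid" logtype="auth"#015',
    'Dec  2 14:37:42 192.168.10.1 id=firewall time="2016-12-02 14:37:41" fw="FW1" tz=+0000 '
    'startime="2016-12-02 14:37:40" pri=5 confid=01 slotlevel=2 ruleid=1 srcif="Ethernet2" '
    'srcifname="port2" ipproto=tcp proto=ssh src=192.168.10.2 srcport=33659 '
    'srcportname=ephemeral_fw_tcp srcname=Routeur dst=192.168.10.1 dstport=22 '
    'dstportname=ssh dstname=FW action=pass logtype="filter"#015',
]

# Syslog header as ossec-logtest's phase 1 splits it: timestamp, hostname, log body.
SYSLOG_HEADER = re.compile(r'^(\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (\S+) (.*)$')
# One key=value token: the value is either a double-quoted string (may contain spaces)
# or a bare run of non-blank characters.
KV_TOKEN = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

# OSSEC field each key lands in, taken from the <order> lists of the decoders in this
# thread: "user" in <order> becomes dstuser, fw and srcifname go to extra_data, and
# ipproto/proto both go to protocol (which ossec-logtest prints as "proto").
FIELD_MAP = {
    'auth': [('id', 'id'), ('fw', 'extra_data'), ('user', 'dstuser'), ('src', 'srcip')],
    'filter': [('id', 'id'), ('fw', 'extra_data'), ('srcifname', 'extra_data'),
               ('ipproto', 'protocol'), ('proto', 'protocol'), ('src', 'srcip'),
               ('srcport', 'srcport'), ('dst', 'dstip'), ('dstport', 'dstport'),
               ('action', 'action')],
}


def pre_decode(line):
    """Phase 1: split the syslog header off and drop the '#015' CR marker from the body."""
    m = SYSLOG_HEADER.match(line.rstrip('\r\n'))
    if not m:
        raise ValueError('not a syslog line: %r' % line)
    timestamp, hostname, log = m.groups()
    if log.endswith('#015'):
        log = log[:-4]
    return timestamp, hostname, log


def parse_kv(log):
    """Parse the NETASQ/Stormshield key=value body into a dict with quotes stripped."""
    fields = {}
    for m in KV_TOKEN.finditer(log):
        key, quoted, bare = m.groups()
        fields[key] = quoted if quoted is not None else bare
    return fields


def decode(line):
    """Phase 2: return (decoder name, [(ossec_field, value), ...]) for one line,
    or (None, []) when the parent decoder's prematch (^id=) does not apply."""
    _, _, log = pre_decode(line)
    if not log.startswith('id='):
        return None, []
    fields = parse_kv(log)
    mapping = FIELD_MAP.get(fields.get('logtype'), [])
    return 'netasq', [(ossec_name, fields[key]) for key, ossec_name in mapping if key in fields]


def auth_failures_by_source(lines):
    """Per-source count of rejected logins: what an OSSEC rule with <decoded_as>netasq,
    <frequency> and <same_source_ip/> aggregates. Assumption (not stated in the thread):
    a non-zero 'error' on a logtype="auth" event means the login was rejected."""
    counts = defaultdict(int)
    for line in lines:
        _, _, log = pre_decode(line)
        f = parse_kv(log)
        if f.get('logtype') == 'auth' and f.get('error', '0') != '0':
            counts[f.get('src', 'unknown')] += 1
    return dict(counts)


if __name__ == '__main__':
    for line in SAMPLE_LINES:
        name, decoded = decode(line)
        print('decoder: %r' % name)
        for field, value in decoded:
            print('  %s: %r' % (field, value))
    print('rejected logins by source:', auth_failures_by_source(SAMPLE_LINES))
```

Running the script prints the same field list for the filter event that ossec-logtest shows above, including the tenth field `action: 'pass'`, which is a quick way to confirm that a new log sample carries every key a decoder's `<order>` expects before loading it into OSSEC.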