Netscreen logs


Reggie Griffin

Jan 27, 2009, 1:24:19 PM
to ossec...@googlegroups.com
Hello,

We are trying to send out Netscreen logs to OSSEC, but it does not
appear to be parsing them.
I have verified with tcpdump that the logs are making it to the OSSEC
server.

Any advice for troubleshooting? I looked at the decoder.xml file, but
it's not helping me much. There are some walkthroughs for Cisco devices,
but the only info I was able to find was an old mailing list entry for
Netscreen.

Sample log.

Jan 27 13:20:36 1.1.1.1 relative: NetScreen device_id=relative [Root]system-notification-00257(traffic): start_time="2009-01-27 13:20:35" duration=0
policy_id=2 service=tcp/port:9090 proto=6 src zone=Untrust dst zone=DMZ action=Deny sent=0 rcvd=0 src=1.1.2.1 dst=1.1.1.4 src_port=61527 dst_port=9090 session_id=0

-Reggie


Reggie Griffin

Jan 27, 2009, 2:16:25 PM
to ossec...@googlegroups.com
Here is another sample log file.

Jan 27 14:11:23 1.1.1.1 relative: NetScreen device_id=relative [Root]system-warning-00519: Admin user "admin" logged in for Web(http) management
(port 80) from 1.1.1.100:47131 (2009-01-27 14:11:22)

-Reggie

cnk

Jan 27, 2009, 2:28:35 PM
to ossec...@googlegroups.com
Using ossec-logtest you can verify that the log line is being decoded
properly.

hostname: '1.1.1.1'
program_name: 'relative'
log: 'NetScreen device_id=relative [Root]system-notification-00257(traffic): start_time="2009-01-27 13:20:35" duration=0 policy_id=2 service=tcp/port:9090 proto=6 src zone=Untrust dst zone=DMZ action=Deny sent=0 rcvd=0 src=1.1.2.1 dst=1.1.1.4 src_port=61527 dst_port=9090 session_id=0'

**Phase 2: Completed decoding.
decoder: 'netscreenfw'
proto: '6'
action: 'Deny'
srcip: '1.1.2.1'
dstip: '1.1.1.4'
srcport: '61527'
dstport: '9090'

**Phase 3: Completed filtering (rules).
Rule id: '4100'
Level: '0'
Description: 'Firewall rules grouped.'

What does your ossec.conf look like? Do you have this stanza:

<remote>
<connection>syslog</connection>
<allowed-ips>172.10.10.2</allowed-ips>
</remote>

Where 172.10.10.2 is the IP of your netscreen device?

Cheers,

cnk

Reggie Griffin

Jan 27, 2009, 2:55:04 PM
to ossec...@googlegroups.com
I do, but I also have another remote section.

<remote>
<connection>secure</connection>
<allowed-ips>1.1.1.0/24</allowed-ips>
<port>1514</port>
</remote>

<remote>
<connection>syslog</connection>
<allowed-ips>2.2.2.2</allowed-ips>
</remote>


Can you have two <remote></remote> sections?

OSSEC is listening on both 514 and 1514 udp ports.

udp 0 0 0.0.0.0:514  0.0.0.0:* 21833/ossec-remoted
udp 0 0 0.0.0.0:1514 0.0.0.0:* 21830/ossec-remoted


-Reggie

Reggie Griffin

Jan 27, 2009, 3:47:22 PM
to ossec...@googlegroups.com
Here is some strace output.

strace -p <processid> output.

recvfrom(4, "<133>relative: NetScreen device_"..., 1024, 0, {sa_family=AF_INET, sin_port=htons(2934), sin_addr=inet_addr("1.1.1.1")}, [16]) = 284
stat64("/queue/ossec/.wait", 0xbffd6968) = -1 ENOENT (No such file or directory)

Not sure if this is helpful.

-Reggie

Reggie Griffin

Jan 27, 2009, 4:43:51 PM
to ossec...@googlegroups.com
Ok, it's definitely getting to the OSSEC server. If I remove the
<allowed-ips>1.1.1.1</allowed-ips> from below:

<remote>
<connection>syslog</connection>
<allowed-ips>1.1.1.1</allowed-ips>
</remote>

I start receiving errors that the message isn't allowed for that IP
address. Add it back and restart OSSEC with no errors, but still no
logs or alerts.

To test, I log in and out of my netscreen device.

Jan 27 16:35:33 1.1.1.1 relative: NetScreen device_id=relative [Root]system-warning-00515: Admin user "admin" logged out for Web(http) management
(port 80) from 1.1.1.4:57396 (2009-01-27 16:35:32)

Stumped.

-Reggie

Reggie Griffin

Jan 28, 2009, 11:55:45 AM
to ossec...@googlegroups.com
Will add another note to this. If I remove my entry:

<remote>
<connection>syslog</connection>
<allowed-ips>2.2.2.2</allowed-ips>
</remote>

Restart OSSEC, then start up the normal syslog daemon, the logs are
received and added to /var/log/messages. OSSEC then will pick up the log
from the logfile directly. It's a workaround.

Oh, one comment about a rule in /var/ossec/rules/firewall_rules.xml.

<rule id="4101" level="5">
<if_sid>4100</if_sid>
<action>DROP</action>
<options>no_log</options>
<description>Firewall drop event.</description>
<group>firewall_drop,</group>
</rule>

The action is "DENY" from the parse of our logs.

-Reggie

Daniel Cid

Feb 2, 2009, 12:46:10 PM
to ossec...@googlegroups.com
Hi Reggie,

It looks like your previous setup was working. OSSEC by default will store
the firewall logs at /var/ossec/logs/firewall/firewall.log instead of the normal
alerts.log file. That's why it was not showing up in there.

Only if you get multiple drops or other system messages from the firewall
(like logins, logouts, etc.) will they go to alerts.log.

Also, ossec pre-parses firewall events so the DROP is correct in there...

Hope it helps.

--
Daniel B. Cid
dcid ( at ) ossec.net
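A small decoder in Python, added here as an illustration and not OSSEC's own code, that reproduces the field extraction cnk's ossec-logtest run shows for the traffic line and the Deny-to-DROP normalization Daniel mentions, and tells traffic events (destined for firewall.log) apart from system messages such as the admin login. The two sample lines are copied from the thread; the action map beyond Deny -> DROP and the syslog layout regex are my assumptions.

```python
import re

# Sample lines constructed from the two formats posted in this thread.
TRAFFIC_LINE = ('Jan 27 13:20:36 1.1.1.1 relative: NetScreen device_id=relative '
                '[Root]system-notification-00257(traffic): start_time="2009-01-27 13:20:35" '
                'duration=0 policy_id=2 service=tcp/port:9090 proto=6 src zone=Untrust '
                'dst zone=DMZ action=Deny sent=0 rcvd=0 src=1.1.2.1 dst=1.1.1.4 '
                'src_port=61527 dst_port=9090 session_id=0')
LOGIN_LINE = ('Jan 27 14:11:23 1.1.1.1 relative: NetScreen device_id=relative '
              '[Root]system-warning-00519: Admin user "admin" logged in for Web(http) '
              'management (port 80) from 1.1.1.100:47131 (2009-01-27 14:11:22)')

# Assumed BSD-syslog layout: "<Mon dd HH:MM:SS> <host> <program>: <message>".
SYSLOG_RE = re.compile(r'^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) '
                       r'(?P<prog>[^:]+): (?P<msg>.*)$')
# Fields in the same order ossec-logtest printed them for the traffic event.
TRAFFIC_RE = re.compile(r'proto=(?P<proto>\d+) src zone=\S+ dst zone=\S+ '
                        r'action=(?P<action>\w+) sent=\d+ rcvd=\d+ '
                        r'src=(?P<srcip>\S+) dst=(?P<dstip>\S+) '
                        r'src_port=(?P<srcport>\d+) dst_port=(?P<dstport>\d+)')


def normalize_action(action):
    """Map the vendor's action word onto the DROP/ALLOW vocabulary the
    firewall rules (e.g. rule 4101) match on. Deny -> DROP is what the
    thread confirms; the other spellings are an assumption."""
    a = action.lower()
    if a in ('deny', 'drop', 'reject', 'block', 'discard'):
        return 'DROP'
    if a in ('permit', 'accept', 'allow', 'pass'):
        return 'ALLOW'
    return 'UNKNOWN'


def decode(line):
    """Return the decoded fields for a NetScreen syslog line, or None."""
    m = SYSLOG_RE.match(line)
    if not m or not m.group('msg').startswith('NetScreen '):
        return None
    fields = {'hostname': m.group('host'), 'program_name': m.group('prog'),
              'log': m.group('msg'), 'decoder': 'netscreenfw'}
    t = TRAFFIC_RE.search(fields['log'])
    if t:  # traffic event: goes to the separate firewall log, not alerts.log
        fields.update(t.groupdict())
        fields['action'] = normalize_action(fields['action'])
        fields['destination'] = '/var/ossec/logs/firewall/firewall.log'
    else:  # system message (logins etc.): reaches alerts.log only if a rule fires
        fields['destination'] = 'alerts.log (rule dependent)'
    return fields
```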
