OSSEC Decodes for Cisco ASA CX - Context-Aware Firewall - PRSM


Brent Morris

Feb 3, 2015, 8:44:41 AM
to ossec...@googlegroups.com
Greetings all.

Would it be better to submit a pull request on github to get these included in the next release of OSSEC?  I'm not github aware... never used it other than to download stuff.

Here are my final decodes for ASA CX - These are coming off a Cisco ASA-5515X with PRSM "on-box".  The advantage to sending these to a syslog server is that you can keep the logs from the "on-box" PRSM as long as you like.  "On-Box" PRSM only allows 30 days of rolling logs, and the reporting feature leaves much to be desired.  Off-box PRSM is a separate license/cost item, and does a little more but still leaves much to be desired in reporting.  It also supports Syslog.  Downside to syslog is that the messages sometimes hit the limit of syslog size and are truncated.  I've accommodated this by picking out the interesting bits usually included toward the beginning of the message.  The URL= portion of the log can sometimes be extremely long in today's world.  After speaking to Cisco TAC - they said 1024 bytes was the max they could send - referencing http://tools.ietf.org/html/rfc3164#section-4 - So without further ado....

local_rules.xml

<group name="syslog,cisco-cx,">
  <rule id="100210" level="0">
    <decoded_as>cisco-cx</decoded_as>
    <description>Cisco CX Flows.</description>
  </rule>

  <rule id="100211" level="10">
    <if_sid>100210</if_sid>
    <match>Deny</match>
    <description>Flow Denied</description>
  </rule>
</group>

local_decoder.xml

<decoder name="cisco-cx">
  <!-- RFC 5424-style header as PRSM sends it: VERSION TIMESTAMP HOST CiscoNGFW PROCID -->
  <!-- PROCID is \d+ rather than exactly four digits so a different process id still matches -->
  <prematch>^\d\s\d\d\d\d-\d\d-\d\d\w\d\d:\d\d:\d\d.\d\d\dZ\s\d+.\d+.\d+.\d+\sCiscoNGFW\s\d+\s</prematch>
</decoder>

<decoder name="cisco-cxalert">
  <parent>cisco-cx</parent>
  <!-- MSGID 1-5; the trailing \s keeps ^1 from also matching a MSGID of 10 -->
  <prematch offset="after_parent">^1\s|^2\s|^3\s|^4\s|^5\s</prematch>
  <regex offset="after_parent">\.+Flow_DstIp="(\d+.\d+.\d+.\d+)"\.+Flow_SrcIp="(\d+.\d+.\d+.\d+)"\.+Url_Category_Name="(\w+\s*\w*\s*\w*\s*\w*)"\.+Url="(\.+)"\.*</regex>
  <!-- four capture groups, so four fields; "action" had no matching group and was dropped -->
  <order>dstip,srcip,extra_data,url</order>
</decoder>

<decoder name="cisco-cxalert2">
  <parent>cisco-cx</parent>
  <!-- MSGID 6-10 -->
  <prematch offset="after_parent">^6\s|^7\s|^8\s|^9\s|^10\s</prematch>
  <regex offset="after_parent">^\.+Web_Reputation_Threat_Type="(\w+\s*\w*\s*\w*\s*\w*)"\.*Event_Type_Name="(\w+\s*\w*\s*\w*\s*\w*)" User_Realm="(\w+\p*\w*\p*\w*\p*\w*)"\.+Url="(\.+)"\.*</regex>
  <order>status,action,user,url</order>
</decoder>


Sample Logs.

Flow Denied

1 2015-02-02T23:09:03.733Z 1.1.1.23 CiscoNGFW 2827 6 [ngfwEvent@9 Flow_Dst_Service="tcp/80" Flow_Bytes_Sent="396" Event_Type="0" Flow_DstIp="162.255.119.254" Flow_SrcIp="1.2.3.32" Count="1" Url_Category_Name="Uncategorized" Flow_Bytes="396" Web_Reputation_Threat_Type="Related to Phishing" Avc_Tag_Name="" Ev_SrcLabel="CX-CX" Event_Type_Name="HTTP Deny" User_Realm="1.2.3.32" Policy_Name="Implicit Allow" Flow_Transaction_Id="0" Url="http://image2.seethenewscan-updates.us/" Identity_Source_Name="None" Auth_Policy_Name="Default" Flow_SrcIfc="inside" Flow_ConnId="29106287" Flow_DstHostName="image2.seethenewscan-updates.us" Flow_Transaction_Count="1" Ev_Id="2281992" Web_Reputation_Score="-8.4" Event_Type_Action="Deny" Ev_GenTime="1422918630588" Flow_DstPort="80" Policy_Deny_Reason_Name="Web Reputation" Flow_DstIfc="outside" Ev_SrcId="2147484710" Avc_App_Name="HyperText Transfer Protocol" Ev_SrcHwType="ASA-CX" Flow_SrcPort="2260" Smx_Config_Version="56" Flow_Requests_Denied="1" Avc_App_Type="Infrastruct

Normal Flow

1 2015-01-28T22:26:34.371Z 1.1.1.23 CiscoNGFW 2827 5 [ngfwEvent@9 Http_Response_Status="200" Flow_Dst_Service="tcp/80" Flow_Bytes_Sent="519" Flow_Bytes_Received="352" Event_Type="0" Count="1" Flow_DstIp="54.241.20.38" Flow_SrcIp="1.2.3.32" Url_Category_Name="Business and Industry" Flow_Bytes="871" Web_Reputation_Threat_Type="" Avc_Tag_Name="" Ev_SrcLabel="CX-CX" Response_Magic_Type="image/gif" Event_Type_Name="HTTP Complete" User_Realm="1.2.3.32" Policy_Name="Implicit Allow" Flow_Transaction_Id="4" Url="http://nexus.ensighten.com/error/e.gif?msg=Unable%20to%20get%20property%20'onmousedown'%20of%20undefined%20or%20null%20reference&lnn=-1&fn=&cid=1017&client=MSFTsupport&publishPath=prod&rid=602489&did=255875&errorName=TypeError" Identity_Source_Name="None" Auth_Policy_Name="Default" Flow_SrcIfc="inside" Flow_ConnId="28362166" Flow_DstHostName="nexus.ensighten.com" Flow_Transaction_Count="1" Ev_Id="1276022" Web_Reputation_Score="0.5" Event_Type_Action="Info" Ev_GenTime="1422484014848" Flow_DstPort=
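As an added example, not part of Brent's post or of OSSEC itself, here is a small Python parser for the CiscoNGFW message format shown above. It splits the RFC 5424-style header from the ngfwEvent key="value" data, flags a message that the 1024-byte syslog limit cut off (dropping the unterminated last value instead of trusting it), and pulls out the same fields the cisco-cxalert / cisco-cxalert2 decoders extract. The sample message is a constructed, shortened copy of the Flow Denied line; the function names are mine.

```python
import re

# Constructed sample: the head of the "Flow Denied" message, cut off mid-value
# the way the 1024-byte syslog limit truncates the real ones.
SAMPLE_DENY = (
    '1 2015-02-02T23:09:03.733Z 1.1.1.23 CiscoNGFW 2827 6 [ngfwEvent@9 '
    'Flow_Dst_Service="tcp/80" Flow_DstIp="162.255.119.254" Flow_SrcIp="1.2.3.32" '
    'Url_Category_Name="Uncategorized" Web_Reputation_Threat_Type="Related to Phishing" '
    'Event_Type_Name="HTTP Deny" User_Realm="1.2.3.32" '
    'Url="http://image2.seethenewscan-updates.us/" Avc_App_Type="Infrastruct'
)

# RFC 5424-style header: VERSION TIMESTAMP HOST APP-NAME PROCID MSGID [SD-ID ...
HEADER = re.compile(
    r'^(?P<ver>\d) (?P<ts>\S+) (?P<host>\S+) CiscoNGFW (?P<procid>\d+) '
    r'(?P<msgid>\d+) \[ngfwEvent@9 (?P<sd>.*)$'
)
# key="value" pairs; the closing quote is optional so a value cut off by
# truncation is still found, then flagged as partial instead of trusted.
KV = re.compile(r'(\w+)="([^"]*)"?')

def parse_ngfw_event(line: str) -> dict:
    """Split one CiscoNGFW/PRSM message into header fields and SD params."""
    m = HEADER.match(line)
    if not m:
        raise ValueError("not a CiscoNGFW structured-data message")
    sd = m.group("sd")
    event = {k: m.group(k) for k in ("ts", "host", "procid", "msgid")}
    event["fields"], event["partial"] = {}, []
    for kv in KV.finditer(sd):
        if kv.group(0).endswith('"'):
            event["fields"][kv.group(1)] = kv.group(2)
        else:  # unterminated value at the end of a truncated message
            event["partial"].append(kv.group(1))
    event["truncated"] = not sd.rstrip().endswith("]")  # a whole message ends in ]
    return event

def decode_like_ossec(event: dict) -> dict:
    """Extract the same fields the cisco-cxalert / cisco-cxalert2 decoders do."""
    f = event["fields"]
    out = {  # MSGID 1-5 routes to cisco-cxalert, 6 and up to cisco-cxalert2
        "decoder": "cisco-cxalert" if int(event["msgid"]) <= 5 else "cisco-cxalert2",
        "srcip": f.get("Flow_SrcIp"), "dstip": f.get("Flow_DstIp"),
        "extra_data": f.get("Url_Category_Name"), "url": f.get("Url"),
        "status": f.get("Web_Reputation_Threat_Type"), "user": f.get("User_Realm"),
        "action": f.get("Event_Type_Name"),
    }
    # Rule 100211 keys on "Deny"; Event_Type_Name precedes Url=, so it survives a long URL
    out["denied"] = "Deny" in (out["action"] or "")
    return out
```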

dan (ddp)

Feb 3, 2015, 10:54:48 AM
to ossec...@googlegroups.com
On Tue, Feb 3, 2015 at 8:44 AM, Brent Morris <brent....@gmail.com> wrote:
> Greetings all.
>
> Would it be better to submit a pull request on github to get these included
> in the next release of OSSEC? I'm not github aware... never used it other
> than to download stuff.
>

Submitting a pull request is the best way to get these included. I can
do it if you really need me to.
The basic process is:
create an account/login to your account
Fork the ossec-hids project
Clone your repo on your local system
Apply your changes
`git add` changed files
`git commit` and add a useful commit message
`git push` your changes to your repository
Go to https://github.com/ossec/ossec-hids and click the new link at
the top asking if you want to compare changes/submit a pull request.

Brent Morris

Feb 3, 2015, 11:44:54 AM
to ossec...@googlegroups.com
Thanks Dan.  I'll give it a whirl on github and see how it goes.  I appreciate your task list to get started!

-Brent

Brent Morris

Mar 10, 2015, 4:20:26 PM
to ossec...@googlegroups.com
Well... I think it worked. I stumbled my way through Git but managed to push my changes back to the project.

I chose some rule id numbers close to the Cisco VPN concentrator - it looked like there was a gap in numbers in that rule section to the next.

I can also submit the decodes for the on-prem Microsoft Azure 2FA if that would help (I posted earlier on this).

Thanks for your help!


Christian Beer

Mar 10, 2015, 4:29:51 PM
to ossec...@googlegroups.com
Here is the commit:
https://github.com/score1more4me/ossec-hids/commit/ed45c6fc6fe02a9016e1e709f17a1960fcf42c40

It's not a pull request yet.

Regards
Christian

Brent Morris

Mar 10, 2015, 5:55:43 PM
to ossec...@googlegroups.com
Thanks for the tip.  I submitted it as a pull request...

-Brent