Problem with Juniper NetScreen decoder


James Glaves

Feb 11, 2016, 5:37:06 AM
to Wazuh mailing list
Hi,
I'm new to Wazuh and have just installed a fresh build of OSSEC + Wazuh + ELK to put it through its paces. I've hit a hurdle pretty much straight away after adding my Juniper ISG firewall via syslog. I'm hoping someone can help.

I've added:

 <remote>
    <connection>syslog</connection>
    <allowed-ips>10.0.0.0/8</allowed-ips>
    <allowed-ips>172.16.0.0/19</allowed-ips>
    <allowed-ips>192.168.0.0/24</allowed-ips>
 </remote>

and

<logall>yes</logall>

To /var/ossec/etc/ossec.conf

I'm seeing messages from my firewall in tcpdump:

[FW_HOSTNAME]: NetScreen device_id=[FW_HOSTNAME]  [Root]system-warning-00518: Admin user "test" login attempt for Web(https) management (port 11111) from 172.16.1.1:24557 failed. (2016-02-11 10:07:45)

and I also see the messages hitting /var/ossec/logs/archives/archives.log

2016 Feb 11 10:07:59 [OSSEC_HOSTNAME]->[FW_IP] [FW_HOSTNAME]: NetScreen device_id=[FW_HOSTNAME]  [Root]system-warning-00518: Admin user "test" login attempt for Web(https) management (port 11111) from 172.16.1.1:24562 failed. (2016-02-11 10:09:06)

But, none of the events appear to be getting decoded as netscreenfw. They are just hitting the general syslog rules (see below screenshot from Kibana).

I've put both examples above through ossec-logtest, and it confirms "No decoder matched". 

I've found an example log line of a NetScreen device from someone else online that is different to mine in two ways:

1. The Date Format (could be related to my region being UK?)
2. The missing "[OSSEC_HOSTNAME]->" e.g. "ossec->"

Aug 15 10:30:14 [FW_IP] [FW_HOSTNAME]: NetScreen device_id=[FW_HOSTNAME] [Root]system-warning-00518: Admin user "userid" login attempt for Web(http) management (port 20480) from 1.1.1.1:22560 failed. (2012-08-15 11:33:36)

That format appears to match the decoder. But my logs don't come through like that! Is the netscreenfw decoder out-of-date, or am I missing something else?

I'm not sure if this question is better placed in the OSSEC forums, as I guess it isn't a Wazuh issue - but if anyone can steer me in the right direction, I'd appreciate it.

Thanks,
jjrbg


Jesus Linares

Feb 11, 2016, 8:41:47 AM
to Wazuh mailing list
Hi James,

Your log is: 2016 Feb 11 10:07:59 [OSSEC_HOSTNAME]->[FW_IP] [FW_HOSTNAME]: NetScreen device_id=[FW_HOSTNAME] [Root]system-warning-00518: Admin user "test" login attempt for Web(https) management (port 11111) from 172.16.1.1:24562 failed. (2016-02-11 10:09:06)

We can test it without the header (blue part) and populating the fields (FW_IP, FW_HOSTNAME):
10.10.10.10 james_host: NetScreen device_id=[FW_HOSTNAME] [Root]system-warning-00518: Admin user "test" login attempt for Web(https) management (port 11111) from 172.16.1.1:24562 failed. (2016-02-11 10:09:06)

Phase 1: Completed pre-decoding.
full event: '10.10.10.10 james_host: NetScreen device_id=[FW_HOSTNAME] [Root]system-warning-00518: Admin user "test" login attempt for Web(https) management (port 11111) from 172.16.1.1:24562 failed. (2016-02-11 10:09:06)'
hostname: 'LinMV'
program_name: '(null)'
log: '10.10.10.10 james_host: NetScreen device_id=[FW_HOSTNAME] [Root]system-warning-00518: Admin user "test" login attempt for Web(https) management (port 11111) from 172.16.1.1:24562 failed. (2016-02-11 10:09:06)'

Phase 2: Completed decoding.
No decoder matched.

As you can see, the program_name is null, however the decoder expects a program name:
<decoder name="netscreenfw">
  <program_name />
  <prematch>^NetScreen device_id</prematch>
</decoder>

Let's try with your log but adding a timestamp: Mar 16 15:27:56 10.10.10.10 james_host: NetScreen device_id=[FW_HOSTNAME] [Root]system-warning-00518: Admin user "test" login attempt for Web(https) management (port 11111) from 172.16.1.1:24562 failed. (2016-02-11 10:09:06)

Phase 1: Completed pre-decoding.
full event: 'Mar 16 15:27:56 10.10.10.10 james_host: NetScreen device_id=[FW_HOSTNAME] [Root]system-warning-00518: Admin user "test" login attempt for Web(https) management (port 11111) from 172.16.1.1:24562 failed. (2016-02-11 10:09:06)'
hostname: '10.10.10.10'
program_name: 'james_host'
log: 'NetScreen device_id=[FW_HOSTNAME] [Root]system-warning-00518: Admin user "test" login attempt for Web(https) management (port 11111) from 172.16.1.1:24562 failed. (2016-02-11 10:09:06)'

Phase 2: Completed decoding.
decoder: 'netscreenfw'
action: 'warning'
id: '00518'

Now that the log has a program_name, there is no problem. So, the first solution would be for syslog to write the timestamp. Is that possible?



Another solution could be to change the netscreen decoder:

<decoder name="netscreenfw">
  <prematch>^\S+ \S+: NetScreen device_id</prematch>
</decoder>

Now it matches only your log (logs without a program_name):

Phase 1: Completed pre-decoding.
full event: '10.10.10.10 james_host: NetScreen device_id=[FW_HOSTNAME] [Root]system-warning-00518: Admin user "test" login attempt for Web(https) management (port 11111) from 172.16.1.1:24562 failed. (2016-02-11 10:09:06)'
hostname: 'LinMV'
program_name: '(null)'
log: '10.10.10.10 james_host: NetScreen device_id=[FW_HOSTNAME] [Root]system-warning-00518: Admin user "test" login attempt for Web(https) management (port 11111) from 172.16.1.1:24562 failed. (2016-02-11 10:09:06)'

Phase 2: Completed decoding.
decoder: 'netscreenfw'
action: 'warning'
id: '00518'


Regards.
Jesus Linares.

James Glaves

Feb 11, 2016, 10:54:07 AM
to Wazuh mailing list
Hi Jesus,
Thanks for your prompt and very detailed response.

I saw the reference to "program_name" in the decoder.xml file, but wasn't quite clear on what it does or how it works. To me it sounded more relevant for logs generated by a Linux host where the name of the process was included in the log. What exactly is <program_name /> telling the netscreenfw decoder to expect? Something before "prematch" which it will populate into program_name?

I have checked the syslog configuration on the ISG NetScreen firewall, and can see no reason why it wouldn't be including a timestamp. Potentially Juniper changed the format of the syslog messages in a software update, but from what I understand it should conform to an RFC which requires a timestamp. I'm lost as to why my Juniper firewall isn't sending logs in the standard format!

So it sounds like my only option is to amend the decoder - if I change decoder.xml, will that be overwritten by any subsequent OSSEC or Wazuh updates? Is there a way I can have my "fixed" netscreenfw decoder in local_decoder.xml overriding the builtin decoder?

Thanks again for your help.

jjrbg

Jesus Linares

Feb 11, 2016, 3:38:00 PM
to Wazuh mailing list
Hi,

Well, I haven't seen a reference to <program_name /> in the OSSEC documentation. It is hardly used, if you look at the files:

grep -R -P "<program_name\s*/>" /var/ossec/etc/ossec_decoders/
/var/ossec/etc/ossec_decoders/cisco-ios_decoders.xml:  <program_name />
/var/ossec/etc/ossec_decoders/netscreen_decoders.xml:  <program_name />

I think <program_name /> expects a program_name, no matter what. Why do you need it? Example:

<decoder name="netscreenfw">
  <prematch>NetScreen device_id</prematch>
</decoder>


Jan  1 10:02:11 xx ns5gt: NetScreen device_id=ns5gt  Text


**Phase 1: Completed pre-decoding.
       full event: 'Jan  1 10:02:11 xx ns5gt: NetScreen device_id=ns5gt  Text'
       hostname: 'xx'
       program_name: 'ns5gt'
       log: 'NetScreen device_id=ns5gt  Text'

**Phase 2: Completed decoding.
       No decoder matched.

This decoder doesn't match because if an event has a program_name you must use the program_name tag instead of prematch. You don't know what the program_name is, so you use <program_name />.

Now, let's try with a log without program_name:
NetScreen device_id=ns5gt  Text


**Phase 1: Completed pre-decoding.
       full event: 'NetScreen device_id=ns5gt  Text'
       hostname: 'LinMV'
       program_name: '(null)'
       log: 'NetScreen device_id=ns5gt  Text'

**Phase 2: Completed decoding.
       decoder: 'netscreenfw'

It matches because the program_name is (null), so it applies the prematch tag.

You have to choose between using program_name or prematch depending on whether the event is predecoded with a program_name. At least, that is my experience. I have to check the code.

But I found the solution:

<decoder name="netscreenfw">
  <prematch>^\S+ \S+: NetScreen device_id</prematch>
</decoder>

<decoder name="netscreenfw">
  <program_name />
  <prematch>^NetScreen device_id</prematch>
</decoder>


Jan  1 10:02:11 xx ns5gt: NetScreen device_id=ns5gt  Text




**Phase 1: Completed pre-decoding.
       full event: 'Jan  1 10:02:11 xx ns5gt: NetScreen device_id=ns5gt  Text'
       hostname: 'xx'
       program_name: 'ns5gt'
       log: 'NetScreen device_id=ns5gt  Text'

**Phase 2: Completed decoding.
       decoder: 'netscreenfw'


10.10.10.10 james_host: NetScreen device_id=[FW_HOSTNAME] [Root]system-warning-00518: Admin user "test" login attempt for Web(https) management (port 11111) from 172.16.1.1:24562 failed. (2016-02-11 10:09:06)




**Phase 1: Completed pre-decoding.
       full event: '10.10.10.10 james_host: NetScreen device_id=[FW_HOSTNAME] [Root]system-warning-00518: Admin user "test" login attempt for Web(https) management (port 11111) from 172.16.1.1:24562 failed. (2016-02-11 10:09:06)'
       hostname: 'LinMV'
       program_name: '(null)'
       log: '10.10.10.10 james_host: NetScreen device_id=[FW_HOSTNAME] [Root]system-warning-00518: Admin user "test" login attempt for Web(https) management (port 11111) from 172.16.1.1:24562 failed. (2016-02-11 10:09:06)'

**Phase 2: Completed decoding.
       decoder: 'netscreenfw'
       action: 'warning'
       id: '00518'



Copy the last decoders and tell me if it works. I will update it in OSSEC Wazuh, so don't worry about the updates. Anyway, you could use local_decoder.xml.

Regarding the juniper logs with timestamp, I'll take a look.

Regards.
Jesus Linares.

James Glaves

Feb 15, 2016, 4:39:08 AM
to Wazuh mailing list
Hi Jesus,
Sorry for the delay in getting back to you. I've got it working now - but with a small change to your suggested decoder prematch. You had said the blue part was the header...

2016 Feb 11 10:07:59 [OSSEC_HOSTNAME]->[FW_IP] [FW_HOSTNAME]: NetScreen device_id=[FW_HOSTNAME] [Root]system-warning-00518: Admin user "test" login attempt for Web(https) management (port 11111) from 172.16.1.1:24562 failed. (2016-02-11 10:09:06)

But is the source IP of the syslog message also actually part of the header? Example:

2016 Feb 11 10:07:59 [OSSEC_HOSTNAME]->[FW_IP] [FW_HOSTNAME]: NetScreen device_id=[FW_HOSTNAME] [Root]system-warning-00518: Admin user "test" login attempt for Web(https) management (port 11111) from 172.16.1.1:24562 failed. (2016-02-11 10:09:06)

Because the decoder which worked for me, and correctly started hitting netscreen rules, was:

<decoder name="netscreenfw">
  <prematch>^\S+: NetScreen device_id</prematch>
</decoder>

Thanks very much for your help - I am very pleased to report it is now working.

James
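The mechanics the two of us have been circling in this thread (pre-decoding into hostname / program_name / log, the fact that a decoder with <program_name /> is only tried against events that have a program_name, and why "^\S+: NetScreen device_id" matches my firewall's events while "^\S+ \S+: NetScreen device_id" does not) can be reproduced in a small script. The following is an added example, not code from the original posts and not OSSEC's or Wazuh's own implementation: it approximates what ossec-logtest printed above. The manager hostname "LinMV", the firewall name "fw01", the IPs and the three sample events are constructed, and OSSEC's OS_Regex patterns are written as Python re, which is equivalent for these simple patterns.

```python
"""Emulation of OSSEC/Wazuh syslog pre-decoding and decoder selection.

Added example, not OSSEC's code: it reproduces the behaviour the ossec-logtest
output in this thread shows.  An event that starts with a syslog timestamp is
split into hostname / program_name / log; an event without one keeps the
manager's hostname, has no program_name, and becomes the log as a whole.
Decoders that declare <program_name /> are only tried against events that
have a program_name, and decoders without it only against events that do not.
Hostnames, IPs and events below are constructed.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

MANAGER_HOSTNAME = "LinMV"  # hostname logtest reported with no header present (assumed)

# Syslog header such as "Feb 11 10:07:59 " or "Jan  1 10:02:11 "
SYSLOG_TS = re.compile(r"^[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2} ")


@dataclass
class PreDecoded:
    hostname: str
    program_name: Optional[str]
    log: str


def predecode(event: str) -> PreDecoded:
    """Phase 1: split a raw syslog event the way ossec-logtest shows it."""
    m = SYSLOG_TS.match(event)
    if not m:
        # No timestamp: nothing is stripped and the manager's own hostname is used
        return PreDecoded(MANAGER_HOSTNAME, None, event)
    rest = event[m.end():]
    hostname, _, rest = rest.partition(" ")
    head, sep, tail = rest.partition(":")
    # program_name is the token before the first ':' when it contains no space;
    # a trailing "[pid]" is dropped, as in "sshd[1234]:"
    if sep and head and " " not in head:
        return PreDecoded(hostname, re.sub(r"\[\d+\]$", "", head), tail.lstrip())
    return PreDecoded(hostname, None, rest)


@dataclass
class Decoder:
    name: str
    prematch: str                      # OSSEC OS_Regex; Python re is equivalent here
    needs_program_name: bool = False   # True when the XML carries <program_name />


def match_decoder(pd: PreDecoded, decoders: List[Decoder]) -> Optional[str]:
    """Phase 2: only the decoder list matching the event's program_name state is tried."""
    for d in decoders:
        if (pd.program_name is not None) != d.needs_program_name:
            continue
        if re.search(d.prematch, pd.log):
            return d.name
    return None


def decode(event: str, decoders: List[Decoder]) -> dict:
    """Run both phases and, for netscreenfw, extract action and id as the ruleset does."""
    pd = predecode(event)
    name = match_decoder(pd, decoders)
    out = {"hostname": pd.hostname, "program_name": pd.program_name, "decoder": name}
    if name == "netscreenfw":
        # Approximation of the child decoder's field extraction
        m = re.search(r"system-(\w+)-(\d+):", pd.log)
        if m:
            out["action"], out["id"] = m.group(1), m.group(2)
    return out


# Stock decoder, the first proposed addition and the addition that worked
STOCK = [Decoder("netscreenfw", r"^NetScreen device_id", needs_program_name=True)]
JESUS_FIX = STOCK + [Decoder("netscreenfw", r"^\S+ \S+: NetScreen device_id")]
JAMES_FIX = STOCK + [Decoder("netscreenfw", r"^\S+: NetScreen device_id")]

# Constructed sample events (thread placeholders filled with dummy values)
TAIL = ('[Root]system-warning-00518: Admin user "test" login attempt for '
        'Web(https) management (port 11111) from 172.16.1.1:24562 failed. '
        '(2016-02-11 10:09:06)')
STANDARD = "Aug 15 10:30:14 10.0.0.1 ns5gt: NetScreen device_id=ns5gt " + TAIL
JAMES_RAW = "fw01: NetScreen device_id=fw01 " + TAIL       # payload as seen in tcpdump
JESUS_GUESS = "10.10.10.10 james_host: NetScreen device_id=fw01 " + TAIL


if __name__ == "__main__":
    events = [("standard", STANDARD), ("james_raw", JAMES_RAW), ("jesus_guess", JESUS_GUESS)]
    lists = [("stock", STOCK), ("jesus_fix", JESUS_FIX), ("james_fix", JAMES_FIX)]
    for label, ev in events:
        for dl_name, dl in lists:
            print(f"{label:12} {dl_name:10} -> {decode(ev, dl)}")
```

Running the script shows the three cases side by side: the timestamped event gets a program_name and matches the stock decoder on every list; the ISG's raw payload ("fw01: NetScreen ...") has no program_name, so it never reaches the stock decoder and only the "^\S+: " prematch catches it; the guessed "IP hostname: ..." form is what the "^\S+ \S+: " prematch was written for and is not what the firewall actually sends.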


Jesus Linares

Feb 15, 2016, 2:13:31 PM
to Wazuh mailing list
Hi,

I took a look at the code (function OS_STORE) and you are right.

Also, you can use custom rsyslog templates (rsyslog.conf) to reproduce the default syslog format using variables such as %fromhost-ip%, %hostname%, %msg%, etc. I guess this is more complex.

Thanks for the information! It will be updated in the wazuh ruleset.

Regards.