PIX Decoder - Syslog - certain rules not working


Philip Robson

Jan 24, 2018, 4:19:10 AM
to Wazuh mailing list
Hi,

I have installed Wazuh 3.1 and ELK from the guide on separate servers.

So far I have one 2016 system set up as an agent and one of my Cisco firewalls (ASA) sending syslog to the Wazuh manager. I modified the OSSEC file to allow the IP range, and the logs are coming in.

I have events being logged and alerts appearing for generic Cisco logs of a warning level with nothing specific within the PIX rule or decoder. However, I decided to test failed login attempts and nothing was logged.
I enabled the log-all option and checked the archive; the event is logged in the archive but not as an alert.

Using the ossec test, it seems the event is being flagged as PIX Generic level 0 and dropped. The issue is that this syslog event is within the PIX decoder and PIX rule.

The test event is - Jan 23 2018 15:15:26: %ASA-6-605004: Login denied from 11.x.x.x/54447 to Workstations:11.x.x.x/ssh for user "*****"

These are the built in rules, any suggestions?

The decoder:

<decoder name="pix">
  <prematch>^%PIX-|^\w\w\w \d\d \d\d\d\d \d\d:\d\d:\d\d: %PIX-|</prematch>
  <prematch>^%ASA-|^\w\w\w \d\d \d\d\d\d \d\d:\d\d:\d\d: %ASA-|</prematch>
  <prematch>^%FWSM-|^\w\w\w \d\d \d\d\d\d \d\d:\d\d:\d\d: %FWSM-</prematch>
</decoder>


<decoder name="pix-srcip-port">
  <parent>pix</parent>
  <prematch offset="after_parent">^6-605004|^6-605005</prematch>
  <regex offset="after_parent">^(\S+): Login (\S+) from (\S+)/(\d+) \.+user "(\w+)"</regex>
  <order>id, action, srcip, srcport, user</order>
</decoder>

Rule:
<rule id="4321" level="9">
  <if_sid>4314</if_sid>
  <id>^6-605004</id>
  <description>PIX: Failed login attempt.</description>
  <group>authentication_failed,pci_dss_10.2.4,pci_dss_10.2.5,gpg13_7.8,</group>
</rule>


**Phase 1: Completed pre-decoding.
       full event: 'Jan 23 2018 15:15:26: %ASA-6-605004: Login denied from 11.x.x.x/54447 to Workstations:11.x.x.x/ssh for user "*****"'
       timestamp: '(null)'
       hostname: 'Wazah'
       program_name: '(null)'
       log: 'Jan 23 2018 15:15:26: %ASA-6-605004: Login denied from 11.x.x.x/54447 to Workstations:11.x.x.x/ssh for user "*****"'

**Phase 2: Completed decoding.
       decoder: 'pix'

**Rule debugging:
    Trying rule: 1 - Generic template for all syslog rules.
       *Rule 1 matched.
       *Trying child rules.
    Trying rule: 600 - Active Response Messages Grouped
    Trying rule: 200 - Grouping of wazuh rules.
    Trying rule: 2100 - NFS rules grouped.
    Trying rule: 2507 - OpenLDAP group.
    Trying rule: 2550 - rshd messages grouped.
    Trying rule: 2701 - Ignoring procmail messages.
    Trying rule: 2800 - Pre-match rule for smartd.
    Trying rule: 5100 - Pre-match rule for kernel messages
    Trying rule: 5200 - Ignoring hpiod for producing useless logs.
    Trying rule: 2830 - Crontab rule group.
    Trying rule: 5300 - Initial grouping for su messages.
    Trying rule: 5905 - useradd failed.
    Trying rule: 5400 - Initial group for sudo messages
    Trying rule: 9100 - PPTPD messages grouped
    Trying rule: 9200 - Squid syslog messages grouped
    Trying rule: 2900 - Dpkg (Debian Package) log.
    Trying rule: 2930 - Yum logs.
    Trying rule: 2931 - Yum logs.
    Trying rule: 2940 - NetworkManager grouping.
    Trying rule: 2943 - nouveau driver grouping
    Trying rule: 3100 - Grouping of the sendmail rules.
    Trying rule: 3190 - Grouping of the smf-sav sendmail milter rules.
    Trying rule: 3300 - Grouping of the postfix reject rules.
    Trying rule: 3320 - Grouping of the postfix rules.
    Trying rule: 3390 - Grouping of the clamsmtpd rules.
    Trying rule: 3395 - Grouping of the postfix warning rules.
    Trying rule: 3500 - Grouping for the spamd rules
    Trying rule: 3600 - Grouping of the imapd rules.
    Trying rule: 3700 - Grouping of mailscanner rules.
    Trying rule: 3800 - Grouping of Exchange rules.
    Trying rule: 3900 - Grouping for the courier rules.
    Trying rule: 4300 - Grouping of PIX rules
       *Rule 4300 matched.
       *Trying child rules.
    Trying rule: 4314 - PIX notification/informational message.
    Trying rule: 4315 - PIX debug message.
    Trying rule: 4310 - PIX alert message.
    Trying rule: 4311 - PIX critical message.
    Trying rule: 4312 - PIX error message.
    Trying rule: 4313 - PIX warning message.

**Phase 3: Completed filtering (rules).
       Rule id: '4300'
       Level: '0'
       Description: 'Grouping of PIX rules'

Javier Izquierdo Vera

Feb 2, 2018, 7:51:57 AM
to Wazuh mailing list
Hi Philip,

I'm Javier, an engineer at Wazuh, and I will help you with your issue.

Your problem is located in the decoder "pix-srcip-port".

<decoder name="pix-srcip-port">
  <parent>pix</parent>
  <prematch offset="after_parent">^6-605004|^6-605005</prematch>
  <regex offset="after_parent">^(\S+): Login (\S+) from (\S+)/(\d+) \.+user "(\w+)"</regex>
  <order>id, action, srcip, srcport, user</order>
</decoder>

The regular expression is only looking for users with "A-Z, a-z, 0-9, '-', '@' characters" ("(\w+)") but your user is "*****". If you put "\S" instead of "\w" it works properly.

<decoder name="pix-srcip-port">
  <parent>pix</parent>
  <prematch offset="after_parent">^6-605004|^6-605005</prematch>
  <regex offset="after_parent">^(\S+): Login (\S+) from (\S+)/(\d+) \.+user "(\S+)"</regex>
  <order>id, action, srcip, srcport, user</order>
</decoder>


ossec-testrule: Type one log per line.

Jan 23 2018 15:15:26: %ASA-6-605004: Login denied from 11.x.x.x/54447 to Workstations:11.x.x.x/ssh for user "*****"'


**Phase 1: Completed pre-decoding.
       full event: 'Jan 23 2018 15:15:26: %ASA-6-605004: Login denied from 11.x.x.x/54447 to Workstations:11.x.x.x/ssh for user "*****"''
       timestamp: '(null)'
       hostname: 'manager'
       program_name: '(null)'
       log: 'Jan 23 2018 15:15:26: %ASA-6-605004: Login denied from 11.x.x.x/54447 to Workstations:11.x.x.x/ssh for user "*****"''

**Phase 2: Completed decoding.
       decoder: 'pix'
       id: '6-605004'
       action: 'denied'
       srcip: '11.x.x.x'
       srcport: '54447'
       dstuser: '*****'

**Phase 3: Completed filtering (rules).
       Rule id: '4321'
       Level: '9'
       Description: 'PIX: Failed login attempt.'
**Alert to be generated.


You can learn about how to make a custom regular expression reading this article on the documentation: https://documentation.wazuh.com/current/user-manual/ruleset/ruleset-xml-syntax/regex.html


If I can do something else, I'll be happy to help you.
Best regards!
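Added example (not code from this thread or from the Wazuh project): a small Python harness that translates the OSSEC/Wazuh decoder regex dialect into Python `re` (the character-class table is assumed from the Wazuh regex documentation) and runs the thread's sample ASA event through the original and the corrected `pix-srcip-port` regex, reproducing the miss on user "*****" and the successful decode once `\w` becomes `\S`.

```python
import re
from typing import Optional

# Character classes of the OSSEC/Wazuh regex dialect (assumed subset; '\.' = anything).
OSSEC_CLASSES = {
    "w": r"[A-Za-z0-9@\-]",   # \w: A-Z, a-z, 0-9, '-', '@'  -> never matches '*'
    "d": r"[0-9]",
    "s": r" ",
    "S": r"[^ ]",             # \S: anything except a space -> matches "*****"
    ".": r".",
}

def ossec_to_python(pattern: str) -> str:
    """Translate an OSSEC decoder regex into an equivalent Python re pattern."""
    out, i = [], 0
    while i < len(pattern):
        ch = pattern[i]
        if ch == "\\" and i + 1 < len(pattern):      # \w, \S, \d, \. ...
            out.append(OSSEC_CLASSES.get(pattern[i + 1], re.escape(pattern[i + 1])))
            i += 2
        elif ch in "()+*?|^$":                        # operators keep their meaning
            out.append(ch)
            i += 1
        else:                                         # everything else is literal
            out.append(re.escape(ch))
            i += 1
    return "".join(out)

# Patterns taken from the thread: the "pix" parent prematch (ASA branch) and the
# child regex before and after the \w -> \S change in the user group.
PIX_PREMATCH = r"^%ASA-|^\w\w\w \d\d \d\d\d\d \d\d:\d\d:\d\d: %ASA-"
ORIG_REGEX = r'^(\S+): Login (\S+) from (\S+)/(\d+) \.+user "(\w+)"'
FIXED_REGEX = r'^(\S+): Login (\S+) from (\S+)/(\d+) \.+user "(\S+)"'
ORDER = ["id", "action", "srcip", "srcport", "user"]
SAMPLE_EVENT = ('Jan 23 2018 15:15:26: %ASA-6-605004: Login denied from '
                '11.x.x.x/54447 to Workstations:11.x.x.x/ssh for user "*****"')

def decode(log: str, child_regex: str) -> Optional[dict]:
    """Emulate the parent prematch plus a child regex with offset="after_parent"."""
    parent = re.match(ossec_to_python(PIX_PREMATCH), log)
    if not parent:
        return None
    rest = log[parent.end():]          # text handed to the child decoder
    m = re.match(ossec_to_python(child_regex), rest)
    return dict(zip(ORDER, m.groups())) if m else None

if __name__ == "__main__":
    for name, rx in (("original", ORIG_REGEX), ("fixed", FIXED_REGEX)):
        print(f"{name:8s} -> {decode(SAMPLE_EVENT, rx)}")
```

The authoritative check remains the manager's own ossec-logtest output shown in the thread; this harness only makes the character-class difference visible offline.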