[ossec-dev] [Bug 60] New: Checkpoint decoder draft
http://www.ossec.net/bugs/show_bug.cgi?id=60
Summary: Checkpoint decoder draft
Product: OSSEC
Version: 1.4
Platform: All
OS/Version: All
Status: NEW
Severity: enhancement
Priority: P3
Component: Signatures
AssignedTo: ossec-dev@xxxxxxxxx
ReportedBy: dcid@xxxxxxxxx
*anyone else using checkpoint?
From Dean Takemori:
When the Checkpoint firewall product is run on top
of Linux, you can set up syslog logging from the OS
level. Unfortunately the exact logfile format varies
slightly depending on the configuration used. The
following decoder is thus set up for my configuration
and is incompatible with the -g log flag and requires
the "Checkpoint" tag to work. Again, probably not
the cleanest way to code it, but it's working for me.
<!-- Checkpoint via syslog decoder.
-
- Does not currently handle ICMP
-
- Checkpoint NG(X)/FW-1 logs via (Linux) syslog
-
- Ex. fw log -ftnp fw.log | logger -t Checkpoint
-
- fw log :
- -f select current log file
- -t tail file
- -n use ip instead of name
- -p use port number instead of name
-
- -l add date before timestamp
- Use of -l changes log format slightly
-
- -g without : and ; delimiters
- use of -g significantly changes log format
- this decoder is incompatible with -g
-
- logger :
- -t <tag> prepends "tag: " to log entry
- the tag here must match "program name" in the decoder
-
- Examples:
-
- Checkpoint: 21Aug2007 12:00:00 accept 10.10.10.2 >eth0 rule: 100; rule_uid: {00000000-0000-0000-0000-000000000000}; service_id: nbdatagram; src: 10.10.10.3; dst: 10.10.10.255; proto: udp; product: VPN-1 & FireWall-1; service: 138; s_port: 138;
-
- Checkpoint: 13:00:00 accept 10.10.10.2 >eth0 rule: 101; rule_uid: {00000000-0000-0000-0000-000000000000}; service_id: http; src: 10.10.10.3; dst: 10.1.2.3; proto: tcp; product: VPN-1 & FireWall-1; service: 80; s_port: 1111;
-
- Checkpoint: 21Aug2007 14:49:26 drop 10.10.10.1 >eth4 rule: 102; rule_uid: {00000000-0000-0000-0000-000000000000}; ICMP: Echo Request; src: 10.10.10.2; dst: 10.10.10.3; proto: icmp; ICMP Type: 8; ICMP Code: 0; product: VPN-1 & FireWall-1;
-->
<decoder name="cp-syslog">
<program_name>^Checkpoint</program_name>
</decoder>
<decoder name="cp-syslog-tcp">
<parent>cp-syslog</parent>
<type>firewall</type>
<prematch>^\.+ \S+ \d+.\d+.\d+.\d+ >\S+ rule:</prematch>
<regex>^\.+ (\S+) (\d+.\d+.\d+.\d+ >\S+ rule: \.+);</regex>
<regex>\.+src: (\d+.\d+.\d+.\d+); dst: (\d+.\d+.\d+.\d+); proto: (\S+);</regex>
<regex>\.+service: (\d+); s_port: (\d+);</regex>
<order>action,extra_data,srcip,dstip,protocol,dstport,srcport</order>
</decoder>
--
Configure bugmail: http://www.ossec.net/bugs/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.
OSSEC project: www.ossec.net.
Mailing list information: http://www.ossec.net/en/mailing_lists.html.