
[ossec-dev] [Bug 61] New: Shorewall decoder



http://www.ossec.net/bugs/show_bug.cgi?id=61

           Summary: Shorewall decoder
           Product: OSSEC
           Version: 1.4
          Platform: All
        OS/Version: All
            Status: NEW
          Severity: enhancement
          Priority: P3
         Component: Signatures
        AssignedTo: ossec-dev@xxxxxxxxx
        ReportedBy: dcid@xxxxxxxxx


from: Dean Takemori

The first one is an iptables variant.  The iptables configuration
generated by shorewall (http://www.shorewall.net/) has a slightly
different beginning than raw iptables logging and isn't matched
by OSSEC 1.3 and looks like this:

Shorewall:zz2qq:REJECT:IN= OUT=eth0 SRC=10.0.0.2 DST=10.0.0.1 LEN=60 TOS=0x10
PREC=0x00 TTL=64 ID=1111 DF PROTO=TCP SPT=ZZ DPT=XX WINDOW=5840 RES=0x00 SYN
URGP=0

I'm sure there's a cleaner way to integrate into the existing
iptables decoders, but I'm successfully using the following
right now:


<decoder name="shorewall">
   <parent>iptables</parent>
   <type>firewall</type>
   <!-- Shorewall prefixes the kernel line with "Shorewall:<chain>:<action>:" -->
   <prematch>^Shorewall:\S+:\S+:IN=</prematch>

   <!-- "\." is the OSSEC wildcard; consecutive <regex> lines are concatenated -->
   <regex>^Shorewall:(\S+):(\S+):IN=\.+ SRC=(\S+) DST=(\S+)</regex>
   <regex> \.+ PROTO=(\w+) SPT=(\d+) DPT=(\d+) </regex>
   <!-- one field name per capture group, in order -->
   <order>extra_data,action,srcip,dstip,protocol,srcport,dstport</order>
</decoder>


-- 
Configure bugmail: http://www.ossec.net/bugs/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.
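As an added illustration (not part of the bug report or of OSSEC's own code), the following Python reimplements the posted decoder's prematch, concatenated regex and field order on a constructed Shorewall line, translating the subset of OSSEC's regex dialect used here to Python's `re`. The sample ports are constructed numbers, because the SPT=ZZ/DPT=XX placeholders in the posted line cannot be matched by `\d+`; the `\w` character set is taken from the OSSEC regex syntax documentation and is an assumption of this example.

```python
import re

# OSSEC regex dialect -> Python re, for the subset the Shorewall decoder uses.
# In OSSEC "\." is the wildcard and a bare "." is literal; "\w" is assumed to
# be A-Z a-z 0-9 '-' '@' '_' as documented for the OSSEC regex syntax.
_OSSEC_CLASSES = {
    ".": ".",                  # \.  anything
    "S": r"\S",                # \S  anything but spaces
    "s": " ",                  # \s  space
    "d": r"\d",                # \d  digit
    "w": r"[A-Za-z0-9@_\-]",   # \w  OSSEC word character
}
_META = set("()+*^$|")         # unescaped metacharacters shared by both dialects

def ossec_to_python(pattern: str) -> str:
    """Translate an OSSEC <prematch>/<regex> pattern into a Python regex."""
    out, i = [], 0
    while i < len(pattern):
        ch = pattern[i]
        if ch == "\\" and i + 1 < len(pattern):
            out.append(_OSSEC_CLASSES.get(pattern[i + 1], re.escape(pattern[i + 1])))
            i += 2
        else:
            out.append(ch if ch in _META else re.escape(ch))
            i += 1
    return "".join(out)

# The decoder from the post: prematch, the two <regex> lines joined, and <order>.
PREMATCH = r"^Shorewall:\S+:\S+:IN="
REGEX = (r"^Shorewall:(\S+):(\S+):IN=\.+ SRC=(\S+) DST=(\S+)"
         r" \.+ PROTO=(\w+) SPT=(\d+) DPT=(\d+) ")
ORDER = ["extra_data", "action", "srcip", "dstip", "protocol", "srcport", "dstport"]
_PRE = re.compile(ossec_to_python(PREMATCH))
_RE = re.compile(ossec_to_python(REGEX))

def decode_shorewall(line: str):
    """Return the decoded OSSEC fields, or None when prematch or regex fails."""
    if not _PRE.search(line):
        return None                      # not a Shorewall line at all
    m = _RE.search(line)
    if not m:
        return None                      # prematch hit, but a field did not parse
    return dict(zip(ORDER, m.groups()))

# Constructed sample: the post's line with numeric ports in place of ZZ/XX.
SAMPLE = ("Shorewall:zz2qq:REJECT:IN= OUT=eth0 SRC=10.0.0.2 DST=10.0.0.1 LEN=60 "
          "TOS=0x10 PREC=0x00 TTL=64 ID=1111 DF PROTO=TCP SPT=51234 DPT=22 "
          "WINDOW=5840 RES=0x00 SYN URGP=0")

if __name__ == "__main__":
    print(decode_shorewall(SAMPLE))
```

Running it on the posted line with the ZZ/XX placeholders left in returns None, which is the quickest way to see that a decoder's prematch can fire while its regex still rejects the event.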




OSSEC project: www.ossec.net.
Mailing list information: http://www.ossec.net/en/mailing_lists.html.