[ossec-list] Re: Chatty PIX rules
Hi Erick,
Changing from debugging to informational would not help, because
these messages have severity 2 (critical). The problem is that
they are not being treated as a firewall deny event, but as a
pix critical event.
If you add this extra decoder:
<decoder name="pix-fw5">
  <parent>pix</parent>
  <type>firewall</type>
  <prematch offset="after_parent">^2-106006|^2-106007</prematch>
  <regex offset="after_parent">^(\S+): (\w+) \S+ (\w+) from </regex>
  <regex>(\d+.\d+.\d+.\d+)/(\d+) to (\d+.\d+.\d+.\d+)/(\d+) </regex>
  <order>id, action, protocol, srcip, srcport, dstip, dstport</order>
</decoder>
just after the pix-fw4 one (in /var/ossec/etc/decoder.xml), this
message will be parsed correctly and be treated as a firewall event
(not causing more false positives). We will also release a new version
soon with all these fixes in it.
If you can show us the other logs causing false positives, I will fix them
for the next version.
Hope it helps,
--
Daniel B. Cid
dcid ( at ) ossec.net
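As an added illustration (not from the post and not OSSEC's own code), the script below approximates how the pix-fw5 decoder chain would parse the 106006/106007 lines from the alert: the parent "pix" decoder consumes the "%PIX-" prefix, the child prematch narrows on the message id, and the regex fills the fields named in <order>. OSSEC's own regex engine is replaced by Python's re (the dots in the IP pattern are made literal), and the addresses are constructed RFC 5737 values in place of the masked ones.

```python
import re

# Python approximation of the decoder chain (assumption: OSSEC's OS_Regex is
# emulated with Python `re`; '.' in the IP pattern is made a literal dot).
PARENT_PREMATCH = re.compile(r"^%PIX-")              # stock "pix" parent decoder
CHILD_PREMATCH = re.compile(r"^2-106006|^2-106007")  # pix-fw5 prematch, after_parent
CHILD_REGEX = re.compile(                            # both <regex> elements joined
    r"^(\S+): (\w+) \S+ (\w+) from "
    r"(\d+\.\d+\.\d+\.\d+)/(\d+) to (\d+\.\d+\.\d+\.\d+)/(\d+) "
)
ORDER = ("id", "action", "protocol", "srcip", "srcport", "dstip", "dstport")


def decode_pix_fw5(line):
    """Return the decoded fields as a dict, or None when pix-fw5 does not match."""
    parent = PARENT_PREMATCH.match(line)
    if not parent:
        return None
    rest = line[parent.end():]   # offset="after_parent": continue after "%PIX-"
    if not CHILD_PREMATCH.match(rest):
        return None              # some other PIX message; left to other decoders
    m = CHILD_REGEX.match(rest)
    if not m:
        return None
    return dict(zip(ORDER, m.groups()))


def is_firewall_deny(line):
    """True when the line decodes as a firewall event with action Deny."""
    fields = decode_pix_fw5(line)
    return fields is not None and fields["action"] == "Deny"


# Constructed samples modelled on the alert in the thread (addresses are made up).
SAMPLE_LOGS = [
    "%PIX-2-106006: Deny inbound UDP from 192.0.2.10/20031 to 198.51.100.5/20031 on interface vpn",
    "%PIX-2-106007: Deny inbound UDP from 192.0.2.11/54481 to 198.51.100.5/1026 due to DNS Query",
    "%PIX-2-106001: Inbound TCP connection denied from 192.0.2.12/4444 to 198.51.100.5/22 flags SYN on interface outside",
]

if __name__ == "__main__":
    for log in SAMPLE_LOGS:
        print(decode_pix_fw5(log))
```

The third sample has the same severity 2 but a different message id, so the prematch rejects it and it never reaches this regex; that is the mechanism that stops the 106006/106007 lines from being counted as generic "PIX critical" messages.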
On 9/7/06, Erick Kinnee <ekinnee@xxxxxxxxxxxx> wrote:
Here's an alert example. These are about the most annoying. Edited...
OSSEC HIDS Notification.
2006 Sep 07 14:11:02
Received From: ***-PIX-1->/mnt/logdisk/***-PIX-1/***-PIX-1.log
Rule: 4381 fired (level 10) -> "Multiple PIX critical messages."
Portion of the log(s):
%PIX-2-106006: Deny inbound UDP from ***/20031 to ***/20031 on interface vpn
%PIX-2-106006: Deny inbound UDP from ***/20031 to ***/20031 on interface vpn
%PIX-2-106006: Deny inbound UDP from ***/54481 to ***/1026 on interface vpn
%PIX-2-106006: Deny inbound UDP from ***9/20031 to ***/20031 on interface vpn
%PIX-2-106006: Deny inbound UDP from ***/20031 to ***/20031 on interface vpn
%PIX-2-106006: Deny inbound UDP from ***/20031 to ***/20031 on interface vpn
%PIX-2-106006: Deny inbound UDP from ***/20031 to ***/20031 on interface vpn
Log samples are a different story. They are very verbose, I think I
need to crank some stuff down and am researching how to do so. I
already went from "logging trap debugging" to "logging trap
informational" and that didn't seem to help.
On Sep 7, 2006, at 2:05 PM, Daniel Cid wrote:
>
> Hi Erick,
>
> Can you show us a few of these alerts and a sample of your pix logs?
> I made some changes to the pix rules and maybe I broke something
> in the middle. In addition to that, we have a small document in the
> wiki on how to ignore specific rules ...
>
> http://www.ossec.net/wiki/index.php/Know_How:Ignore_Rules
>
> Hope it helps.
>
> --
> Daniel B. Cid
> dcid ( at ) ossec.net
>
> On 9/7/06, Erick Kinnee <ekinnee@xxxxxxxxxxxx> wrote:
>>
>> Have we come up with a workable way to suppress or threshold down
>> alerts for certain devices? I have several PIXes sending syslogs to
>> the OSSEC box and I'm being flooded with alerts. There were 139 of
>> them last night for one PIX as it was doing what it's supposed to and
>> dropping traffic based on ACLs. Maybe I need to turn something down
>> on the PIX? I do have it configured with "logging trap debugging".
>>
OSSEC project: www.ossec.net.
Mailing list information: http://www.ossec.net/en/mailing_lists.html.