
[ossec-list] Re: OSSEC with Pix




> Apart from the information I am seeing in the
> :/var/ossec/logs/firewall/firewall.log, when I go and type:

What you see here is a log produced by ossec, not the firewall.

I don't use ossec as a syslog server, I use the regular syslogd to
capture the pix logs, and I get something like this:

Apr 16 11:53:37 pix %PIX-6-106015: Deny TCP (no connection) from
202.196.113.xx/4373 to 192.168.0.1/65500 flags FIN ACK  on interface
outside
Apr 16 11:53:48 pix %PIX-5-502103: User priv level changed: Uname:
enable_1 From: 1 To: 15
Apr 16 11:53:48 pix %PIX-5-111008: User 'enable_1' executed the 'enable'
command.
Apr 16 11:54:51 pix %PIX-6-106015: Deny TCP (no connection) from
88.163.87.xx/48871 to 192.168.0.1/80 flags ACK  on interface outside
Apr 16 11:54:52 pix %PIX-4-402106: Rec'd packet not an IPSEC packet.
(ip) dest_addr= 192.168.0.1, src_addr= 88.163.87.127, prot= tcp
Apr 16 11:54:52 pix %PIX-3-201009: TCP connection limit of 187 for host
10.10.12.1 on dmz exceeded
Apr 16 11:54:52 pix %PIX-3-710003: TCP access denied by ACL from
88.163.87.xx/38821 to outside:192.168.0.1/ssh
Apr 16 11:54:53 pix %PIX-3-710003: TCP access denied by ACL from
88.163.87.xx/38832 to outside:192.168.0.1/ssh
Apr 16 11:54:53 pix %PIX-4-402106: Rec'd packet not an IPSEC packet.
(ip) dest_addr= 192.168.0.1, src_addr= 88.163.87.127, prot= tcp
Apr 16 11:54:55 pix %PIX-4-402106: Rec'd packet not an IPSEC packet.
(ip) dest_addr= 192.168.0.1, src_addr= 88.163.87.127, prot= tcp
Apr 16 11:54:56 pix %PIX-3-710003: TCP access denied by ACL from
88.163.87.xx/38846 to outside:192.168.0.1/ssh
Apr 16 11:55:16 pix %PIX-6-106015: Deny TCP (no connection) from
82.123.1.xx/1374 to 192.168.0.1/65500 flags RST  on interface outside
Apr 16 11:55:37 pix %PIX-6-106015: Deny TCP (no connection) from
202.196.113.xx/4373 to 192.168.0.1/65500 flags FIN ACK  on interface
outside
Apr 16 11:55:56 pix %PIX-6-106015: Deny TCP (no connection) from
88.163.87.xx/41079 to 192.168.0.1/443 flags RST ACK  on interface outside
Apr 16 11:56:04 pix %PIX-6-106015: Deny TCP (no connection) from
84.100.14.xx/4662 to 192.168.0.1/46067 flags RST  on interface outside


As you see I get everything.

I've added these lines to the various config files:

/etc/syslogd:
local4.*                        /var/log/pix.log

/etc/default/syslogd:
SYSLOGD="-r"

in the pix conf:
logging enable
logging trap informational
logging host 192.168.0.1

And I've asked ossec to read the pix.log:
  <localfile>
    <log_format>syslog</log_format>
    <location>/var/log/pix.log</location>
  </localfile>
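For readers who want to see what OSSEC has to do with a file like /var/log/pix.log once syslogd has written it, here is a small added example (not code from the post, nor from OSSEC itself) that parses the syslog lines quoted above into the fields a decoder would extract (timestamp, host, severity, message id, source and destination) and runs one simple detection over them: counting %PIX-3-710003 "access denied by ACL" events per source. The regular expressions, the helper names and the threshold of three denials are this example's own assumptions; the sample log is the post's own output re-joined where the mail client wrapped it.

```python
import re
from collections import Counter

# Sample input: the lines quoted in the post above, re-joined where the
# mail client wrapped them (constructed sample for this example).
SAMPLE_LOG = """\
Apr 16 11:53:37 pix %PIX-6-106015: Deny TCP (no connection) from 202.196.113.xx/4373 to 192.168.0.1/65500 flags FIN ACK  on interface outside
Apr 16 11:53:48 pix %PIX-5-502103: User priv level changed: Uname: enable_1 From: 1 To: 15
Apr 16 11:53:48 pix %PIX-5-111008: User 'enable_1' executed the 'enable' command.
Apr 16 11:54:51 pix %PIX-6-106015: Deny TCP (no connection) from 88.163.87.xx/48871 to 192.168.0.1/80 flags ACK  on interface outside
Apr 16 11:54:52 pix %PIX-4-402106: Rec'd packet not an IPSEC packet. (ip) dest_addr= 192.168.0.1, src_addr= 88.163.87.127, prot= tcp
Apr 16 11:54:52 pix %PIX-3-201009: TCP connection limit of 187 for host 10.10.12.1 on dmz exceeded
Apr 16 11:54:52 pix %PIX-3-710003: TCP access denied by ACL from 88.163.87.xx/38821 to outside:192.168.0.1/ssh
Apr 16 11:54:53 pix %PIX-3-710003: TCP access denied by ACL from 88.163.87.xx/38832 to outside:192.168.0.1/ssh
Apr 16 11:54:53 pix %PIX-4-402106: Rec'd packet not an IPSEC packet. (ip) dest_addr= 192.168.0.1, src_addr= 88.163.87.127, prot= tcp
Apr 16 11:54:55 pix %PIX-4-402106: Rec'd packet not an IPSEC packet. (ip) dest_addr= 192.168.0.1, src_addr= 88.163.87.127, prot= tcp
Apr 16 11:54:56 pix %PIX-3-710003: TCP access denied by ACL from 88.163.87.xx/38846 to outside:192.168.0.1/ssh
Apr 16 11:55:16 pix %PIX-6-106015: Deny TCP (no connection) from 82.123.1.xx/1374 to 192.168.0.1/65500 flags RST  on interface outside
Apr 16 11:55:37 pix %PIX-6-106015: Deny TCP (no connection) from 202.196.113.xx/4373 to 192.168.0.1/65500 flags FIN ACK  on interface outside
Apr 16 11:55:56 pix %PIX-6-106015: Deny TCP (no connection) from 88.163.87.xx/41079 to 192.168.0.1/443 flags RST ACK  on interface outside
Apr 16 11:56:04 pix %PIX-6-106015: Deny TCP (no connection) from 84.100.14.xx/4662 to 192.168.0.1/46067 flags RST  on interface outside
"""

# Syslog header as written by syslogd, followed by the PIX "%PIX-<severity>-<msgid>:" tag.
# (Regex is this example's assumption about the format, based only on the lines above.)
PIX_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) %PIX-(?P<sev>\d)-(?P<msgid>\d{6}): (?P<text>.*)$"
)
# "from <src>/<port> to <dst>" appears in both the 106015 and 710003 messages.
FROM_TO_RE = re.compile(r"from (?P<src>\S+)/(?P<sport>\d+) to (?P<dst>\S+)")


def parse_pix_line(line):
    """Parse one syslog line; return a dict of fields, or None if it is not a PIX message."""
    m = PIX_RE.match(line.rstrip("\n"))
    if not m:
        return None
    ev = m.groupdict()
    ev["sev"] = int(ev["sev"])          # 0 (emergencies) .. 7 (debugging)
    ft = FROM_TO_RE.search(ev["text"])
    ev["src"] = ft.group("src") if ft else None
    ev["dst"] = ft.group("dst") if ft else None
    return ev


def parse_log(text):
    """Parse a whole log file, silently skipping lines that are not PIX messages."""
    return [ev for ev in (parse_pix_line(l) for l in text.splitlines()) if ev]


def count_by_msgid(events):
    """How many times each PIX message id occurred."""
    return Counter(ev["msgid"] for ev in events)


def acl_denies_per_source(events):
    """Count %PIX-3-710003 (TCP access denied by ACL) events per source address."""
    return Counter(ev["src"] for ev in events if ev["msgid"] == "710003")


def repeated_acl_denies(events, threshold=3):
    """Sources with at least `threshold` ACL denials; the threshold is this example's own choice."""
    return sorted((src, n) for src, n in acl_denies_per_source(events).items() if n >= threshold)


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print(count_by_msgid(evs))
    print(repeated_acl_denies(evs))
```

Run as-is it reads the embedded sample; point `parse_log` at the contents of /var/log/pix.log to run it over a real file. The point of the example is the split of work: the regexes are the decoder step (pull the message id and addresses out of the text), and `repeated_acl_denies` is the rule step (decide what is worth an alert); OSSEC's own decoders and rules follow the same two-stage shape, which is why feeding it the raw syslog file rather than its own firewall.log matters.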



OSSEC project: www.ossec.net.
Mailling list information: http://www.ossec.net/en/mailing_lists.html.