Hello all, thank you for the support & help that this list and the
ossec.net web site provides. And I am hoping to stretch this a bit further…
please, I have got a Cisco ASA that is currently sending its syslogs over to my
OSSEC machine. This is running on a cut-down version of Red Hat and running very
nicely. I get my e-mail alerts as I should when things happen that should not.
I have also been able to configure a little "active-response" script for this
ASA so that IP addresses get shunned & un-shunned as per the firewall-drop.sh.

Well, I have been a bit lazy and I have added the Cisco ASA entries into the
Linux section of this script. What I have done is this (in red, bold are my
additions):

    # We should run on linux
    # (ACTION, IP, UNAME and IPTABLES are set at the top of firewall-drop.sh;
    #  ASA_DIR only shortens the paths of the ASA files below)
    ASA_DIR="/var/ossec/active-response/bin/ASA"
    if [ "X${UNAME}" = "XLinux" ]; then
        if [ "x${ACTION}" = "xadd" ]; then
            ARG1="-I INPUT -s ${IP} -j DROP"
            ARG2="-I FORWARD -s ${IP} -j DROP"
            # ASA addition: assemble an expect script that shuns the IP and run it
            echo "shun ${IP}" > "${ASA_DIR}/${IP}.txt"
            cat "${ASA_DIR}/shun1.txt" "${ASA_DIR}/${IP}.txt" "${ASA_DIR}/shun3.txt" \
                > "${ASA_DIR}/shun${IP}.txt"
            expect "${ASA_DIR}/shun${IP}.txt"
        else
            ARG1="-D INPUT -s ${IP} -j DROP"
            ARG2="-D FORWARD -s ${IP} -j DROP"
            # ASA addition: the same with "no shun" to remove the shun again
            echo "no shun ${IP}" > "${ASA_DIR}/un${IP}.txt"
            cat "${ASA_DIR}/shun1.txt" "${ASA_DIR}/un${IP}.txt" "${ASA_DIR}/shun3.txt" \
                > "${ASA_DIR}/unshun${IP}.txt"
            expect "${ASA_DIR}/unshun${IP}.txt"
        fi

        # Checking if iptables is present
        ls ${IPTABLES} >> /dev/null 2>&1
        if [ $? != 0 ]; then
            IPTABLES="/usr"${IPTABLES}
            ls ${IPTABLES} >> /dev/null 2>&1
            if [ $? != 0 ]; then
                exit 0;
            fi
        fi

        # Executing and exiting
        ${IPTABLES} ${ARG1}
        ${IPTABLES} ${ARG2}
        exit 0;
    fi

Not what you expected I am sure, it is a kluge, but it works – and I am a happy
man. shun1.txt & shun3.txt are text files that contain the beginning and end
part of an expect script, while ${IP}.txt & un${IP}.txt are the commands to
shun & unshun the IP in question from the ASA. This all works – this is great.
The expect line simply runs the command as it should against an ASA that is
hard-coded into the shun1.txt file.

And here is my problem – I do not want it to be hard-coded, really; I would like
this to be picked up from the log entries. I have another ASA somewhere else
that I also want to have send its syslog messages to this OSSEC server, and I
want to have the same goodness on that ASA. Hence my question (after a half
marathon) – is there any way that I can extract the IP of the source of the
syslog files for the shun & un-shun of the hosts for the ASA? I am hoping for a
parameter that I can use in that script so that I can parse it to a text file
and use it as well.

Thank you all for any help that you may be able to give. If anyone has ASAs and
wants to know how those text files work with the ASA please let me know – I
would be more than happy to
help.

Regards,
Jens C Harsem | Regional MIS Manager |
MICROS-Fidelio Asia Pacific | Suite 7, 13 Narabang Way |
Belrose, NSW 2085 | Australia
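One way to pick the reporting ASA's address up from the alert instead of hard-coding it in shun1.txt, as an added example that is not from the post above or from OSSEC's own firewall-drop.sh. It assumes OSSEC passes the alert id to the active-response script as its fourth argument, that the alert's location line in alerts.log has the form "<date> [(agent)] <host>-><source>" with the syslog sender as the host, and the alerts file it reads is a constructed sample; the dotted-quad check before the address goes into a file that expect executes is my addition.

```shell
#!/bin/sh
# Added example, not from the original post or from OSSEC's firewall-drop.sh.
# Assumed: OSSEC runs an active-response script as
#   script <action> <user> <srcip> <alert_id> <rule_id> ...
# and that the alert with that id in alerts.log has a location line
#   "<date> [(agent)] <reporting host>-><log source>"
# where, for a remote syslog sender, the reporting host is the ASA's address.
ALERTS_LOG="${ALERTS_LOG:-/var/ossec/logs/alerts/alerts.log}"

# Print the reporting host of alert $1 from alerts file $2 (default ALERTS_LOG).
asa_host_from_alert() {
    awk -v id="$1" '
        found && /^\*\* Alert/ { exit }                    # reached the next alert
        found && /->/ { sub(/->.*/, ""); print $NF; exit } # host is left of "->"
        $0 ~ "^\\*\\* Alert " id ":" { found = 1 }         # header of wanted alert
    ' "${2:-$ALERTS_LOG}"
}

# Accept only a dotted quad: the value is written into a script that expect runs.
is_ipv4() {
    case "$1" in ""|*[!0-9.]*|.*|*.|*..*) return 1 ;; esac
    set -- $(printf '%s\n' "$1" | tr '.' ' ')
    [ "$#" -eq 4 ] || return 1
    for octet; do [ "$octet" -le 255 ] || return 1; done
}

# Constructed sample of alerts.log: two alerts reported by two different ASAs.
sample_alerts_file() {
    f="$(mktemp)"
    cat > "$f" <<'EOF'
** Alert 1262304000.1234: - syslog,cisco_asa,
2010 Jan 01 12:00:00 10.0.0.1->syslog
Rule: 4100 (level 3) -> 'Firewall messages grouped.'
Src IP: 203.0.113.9
** Alert 1262304100.1235: - syslog,cisco_asa,
2010 Jan 01 12:01:40 (asa-branch) 192.0.2.7->syslog
Rule: 4100 (level 3) -> 'Firewall messages grouped.'
EOF
    echo "$f"
}

# In firewall-drop.sh: ACTION=$1 IP=$3, and the alert id is $4 (assumed).
if [ "$#" -ge 4 ]; then
    ASA="$(asa_host_from_alert "$4")"
    is_ipv4 "$ASA" || { echo "alert $4: no usable ASA address" >&2; exit 1; }
    echo "would shun ${IP:-$3} on ASA ${ASA}"   # host to use instead of shun1.txt's
fi
```

The printed host is what would replace the hard-coded address in shun1.txt when the expect script is assembled; an alert with no location line yields nothing, so the script refuses to run rather than shunning on the wrong box.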