[ossec-list] Re: OSSEC log iptables problems (not all are loggued by OSSEC)

["xtz.info@xxxxxxxxx" <dead.but.dreamer@xxxxxxxxx>]

Daniel Cid a écrit :
> The issue is with the format of the logs. OSSEc is very strict in the 
> regexes
> (for performance reasons) and it will not match if the logging action 
> from
> iptables has spaces on it. If you can change it from "DROP FLOOD" to
> "DROP_FLOOD" it will work...
work fine ;) thx
> *the same applies for the other logs provided.
> *You can also tweak the regexes to match on actions with spaces.
>
> Hope it helps.
>
> --
> Daniel B. Cid
> dcid ( at ) ossec.net
>
> On 2/1/07, xtz.info@xxxxxxxxx <xtz.info@xxxxxxxxx> wrote:
> > this are not loggued:
> >
> > Feb  1 18:00:58 gatlan kernel: DROP FLOOD_ICMP IN=ppp0 OUT= MAC=
> > SRC=90.19.58.253 DST=90.20.131.158 LEN=60 TOS=0x00 PREC=0x00 TTL=125
> > ID=41650 PROTO=ICMP TYPE=8 CODE=0 ID=256 SEQ=10241
> >
> >
> > On Feb 1, 5:53 pm, "xtz.i...@xxxxxxxxx" <dead.but.drea...@xxxxxxxxx>
> > wrote:
> > > I have a problem when OSSEC log iptables logFeb  1 17:47:41 gatlan 
> > kernel: DROP ICMP_ERROR IN=ppp0 OUT= MAC= SRC=203.141.119.233 
> > DST=90.20.131.158 LEN=94 TOS=0x00 PREC=0x00 TTL=44 ID=59875 
> > PROTO=ICMP TYPE=3 CODE=1 [SRC=90.20.131.158 DST=192.168.11.2 LEN=66 
> > TOS=0x00 PREC=0x00 TTL=43 ID=47914 PROTO=UDP SPT=9689 DPT=4672 LEN=46 ]
> > > this are loggued, but this:Feb  1 17:51:35 gatlan kernel: DROP 
> > SPOOF IN=ppp0 OUT= MAC= SRC=192.168.1.2 DST=90.20.131.158 LEN=40 
> > TOS=0x00 PREC=0x00 TTL=113 ID=5460 DF PROTO=TCP SPT=4662 DPT=4346 
> > WINDOW=65205 RES=0x00 ACK FIN URGP=0
> > > are not loggued by OSSEC, i don't not why...