Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

No matches against new Ingress Event dictionary

  • 1.  No matches against new Ingress Event dictionary

    Posted May 19, 2017 04:54 AM

    Hi All,

    On the CPPM I've been trying to filter out some FW Syslog events.
    This is the syslog entry found in /var/avenda/tips/log/igesyslog/igesyslog.log:

    <134>1 2017-05-19T10:16:24.721156+02:00 192.168.10.1 - - - 1495181784.703443386 FW01 security_event ids_alerted signature=1:39867:3 priority=3 timestamp=1495181783.871463 shost=F0:DE:F1:80:EE:2E direction=egress protocol=udp/ip src=192.168.10.29:50165 dst=192.168.1.204:53 message: INDICATOR-COMPROMISE Suspicious .tk dns query



    Though when looking in the actual syslog PCAP I see the following:

    1 1495179161.921631238 FW01 security_event ids_alerted signature=1:39867:3 priority=3 timestamp=1495179160.951639 shost=F0:DE:F1:80:EE:2E direction=egress protocol=udp/ip src=192.168.10.29:63354 dst=192.168.1.204:53 message: INDICATOR-COMPROMISE Suspicious .tk dns query


    I started off with the second entry with no luck, so I've made a grok filter for the first one as well:

    I've verified the filters with this tool: http://grokconstructor.appspot.com/do/match


    1.

    %{DATA:identifier}%{NUMBER:deny_action1} %{TIMESTAMP_ISO8601:datum} %{IP:gatewayip} %{DATA:dash1} %{DATA:dash1} %{DATA:dash1} %{NUMBER:timestamp_fw} %{WORD:appliancename} %{WORD:type} %{WORD:IDS_Event} signature=%{DATA:signature} priority=%{NUMBER:priority} %{DATA:timestamp} shost=%{DATA:host_mac_src} direction=%{DATA:direction} protocol=%{DATA:protocol} src=%{IP:host_ip_src}:%{DATA:port_src} dst=%{IP:host_ip_dst}:%{DATA:port_dst} message:%{GREEDYDATA:syslog_message}


    2.

    %{NUMBER:deny_action1} %{NUMBER:timestamp_cppm} %{WORD:appliancename} %{WORD:type} %{WORD:IDS_Event} signature=%{DATA:signature} priority=%{NUMBER:priority} %{DATA:timestamp} shost=%{DATA:host_mac_src} direction=%{DATA:direction} protocol=%{DATA:protocol} src=%{IP:host_ip_src}:%{DATA:port_src} dst=%{IP:host_ip_dst}:%{DATA:port_dst} message:%{GREEDYDATA:syslog_message} 


    I've attached both XML Ingress Event Dictionaries and the output of a tail -F /var/avenda/tips/log/async-netd/ingressproc.log for an event.


    Could somebody point me in the right direction? Thanks!


    Regards,


    Mitchell

    Attachment(s)

    log.txt (23 KB)
    FW_2.txt (2 KB)
    FW_1.txt (3 KB)
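
The posted filter 1 can be checked offline against the quoted igesyslog line with the following added example (not ClearPass code and not from the thread). It is a small grok-to-regex expander with simplified versions of the base patterns; it assumes Logstash grok field semantics, including a field name used more than once (dash1) collecting into a list.

```python
import re

# Simplified subset of the Logstash grok base patterns (real IPV4/NUMBER are stricter).
GROK_PATTERNS = {
    "NUMBER": r"[+-]?[0-9]+(?:\.[0-9]+)?",
    "WORD": r"\b\w+\b",
    "DATA": r".*?",
    "GREEDYDATA": r".*",
    "IP": r"(?:[0-9]{1,3}\.){3}[0-9]{1,3}",
    "TIMESTAMP_ISO8601": r"\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}(?:\.\d+)?(?:Z|[+-]\d{2}:?\d{2})?",
}
GROK_REF = re.compile(r"%\{(\w+)(?::(\w+))?\}")

def compile_grok(pattern):
    """Expand %{BASE:field} references into a Python regex; returns (regex, field names)."""
    names, parts, pos = [], [], 0
    for m in GROK_REF.finditer(pattern):
        parts.append(re.escape(pattern[pos:m.start()]))  # literal text between references
        regex = GROK_PATTERNS[m.group(1)]                 # KeyError = unsupported base pattern
        if m.group(2) is None:
            parts.append("(?:%s)" % regex)
        else:  # unique internal group name, so a field used twice (dash1) still compiles
            names.append(m.group(2))
            parts.append("(?P<g%d>%s)" % (len(names) - 1, regex))
        pos = m.end()
    parts.append(re.escape(pattern[pos:]))
    return re.compile("".join(parts)), names

def grok_match(pattern, line):
    """Fields extracted from line as a dict (a repeated field name yields a list), or None."""
    regex, names = compile_grok(pattern)
    m = regex.match(line)
    if m is None:
        return None
    fields = {}
    for i, name in enumerate(names):
        fields.setdefault(name, []).append(m.group("g%d" % i))
    return {k: v[0] if len(v) == 1 else v for k, v in fields.items()}

# Constructed copies of the igesyslog line and of filter 1 from the post above.
CPPM_LOG_LINE = ("<134>1 2017-05-19T10:16:24.721156+02:00 192.168.10.1 - - - 1495181784.703443386 FW01 security_event "
                 "ids_alerted signature=1:39867:3 priority=3 timestamp=1495181783.871463 shost=F0:DE:F1:80:EE:2E "
                 "direction=egress protocol=udp/ip src=192.168.10.29:50165 dst=192.168.1.204:53 message: INDICATOR-COMPROMISE Suspicious .tk dns query")
FILTER_1 = ("%{DATA:identifier}%{NUMBER:deny_action1} %{TIMESTAMP_ISO8601:datum} %{IP:gatewayip} %{DATA:dash1} "
            "%{DATA:dash1} %{DATA:dash1} %{NUMBER:timestamp_fw} %{WORD:appliancename} %{WORD:type} %{WORD:IDS_Event} "
            "signature=%{DATA:signature} priority=%{NUMBER:priority} %{DATA:timestamp} shost=%{DATA:host_mac_src} "
            "direction=%{DATA:direction} protocol=%{DATA:protocol} src=%{IP:host_ip_src}:%{DATA:port_src} "
            "dst=%{IP:host_ip_dst}:%{DATA:port_dst} message:%{GREEDYDATA:syslog_message}")

if __name__ == "__main__":
    for field, value in grok_match(FILTER_1, CPPM_LOG_LINE).items():
        print(field, "=", repr(value))  # repr() shows the leading space kept in syslog_message
```

Printing with repr() makes two details visible: %{DATA:timestamp} keeps the literal timestamp= prefix in the field value, and %{GREEDYDATA:syslog_message} keeps the space after message:.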


  • 2.  RE: No matches against new Ingress Event dictionary

    Posted Dec 27, 2017 05:37 AM

    Ciao,

    Do you have some news? I've the same problem trying to do a new Ingress Event dictionary.


    Thanks



  • 3.  RE: No matches against new Ingress Event dictionary

    Posted Dec 29, 2017 03:08 AM

    Hi ipagliani,


    It seems that a working/matching grok filter isn't the only thing to consider in an Ingress Event dictionary... I've created a TAC case in the end and they came up with the attached solution/Ingress event dictionary. This one works.


    Attachment(s)

    IngressEvent.txt (4 KB)


  • 4.  RE: No matches against new Ingress Event dictionary

    Posted Jan 02, 2018 02:28 PM

    Which firewall vendor is this for?



  • 5.  RE: No matches against new Ingress Event dictionary

    EMPLOYEE
    Posted Jan 04, 2018 03:34 AM

    This was used for the Meraki MX Firewall.