MPM
New Contributor

No matches against new Ingress Event dictionary

Hi All,

On the CPPM I've been trying to filter out some FW Syslog events.
This is the syslog entry found in /var/avenda/tips/log/igesyslog/igesyslog.log:

<134>1 2017-05-19T10:16:24.721156+02:00 192.168.10.1 - - - 1495181784.703443386 FW01 security_event ids_alerted signature=1:39867:3 priority=3 timestamp=1495181783.871463 shost=F0:DE:F1:80:EE:2E direction=egress protocol=udp/ip src=192.168.10.29:50165 dst=192.168.1.204:53 message: INDICATOR-COMPROMISE Suspicious .tk dns query

Though when looking in the actual syslog PCAP I see the following:

1 1495179161.921631238 FW01 security_event ids_alerted signature=1:39867:3 priority=3 timestamp=1495179160.951639 shost=F0:DE:F1:80:EE:2E direction=egress protocol=udp/ip src=192.168.10.29:63354 dst=192.168.1.204:53 message: INDICATOR-COMPROMISE Suspicious .tk dns query

I started off with the second entry with no luck, so I've made a grok filter for the first one as well:

I've verified the filters with this tool: http://grokconstructor.appspot.com/do/match

1.

%{DATA:identifier}%{NUMBER:deny_action1} %{TIMESTAMP_ISO8601:datum} %{IP:gatewayip} %{DATA:dash1} %{DATA:dash1} %{DATA:dash1} %{NUMBER:timestamp_fw} %{WORD:appliancename} %{WORD:type} %{WORD:IDS_Event} signature=%{DATA:signature} priority=%{NUMBER:priority} %{DATA:timestamp} shost=%{DATA:host_mac_src} direction=%{DATA:direction} protocol=%{DATA:protocol} src=%{IP:host_ip_src}:%{DATA:port_src} dst=%{IP:host_ip_dst}:%{DATA:port_dst} message:%{GREEDYDATA:syslog_message}

2.

%{NUMBER:deny_action1} %{NUMBER:timestamp_cppm} %{WORD:appliancename} %{WORD:type} %{WORD:IDS_Event} signature=%{DATA:signature} priority=%{NUMBER:priority} %{DATA:timestamp} shost=%{DATA:host_mac_src} direction=%{DATA:direction} protocol=%{DATA:protocol} src=%{IP:host_ip_src}:%{DATA:port_src} dst=%{IP:host_ip_dst}:%{DATA:port_dst} message:%{GREEDYDATA:syslog_message}

I've attached both XML Ingress Event Dictionaries and the output of a tail -F /var/avenda/tips/log/async-netd/ingressproc.log for an event.

Could somebody point me in the right direction? Thanks!

Regards,

Mitchell
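
To see which fields the two grok filters above actually extract from the two quoted log lines, here is a small Python harness added as an example; it is not part of the original post or of ClearPass, and its grok pattern definitions (DATA, GREEDYDATA, WORD, NUMBER, IP, TIMESTAMP_ISO8601) are simplified approximations of the logstash library entries, not the upstream definitions.

```python
import re

# Hand-written approximations of the logstash grok library entries the post uses
# (assumption: simplified, not the exact upstream definitions).
GROK_PATTERNS = {
    "DATA": r".*?",
    "GREEDYDATA": r".*",
    "WORD": r"\b\w+\b",
    "NUMBER": r"[+-]?(?:\d+(?:\.\d+)?|\.\d+)",
    "IP": r"\d{1,3}(?:\.\d{1,3}){3}",
    "TIMESTAMP_ISO8601": r"\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}(?:\.\d+)?(?:Z|[+-]\d{2}:\d{2})?",
}
GROK_TOKEN = re.compile(r"%\{(\w+)(?::(\w+))?\}")

def grok_to_regex(grok):
    """Expand %{PATTERN:field} tokens into named groups and escape literal text.
    Python rejects duplicate group names, so a repeated field (dash1 above)
    gets a numeric suffix; grok itself would return an array for it."""
    seen, parts, pos = {}, [], 0
    for tok in GROK_TOKEN.finditer(grok):
        parts.append(re.escape(grok[pos:tok.start()]))
        name, field = tok.group(1), tok.group(2)
        sub = GROK_PATTERNS[name]
        if field:
            seen[field] = seen.get(field, 0) + 1
            if seen[field] > 1:
                field = "%s_%d" % (field, seen[field])
            parts.append("(?P<%s>%s)" % (field, sub))
        else:
            parts.append("(?:%s)" % sub)
        pos = tok.end()
    parts.append(re.escape(grok[pos:]))
    return re.compile("".join(parts))

def grok_match(grok, line):
    """Return the extracted fields, or None when the filter does not match."""
    m = grok_to_regex(grok).search(line)
    return m.groupdict() if m else None

# Log lines and grok filters copied from the post above.
LINE_1 = "<134>1 2017-05-19T10:16:24.721156+02:00 192.168.10.1 - - - 1495181784.703443386 FW01 security_event ids_alerted signature=1:39867:3 priority=3 timestamp=1495181783.871463 shost=F0:DE:F1:80:EE:2E direction=egress protocol=udp/ip src=192.168.10.29:50165 dst=192.168.1.204:53 message: INDICATOR-COMPROMISE Suspicious .tk dns query"
LINE_2 = "1 1495179161.921631238 FW01 security_event ids_alerted signature=1:39867:3 priority=3 timestamp=1495179160.951639 shost=F0:DE:F1:80:EE:2E direction=egress protocol=udp/ip src=192.168.10.29:63354 dst=192.168.1.204:53 message: INDICATOR-COMPROMISE Suspicious .tk dns query"
FILTER_1 = "%{DATA:identifier}%{NUMBER:deny_action1} %{TIMESTAMP_ISO8601:datum} %{IP:gatewayip} %{DATA:dash1} %{DATA:dash1} %{DATA:dash1} %{NUMBER:timestamp_fw} %{WORD:appliancename} %{WORD:type} %{WORD:IDS_Event} signature=%{DATA:signature} priority=%{NUMBER:priority} %{DATA:timestamp} shost=%{DATA:host_mac_src} direction=%{DATA:direction} protocol=%{DATA:protocol} src=%{IP:host_ip_src}:%{DATA:port_src} dst=%{IP:host_ip_dst}:%{DATA:port_dst} message:%{GREEDYDATA:syslog_message}"
FILTER_2 = "%{NUMBER:deny_action1} %{NUMBER:timestamp_cppm} %{WORD:appliancename} %{WORD:type} %{WORD:IDS_Event} signature=%{DATA:signature} priority=%{NUMBER:priority} %{DATA:timestamp} shost=%{DATA:host_mac_src} direction=%{DATA:direction} protocol=%{DATA:protocol} src=%{IP:host_ip_src}:%{DATA:port_src} dst=%{IP:host_ip_dst}:%{DATA:port_dst} message:%{GREEDYDATA:syslog_message}"

if __name__ == "__main__":
    for filt, line in ((FILTER_1, LINE_1), (FILTER_2, LINE_2)):
        for k, v in (grok_match(filt, line) or {"NO MATCH": line}).items():
            print("%-16s %r" % (k, v))
```

Both filters match in this harness; note that `%{DATA:timestamp}` captures the whole `timestamp=...` token including its key, and `syslog_message` keeps the leading space that follows `message:`.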
