MPM, New Contributor (Posts: 1, Registered: 01-30-2017)

No matches against new Ingress Event dictionary

Hi All,

On the CPPM I've been trying to filter out some FW Syslog events.
This is the syslog entry found in /var/avenda/tips/log/igesyslog/igesyslog.log:

<134>1 2017-05-19T10:16:24.721156+02:00 192.168.10.1 - - - 1495181784.703443386 FW01 security_event ids_alerted signature=1:39867:3 priority=3 timestamp=1495181783.871463 shost=F0:DE:F1:80:EE:2E direction=egress protocol=udp/ip src=192.168.10.29:50165 dst=192.168.1.204:53 message: INDICATOR-COMPROMISE Suspicious .tk dns query

Though when looking in the actual syslog PCAP I see the following:

1 1495179161.921631238 FW01 security_event ids_alerted signature=1:39867:3 priority=3 timestamp=1495179160.951639 shost=F0:DE:F1:80:EE:2E direction=egress protocol=udp/ip src=192.168.10.29:63354 dst=192.168.1.204:53 message: INDICATOR-COMPROMISE Suspicious .tk dns query

I started off with the second entry with no luck, so I've made a grok filter for the first one as well:

I've verified the filters with this tool: http://grokconstructor.appspot.com/do/match

1.

%{DATA:identifier}%{NUMBER:deny_action1} %{TIMESTAMP_ISO8601:datum} %{IP:gatewayip} %{DATA:dash1} %{DATA:dash2} %{DATA:dash3} %{NUMBER:timestamp_fw} %{WORD:appliancename} %{WORD:type} %{WORD:IDS_Event} signature=%{DATA:signature} priority=%{NUMBER:priority} timestamp=%{NUMBER:timestamp} shost=%{DATA:host_mac_src} direction=%{DATA:direction} protocol=%{DATA:protocol} src=%{IP:host_ip_src}:%{DATA:port_src} dst=%{IP:host_ip_dst}:%{DATA:port_dst} message: %{GREEDYDATA:syslog_message}

2.

%{NUMBER:deny_action1} %{NUMBER:timestamp_cppm} %{WORD:appliancename} %{WORD:type} %{WORD:IDS_Event} signature=%{DATA:signature} priority=%{NUMBER:priority} timestamp=%{NUMBER:timestamp} shost=%{DATA:host_mac_src} direction=%{DATA:direction} protocol=%{DATA:protocol} src=%{IP:host_ip_src}:%{DATA:port_src} dst=%{IP:host_ip_dst}:%{DATA:port_dst} message: %{GREEDYDATA:syslog_message}

I've attached both XML Ingress Event Dictionaries and the output of a tail -F /var/avenda/tips/log/async-netd/ingressproc.log for an event.

Could somebody point me in the right direction? Thanks!

Regards,

Mitchell
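As an added example (not from the post above and not ClearPass code), the following Python script translates the two grok expressions from the post into regular expressions and runs them over the two sample lines, so you can see offline which fields each expression yields before loading a dictionary. It uses the post's field names, but gives the three "-" header fields distinct names (dash1, dash2, dash3) and consumes the "timestamp=" key explicitly so that field holds only the number. The grok base patterns (DATA, NUMBER, IP, WORD, TIMESTAMP_ISO8601, GREEDYDATA) are simplified approximations of Logstash's definitions written for this example, not the engine ClearPass uses, and the duplicate-field check is this script's own: a name captured more than once, as in the original three %{DATA:dash1} tokens, is a likely reason for a dictionary that never matches.

```python
import re

# Simplified stand-ins for the Logstash grok base patterns used in the post.
# These are approximations written for this example; Logstash's own NUMBER
# and TIMESTAMP_ISO8601 definitions are stricter.
GROK_PATTERNS = {
    "DATA": r".*?",
    "GREEDYDATA": r".*",
    "WORD": r"\b\w+\b",
    "NUMBER": r"[+-]?(?:[0-9]+(?:\.[0-9]+)?|\.[0-9]+)",
    "IP": r"(?:[0-9]{1,3}\.){3}[0-9]{1,3}",
    "TIMESTAMP_ISO8601": (
        r"\d{4}-\d{2}-\d{2}[T ]\d{2}:?\d{2}(?::?\d{2}(?:\.\d+)?)?"
        r"(?:Z|[+-]\d{2}(?::?\d{2})?)?"
    ),
}

# Matches %{TYPE} or %{TYPE:field_name} inside a grok expression.
GROK_TOKEN = re.compile(r"%\{(\w+)(?::(\w+))?\}")


def duplicate_fields(pattern):
    """Return field names that appear more than once in a grok expression."""
    seen, dups = set(), []
    for m in GROK_TOKEN.finditer(pattern):
        name = m.group(2)
        if name is None:
            continue
        if name in seen and name not in dups:
            dups.append(name)
        seen.add(name)
    return dups


def compile_grok(pattern):
    """Translate a grok expression into a compiled Python regex.

    Literal text between tokens is escaped and every %{TYPE:name} becomes a
    named group. Duplicate field names are rejected up front, because named
    groups must be unique and a repeated name is an easy mistake to miss.
    """
    dups = duplicate_fields(pattern)
    if dups:
        raise ValueError("duplicate field names: " + ", ".join(dups))
    parts, pos = [], 0
    for m in GROK_TOKEN.finditer(pattern):
        parts.append(re.escape(pattern[pos:m.start()]))
        gtype, name = m.group(1), m.group(2)
        if gtype not in GROK_PATTERNS:
            raise ValueError("unknown grok type " + gtype)
        body = GROK_PATTERNS[gtype]
        parts.append("(?:%s)" % body if name is None else "(?P<%s>%s)" % (name, body))
        pos = m.end()
    parts.append(re.escape(pattern[pos:]))
    return re.compile("".join(parts))


def parse_event(pattern, line):
    """Return the captured fields as a dict, or None when the line does not match."""
    m = compile_grok(pattern).match(line)
    return m.groupdict() if m else None


# Tail shared by both forms of the event. "timestamp=" is consumed as a key so
# the field holds only the number, and the space after "message:" stays out of
# the captured text.
COMMON_TAIL = (
    "signature=%{DATA:signature} priority=%{NUMBER:priority} "
    "timestamp=%{NUMBER:timestamp} shost=%{DATA:host_mac_src} "
    "direction=%{DATA:direction} protocol=%{DATA:protocol} "
    "src=%{IP:host_ip_src}:%{DATA:port_src} dst=%{IP:host_ip_dst}:%{DATA:port_dst} "
    "message: %{GREEDYDATA:syslog_message}"
)

# Form 1: the igesyslog.log line, which carries an RFC 5424 style header.
PATTERN_WITH_HEADER = (
    "%{DATA:identifier}%{NUMBER:deny_action1} %{TIMESTAMP_ISO8601:datum} "
    "%{IP:gatewayip} %{DATA:dash1} %{DATA:dash2} %{DATA:dash3} "
    "%{NUMBER:timestamp_fw} %{WORD:appliancename} %{WORD:type} "
    "%{WORD:IDS_Event} " + COMMON_TAIL
)

# Form 2: the line as seen in the syslog capture, without the header.
PATTERN_PCAP = (
    "%{NUMBER:deny_action1} %{NUMBER:timestamp_cppm} %{WORD:appliancename} "
    "%{WORD:type} %{WORD:IDS_Event} " + COMMON_TAIL
)

# Sample lines copied from the post (constructed test input for this script).
LINE_WITH_HEADER = (
    "<134>1 2017-05-19T10:16:24.721156+02:00 192.168.10.1 - - - "
    "1495181784.703443386 FW01 security_event ids_alerted signature=1:39867:3 "
    "priority=3 timestamp=1495181783.871463 shost=F0:DE:F1:80:EE:2E "
    "direction=egress protocol=udp/ip src=192.168.10.29:50165 "
    "dst=192.168.1.204:53 message: INDICATOR-COMPROMISE Suspicious .tk dns query"
)
LINE_PCAP = (
    "1 1495179161.921631238 FW01 security_event ids_alerted signature=1:39867:3 "
    "priority=3 timestamp=1495179160.951639 shost=F0:DE:F1:80:EE:2E "
    "direction=egress protocol=udp/ip src=192.168.10.29:63354 "
    "dst=192.168.1.204:53 message: INDICATOR-COMPROMISE Suspicious .tk dns query"
)

if __name__ == "__main__":
    for label, pattern, line in (
        ("igesyslog.log", PATTERN_WITH_HEADER, LINE_WITH_HEADER),
        ("syslog pcap", PATTERN_PCAP, LINE_PCAP),
    ):
        fields = parse_event(pattern, line)
        print(label, "->", "no match" if fields is None else fields)
```

Running the script prints the field dictionary for each form; feeding the header-form pattern a captured line (or the reverse) yields "no match", which is the first thing to rule out when a dictionary matches nothing: the text that actually reaches the ingress process may be only one of the two shapes.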
