MPM
New Contributor

No matches against new Ingress Event dictionary

Hi All,

On the CPPM I've been trying to filter out some FW Syslog events.
This is the syslog entry found in /var/avenda/tips/log/igesyslog/igesyslog.log:

<134>1 2017-05-19T10:16:24.721156+02:00 192.168.10.1 - - - 1495181784.703443386 FW01 security_event ids_alerted signature=1:39867:3 priority=3 timestamp=1495181783.871463 shost=F0:DE:F1:80:EE:2E direction=egress protocol=udp/ip src=192.168.10.29:50165 dst=192.168.1.204:53 message: INDICATOR-COMPROMISE Suspicious .tk dns query

Though when looking in the actual syslog PCAP I see the following:

1 1495179161.921631238 FW01 security_event ids_alerted signature=1:39867:3 priority=3 timestamp=1495179160.951639 shost=F0:DE:F1:80:EE:2E direction=egress protocol=udp/ip src=192.168.10.29:63354 dst=192.168.1.204:53 message: INDICATOR-COMPROMISE Suspicious .tk dns query

I started off with the second entry with no luck, so I've made a grok filter for the first one as well:

I've verified the filters with this tool: http://grokconstructor.appspot.com/do/match

1.

%{DATA:identifier}%{NUMBER:deny_action1} %{TIMESTAMP_ISO8601:datum} %{IP:gatewayip} %{DATA:dash1} %{DATA:dash1} %{DATA:dash1} %{NUMBER:timestamp_fw} %{WORD:appliancename} %{WORD:type} %{WORD:IDS_Event} signature=%{DATA:signature} priority=%{NUMBER:priority} %{DATA:timestamp} shost=%{DATA:host_mac_src} direction=%{DATA:direction} protocol=%{DATA:protocol} src=%{IP:host_ip_src}:%{DATA:port_src} dst=%{IP:host_ip_dst}:%{DATA:port_dst} message:%{GREEDYDATA:syslog_message}

2.

%{NUMBER:deny_action1} %{NUMBER:timestamp_cppm} %{WORD:appliancename} %{WORD:type} %{WORD:IDS_Event} signature=%{DATA:signature} priority=%{NUMBER:priority} %{DATA:timestamp} shost=%{DATA:host_mac_src} direction=%{DATA:direction} protocol=%{DATA:protocol} src=%{IP:host_ip_src}:%{DATA:port_src} dst=%{IP:host_ip_dst}:%{DATA:port_dst} message:%{GREEDYDATA:syslog_message}

I've attached both XML Ingress Event Dictionaries and the output of a tail -F /var/avenda/tips/log/async-netd/ingressproc.log for an event.

Could somebody point me in the right direction? Thanks!

Regards,

Mitchell
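As an added illustration (not code from this thread or from ClearPass), a small Python stand-in for the grok engine that compiles the two filters posted above and runs them over the quoted igesyslog line and a PCAP-shaped copy of it, so a defender can confirm the filters themselves match before suspecting the dictionary. It assumes simplified grok pattern definitions, suffixes the repeated dash1 field, and drops the trailing space of filter 2.

```python
import re
# Added example, not ClearPass code: simplified stand-ins for the Logstash grok
# patterns the thread's filters use (assumed adequate for these two line shapes).
GROK_BASE = {
    "NUMBER": r"[+-]?(?:\d+\.?\d*|\.\d+)", "WORD": r"\b\w+\b",
    "DATA": r".*?", "GREEDYDATA": r".*", "IP": r"(?:\d{1,3}\.){3}\d{1,3}",
    "TIMESTAMP_ISO8601": r"\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}(?:\.\d+)?(?:Z|[+-]\d{2}:?\d{2})?",
}
# IDS fields common to both filters; the trailing space of filter 2 is dropped because
# with an unanchored match it would cut the last word off syslog_message.
IDS_TAIL = ("%{WORD:appliancename} %{WORD:type} %{WORD:IDS_Event} signature=%{DATA:signature} "
            "priority=%{NUMBER:priority} %{DATA:timestamp} shost=%{DATA:host_mac_src} "
            "direction=%{DATA:direction} protocol=%{DATA:protocol} src=%{IP:host_ip_src}:"
            "%{DATA:port_src} dst=%{IP:host_ip_dst}:%{DATA:port_dst} message:%{GREEDYDATA:syslog_message}")
FILTERS = [  # filter 1: igesyslog.log line (RFC 5424 header); filter 2: raw PCAP line
    "%{DATA:identifier}%{NUMBER:deny_action1} %{TIMESTAMP_ISO8601:datum} %{IP:gatewayip} "
    "%{DATA:dash1} %{DATA:dash1} %{DATA:dash1} %{NUMBER:timestamp_fw} " + IDS_TAIL,
    "%{NUMBER:deny_action1} %{NUMBER:timestamp_cppm} " + IDS_TAIL,
]

def grok_to_regex(pattern):
    """Expand %{NAME:field} tokens into named groups and escape the literal text.
    Python rejects duplicate group names, so a repeated field (dash1) gets a suffix."""
    out, pos, seen = [], 0, {}
    for m in re.finditer(r"%\{(\w+)(?::(\w+))?\}", pattern):
        out.append(re.escape(pattern[pos:m.start()]))
        name, field = m.groups()
        if field is None:
            out.append(f"(?:{GROK_BASE[name]})")
        else:
            seen[field] = seen.get(field, 0) + 1
            key = field if seen[field] == 1 else f"{field}_{seen[field]}"
            out.append(f"(?P<{key}>{GROK_BASE[name]})")
        pos = m.end()
    out.append(re.escape(pattern[pos:]))
    return re.compile("".join(out))

COMPILED = [grok_to_regex(f) for f in FILTERS]
def parse_ids_event(line):
    """Fields captured by the first filter matching from the start of the line, else None."""
    matches = (rx.match(line) for rx in COMPILED)
    m = next((m for m in matches if m), None)
    return {k: v.strip() for k, v in m.groupdict().items()} if m else None
# Sample input: the igesyslog line quoted in the thread, plus a PCAP-shaped copy of it.
SYSLOG_LINE = ("<134>1 2017-05-19T10:16:24.721156+02:00 192.168.10.1 - - - 1495181784.703443386 FW01 "
               "security_event ids_alerted signature=1:39867:3 priority=3 timestamp=1495181783.871463 "
               "shost=F0:DE:F1:80:EE:2E direction=egress protocol=udp/ip src=192.168.10.29:50165 "
               "dst=192.168.1.204:53 message: INDICATOR-COMPROMISE Suspicious .tk dns query")
PCAP_LINE = "1 " + SYSLOG_LINE.split(" - - - ", 1)[1]  # same event without the RFC 5424 header
```

Both lines parse, which is consistent with the grok filters themselves being sound and the dictionary being where the problem lay.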

Occasional Contributor II

Re: No matches against new Ingress Event dictionary

Ciao,

Do you have some news? I've the same problem trying to do a new Ingress Event dictionary.

Thanks

MPM
New Contributor

Re: No matches against new Ingress Event dictionary

Hi ipagliani,

It seems that a working/matching grok filter isn't the only thing to consider in an Ingress Event dictionary... I've created a TAC case in the end and they came up with the attached solution/Ingress event dictionary. This one works.

Moderator

Re: No matches against new Ingress Event dictionary

Which firewall vendor is this for?


Best Regards
-d

ClearPass Product Manager

New Contributor

Re: No matches against new Ingress Event dictionary

This was used for the Meraki MX Firewall.
