Hi All,
On the CPPM I've been trying to filter out some FW Syslog events.
This is the syslog entry found in /var/avenda/tips/log/igesyslog/igesyslog.log:
<134>1 2017-05-19T10:16:24.721156+02:00 192.168.10.1 - - - 1495181784.703443386 FW01 security_event ids_alerted signature=1:39867:3 priority=3 timestamp=1495181783.871463 shost=F0:DE:F1:80:EE:2E direction=egress protocol=udp/ip src=192.168.10.29:50165 dst=192.168.1.204:53 message: INDICATOR-COMPROMISE Suspicious .tk dns query
Though when looking in the actual syslog PCAP I see the following:
1 1495179161.921631238 FW01 security_event ids_alerted signature=1:39867:3 priority=3 timestamp=1495179160.951639 shost=F0:DE:F1:80:EE:2E direction=egress protocol=udp/ip src=192.168.10.29:63354 dst=192.168.1.204:53 message: INDICATOR-COMPROMISE Suspicious .tk dns query
I started off with the second entry with no luck, so I've made a grok filter for the first one as well:
I've verified the filters with this tool: http://grokconstructor.appspot.com/do/match
1.
%{DATA:identifier}%{NUMBER:deny_action1} %{TIMESTAMP_ISO8601:datum} %{IP:gatewayip} %{DATA:dash1} %{DATA:dash1} %{DATA:dash1} %{NUMBER:timestamp_fw} %{WORD:appliancename} %{WORD:type} %{WORD:IDS_Event} signature=%{DATA:signature} priority=%{NUMBER:priority} %{DATA:timestamp} shost=%{DATA:host_mac_src} direction=%{DATA:direction} protocol=%{DATA:protocol} src=%{IP:host_ip_src}:%{DATA:port_src} dst=%{IP:host_ip_dst}:%{DATA:port_dst} message:%{GREEDYDATA:syslog_message}
2.
%{NUMBER:deny_action1} %{NUMBER:timestamp_cppm} %{WORD:appliancename} %{WORD:type} %{WORD:IDS_Event} signature=%{DATA:signature} priority=%{NUMBER:priority} %{DATA:timestamp} shost=%{DATA:host_mac_src} direction=%{DATA:direction} protocol=%{DATA:protocol} src=%{IP:host_ip_src}:%{DATA:port_src} dst=%{IP:host_ip_dst}:%{DATA:port_dst} message:%{GREEDYDATA:syslog_message}
I've attached both XML Ingress Event Dictionaries and the output of a tail -F /var/avenda/tips/log/async-netd/ingressproc.log for an event.
Could somebody point me in the right direction? Thanks!
Regards,
Mitchell
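Added example, not part of Mitchell's post or of ClearPass itself: a Python parser equivalent to the two grok patterns above, merged into one regex with an optional RFC 5424 header so the same code handles both the igesyslog.log form and the raw PCAP form. Capture names follow the grok fields; the optional-header handling, the ip:port split and the sample lines (copied from the post) are assumptions made here.

```python
import re

# Constructed samples: the two formats quoted in the post (RFC 5424 framed and raw).
RFC5424_LINE = ('<134>1 2017-05-19T10:16:24.721156+02:00 192.168.10.1 - - - '
                '1495181784.703443386 FW01 security_event ids_alerted signature=1:39867:3 '
                'priority=3 timestamp=1495181783.871463 shost=F0:DE:F1:80:EE:2E direction=egress '
                'protocol=udp/ip src=192.168.10.29:50165 dst=192.168.1.204:53 '
                'message: INDICATOR-COMPROMISE Suspicious .tk dns query')
RAW_LINE = ('1 1495179161.921631238 FW01 security_event ids_alerted signature=1:39867:3 '
            'priority=3 timestamp=1495179160.951639 shost=F0:DE:F1:80:EE:2E direction=egress '
            'protocol=udp/ip src=192.168.10.29:63354 dst=192.168.1.204:53 '
            'message: INDICATOR-COMPROMISE Suspicious .tk dns query')

# Optional RFC 5424 header (<PRI>VERSION TIMESTAMP HOSTNAME APP PROCID MSGID), an optional
# leading version digit (raw form), then the firewall payload as key=value pairs.
SYSLOG_RE = re.compile(
    r'^(?:<(?P<pri>\d+)>(?P<version>\d+)\s+(?P<datum>\S+)\s+(?P<gatewayip>\S+)\s+'
    r'\S+\s+\S+\s+\S+\s+)?'
    r'(?:(?P<deny_action1>\d+)\s+)?'
    r'(?P<timestamp_fw>\d+\.\d+)\s+(?P<appliancename>\S+)\s+(?P<type>\S+)\s+'
    r'(?P<ids_event>\S+)\s+'
    r'(?P<kv>(?:\S+=\S+\s+)+)message:\s*(?P<syslog_message>.*)$'
)


def parse_ids_event(line):
    """Return a dict of fields for one ids_alerted line, or None if it does not match."""
    m = SYSLOG_RE.match(line.rstrip('\r\n'))
    if not m:
        return None
    fields = {k: v for k, v in m.groupdict().items() if k != 'kv' and v is not None}
    # Split the key=value block (signature, priority, timestamp, shost, ...) into fields.
    for token in m.group('kv').split():
        key, _, value = token.partition('=')
        fields[key] = value
    # src/dst carry ip:port; expose them under the grok names used in the post.
    for side in ('src', 'dst'):
        if side in fields:
            ip, _, port = fields[side].rpartition(':')
            fields[f'host_ip_{side}'] = ip
            fields[f'port_{side}'] = int(port)
    if 'priority' in fields:
        fields['priority'] = int(fields['priority'])
    return fields
```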