Showing 6 changed files with 87 additions and 1 deletion.
1 change: 1 addition & 0 deletions doc/rule_ids.txt
@@ -31,6 +31,7 @@
3400 - 3499 vsftpd
3500 - 3599 Pam unix
3600 - 3699 Telnetd
3700 - 3799 Netscreen Firewall
4000 - 4999 IDS rules
5000 - 5999 Squid rules
6000 - 6199 Postfix rules
36 changes: 36 additions & 0 deletions etc/decoder.xml
@@ -424,6 +424,42 @@
</decoder>


<!-- Netscreen Firewall decoder.
- Will extract the action,srcip,dstip,protocol,srcport,dstport
- Examples:
- Jan 1 10:02:11 [11.210.1.193.1.132] ns5gt: NetScreen device_id=ns5gt [No Name]system-notification-00257(traffic): start_time="2006-01-01 10:09:38" duration=0 policy_id=310101 service=tcp/port:1526 proto=6 src zone=Null dst zone=self action=Deny sent=0 rcvd=38 src=10.1.2.3 dst=10.1.1.1 src_port=51350 dst_port=1426
- <13>Mar 16 15:27:56 192.168.2.1 ns5gt: NetScreen device_id=ns5gt [No Name]system-notification-00257(traffic): start_time=\"2004-03-16 16:31:22\" duration=0 policy_id=310001 service=tcp/port:120 proto=6 src zone=Null dst zone=self action=Deny sent=0 rcvd=60 src=10.1.1.1 dst=10.1.2.1 src_port=32047 dst_port=22
- Jun 2 11:24:16 fire00 sav00: NetScreen device_id=sav00 [Root]system-critical-00436: Large ICMP packet! From 210.232.20.7 to 148.100.114.126, proto 1 (zone Untrust, int ethernet1/2). Occurred 1 times. (2006-06-02 11:24:16)
- NetScreen device_id=ns5gt [Root]system-critical-00027: Multiple login failures occurred for user netscreen from IP address 1.2.3.4:1567 (2004-10-07)
-->

<decoder name="netscreenfw">
<prematch>^\w+: NetScreen device_id</prematch>
</decoder>

<decoder name="netscreen-traffic">
<parent>netscreenfw</parent>
<type>firewall</type>
<prematch>system-notification-00257(traffic): </prematch>
<regex> proto=(\w+) \.+ action=(\w+) \.+ src=(\S+) </regex>
<regex>dst=(\S+) src_port=(\d+) dst_port=(\d+)</regex>
<order>protocol, action, srcip, dstip, srcport, dstport</order>
</decoder>

<decoder name="netscreen-critical">
<parent>netscreenfw</parent>
<prematch>system-critical-\.+ from </prematch>
<regex>system-(\w+)-(\d+): \.+ from\.+(\d+.\d+\d+\d+)</regex>
<order>action, id, srcip</order>
</decoder>

<decoder name="netscreen-admin">
<parent>netscreenfw</parent>
<regex>]system-(\w+)-(\d+):</regex>
<order>action, id</order>
</decoder>


<!-- Snort decoder.
- Will extract the id, srcip and dstip
- Examples:
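Review bot: The srcip capture in the netscreen-critical regex, `(\d+.\d+\d+\d+)`, has no separator between its last three digit groups, so `\d+\d+\d+` only consumes a single run of digits and the pattern cannot match the dotted-quad addresses in the examples above it (`from IP address 1.2.3.4:1567`); if an IPv4 address is intended it should read `(\d+.\d+.\d+.\d+)`. This matters beyond the decoder: rule 3704 in etc/rules/netscreenfw_rules.xml correlates critical messages with `<same_source_ip />`, so a srcip that is never (or only partially) extracted silently disables that repeated-login-failure detection while the level-5 single-event rule still fires. Running the decoder against the example lines in the comment block would have caught this, and the critical example with `From 210.232.20.7 to` (capital F) is also worth checking against the lower-case `from` in the prematch if the engine is case-sensitive.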
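--- a/etc/rules/netscreenfw_rules.xml
+++ b/etc/rules/netscreenfw_rules.xml
@@ -0,0 +1,42 @@
+<!-- Netscreen fw rules for the OSSEC HIDS
+- Author: Ahmet Ozturk
+- Date: Dec 02, 2005
+-->
+
+
+<group name="netscreenfw,syslog">
+<rule id="3700" level="0">
+<match>netscreenfw</match>
+<description>Grouping for the Netscreen Firewall rules</description>
+</rule>
+
+<rule id="3701" level="3">
+<if_sid>3700</if_sid>
+<action>^notification$</action>
+<description>Netscreen notification message.</description>
+</rule>
+
+<rule id="3702" level="4">
+<if_sid>3700</if_sid>
+<action>^warning$</action>
+<description>Netscreen warning message.</description>
+</rule>
+
+<rule id="3703" level="5">
+<if_sid>3700</if_sid>
+<action>^critical$</action>
+<description>Netscreen critical message.</description>
+</rule>
+
+<rule id="3704" level="10" frequency="4" timeframe="120" ignore="60">
+<if_matched_sid>3703</if_matched_sid>
+<same_source_ip />
+<description>Multiple Netscreen critical messages from </description>
+<description>same source IP.</description>
+</rule>
+
+<rule id="3705" level="10" frequency="8" timeframe="120" ignore="60">
+<if_matched_sid>3703</if_matched_sid>
+<description>Multiple Netscreen critical messages.</description>
+</rule>
+</group> <!-- SYSLOG,NETSCREENFW -->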
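Review bot: The `<action>` values `notification`, `warning` and `critical` tested by rules 3701-3703 are the severity token that the netscreen-admin and netscreen-critical decoders in etc/decoder.xml capture from `system-<severity>-<id>` and publish under the field name `action`, while the netscreen-traffic decoder publishes the traffic verdict (`Deny`/`Permit`) under the same name; nothing in this file records that, so a reader would presumably expect these rules to classify traffic. A line in the header comment such as `- 'action' below is the severity token from system-<severity>-<id> (netscreen-admin/netscreen-critical decoders), not the traffic action; traffic events are handled by firewall_rules.xml via <type>firewall</type>` would make the coupling explicit and keep a future decoder field rename from silently turning 3701-3705 into dead rules. It would also help to state next to rule 3704 that `<same_source_ip />` depends on the decoder's srcip capture, since the rule degrades silently rather than failing when that field is absent.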
1 change: 1 addition & 0 deletions etc/templates/config/rules.template
@@ -15,6 +15,7 @@
<include>ids_rules.xml</include>
<include>squid_rules.xml</include>
<include>firewall_rules.xml</include>
<include>netscreenfw_rules.xml</include>
<include>postfix_rules.xml</include>
<include>sendmail_rules.xml</include>
<include>imapd_rules.xml</include>
6 changes: 6 additions & 0 deletions src/analysisd/decoders/decoder.c
@@ -86,6 +86,12 @@ void DecodeEvent(Eventinfo *lf)
{
lf->log_tag = nnode->name;
}

/* Setting the type */
if(nnode->type)
{
lf->type = nnode->type;
}
break;
}
}
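Review bot: `lf->type = nnode->type;` stores a pointer into the decoder node rather than a copy, exactly like the `lf->log_tag = nnode->name;` assignment just above it, so the event's type string is only valid while the decoder tree lives and must not be freed together with the event; the hunk says nothing about which ownership is intended. Replacing the what-comment `/* Setting the type */` with `/* Borrow the decoder's type string; lf->type is not owned by the event and must not be freed with it */` would record that contract, on the assumption, suggested by the existing log_tag handling, that the event cleanup path does not free these fields; that is worth confirming against the code that releases an Eventinfo. DecodeEvent begins outside the hunk.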
2 changes: 1 addition & 1 deletion src/os_maild/sendmail.c
@@ -209,7 +209,7 @@ int OS_Sendmail(MailConfig *mail, struct tm *p)

/* Sending date */
memset(snd_msg,'\0',128);
strftime(snd_msg, 127, "Date: %a, %d %b %Y %T %z\r\n",p);
strftime(snd_msg, 127, "Date: %a, %d %b %Y %T %Z\r\n",p);
OS_SendTCP(socket,snd_msg);
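Review bot: Switching the Date header's zone from `%z` to `%Z` makes the header non-compliant: RFC 2822 section 3.3 requires a numeric `+hhmm` offset, whereas `%Z` prints the implementation's zone abbreviation (or an empty string where none is known), which receivers accept only as obsolete syntax and which is ambiguous because several zones share an abbreviation such as `CST`. If the motivation is that some target platform's strftime lacks `%z` (it is C99/POSIX), that reason belongs in a comment on the line, e.g. `/* %Z instead of %z: <reason> */`, with the fallback ideally limited to that platform by `#ifdef` so compliant platforms keep the numeric offset. Separately, the return value of `strftime` is unchecked; it returns 0 when the 127-byte limit is exceeded and the buffer contents are then unspecified, so the subsequent `OS_SendTCP` could send garbage. OS_Sendmail begins and ends outside the hunk.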

