Cisco logs match syslog rules #379

Open
Lopuiz opened this issue May 6, 2019 · 1 comment
Labels: bug, rules (Rules related issues)

Comments
Lopuiz (Contributor) commented May 6, 2019

Hi team,

This Cisco log should match rule 4715.

Apr 30 15:10:58: %DOT1X-5-FAIL: Authentication failed for client (Unknown MAC) on Interface Fa0/3 AuditSessionID

**Phase 1: Completed pre-decoding.
       full event: 'Apr 30 15:10:58: %DOT1X-5-FAIL: Authentication failed for client (Unknown MAC) on Interface Fa0/3 AuditSessionID'
       timestamp: '(null)'
       hostname: 'lopezziur-S551LN'
       program_name: '(null)'
       log: 'Apr 30 15:10:58: %DOT1X-5-FAIL: Authentication failed for client (Unknown MAC) on Interface Fa0/3 AuditSessionID'

**Phase 2: Completed decoding.
       decoder: 'cisco-ios'
       id: '%DOT1X-5-FAIL'

**Phase 3: Completed filtering (rules).
       Rule id: '4715'
       Level: '6'
       Description: 'Cisco IOS notification message.'
**Alert to be generated.

This event is communicated from the agent by syslog, and its full log (from archives.log) is `2019 May 06 09:28:12 vm-ubuntu16->10.0.0.16 May 6 07:28:11 vm-ubuntu16 fortinet Apr 30 15:10:58: %DOT1X-5-FAIL: Authentication failed for client (Unknown MAC) on Interface Fa0/3 AuditSessionID`.
This log matches rule 2501, not 4715.

2019 May 06 09:28:12 vm-ubuntu16->10.0.0.16 May  6 07:28:11 vm-ubuntu16 fortinet Apr 30 15:10:58: %DOT1X-5-FAIL: Authentication failed for client (Unknown MAC) on Interface Fa0/3 AuditSessionID


**Phase 1: Completed pre-decoding.
       full event: '2019 May 06 09:28:12 vm-ubuntu16->10.0.0.16 May  6 07:28:11 vm-ubuntu16 fortinet Apr 30 15:10:58: %DOT1X-5-FAIL: Authentication failed for client (Unknown MAC) on Interface Fa0/3 AuditSessionID'
       timestamp: '2019 May 06 09:28:12'
       hostname: 'lopezziur-S551LN'
       program_name: '(null)'
       log: 'vm-ubuntu16->10.0.0.16 May  6 07:28:11 vm-ubuntu16 fortinet Apr 30 15:10:58: %DOT1X-5-FAIL: Authentication failed for client (Unknown MAC) on Interface Fa0/3 AuditSessionID'

**Phase 2: Completed decoding.
       No decoder matched.

**Phase 3: Completed filtering (rules).
       Rule id: '2501'
       Level: '5'
       Description: 'syslog: User authentication failure.'
**Alert to be generated.
@Lopuiz Lopuiz added bug rules Rules related issues labels May 6, 2019
Lopuiz (Contributor, Author) commented May 6, 2019

We have to create new decoders that match the full log.
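To illustrate why the relayed event falls through to the generic syslog rule, here is an added Python sketch (not the project's decoder XML, and not code from the issue): a prematch modelled on the cisco-ios decoder that requires the log to start with the IOS timestamp and `%FACILITY-SEVERITY-MNEMONIC` tag, and a second pass that strips the syslog relay header first. Both regular expressions and the sample lines are assumptions constructed from the two events quoted above.

```python
import re
from typing import Optional

# Constructed samples, taken from the two logtest runs in this issue:
# DIRECT  - the message as the switch emits it.
# RELAYED - the same message after syslog forwarding, which prepends
#           "<relay-host>-><ip> <timestamp> <host> <program> " to it.
DIRECT = ("Apr 30 15:10:58: %DOT1X-5-FAIL: Authentication failed for client "
          "(Unknown MAC) on Interface Fa0/3 AuditSessionID")
RELAYED = ("vm-ubuntu16->10.0.0.16 May  6 07:28:11 vm-ubuntu16 fortinet " + DIRECT)

# Hypothetical prematch modelled on the cisco-ios decoder: the log must START
# with "<Mon> <d> <HH:MM:SS>: %<FACILITY>-<SEVERITY>-<MNEMONIC>:".
CISCO_IOS_PREMATCH = re.compile(
    r"^\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}: %(\w+-\d-\w+):")

# Hypothetical relay header, modelled on the archives.log line in the issue:
# "<host>-><ip> <Mon> <d> <HH:MM:SS> <host> <program> ".
RELAY_HEADER = re.compile(
    r"^\S+->\d{1,3}(?:\.\d{1,3}){3} \w{3} +\d{1,2} \d{2}:\d{2}:\d{2} \S+ \S+ ")


def decode_cisco_ios(log: str) -> Optional[dict]:
    """Return decoded Cisco IOS fields, or None when the prematch fails
    (which is what happens to the relayed event: 'No decoder matched')."""
    m = CISCO_IOS_PREMATCH.match(log)
    if not m:
        return None
    facility, severity, mnemonic = m.group(1).split("-")
    return {
        "decoder": "cisco-ios",
        "id": "%" + m.group(1),          # e.g. %DOT1X-5-FAIL
        "facility": facility,
        "severity": int(severity),       # IOS severity 0-7
        "mnemonic": mnemonic,
    }


def decode_with_relay(log: str) -> Optional[dict]:
    """Strip the relay header (if present) before applying the cisco-ios
    prematch, so relayed events decode the same way as direct ones."""
    stripped = RELAY_HEADER.sub("", log, count=1)
    result = decode_cisco_ios(stripped)
    if result is not None:
        result["relayed"] = stripped != log
    return result
```

Run against the constructed samples, `decode_cisco_ios` matches only the direct line, while `decode_with_relay` decodes both and flags the relayed one.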
