Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Add decoder for UFW logs #649

Open
wants to merge 1 commit into
base: master
Choose a base branch
from
Open

Add decoder for UFW logs #649

wants to merge 1 commit into from

Conversation

danimegar
Copy link
Contributor

@danimegar danimegar commented May 12, 2020

Description

The UFW logs have the following format and there is no decoder that matches the logs:

Nov 18 13:39:49 UFW kernel: [10051.313745] [UFW BLOCK] IN=eth0 OUT= MAC=c2:56:27:73:33:cf:c4:f0:81:b0:93:24:08:00 SRC=205.205.205.205 DST=192.168.8.100 LEN=44 TOS=0x00 PREC=0x00 TTL=128 ID=43131 PROTO=UDP SPT=40952 DPT=23 LEN=194
Nov 18 13:39:49 UFW kernel: [10051.313745] [UFW BLOCK] IN=eth0 OUT= MAC=01:00:5e:00:00:01:00:17:08:ae:7a:40:08:00 SRC=205.205.205.205 DST=192.168.8.100 LEN=44 TOS=0x00 PREC=0x00 TTL=1 ID=4949 PROTO=2

For that reason, I have created the UFW decoder.

Tests

UFW tests

/var/ossec/bin/ossec-logtest
Nov 18 13:39:49 UFW kernel: [10051.313745] [UFW BLOCK] IN=eth0 OUT= MAC=c2:56:27:73:33:cf:c4:f0:81:b0:93:24:08:00 SRC=205.205.205.205 DST=192.168.8.100 LEN=44 TOS=0x00 PREC=0x00 TTL=128 ID=43131 PROTO=UDP SPT=40952 DPT=23 LEN=194

**Phase 1: Completed pre-decoding.
full event: 'Nov 18 13:39:49 UFW kernel: [10051.313745] [UFW BLOCK] IN=eth0 OUT= MAC=c2:56:27:73:33:cf:c4:f0:81:b0:93:24:08:00 SRC=205.205.205.205 DST=192.168.8.100 LEN=44 TOS=0x00 PREC=0x00 TTL=128 ID=43131 PROTO=UDP SPT=40952 DPT=23 LEN=194'
timestamp: 'Nov 18 13:39:49'
hostname: 'UFW'
program_name: 'kernel'
log: '[10051.313745] [UFW BLOCK] IN=eth0 OUT= MAC=c2:56:27:73:33:cf:c4:f0:81:b0:93:24:08:00 SRC=205.205.205.205 DST=192.168.8.100 LEN=44 TOS=0x00 PREC=0x00 TTL=128 ID=43131 PROTO=UDP SPT=40952 DPT=23 LEN=194'

**Phase 2: Completed decoding.
decoder: 'kernel'
action: 'BLOCK'
srcip: '205.205.205.205'
dstip: '192.168.8.100'
protocol: 'UDP'
srcport: '40952'
dstport: '23'

**Phase 3: Completed filtering (rules).
Rule id: '4100'
Level: '0'
Description: 'Firewall rules grouped.'

/var/ossec/bin/ossec-logtest
Nov 18 13:39:49 UFW kernel: [10051.313745] [UFW BLOCK] IN=eth0 OUT= MAC=01:00:5e:00:00:01:00:17:08:ae:7a:40:08:00 SRC=205.205.205.205 DST=192.168.8.100 LEN=44 TOS=0x00 PREC=0x00 TTL=1 ID=4949 PROTO=2

**Phase 1: Completed pre-decoding.
full event: 'Nov 18 13:39:49 UFW kernel: [10051.313745] [UFW BLOCK] IN=eth0 OUT= MAC=01:00:5e:00:00:01:00:17:08:ae:7a:40:08:00 SRC=205.205.205.205 DST=192.168.8.100 LEN=44 TOS=0x00 PREC=0x00 TTL=1 ID=4949 PROTO=2'
timestamp: 'Nov 18 13:39:49'
hostname: 'UFW'
program_name: 'kernel'
log: '[10051.313745] [UFW BLOCK] IN=eth0 OUT= MAC=01:00:5e:00:00:01:00:17:08:ae:7a:40:08:00 SRC=205.205.205.205 DST=192.168.8.100 LEN=44 TOS=0x00 PREC=0x00 TTL=1 ID=4949 PROTO=2'

**Phase 2: Completed decoding.
decoder: 'kernel'
action: 'BLOCK'
srcip: '205.205.205.205'
dstip: '192.168.8.100'
protocol: '2'

**Phase 3: Completed filtering (rules).
Rule id: '4100'
Level: '0'
Description: 'Firewall rules grouped.'

OpenWRT test

/var/ossec/bin/ossec-logtest
Nov 18 13:39:49 OpenWRT kernel: [10051.313745] DROP(src wan)IN=eth0 OUT= MAC=c2:56:27:73:33:cf:c4:f0:81:b0:93:24:08:00 SRC=205.205.205.205 DST=192.168.8.100 LEN=44 TOS=0x00 PREC=0x00 TTL=31 ID=8549 PROTO=TCP SPT=40952 DPT=23 WINDOW=64144 RES=0x00 SYN URGP=0 MARK=0xff00

**Phase 1: Completed pre-decoding.
full event: 'Nov 18 13:39:49 OpenWRT kernel: [10051.313745] DROP(src wan)IN=eth0 OUT= MAC=c2:56:27:73:33:cf:c4:f0:81:b0:93:24:08:00 SRC=205.205.205.205 DST=192.168.8.100 LEN=44 TOS=0x00 PREC=0x00 TTL=31 ID=8549 PROTO=TCP SPT=40952 DPT=23 WINDOW=64144 RES=0x00 SYN URGP=0 MARK=0xff00'
timestamp: 'Nov 18 13:39:49'
hostname: 'OpenWRT'
program_name: 'kernel'
log: '[10051.313745] DROP(src wan)IN=eth0 OUT= MAC=c2:56:27:73:33:cf:c4:f0:81:b0:93:24:08:00 SRC=205.205.205.205 DST=192.168.8.100 LEN=44 TOS=0x00 PREC=0x00 TTL=31 ID=8549 PROTO=TCP SPT=40952 DPT=23 WINDOW=64144 RES=0x00 SYN URGP=0 MARK=0xff00'

**Phase 2: Completed decoding.
decoder: 'kernel'
action: 'DROP'
srcip: '205.205.205.205'
dstip: '192.168.8.100'
protocol: 'TCP'
srcport: '40952'
dstport: '23'

**Phase 3: Completed filtering (rules).
Rule id: '4101'
Level: '5'
Description: 'Firewall drop event.'

Runtests

runtests.py was run and no error found related to this PR.

@vikman90 vikman90 changed the base branch from 3.13 to develop July 31, 2020 12:04
@vikman90 vikman90 changed the base branch from develop to master September 25, 2020 08:16
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Development

Successfully merging this pull request may close these issues.

2 participants