Cisco Accesslog and firewall rules doesn't match #208

Closed
migruiz4 opened this issue Oct 9, 2018 · 2 comments
Labels: operations, threatintel (Threat Intelligence)
migruiz4 (Contributor) commented Oct 9, 2018

Hi team,
while testing some rules, I noticed the decoder cisco-ios-acl can't trigger the firewall drop alerts.

This is a sample of cisco-acl log:

3924923: *Oct  6 03:32:04.114 gmt: %SEC-6-IPACCESSLOGP: list bcv_out denied tcp 10.0.3.100(50150) -> 192.168.216.1(443), 1 packet 

Actually it is matching rule 4100:

<group name="firewall,">
<rule id="4100" level="0">
<category>firewall</category>
<description>Firewall rules grouped.</description>
</rule>

And I think this should trigger the drop alert, because Cisco devices don't have the ACCEPT, REJECT, DROP actions.
Instead, they have "deny" and "permit".
So the equivalent to DROP would be "deny", and it doesn't match the rule:

<!-- We don't log firewall events, because they go
- to their own log file.
-->
<rule id="4101" level="5">
<if_sid>4100</if_sid>
<action>DROP</action>
<options>no_log</options>
<description>Firewall drop event.</description>
<group>firewall_drop,pci_dss_1.4,gpg13_4.12,gdpr_IV_35.7.d,</group>
</rule>

Best regards,
Miguel
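An added example, not from the Wazuh rule set or the issue author: a small Python decoder for the %SEC-6-IPACCESSLOGP format quoted above that maps Cisco's denied/permitted verdicts onto the DROP/ACCEPT actions the 4101-style rules key on, so the "denied" line would trip a drop rule. The field names, the verdict-to-action mapping and the second (permitted) sample line are assumptions.

```python
import re

# Constructed samples: the first is the line quoted in the issue, the second is
# a constructed "permitted" counterpart in the same format.
SAMPLE_LOGS = [
    "3924923: *Oct  6 03:32:04.114 gmt: %SEC-6-IPACCESSLOGP: list bcv_out denied "
    "tcp 10.0.3.100(50150) -> 192.168.216.1(443), 1 packet ",
    "3924924: *Oct  6 03:32:05.002 gmt: %SEC-6-IPACCESSLOGP: list bcv_out permitted "
    "udp 10.0.3.7(5353) -> 224.0.0.251(5353), 3 packets",
]

# Fields of an IPACCESSLOGP message: ACL name, verdict, protocol, endpoints, count.
ACL_RE = re.compile(
    r"%SEC-6-IPACCESSLOGP: list (?P<acl>\S+) (?P<verdict>denied|permitted) "
    r"(?P<proto>\S+) (?P<srcip>[\d.]+)\((?P<srcport>\d+)\) -> "
    r"(?P<dstip>[\d.]+)\((?P<dstport>\d+)\), (?P<count>\d+) packets?"
)

# Hypothetical normalisation: Cisco verdict -> the generic firewall action that
# the grouped firewall rules compare against. The decoder discussed in the issue
# does not perform this mapping, which is why "denied" never equals DROP there.
VERDICT_TO_ACTION = {"denied": "DROP", "permitted": "ACCEPT"}


def decode_cisco_acl(line):
    """Return decoded fields for an IPACCESSLOGP line, or None for other lines."""
    match = ACL_RE.search(line)
    if match is None:
        return None
    fields = match.groupdict()
    fields["action"] = VERDICT_TO_ACTION[fields["verdict"]]
    return fields


def firewall_drop_fires(fields):
    """Mimic rule 4101: it fires only when the decoded action is exactly DROP."""
    return fields is not None and fields.get("action") == "DROP"


if __name__ == "__main__":
    for line in SAMPLE_LOGS:
        decoded = decode_cisco_acl(line)
        print(decoded["verdict"], "->", decoded["action"],
              "drop rule fires:", firewall_drop_fires(decoded))
```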

fabamatic commented
Sample log currently matches rule 4716 - Cisco IOS informational message - IPACCESSLOGP. A rule looking for the "denied" string may be added.

JavierBejMen (Member) commented

This will be handled in the outgoing cisco rework in https://github.com/wazuh/feed
