Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Fixes for PIX 6-308001 6-605005, and 6-605004 #1124

Open
wants to merge 3 commits into
base: master
Choose a base branch
from
Open

Fixes for PIX 6-308001 6-605005, and 6-605004 #1124

wants to merge 3 commits into from

Conversation

crlorentzen
Copy link
Contributor

@crlorentzen crlorentzen commented May 15, 2017
edited
Loading

Through further testing with PIX and ASA we have updated the decoder once more to support the current state of the ASA software.

It was noticed that in Cisco ASA as apposed to PIX. the username is not provided in 6-605004. We think this is a security enhancement Cisco made, if a user fails to log in it is possible that a password was improperly put into the username field and thus it shouldn't be logged. Cisco instead puts asterisks(*) in place for the user on 605004

The only way we could see to fix the decoder for this was to remove the username from being selected. Perhaps someone with a better understanding of OSSEC regex could create something better.

Some more example logs and their phase 2 output before the fix.
Examples are also in the comment section of the decoder.xml.

%ASA-6-308001: Console enable password incorrect for 3 tries (from ssh (remote 198.18.1.100))
**Phase 2: Completed decoding.
       decoder: 'pix'
       id: '6-308001'
       srcip: 'enable'


%ASA-6-605005: Login permitted from 198.18.1.100/47849 to outside:198.18.1.254/ssh for user "t@stuser123"
**Phase 2: Completed decoding.
       decoder: 'pix'
       id: '6-605004'
       action: 'denied'
       srcip: '198.18.1.100'
       srcport: '56332'
       dstuser: 't@stuser123'

%ASA-6-605004: Login denied from 198.18.1.100/56332 to outside:198.18.1.254/ssh for user "*****"

**Phase 2: Completed decoding.
       decoder: 'pix'

Log test output after the fix.

%ASA-6-308001: Console enable password incorrect for 3 tries (from ssh (remote 198.18.1.100))
**Phase 2: Completed decoding.
       decoder: 'pix'
       id: '6-308001'

%ASA-6-605005: Login permitted from 198.18.1.100/47849 to outside:198.18.1.254/ssh for user "us3rn@m3"
**Phase 2: Completed decoding.
       decoder: 'pix'
       id: '6-605005'
       action: 'permitted'
       srcip: '198.18.1.100'
       srcport: '47849'
       dstuser: 'us3rn@m3'

%ASA-6-605004: Login denied from 198.18.1.100/56332 to outside:198.18.1.254/ssh for user "*****" 
**Phase 2: Completed decoding.
       decoder: 'pix'
       id: '6-605004'
       action: 'denied'
       srcip: '198.18.1.100'
       srcport: '56332'

This change is Reviewable

@crlorentzen
Copy link
Contributor Author

If someone can help me figure out how to accept either word characters, or asterisks (*) between the quotes (") then I'd be happy to update the single rule to include username in all cases.

@ddpbsd
Copy link
Member

ddpbsd commented May 25, 2017

\S should allow any non-whitespace characters.

@crlorentzen
Copy link
Contributor Author

While that is true, it unfortunately then chomps the " characters and fails to match properly.

@ddpbsd
Copy link
Member

ddpbsd commented May 26, 2017

I've run into this before. Can't remember how I solved it off hand.

@Know1
Copy link

Know1 commented Jul 13, 2017
edited
Loading

Not sure if you ever figured it out but this piece of Regex maybe what you need
works for these test cases
"*****"
"us3rn@m3"
"Testuser123"

<regex offset="after_parent">^(\S+): Login (\S+) from (\S+)/(\d+) \.+user \"([aA-zZ0-9*@]+)\"</regex>

Can also add additional punctuation if required e.g. (Not sure what chars Pix/ASA will accept, but should test for all)
\"([aA-zZ0-9*@!?&#]+)\"

@Know1
Copy link

Know1 commented Jul 13, 2017
edited
Loading

Actually after further thinking about \S matches all non space so should work. Greediness should exclude the chomping of "
I plugged \S only into a regex tester with the above full strings and the snippet matched so I've gone back to the drawing board and come up with this that I tested against the following full strings

%ASA-6-605005: Login permitted from 198.18.1.100/47849 to outside:198.18.1.254/ssh for user "us3rn@m3"
%ASA-6-605005: Login permitted from 198.18.1.100/47849 to outside:198.18.1.254/ssh for user "t@stuser123"
%ASA-6-605004: Login denied from 198.18.1.100/56332 to outside:198.18.1.254/ssh for user "*****"

This piece of code breaks them out into $1, $2, $3, $4, $5
<regex offset="after_parent">^(\S+): Login (\S+) from (\S+)\/(\d+).*user \"(\S+)\"</regex>

@crlorentzen
Copy link
Contributor Author

@Know1 unfortunately OSSEC does not use perl compatible regex (PCRE) #199 So while a regex tester may indicate success, the only true test for OSSEC is to use the ossec-logtest tool which comes with the installation. I may have missued the term chomp, but the \S includes the quote (") character and doesn't work. Also OSSEC regex does not appear to support creating classes (e.g. [aA-zZ0-9*@]), although I haven't retested this in awhile, and my role on the ossec project at work is over, so I may not have time to retest.

@Jupnnn
Copy link

Jupnnn commented Nov 5, 2021

Actually after further thinking about \S matches all non space so should work. Greediness should exclude the chomping of " I plugged \S only into a regex tester with the above full strings and the snippet matched so I've gone back to the drawing board and come up with this that I tested against the following full strings

%ASA-6-605005: Login permitted from 198.18.1.100/47849 to outside:198.18.1.254/ssh for user "us3rn@m3" %ASA-6-605005: Login permitted from 198.18.1.100/47849 to outside:198.18.1.254/ssh for user "t@stuser123" %ASA-6-605004: Login denied from 198.18.1.100/56332 to outside:198.18.1.254/ssh for user "*****"

This piece of code breaks them out into $1, $2, $3, $4, $5 <regex offset="after_parent">^(\S+): Login (\S+) from (\S+)\/(\d+).*user \"(\S+)\"</regex>

Hello Sunshine

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@crlorentzen @ddpbsd @Know1 @Jupnnn