I rank OSSEC as one of my favorite pieces of open source software, and finally decided to play around with it more in my own free time. (Yup, I do this sort of stuff for fun). My goal was quite simple: send syslog packets from my Cisco to my "proxy" server, running OSSEC. I found that, although OSSEC supports Cisco IOS logging, it didn't really work. In fact, I couldn't find any examples or articles of anybody actually getting it to work.
I initially tried to get it to work "correctly," and soon settled to "just getting it to work." I implemented some rules in the local_rules.xml file, which worked, but I'm pretty stubborn, and wanted to do it "correctly." With a couple pots of tea, and the support of my girlfriend, I became much, much more familiar with OSSEC. The key (and a lot of credit) goes to Jeremy Melanson for hinting at some of the updates to the decoder.xml file that need to take place.
The first step is to read the OSSEC + Cisco IOS wiki page. Everything on that page is pretty straight forward. I then added three explicit drop rules at the end of my Cisco's ACL:
... access-list 101 deny tcp any host 220.244.xxx.xxx log access-list 101 deny ip any host 220.244.xxx.xxx log access-list 101 deny udp any host 220.244.xxx.xxx log
(220.244.xxx.xxx is my WAN IP, and I'm sure you could figure out xxx.xxx pretty darn easily, but I'll x them out anyways).
To reiterate, OSSEC needs to be told to listen for syslog traffic, which you should be set on the Cisco. If you haven't done this, go re-read the wiki above.
On or around line 1550 in /var/ossec/etc/decoder.xml I needed to update the regex that was used to detect the syslog stream.
^%\w+-\d-\w+: |^: %\w+-\d-\w+: ^%\w+-\d-\w+: |^: %\w+-\d-\w+: ... cisco-ios firewall ^%SEC-6-IPACCESSLOGP: |^: %SEC-6-IPACCESSLOGP: ^list \d+ (\w+) (\w+) (\S+)\((\d+)\) -> (\S+)\((\d+)\), action, protocol, srcip, srcport, dstip, dstport
In the general OSSEC configuration file, re-order the list of rules. I had to do this because syslog_rules.xml includes a search for "denied", and that triggers an alarm.
telnetd_rules.xml cisco-ios_rules.xml syslog_rules.xml arpwatch_rules.xml...
Remember that these dropped events will go into /var/ossec/logs/firewall/firewall.log. Because this is my home connection, and I don't have any active_responses configured (yet!), I tightened the firewall_rules.xml file (lowering the frequency, raising the timeframe).
And in the end, I get a pretty email when somebody tries to port scan me.
OSSEC HIDS Notification. 2008 Nov 15 23:19:36 Received From: proxy->xxx.xxx.xxx.xxx Rule: 4151 fired (level 10) -> "Multiple Firewall drop events from same source." Portion of the log(s): : %SEC-6-IPACCESSLOGP: list 101 denied tcp 184.108.40.206(36183) -> 220.244.xxx.xxx(244), 1 packet : %SEC-6-IPACCESSLOGP: list 101 denied tcp 220.127.116.11(36183) -> 220.244.xxx.xxx(253), 1 packet : %SEC-6-IPACCESSLOGP: list 101 denied tcp 18.104.22.168(36183) -> 220.244.xxx.xxx(243), 1 packet : %SEC-6-IPACCESSLOGP: list 101 denied tcp 22.214.171.124(36183) -> 220.244.xxx.xxx(254), 1 packet --END OF NOTIFICATION