I rank OSSEC as one of my favorite pieces of open source software, and finally decided to play around with it more in my own free time. (Yup, I do this sort of stuff for fun). My goal was quite simple: send syslog packets from my Cisco to my "proxy" server, running OSSEC. I found that, although OSSEC supports Cisco IOS logging, it didn't really work. In fact, I couldn't find any examples or articles of anybody actually getting it to work.
I initially tried to get it to work "correctly," and soon settled to "just getting it to work." I implemented some rules in the local_rules.xml file, which worked, but I'm pretty stubborn, and wanted to do it "correctly." With a couple pots of tea, and the support of my girlfriend, I became much, much more familiar with OSSEC. The key (and a lot of credit) goes to Jeremy Melanson for hinting at some of the updates to the decoder.xml file that need to take place.
The first step is to read the OSSEC + Cisco IOS wiki page. Everything on that page is pretty straightforward. I then added three explicit drop rules at the end of my Cisco's ACL:
...
access-list 101 deny tcp any host 220.244.xxx.xxx log
access-list 101 deny ip any host 220.244.xxx.xxx log
access-list 101 deny udp any host 220.244.xxx.xxx log
(220.244.xxx.xxx is my WAN IP, and I'm sure you could figure out xxx.xxx pretty darn easily, but I'll x them out anyways).
On or around line 1550 in /var/ossec/etc/decoder.xml I needed to update the regex that was used to detect the syslog stream. The excerpt below shows the relevant decoder entries with their XML tags stripped: the prematch pattern of the cisco-ios decoder, then, for the firewall child decoder, its parent, type, prematch, regex and order. The second alternative in each prematch (the part after the |) accepts the leading ": " with which the lines actually arrive, as you can see in the alert further down.
...
^%\w+-\d-\w+: |^: %\w+-\d-\w+:
^%\w+-\d-\w+: |^: %\w+-\d-\w+:
...
cisco-ios
firewall
^%SEC-6-IPACCESSLOGP: |^: %SEC-6-IPACCESSLOGP:
^list \d+ (\w+) (\w+) (\S+)\((\d+)\) -> (\S+)\((\d+)\),
action, protocol, srcip, srcport, dstip, dstport
In the general OSSEC configuration file (ossec.conf), re-order the list of included rule files so that cisco-ios_rules.xml comes before syslog_rules.xml. I had to do this because syslog_rules.xml includes a generic search for "denied", and that triggers an alarm before the Cisco-specific rules ever see the event.
...
telnetd_rules.xml
cisco-ios_rules.xml
syslog_rules.xml
arpwatch_rules.xml
...
Remember that these dropped events will go into /var/ossec/logs/firewall/firewall.log. Because this is my home connection, and I don't have any active responses configured (yet!), I tightened the firewall_rules.xml file (lowering the frequency, raising the timeframe) so that repeated drops from one source alert sooner.
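To check that the updated decoder pattern really accepts both line forms, and to see what "frequency within a timeframe" does to the drop records, here is a small Python model I wrote for this post. It is an added example, not OSSEC code and not the decoder itself: OSSEC has its own regex dialect, so the patterns below are an approximate translation into Python's re, and the sliding-window counter is a simplified stand-in for the rule engine's frequency/timeframe grouping. The four drop lines are the ones quoted in the alert e-mail further down (with the WAN IP still x'd out, which the pattern tolerates); the timestamps and the last two lines are constructed.

```python
import re
from collections import defaultdict

# Approximate Python translation of the cisco-ios firewall decoder from the
# post. The optional leading ": " is the alternative the post added so that
# lines arriving as ": %SEC-6-IPACCESSLOGP: ..." are still decoded.
PREMATCH = re.compile(r"^(?::\s)?%SEC-6-IPACCESSLOGP: ")
# Same capture order as the decoder's <order>, plus the ACL number, which the
# post's decoder matches (\d+) but does not capture.
FIELDS = re.compile(
    r"^list (\d+) (\w+) (\w+) (\S+)\((\d+)\) -> (\S+)\((\d+)\),"
)

# Constructed event list: (seconds since first event, raw syslog line).
# Lines 1-4 are copied from the alert quoted in the post; 5 and 6 are made up
# to exercise the no-colon form and a non-firewall IOS message.
SAMPLE_LOGS = [
    (0, ": %SEC-6-IPACCESSLOGP: list 101 denied tcp 4.79.142.206(36183) -> 220.244.xxx.xxx(244), 1 packet"),
    (1, ": %SEC-6-IPACCESSLOGP: list 101 denied tcp 4.79.142.206(36183) -> 220.244.xxx.xxx(253), 1 packet"),
    (2, ": %SEC-6-IPACCESSLOGP: list 101 denied tcp 4.79.142.206(36183) -> 220.244.xxx.xxx(243), 1 packet"),
    (3, ": %SEC-6-IPACCESSLOGP: list 101 denied tcp 4.79.142.206(36183) -> 220.244.xxx.xxx(254), 1 packet"),
    (4, "%SEC-6-IPACCESSLOGP: list 101 denied udp 10.0.0.5(53) -> 220.244.xxx.xxx(53), 1 packet"),
    (5, "%SYS-5-CONFIG_I: Configured from console by vty0"),
]


def decode(line):
    """Return the decoded fields for one syslog line, or None if the line is
    not an IPACCESSLOGP record (the prematch or the field regex fails)."""
    m = PREMATCH.match(line)
    if not m:
        return None
    f = FIELDS.match(line[m.end():])
    if not f:
        return None
    acl, action, proto, srcip, srcport, dstip, dstport = f.groups()
    return {
        "acl": acl,
        "action": action,
        "protocol": proto,
        "srcip": srcip,
        "srcport": int(srcport),
        "dstip": dstip,
        "dstport": int(dstport),
    }


def alerts(events, frequency, timeframe):
    """Simplified model of a frequency/timeframe rule grouped by srcip:
    report a source once it has `frequency` decoded drops inside any window
    of `timeframe` seconds. Lowering frequency or raising timeframe (what the
    post did in firewall_rules.xml) makes a source trip the rule sooner."""
    recent = defaultdict(list)   # srcip -> timestamps still inside the window
    fired = set()
    for t, line in events:
        ev = decode(line)
        if ev is None:
            continue
        times = recent[ev["srcip"]]
        times.append(t)
        while times and t - times[0] > timeframe:
            times.pop(0)         # expire events older than the window
        if len(times) >= frequency:
            fired.add(ev["srcip"])
    return fired


if __name__ == "__main__":
    for _, raw in SAMPLE_LOGS:
        print(decode(raw))
    print("sources over threshold:", alerts(SAMPLE_LOGS, frequency=4, timeframe=60))
```

Running it decodes the five drop records (including the one without the leading colon), ignores the CONFIG_I line, and reports 4.79.142.206 once its four drops fall inside the window; shrink the timeframe to two seconds and nothing fires, which is the knob the post turned the other way.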
And in the end, I get a pretty email when somebody tries to port scan me.
OSSEC HIDS Notification.
2008 Nov 15 23:19:36

Received From: proxy->xxx.xxx.xxx.xxx
Rule: 4151 fired (level 10) -> "Multiple Firewall drop events from same source."
Portion of the log(s):

: %SEC-6-IPACCESSLOGP: list 101 denied tcp 4.79.142.206(36183) -> 220.244.xxx.xxx(244), 1 packet
: %SEC-6-IPACCESSLOGP: list 101 denied tcp 4.79.142.206(36183) -> 220.244.xxx.xxx(253), 1 packet
: %SEC-6-IPACCESSLOGP: list 101 denied tcp 4.79.142.206(36183) -> 220.244.xxx.xxx(243), 1 packet
: %SEC-6-IPACCESSLOGP: list 101 denied tcp 4.79.142.206(36183) -> 220.244.xxx.xxx(254), 1 packet

--END OF NOTIFICATION

Upgrading Cisco Wireless Firmware
I'm always forgetting the exact string to enter at the CLI for updating the IOS on a wireless Cisco AP, so I'll just put it here to end my future searches:
Chimp# archive download-sw /force-reload /overwrite tftp://192.168.83.150/c1100-k9w7-tar.123-8.JEC1.tar
192.168.83.150 is obviously your TFTP server, with the .tar file sitting in the root of the TFTP server.
I suppose if you wanted to backup your IOS you could do something along the lines of:
Chimp# archive upload-sw tftp://192.168.83.150/someimage.tar
But I haven't tried it...
Slope Finder for the Missus

Since I do sysadminy stuff all day, I don't really get a chance to do much coding (or not as much of a chance as I would like). You can imagine my joy when my girlfriend expressed a problem she needed solved: "I'm going to need to solve 100s of slope equations, i.e. where two lines intersect. Can you write a program to do it?" Sure!
I asked if she wanted to do a batch input or just a one-off type of deal, she decided on the latter. Although I've done a fair bit of PyGTK stuff, I had never actually needed to convert it to Windows. I debated using IronPython -- but needed to use a special library to help solve the equations (I'm lazy).
So, where is the power in Python? After about 15-20m I had a console based app that could solve the slopes. I added the Linux GUI part in maybe 45m, and then the Windows part in, well, not 45m!
Either way, screenshots are below. Thanks girlfriend, I had fun!
I've lived in several different parts of the world, and they all do internet differently. Back in the US I had 8Mb/sec cable (leaving just before Fios was really an option, darn!). In New Zealand, for instance, I was paying for "high speed ADSL" rated at 1.5Mb/256k. Vrooom. Up in Taiwan I was paying half what I paid in New Zealand, but for 12Mb/1Mb. Down to Sydney and we have a rated 24Mb/1Mb.
But there's a catch with the plans in New Zealand and Australia: they are 'capped'. This means you only get XGB/month -- and it isn't like Comcast capping at 250GB/month, I'm talking about 1GB/5GB/10GB and so forth. And there's more -- just like mobile phones, you get on-peak and off-peak times.
This all does make a bit of sense to me -- there are only X amount of tubes going in and out of NZ and AU, and I would imagine they get pretty clogged.
Either way, last month was pretty painful. Two weeks into our plan I checked our usage: 14GB of 18GB! We had only 4GB left to use for 15 days. This sounds like a lot, but for the two of us, and my 10 virtual servers, it isn't. The first thing I did was to look for a way to do WSUS-style update caching with Linux; I ended up using apt-cacher (I'm using only Ubuntu at home). BitTorrent, out; downloading any new ISOs, out; streaming music, totally out. For a while I had to VPN to home, and then VPN to a client, as our router at work didn't seem to like letting us access one of our clients. I even disconnected from the VPN if I wouldn't be doing work for 20m!
We eventually made it, and used only 2GB in two weeks. What an accomplishment!
Oh, I forgot. My Cisco captures SNMP traffic and logs it to my 'monitoring server'. Below is the relevant graph.
VM Automatic Startup in Server 2
I think one of the most practical upgrades in VMware Server 2 is the ability to automatically turn on virtual machines in a staggered order. I have fond memories of turning on a server with 10 virtual machines, and when they all turn on at once, the hard disk grinds to a halt. This forced me to turn on the machines manually afterwards.
+1 VMware in my books.