
Untangle Plugin

pops106

I am having problems trying to get the Untangle plugin to give better results, so I can create directives or cross-correlation rules.

It appears the way the logs come in from Untangle has two "class:" events within the same syslog message, which I think is confusing OSSIM into thinking everything is event_id 9 when it should be event_id 4, for example.

The other issue is that the syslog coming in from Untangle uses the same event_id for a block or an allow, so event_id 4, for example, is used for both allow and block but with a statement of "true" or "false" within the message.

Also it

Here is an example of the message coming in from Untangle:

********************************

Sep  9 20:24:07 INFO  uvm[0]:  {"timeStamp":"2018-09-09 20:24:07.588","flagged":false,"application":"TCP","protochain":"/TCP","blocked":false,"confidence":0,"detail":"","state":0,"tag":"uvm[0]: ","class":"class com.untangle.app.application_control.ApplicationControlLogEvent","sessionEvent":{"entitled":true,"partitionTablePostfix":"_2018_09_09","protocol":6,"hostname":"192.168.2.110","CServerPort":443,"protocolName":"TCP","tag":"uvm[0]: ","serverLatitude":39.0481,"localAddr":"/192.168.2.110","class":"class com.untangle.uvm.app.SessionEvent","SServerAddr":"/54.83.144.140","remoteAddr":"/54.83.144.140","serverIntf":1,"CClientAddr":"/192.168.2.110","serverCountry":"US","sessionId":100626965133969,"SClientAddr":"/194.207.121.70","clientCountry":"XL","CClientPort":33922,"policyRuleId":0,"timeStamp":"2018-09-09 20:24:07.461","serverLongitude":-77.4728,"clientIntf":2,"policyId":1,"SClientPort":16257,"bypassed":false,"SServerPort":443,"CServerAddr":"/54.83.144.140","tagsString":""},"partitionTablePostfix":"_2018_09_09"}

**********************************

As you can see, it states "com.untangle.app.application_control.ApplicationControlLogEvent" as the event but then also states "com.untangle.uvm.app.SessionEvent" in the same event, which I think is confusing the OSSIM plugin for Untangle.

Plugin translation rules:

[translation]
# Rule 1
class com.untangle.node.firewall.FirewallEvent = 1
class com.untangle.node.virus_blocker.VirusHttpEvent = 2
class com.untangle.node.web_filter.WebFilterEvent = 3
class com.untangle.uvm.logging.InterfaceStatEvent = 4
class com.untangle.uvm.node.SessionEvent = 5
class com.untangle.uvm.node.SessionMinuteEvent = 6
class com.untangle.uvm.node.SessionNatEvent = 7
class com.untangle.uvm.node.SessionStatsEvent = 8
class com.untangle.uvm.app.SessionEvent = 9
class com.untangle.uvm.app.SessionStatsEvent = 12
class com.untangle.app.firewall.FirewallEvent = 13
class com.untangle.uvm.app.SessionMinuteEvent = 14
class com.untangle.app.application_control.ApplicationControlLogEvent = 15
class com.untangle.app.virus_blocker.VirusSmtpEvent = 16
class com.untangle.app.application_control.ApplicationControlLogEvent = 17
class com.untangle.app.virus_blocker.VirusHttpEvent = 19
class com.untangle.uvm.SettingsChangesEvent = 23
#   Default
_DEFAULT_ = 20000000


So the event should come in as event_id 15 but is coming in as event_id 9, which also means all the useful information is lost.

Even if the event_id came in as 15, the plugin/rules would still have to work out if it states "blocked:false" or "blocked:true".

I have posted the question on the Untangle forum as well; it would make it very easy if event_id 15 was blocked and event_id 16 was allowed.

Does the plugin require an update?


Cheers
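The message quoted above carries two `class ...` values, one at the top level and one inside the nested `sessionEvent` object, and a plugin regex with a greedy prefix such as `.*class (\S+)` backtracks to the last occurrence, which is the nested `SessionEvent`. The example below is added here and is not code from the post, the OSSIM plugin, or Untangle: it shows that behaviour next to a parser that splits the syslog header, decodes the JSON payload, takes only the top-level `class`, applies the translation table quoted in the post, and derives a separate allow/block action from the `blocked` flag. The sample line is the one from the post, joined onto one line; the `SAMPLE_BLOCKED` variant and the `ACTION_IDS` table (15 for blocked, 18 for allowed) are constructed for the example and are assumptions, not plugin values.

```python
import json
import re

# [translation] table as quoted in the post. The plugin file lists
# ApplicationControlLogEvent twice (15 and 17); the first value is used here.
TRANSLATION = {
    "com.untangle.node.firewall.FirewallEvent": 1,
    "com.untangle.node.virus_blocker.VirusHttpEvent": 2,
    "com.untangle.node.web_filter.WebFilterEvent": 3,
    "com.untangle.uvm.logging.InterfaceStatEvent": 4,
    "com.untangle.uvm.node.SessionEvent": 5,
    "com.untangle.uvm.node.SessionMinuteEvent": 6,
    "com.untangle.uvm.node.SessionNatEvent": 7,
    "com.untangle.uvm.node.SessionStatsEvent": 8,
    "com.untangle.uvm.app.SessionEvent": 9,
    "com.untangle.uvm.app.SessionStatsEvent": 12,
    "com.untangle.app.firewall.FirewallEvent": 13,
    "com.untangle.uvm.app.SessionMinuteEvent": 14,
    "com.untangle.app.application_control.ApplicationControlLogEvent": 15,
    "com.untangle.app.virus_blocker.VirusSmtpEvent": 16,
    "com.untangle.app.virus_blocker.VirusHttpEvent": 19,
    "com.untangle.uvm.SettingsChangesEvent": 23,
}
DEFAULT_ID = 20000000

# Hypothetical per-action ids (assumption for this example, not plugin values):
# a block keeps the class id, an allow gets a number unused in the table above.
APP_CONTROL = "com.untangle.app.application_control.ApplicationControlLogEvent"
ACTION_IDS = {(APP_CONTROL, True): 15, (APP_CONTROL, False): 18}

# Message from the post, re-joined onto a single syslog line.
SAMPLE = (
    'Sep  9 20:24:07 INFO  uvm[0]:  {"timeStamp":"2018-09-09 20:24:07.588",'
    '"flagged":false,"application":"TCP","protochain":"/TCP","blocked":false,'
    '"confidence":0,"detail":"","state":0,"tag":"uvm[0]: ",'
    '"class":"class com.untangle.app.application_control.ApplicationControlLogEvent",'
    '"sessionEvent":{"entitled":true,"partitionTablePostfix":"_2018_09_09",'
    '"protocol":6,"hostname":"192.168.2.110","CServerPort":443,"protocolName":"TCP",'
    '"tag":"uvm[0]: ","serverLatitude":39.0481,"localAddr":"/192.168.2.110",'
    '"class":"class com.untangle.uvm.app.SessionEvent","SServerAddr":"/54.83.144.140",'
    '"remoteAddr":"/54.83.144.140","serverIntf":1,"CClientAddr":"/192.168.2.110",'
    '"serverCountry":"US","sessionId":100626965133969,"SClientAddr":"/194.207.121.70",'
    '"clientCountry":"XL","CClientPort":33922,"policyRuleId":0,'
    '"timeStamp":"2018-09-09 20:24:07.461","serverLongitude":-77.4728,"clientIntf":2,'
    '"policyId":1,"SClientPort":16257,"bypassed":false,"SServerPort":443,'
    '"CServerAddr":"/54.83.144.140","tagsString":""},"partitionTablePostfix":"_2018_09_09"}'
)
# Constructed variant: same session, but flipped to a block by the app.
SAMPLE_BLOCKED = SAMPLE.replace('"blocked":false', '"blocked":true', 1)

SYSLOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s+\d\d:\d\d:\d\d)\s+INFO\s+uvm\[\d+\]:\s+(?P<json>\{.*\})\s*$"
)


def greedy_class(line):
    """What a regex with a greedy prefix sees: `.*` backtracks to the LAST
    'class ' in the line, i.e. the nested SessionEvent, not the top-level one."""
    m = re.match(r'.*class (\S+?)"', line)
    return m.group(1) if m else None


def strip_class_prefix(value):
    # Untangle writes the value as 'class com.untangle...'; drop the literal word.
    return value.split(" ", 1)[1] if value.startswith("class ") else value


def parse_event(line):
    """Split the syslog header, decode the JSON body and normalise the fields
    a correlation rule needs, keying on the top-level class only."""
    m = SYSLOG_RE.match(line)
    if not m:
        raise ValueError("not an Untangle uvm syslog line")
    event = json.loads(m.group("json"))
    cls = strip_class_prefix(event["class"])
    sess = event.get("sessionEvent", {})
    blocked = bool(event.get("blocked"))
    return {
        "timestamp": m.group("ts"),
        "class": cls,
        "nested_class": strip_class_prefix(sess.get("class", "")),
        "event_id": TRANSLATION.get(cls, DEFAULT_ID),
        "blocked": blocked,
        "action": "blocked" if blocked else "allowed",
        "flagged": bool(event.get("flagged")),
        "application": event.get("application"),
        "src_ip": sess.get("CClientAddr", "").lstrip("/"),
        "dst_ip": sess.get("CServerAddr", "").lstrip("/"),
        "dst_port": sess.get("CServerPort"),
    }


def action_event_id(parsed):
    """Distinct id per (class, blocked) pair; falls back to the class id."""
    return ACTION_IDS.get((parsed["class"], parsed["blocked"]), parsed["event_id"])


if __name__ == "__main__":
    print("greedy regex picks:", greedy_class(SAMPLE), "->", TRANSLATION[greedy_class(SAMPLE)])
    for line in (SAMPLE, SAMPLE_BLOCKED):
        p = parse_event(line)
        print(p["event_id"], p["action"], action_event_id(p), p["src_ip"], p["dst_ip"], p["dst_port"])
```

Run it as a script to see the greedy match resolve to `SessionEvent` (id 9) while the JSON parse resolves the same line to `ApplicationControlLogEvent` (id 15) and separates the allow from the block.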
