OSSEC adding allowed fields from decoders to rules description - ids

I am using OSSEC for HIDS.
I have created a custom decoder and extracted fields from the log like srcip, dstip and protocol.
Here is the log tested with ./ossec-logtest:
Sep 2 14:39:23 rana-HP-Notebook kernel: [21261.042146] [UFW BLOCK] IN=wlp19s0 OUT= MAC=cc:b0:da:66:20:c3:00:23:15:d4:dd:70:08:00 SRC=192.153.41.125 DST=192.153.41.12 LEN=40 TOS=0x00 PREC=0x00 TTL=64 ID=28858 PROTO=TCP SPT=2662 DPT=0 WINDOW=512 RES=0x00 URGP=0
The decoder written for the log is:
<decoder name="iptables-blockedip">
  <parent>iptables</parent>
  <prematch offset="after_parent">^\S+ [UFW BLOCK] IN=\S+ OUT= MAC=\S+ </prematch>
  <regex offset="after_prematch">^SRC=(\S+) DST=(\S+) LEN=\S+ TOS=\S+ PREC=\S+ TTL=\S+ ID=\S+ PROTO=(\S+) SPT=(\S+) DPT=(\S+) WINDOW=\S+ RES=\S+ URGP=\S+$</regex>
  <order>srcip,dstip,protocol,srcport,dstport</order>
</decoder>
The rule for it is:
<rule id="100002" level="8">
  <decoded_as>iptables</decoded_as>
  <description>An ip was blocked by the firewall</description>
</rule>
This is the result of ossec-logtest:
**Phase 1: Completed pre-decoding.
full event: 'Sep 2 14:39:23 rana-HP-Notebook kernel: [21261.042146] [UFW BLOCK] IN=wlp19s0 OUT= MAC=cc:b0:da:66:20:c3:00:23:15:d4:dd:70:08:00 SRC=192.153.41.125 DST=192.153.41.12 LEN=40 TOS=0x00 PREC=0x00 TTL=64 ID=28858 PROTO=TCP SPT=2662 DPT=0 WINDOW=512 RES=0x00 URGP=0'
hostname: 'rana-HP-Notebook'
program_name: 'kernel'
log: '[21261.042146] [UFW BLOCK] IN=wlp19s0 OUT= MAC=cc:b0:da:66:20:c3:00:23:15:d4:dd:70:08:00 SRC=192.153.41.125 DST=192.153.41.12 LEN=40 TOS=0x00 PREC=0x00 TTL=64 ID=28858 PROTO=TCP SPT=2662 DPT=0 WINDOW=512 RES=0x00 URGP=0'
**Phase 2: Completed decoding.
decoder: 'iptables'
srcip: '192.153.41.125'
dstip: '192.153.41.12'
proto: 'TCP'
srcport: '2662'
dstport: '0'
**Phase 3: Completed filtering (rules).
Rule id: '100002'
Level: '8'
Description: 'An ip was blocked by the firewall'
Now my main question is:
is it possible to add the srcip from the decoder to the rule description, so that it is shown in the description when the alert is raised?
My expected result for phase 3 of ossec-logtest is:
**Phase 3: Completed filtering (rules).
Rule id: '100002'
Level: '8'
Description: 'An ip 192.153.41.125 was blocked by the firewall'

You can use the following syntax in the description: $(field_name).
Your rule would look like this:
<rule id="100002" level="8">
  <decoded_as>iptables</decoded_as>
  <description>An ip $(srcip) was blocked by the firewall</description>
</rule>
You have more information on this in the Wazuh documentation: https://documentation.wazuh.com/3.13/user-manual/ruleset/ruleset-xml-syntax/rules.html#description
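
How the decoder's extracted fields feed the `$(field_name)` placeholders, as an added Python example that is not part of the original answer and is not OSSEC or Wazuh code. It goes beyond the question by also handling a constructed ICMP block line, which carries no SPT/DPT fields. Assumptions: the pattern is a Python `re` approximation of the decoder above, and leaving an unknown placeholder unexpanded is this example's own choice, not documented engine behaviour.

```python
import re

# Event from the question, as fed to ossec-logtest.
SAMPLE_LOG = (
    "Sep 2 14:39:23 rana-HP-Notebook kernel: [21261.042146] [UFW BLOCK] "
    "IN=wlp19s0 OUT= MAC=cc:b0:da:66:20:c3:00:23:15:d4:dd:70:08:00 "
    "SRC=192.153.41.125 DST=192.153.41.12 LEN=40 TOS=0x00 PREC=0x00 TTL=64 "
    "ID=28858 PROTO=TCP SPT=2662 DPT=0 WINDOW=512 RES=0x00 URGP=0"
)

# Constructed sample (not from the page): an ICMP block has no SPT/DPT.
ICMP_LOG = (
    "Sep 2 14:40:01 host kernel: [21299.000001] [UFW BLOCK] "
    "IN=eth0 OUT= MAC=00:00:5e:00:53:01:00:00:5e:00:53:02:08:00 "
    "SRC=192.0.2.10 DST=192.0.2.20 LEN=84 TOS=0x00 PREC=0x00 TTL=64 "
    "ID=1 PROTO=ICMP TYPE=8 CODE=0 ID=7 SEQ=1"
)

# Approximation of the decoder's <prematch> + <regex>; ports are optional here.
UFW_BLOCK = re.compile(
    r"\[UFW BLOCK\] IN=\S+ OUT=\S* MAC=\S+ "
    r"SRC=(\S+) DST=(\S+) .*?PROTO=(\S+)(?: SPT=(\S+) DPT=(\S+))?"
)
# Field names in the same order as the decoder's <order> element.
ORDER = ("srcip", "dstip", "protocol", "srcport", "dstport")

# Matches the $(field_name) syntax used in the rule description.
PLACEHOLDER = re.compile(r"\$\((\w+)\)")


def decode(line):
    """Return the decoded fields, or None if the line is not a UFW block."""
    match = UFW_BLOCK.search(line)
    if match is None:
        return None
    return {k: v for k, v in zip(ORDER, match.groups()) if v is not None}


def render_description(template, fields):
    """Expand $(name) placeholders; unknown names are left as written."""
    return PLACEHOLDER.sub(
        lambda m: fields.get(m.group(1), m.group(0)), template
    )


def alert_description(line, template):
    """Decode one log line and build the alert description for it."""
    fields = decode(line)
    return None if fields is None else render_description(template, fields)


if __name__ == "__main__":
    rule_text = "An ip $(srcip) was blocked by the firewall"
    print(alert_description(SAMPLE_LOG, rule_text))
    print(alert_description(ICMP_LOG, "$(srcip) -> $(dstip):$(dstport)"))
```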

Related

Postman HTTP GET request with authentication fails with 401 reply

I have an IoT device (PV inverter). As with many of these, there is an official API, mostly for data retrieval and some settings. However, given the right credentials (admin account), you can configure significantly more in the web interface.
I would like to be able to do this from my home automation server directly (ultimately via Node-RED). So I tried to have a look at the communication between the browser and the inverter via Wireshark.
I found some GET and POST calls, and wanted to start with the replication of a GET call via Node-RED or Postman first.
However, no matter what I have tried so far, I only get 401 replies.
Seemingly, I'm not able to set up the message with proper authentication. In Wireshark, the Postman and the original GET requests are very close.
Here is the original (followed by a "200 OK" response):
Internet Protocol Version 4, Src: 192.168.0.64, Dst: 192.168.0.5
Transmission Control Protocol, Src Port: 56183, Dst Port: 80, Seq: 1, Ack: 1, Len: 601
Source Port: 56183
Destination Port: 80
[Stream index: 1]
[Conversation completeness: Incomplete (28)]
[TCP Segment Len: 601]
Sequence Number: 1 (relative sequence number)
Sequence Number (raw): 2463465501
[Next Sequence Number: 602 (relative sequence number)]
Acknowledgment Number: 1 (relative ack number)
Acknowledgment number (raw): 1894190984
0101 .... = Header Length: 20 bytes (5)
Flags: 0x018 (PSH, ACK)
[TCP Flags: ·······AP···]
Window: 512
[Calculated window size: 512]
[Window size scaling factor: -1 (unknown)]
Checksum: 0x8409 [unverified]
[Checksum Status: Unverified]
Urgent Pointer: 0
[Timestamps]
[SEQ/ACK analysis]
TCP payload (601 bytes)
Hypertext Transfer Protocol
GET /commands/StandbyState HTTP/1.1\r\n
Host: 192.168.0.5\r\n
Connection: keep-alive\r\n
Accept: application/json, text/plain, */*\r\n
Authorization: Digest username="technician", realm="Webinterface area",
nonce="63af2777:24350f8b8a09fb90b82b6ac480d325cc", uri="/commands/StandbyState", response="a09ac5fe504563040d0ff8acfd68653e", qop=auth, nc=00000022, cnonce="NaN"\r\n
username="technician"
realm="Webinterface area"
nonce="63af2777:24350f8b8a09fb90b82b6ac480d325cc"
uri="/commands/StandbyState"
response="a09ac5fe504563040d0ff8acfd68653e"
qop=auth
nc=00000022
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko)
Chrome/108.0.0.0 Safari/537.36\r\n
Referer: http://192.168.0.5/\r\n
Accept-Encoding: gzip, deflate\r\n
Accept-Language: de-DE,de;q=0.9,en-US;q=0.8,en;q=0.7\r\n
\r\n
[Full request URI: http://192.168.0.5/commands/StandbyState]
And here is the captured Postman packet:
Internet Protocol Version 4, Src: 192.168.0.64, Dst: 192.168.0.5
Transmission Control Protocol, Src Port: 43404, Dst Port: 80, Seq: 1, Ack: 1, Len: 471
Source Port: 43404
Destination Port: 80
[Stream index: 5]
[Conversation completeness: Incomplete, DATA (15)]
[TCP Segment Len: 471]
Sequence Number: 1 (relative sequence number)
Sequence Number (raw): 990556558
[Next Sequence Number: 472 (relative sequence number)]
Acknowledgment Number: 1 (relative ack number)
Acknowledgment number (raw): 2175082347
0101 .... = Header Length: 20 bytes (5)
Flags: 0x018 (PSH, ACK)
[TCP Flags: ·······AP···]
Window: 513
[Calculated window size: 131328]
[Window size scaling factor: 256]
Checksum: 0x8387 [unverified]
[Checksum Status: Unverified]
Urgent Pointer: 0
[Timestamps]
[SEQ/ACK analysis]
TCP payload (471 bytes)
Hypertext Transfer Protocol
GET /commands/StandbyState HTTP/1.1\r\n
[truncated]Authorization: Digest username="technician", realm="Webinterface area", nonce="63af2777:24350f8b8a09fb90b82b6ac480d325cc", uri="/commands/StandbyState", algorithm="MD5", qop=auth, nc=00000022, cnonce="NaN", response="a09ac5fe5
username="technician"
realm="Webinterface area"
nonce="63af2777:24350f8b8a09fb90b82b6ac480d325cc"
uri="/commands/StandbyState"
algorithm="MD5"
qop=auth
nc=00000022
cnonce="NaN"
User-Agent: PostmanRuntime/7.30.0\r\n
Accept: */*\r\n
Postman-Token: e5d8ee2c-37fb-49ae-aa37-1cf05bfe8608\r\n
Host: 192.168.0.5\r\n
Accept-Encoding: gzip, deflate, br\r\n
Connection: keep-alive\r\n
\r\n
[Full request URI: http://192.168.0.5/commands/StandbyState]
[HTTP request 1/1]
Why does this not work?

VNF does not forward packets sent from Client in OpenStack using VNFF Graph

I'm trying to ping from Client to 8.8.8.8 via VNF1, so I use VNFFG to force the Client's ICMP traffic to go through VNF1 before going out to the internet.
After I apply the VNFFG rule in OpenStack, VNF1 can see the MPLS packet that OpenStack encapsulated from the Client's ICMP packet when I use tcpdump, but the forwarding table of VNF1 does not receive any packet to continue forwarding.
This is the packet seen on VNF1:
09:15:12.161830 MPLS (label 13311, exp 0, [S], ttl 255) IP 12.0.0.58 > 8.8.8.8: ICMP echo request, id 10531, seq 15, length 64
I captured that packet and saw that the content can be read (without encryption) and that the src and dst MACs belong to Client and VNF1 respectively.
This is my VNFFG template:
tosca_definitions_version: tosca_simple_profile_for_nfv_1_0_0
description: Sample VNFFG template
topology_template:
  node_templates:
    Forwarding_path1:
      type: tosca.nodes.nfv.FP.TackerV2
      description: demo chain
      properties:
        id: 51
        policy:
          type: ACL
          criteria:
            - name: block_icmp
              classifier:
                network_src_port_id: 0304e8b5-6c37-4634-bde2-1351cdee5134 #CLIENT PORT ID
                ip_proto: 1
            - name: block_udp
              classifier:
                network_src_port_id: 0304e8b5-6c37-4634-bde2-1351cdee5134 #CLIENT PORT ID
                ip_proto: 17
        path:
          - forwarder: VNF1
            capability: CP1
  groups:
    VNFFG1:
      type: tosca.groups.nfv.VNFFG
      description: Traffic to server
      properties:
        vendor: tacker
        version: 1.0
        number_of_endpoints: 1
        dependent_virtual_link: [VL1]
        connection_point: [CP1]
        constituent_vnfs: [VNF1]
      members: [Forwarding_path1]
This is my VNF Descriptor:
tosca_definitions_version: tosca_simple_profile_for_nfv_1_0_0
description: Demo example
metadata:
  template_name: sample-tosca-vnfd
topology_template:
  node_templates:
    VDU1:
      type: tosca.nodes.nfv.VDU.Tacker
      capabilities:
        nfv_compute:
          properties:
            num_cpus: 1
            mem_size: 2 GB
            disk_size: 20 GB
      properties:
        image: VNF1
        availability_zone: nova
        mgmt_driver: noop
        key_name: my-key-pair
        config: |
          param0: key1
          param1: key2
    CP1:
      type: tosca.nodes.nfv.CP.Tacker
      properties:
        management: true
        order: 0
        anti_spoofing_protection: false
      requirements:
        - virtualLink:
            node: VL1
        - virtualBinding:
            node: VDU1
    VL1:
      type: tosca.nodes.nfv.VL
      properties:
        network_name: my-private-network
        vendor: Tacker
    FIP1:
      type: tosca.nodes.network.FloatingIP
      properties:
        floating_network: public
      requirements:
        - link:
            node: CP1
I used this command to deploy the VNFFG rule:
tacker vnffg-create --vnffgd-template vnffg_test.yaml forward_traffic
I do not know if the problem can come from the key I defined for VNF1, because I do not know what param0: key0 and param1: key1 are used for and where they are.
How can I make the VNF forward these packets?

eth1 disappears after using new kernel 5.6.0 | uSID | CentOS

In order to test SRv6 uSID in Linux, I compiled the new kernel 5.6.0 from the following GitHub repository:
https://github.com/netgroup/srv6-usid-linux-kernel.git
After compiling and rebooting, my 2nd network adapter port (eth1) disappeared. The two network adapter ports should be the same type, and only eth0 was renamed to ens3, as follows:
[root@frank cisco]# uname -a
Linux frank 5.6.0+ #3 SMP Tue Jun 30 17:32:20 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux
[root@frank cisco]# dmesg |grep eth
[ 2.311925] e1000 0000:00:03.0 eth0: (PCI:33MHz:32-bit) 5e:00:00:00:00:00
[ 2.314897] e1000 0000:00:03.0 eth0: Intel(R) PRO/1000 Network Connection
[ 2.770167] e1000 0000:00:04.0 eth1: (PCI:33MHz:32-bit) fa:16:3e:38:fd:91
[ 2.773194] e1000 0000:00:04.0 eth1: Intel(R) PRO/1000 Network Connection
[ 5.352825] e1000 0000:00:03.0 ens3: renamed from eth0
[root@frank cisco]#
[root@frank cisco]# lshw -class network -businfo
Bus info          Device  Class    Description
========================================================
pci@0000:00:03.0  ens3    network  82540EM Gigabit Ethernet Controller
pci@0000:00:04.0          network  82540EM Gigabit Ethernet Controller
The following is the dmesg output for the two ports:
[root@frank cisco]# dmesg |grep 00:03.0
[ 0.700489] pci 0000:00:03.0: [8086:100e] type 00 class 0x020000
[ 0.702057] pci 0000:00:03.0: reg 0x10: [mem 0xfeb80000-0xfeb9ffff]
[ 0.703921] pci 0000:00:03.0: reg 0x14: [io 0xc000-0xc03f]
[ 0.707532] pci 0000:00:03.0: reg 0x30: [mem 0xfeb00000-0xfeb3ffff pref]
[ 2.311925] e1000 0000:00:03.0 eth0: (PCI:33MHz:32-bit) 5e:00:00:00:00:00
[ 2.314897] e1000 0000:00:03.0 eth0: Intel(R) PRO/1000 Network Connection
[ 5.352825] e1000 0000:00:03.0 ens3: renamed from eth0
[root@frank cisco]#
[root@frank cisco]# dmesg |grep 00:04.0
[ 0.708456] pci 0000:00:04.0: [8086:100e] type 00 class 0x020000
[ 0.710057] pci 0000:00:04.0: reg 0x10: [mem 0xfeba0000-0xfebbffff]
[ 0.711846] pci 0000:00:04.0: reg 0x14: [io 0xc040-0xc07f]
[ 0.715515] pci 0000:00:04.0: reg 0x30: [mem 0xfeb40000-0xfeb7ffff pref]
[ 2.770167] e1000 0000:00:04.0 eth1: (PCI:33MHz:32-bit) fa:16:3e:38:fd:91
[ 2.773194] e1000 0000:00:04.0 eth1: Intel(R) PRO/1000 Network Connection
Following is the lshw cmd output:
"driver=uio_pci_generic"
[root@frank v2.81]# lshw -c network
*-network:0
description: Ethernet interface
product: 82540EM Gigabit Ethernet Controller
vendor: Intel Corporation
physical id: 3
bus info: pci@0000:00:03.0
logical name: ens3
version: 03
serial: 5e:00:00:00:00:00
size: 1Gbit/s
capacity: 1Gbit/s
width: 32 bits
clock: 33MHz
capabilities: bus_master rom ethernet physical tp 10bt 10bt-fd 100bt 100bt-fd 1000bt-fd autonegotiation
configuration: autonegotiation=on broadcast=yes driver=e1000 driverversion=7.3.21-k8-NAPI duplex=full ip=172.16.1.140 latency=0 link=yes multicast=yes port=twisted pair speed=1Gbit/s
resources: irq:10 memory:feb80000-feb9ffff ioport:c000(size=64) memory:feb00000-feb3ffff
*-network:1
description: Ethernet controller
product: 82540EM Gigabit Ethernet Controller
vendor: Intel Corporation
physical id: 4
bus info: pci@0000:00:04.0
version: 03
width: 32 bits
clock: 33MHz
capabilities: bus_master rom
configuration: driver=uio_pci_generic latency=0 <<<
resources: irq:11 memory:feba0000-febbffff ioport:c040(size=64) memory:feb40000-feb7ffff
And I found the port is bound by DPDK, but I didn't set any binding config...
[root@frank v2.81]# ./dpdk_setup_ports.py -s
Network devices using DPDK-compatible driver
============================================
0000:00:04.0 '82540EM Gigabit Ethernet Controller' drv=uio_pci_generic unused=e1000,igb_uio,vfio-pci <<<
Network devices using kernel driver
===================================
0000:00:03.0 '82540EM Gigabit Ethernet Controller' if=ens3 drv=e1000 unused=igb_uio,vfio-pci,uio_pci_generic
Other network devices
=====================
<none>
Does anyone know what is going on... and how to solve this problem...?
Thanks a lot!
Frank
After discussing with colleagues, the issue should be the one described at this link:
https://www.kernel.org/doc/html/v4.12/driver-api/uio-howto.html
Following the above guide, I can work around the issue, but the issue appears again after reboot...
[root@frank v2.81]# ls -l /sys/bus/pci/devices/0000:00:04.0/driver
lrwxrwxrwx. 1 root root 0 Jun 30 17:59 /sys/bus/pci/devices/0000:00:04.0/driver -> ../../../bus/pci/drivers/uio_pci_generic
[root@frank v2.81]# echo -n 0000:00:04.0 > /sys/bus/pci/drivers/uio_pci_generic/unbind
[root@frank v2.81]# echo -n 0000:00:04.0 > /sys/bus/pci/drivers/e1000/bind
[79965.358393] e1000 0000:00:04.0 eth0: (PCI:33MHz:32-bit) fa:16:3e:38:fd:91
[79965.360499] e1000 0000:00:04.0 eth0: Intel(R) PRO/1000 Network Connection
[root@frank v2.81]# ls -l /sys/bus/pci/devices/0000:00:04.0/driver
lrwxrwxrwx. 1 root root 0 Jul 1 16:12 /sys/bus/pci/devices/0000:00:04.0/driver -> ../../../bus/pci/drivers/e1000
[root@frank cisco]# ifconfig eth0 up
[ 221.792886] e1000: eth0 NIC Link is Up 1000 Mbps Full Duplex, Flow Control: RX
[ 221.796553] IPv6: ADDRCONF(NETDEV_CHANGE): eth0: link becomes ready
[root@frank cisco]# lshw -c network
*-network:0
description: Ethernet interface
product: 82540EM Gigabit Ethernet Controller
vendor: Intel Corporation
physical id: 3
bus info: pci@0000:00:03.0
logical name: ens3
version: 03
serial: 5e:00:00:00:00:00
size: 1Gbit/s
capacity: 1Gbit/s
width: 32 bits
clock: 33MHz
capabilities: bus_master rom ethernet physical tp 10bt 10bt-fd 100bt 100bt-fd 1000bt-fd autonegotiation
configuration: autonegotiation=on broadcast=yes driver=e1000 driverversion=7.3.21-k8-NAPI duplex=full ip=172.16.1.140 latency=0 link=yes multicast=yes port=twisted pair speed=1Gbit/s
resources: irq:11 memory:feb80000-feb9ffff ioport:c000(size=64) memory:feb00000-feb3ffff
*-network:1
description: Ethernet interface
product: 82540EM Gigabit Ethernet Controller
vendor: Intel Corporation
physical id: 4
bus info: pci@0000:00:04.0
logical name: eth0
version: 03
serial: fa:16:3e:38:fd:91
size: 1Gbit/s
capacity: 1Gbit/s
width: 32 bits
clock: 33MHz
capabilities: bus_master rom ethernet physical tp 10bt 10bt-fd 100bt 100bt-fd 1000bt-fd autonegotiation
configuration: autonegotiation=on broadcast=yes driver=e1000 driverversion=7.3.21-k8-NAPI duplex=full latency=0 link=yes multicast=yes port=twisted pair speed=1Gbit/s
resources: irq:11 memory:feba0000-febbffff ioport:c040(size=64) memory:feb40000-feb7ffff

<< "[read] I/O error: Read timed out" immediately upon sending headers

We see time-outs during some calls to an external REST service from within a Spring Boot application. They do not seem to occur when we connect to the REST service directly. Debug logging on org.apache.http has given us a very peculiar aspect of the failing requests: it contains an inbound log entry '<< "[read] I/O error: Read timed out"' in the middle of sending headers - the same millisecond the first headers were sent.
How can we see an inbound 'Read timed out' a few milliseconds after sending the first headers? And why does it not immediately interrupt the request/connection with a time-out, but instead waits the full 4500ms until it times out with an exception?
Here is our production log for a failing request, redacted. Note the 4500ms delay between lines two and three. My question is about the occurrence of http-outgoing-104 << "[read] I/O error: Read timed out" at 16:55:08.258, not the first one on line 2.
16:55:12.764 Connection released: [id: 104][route: {s}-><<website-redacted>>:443][total kept alive: 0; route allocated: 0 of 2; total allocated: 0 of 20]
16:55:12.763 http-outgoing-104 << "[read] I/O error: Read timed out"
16:55:08.259 http-outgoing-104 >> "<<POST Body Redacted>>"
16:55:08.259 http-outgoing-104 >> "[\r][\n]"
16:55:08.258 http-outgoing-104: set socket timeout to 4500
16:55:08.258 Executing request POST <<Endpoint Redacted>> HTTP/1.1
16:55:08.258 Target auth state: UNCHALLENGED
16:55:08.258 Proxy auth state: UNCHALLENGED
16:55:08.258 Connection leased: [id: 104][route: {s}-><<website-redacted>>:443][total kept alive: 0; route allocated: 1 of 2; total allocated: 1 of 20]
....
16:55:08.258 http-outgoing-104 >> "POST <<Endpoint Redacted>> HTTP/1.1[\r][\n]"
16:55:08.258 http-outgoing-104 >> "Accept: text/plain, application/json, application/*+json, */*[\r][\n]"
16:55:08.258 http-outgoing-104 >> Cookie: <<Redacted>>
16:55:08.258 http-outgoing-104 >> "Content-Type: application/json[\r][\n]"
16:55:08.258 http-outgoing-104 >> "Connection: close[\r][\n]"
16:55:08.258 http-outgoing-104 >> "X-B3-SpanId: <<ID>>[\r][\n]"
16:55:08.258 http-outgoing-104 << "[read] I/O error: Read timed out"
16:55:08.258 http-outgoing-104 >> "X-Span-Name: https:<<Endpoint Redacted>>[\r][\n]"
16:55:08.258 http-outgoing-104 >> "X-B3-TraceId: <<ID>>[\r][\n]"
16:55:08.258 http-outgoing-104 >> "X-B3-ParentSpanId: <<ID>>[\r][\n]"
16:55:08.258 http-outgoing-104 >> "Content-Length: 90[\r][\n]"
16:55:08.258 http-outgoing-104 >> "User-Agent: Apache-HttpClient/4.5.3 (Java/1.8.0_172)[\r][\n]"
16:55:08.258 http-outgoing-104 >> "Cookie: <<Redacted>>"
16:55:08.258 http-outgoing-104 >> "Host: <<Host redacted>>[\r][\n]"
16:55:08.258 http-outgoing-104 >> "Accept-Encoding: gzip,deflate[\r][\n]"
16:55:08.258 http-outgoing-104 >> "X-B3-Sampled: 1[\r][\n
Update 1: a second occurrence:
In another request that timed out the same behavior roughly occurs, but the timeout message is logged even before sending headers and eventually receiving the actual timeout. Note: this request is actually older, after it I have configured the request to include 'Connection: close' to circumvent a firewall dropping the connection under 'Keep Alive'.
19:28:08.102 http-outgoing-36 << "[read] I/O error: Read timed out"
19:28:08.102 http-outgoing-36: Shutdown connection
19:28:08.102 http-outgoing-36: Close connection
19:28:03.598 http-outgoing-36 >> "Connection: Keep-Alive[\r][\n]"
19:28:03.598 http-outgoing-36 >> "Content-Type: application/json;charset=UTF-8[\r][\n]"
...
19:28:03.598 http-outgoing-36 >> "Accept-Encoding: gzip,deflate[\r][\n]"
...
19:28:03.597 http-outgoing-36 >> Cookie: ....
19:28:03.597 http-outgoing-36 >> Accept-Encoding: gzip,deflate
19:28:03.597 http-outgoing-36 >> User-Agent: Apache-HttpClient/4.5.3 (Java/1.8.0_172)
19:28:03.596 Connection leased: [id: 36][route: {s}-><< Site redacted >>:443][total kept alive: 0; route allocated: 1 of 2; total allocated: 1 of 20]
19:28:03.596 http-outgoing-36: set socket timeout to 4500
19:28:03.596 Executing request POST HTTP/1.1
19:28:03.596 Target auth state: UNCHALLENGED
19:28:03.596 http-outgoing-36 << "[read] I/O error: Read timed out"
19:28:03.594 Connection request: [route: {s}-><< Site redacted >>:443][total kept alive: 1; route allocated: 1 of 2; total allocated: 1 of 20]
19:28:03.594 Auth cache not set in the context
Update 2: added HttpClientBuilder configuration
RequestConfig.Builder requestBuilder = RequestConfig.custom()
        .setSocketTimeout(socketTimeout)
        .setConnectTimeout(connectTimeout);
CloseableHttpClient httpClient = HttpClientBuilder.create()
        .setDefaultRequestConfig(requestBuilder.build())
        .build();
HttpComponentsClientHttpRequestFactory rf = new HttpComponentsClientHttpRequestFactory(httpClient);
return new RestTemplate(rf);

asterisk PAMI Originate Call issue

Received an unknown call with DID
[rawContent:protected] =>
Event: Newexten
Privilege: call,all
Channel: SIP/701-000056ff
ChannelState: 6
ChannelStateDesc: Up
CallerIDNum: 701
CallerIDName: 701
ConnectedLineNum:
ConnectedLineName:
Language: en
AccountCode:
Context: from-digital
Exten: xxxxxx
Priority: 2
Uniqueid: 1483958245.105223
Linkedid: 1483958245.105223
Extension: xxxxxx
Application: NoOp
AppData: Received an unknown call with DID set to xxxxx
According to this fragment, call origination was successful; your dialplan for context from-digital has the application NoOp with that message.
That message is from your dialplan and has no relation to Asterisk internals.
