Decoder and rules for syslog


Humbert Gast

Nov 13, 2020, 7:42:18 AM
to Wazuh mailing list
Hi all,

I am trying to add some custom rules to get my firewall (Stormshield and Sophos) logs into Wazuh.

Regexes are not easy for me, so could someone help me create them?
Perhaps an idea: create a tool to help create regexes. :)

Example log:
2020 Nov 12 17:12:51 srv-log-01->192.168.80.254 1 2020-11-12T17:14:51+01:00 FW01-DCL asqd - - - id=firewall time="2020-11-12 17:14:51" fw="FW01-DCL" tz=+0100 startime="2020-11-12 17:14:50" pri=5 confid=01 slotlevel=2 ruleid=385 srcif="vlan27" srcifname="Net-Back-17" ipproto=vrrp proto=vrrp src=192.168.96.5 srcname=192.168.96.5 srcmac=00:50:56:9b:05:73 dst=224.0.0.18 ipv=4 sent=0 rcvd=0 duration=0.00 action=block logtype="filter"

local_decoder.xml
<!-- Stormshield via syslog 13.11.2020 -->
<decoder name="stormshiled-firewall">
    <prematch>\.*asqd - - - id=firewall </prematch>
    <type>syslog</type>
</decoder>

<decoder name="stormshiled-firewall-filter">
    <parent>stormshiled-firewall</parent>
    <prematch offset="after_parent">time="\d\d\d\d-\d\d-\d\d \d\d:\d\d:\d\d" </prematch>
    <regex offset="after_prematch">fw="(\.*)" tz=+0100 startime="2020-11-12 17:14:50" pri=5 confid=01 slotlevel=2 ruleid=385 srcif="vlan27" srcifname="Net-Back-17" ipproto=vrrp proto=(\S+) src=(\S+) srcname=(\.*) dst=(\S+) action=(\w+) logtype="(\.+)"</regex>
    <order>name, extra_data, protocol, srcip, srcuser, dstip, action, extra_data</order>
</decoder>

local_rules.xml
 <rule id="100002" level="5">
   <decoded_as>stormshiled-firewall</decoded_as>
   <description>filtrage stormshiled</description>
   <field name="action_name">filtrage</field>
   <group>authentication_failed</group>
 </rule>

Test with logtest
 /var/ossec/bin/ossec-logtest
2020/11/13 13:33:25 ossec-testrule: INFO: Started (pid: 103854).
ossec-testrule: Type one log per line.

2020 Nov 12 17:12:51 srv-log-01->192.168.80.254 1 2020-11-12T17:14:51+01:00 FW01-DCL asqd - - - id=firewall time="2020-11-12 17:14:51" fw="FW01-DCL" tz=+0100 startime="2020-11-12 17:14:50" pri=5 confid=01 slotlevel=2 ruleid=385 srcif="vlan27" srcifname="Net-Back-17" ipproto=vrrp proto=vrrp src=192.168.96.5 srcname=192.168.96.5 srcmac=00:50:56:9b:05:73 dst=224.0.0.18 ipv=4 sent=0 rcvd=0 duration=0.00 action=block logtype="filter"


**Phase 1: Completed pre-decoding.
       full event: '2020 Nov 12 17:12:51 srv-log-01->192.168.80.254 1 2020-11-12T17:14:51+01:00 FW01-DCL asqd - - - id=firewall time="2020-11-12 17:14:51" fw="FW01-DCL" tz=+0100 startime="2020-11-12 17:14:50" pri=5 confid=01 slotlevel=2 ruleid=385 srcif="vlan27" srcifname="Net-Back-17" ipproto=vrrp proto=vrrp src=192.168.96.5 srcname=192.168.96.5 srcmac=00:50:56:9b:05:73 dst=224.0.0.18 ipv=4 sent=0 rcvd=0 duration=0.00 action=block logtype="filter"'
       timestamp: '2020 Nov 12 17:12:51'
       hostname: 'srv-log-01'
       program_name: '(null)'
       log: 'srv-log-01->192.168.80.254 1 2020-11-12T17:14:51+01:00 FW01-DCL asqd - - - id=firewall time="2020-11-12 17:14:51" fw="FW01-DCL" tz=+0100 startime="2020-11-12 17:14:50" pri=5 confid=01 slotlevel=2 ruleid=385 srcif="vlan27" srcifname="Net-Back-17" ipproto=vrrp proto=vrrp src=192.168.96.5 srcname=192.168.96.5 srcmac=00:50:56:9b:05:73 dst=224.0.0.18 ipv=4 sent=0 rcvd=0 duration=0.00 action=block logtype="filter"'

**Phase 2: Completed decoding.
       decoder: 'stormshiled-firewall'


Thanks a lot.
Alex





Juan Pablo Saez

Nov 13, 2020, 10:34:20 AM
to Wazuh mailing list

Hello Humbert,

The yellow portion of your example log contains additional information appended by Wazuh:

2020 Nov 12 17:12:51 srv-log-01->192.168.80.254 1 2020-11-12T17:14:51+01:00 FW01-DCL asqd - - - id=firewall time="2020-11-12 17:14:51" fw="FW01-DCL" tz=+0100 startime="2020-11-12 17:14:50" pri=5 confid=01 slotlevel=2 ruleid=385 srcif="vlan27" srcifname="Net-Back-17" ipproto=vrrp proto=vrrp src=192.168.96.5 srcname=192.168.96.5 srcmac=00:50:56:9b:05:73 dst=224.0.0.18 ipv=4 sent=0 rcvd=0 duration=0.00 action=block logtype="filter"

You should use just the green portion in the ossec-logtest tool. Based on this, the following decoders and rule should fit your use case. Feel free to rename any field.

Decoders (Place it on /var/ossec/etc/rules/local_rules.xml)

<decoder name="stormshield_decoder">
  <prematch>asqd - - - id=firewall</prematch>
</decoder>

<decoder name="stormshield_decoder_1">
    <parent>stormshield_decoder</parent>
    <regex>time="(\.*)" fw="(\.*)" tz=(\S+) startime="(\.*)" pri=(\S+) confid=(\S+) slotlevel=(\S+)</regex>
    <order>time, fw, tz, startime, pri, confid, slotlevel</order>
</decoder>

<decoder name="stormshield_decoder_1">
    <parent>stormshield_decoder</parent>
    <regex offset="after_regex">ruleid=(\S+) srcif="(\.*)" srcifname="(\.*)" ipproto=(\S+) proto=(\S+) src=(\S+)</regex>
    <order>ruleid, srcif, srcifname, ipproto, proto, src</order>
</decoder>

<decoder name="stormshield_decoder_1">
    <parent>stormshield_decoder</parent>
    <regex offset="after_regex">srcname=(\S+) srcmac=(\S+) dst=(\S+) ipv=(\S+) sent=(\S+) rcvd=(\S+) duration=(\S+) action=(\S+) logtype="(\.*)"</regex>
    <order>srcname, srcmac, dst, ipv, sent, rcvd, duration, action, logtype</order>
</decoder>

Rule (You should place it on /var/ossec/etc/rules/local_rules.xml)

<rule id="100005" level="5">
  <decoded_as>stormshield_decoder</decoded_as>
  <description>Stormshield logs grouping rule</description>
</rule>

Example alert using the ossec-logtest binary

**Phase 1: Completed pre-decoding.
       full event: ' 1 2020-11-12T17:14:51+01:00 FW01-DCL asqd - - - id=firewall time="2020-11-12 17:14:51" fw="FW01-DCL" tz=+0100 startime="2020-11-12 17:14:50" pri=5 confid=01 slotlevel=2 ruleid=385 srcif="vlan27" srcifname="Net-Back-17" ipproto=vrrp proto=vrrp src=192.168.96.5 srcname=192.168.96.5 srcmac=00:50:56:9b:05:73 dst=224.0.0.18 ipv=4 sent=0 rcvd=0 duration=0.00 action=block logtype="filter"'
       timestamp: '(null)'
       hostname: 'wazuh-manager-master'
       program_name: '(null)'
       log: ' 1 2020-11-12T17:14:51+01:00 FW01-DCL asqd - - - id=firewall time="2020-11-12 17:14:51" fw="FW01-DCL" tz=+0100 startime="2020-11-12 17:14:50" pri=5 confid=01 slotlevel=2 ruleid=385 srcif="vlan27" srcifname="Net-Back-17" ipproto=vrrp proto=vrrp src=192.168.96.5 srcname=192.168.96.5 srcmac=00:50:56:9b:05:73 dst=224.0.0.18 ipv=4 sent=0 rcvd=0 duration=0.00 action=block logtype="filter"'

**Phase 2: Completed decoding.
       decoder: 'stormshield_decoder'
       time: '2020-11-12 17:14:51'
       fw: 'FW01-DCL'
       tz: '+0100'
       startime: '2020-11-12 17:14:50'
       pri: '5'
       confid: '01'
       slotlevel: '2'
       ruleid: '385'
       srcif: 'vlan27'
       srcifname: 'Net-Back-17'
       ipproto: 'vrrp'
       proto: 'vrrp'
       src: '192.168.96.5'
       srcname: '192.168.96.5'
       srcmac: '00:50:56:9b:05:73'
       dst: '224.0.0.18'
       ipv: '4'
       sent: '0'
       rcvd: '0'
       duration: '0.00'
       action: 'block'
       logtype: 'filter'

**Phase 3: Completed filtering (rules).
       Rule id: '100005'
       Level: '5'
       Description: 'Stormshield logs grouping rule'
**Alert to be generated.

I hope it helps. Let me know how it goes.

Greetings,

JP

Humbert Gast

Nov 13, 2020, 10:43:58 AM
to Wazuh mailing list
Hi JP,

Thanks a lot for this very nice answer!!
I checked and it works well now.

Are you thinking of putting these into the integrated rules for Sophos and Stormshield firewalls in the next version?

Regards,
Alex

Humbert Gast

Nov 13, 2020, 11:19:31 AM
to Wazuh mailing list
Sorry, another question, but where could I find these logs in Wazuh?
I checked the Kibana dashboard with the KQL query decoder.name : 'stormshield_decoder' but nothing appears.

Thanks
Alex

Juan Pablo Saez

Nov 13, 2020, 11:39:08 AM
to Wazuh mailing list

Hello again Humbert,

Sorry, another question, but where could I find these logs in Wazuh?

You could try using the rule.id field: rule.id: "100005"

In case the related alerts keep being missing: where did you get the example log you pasted? Did you enable the <logall> option on the manager side?

Greetings,

JP

Humbert Gast

Nov 13, 2020, 12:19:58 PM
to Wazuh mailing list
Yes, I tried with rule.id too, but no alerts.

Below is my logall configuration (without the mail configuration):
<ossec_config>
  <global>
    <jsonout_output>yes</jsonout_output>
    <alerts_log>yes</alerts_log>
    <logall>yes</logall>
    <logall_json>no</logall_json>
    <email_notification>yes</email_notification>
    <email_maxperhour>12</email_maxperhour>
    <email_log_source>alerts.log</email_log_source>
  </global>
</ossec_config>

I didn't paste a specific log, but I have a lot of traffic coming in over syslog.

Regards,
Alex


Juan Pablo Saez

Nov 13, 2020, 1:07:07 PM
to Wazuh mailing list
Yes, I tried with rule.id too, but no alerts.

Could you paste several example logs from your `/var/ossec/logs/archives/archives.log`? This way I could see if there is something missing on the decoders.

Greetings,
JP

Humbert Gast

Nov 13, 2020, 1:15:03 PM
to Wazuh mailing list
Hi,

Thanks a lot. You can find below some recent logs from `/var/ossec/logs/archives/archives.log`.

Thx


2020 Nov 13 18:24:10 srv-log-01->192.168.80.254 1 2020-11-13T18:26:18+01:00 FW01-DCL asqd - - - id=firewall time="2020-11-13 18:26:18" fw="FW01-DCL" tz             =+0100 startime="2020-11-13 18:26:17" pri=5 confid=00 slotlevel=2 ruleid=12 rulename="17457b97272_8" srcif="ipsec" srcifname="ipsec" ipproto=icmp icmpt             ype=3 icmpcode=1 proto=icmp src=10.0.51.6 srcname=10.0.51.6 srcmac=30:7c:5e:03:a7:00 dst=192.168.80.254 dstname=Firewall_inside ipv=4 sent=0 rcvd=0 dur             ation=0.00 action=pass logtype="filter"
2020 Nov 13 18:24:10 srv-log-01->192.168.80.254 1 2020-11-13T18:26:18+01:00 FW01-DCL asqd - - - id=firewall time="2020-11-13 18:26:18" fw="FW01-DCL" tz             =+0100 startime="2020-11-13 18:26:17" pri=5 confid=00 slotlevel=2 ruleid=12 rulename="17457b97272_8" srcif="ipsec" srcifname="ipsec" ipproto=icmp icmpt             ype=3 icmpcode=1 proto=icmp src=10.0.51.6 srcname=10.0.51.6 srcmac=30:7c:5e:03:a7:00 dst=192.168.80.254 dstname=Firewall_inside ipv=4 sent=0 rcvd=0 dur             ation=0.00 action=pass logtype="filter"
2020 Nov 13 18:24:11 srv-log-01->192.168.80.254 1 2020-11-13T18:26:18+01:00 FW01-DCL asqd - - - id=firewall time="2020-11-13 18:26:18" fw="FW01-DCL" tz             =+0100 startime="2020-11-13 18:26:17" pri=5 confid=01 slotlevel=2 ruleid=370 srcif="vlan27" srcifname="Net-Back-17" ipproto=tcp dstif="Ethernet0" dstif             name="OLKY-IP-002" proto=https src=192.168.96.30 srcport=52081 srcportname=ephemeral_fw_tcp srcname=Mammouth srcmac=ac:87:a3:36:cb:b6 dst=217.69.29.10              dstport=443 dstportname=https dstcontinent="eu" dstcountry="fr" modsrc=80.92.79.58 modsrcport=52081 origdst=217.69.29.10 origdstport=443 ipv=4 sent=983              rcvd=5733 duration=0.43 action=pass logtype="connection"
2020 Nov 13 18:24:11 srv-log-01->192.168.80.254 1 2020-11-13T18:26:18+01:00 FW01-DCL asqd - - - id=firewall time="2020-11-13 18:26:18" fw="FW01-DCL" tz             =+0100 startime="2020-11-13 18:26:18" pri=5 confid=01 slotlevel=2 ruleid=21 rulename="Net-VPN-01-002" srcif="Ethernet1" srcifname="inside" ipproto=icmp              dstif="Ethernet0" dstifname="IP-002" icmptype=8 icmpcode=0 proto=icmp src=192.168.80.227 srcname=dc1cvm03 srcmac=50:6b:8d:78:e6:ce dst=192.168.1.             235 dstname=dc2ntnx01 ipv=4 sent=0 rcvd=0 duration=0.00 action=pass logtype="filter"
2020 Nov 13 18:24:11 srv-log-01->192.168.80.254 1 2020-11-13T18:26:18+01:00 FW01-DCL asqd - - - id=firewall time="2020-11-13 18:26:18" fw="FW01-DCL" tz             =+0100 startime="2020-11-13 18:26:18" pri=5 confid=01 slotlevel=2 ruleid=12 rulename="17457b97272_8" srcif="Ethernet1" srcifname="inside" ipproto=icmp              icmptype=3 icmpcode=3 proto=icmp src=192.168.80.14 srcname=HOST_IPA_1 srcmac=50:6b:8d:18:4e:e3 dst=192.168.80.254 dstname=Firewall_inside ipv=4 sent=0              rcvd=0 duration=0.00 action=pass logtype="filter"
2020 Nov 13 18:24:11 srv-log-01->192.168.80.254 1 2020-11-13T18:26:18+01:00 FW01-DCL asqd - - - id=firewall time="2020-11-13 18:26:18" fw="FW01-DCL" tz             =+0100 startime="2020-11-13 18:26:18" pri=5 confid=01 slotlevel=2 ruleid=356 srcif="vlan31" srcifname="Net-Front-12" ipproto=tcp dstif="vlan27" dstifna             me="Net-Back-17" proto=http src=172.16.12.21 srcport=52060 srcportname=ephemeral_fw_tcp srcname=OLKY-Symwis-02 srcmac=00:50:56:9b:40:a7 dst=192.168.96.             10 dstport=80 dstportname=http dstname=SolR modsrc=172.16.12.21 modsrcport=52060 origdst=192.168.96.10 origdstport=80 ipv=4 sent=809 rcvd=593 d             uration=0.02 action=pass logtype="connection"
2020 Nov 13 18:24:11 srv-log-01->192.168.80.254 1 2020-11-13T18:26:18+01:00 FW01-DCL asqd - - - id=firewall time="2020-11-13 18:26:18" fw="FW01-DCL" tz             =+0100 startime="2020-11-13 18:26:18" pri=5 confid=00 slotlevel=2 ruleid=20 rulename="Net-VPN-01-002" srcif="ipsec" srcifname="ipsec" ipproto=tcp dstif             ="Ethernet1" dstifname="inside" proto=Port.OKP.TCP.NFS-2048 src=192.168.6.1 srcport=996 srcname=ATBE-DBO-02 srcmac=30:7c:5e:03:a7:00 dst=192.168.80.4 d             stport=2049 dstportname=Port.OKP.TCP.NFS-2048 dstname=NAS01-QNAP ipv=4 sent=0 rcvd=0 duration=0.00 action=pass logtype="filter"
2020 Nov 13 18:24:11 srv-log-01->192.168.80.254 1 2020-11-13T18:26:18+01:00 FW01-DCL asqd - - - id=firewall time="2020-11-13 18:26:18" fw="FW01-DCL" tz             =+0100 startime="2020-11-13 18:26:18" pri=5 confid=00 slotlevel=2 ruleid=20 rulename="Net-VPN-01-002" srcif="ipsec" srcifname="ipsec" ipproto=tcp dstif             ="Ethernet1" dstifname="inside" proto=Port.OKP.TCP.NFS-2048 src=192.168.6.1 srcport=996 srcname=ATBE-DBO-02 dst=192.168.80.4 dstport=2049 dstportname=P             ort.OKP.TCP.NFS-2048 dstname=NAS01-QNAP modsrc=192.168.6.1 modsrcport=996 origdst=192.168.80.4 origdstport=2049 ipv=4 sent=0 rcvd=0 duration=0.00 actio             n=pass logtype="connection"
2020 Nov 13 18:24:11 srv-log-01->192.168.80.254 1 2020-11-13T18:26:18+01:00 FW01-DCL asqd - - - id=firewall time="2020-11-13 18:26:18" fw="FW01-DCL" tz             =+0100 startime="2020-11-13 18:26:18" pri=5 confid=01 slotlevel=2 ruleid=385 srcif="vlan6" srcifname="Net-Front-02" ipproto=tcp dstif="Ethernet1" dstif             name="inside" proto=ad2003-dyn_tcp src=172.16.2.2 srcport=64939 srcportname=ad2008-dyn_tcp srcname=H-Thor-Prod-B2B srcmac=50:6b:8d:07:62:c9 dst=192.168             .80.235 dstport=2074 dstportname=ad2003-dyn_tcp dstname=dc1ntnx01 ipv=4 sent=0 rcvd=0 duration=0.00 action=block logtype="filter"


Juan Pablo Saez

Nov 16, 2020, 10:18:47 AM
to Wazuh mailing list

Hey Humbert,

I just performed some tests using your example logs:

  • They include whitespace that prevents the decoder from firing. Is this a matter of format when pasting it here, or do they also appear with those spaces in the archives file?
  • After removing the whitespace and the extra header I was able to see alerts in ossec-logtest, i.e.:

1 2020-11-13T18:26:18+01:00 FW01-DCL asqd - - - id=firewall time="2020-11-13 18:26:18" fw="FW01-DCL" tz=+0100 startime="2020-11-13 18:26:18" pri=5 confid=01 slotlevel=2 ruleid=12 rulename="17457b97272_8" srcif="Ethernet1" srcifname="inside" ipproto=icmp icmptype=3 icmpcode=3 proto=icmp src=192.168.80.14 srcname=HOST_IPA_1 srcmac=50:6b:8d:18:4e:e3 dst=192.168.80.254 dstname=Firewall_inside ipv=4 sent=0 rcvd=0 duration=0.00 action=pass logtype="filter"

**Phase 1: Completed pre-decoding.
       full event: '1 2020-11-13T18:26:18+01:00 FW01-DCL asqd - - - id=firewall time="2020-11-13 18:26:18" fw="FW01-DCL" tz=+0100 startime="2020-11-13 18:26:18" pri=5 confid=01 slotlevel=2 ruleid=12 rulename="17457b97272_8" srcif="Ethernet1" srcifname="inside" ipproto=icmp icmptype=3 icmpcode=3 proto=icmp src=192.168.80.14 srcname=HOST_IPA_1 srcmac=50:6b:8d:18:4e:e3 dst=192.168.80.254 dstname=Firewall_inside ipv=4 sent=0 rcvd=0 duration=0.00 action=pass logtype="filter"'
       timestamp: '(null)'
       hostname: 'puppet'
       program_name: '(null)'
       log: '1 2020-11-13T18:26:18+01:00 FW01-DCL asqd - - - id=firewall time="2020-11-13 18:26:18" fw="FW01-DCL" tz=+0100 startime="2020-11-13 18:26:18" pri=5 confid=01 slotlevel=2 ruleid=12 rulename="17457b97272_8" srcif="Ethernet1" srcifname="inside" ipproto=icmp icmptype=3 icmpcode=3 proto=icmp src=192.168.80.14 srcname=HOST_IPA_1 srcmac=50:6b:8d:18:4e:e3 dst=192.168.80.254 dstname=Firewall_inside ipv=4 sent=0 rcvd=0 duration=0.00 action=pass logtype="filter"'

**Phase 2: Completed decoding.
       decoder: 'stormshield_decoder'
       time: '2020-11-13 18:26:18'
       fw: 'FW01-DCL'
       tz: '+0100'
       startime: '2020-11-13 18:26:18'
       pri: '5'
       confid: '01'
       slotlevel: '2'

**Phase 3: Completed filtering (rules).
       Rule id: '100005'
       Level: '5'
       Description: 'Stormshield logs grouping rule'
**Alert to be generated.

Greetings,

JP

Humbert Gast

Nov 16, 2020, 12:18:26 PM
to Juan Pablo Saez, Wazuh mailing list
Hi JP,

I just copy/pasted the logs here, so I think the spaces are in the logs too.

Perhaps in the first log sent in the initial opening message I deleted the spaces...

So could you help me adjust the rules, please?

Regards,
Alex


Juan Pablo Saez

Nov 16, 2020, 1:05:35 PM
to Wazuh mailing list

Hello again Humbert,

So could you help me adjust the rules, please?

Sure! I just sliced the decoders so that they are more tolerant of the whitespace inside the logs. You should replace the previous decoders with the ones below (the rule remains the same):

<decoder name="custom-decoder">
  <prematch>\d\d\d\d/\d\d/\d\d \d\d:\d\d:\d\d</prematch>
</decoder>

<decoder name="stormshield_decoder">
  <prematch>asqd - - - id=firewall</prematch>
</decoder>

<decoder name="stormshield_decoder_1">
    <parent>stormshield_decoder</parent>
    <regex>time="(\.*)" fw="(\.*)"</regex>
    <order>time, fw</order>
</decoder>

<decoder name="stormshield_decoder_1">
    <parent>stormshield_decoder</parent>
    <regex>tz=(\S+) startime="(\.*)"</regex>
    <order>tz, startime</order>
</decoder>

<decoder name="stormshield_decoder_1">
    <parent>stormshield_decoder</parent>
    <regex>pri=(\S+) confid=(\S+) slotlevel=(\S+)</regex>
    <order>pri, confid, slotlevel</order>
</decoder>

<decoder name="stormshield_decoder_1">
    <parent>stormshield_decoder</parent>
    <regex offset="after_regex">ruleid=(\S+) srcif="(\.*)"</regex>
    <order>ruleid, srcif</order>
</decoder>

<decoder name="stormshield_decoder_1">
    <parent>stormshield_decoder</parent>
    <regex offset="after_regex">srcifname="(\.*)" ipproto=(\S+)</regex>
    <order>srcifname, ipproto</order>
</decoder>

<decoder name="stormshield_decoder_1">
    <parent>stormshield_decoder</parent>
    <regex offset="after_regex">proto=(\S+) src=(\S+)</regex>
    <order>proto, src</order>
</decoder>

<decoder name="stormshield_decoder_1">
    <parent>stormshield_decoder</parent>
    <regex offset="after_regex">srcname=(\S+) srcmac=(\S+)</regex>
    <order>srcname, srcmac</order>
</decoder>

<decoder name="stormshield_decoder_1">
    <parent>stormshield_decoder</parent>
    <regex offset="after_regex">dst=(\S+) ipv=(\S+)</regex>
    <order>dst, ipv</order>
</decoder>

<decoder name="stormshield_decoder_1">
    <parent>stormshield_decoder</parent>
    <regex offset="after_regex">sent=(\S+) rcvd=(\S+)</regex>
    <order>sent, rcvd</order>
</decoder>

<decoder name="stormshield_decoder_1">
    <parent>stormshield_decoder</parent>
    <regex offset="after_regex">duration=(\S+) action=(\S+)</regex>
    <order>duration, action</order>
</decoder>

<decoder name="stormshield_decoder_1">
    <parent>stormshield_decoder</parent>
    <regex offset="after_regex">logtype="(\.*)"</regex>
    <order>logtype</order>
</decoder>

I hope it works now! Let me know how it goes,

Greetings,

JP
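As an added example (not part of this thread or of Wazuh's own code), here is a small Python parser for the Stormshield key=value body that the decoders above target, run on sample lines constructed from the thread. It shows why the positional regex chain in the earlier reply is fragile (optional keys such as rulename= and dstif= sit between the fixed ones, and the wrapped whitespace in the pasted archive lines silently loses a field), and it maps the keys onto the Wazuh static field names the first decoder tried to use. The sample lines, the field map and the function names are this example's own assumptions.

```python
import re
from typing import Dict, List, Tuple

# Stormshield "asqd" firewall events are a space-separated key=value list
# after "id=firewall". Values are either bare tokens (\S+) or double-quoted
# strings that may contain spaces. Which keys are present depends on logtype
# ("filter" vs "connection"), and optional keys (rulename=, dstif=, ...) can
# appear between otherwise fixed ones, so a parser should not rely on order.
PREMATCH = "id=firewall"
_KV = re.compile(r'(\w+)=("([^"]*)"|(\S+))')

# Constructed sample events. The first is the thread's example line with the
# "2020 Nov 12 ... srv-log-01->192.168.80.254" header that Wazuh prepends
# removed; the second is modelled on the "connection" lines in archives.log;
# the third reproduces the wrapped-whitespace artifact seen in the pasted
# archive lines; the last is an unrelated syslog line.
SAMPLE_LINES: List[str] = [
    '1 2020-11-12T17:14:51+01:00 FW01-DCL asqd - - - id=firewall '
    'time="2020-11-12 17:14:51" fw="FW01-DCL" tz=+0100 '
    'startime="2020-11-12 17:14:50" pri=5 confid=01 slotlevel=2 ruleid=385 '
    'srcif="vlan27" srcifname="Net-Back-17" ipproto=vrrp proto=vrrp '
    'src=192.168.96.5 srcname=192.168.96.5 srcmac=00:50:56:9b:05:73 '
    'dst=224.0.0.18 ipv=4 sent=0 rcvd=0 duration=0.00 action=block '
    'logtype="filter"',
    '1 2020-11-13T18:26:18+01:00 FW01-DCL asqd - - - id=firewall '
    'time="2020-11-13 18:26:18" fw="FW01-DCL" tz=+0100 '
    'startime="2020-11-13 18:26:17" pri=5 confid=01 slotlevel=2 ruleid=370 '
    'rulename="Net-VPN-01-002" srcif="vlan27" srcifname="Net-Back-17" '
    'ipproto=tcp dstif="Ethernet0" dstifname="OLKY-IP-002" proto=https '
    'src=192.168.96.30 srcport=52081 dst=217.69.29.10 dstport=443 ipv=4 '
    'sent=983 rcvd=5733 duration=0.43 action=pass logtype="connection"',
    '1 2020-11-13T18:26:18+01:00 FW01-DCL asqd - - - id=firewall '
    'time="2020-11-13 18:26:18" fw="FW01-DCL" tz             =+0100 '
    'startime="2020-11-13 18:26:17" pri=5 action=pass logtype="filter"',
    'Nov 13 18:24:10 srv-log-01 sshd[1234]: Accepted publickey for alex',
]


def parse_stormshield(line: str) -> Dict[str, str]:
    """Return the key=value fields of one Stormshield firewall event, or an
    empty dict when the line does not carry the prematch string."""
    pos = line.find(PREMATCH)
    if pos < 0:
        return {}
    fields: Dict[str, str] = {}
    for m in _KV.finditer(line[pos:]):
        key, _, quoted, bare = m.groups()
        fields[key] = quoted if quoted is not None else bare
    return fields


def has_wrap_artifact(line: str) -> bool:
    """True when the event body contains a run of two or more spaces, which
    is how the terminal-wrapped archive lines in the thread look
    ("tz             =+0100"). Such a line loses fields silently, so check
    the source before loosening the decoder."""
    pos = line.find(PREMATCH)
    return pos >= 0 and re.search(r"\S {2,}\S", line[pos:]) is not None


# Stormshield key -> Wazuh static field name (assumed mapping for this example).
WAZUH_FIELD_MAP = {
    "src": "srcip", "dst": "dstip", "srcport": "srcport",
    "dstport": "dstport", "proto": "protocol", "action": "action",
}


def to_wazuh_fields(fields: Dict[str, str]) -> Dict[str, str]:
    """Rename the keys that have a Wazuh static field equivalent; keys with
    no equivalent (ruleid, srcif, ...) are left to dynamic fields."""
    return {w: fields[s] for s, w in WAZUH_FIELD_MAP.items() if s in fields}


def blocked_events(lines: List[str]) -> List[Tuple[str, str, str]]:
    """Detection helper: (src, dst, ruleid) for every event the firewall
    blocked. Non-Stormshield lines and events without action=block are skipped."""
    out: List[Tuple[str, str, str]] = []
    for line in lines:
        f = parse_stormshield(line)
        if f.get("action") == "block":
            out.append((f["src"], f["dst"], f.get("ruleid", "")))
    return out


if __name__ == "__main__":
    for line in SAMPLE_LINES:
        f = parse_stormshield(line)
        flag = " (wrapped whitespace, fields lost)" if has_wrap_artifact(line) else ""
        print(f"{len(f):2d} fields{flag}: {to_wazuh_fields(f)}")
    print("blocked:", blocked_events(SAMPLE_LINES))
```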

Humbert Gast

Nov 16, 2020, 4:23:20 PM
to Juan Pablo Saez, Wazuh mailing list
Hi JP,

Thanks a lot. I replaced all the decoders with the latest ones and restarted wazuh-manager, but there are still no logs in Kibana (with a filter on rule.id or decoder.name).

Regards,
Alex




Juan Pablo Saez

Nov 17, 2020, 10:03:47 AM
to Wazuh mailing list

Hey Humbert,

Thanks a lot. I replaced all the decoders with the latest ones and restarted wazuh-manager, but there are still no logs in Kibana (with a filter on rule.id or decoder.name).

This is weird. Could you enter the example logs you pasted into the ossec-logtest binary and paste the output here? Remember to remove the 2020 Nov 13 18:24:10 srv-log-01->192.168.80.254 portion.

I hope we sort it soon! Greetings,

JP


Humbert Gast

Nov 18, 2020, 11:22:15 AM
to Juan Pablo Saez, Wazuh mailing list
Hi JP,

I forgot to put the Wazuh mailing list on my previous emails, so perhaps you didn't receive them.

I found the problem was in the prematch rule, perhaps the spaces?
I replaced <prematch>asqd - - - id=firewall</prematch> with <prematch>id=firewall</prematch> and alerts now go to the Kibana dashboard!!

Is it normal to get this kind of message on the dashboard? With the Sophos FW I don't have this warning.
Regards,
Alex



On Wed, 18 Nov 2020 at 11:32, Humbert Gast <micr...@gmail.com> wrote:
Hi JP,

To test with my other FW, I added this decoder:

<decoder name="fwsophos_decoder_ulogd">
  <prematch>sophos ulogd</prematch>
</decoder>

<decoder name="fwsophos_decoder_ulogd_1">
    <parent>fwsophos_decoder_ulogd</parent>
    <regex>id="(\.*)" severity="(\.*)" sys="(\.*)" sub="(\.*)" name="(\.*)" action="(\.*)" fwrule="(\.*)" initf="(\.*)" outitf="(\.*)" srcmac="(\S+)" dstmac="(\S+)" srcip="(\.*)" dstip="(\.*)" proto="(\.*)" length="(\.*)" tos="(\.*)" prec="(\.*)" ttl="(\.*)" srcport="(\.*)" dstport="(\.*)"</regex>
    <order>id, severity, sys, sub, name, action, fwrule, initf, outitf, srcmac, dstmac, srcip, dstip, proto, length, tos, prec, ttl, srcport, dstport</order>
</decoder>

And this rule:
<!-- Sophos fw -->
<rule id="100006" level="5">
  <decoded_as>fwsophos_decoder_ulogd</decoded_as>
  <description>Sophos fw logs grouping rule</description>
</rule>

With logtest I get the same good result as with the Stormshield FW, but I can see this on the Kibana dashboard....

Regards,
Alex


On Tue, 17 Nov 2020 at 20:50, Humbert Gast <micr...@gmail.com> wrote:
Hi JP,

Thanks a lot and sorry for my late answer.

Yes, I checked with and without the spaces and with the header in logtest, and it was always good... But in Kibana nothing appears... So I don't understand...

Example with the full log (header and spaces) = OK
# /var/ossec/bin/ossec-logtest
2020/11/17 20:37:44 ossec-testrule: INFO: Started (pid: 239577).

ossec-testrule: Type one log per line.

2020 Nov 13 18:24:10 srv-log-01->192.168.80.254 1 2020-11-13T18:26:18+01:00 FW01-DCL asqd - - - id=firewall time="2020-11-13 18:26:18" fw="FW01-DCL" tz             =+0100 startime="2020-11-13 18:26:17" pri=5 confid=00 slotlevel=2 ruleid=12 rulename="17457b97272_8" srcif="ipsec" srcifname="ipsec" ipproto=icmp icmpt             ype=3 icmpcode=1 proto=icmp src=10.0.51.6 srcname=10.0.51.6 srcmac=30:7c:5e:03:a7:00 dst=192.168.80.254 dstname=Firewall_inside ipv=4 sent=0 rcvd=0 dur             ation=0.00 action=pass logtype="filter"


**Phase 1: Completed pre-decoding.
       full event: '2020 Nov 13 18:24:10 srv-log-01->192.168.80.254 1 2020-11-13T18:26:18+01:00 FW01-DCL asqd - - - id=firewall time="2020-11-13 18:26:18" fw="FW01-DCL" tz             =+0100 startime="2020-11-13 18:26:17" pri=5 confid=00 slotlevel=2 ruleid=12 rulename="17457b97272_8" srcif="ipsec" srcifname="ipsec" ipproto=icmp icmpt             ype=3 icmpcode=1 proto=icmp src=10.0.51.6 srcname=10.0.51.6 srcmac=30:7c:5e:03:a7:00 dst=192.168.80.254 dstname=Firewall_inside ipv=4 sent=0 rcvd=0 dur             ation=0.00 action=pass logtype="filter"'
       timestamp: '2020 Nov 13 18:24:10'
       hostname: 'srv-log-01'
       program_name: '(null)'
       log: 'srv-log-01->192.168.80.254 1 2020-11-13T18:26:18+01:00 FW01-DCL asqd - - - id=firewall time="2020-11-13 18:26:18" fw="FW01-DCL" tz             =+0100 startime="2020-11-13 18:26:17" pri=5 confid=00 slotlevel=2 ruleid=12 rulename="17457b97272_8" srcif="ipsec" srcifname="ipsec" ipproto=icmp icmpt             ype=3 icmpcode=1 proto=icmp src=10.0.51.6 srcname=10.0.51.6 srcmac=30:7c:5e:03:a7:00 dst=192.168.80.254 dstname=Firewall_inside ipv=4 sent=0 rcvd=0 dur             ation=0.00 action=pass logtype="filter"'


**Phase 2: Completed decoding.
       decoder: 'stormshield_decoder'
       time: '2020-11-13 18:26:18'
       fw: 'FW01-DCL'
       pri: '5'
       confid: '00'
       slotlevel: '2'
       srcifname: 'ipsec'
       ipproto: 'icmp'
       proto: 'icmp'
       src: '10.0.51.6'
       srcname: '10.0.51.6'
       srcmac: '30:7c:5e:03:a7:00'
       sent: '0'
       rcvd: '0'

       logtype: 'filter'

**Phase 3: Completed filtering (rules).
       Rule id: '100005'
       Level: '5'
       Description: 'Stormshield logs grouping rule'
**Alert to be generated.


Example with the whole log (start, without spaces) = OK

2020 Nov 13 18:24:10 srv-log-01->192.168.80.254 1 2020-11-13T18:26:18+01:00 FW01-DCL asqd - - - id=firewall time="2020-11-13 18:26:18" fw="FW01-DCL" tz=+0100 startime="2020-11-13 18:26:17" pri=5 confid=00 slotlevel=2 ruleid=12 rulename="17457b97272_8" srcif="ipsec" srcifname="ipsec" ipproto=icmp icmptype=3 icmpcode=1 proto=icmp src=10.0.51.6 srcname=10.0.51.6 srcmac=30:7c:5e:03:a7:00 dst=192.168.80.254 dstname=Firewall_inside ipv=4 sent=0 rcvd=0 duration=0.00 action=pass logtype="filter"


**Phase 1: Completed pre-decoding.
       full event: '2020 Nov 13 18:24:10 srv-log-01->192.168.80.254 1 2020-11-13T18:26:18+01:00 FW01-DCL asqd - - - id=firewall time="2020-11-13 18:26:18" fw="FW01-DCL" tz=+0100 startime="2020-11-13 18:26:17" pri=5 confid=00 slotlevel=2 ruleid=12 rulename="17457b97272_8" srcif="ipsec" srcifname="ipsec" ipproto=icmp icmptype=3 icmpcode=1 proto=icmp src=10.0.51.6 srcname=10.0.51.6 srcmac=30:7c:5e:03:a7:00 dst=192.168.80.254 dstname=Firewall_inside ipv=4 sent=0 rcvd=0 duration=0.00 action=pass logtype="filter"'
       timestamp: '2020 Nov 13 18:24:10'
       hostname: 'srv-log-01'
       program_name: '(null)'
       log: 'srv-log-01->192.168.80.254 1 2020-11-13T18:26:18+01:00 FW01-DCL asqd - - - id=firewall time="2020-11-13 18:26:18" fw="FW01-DCL" tz=+0100 startime="2020-11-13 18:26:17" pri=5 confid=00 slotlevel=2 ruleid=12 rulename="17457b97272_8" srcif="ipsec" srcifname="ipsec" ipproto=icmp icmptype=3 icmpcode=1 proto=icmp src=10.0.51.6 srcname=10.0.51.6 srcmac=30:7c:5e:03:a7:00 dst=192.168.80.254 dstname=Firewall_inside ipv=4 sent=0 rcvd=0 duration=0.00 action=pass logtype="filter"'


**Phase 2: Completed decoding.
       decoder: 'stormshield_decoder'
       time: '2020-11-13 18:26:18'
       fw: 'FW01-DCL'
       tz: '+0100'
       startime: '2020-11-13 18:26:17'
       pri: '5'
       confid: '00'
       slotlevel: '2'
       srcifname: 'ipsec'
       ipproto: 'icmp'
       proto: 'icmp'
       src: '10.0.51.6'
       srcname: '10.0.51.6'
       srcmac: '30:7c:5e:03:a7:00'

       sent: '0'
       rcvd: '0'
       duration: '0.00'
       action: 'pass'

       logtype: 'filter'

**Phase 3: Completed filtering (rules).
       Rule id: '100005'
       Level: '5'
       Description: 'Stormshield logs grouping rule'
**Alert to be generated.

Example without the start part, with spaces = OK

1 2020-11-13T18:26:18+01:00 FW01-DCL asqd - - - id=firewall time="2020-11-13 18:26:18" fw="FW01-DCL" tz             =+0100 startime="2020-11-13 18:26:17" pri=5 confid=00 slotlevel=2 ruleid=12 rulename="17457b97272_8" srcif="ipsec" srcifname="ipsec" ipproto=icmp icmpt             ype=3 icmpcode=1 proto=icmp src=10.0.51.6 srcname=10.0.51.6 srcmac=30:7c:5e:03:a7:00 dst=192.168.80.254 dstname=Firewall_inside ipv=4 sent=0 rcvd=0 dur             ation=0.00 action=pass logtype="filter"


**Phase 1: Completed pre-decoding.
       full event: '1 2020-11-13T18:26:18+01:00 FW01-DCL asqd - - - id=firewall time="2020-11-13 18:26:18" fw="FW01-DCL" tz             =+0100 startime="2020-11-13 18:26:17" pri=5 confid=00 slotlevel=2 ruleid=12 rulename="17457b97272_8" srcif="ipsec" srcifname="ipsec" ipproto=icmp icmpt             ype=3 icmpcode=1 proto=icmp src=10.0.51.6 srcname=10.0.51.6 srcmac=30:7c:5e:03:a7:00 dst=192.168.80.254 dstname=Firewall_inside ipv=4 sent=0 rcvd=0 dur             ation=0.00 action=pass logtype="filter"'
       timestamp: '(null)'
       hostname: 'srv-log-01'
       program_name: '(null)'
       log: '1 2020-11-13T18:26:18+01:00 FW01-DCL asqd - - - id=firewall time="2020-11-13 18:26:18" fw="FW01-DCL" tz             =+0100 startime="2020-11-13 18:26:17" pri=5 confid=00 slotlevel=2 ruleid=12 rulename="17457b97272_8" srcif="ipsec" srcifname="ipsec" ipproto=icmp icmpt             ype=3 icmpcode=1 proto=icmp src=10.0.51.6 srcname=10.0.51.6 srcmac=30:7c:5e:03:a7:00 dst=192.168.80.254 dstname=Firewall_inside ipv=4 sent=0 rcvd=0 dur             ation=0.00 action=pass logtype="filter"'


**Phase 2: Completed decoding.
       decoder: 'stormshield_decoder'
       time: '2020-11-13 18:26:18'
       fw: 'FW01-DCL'
       pri: '5'
       confid: '00'
       slotlevel: '2'
       srcifname: 'ipsec'
       ipproto: 'icmp'
       proto: 'icmp'
       src: '10.0.51.6'
       srcname: '10.0.51.6'
       srcmac: '30:7c:5e:03:a7:00'
       sent: '0'
       rcvd: '0'

       logtype: 'filter'

**Phase 3: Completed filtering (rules).
       Rule id: '100005'
       Level: '5'
       Description: 'Stormshield logs grouping rule'
**Alert to be generated.

Example without the start part and without spaces = OK
1 2020-11-13T18:26:18+01:00 FW01-DCL asqd - - - id=firewall time="2020-11-13 18:26:18" fw="FW01-DCL" tz=+0100 startime="2020-11-13 18:26:17" pri=5 confid=00 slotlevel=2 ruleid=12 rulename="17457b97272_8" srcif="ipsec" srcifname="ipsec" ipproto=icmp icmptype=3 icmpcode=1 proto=icmp src=10.0.51.6 srcname=10.0.51.6 srcmac=30:7c:5e:03:a7:00 dst=192.168.80.254 dstname=Firewall_inside ipv=4 sent=0 rcvd=0 duration=0.00 action=pass logtype="filter"


**Phase 1: Completed pre-decoding.
       full event: '1 2020-11-13T18:26:18+01:00 FW01-DCL asqd - - - id=firewall time="2020-11-13 18:26:18" fw="FW01-DCL" tz=+0100 startime="2020-11-13 18:26:17" pri=5 confid=00 slotlevel=2 ruleid=12 rulename="17457b97272_8" srcif="ipsec" srcifname="ipsec" ipproto=icmp icmptype=3 icmpcode=1 proto=icmp src=10.0.51.6 srcname=10.0.51.6 srcmac=30:7c:5e:03:a7:00 dst=192.168.80.254 dstname=Firewall_inside ipv=4 sent=0 rcvd=0 duration=0.00 action=pass logtype="filter"'
       timestamp: '(null)'
       hostname: 'srv-log-01'
       program_name: '(null)'
       log: '1 2020-11-13T18:26:18+01:00 FW01-DCL asqd - - - id=firewall time="2020-11-13 18:26:18" fw="FW01-DCL" tz=+0100 startime="2020-11-13 18:26:17" pri=5 confid=00 slotlevel=2 ruleid=12 rulename="17457b97272_8" srcif="ipsec" srcifname="ipsec" ipproto=icmp icmptype=3 icmpcode=1 proto=icmp src=10.0.51.6 srcname=10.0.51.6 srcmac=30:7c:5e:03:a7:00 dst=192.168.80.254 dstname=Firewall_inside ipv=4 sent=0 rcvd=0 duration=0.00 action=pass logtype="filter"'


**Phase 2: Completed decoding.
       decoder: 'stormshield_decoder'
       time: '2020-11-13 18:26:18'
       fw: 'FW01-DCL'
       tz: '+0100'
       startime: '2020-11-13 18:26:17'
       pri: '5'
       confid: '00'
       slotlevel: '2'
       srcifname: 'ipsec'
       ipproto: 'icmp'
       proto: 'icmp'
       src: '10.0.51.6'
       srcname: '10.0.51.6'
       srcmac: '30:7c:5e:03:a7:00'

       sent: '0'
       rcvd: '0'
       duration: '0.00'
       action: 'pass'

       logtype: 'filter'

**Phase 3: Completed filtering (rules).
       Rule id: '100005'
       Level: '5'
       Description: 'Stormshield logs grouping rule'
**Alert to be generated.

--
You received this message because you are subscribed to the Google Groups "Wazuh mailing list" group.
To unsubscribe from this group and stop receiving emails from it, send an email to wazuh+un...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/wazuh/dee13ba7-b7ac-406b-8be9-53746d2b5bc1o%40googlegroups.com.
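As an added illustration of what the four logtest runs above show (this is not code from the thread or from Wazuh): a small key=value field extractor in the shape of the Stormshield `id=firewall` format, run over the tested event once clean and once with the runs of spaces that the pasted copies carry inside the keys tz, icmptype and duration. The check it adds, `field_drift`, reports which fields a malformed copy silently lost and which junk keys it gained; a decoder that drops `action` never fails loudly, so this is the comparison to run on a sample of live events before trusting rules that key on those fields. Wazuh's decoder uses its own regex syntax rather than a generic tokenizer, and one `<regex>` that captures several fields matches or fails as a whole, which is consistent with startime and action also vanishing next to tz and duration in the spaced runs above; the per-key model here loses only the keys the spaces actually split. The sample events and the function names are constructed for this example.

```python
import re
from typing import Dict, List, Tuple

# Constructed from the event tested in the thread: the Stormshield 'id=firewall'
# line as the firewall emits it (the header-less variant used in the last run).
CLEAN_EVENT = " ".join([
    '1 2020-11-13T18:26:18+01:00 FW01-DCL asqd - - - id=firewall',
    'time="2020-11-13 18:26:18" fw="FW01-DCL" tz=+0100 startime="2020-11-13 18:26:17"',
    'pri=5 confid=00 slotlevel=2 ruleid=12 rulename="17457b97272_8" srcif="ipsec"',
    'srcifname="ipsec" ipproto=icmp icmptype=3 icmpcode=1 proto=icmp src=10.0.51.6',
    'srcname=10.0.51.6 srcmac=30:7c:5e:03:a7:00 dst=192.168.80.254 dstname=Firewall_inside',
    'ipv=4 sent=0 rcvd=0 duration=0.00 action=pass logtype="filter"',
])

# The same event with the runs of spaces the pasted copies in the thread carry
# inside three keys (the variant labelled "with spaces" above). Constructed.
SPACED_EVENT = (
    CLEAN_EVENT
    .replace("tz=+0100", "tz             =+0100")
    .replace("icmptype=3", "icmpt             ype=3")
    .replace("duration=0.00", "dur             ation=0.00")
)

# One key=value pair: a word key, '=', then either a double-quoted value (which
# may contain spaces, e.g. time="2020-11-13 18:26:18") or a run of non-space
# characters. This mirrors the Stormshield format, not Wazuh's decoder syntax.
KV_PAIR = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_kv(event: str) -> Dict[str, str]:
    """Extract key=value fields from one event.

    The syslog header ('1 2020-11-13T18:26:18+01:00 FW01-DCL asqd - - -') carries
    no '=' and is skipped. A key separated from its '=' by spaces no longer
    matches, so that field is lost; the fragment after the spaces becomes a junk key.
    """
    fields: Dict[str, str] = {}
    for match in KV_PAIR.finditer(event):
        key, quoted, bare = match.groups()
        fields[key] = quoted if quoted is not None else bare
    return fields


def field_drift(reference: str, event: str) -> Tuple[List[str], List[str]]:
    """Compare the fields decoded from `event` against a known-good `reference` event.

    Returns (missing, unexpected): keys the reference yields but the event lost,
    and keys the event yields that the reference never had. Either list being
    non-empty means the decoder is seeing a shape it was not written for.
    """
    ref_keys = set(parse_kv(reference))
    got_keys = set(parse_kv(event))
    return sorted(ref_keys - got_keys), sorted(got_keys - ref_keys)


if __name__ == "__main__":
    clean = parse_kv(CLEAN_EVENT)
    print(f"{len(clean)} fields decoded from the clean event; action={clean['action']!r}")
    missing, unexpected = field_drift(CLEAN_EVENT, SPACED_EVENT)
    print("spaced copy lost:", missing)
    print("spaced copy gained junk keys:", unexpected)
```

Run stand-alone, the script reports that the clean event yields 27 fields, while the spaced copy loses `duration`, `icmptype` and `tz` and gains the fragments `ation` and `ype`. The same comparison against a handful of events captured from the real syslog feed (rather than pasted from a terminal) is the quickest way to confirm that the spacing seen in logtest is a copy artefact and not something the firewall or relay actually sends.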

Humbert Gast

Nov 24, 2020, 10:22:24 AM11/24/20
to Juan Pablo Saez, Wazuh mailing list
Hi JP,

Have you seen my previous mail?

regards,
Alex

Juan Pablo Saez

Dec 2, 2020, 10:52:51 AM12/2/20
to Wazuh mailing list
Hello again Humbert, 

First of all sorry for the late reply. 

I found the problem was in the prematch rule, perhaps the space?
I replaced <prematch>asqd - - - id=firewall</prematch> with <prematch>id=firewall</prematch> and alerts go to the Kibana dashboard!!

I'm glad you completed the fine-tuning over the decoders! Let me know if you find further issues with the decoders or rules.

Is it normal to get this kind of message on the dashboard? With the Sophos FW I don't have this warning.

Seems like you should refresh the alerts index pattern. You should go to Kibana > Stack Management > Index patterns, select the wazuh-alerts index pattern and click the refresh button at the top right corner ("Refresh field list").



I hope it helps, let me know how it goes.

JP

Humbert Gast

Dec 3, 2020, 10:19:40 AM12/3/20
to Wazuh mailing list
Hi JP,

Thanks a lot, after refresh all seems to be good.

Regards,
Alex