Stormshield syslog decoders


wn3r3r

Oct 13, 2023, 8:02:02 AM
to Wazuh | Mailing List
Hello Guys,
I am trying to write decoders and rules for the Stormshield firewall, whose logs are in syslog format.

I have already gone through the previous threads in the Wazuh group with some example decoders written for Stormshield. But the problem is that the decoder is not dynamic and it misses a lot of fields during the decoding phase.

I managed to extract all fields in one type of log, but the same does not work for others. I thought of writing something like a generic dynamic decoder for Stormshield syslog.

Example Logs:
```
id=firewall time="2022-03-17 14:49:51" fw="SN12345678912345" tz=+0100 startime="2022-03-17 14:49:51" pri=5 confid=01 slotlevel=5 ruleid=48 srcif="Ethernet3" srcifname="in" ipproto=tcp dstif="Ethernet2" dstifname="out" proto=https src=55.66.77.88 srcport=39618 srcportname=ephemeral_fw_tcp srcname=MGDFS-Proxy-02 srcmac=00:00:00:00:00:00 dst=11.22.33.44 dstport=443 dstportname=https dstcontinent="na" dstcountry="us" ipv=4 sent=0 rcvd=0 duration=0.00 logtype="filter"

id=firewall time="2022-03-03 14:21:10" fw="SN12345678912345" tz=+0100 startime="2022-03-03 14:21:10" pri=5 confid=01 slotlevel=2 ruleid=100 srcif="Ethernet3" srcifname="in" ipproto=tcp dstif="Ethernet2" dstifname="out" proto=https src=42.123.123.123 srcport=60355 srcportname=ad2009-dyn_tcp srcname=DLEM-AMPD02 srcmac=00:00:00:00:00:00 dst=11.11.11.11 dstport=443 dstportname=https dstname=example_dest dstcontinent="na" dstcountry="us" ipv=4 sent=0 rcvd=0 duration=2.00 action=pass logtype="filter"

id=firewall "time="2022-03-16 19:36:03" fw="SN12345678912345" tz=+0100 startime="" pri=5 confid=01 slotlevel=2 ruleid=103 srcif="Ethernet3" srcifname="in" ipproto=tcp dstif="Ethernet2" dstifname="out" proto=https src=11.11.11.11 srcport=49586 srcportname=ephemeral_fw_tcp srcname=foo_bar srcmac=00:00:00:00:00:00 srccontinent="na" srccountry="us" dst=22.22.22.22 dstport=443 dstportname=https dstcontinent="eu" dstcountry="be" modsrc=11.11.11.11 modsrcport=49586 origdst=22.22.22.22 origdstport=443 ipv=4 sent=2827291 rcvd=2728401 duration=107331.18 action=pass logtype="connection"
```

Decoder:
```
<decoder name="stormshield_decoder">
 <prematch>id=firewall</prematch>
</decoder>

<decoder name="stormshield_decoder_1">
   <parent>stormshield_decoder</parent>
   <regex>time="(\.*)" fw="(\.*)"</regex>
   <order>time, fw</order>
</decoder>

<decoder name="stormshield_decoder_1">
   <parent>stormshield_decoder</parent>
   <regex>tz=(\S+) startime="(\.*)"</regex>
   <order>tz, startime</order>
</decoder>

<decoder name="stormshield_decoder_1">
   <parent>stormshield_decoder</parent>
   <regex>pri=(\S+) confid=(\S+) slotlevel=(\S+)</regex>
   <order>pri, confid, slotlevel</order>
</decoder>

<decoder name="stormshield_decoder_1">
   <parent>stormshield_decoder</parent>
   <regex offset="after_regex">ruleid=(\S+) srcif="(\.*)"</regex>
   <order>ruleid, srcif</order>
</decoder>

<decoder name="stormshield_decoder_1">
   <parent>stormshield_decoder</parent>
   <regex offset="after_regex">srcifname="(\.*)" ipproto=(\S+)</regex>
   <order>srcifname, ipproto</order>
</decoder>

<decoder name="stormshield_decoder_1">
   <parent>stormshield_decoder</parent>
   <regex offset="after_regex">proto=(\S+) src=(\S+)</regex>
   <order>proto, src</order>
</decoder>

<decoder name="stormshield_decoder_1">
   <parent>stormshield_decoder</parent>
   <regex offset="after_regex">srcname=(\S+) srcmac=(\S+)</regex>
   <order>srcname, srcmac</order>
</decoder>

<decoder name="stormshield_decoder_1">
   <parent>stormshield_decoder</parent>
   <regex offset="after_regex">dst=(\S+) ipv=(\S+)</regex>
   <order>dst, ipv</order>
</decoder>

<decoder name="stormshield_decoder_1">
   <parent>stormshield_decoder</parent>
   <regex offset="after_regex">sent=(\S+) rcvd=(\S+)</regex>
   <order>sent, rcvd</order>
</decoder>

<decoder name="stormshield_decoder_1">
   <parent>stormshield_decoder</parent>
   <regex offset="after_regex">duration=(\S+) action=(\S+)</regex>
   <order>duration, action</order>
</decoder>

<decoder name="stormshield_decoder_1">
   <parent>stormshield_decoder</parent>
   <regex offset="after_regex">logtype="(\.*)"</regex>
   <order>logtype</order>
</decoder>
```

Rule:
```
<rule id="100010" level="5">
 <decoded_as>stormshield_decoder</decoded_as>
 <description>Stormshield logs grouping rule</description>
</rule>
```

Octavio Valle López

Oct 18, 2023, 10:17:24 AM
to Wazuh | Mailing List

Hi,

In this case, it's best to separate each regex individually to prevent any issues with the sequence of the regex you're using.
Instead of handling two fields simultaneously in the decoder, process them one by one, even if they have some interdependencies.
If we tie ourselves to two fields, we force the rule matcher to be more extreme when it comes to individualizing fields.

Below is the documentation that explains what I'm referring to, along with the feature you need to use.


https://documentation.wazuh.com/current/user-manual/ruleset/ruleset-xml-syntax/sibling-decoders.html
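Applying that advice to the log lines from the first post, here is a decoder set with one field per sibling decoder. This is an added example written for this thread, not code from Wazuh or from the poster; the decoder and rule names, the rule id 100011 and the choice of fields are assumptions. Every regex is unanchored and carries no `offset`, so it is searched independently in the whole message: a key that is absent from one logtype (for instance `action` in the first sample) simply contributes no field, and the remaining siblings are still evaluated. Compared with the original decoder, fields no longer have to be adjacent or in a fixed order.

```xml
<!-- Added example (not from the thread). Parent: prematch only, so all
     children below are considered for every Stormshield line. -->
<decoder name="stormshield_kv">
  <prematch>id=firewall</prematch>
</decoder>

<!-- Sibling decoders: same name, same parent, one field each.
     Quoted values use "(\.*)" (OSSEC regex: \. is any character),
     bare values use (\S+), exactly as in the original decoder. -->
<decoder name="stormshield_kv_field">
  <parent>stormshield_kv</parent>
  <regex>time="(\.*)"</regex>
  <order>time</order>
</decoder>
<decoder name="stormshield_kv_field">
  <parent>stormshield_kv</parent>
  <regex>fw="(\.*)"</regex>
  <order>fw</order>
</decoder>
<decoder name="stormshield_kv_field">
  <parent>stormshield_kv</parent>
  <regex>ruleid=(\S+)</regex>
  <order>ruleid</order>
</decoder>
<decoder name="stormshield_kv_field">
  <parent>stormshield_kv</parent>
  <regex>srcif="(\.*)"</regex>
  <order>srcif</order>
</decoder>
<decoder name="stormshield_kv_field">
  <parent>stormshield_kv</parent>
  <regex>ipproto=(\S+)</regex>
  <order>ipproto</order>
</decoder>
<decoder name="stormshield_kv_field">
  <parent>stormshield_kv</parent>
  <regex>proto=(\S+)</regex>
  <order>proto</order>
</decoder>
<decoder name="stormshield_kv_field">
  <parent>stormshield_kv</parent>
  <regex>src=(\S+)</regex>
  <order>src</order>
</decoder>
<decoder name="stormshield_kv_field">
  <parent>stormshield_kv</parent>
  <regex>srcport=(\S+)</regex>
  <order>srcport</order>
</decoder>
<decoder name="stormshield_kv_field">
  <parent>stormshield_kv</parent>
  <regex>dst=(\S+)</regex>
  <order>dst</order>
</decoder>
<decoder name="stormshield_kv_field">
  <parent>stormshield_kv</parent>
  <regex>dstport=(\S+)</regex>
  <order>dstport</order>
</decoder>
<decoder name="stormshield_kv_field">
  <parent>stormshield_kv</parent>
  <regex>sent=(\S+)</regex>
  <order>sent</order>
</decoder>
<decoder name="stormshield_kv_field">
  <parent>stormshield_kv</parent>
  <regex>rcvd=(\S+)</regex>
  <order>rcvd</order>
</decoder>
<decoder name="stormshield_kv_field">
  <parent>stormshield_kv</parent>
  <regex>duration=(\S+)</regex>
  <order>duration</order>
</decoder>
<!-- Present only in some logtypes; when missing, the siblings after it
     still run because nothing depends on this match. -->
<decoder name="stormshield_kv_field">
  <parent>stormshield_kv</parent>
  <regex>action=(\S+)</regex>
  <order>action</order>
</decoder>
<decoder name="stormshield_kv_field">
  <parent>stormshield_kv</parent>
  <regex>logtype="(\.*)"</regex>
  <order>logtype</order>
</decoder>

<!-- Rule using one of the independently decoded fields (id assumed). -->
<rule id="100011" level="3">
  <decoded_as>stormshield_kv</decoded_as>
  <field name="logtype">^connection$</field>
  <description>Stormshield connection record (logtype=connection)</description>
</rule>
```

Place the decoders under `/var/ossec/etc/decoders/` and the rule under `/var/ossec/etc/rules/`, then paste one of the three sample lines into `/var/ossec/bin/wazuh-logtest`; each field listed in an `<order>` that matched appears in the decoded output, and the third line should also fire rule 100011. One caveat: each regex returns its first match in the message, so keys that are suffixes of other keys (`src` inside `modsrc`, `dst` inside `origdst`, `time` inside `startime`, `srcport` inside `modsrcport`) rely on the short key appearing first, which holds for the sample lines; if a Stormshield log type puts the longer key first, prefix that regex with `\s` so it only matches the key at a field boundary.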

tech

Oct 27, 2023, 2:12:58 PM
to Octavio Valle López, Wazuh | Mailing List
Hello Octavio,
Separating the regexes worked.

Thanks.
