Sonicwall Logs not matched


Nicolas Pasquarè

Apr 14, 2020, 2:38:26 AM
to Wazuh mailing list
Hello everyone,
I'm new to the community and relatively new to Wazuh.
After installing all the components, I need to collect my SonicWall's logs and generate alerts. But at the moment the logs are not matched by any decoder.
The logs sent by my SonicWall are in this format:

{"timestamp":"2020-04-13T08:56:34.751+0000","agent":{"id":"000","name":"wazuhserver"},"manager":{"name":"wazuhserver"},"id":"1586768194.340214581","full_log":"  id=firewall sn=xxxxxxxx time=\"2020-04-13 10:56:34\" fw=x.x.x.x pri=6 c=1024 gcat=6 m=537 msg=\"Connection Closed\" src=x.x.x.x:51053:X2 srcZone=Encrypted dst=x.x.x.x:8443:X0 dstZone=Trusted proto=tcp/8443 sent=1644 rcvd=28917 spkt=19 rpkt=28 cdur=1483 rule=\"70 (VPN->LAN)\" vpnpolicy=\"TOI have runt\" app=49178 appName='General HTTPS MGMT' n=408226 fw_action=\"NA\" dpi=0","decoder":{},"location":"x.x.x.x"}

I have run logtest -v, but no decoder matches.
The decoders are the default ones, because I have read here that it would work.

Could you give me some ideas?

Thanks

Blason R

Apr 14, 2020, 4:50:28 AM
to Nicolas Pasquarè, Wazuh mailing list
Those seem to be in JSON format. I guess you can write your own parsers for JSON.


Jonathan Martín Valera

Apr 14, 2020, 6:34:23 AM
to Wazuh mailing list
Hi Nicolas Pasquarè,

I think that the log you shared corresponds to the event log generated in the manager, and not to the original SonicWall log.

In ossec-logtest you have to enter the original log (without the Wazuh headers). In your case, it would correspond to the "full_log" field, so we would have the following:

id=firewall sn=xxxxxxxx time=\"2020-04-13 10:56:34\" fw=x.x.x.x pri=6 c=1024 gcat=6 m=537 msg=\"Connection Closed\" src=x.x.x.x:51053:X2 srcZone=Encrypted dst=x.x.x.x:8443:X0 dstZone=Trusted proto=tcp/8443 sent=1644 rcvd=28917 spkt=19 rpkt=28 cdur=1483 rule=\"70 (VPN->LAN)\" vpnpolicy=\"TOI have runt\" app=49178 appName='General HTTPS MGMT' n=408226 fw_action=\"NA\" dpi=0

If we enter this log in ossec-logtest we get the following:

id=firewall sn=xxxxxxxx time=\"2020-04-13 10:56:34\" fw=x.x.x.x pri=6 c=1024 gcat=6 m=537 msg=\"Connection Closed\" src=x.x.x.x:51053:X2 srcZone=Encrypted dst=x.x.x.x:8443:X0 dstZone=Trusted proto=tcp/8443 sent=1644 rcvd=28917 spkt=19 rpkt=28 cdur=1483 rule=\"70 (VPN->LAN)\" vpnpolicy=\"TOI have runt\" app=49178 appName='General HTTPS MGMT' n=408226 fw_action=\"NA\" dpi=0

**Phase 1: Completed pre-decoding.
       full event: 'id=firewall sn=xxxxxxxx time=\"2020-04-13 10:56:34\" fw=x.x.x.x pri=6 c=1024 gcat=6 m=537 msg=\"Connection Closed\" src=x.x.x.x:51053:X2 srcZone=Encrypted dst=x.x.x.x:8443:X0 dstZone=Trusted proto=tcp/8443 sent=1644 rcvd=28917 spkt=19 rpkt=28 cdur=1483 rule=\"70 (VPN->LAN)\" vpnpolicy=\"TOI have runt\" app=49178 appName='General HTTPS MGMT' n=408226 fw_action=\"NA\" dpi=0'
       timestamp: '(null)'
       hostname: 'centos7-2'
       program_name: '(null)'
       log: 'id=firewall sn=xxxxxxxx time=\"2020-04-13 10:56:34\" fw=x.x.x.x pri=6 c=1024 gcat=6 m=537 msg=\"Connection Closed\" src=x.x.x.x:51053:X2 srcZone=Encrypted dst=x.x.x.x:8443:X0 dstZone=Trusted proto=tcp/8443 sent=1644 rcvd=28917 spkt=19 rpkt=28 cdur=1483 rule=\"70 (VPN->LAN)\" vpnpolicy=\"TOI have runt\" app=49178 appName='General HTTPS MGMT' n=408226 fw_action=\"NA\" dpi=0'

**Phase 2: Completed decoding.
       decoder: 'sonicwall'

**Phase 3: Completed filtering (rules).
       Rule id: '4800'
       Level: '0'
       Description: 'SonicWall messages grouped.'

As you can see, in this case it finds the sonicwall decoder and generates a level 0 alert.

In case you want to generate new related alerts, you will have to create a custom decoder to decode your fields and then a custom rule to generate alerts under the desired conditions.

Please check it and if you need help with the decoder or rules don't hesitate to ask.

I hope this information helps you :)

Nicolas Pasquarè

Apr 15, 2020, 3:37:09 AM
to Wazuh mailing list
Hi Jonathan,
Thanks for your answer.
OK, I understand, but the log that I published refers to a single string from the archives file; I think that is the same one that will be used for decoding.
Anyway, at the moment the logs sent from the SonicWall don't generate anything: if I go to the "Discover" section I can't see any logs, and I don't understand why, since the logs are sent to the Wazuh server.

Where am I wrong?

Thanks

Nicolas Pasquarè

Apr 15, 2020, 4:02:33 AM
to Wazuh mailing list
This is my SonicWall decoder file, which is the default one.

I have seen that if I remove the "\" in the time parameter it works, but you tell me that it works anyway.


Thanks
0295-sonicwall_decoders.xml

Jonathan Martín Valera

Apr 15, 2020, 10:18:52 AM
to Wazuh mailing list
Hi Nicolas Pasquarè,

Yes, the log you sent me was possibly from the archives.json file (hence that format, although you can also use archives.log).

What I was referring to is that if you want to test a specific log in the ossec-logtest tool, you have to enter the log as it is registered on the agent. In the archives file, Wazuh adds a series of additional headers to this log, so you cannot enter that string with those headers. In your case, the registered log corresponded to the full_log field.

I imagine that the original log would be the following:

id=firewall sn=xxxxxxxx time="2020-04-13 10:56:34" fw=x.x.x.x pri=6 c=1024 gcat=6 m=537 msg="Connection Closed" src=x.x.x.x:51053:X2 srcZone=Encrypted dst=x.x.x.x:8443:X0 dstZone=Trusted proto=tcp/8443 sent=1644 rcvd=28917 spkt=19 rpkt=28 cdur=1483 rule="70 (VPN->LAN)" vpnpolicy="TOI have runt" app=49178 appName='General HTTPS MGMT' n=408226 fw_action="NA" dpi=0

That is, without the \ characters (probably introduced by the JSON format of archives.json).

I've also seen that you've hidden some values and replaced them with "x". If we try the log with some fake values, we get the following:

Log

id=firewall sn=12345678 time="2020-04-13 10:56:34" fw=172.16.1.1 pri=6 c=1024 gcat=6 m=537 msg="Connection Closed" src=172.16.1.1:51053:X2 srcZone=Encrypted dst=172.16.1.1:8443:X0 dstZone=Trusted proto=tcp/8443 sent=1644 rcvd=28917 spkt=19 rpkt=28 cdur=1483 rule="70 (VPN->LAN)" vpnpolicy="TOI have runt" app=49178 appName='General HTTPS MGMT' n=408226 fw_action="NA" dpi=0"

Output

[root@centos]# /var/ossec/bin/ossec-logtest
2020/04/15 13:50:43 ossec-testrule: INFO: Started (pid: 26869).
ossec-testrule: Type one log per line.

id=firewall sn=12345678 time="2020-04-13 10:56:34" fw=172.16.1.1 pri=6 c=1024 gcat=6 m=537 msg="Connection Closed" src=172.16.1.1:51053:X2 srcZone=Encrypted dst=172.16.1.1:8443:X0 dstZone=Trusted proto=tcp/8443 sent=1644 rcvd=28917 spkt=19 rpkt=28 cdur=1483 rule="70 (VPN->LAN)" vpnpolicy="TOI have runt" app=49178 appName='General HTTPS MGMT' n=408226 fw_action="NA" dpi=0"


**Phase 1: Completed pre-decoding.
       full event: 'id=firewall sn=12345678 time="2020-04-13 10:56:34" fw=172.16.1.1 pri=6 c=1024 gcat=6 m=537 msg="Connection Closed" src=172.16.1.1:51053:X2 srcZone=Encrypted dst=172.16.1.1:8443:X0 dstZone=Trusted proto=tcp/8443 sent=1644 rcvd=28917 spkt=19 rpkt=28 cdur=1483 rule="70 (VPN->LAN)" vpnpolicy="TOI have runt" app=49178 appName='General HTTPS MGMT' n=408226 fw_action="NA" dpi=0"'
       timestamp: '(null)'
       hostname: 'ip-172-20-1-99'
       program_name: '(null)'
       log: 'id=firewall sn=12345678 time="2020-04-13 10:56:34" fw=172.16.1.1 pri=6 c=1024 gcat=6 m=537 msg="Connection Closed" src=172.16.1.1:51053:X2 srcZone=Encrypted dst=172.16.1.1:8443:X0 dstZone=Trusted proto=tcp/8443 sent=1644 rcvd=28917 spkt=19 rpkt=28 cdur=1483 rule="70 (VPN->LAN)" vpnpolicy="TOI have runt" app=49178 appName='General HTTPS MGMT' n=408226 fw_action="NA" dpi=0"'


**Phase 2: Completed decoding.
       decoder: 'sonicwall'
       status: '6'
       action: 'Connection Closed'


**Phase 3: Completed filtering (rules).
       Rule id: '4806'
       Level: '0'
       Description: 'SonicWall informational message.'

As you can see, it is decoding the status and action fields of the log and generating a level 0 alert that reports that a message from SonicWall has been received.

The reason why you don't see anything in the Discover section is that, since the alert is level 0, it is not stored or displayed. By default, only alerts with level 3 or higher are stored and displayed (see https://documentation.wazuh.com/3.12/user-manual/reference/ossec-conf/alerts.html#log-alert-level).

From this point on, you can do several things depending on your use case:

- Decrease <log_alert_level> to level 0 (not recommended).

- Create a child rule that increases the level of the alert, so that it is stored and can be displayed. To do this, add the following to /var/ossec/etc/rules/local_rules.xml:

<rule id="100050" level="3">
  <if_sid>4806</if_sid>
  <description>SonicWall informational message.</description>
</rule>

- In case you want to generate custom alerts based on the content of the log, you will have to create custom decoders to decode the fields, and then create custom alerts using those decoders. You can start by taking a look at the related sections (https://documentation.wazuh.com/3.12/user-manual/ruleset/custom.html).

I hope this information is helpful to you, and don't hesitate to ask :)

Best regards.

Nicolas Pasquarè

Apr 15, 2020, 11:09:20 AM
to Wazuh mailing list
OK, thanks so much for spending time explaining to me how it works.

Now I see that the decoder matches. I will try to understand better how to set up alerts.

Thanks again.

Nicolas Pasquarè

Apr 15, 2020, 11:27:57 AM
to Wazuh mailing list
Sorry Jonathan,
just one last thing.

In the SonicWall rules XML I have this attribute:
<rule id="4810" level="3">
    <if_sid>4806</if_sid>
    <id>^236$</id>
    <description>SonicWall: Firewall administrator login.</description>
    <group>authentication_success,pci_dss_10.2.5,gpg13_3.6,gdpr_IV_32.2,hipaa_164.312.b,nist_800_53_AU.14,nist_800_53_AC.7,</group>
</rule>


But where is this "id" taken from? In the decoder file I don't find any attribute related to it.
And logtest effectively stops here:


    *Rule 4800 matched.
       *Trying child rules.
    Trying rule: 4805 - SonicWall notice message.
    Trying rule: 4806 - SonicWall informational message.
       *Rule 4806 matched.
       *Trying child rules.
    Trying rule: 4810 - SonicWall: Firewall administrator login.

**Phase 3: Completed filtering (rules).
       Rule id: '4806'
       Level: '0'
       Description: 'SonicWall informational message.'

I need to match the rule above.

Thanks



Jonathan Martín Valera

Apr 16, 2020, 3:48:32 AM
to Wazuh mailing list
Hi Nicolas Pasquarè,

If we go to the documentation https://documentation.wazuh.com/3.12/user-manual/ruleset/ruleset-xml-syntax/rules.html#overview, we can see that the id field in the rule does the following:

"It will look for a match with the field decoded as ID"

Therefore, in order to trigger this rule, the decoder must decode the log's id field. With the log example you shared with me, only the status and action fields have been decoded.

For example, if we use this example log:

id=firewall sn=00301E0526B1 time="2004-04-01 10:39:35" fw=67.32.44.2 pri=5 c=64 m=36 msg="TCP connection dropped" n=2686 src=67.101.200.27:4507:WAN dst=67.32.44.2:445:LAN rule=0

we get the following result:

**Phase 1: Completed pre-decoding.
       full event: 'id=firewall sn=00301E0526B1 time="2004-04-01 10:39:35" fw=67.32.44.2 pri=5 c=64 m=36 msg="TCP connection dropped" n=2686 src=67.101.200.27:4507:WAN dst=67.32.44.2:445:LAN rule=0'
       timestamp: '(null)'
       hostname: '6a0538befc4c'
       program_name: '(null)'
       log: 'id=firewall sn=00301E0526B1 time="2004-04-01 10:39:35" fw=67.32.44.2 pri=5 c=64 m=36 msg="TCP connection dropped" n=2686 src=67.101.200.27:4507:WAN dst=67.32.44.2:445:LAN rule=0'


**Phase 2: Completed decoding.
       decoder: 'sonicwall'
       status: '5'
       action: 'TCP connection dropped'
       srcip: '67.101.200.27'
       srcport: '4507'
       dstip: '67.32.44.2'
       dstport: '445'


**Phase 3: Completed filtering (rules).
       Rule id: '4805'
       Level: '0'
       Description: 'SonicWall notice message.'

As you can see, in this case more fields have been decoded.

In order to help you with your use case, I need you to share one or more logs for which you want to generate an alert, specifying the condition under which it should be generated. For instance:

"I want to generate an alert here because the msg field contains 'connection dropped' and these are some example logs <your logs>..."

From this information, I will create a custom decoder (if necessary) and one or more rules for your use case.

I await your answer :)

Best regards.

Nicolas Pasquarè

Apr 16, 2020, 6:38:53 AM
to Wazuh mailing list
Hi Jonathan,

yes, that's my mission.

The "id" field, which is actually not decoded, I have inserted in my decoder file as below:

<decoder name="sonicwall-fields">
  <parent>sonicwall</parent>
  <regex offset="after_regex">m=(\S+)</regex>
  <order>id</order>
</decoder>

We have firmware version 6.5.4.4 on the SonicWall.
Actually the parameter "m" in the log identifies the "event id", so a type of message.

And I have, for example:

<rule id="4811" level="9">
    <if_sid>4801</if_sid>
    <id>^30$|^32$</id>
    <description>SonicWall: Firewall authentication failure.</description>
    <group>authentication_failed,pci_dss_10.2.4,pci_dss_10.2.5,gpg13_3.6,gdpr_IV_35.7.d,gdpr_IV_32.2,hipaa_164.312.b,nist_800_53_AU.14,nist_800_53_AC.7,</group>
</rule>

I expect that this rule will be matched if the first rule 4801 is matched and then if the log contains the id 30 or 32, isn't it?

And if yes, could I then insert as many child rules as I wish?

Thanks

Jonathan Martín Valera

Apr 16, 2020, 10:44:19 AM
to Wazuh mailing list
Hi Nicolas Pasquarè,

Yes, that rule will be activated if the first rule 4801 (which is the child of 4800) is matched and then if the log contains the id 30 or 32.

To create new custom rules, we have to carry out the following steps:

- Check whether our log matches some default rule. To do this, we use the tool /var/ossec/bin/ossec-logtest.

- If it is matched by an alert and we want to modify it, then we will have to create a child rule; otherwise, we create a new custom rule (which is not the child of any other).

I am going to show an example of creating child rules. In the event that we wanted to generate a custom alert as a child of rule 4100, we could do the following:

<rule id="100050" level="7">
  <if_sid>4100</if_sid>
  <description>SonicWall: This is my custom message</description>
</rule>

Note that in this child rule, we have changed the alert level from 0 to 7, and we have written a new description message.

To test it, we can do the following:

- Add a new decoder in /var/ossec/etc/decoders/local_decoder.xml for the necessary field, id:

<decoder name="sonicwall_custom">
  <parent>sonicwall</parent>
  <regex>m=(\S+)</regex>
  <order>id</order>
</decoder>

- Create the child rule mentioned above in /var/ossec/etc/rules/local_rules.xml:

<rule id="100050" level="7">
  <if_sid>4100</if_sid>
  <description>SonicWall: This is my custom message</description>
</rule>

- We create a test log for this case and test it with the tool /var/ossec/bin/ossec-logtest.

Custom log (m=30)

id=236 sn=12345678 time="2020-04-13 10:56:34" fw=172.16.1.1 pri=1 c=1024 gcat=6 m=30 msg="Connection Closed" src=172.16.1.1:51053:X2 srcZone=Encrypted dst=172.16.1.1:8443:X0 dstZone=Trusted proto=tcp/8443 sent=1644 rcvd=28917 spkt=19 rpkt=28 cdur=1483 rule="70 (VPN->LAN)" vpnpolicy="TOI have runt" app=49178 appName='General HTTPS MGMT' n=408226 fw_action="NA" dpi=0"

Output

**Phase 1: Completed pre-decoding.
       full event: 'id=236 sn=12345678 time="2020-04-13 10:56:34" fw=172.16.1.1 pri=1 c=1024 gcat=6 m=30 msg="Connection Closed" src=172.16.1.1:51053:X2 srcZone=Encrypted dst=172.16.1.1:8443:X0 dstZone=Trusted proto=tcp/8443 sent=1644 rcvd=28917 spkt=19 rpkt=28 cdur=1483 rule="70 (VPN->LAN)" vpnpolicy="TOI have runt" app=49178 appName='General HTTPS MGMT' n=408226 fw_action="NA" dpi=0"'
       timestamp: '(null)'
       hostname: 'centos7-2'
       program_name: '(null)'
       log: 'id=236 sn=12345678 time="2020-04-13 10:56:34" fw=172.16.1.1 pri=1 c=1024 gcat=6 m=30 msg="Connection Closed" src=172.16.1.1:51053:X2 srcZone=Encrypted dst=172.16.1.1:8443:X0 dstZone=Trusted proto=tcp/8443 sent=1644 rcvd=28917 spkt=19 rpkt=28 cdur=1483 rule="70 (VPN->LAN)" vpnpolicy="TOI have runt" app=49178 appName='General HTTPS MGMT' n=408226 fw_action="NA" dpi=0"'


**Phase 2: Completed decoding.
       decoder: 'sonicwall'
       id: '30'
       status: '1'


**Phase 3: Completed filtering (rules).
       Rule id: '100051'
       Level: '7'
       Description: 'SonicWall: This is my custom message'
**Alert to be generated.

I hope this information helps you.

Best regards.

Nicolas Pasquarè

Apr 17, 2020, 11:42:25 AM
to Wazuh mailing list
Hi Jonathan,
OK, I understand this. But why can't I use the same decoder and rule files?
The default files,
0295-sonicwall_decoders.xml and 0080-sonicwall_rules.xml?

Thanks

Nicolas Pasquarè

Apr 17, 2020, 1:57:29 PM
to Wazuh mailing list
Hi,
another thing: everything works if I use the decoder inside /var/ossec/ruleset/decoders/0295-sonicwall_decoders.xml; if I modify "local_decoders.xml" as you told me, it never matches.
Instead, it reads "local_rules.xml" correctly, but for this I had to enter overwrite="yes" in the rule:


<group name="sonicwall_admin_logon_error">
  <rule id="4811" level="9" overwrite="yes">
    <if_sid>4801</if_sid>
    <id>^30$|^32$</id>
    <description>Custom MSG -- SonicWall: Firewall authentication failure.</description>
    <group>authentication_failed,pci_dss_10.2.4,pci_dss_10.2.5,gpg13_3.6,gdpr_IV_35.7.d,gdpr_IV_32.2,hipaa_164.312.b,nist_800_53_AU.14,nist_800_53_AC.7,</group>
  </rule>
</group>

Instead, this:

<decoder name="sonicwall_custom">
  <parent>sonicwall</parent>
  <regex>m=(\S+)</regex>
  <order>id</order>
</decoder>

Doesn't work...

Thanks

Jonathan Martín Valera

Apr 20, 2020, 4:45:06 AM
to Wazuh mailing list
Hi Nicolas Pasquarè,

Answering the question in the first message: it is recommended not to modify the decoders and rules in their source files, because changes to any decoder file in the /var/ossec/ruleset/decoders folder will be lost in the update process, and the same thing happens with the rules (see the warnings in https://documentation.wazuh.com/3.12/user-manual/ruleset/custom.html).

Regarding the second message:

- You can overwrite a rule, or you can make a child of that rule. I shared a child rule with you, and it must work both ways.
- The local decoder should work. Maybe you have a syntax error or typo.

Next I am going to show you what is necessary to create a rule like id 4811.

- First I add the following decoders to decode the id and status fields:

<decoder name="sonicwall_custom">
  <parent>sonicwall</parent>
  <regex>m=(\S+)</regex>
  <order>id</order>
</decoder>

<decoder name="sonicwall_custom">
  <parent>sonicwall</parent>
  <regex>pri=(\S+)</regex>
  <order>status</order>
</decoder>

- I enter the log in the ossec-logtest tool and see which rule is triggered:

Custom log (m=30 pri=1)

id=236 sn=12345678 time="2020-04-13 10:56:34" fw=172.16.1.1 pri=1 c=1024 gcat=6 m=30 msg="Connection Closed" src=172.16.1.1:51053:X2 srcZone=Encrypted dst=172.16.1.1:8443:X0 dstZone=Trusted proto=tcp/8443 sent=1644 rcvd=28917 spkt=19 rpkt=28 cdur=1483 rule="70 (VPN->LAN)" vpnpolicy="TOI have runt" app=49178 appName='General HTTPS MGMT' n=408226 fw_action="NA" dpi=0"

**Phase 1: Completed pre-decoding.
       full event: 'id=236 sn=12345678 time="2020-04-13 10:56:34" fw=172.16.1.1 pri=1 c=1024 gcat=6 m=30 msg="Connection Closed" src=172.16.1.1:51053:X2 srcZone=Encrypted dst=172.16.1.1:8443:X0 dstZone=Trusted proto=tcp/8443 sent=1644 rcvd=28917 spkt=19 rpkt=28 cdur=1483 rule="70 (VPN->LAN)" vpnpolicy="TOI have runt" app=49178 appName='General HTTPS MGMT' n=408226 fw_action="NA" dpi=0"'
       timestamp: '(null)'
       hostname: 'centos7-2'
       program_name: '(null)'
       log: 'id=236 sn=12345678 time="2020-04-13 10:56:34" fw=172.16.1.1 pri=1 c=1024 gcat=6 m=30 msg="Connection Closed" src=172.16.1.1:51053:X2 srcZone=Encrypted dst=172.16.1.1:8443:X0 dstZone=Trusted proto=tcp/8443 sent=1644 rcvd=28917 spkt=19 rpkt=28 cdur=1483 rule="70 (VPN->LAN)" vpnpolicy="TOI have runt" app=49178 appName='General HTTPS MGMT' n=408226 fw_action="NA" dpi=0"'

**Phase 2: Completed decoding.
       decoder: 'sonicwall'
       id: '30'
       status: '1'

**Phase 3: Completed filtering (rules).
       Rule id: '4100'
       Level: '0'
       Description: 'Firewall rules grouped.'

- As you can see, rule 4100 has been triggered with level 0. I'm going to create a child rule that will be triggered when the id is 30 or 32 and the status starts with 1, just like rule 4811 does.

<rule id="100051" level="7">
  <if_sid>4100</if_sid>
  <id>^30$|^32$</id>
  <status>^1</status>
  <description>SonicWall: This is my custom message</description>
</rule>

- Finally I check the changes by re-entering the log in the tool ossec-logtest:

**Phase 1: Completed pre-decoding.
       full event: 'id=236 sn=12345678 time="2020-04-13 10:56:34" fw=172.16.1.1 pri=1 c=1024 gcat=6 m=30 msg="Connection Closed" src=172.16.1.1:51053:X2 srcZone=Encrypted dst=172.16.1.1:8443:X0 dstZone=Trusted proto=tcp/8443 sent=1644 rcvd=28917 spkt=19 rpkt=28 cdur=1483 rule="70 (VPN->LAN)" vpnpolicy="TOI have runt" app=49178 appName='General HTTPS MGMT' n=408226 fw_action="NA" dpi=0"'
       timestamp: '(null)'
       hostname: 'centos7-2'
       program_name: '(null)'
       log: 'id=236 sn=12345678 time="2020-04-13 10:56:34" fw=172.16.1.1 pri=1 c=1024 gcat=6 m=30 msg="Connection Closed" src=172.16.1.1:51053:X2 srcZone=Encrypted dst=172.16.1.1:8443:X0 dstZone=Trusted proto=tcp/8443 sent=1644 rcvd=28917 spkt=19 rpkt=28 cdur=1483 rule="70 (VPN->LAN)" vpnpolicy="TOI have runt" app=49178 appName='General HTTPS MGMT' n=408226 fw_action="NA" dpi=0"'

**Phase 2: Completed decoding.
       decoder: 'sonicwall'
       id: '30'
       status: '1'

**Phase 3: Completed filtering (rules).
       Rule id: '100051'
       Level: '7'
       Description: 'SonicWall: This is my custom message'
**Alert to be generated.

Try these changes. To clear up any doubt, I have attached the files used, /var/ossec/etc/decoders/local_decoder.xml and /var/ossec/etc/rules/local_rules.xml.

Best regards.
local_decoder.xml
local_rules.xml

Nicolas Pasquarè

Apr 20, 2020, 7:47:45 AM
to Wazuh mailing list
Hi Jonathan,
the rule that I added in local_rules.xml works very well; the problem is in local_decoders.xml, which is not matched, and for example the attribute "id" isn't decoded.

I don't understand why.
Also, in your debug output I see that the decoder name is "sonicwall" and not "sonicwall_custom".

Thanks

Jonathan Martín Valera

Apr 20, 2020, 10:17:25 AM
to Wazuh mailing list
Hi Nicolas Pasquarè,

Note that the decoder file is local_decoder.xml, not local_decoders.xml; maybe this could be the problem.

Yes, you are right: in the debug output it says that it is using the sonicwall decoder, but it's really using the custom decoder sonicwall_custom, because otherwise the fields id and status would not be decoded. I have also discussed this case with my core-team mates, and they have told me that for now it shows the first decoder that matches (in this case the parent, sonicwall).

In fact, if for example I remove the decoder that decodes the status field and try again, I can check that the custom decoder is indeed being used, even though that name is shown in the debug message.

**Phase 1: Completed pre-decoding.
       full event: 'id=236 sn=12345678 time="2020-04-13 10:56:34" fw=172.16.1.1 pri=1 c=1024 gcat=6 m=30 msg="Connection Closed" src=172.16.1.1:51053:X2 srcZone=Encrypted dst=172.16.1.1:8443:X0 dstZone=Trusted proto=tcp/8443 sent=1644 rcvd=28917 spkt=19 rpkt=28 cdur=1483 rule="70 (VPN->LAN)" vpnpolicy="TOI have runt" app=49178 appName='General HTTPS MGMT' n=408226 fw_action="NA" dpi=0"'
       timestamp: '(null)'
       hostname: 'centos7-2'
       program_name: '(null)'
       log: 'id=236 sn=12345678 time="2020-04-13 10:56:34" fw=172.16.1.1 pri=1 c=1024 gcat=6 m=30 msg="Connection Closed" src=172.16.1.1:51053:X2 srcZone=Encrypted dst=172.16.1.1:8443:X0 dstZone=Trusted proto=tcp/8443 sent=1644 rcvd=28917 spkt=19 rpkt=28 cdur=1483 rule="70 (VPN->LAN)" vpnpolicy="TOI have runt" app=49178 appName='General HTTPS MGMT' n=408226 fw_action="NA" dpi=0"'

**Phase 2: Completed decoding.
       decoder: 'sonicwall'
       id: '30'

**Phase 3: Completed filtering (rules).
       Rule id: '100051'
       Level: '7'
       Description: 'SonicWall: This is my custom message'
**Alert to be generated.

To start debugging your case, I would first use the files that I attached in the previous message, and from there make modifications until you find what the problem is.

As I mentioned, maybe it is a typo in the file name.

Best regards.

Nicolas Pasquarè

Apr 22, 2020, 10:54:44 AM
to Wazuh mailing list
Hi Jonathan,
no, it was a writing error. I'm using your file, but the decoder doesn't work.


root@wazuhserver:/var/ossec/etc/decoders# /var/ossec/bin/ossec-logtest
2020/04/22 14:54:16 ossec-testrule: INFO: Started (pid: 4320).
ossec-testrule: Type one log per line.

id=236 sn=12345678 time="2020-04-13 10:56:34" fw=172.16.1.1 pri=1 c=1024 gcat=6 m=30 msg="Connection Closed" src=172.16.1.1:51053:X2 srcZone=Encrypted dst=172.16.1.1:8443:X0 dstZone=Trusted proto=tcp/8443 sent=1644 rcvd=28917 spkt=19 rpkt=28 cdur=1483 rule="70 (VPN->LAN)" vpnpolicy="TOI have runt" app=49178 appName='General HTTPS MGMT' n=408226 fw_action="NA" dpi=0"


**Phase 1: Completed pre-decoding.
       full event: 'id=236 sn=12345678 time="2020-04-13 10:56:34" fw=172.16.1.1 pri=1 c=1024 gcat=6 m=30 msg="Connection Closed" src=172.16.1.1:51053:X2 srcZone=Encrypted dst=172.16.1.1:8443:X0 dstZone=Trusted proto=tcp/8443 sent=1644 rcvd=28917 spkt=19 rpkt=28 cdur=1483 rule="70 (VPN->LAN)" vpnpolicy="TOI have runt" app=49178 appName='General HTTPS MGMT' n=408226 fw_action="NA" dpi=0"'
       timestamp: '(null)'
       hostname: 'wazuhserver'
       program_name: '(null)'
       log: 'id=236 sn=12345678 time="2020-04-13 10:56:34" fw=172.16.1.1 pri=1 c=1024 gcat=6 m=30 msg="Connection Closed" src=172.16.1.1:51053:X2 srcZone=Encrypted dst=172.16.1.1:8443:X0 dstZone=Trusted proto=tcp/8443 sent=1644 rcvd=28917 spkt=19 rpkt=28 cdur=1483 rule="70 (VPN->LAN)" vpnpolicy="TOI have runt" app=49178 appName='General HTTPS MGMT' n=408226 fw_action="NA" dpi=0"'

**Phase 2: Completed decoding.
       decoder: 'sonicwall'
       status: '1'
       action: 'Connection Closed'

**Phase 3: Completed filtering (rules).
       Rule id: '4801'
       Level: '8'
       Description: 'SonicWall critical message.'
**Alert to be generated.

Thanks

Jonathan Martín Valera

Apr 23, 2020, 3:20:57 AM
to Wazuh mailing list
Hi Nicolas Pasquarè,

I just tried the log you passed me and it does work for me.

"'
       Rule id: '100051'
       Level: '7'
       Description: 'SonicWall: This is my custom message'
**Alert to be generated.

Hmm, have you modified any decoder or rule in any file other than local_decoder.xml or local_rules.xml? In that case, make a backup of the files you have modified and return them to their original state (you can use this repository https://github.com/wazuh/wazuh-ruleset to copy the default rules and decoders), or you can also try updating the ruleset (see https://documentation.wazuh.com/3.9/user-manual/ruleset/update.html):

/var/ossec/bin/update_ruleset

and then try again with the rules and decoders that I have shared with you.

In case it still doesn't work, can you share (zip) the directory /var/ossec/ruleset/? You were using version 3.9.1, right?

Nicolas Pasquarè

Apr 24, 2020, 1:52:44 PM
to Wazuh mailing list
Hi Jonathan,
I have the latest release, because I've just updated everything to 3.12.2.

But the problem persists.
The "id" is not decoded.

Thanks

Jonathan Martín Valera

Apr 27, 2020, 4:13:48 AM
to Wazuh mailing list
Hi Nicolas Pasquarè,

Okay, it may be that the default sonicwall decoder file is causing conflicts. An easy way to solve this is to ignore that file and create a new one. Below I explain how to do it.

- In the <ruleset> section of your ossec.conf file, add the following to ignore the default sonicwall decoder:

<decoder_exclude>ruleset/decoders/0295-sonicwall_decoders.xml</decoder_exclude>

- Create the decoder file /var/ossec/etc/decoders/0295-sonicwall_decoders.xml with the following content:

<decoder name="sonicwall">
  <prematch>id=\.*sn=\.*time=\.*fw\.*pri=\.*c=\.*</prematch>
</decoder>

<decoder name="sonicwall_custom">
  <parent>sonicwall</parent>
  <regex>m=(\S+)</regex>
  <order>id</order>
</decoder>

<decoder name="sonicwall_custom">
  <parent>sonicwall</parent>
  <regex>pri=(\S+)</regex>
  <order>status</order>
</decoder>

- Try the following log in the ossec-logtest tool:

id=236 sn=12345678 time="2020-04-13 10:56:34" fw=172.16.1.1 pri=1 c=1024 gcat=6 m=30 msg="Connection Closed" src=172.16.1.1:51053:X2 srcZone=Encrypted dst=172.16.1.1:8443:X0 dstZone=Trusted proto=tcp/8443 sent=1644 rcvd=28917 spkt=19 rpkt=28 cdur=1483 rule="70 (VPN->LAN)" vpnpolicy="TOI have runt" app=49178 appName='General HTTPS MGMT' n=408226 fw_action="NA" dpi=0"

You will see an output like the following:

**Phase 1: Completed pre-decoding.
       full event: 'id=236 sn=12345678 time="2020-04-13 10:56:34" fw=172.16.1.1 pri=1 c=1024 gcat=6 m=30 msg="Connection Closed" src=172.16.1.1:51053:X2 srcZone=Encrypted dst=172.16.1.1:8443:X0 dstZone=Trusted proto=tcp/8443 sent=1644 rcvd=28917 spkt=19 rpkt=28 cdur=1483 rule="70 (VPN->LAN)" vpnpolicy="TOI have runt" app=49178 appName='General HTTPS MGMT' n=408226 fw_action="NA" dpi=0"'
       timestamp: '(null)'
       hostname: 'centos7'
       program_name: '(null)'
       log: 'id=236 sn=12345678 time="2020-04-13 10:56:34" fw=172.16.1.1 pri=1 c=1024 gcat=6 m=30 msg="Connection Closed" src=172.16.1.1:51053:X2 srcZone=Encrypted dst=172.16.1.1:8443:X0 dstZone=Trusted proto=tcp/8443 sent=1644 rcvd=28917 spkt=19 rpkt=28 cdur=1483 rule="70 (VPN->LAN)" vpnpolicy="TOI have runt" app=49178 appName='General HTTPS MGMT' n=408226 fw_action="NA" dpi=0"'

**Phase 2: Completed decoding.
       decoder: 'sonicwall'
       id: '30'
       status: '1'

**Phase 3: Completed filtering (rules).
       Rule id: '4811'
       Level: '9'
       Description: 'SonicWall: Firewall authentication failure.'

From here you can do several things:

- In case you need to decode more fields, you can add more decoders to the file /var/ossec/etc/decoders/0295-sonicwall_decoders.xml. Most regexes could look like the one below:

<decoder name="sonicwall_custom">
  <parent>sonicwall</parent>
  <regex>LOG_FIELD=(\S+)</regex>
  <order>YOUR_FIELD_NAME</order>
</decoder>

- To create custom rules you can create child rules (the default file is /var/ossec/ruleset/rules/0080-sonicwall_rules.xml).

- You can also follow the same process used for the decoders, that is, ignore the default rules file and create a new one.

I hope this information is helpful to you. Try it and tell me the results :)

Best regards
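Added example, not from the thread or from Wazuh: a small Python model of the three things the replies above walk through (pulling the raw event out of an archives.json line, the sonicwall prematch plus child decoders written as the same regex/order pairs, and the if_sid rule chain), so the "why doesn't rule 4811 fire" question can be reproduced offline. The archives line is constructed with fake values, the stock decoder is approximated by its observed status/action output, and rule 4801's condition (status starting with 1) is an assumption chosen to match the pri=1 result shown in the thread.

```python
"""Offline model of the Wazuh decoder/rule chain discussed in this thread.

This is not Wazuh's engine. It only shows why a rule's <id> condition can
never match until a child decoder maps the SonicWall m= parameter onto the
decoded field named "id".
"""
import json
import re

# Constructed archives.json line in the shape Nicolas posted (fake values;
# pri=1 and m=30 chosen so the thread's rule 4811 case can be reproduced).
ARCHIVES_LINE = (
    '{"timestamp":"2020-04-13T08:56:34.751+0000",'
    '"agent":{"id":"000","name":"wazuhserver"},"manager":{"name":"wazuhserver"},'
    '"id":"1586768194.340214581",'
    '"full_log":"  id=firewall sn=12345678 time=\\"2020-04-13 10:56:34\\" '
    'fw=172.16.1.1 pri=1 c=1024 gcat=6 m=30 msg=\\"Connection Closed\\" '
    'src=172.16.1.1:51053:X2 dst=172.16.1.1:8443:X0 proto=tcp/8443 '
    'rule=\\"70 (VPN->LAN)\\" appName=\'General HTTPS MGMT\' fw_action=\\"NA\\" dpi=0",'
    '"decoder":{},"location":"172.16.1.1"}'
)


def original_log(archives_line: str) -> str:
    """ossec-logtest wants the event as the agent registered it: the full_log
    field, which json.loads already returns without the \\" escapes."""
    return json.loads(archives_line)["full_log"].strip()


# key=value parser for the raw line: double-quoted, single-quoted or bare values.
KV_RE = re.compile(r"""(\w+)=(?:"([^"]*)"|'([^']*)'|(\S+))""")


def raw_fields(log: str) -> dict:
    """Parameters as written in the log (id=firewall, m=30, ...). This raw
    'id' is NOT the decoded field that a rule's <id> element tests."""
    return {m.group(1): next(v for v in m.groups()[1:] if v is not None)
            for m in KV_RE.finditer(log)}


# Parent prematch from the thread, translated from OSRegex (\.* means .*).
PREMATCH = re.compile(r"id=.*sn=.*time=.*fw.*pri=.*c=.*")

# Child decoders as (regex, order) pairs, mirroring <regex>/<order> in the XML.
# Assumption: the stock decoder is approximated by its observed output
# (status + action); the page does not show its real regexes.
STOCK_CHILDREN = [(r"pri=(\S+)", "status"), (r'msg="([^"]*)"', "action")]
CUSTOM_CHILDREN = [(r"m=(\S+)", "id"), (r"pri=(\S+)", "status")]


def decode(log: str, children) -> dict:
    """Return the decoded fields, or {} when the parent prematch fails."""
    if not PREMATCH.search(log):
        return {}
    fields = {"decoder": "sonicwall"}   # logtest reports the parent's name
    for pattern, name in children:
        hit = re.search(pattern, log)
        if hit:
            fields[name] = hit.group(1)
    return fields


# Reduced rule tree 4800 -> 4801 -> 4811. 4811 is copied from the thread;
# 4801's condition is an assumption that reproduces the pri=1 result shown.
RULES = {
    4800: dict(level=0, if_sid=None, match={},
               description="SonicWall messages grouped."),
    4801: dict(level=8, if_sid=4800, match={"status": r"^1"},
               description="SonicWall critical message."),
    4811: dict(level=9, if_sid=4801, match={"id": r"^30$|^32$"},
               description="SonicWall: Firewall authentication failure."),
}


def evaluate(fields: dict):
    """Walk the tree like logtest's 'Trying child rules' and return the id of
    the deepest rule that matched (None when the decoder did not fire)."""
    if fields.get("decoder") != "sonicwall":
        return None
    matched = None
    while True:
        child = next((rid for rid, r in RULES.items()
                      if r["if_sid"] == matched
                      and all(re.search(rx, fields.get(f, ""))
                              for f, rx in r["match"].items())), None)
        if child is None:
            return matched
        matched = child


if __name__ == "__main__":
    log = original_log(ARCHIVES_LINE)
    print("raw id parameter :", raw_fields(log)["id"])          # firewall
    for label, children in (("stock", STOCK_CHILDREN), ("custom", CUSTOM_CHILDREN)):
        fields = decode(log, children)
        rid = evaluate(fields)
        print(f"{label:6} decoders -> {fields} -> rule {rid} level {RULES[rid]['level']}")
```

With the stock-style decoders the chain stops at 4801 because no decoded "id" exists; with the m= child decoder the same log reaches 4811, which is the behaviour the thread's final logtest output shows.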