Huawei Firewall Logs Rules and Decoders


Abdul Samad

Jun 21, 2023, 4:49:50 PM
to Wazuh mailing list
Dear Team,

I have integrated the Huawei firewall with Wazuh. Logs are coming in and can be viewed using tcpdump (see attached picture).
But the logs are not showing in the Wazuh GUI/web interface.
I have created decoders and rules for the log sample mentioned below.
Kindly help me ASAP.

Decoders

<!-- Parent decoder: matches the Huawei syslog header up to and including the
     hostname and the space that follows it. The literal hostname pins this
     decoder to one device. -->
<decoder name="huawei-custom">
  <prematch>^Msg:\s\w\w\w\s\d\d\s\d\d\d\d \d\d:\d\d:\d\d SITFW6390DCP01FWEDGE </prematch>
</decoder>

<!-- The child decoders share one name so that Wazuh evaluates all of them for
     the same event. Each capture is terminated by the comma that follows the
     value; without that delimiter \S+ swallows the comma as well (wazuh-logtest
     shows srcip as '10.150.21.21,'). -->
<decoder name="huawei-custom1">
  <parent>huawei-custom</parent>
  <regex offset="after_parent">source-ip="(\S+)"|source-ip=(\S+),</regex>
  <order>srcip</order>
</decoder>
<decoder name="huawei-custom1">
  <parent>huawei-custom</parent>
  <regex offset="after_parent">source-port="(\S+)"|source-port=(\S+),</regex>
  <order>srcport</order>
</decoder>
<decoder name="huawei-custom1">
  <parent>huawei-custom</parent>
  <regex offset="after_parent">destination-ip="(\S+)"|destination-ip=(\S+),</regex>
  <order>dstip</order>
</decoder>
<decoder name="huawei-custom1">
  <parent>huawei-custom</parent>
  <regex offset="after_parent">destination-port="(\S+)"|destination-port=(\S+),</regex>
  <order>dstport</order>
</decoder>
<decoder name="huawei-custom1">
  <parent>huawei-custom</parent>
  <regex offset="after_parent">destination-zone="(\S+)"|destination-zone=(\S+),</regex>
  <order>dst-zone</order>
</decoder>
<decoder name="huawei-custom1">
  <parent>huawei-custom</parent>
  <regex offset="after_parent">source-zone="(\S+)"|source-zone=(\S+),</regex>
  <order>src-zone</order>
</decoder>
<!-- rule-name is the last field of the message and has no trailing comma. -->
<decoder name="huawei-custom1">
  <parent>huawei-custom</parent>
  <regex offset="after_parent">rule-name="(\S+)"|rule-name=(\S+)</regex>
  <order>FW-RuleName</order>
</decoder>
<!-- Field names become JSON keys (data.<name>). A name containing a space is
     truncated to "Application" by the decoder, so use an underscore instead. -->
<decoder name="huawei-custom1">
  <parent>huawei-custom</parent>
  <regex offset="after_parent">application-name="(\S+)"|application-name=(\S+),</regex>
  <order>application_name</order>
</decoder>
<decoder name="huawei-custom1">
  <parent>huawei-custom</parent>
  <regex offset="after_parent">vsys="(\S+)"|vsys=(\S+),</regex>
  <order>VSYS</order>
</decoder>
<!-- The device id is part of the header that the parent prematch already
     consumed, so this child must not use offset="after_parent"; it re-reads
     the header from the start of the line. -->
<decoder name="huawei-custom1">
  <parent>huawei-custom</parent>
  <regex>^Msg:\s\w\w\w\s\d\d\s\d\d\d\d \d\d:\d\d:\d\d SITFW(\S+) </regex>
  <order>devid</order>
</decoder>

Rules:

<group name="network_security,pci_dss,gdpr,hipaa,nist_800_53,tsc_CC7.3">
  <!-- Base rule: fires for every event handled by the huawei-custom decoder. -->
  <rule id="100003" level="7">
    <decoded_as>huawei-custom</decoded_as>
    <description>Huawei Rules.</description>
  </rule>

  <!-- Child rule: the field name must be the decoder's <order> name (not the
       raw "application-name=" text), and the value is a regex, so anchor it. -->
  <rule id="100004" level="7">
    <if_sid>100003</if_sid>
    <field name="application_name">^SMB$</field>
    <description>Huawei Rule Triggered</description>
  </rule>
</group>

Sample Log
Msg: Jun 21 2023 13:57:52 SITFW6390DCP01FWEDGE %%01POLICY/6/POLICYPERMIT(l):vsys=public, protocol=6, source-ip=10.150.21.21, source-port=54172, destination-ip=191.233.241.31, destination-port=443, time=2023/6/21 10:57:52, source-zone=trust, destination-zone=untrust, application-name=HTTPS, rule-name=P_Fx_UNTRUST.\0x00

Note: Looking forward to your reply ASAP.
----------------------------------------------------------------------------------
Regards
Abdul Samad - Cyber Security Analyst
Email: samad1...@gmail.com

Nicolas Stefani

Jun 22, 2023, 10:50:06 AM
to Wazuh mailing list
Hi Abdul,

Sorry for the late reply.

I was testing your rules and decoders with the sample that you provided and the matching process is working ok.

root@wazuh:/var/ossec# bin/wazuh-logtest
Starting wazuh-logtest v4.4.1
Type one log per line


Msg: Jun 21 2023 13:57:52 SITFW6390DCP01FWEDGE %%01POLICY/6/POLICYPERMIT(l):vsys=public, protocol=6, source-ip=10.150.21.21, source-port=54172, destination-ip=191.233.241.31, destination-port=443, time=2023/6/21 10:57:52, source-zone=trust, destination-zone=untrust, application-name=HTTPS, rule-name=P_Fx_UNTRUST.\0x00

**Phase 1: Completed pre-decoding.
        full event: 'Msg: Jun 21 2023 13:57:52 SITFW6390DCP01FWEDGE %%01POLICY/6/POLICYPERMIT(l):vsys=public, protocol=6, source-ip=10.150.21.21, source-port=54172, destination-ip=191.233.241.31, destination-port=443, time=2023/6/21 10:57:52, source-zone=trust, destination-zone=untrust, application-name=HTTPS, rule-name=P_Fx_UNTRUST.\0x00'

**Phase 2: Completed decoding.
        name: 'huawei-custom'
        Application: 'HTTPS,'
        FW-RuleName: 'P_Fx_UNTRUST.\0x00'
        VSYS: 'public,'
        dst-zone: 'untrust,'
        dstip: '191.233.241.31,'
        dstport: '443,'
        src-zone: 'trust,'
        srcip: '10.150.21.21,'
        srcport: '54172,'

**Phase 3: Completed filtering (rules).
        id: '100003'
        level: '7'
        description: 'Huawei Rules.'
        groups: '['network_security', 'pci_dss', 'gdpr', 'hipaa', 'nist_800_53']'
        firedtimes: '1'
        mail: 'False'
        tsc: '['CC7.3']'
**Alert to be generated.


In your ossec.conf, what is the value of <log_alert_level>? Also, can you see the processed events in the logs/alerts/alerts.log file?

Best regards,

Abdul Samad

Jun 22, 2023, 2:59:16 PM
to Nicolas Stefani, Wazuh mailing list
Dear Nicolas,

I didn't see any processed logs in the alerts.log file. See the attached POC.
Also, the log alert level is set to "3" (see attached picture).


Kindly reply ASAP.



Nicolas Stefani

Jun 23, 2023, 9:20:24 AM
to Abdul Samad, Wazuh mailing list
How are you forwarding the logs to Wazuh? How is the configuration in your ossec.conf?
--
Wazuh Nicolás Stefani
Software Engineer

Abdul Samad

Jun 23, 2023, 9:58:18 AM
to Nicolas Stefani, Wazuh mailing list
It's forwarding through SYSLOG
and 
Also wazuh syslog configured

Nicolas Stefani

Jun 23, 2023, 1:17:08 PM
to Abdul Samad, Wazuh mailing list
OK, if you test your log sample with /var/ossec/bin/wazuh-logtest you get the matching, right?

Abdul Samad

Jun 23, 2023, 1:17:46 PM
to Nicolas Stefani, Wazuh mailing list
Yes, it works! 

Nicolas Stefani

Jun 26, 2023, 9:16:17 AM
to Abdul Samad, Wazuh mailing list
Hi Abdul,

Could you share more about your configuration? The ossec.conf would be ok.

Do you have an agent receiving the logs from the firewall? Have you followed this guide?

What do you mean by?

> Also wazuh syslog configured
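For the manager-side configuration Nicolas is asking about, the following is an added example (not from this thread or from the Wazuh project) of the ossec.conf pieces that have to be in place before firewall syslog can become alerts; wazuh-logtest exercises only the decoder and rule stages, so a passing logtest does not prove the manager is actually receiving the stream. The allowed-ips range 10.150.21.0/24 is a placeholder and must be replaced with the firewall's own sending address.

```xml
<ossec_config>
  <!-- 1. Syslog listener on the manager (an agent cannot open a <remote>
          listener). Without this block the UDP/514 packets visible in tcpdump
          are discarded by the host and never reach the analysis engine.
          allowed-ips (placeholder value) must contain the firewall's own
          address, not the source-ip values carried inside the log lines. -->
  <remote>
    <connection>syslog</connection>
    <port>514</port>
    <protocol>udp</protocol>
    <allowed-ips>10.150.21.0/24</allowed-ips>
  </remote>

  <!-- 2. Archive every received event, not only alerts, to
          logs/archives/archives.log. This confirms receipt independently of
          decoder and rule matching. Turn it off again once the pipeline is
          verified; it grows quickly on a busy firewall. -->
  <global>
    <logall>yes</logall>
  </global>

  <!-- 3. Alerts at or above this level are written to logs/alerts/alerts.log.
          The Huawei rules are level 7, so the thread's value of 3 is low
          enough for them to appear. -->
  <alerts>
    <log_alert_level>3</log_alert_level>
  </alerts>

  <!-- The custom decoders and rules belong in etc/decoders/local_decoder.xml
       and etc/rules/local_rules.xml, which the default <ruleset> section
       already loads; no ruleset change is needed for them. -->
</ossec_config>
```

After editing ossec.conf, restart the manager (systemctl restart wazuh-manager) and watch /var/ossec/logs/archives/archives.log while the firewall is sending: if the raw Huawei lines appear there but nothing reaches alerts.log, the problem is in decoding or rules; if they never appear, the problem is in delivery or the <remote> block.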