Sophos Firewall Logs into Wazuh


threat intel

Oct 24, 2022, 7:13:23 AM
to Wazuh mailing list
Hello Wazuh,

Kindly assist me on how to integrate Sophos firewall logs into Wazuh.
Also, can firewall logs be manually pushed into the Wazuh SIEM for analysis, and if possible, how can that be done?
Thank you.

Regards,
Derrick.

Christian Borla

Oct 24, 2022, 8:30:10 AM
to Wazuh mailing list
Hi Derrick.
I hope you are doing fine!

Wazuh already supports a group of Sophos logs: the decoders are 0300-sophos_decoders.xml and 0510-sophos_fw_decoders.xml, and the rules are 0415-sophos_rules.xml and 0705-sophos_fw_rules.xml.
But it looks like some Sophos firewall events are not supported. I found this example in the community chat; it's not working.

root@wazuh-master:/# /var/ossec/bin/wazuh-logtest
Starting wazuh-logtest v4.3.8
Type one log per line

device=\"SFW\" date=2022-09-23 time=11:33:03 timezone=\"+03\" device_name=\"SFVUNL\" device_id=C01001GF2GVW9A4 log_id=062009617502 log_type=\"Event\" log_component=\"GUI\" log_subtype=\"Admin\" status=\"Successful\" priority=Information user_name=\"admin\" src_ip=x.x.x.x IP_HOST_NAME='Rint' message=\"IP Host 'Rint' settings were changed by 'admin' from 'x.x.x.x' using 'GUI'\"

**Phase 1: Completed pre-decoding.
    full event: 'device=\"SFW\" date=2022-09-23 time=11:33:03 timezone=\"+03\" device_name=\"SFVUNL\" device_id=C01001GF2GVW9A4 log_id=062009617502 log_type=\"Event\" log_component=\"GUI\" log_subtype=\"Admin\" status=\"Successful\" priority=Information user_name=\"admin\" src_ip=x.x.x.x IP_HOST_NAME='Rint' message=\"IP Host 'Rint' settings were changed by 'admin' from 'x.x.x.x' using 'GUI'\"'

**Phase 2: Completed decoding.
    No decoder matched.


Could you share any example log to test it?

The common way to collect events from Sophos is forwarding the Sophos logs by syslog.

This is an example syslog configuration. If you want to collect events on the manager, set it in ossec.conf on the manager side; if you want to collect events on the agent, set it in ossec.conf on the agent side. Also configure your Sophos to forward events to the manager/agent IP and port 514.

    <remote>
      <connection>syslog</connection>
      <port>514</port>
      <protocol>tcp</protocol>
      <!-- IP address or CIDR range of the Sophos firewall that forwards the logs -->
      <allowed-ips>SOPHOS_FIREWALL_IP</allowed-ips>
    </remote>

Always restart the agent or manager when the ossec.conf file changes.

To process old events, I create a fake file and collect events from it.
On the agent side, define a fake.txt file in the agent, and set the following config in ossec.conf on the agent side.

      <localfile>
        <location>C:\Users\MyUser\fake.txt</location>
        <log_format>syslog</log_format>
      </localfile>

Restart the agent, and then paste the events that you want to process.
Let me know if this information is useful.
Regards.

threat intel

Nov 17, 2022, 11:57:35 AM
to Wazuh mailing list
Hello Wazuh, I processed the old event below but I can't find it in Archives.json

device="SFW" date=2018-02-27 time=18:13:29 timezone="IST" device_name="XG125w"
device_id=S1601E1F9FCB7EE log_id=054402617051 log_type="Content Filtering" log_component="Application" log_subtype="
Denied" priority=Information fw_rule_id=1 user_name="" user_gp="" application_filter_policy=8 category="Mobile Applications"
application_name="Gtalk Android" application_risk=4 application_technology="Client Server" application_category="Mobile
Applications" src_ip=5.5.5.15 src_country_code=DEU dst_ip=74.125.130.188 dst_country_code=USA protocol="TCP" src_port=49128
dst_port=5228 sent_bytes=0 recv_bytes=0 status="Deny" message="" appresolvedby="Signature"

Please, can you help me?

Christian Borla

Nov 22, 2022, 2:53:09 PM
to Wazuh mailing list
Hi Derrick.
I hope you are doing fine!

The system interprets the event per line; your example log has more than one line.
What do you mean by "I processed"? How did you do it?

Did you follow these steps?

To process old events, I create a fake file and collect events from it.
On the agent side, define a fake.txt file in the agent, and set the following config in ossec.conf on the agent side.

      <localfile>
        <location>C:\Users\MyUser\fake.txt</location>
        <log_format>syslog</log_format>
      </localfile>

Restart the agent, and then paste the events that you want to process.

If possible, check the Archives.json file in real time; also, sometimes it is necessary to paste the example and press Enter before saving the file.

Example of how wazuh-logtest processes the log:

Type one log per line

device="SFW" date=2018-02-27 time=18:13:29 timezone="IST" device_name="XG125w"device_id=S1601E1F9FCB7EE log_id=054402617051 log_type="Content Filtering" log_component="Application" log_subtype="Denied" priority=Information fw_rule_id=1 user_name="" user_gp="" application_filter_policy=8 category="Mobile Applications"application_name="Gtalk Android" application_risk=4 application_technology="Client Server" application_category="MobileApplications" src_ip=5.5.5.15 src_country_code=DEU dst_ip=74.125.130.188 dst_country_code=USA protocol="TCP" src_port=49128dst_port=5228 sent_bytes=0 recv_bytes=0 status="Deny" message="" appresolvedby="Signature"

**Phase 1: Completed pre-decoding.
    full event: 'device="SFW" date=2018-02-27 time=18:13:29 timezone="IST" device_name="XG125w"device_id=S1601E1F9FCB7EE log_id=054402617051 log_type="Content Filtering" log_component="Application" log_subtype="Denied" priority=Information fw_rule_id=1 user_name="" user_gp="" application_filter_policy=8 category="Mobile Applications"application_name="Gtalk Android" application_risk=4 application_technology="Client Server" application_category="MobileApplications" src_ip=5.5.5.15 src_country_code=DEU dst_ip=74.125.130.188 dst_country_code=USA protocol="TCP" src_port=49128dst_port=5228 sent_bytes=0 recv_bytes=0 status="Deny" message="" appresolvedby="Signature"'

**Phase 2: Completed decoding.
    name: 'sophos-fw'
    application_category: 'MobileApplications'
    application_risk: '4'
    application_technology: 'Client Server'
    appresolvedby: 'Signature'
    date: '2018-02-27'
    device: 'SFW'
    device_id: 'S1601E1F9FCB7EE'
    device_name: 'XG125w"device_id=S1601E1F9FCB7EE log_id=054402617051 log_type="Content Filtering'
    dst_country_code: 'USA'
    dst_ip: '74.125.130.188'
    dst_port: '5228'
    fw_rule_id: '1'
    log_component: 'Application'
    log_id: '054402617051'
    log_subtype: 'Denied'
    log_type: 'Content Filtering'
    name: 'XG125w"device_id=S1601E1F9FCB7EE log_id=054402617051 log_type="Content Filtering'
    priority: 'Information'
    protocol: 'TCP'
    recv_bytes: '0'
    sent_bytes: '0'
    sophos_fw_status_msg: 'Deny'
    src_country_code: 'DEU'
    src_ip: '5.5.5.15'
    src_port: '49128dst_port=5228'
    time: '18:13:29'
    timezone: 'IST'

**Phase 3: Completed filtering (rules).
    id: '70021'
    level: '5'
    description: 'Traffic Denied: from 5.5.5.15 to 74.125.130.188'
    groups: '['sophos-fw']'
    firedtimes: '1'
    mail: 'False'
**Alert to be generated.

Let me know if that helps.
Regards.
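Added example (Python; not code from the thread, from Wazuh or from Sophos) tying the two replies above together. The event posted earlier arrived wrapped across several lines, and the wazuh-logtest run above shows what happens when those lines are concatenated with no separator: neighbouring fields fuse, so src_port comes out as '49128dst_port=5228' and device_name swallows device_id. The script below re-joins a wrapped event with a space, strips the stray space a wrap leaves inside a quoted value, parses the key=value fields with a strict whitespace-separated tokenizer (a simplified stand-in for the sophos-fw decoder, not the real one), and checks that the fields an alert needs are present and well-formed before the line is pasted into fake.txt or wazuh-logtest. The sample event is the one from the thread; REQUIRED_FIELDS is an assumption made for this example.

```python
"""Re-join a Sophos firewall event that was wrapped across several lines and
check the result before feeding it to wazuh-logtest or the fake.txt file.

Added example; not code from the thread, from Wazuh or from Sophos. The
parser below is a deliberately strict stand-in for a key=value decoder
(fields must be whitespace-separated), not the real sophos-fw decoder; it is
used only to make the two join strategies comparable.
"""
import re
from typing import Dict, List

# Constructed sample: the event from the thread exactly as it was pasted,
# wrapped across lines. Two of the breaks fall inside quoted values.
WRAPPED_EVENT = '''device="SFW" date=2018-02-27 time=18:13:29 timezone="IST" device_name="XG125w"
device_id=S1601E1F9FCB7EE log_id=054402617051 log_type="Content Filtering" log_component="Application" log_subtype="
Denied" priority=Information fw_rule_id=1 user_name="" user_gp="" application_filter_policy=8 category="Mobile Applications"
application_name="Gtalk Android" application_risk=4 application_technology="Client Server" application_category="Mobile
Applications" src_ip=5.5.5.15 src_country_code=DEU dst_ip=74.125.130.188 dst_country_code=USA protocol="TCP" src_port=49128
dst_port=5228 sent_bytes=0 recv_bytes=0 status="Deny" message="" appresolvedby="Signature"'''

# key=value where the value is either a double-quoted string or a run of
# non-space characters; each field must be bounded by whitespace on both sides.
FIELD_RE = re.compile(r'(?:^|(?<=\s))(\w+)=("[^"]*"|\S+)(?=\s|$)')

# Fields a Sophos "Content Filtering" deny event must carry for the resulting
# alert to be useful (assumption made for this example, not a Wazuh rule).
REQUIRED_FIELDS = ("device_id", "src_ip", "dst_ip", "src_port", "dst_port", "status")
PORT_RE = re.compile(r"\d{1,5}")


def normalize_wrapped(text: str, joiner: str = " ") -> str:
    """Collapse a wrapped event into the single line Wazuh expects.

    Joining with a space is the safe choice: a break between two fields becomes
    the separator they need, and a break inside a quoted value only adds a
    space that parse_fields() strips again. Joining with '' (what happens when
    lines are concatenated blindly) fuses adjacent fields.
    """
    lines = [line.strip() for line in text.splitlines() if line.strip()]
    return joiner.join(lines)


def parse_fields(event: str) -> Dict[str, str]:
    """Split one event line into a field dictionary."""
    fields: Dict[str, str] = {}
    for key, raw in FIELD_RE.findall(event):
        value = raw
        if len(raw) >= 2 and raw[0] == '"' and raw[-1] == '"':
            # Strip the quotes and any whitespace a line wrap left inside them.
            value = raw[1:-1].strip()
        fields[key] = value
    return fields


def validate_event(fields: Dict[str, str]) -> List[str]:
    """Return a list of problems; an empty list means the event is sane."""
    problems = [f"missing {key}" for key in REQUIRED_FIELDS if key not in fields]
    for key in ("src_port", "dst_port"):
        if key in fields and not PORT_RE.fullmatch(fields[key]):
            problems.append(f"{key} not numeric: {fields[key]!r}")
    return problems


if __name__ == "__main__":
    for joiner, label in ((" ", "joined with a space"), ("", "joined without a space")):
        parsed = parse_fields(normalize_wrapped(WRAPPED_EVENT, joiner))
        print(f"== {label}: {len(parsed)} fields, problems: {validate_event(parsed)}")
        for key in ("device_name", "device_id", "log_subtype", "application_category", "src_port", "dst_port"):
            print(f"   {key} = {parsed.get(key)!r}")
```

Run it as-is to see both variants side by side; the space-joined line is the one to paste into fake.txt, and an empty problem list from validate_event() is the signal that the line is worth pasting. The trailing-space strip inside quoted values is what repairs log_subtype=" Denied" without damaging "Mobile Applications".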