Decoder problem FWSM


Andres Muñoz

Oct 25, 2022, 2:44:58 PM
to Wazuh mailing list
Hellooo!

I'm trying to modify the ASA decoder to decode Cisco FWSM. I modified the decoder and it matches, but it doesn't parse the fields that I put:

<decoder name="fwsm">
  <prematch>%FWSM-|\w\w\w \d\d \d\d\d\d \d\d:\d\d:\d\d: %FWSM-</prematch>
</decoder>

<decoder name="fwsm-fw3">
  <parent>fwsm</parent>
  <prematch offset="after_parent">4-106023</prematch>
  <regex offset="after_parent">(\S+): (\w+) (\w+) src \w+:</regex>
  <regex>(\S+)/(\S+) dst \w+:(\S+)/(\S+)</regex>
  <order>id, action, protocol, srcip, srcport, dstip, dstport</order>
</decoder>

and made a rule. It matches the parent and the rule, but it doesn't decode the order fields.

Apr 21 2020 20:07:29: %FWSM-4-106023: Deny udp src outside:172.16.151.218/64569 dst cgsi_piso3_172.30.2.:172.30.2.70/161 by access-group "ACCESS_IN_outside" [0x0, 0x0]

Regards !


Andres Muñoz

Oct 25, 2022, 2:53:14 PM
to Wazuh mailing list
root@elk:/var/ossec/ruleset/decoders# /var/ossec/bin/wazuh-logtest
Starting wazuh-logtest v4.3.9
Type one log per line


Apr 21 2020 20:07:29: %FWSM-4-106023: Deny udp src outside:172.16.151.218/64569 dst cgsi_piso3_172.30.2.:172.30.2.70/161 by access-group "ACCESS_IN_outside" [0x0, 0x0]

**Phase 1: Completed pre-decoding.
        full event: 'Apr 21 2020 20:07:29: %FWSM-4-106023: Deny udp src outside:172.16.151.218/64569 dst cgsi_piso3_172.30.2.:172.30.2.70/161 by access-group "ACCESS_IN_outside" [0x0, 0x0]'

**Phase 2: Completed decoding.
        name: 'cisco-asa'
        parent: 'cisco-asa'

**Phase 3: Completed filtering (rules).
        id: '64000'
        level: '0'
        description: 'Grouping of cisco-ASA rules'
        groups: '['syslog', 'cisco', 'cisco-asa']'
        firedtimes: '1'
        mail: 'False'
Regards,

Andrés Muñoz Rodríguez





Julian Bustamante Narvaez

Oct 26, 2022, 12:40:18 PM
to Wazuh mailing list
Hi, I hope you are well. I will be working on your query; as soon as I have the decoder ready, I will answer you.
Regards

Julian Bustamante Narvaez

Oct 26, 2022, 3:13:25 PM
to Wazuh mailing list
Hi, I hope you are well.
I made some decoders for you.
You should put them at the top of the /var/ossec/ruleset/decoders/0065-cisco-ios_decoders.xml file.

Remember that if you update the manager, the default files will be overwritten.

<decoder name="fwsma">
  <prematch>\w\w\w \d\d \d\d\d\d \d\d:\d\d:\d\d: %FWSM-\S+:</prematch>
</decoder>


<decoder name="fwsma-fw3">
  <parent>fwsma</parent>
  <regex type="pcre2">(\w\w\w \d\d \d\d\d\d \d\d:\d\d:\d\d): %FWSM-(\S+):</regex>
  <order>datetime,fwsm_rule</order>
</decoder>

<decoder name="fwsma-fw3">
  <parent>fwsma</parent>
  <regex type="pcre2">src outside:((?:\d{1,3}\.){3}\d{1,3})(?:\/(\d+))?</regex>
  <order>srcip,srcport</order>
</decoder>


<decoder name="fwsma-fw3">
  <parent>fwsma</parent>
  <regex type="pcre2">dst.*?:((?:\d{1,3}\.){3}\d{1,3})(?:\/(\d+))?</regex>
  <order>dstip,dstport</order>
</decoder>

<decoder name="fwsma-fw3">
  <parent>fwsma</parent>
  <regex type="pcre2">by access-group\s(\S+)\s(\[0[xX][0-9a-fA-F]+,\s0[xX][0-9a-fA-F]+\])</regex>
  <order>accessgroup,value</order>
</decoder>

Put the rule here: /var/ossec/etc/rules/local_rules.xml

<rule id="100210" level="5">
  <decoded_as>fwsma</decoded_as>
  <description>fwsm event</description>
  <group>fwsmia</group>
</rule>

You can test with /var/ossec/bin/wazuh-logtest and paste the full log:
Apr 21 2020 20:07:29: %FWSM-4-106023: Deny udp src outside:172.16.151.218/64569 dst cgsi_piso3_172.30.2.:172.30.2.70/161 by access-group "ACCESS_IN_outside" [0x0, 0x0]

output:
Starting wazuh-logtest v4.5.0

Type one log per line

Apr 21 2020 20:07:29: %FWSM-4-106023: Deny udp src outside:172.16.151.218/64569 dst cgsi_piso3_172.30.2.:172.30.2.70/161 by access-group "ACCESS_IN_outside" [0x0, 0x0]

**Phase 1: Completed pre-decoding.
    full event: 'Apr 21 2020 20:07:29: %FWSM-4-106023: Deny udp src outside:172.16.151.218/64569 dst cgsi_piso3_172.30.2.:172.30.2.70/161 by access-group "ACCESS_IN_outside" [0x0, 0x0]'

**Phase 2: Completed decoding.
    name: 'fwsma'
    accessgroup: '"ACCESS_IN_outside"'
    datetime: 'Apr 21 2020 20:07:29'
    dstip: '172.30.2.70'
    dstport: '161'
    fwsm_rule: '4-106023'
    srcip: '172.16.151.218'
    srcport: '64569'
    value: '[0x0, 0x0]'


**Phase 3: Completed filtering (rules).
    id: '100210'
    level: '5'
    description: 'fwsm event'
    groups: '['yara', 'fwsmia']'
    firedtimes: '1'
    mail: 'False'
**Alert to be generated.



You can use https://regex101.com/ to test your regex.

Regards
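Added example (not from the thread and not Wazuh code): the four PCRE2 patterns from the fwsma-fw3 decoders above, run with Python's re module over the FWSM line from the thread so the field extraction can be checked offline before the decoders are loaded. It goes slightly beyond the posted decoders: a second, constructed line with no ports exercises the optional "/port" group, and an extra pattern pulls out the action and protocol fields that the original question asked for.

```python
import re

# Sample input: the FWSM line from the thread, plus a constructed second line
# (not real device output) that has no ports, to exercise the optional groups.
SAMPLE_LINES = [
    'Apr 21 2020 20:07:29: %FWSM-4-106023: Deny udp src outside:172.16.151.218/64569 '
    'dst cgsi_piso3_172.30.2.:172.30.2.70/161 by access-group "ACCESS_IN_outside" [0x0, 0x0]',
    'Apr 21 2020 20:08:02: %FWSM-4-106023: Deny icmp src outside:172.16.151.219 '
    'dst inside:172.30.2.71 by access-group "ACCESS_IN_outside" [0x0, 0x0]',
]

# Each entry mirrors one <regex type="pcre2"> plus its <order> list. The constructs
# used are valid in both PCRE2 and Python's re, so the patterns are copied verbatim.
FIELD_PATTERNS = [
    (("datetime", "fwsm_rule"),
     re.compile(r"(\w\w\w \d\d \d\d\d\d \d\d:\d\d:\d\d): %FWSM-(\S+):")),
    (("srcip", "srcport"),
     re.compile(r"src outside:((?:\d{1,3}\.){3}\d{1,3})(?:\/(\d+))?")),
    (("dstip", "dstport"),
     re.compile(r"dst.*?:((?:\d{1,3}\.){3}\d{1,3})(?:\/(\d+))?")),
    (("accessgroup", "value"),
     re.compile(r"by access-group\s(\S+)\s(\[0[xX][0-9a-fA-F]+,\s0[xX][0-9a-fA-F]+\])")),
    # Not in the thread's decoders: action ("Deny") and protocol ("udp") after the message id.
    (("action", "protocol"),
     re.compile(r"%FWSM-\S+: (\w+) (\w+) src ")),
]


def decode_fwsm(line):
    """Return a dict of decoded fields for one FWSM line.

    Every pattern is searched independently, like sibling child decoders sharing
    one parent. An optional group that did not participate (no "/port") is left
    out of the result rather than stored as None.
    """
    fields = {}
    for names, pattern in FIELD_PATTERNS:
        match = pattern.search(line)
        if match is None:
            continue
        for name, value in zip(names, match.groups()):
            if value is not None:
                fields[name] = value
    return fields


def decode_lines(lines):
    """Decode several lines; lines that match nothing yield an empty dict."""
    return [decode_fwsm(line) for line in lines]
```

Note that accessgroup keeps its surrounding double quotes, exactly as the wazuh-logtest output above shows, because the pattern captures `\S+` rather than the text between the quotes.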

Andres Muñoz

Oct 26, 2022, 10:36:23 PM
to Julian Bustamante Narvaez, Wazuh mailing list
Thanks Julian for your help !

Regards,

Andrés Muñoz Rodríguez


