I'm curious as to how one would expand the decoder on the Fortigate messages.
We are pulling DLP event messages and the Fortigate-Firewall-V5 decoder is grabbing the message...up to the action field.
How can I expand this to include the fields such as sender and recipient?
A sample event (with names changed) is below:
date=2023-06-06 time=09:33:05 devname="FW-1234-100E" devid="FG100E4Q1234" eventtime=1686061984337400814 tz="-0500" logid="0954024577" type="utm" subtype="dlp" eventtype="dlp" level="notice" vd="root" filteridx=10 filtername="US-SSN" dlpextra="\b(?!666|000|9\d{2})\d{3}-(?!00)\d{2}-(?!0{4})\d{4}\b" filtertype="regexp" filtercat="message" severity="high" policyid=273 poluuid="9104b370-0743-51eb-ba70-badbe9396d8f" policytype="policy" sessionid=44743935 epoch=1859783710 eventid=1 srcip=192.168.11.1 srcport=23496 srccountry="Reserved" srcintf="vsw.port15" srcintfrole="lan" srcuuid="77316d8a-0743-51eb-31bf-69c8b65f3cbd" dstip=173.10.1.1 dstport=25 dstcountry="Canada" dstintf="wan1" dstintfrole="wan" dstuuid="66644fec-0741-51eb-ac11-a4c35a9211c0" proto=6 service="SMTPS" filetype="N/A" direction="outgoing" action="log-only" from="jsm...@senderdomain.com" to="tjo...@recipientdomain.com" sender="jsm...@senderdomain.com " recipient="tjo...@recipientdomain.com " subject="RE: Email DLP Test" attachment="no" profile="SMTP-DLP"
All insight is appreciated.
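One way to pick up the mail fields, added here as an example and not code from the original post or from the stock Wazuh ruleset: a child decoder in local_decoder.xml that extends the stock FortiGate decoder. The decoder and parent name, the file path, and the behaviour that reusing the stock name lets the new fields accumulate on the same event are assumptions to check against your installed ruleset version.

```xml
<!-- Assumed location: /var/ossec/etc/decoders/local_decoder.xml -->
<!-- Reusing the stock decoder name is assumed to make the engine keep
     evaluating this entry after the stock ones, so the fields below are
     added to the event instead of replacing the stock fields. -->
<decoder name="fortigate-firewall-v5">
  <parent>fortigate-firewall-v5</parent>
  <!-- Only DLP events carry these fields; skip everything else cheaply. -->
  <prematch>subtype="dlp"</prematch>
  <!-- OS_Regex syntax: \. is "any character". Each value is delimited by
       double quotes, and FortiGate is assumed not to emit an unescaped
       quote inside a value, so \.+ stops at the closing quote. -->
  <regex>from="(\.+)" to="(\.+)" sender="(\.+)" recipient="(\.+)" subject="(\.+)"</regex>
  <order>from, to, sender, recipient, subject</order>
</decoder>
```

Paste the sample line into /var/ossec/bin/wazuh-logtest and the decoded output should list from, to, sender and recipient alongside the stock fields. If your DLP events do not always carry all five fields, split them into one decoder entry per group so a missing field does not make the whole regex fail.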