Sangfor decoders and ruleset


Fawwas Hamdi

Apr 3, 2022, 11:05:10 PM
to Wazuh mailing list
Hello guys, I'm hoping someone can help me with making decoders for the Sangfor firewall, as I have the basis of the decoder from AlienVault OSSIM, as you can see below. As regex is a new thing to me, I have no idea how to incorporate this into Wazuh.

# Oct  5 19:50:00 <dvc> fwlog: Log type: user authentication, user:<username>, IP:x.x.x.x, target:Log out, time logged in:2016-10-05 08:45:21, online duration:39878, time logged out:19:49:59
[0001 - Sangfor NGFW - Login events]
event_type=event
precheck="user authentication"
regexp="(?P<date>\w+\s*\d+\s*\d+:\d+:\d+)\s*(?P<device>\S+)\s*\S+\s*Log type:\s*(?P<log_type>[^,]*),\s*(?:user:\s*(?P<username>[^,]*),\s*)?IP:\s*(?P<src_ip>[^,]*),\s*target:(?P<target>[^,]*),\s*time logged in:(?P<time_logged>[^,]*),\s*[^,]*,\s*time logged out:\s*(?P<time_out>[^,]*)"
date={normalize_date($date)}
plugin_sid={translate($target)}
device={$device}
src_ip={$src_ip}
username={$username}
userdata1={$time_logged}
userdata2={$time_out}

[0002 - Sangfor NGFW - traffic audit]
event_type=event
precheck="traffic audit"
regexp="(?P<date>\w+\s*\d+\s*\d+:\d+:\d+)\s*(?P<device>\S+)\s*\S+\s*Log Type:\s+traffic audit,\s+App Category:(?P<category>[^,]*),\s+Username\/Host:(?P<user>[^,]*),\sOutbound\(KB\):(?P<out>\d+),\s*Inbound\(KB\):(?P<in>\d+),\s*Bidirectional\(KB\):(?P<bidirect>\d+)"
date={normalize_date($date)}
plugin_sid=10
device={$device}
src_ip={$device}
username={$user}
userdata1={$out}
userdata2={$in}
userdata3={$bidirect}
userdata4={$category}

[0003 - Sangfor NGFW - User login ]
event_type=event
precheck="User login"
regexp="(?P<date>\w+\s*\d+\s*\d+:\d+:\d+)\s*(?P<device>\S+)\s*\S+\s*Log type:\s*(?P<log_type>[^,]*),\s*(?:user:\s*(?P<username>[^,]*),\s*)?IP:\s*(?P<src_ip>[^,]*),\s*target:(?P<target>[^,]*),\s*action:(?P<action>[^,]*),\sdescription:.*?(?P<sid>Password is incorrect|log in successfully)"
date={normalize_date($date)}
plugin_sid={translate($sid)}
device={$device}
src_ip={$src_ip}
username={$username}
userdata1={$target}
userdata2={$action}

[0004 - Sangfor NGFW - Policy events]
event_type=event
precheck="policy name"
regexp="(?P<date>\w+\s*\d+\s*\d+:\d+:\d+)\s*(?P<device>\S+)\s*\S+\s*Log\stype:\s*(?P<log_type>[^,]*),\spolicy\sname:(?P<policy_name>[^,]*),\s*user:\s*(?P<username>[^,]*),\s*Src\sIP:\s*(?P<src_ip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}),\s*(?:Src\sport:\s*(?P<src_port>[^,]*),\s*)?Dst\sIP:\s*(?P<dst_ip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}),\s*(?:Dst\sport:\s*(?P<dst_port>[^,]*),\s*)?(?:App\scategory:\s*(?P<app_cat>[^,]*),\s*)?application:\s*(?P<app>[^,]*),\s*action:\s*(?P<action>[^,]*)(?:,\s*URL:(?P<url>.*))?"
date={normalize_date($date)}
plugin_sid={translate($policy_name)}
device={$device}
src_ip={$src_ip}
dst_ip={$dst_ip}
src_port={$src_port}
dst_port={$dst_port}
username={$username}
userdata1={$log_type}
userdata2={$app_cat}
userdata3={$app}
userdata4={$action}
userdata6={$url}

# Oct  5 19:52:35 <dvc> fwlog: Log type: WAF, Src IP:x.x.x.x, Src port:49560, Dst IP:x.x.x.x, Dst port:80, attack type:HTTP error page filter, threat level:Medium, action:Logged, URL:<url>
[0010 - Sangfor NGFW - Firewall events]
event_type=event
#precheck=""
regexp="(?P<date>\w+\s*\d+\s*\d+:\d+:\d+)\s*(?P<device>\S+)\s*\S+\s*Log type:\s*(?P<log_type>[^,]*),\s*(?:type:\s*(?P<nat_type>[^,]*),\s*)?(?:user:\s*(?P<username>[^,]*),\s*)?Src IP:\s*(?:(?P<src_ip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})|(?P<sipv6>[^,]*)),\s*(?:Src port:\s*(?P<src_port>[^,]*),\s*)?Dst IP:\s*(?:(?P<dst_ip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})|(?P<dipv6>[^,]*)),\s*(?:Dst port:\s*(?P<dst_port>[^,]*),\s*)?(?:App category:\s*(?P<app_cat>[^,]*),?\s*|application:\s*(?P<app>[^,]*),?\s*|protocol:\s*(?P<protocol>[^,]*),?\s*|action:\s*(?P<action>[^,]*),?\s*|translated-to IP:\s*(?P<ip_translation>[^,]*),?\s*|translated-to port:\s*(?P<translated_port>[^,]*),?\s*|URL:\s*(?P<url>(?:https?://)?[^/]*)\s*|attack type:\s*(?P<attack_type>[^,]*),?\s*|threat level:\s*(?P<threat_level>[^,]*),?\s*)*"
date={normalize_date($date)}
plugin_sid={:sangforSID($log_type,$action)}
device={$device}
src_ip={$src_ip}
dst_ip={$dst_ip}
src_port={$src_port}
dst_port={$dst_port}
protocol={$protocol}
username={$username}
userdata1={$sipv6}
userdata2={$dipv6}
userdata3={$app_cat}
userdata4={$nat_type}
userdata6={$action}
userdata7={$threat_level}
userdata8={$url}
userdata9={$attack_type}

[9999 - Sangfor NGFW - Generic ]
event_type=event
regexp="(?P<date>\w+\s*\d+\s*\d+:\d+:\d+)\s*(?P<device>\S+)\s(?P<desc>.*)"
date={normalize_date($date)}
plugin_sid=20000000
device={$device}
src_ip={$device}

Jonathan Martín Valera

Apr 4, 2022, 5:14:46 AM
to Wazuh mailing list

Hi,

First of all, I am going to share with you some interesting links with helpful information to create custom decoders and rules:

You can add custom decoders and rules that fit your use case.

I will give you an example using the log you have shared.

First of all, I am going to see if there is any decoder or rule that matches. For this, I am going to use the /var/ossec/bin/wazuh-logtest tool.

After inserting the following log:

Oct  5 19:50:00 <dvc> fwlog: Log type: user authentication, user:<username>, IP:x.x.x.x, target:Log out, time logged in:2016-10-05 08:45:21, online duration:39878, time logged out:19:49:59

It shows the following result:

**Phase 1: Completed pre-decoding.
    full event: 'Oct  5 19:50:00 <dvc> fwlog: Log type: user authentication, user:<username>, IP:x.x.x.x, target:Log out, time logged in:2016-10-05 08:45:21, online duration:39878, time logged    out:19:49:59'
    timestamp: 'Oct  5 19:50:00'
    hostname: '<dvc>'

**Phase 2: Completed decoding.
    No decoder matched.

As we can see, it has not been decoded and therefore cannot be used by any rule. Therefore we are going to create a custom decoder to decode this log.

I add the following decoders to the file /var/ossec/etc/decoders/local_decoder.xml.

<decoder name="sangfor-ngfw-generic">
    <prematch>\p\S+\p fwlog: \.*</prematch>
</decoder>

<decoder name="sangfor-ngfw">
    <parent>sangfor-ngfw-generic</parent>
    <regex offset="after_parent">Log type:\s+(\.*), user:\s*(\.*), IP:\s*(\.*), target:\s*(\.*), time logged in:\s*(\.*), online duration:\s*(\.*), time logged out:\s*(\.*)</regex>
    <order>log_type, user, ip, target, time_logged_in, online_duration, timme_logged_out</order>
</decoder>

Note: This is an example regex, edit it if necessary to generalize it if needed.

To use these decoders in a rule, I will use the example of wanting to generate an alert when the IP 192.168.1.15 disconnects from the session.

To do this, I add the following custom rule to the file /var/ossec/etc/rules/local_rules.xml.

<rule id="100050" level="3">
    <decoded_as>sangfor-ngfw-generic</decoded_as>
    <field name="log_type">user authentication</field>
    <field name="ip">192.168.1.15</field>
    <field name="target">Log out</field>
    <description>Custom rule: $(ip) has logged out</description>
</rule>

I then test the following example log that should match those decoders and rule:

Oct  5 19:50:00 <dvc> fwlog: Log type: user authentication, user:test_user, IP:192.168.1.15, target:Log out, time logged in:2016-10-05 08:45:21, online duration:39878, time logged out:19:49:59
**Phase 1: Completed pre-decoding.
    full event: 'Oct  5 19:50:00 <dvc> fwlog: Log type: user authentication, user:test_user, IP:192.168.1.15, target:Log out, time logged in:2016-10-05 08:45:21, online duration:39878, time logged    out:19:49:59'
    timestamp: 'Oct  5 19:50:00'
    hostname: '<dvc>'

**Phase 2: Completed decoding.
    name: 'sangfor-ngfw-generic'
    dstuser: 'test_user'
    ip: '192.168.1.15'
    log_type: 'user authentication'
    online_duration: '39878'
    target: 'Log out'
    time_logged_in: '2016-10-05 08:45:21'
    timme_logged_out: '19:49:59'

**Phase 3: Completed filtering (rules).
    id: '100050'
    level: '3'
    description: 'Custom rule: 192.168.1.15 has logged out'
    groups: '['local', 'syslog', 'sshd']'
    firedtimes: '1'
    mail: 'False'
**Alert to be generated.

Now we observe how the log has been correctly decoded, and the alert has been generated for the mentioned use case.

Once tested, restart the wazuh-manager to apply the changes to the rules and decoders.

systemctl restart wazuh-manager

I hope this information is helpful.

Best regards.
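As an added illustration (not code from either post), the OSSIM regexes in the first post are Python re syntax, so they can be run directly over the sample lines to see which named groups each log type yields; those group names are the field list a Wazuh <order> element needs. The WAF line is constructed from the first post's commented sample with documentation addresses, and the firewall entry's precheck is left unset as the post leaves it.

```python
import re

# OSSIM plugin entries copied from the first post: an optional "precheck" substring
# gate, then a regexp with Python-style named groups. The firewall entry keeps its
# precheck unset, exactly as the post leaves it commented out.
SANGFOR_PLUGIN = [
    {"name": "login-events", "precheck": "user authentication",
     "regexp": r"(?P<date>\w+\s*\d+\s*\d+:\d+:\d+)\s*(?P<device>\S+)\s*\S+\s*Log type:\s*(?P<log_type>[^,]*),\s*(?:user:\s*(?P<username>[^,]*),\s*)?IP:\s*(?P<src_ip>[^,]*),\s*target:(?P<target>[^,]*),\s*time logged in:(?P<time_logged>[^,]*),\s*[^,]*,\s*time logged out:\s*(?P<time_out>[^,]*)"},
    {"name": "firewall-events", "precheck": None,
     "regexp": r"(?P<date>\w+\s*\d+\s*\d+:\d+:\d+)\s*(?P<device>\S+)\s*\S+\s*Log type:\s*(?P<log_type>[^,]*),\s*(?:type:\s*(?P<nat_type>[^,]*),\s*)?(?:user:\s*(?P<username>[^,]*),\s*)?Src IP:\s*(?:(?P<src_ip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})|(?P<sipv6>[^,]*)),\s*(?:Src port:\s*(?P<src_port>[^,]*),\s*)?Dst IP:\s*(?:(?P<dst_ip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})|(?P<dipv6>[^,]*)),\s*(?:Dst port:\s*(?P<dst_port>[^,]*),\s*)?(?:App category:\s*(?P<app_cat>[^,]*),?\s*|application:\s*(?P<app>[^,]*),?\s*|protocol:\s*(?P<protocol>[^,]*),?\s*|action:\s*(?P<action>[^,]*),?\s*|translated-to IP:\s*(?P<ip_translation>[^,]*),?\s*|translated-to port:\s*(?P<translated_port>[^,]*),?\s*|URL:\s*(?P<url>(?:https?://)?[^/]*)\s*|attack type:\s*(?P<attack_type>[^,]*),?\s*|threat level:\s*(?P<threat_level>[^,]*),?\s*)*"},
]

def decode(line):
    """Mimic OSSIM's evaluation order: skip an entry whose precheck substring is
    absent, otherwise anchor its regexp at the start of the line. Returns the
    entry name and the non-empty named groups, or None if nothing matched."""
    for entry in SANGFOR_PLUGIN:
        if entry["precheck"] and entry["precheck"] not in line:
            continue
        m = re.match(entry["regexp"], line)
        if m:
            return entry["name"], {k: v for k, v in m.groupdict().items() if v}
    return None

def wazuh_order(fields):
    """The captured group names in the comma-separated form a Wazuh <order> takes."""
    return ", ".join(fields)

def rule_100050_matches(fields):
    """The reply's rule 100050 as field checks (its Wazuh field is named ip; the
    OSSIM group holding the same value is src_ip)."""
    return (fields.get("log_type") == "user authentication"
            and fields.get("src_ip") == "192.168.1.15"
            and fields.get("target") == "Log out")

# Sample lines: the first is the reply's test log; the second is constructed from
# the first post's WAF sample with documentation addresses in place of x.x.x.x.
LOGIN_LINE = ("Oct  5 19:50:00 <dvc> fwlog: Log type: user authentication, user:test_user, "
              "IP:192.168.1.15, target:Log out, time logged in:2016-10-05 08:45:21, "
              "online duration:39878, time logged out:19:49:59")
WAF_LINE = ("Oct  5 19:52:35 <dvc> fwlog: Log type: WAF, Src IP:10.0.0.5, Src port:49560, "
            "Dst IP:203.0.113.7, Dst port:80, attack type:HTTP error page filter, "
            "threat level:Medium, action:Logged, URL:http://example.test/index.html")

if __name__ == "__main__":
    for line in (LOGIN_LINE, WAF_LINE):
        name, fields = decode(line)
        print(name, "->", wazuh_order(fields))
        print("  rule 100050 fires:", rule_100050_matches(fields))
```

Note that the firewall regexp's URL group stops at the first slash after the host, so only the scheme and host are captured; that is the plugin's behaviour, not a defect introduced here.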
