Ruleset or decoder for Cisco FMC and FTD


Vijay Dig

Feb 9, 2021, 6:07:02 AM
to Wazuh mailing list
Hello,

I was having trouble with Cisco FMC and FTD devices, and there is no decoder and ruleset for them. Can you help by providing them? I just got one decoder from the link ("https://github.com/wazuh/wazuh-ruleset/pull/727/commits/22e8a140c5e0894b884141d71ea2f86077f73063") for Cisco FMC and FTD, but it doesn't have a ruleset.

It would be good if you can help me.

Juan Ricci

Feb 9, 2021, 8:42:25 AM
to Wazuh mailing list
Hello,
As decoders and rules for Cisco FMC/FTD are not included in the current ruleset, you can create an issue in the Wazuh GitHub repository so that we can work on them and add them to the official ruleset. If you can reply to this conversation with some example logs, I can create the issue for you and we can move forward with these new decoders and rules as soon as possible.
Another option is creating custom rules and decoders for these devices. If you are using Wazuh v4, you can use some Cisco example logs and the ossec-logtest tool (located in /var/ossec/bin) to check whether these logs are being decoded, and then move forward with the development of custom rules.
I have found the following documentation about FTD Syslog Messages that could be useful for reference: https://www.cisco.com/c/en/us/td/docs/security/firepower/Syslogs/b_fptd_syslog_guide.pdf
Also, you can refer to the Wazuh documentation for creating custom rules and decoders and testing them with ossec-logtest: https://documentation.wazuh.com/4.0/user-manual/ruleset/custom.html
As I mentioned before, you can share here (if possible) some example logs to help with both creating the issue in the Wazuh repository and creating some custom decoders and rules.
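
The custom decoder and rules described in the reply above, written out for a Cisco FTD connection event. This is an added example, not code from the thread or from the Wazuh ruleset. The sample syslog line is constructed: its key/value order follows the FTD connection-event format and must be checked against the Cisco guide linked above and against the output of your own device. Rule ids 100100-100102 and the dynamic field names severity, message_id and action are arbitrary choices; srcip, dstip, srcport, dstport and protocol are Wazuh's standard field names.

```xml
<!--
  Constructed sample line to feed to /var/ossec/bin/ossec-logtest
  (not taken from a real device; field order is assumed from the FTD format):

  %FTD-6-430003: EventPriority: Low, DeviceUUID: 00000000-0000-0000-0000-000000000000, InstanceID: 1, FirstPacketSecond: 2021-02-09T06:07:02Z, ConnectionID: 1234, AccessControlRuleAction: Block, SrcIP: 10.1.2.3, DstIP: 198.51.100.20, SrcPort: 51234, DstPort: 445, Protocol: tcp, IngressInterface: inside, EgressInterface: outside
-->

<!-- ======== /var/ossec/etc/decoders/local_decoder.xml ======== -->

<!-- Parent decoder: any FTD message of the form "%FTD-<severity>-<id>: ..." -->
<decoder name="cisco-ftd">
  <prematch>^%FTD-\d-\d+: </prematch>
</decoder>

<!-- Child: extract the syslog severity digit and the numeric message id -->
<decoder name="cisco-ftd-id">
  <parent>cisco-ftd</parent>
  <regex>^%FTD-(\d)-(\d+): </regex>
  <order>severity, message_id</order>
</decoder>

<!-- Child: connection start/end events carry the action and the 5-tuple.
     OS_Regex syntax: \w = alphanumeric, \S = non-space, \d = digit. -->
<decoder name="cisco-ftd-connection">
  <parent>cisco-ftd</parent>
  <regex>AccessControlRuleAction: (\w+), SrcIP: (\S+), DstIP: (\S+), SrcPort: (\d+), DstPort: (\d+), Protocol: (\w+)</regex>
  <order>action, srcip, dstip, srcport, dstport, protocol</order>
</decoder>

<!-- ======== /var/ossec/etc/rules/local_rules.xml ======== -->

<group name="cisco,firepower,ftd,">

  <!-- Base rule: every decoded FTD message matches here; level 0 means no alert -->
  <rule id="100100" level="0">
    <decoded_as>cisco-ftd</decoded_as>
    <description>Cisco FTD message.</description>
  </rule>

  <!-- A single connection blocked by the access control policy -->
  <rule id="100101" level="5">
    <if_sid>100100</if_sid>
    <field name="action">^Block$</field>
    <description>Cisco FTD: connection $(srcip):$(srcport) -> $(dstip):$(dstport)/$(protocol) blocked by access control policy.</description>
    <group>firewall_block,</group>
  </rule>

  <!-- Correlation: the same source blocked 10 times within 120 seconds,
       which is worth a look (scanning host, worm, or a misconfigured client) -->
  <rule id="100102" level="10" frequency="10" timeframe="120">
    <if_matched_sid>100101</if_matched_sid>
    <same_source_ip />
    <description>Cisco FTD: multiple connections from $(srcip) blocked in a short time.</description>
    <group>firewall_block,multiple_blocks,</group>
  </rule>

</group>
```

After saving both files, restart the manager (systemctl restart wazuh-manager) and paste the sample line into /var/ossec/bin/ossec-logtest: phase 2 should show decoder cisco-ftd with srcip, dstip and action filled in, and phase 3 should fire rule 100101. If your device sends a full syslog header (timestamp and hostname) in front of %FTD-..., check phase 1 of the logtest output: when the pre-decoder has taken the "%FTD-6-430003" token as program_name, the message body no longer starts with it, and the parent decoder needs a <program_name>^%FTD-\d-\d+</program_name> match instead of the anchored prematch shown here.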

Juan Ricci

Feb 11, 2021, 7:34:31 AM
to Wazuh mailing list
Hello,

Thanks for creating the issue for adding Cisco FMC/FTD rules and decoders to the official ruleset. I forgot to mention that the wazuh/wazuh-ruleset repository was deprecated. Currently, issues related to the ruleset must be opened in the main Wazuh repository. Please close the issue you have created in wazuh-ruleset and create it again in wazuh/wazuh. We will take care of it as soon as possible.

My apologies for the inconvenience.

Best regards.

Juan
