Pfsense syslog

[Galymzhan Duisebekov]

Hi all!
Logs come from PfSense via syslog and everything is shown normally in wazuh.
The problem is that unsuccessful ssh login from PfSense does not come to telegram.
The rest of the alerts from the agent come to Telegram.
How to solve?
All data is included in the attachment
Debian 12 + Wazuh 4.5.2

[Abdullah Al Rafi Fahim]

Hello Galymzhan,

Thank you for using Wazuh!

I have reviewed all the attachments you provided here. As far I can understand your issue, you are getting telegram notifications for all other alerts but not for the rule ID 2501 alerts which is triggering for unsuccessful SSH attempts at PfSense. This alerts is triggered in Wazuh end but not generating a telegram notification. 

However, as far I can see, you configured the integration to trigger alert for rule level 3 and above. In that case, the rule ID 2501 (rule level 5) should also trigger the integration just like any other level 3 or above alerts if there is no restriction in the integration script or the external app (telegram bot) side. Moreover, if you have a multi-node cluster of Wazuh Manager, you need to configure the integration in every node separately to ensure receiving notification for alerts generated in all the nodes. I would like to know the following info from your end to troubleshoot this further:

• Is your wazuh-manager architecture a multi-node cluster or a single-node? If this is a multi-node cluster, did you configure the telegram integration in all your nodes or in the master node only?
• Can you check if there is any section in your custom-telegram script which may allow or block any specific alert even after the configuration level filtering? Also please check if there is any limit for messages sent to your telegram channel which may restrict sending all the alerts.

I will wait for your response here to understand the issue and help you to troubleshoot this further.

[Galymzhan Duisebekov]

Good afternoon
Thanks for the help!
Wazuh-manager only one node.
Telegram script in attachment
Please look again at the pfsense_full_log.rtf file
In phase 2 it says "No decoder matched"
maybe this is because of this?

понедельник, 9 октября 2023 г. в 11:52:15 UTC+6, Abdullah Al Rafi Fahim:

[Abdullah Al Rafi Fahim]

Hello Galymzhan,

I have reviewed your integration script and other details. I found no specific restriction that may block this specific alert from there. 

However, as you are suspecting this to be related to no decoder matched for this log, I have created a custom decoder and rule for this specific log sample.

Decoder:

<decoder name="pfsense-custom">
   <prematch>pfSense</prematch>
</decoder>

<decoder name="pfsense-custom-child">
   <parent>pfsense-custom</parent>
   <prematch offset="after_parent">sshd</prematch>
   <regex offset="after_prematch">Authentication error for (\S+) from (\d+.\d+.\d+.\d+)</regex>
   <order>user, srcip</order>
</decoder>

Rule:

<group name="authentication_failed,syslog,access_control,">

  <rule id="220001" level="5">
    <if_sid>2501</if_sid>
    <decoded_as>pfsense-custom</decoded_as>
    <match>Authentication error</match>
    <description>SSH Authentication failed at pfSense.</description>
  </rule>

</group>

Here is the logtest result after adding this custom decoder and rule:

You can use this decoder and rule and then test with some ssh failed attempts to trigger alert to check if the notifications are received at telegram end or not. If you want to make any changes in the custom decoder and rule, you can follow these official documents for that:

• Creating decoders and rules from scratch | Wazuh | The Open Source Security Platform
• Custom rules and decoders - Ruleset · Wazuh documentation
• Decoders Syntax - Ruleset XML syntax · Wazuh documentation
• Rules Syntax - Ruleset XML syntax · Wazuh documentation
• Regular Expression Syntax - Ruleset XML syntax · Wazuh documentation

I hope it helps. Please let us know how it goes.