create decoder and rule for Sophos firewall


Elliot Alderson

Feb 11, 2023, 2:20:57 AM
to Wazuh mailing list
Good morning.
I installed Wazuh in my organization. Could you help me create the decoders and rules to be able to see the failed login events of my Sophos firewall?


2023-02-11 01:38:07Adminmessageid="17507" log_type="Event" log_component="GUI" log_subtype="Admin" status="Failed" user="root" src_ip="192.168.2.19" additional_information="" message="User root failed to login to Web Admin Console because of wrong credentials"

Thank you very much in advance

Juan Carlos Tello

Feb 11, 2023, 3:55:56 AM
to Elliot Alderson, Wazuh mailing list
Good morning Elliot,

I'll be more than happy to help you with this. I see that Wazuh already has rules and decoders for some Sophos firewall messages, but they specifically look for messages that begin with the string "device=", which is not the case for your log.

In the case of your log, I notice that there is no space between the timestamp and the first field, which seems odd, so I ask you to check whether this is always the case in the log source, since this will affect how the log is interpreted.

Since the fields follow the [label]="[value]" format, we can benefit from using sibling decoders, for example:
<decoder name="sophos-firewall">
  <prematch>^\d\d\d\d-\d\d-\d\d \d\d:\d\d:\d\dAdminmessageid</prematch>
</decoder>

<decoder name="sophos-firewall">
  <parent>sophos-firewall</parent>
  <regex>Adminmessageid="(\d+)"</regex>
  <order>Adminmessageid</order>
</decoder>

<decoder name="sophos-firewall">
  <parent>sophos-firewall</parent>
  <regex>status="(\w+)"</regex>
  <order>status</order>
</decoder>

<decoder name="sophos-firewall">
  <parent>sophos-firewall</parent>
  <regex>user="(\w+)"</regex>
  <order>user</order>
</decoder>

<decoder name="sophos-firewall">
  <parent>sophos-firewall</parent>
  <regex>src_ip="(\.+)"</regex>
  <order>srcip</order>
</decoder>

Then for the rules you may use the following as a starting point:
<group name="sophos-firewall,">

  <rule id="100020" level="0">
    <decoded_as>sophos-firewall</decoded_as>
    <description>Rule to match all events decoded as sophos-firewall</description>
  </rule>

  <rule id="100021" level="5">
    <if_sid>100020</if_sid>
    <match>failed to login</match>
    <description>Sophos-firewall login failure</description>
    <group>authentication_failed,</group>
  </rule>
</group>

I hope you find this helpful, don't hesitate to let us know if you have any more questions.
Best regards,
Juan C. Tello





Elliot Alderson

Feb 13, 2023, 12:26:21 PM
to Wazuh mailing list
Hello Juan Carlos,

I added the decoders and rules that you shared with me, and I can now see the failed login events in Wazuh. Thank you very much for the help.

Now I would like to know how to create more decoders and rules to be able to see the events from IPS, ATP, Malware, web protection, application protection, etc.

I thank you in advance for your kind help.


Advanced threat protection
2023-02-13 12:09:10 Advanced threat protection messageid="18010" log_type="ATP" log_component="IPS" log_subtype="Drop" user="" protocol="UDP" src_port="53" dst_port="49076" src_ip="8.8.8.8" dst_ip="161.132.18.162" url="www.webintsoure.xyz" threat="C2/Generic-A" event_id="1FCB8B24-3082-4AA2-BE71-C1E2D592EB61" type="Standard" host_login_user="" host_process_user="" endpoint_id="" execution_path=""


Application filter
2023-02-13 12:11:00 Application filter messageid="17051" log_type="Content Filtering" log_component="Application" log_subtype="Denied" fw_rule_id="31" user="" user_group="" appfilter_policy_id="8" category="P2P" app_name="Torrent Clients P2P" app_risk="5" app_technology="P2P" app_category="P2P" src_ip="104.244.79.56" src_country="LUX" dst_ip="161.132.19.175" dst_country="PER" protocol="UDP" src_port="38290" dst_port="6881" bytes_sent="0" bytes_received="0" status="" message="" appresolvedby="Signature"

Web filter
2023-02-13 12:11:35 Web filter messageid="16002" log_type="Content Filtering" log_component="HTTP" log_subtype="Denied" status="" fw_rule_id="55" user="" user_group="" web_policy_id="0" web_policy="" category="" category_type="Acceptable" url="" content_type="" override_token="" response_code="" src_ip="161.132.7.7" dst_ip="161.132.19.231" protocol="TCP" src_port="34377" dst_port="80" bytes_sent="0" bytes_received="0" domain="" exception="" activity_name="" reason="Unsupported HTTP version encountered." user_agent="" status_code="505" transaction_id="f2e32c9f-3501-484b-bd92-be33b41e9c17" referer="" download_file_name="" download_file_type="" upload_file_name="" upload_file_type="" con_id="1835111104" app_name="" app_is_cloud="0" override_name="" override_authorizer="" used_quota="0"



Malware
2023-02-13 08:21:23 Malware messageid="08001" message="Malware 'CXweb/JSDl-CB5' was detected and blocked in a download from nietolem.com" log_type="Anti-Virus" log_component="HTTP" log_subtype="Virus" status="" fw_rule_id="25" user="" web_policy_id="0" policy_name="" virus="CXweb/JSDl-CB5" url="http://nietolem.com/wp-includes/js/jquery/jquery.min.js" domain="nietolem.com" src_ip="104.131.138.121" src_country="USA" dst_ip="161.132.18.133" dst_country="PER" protocol="TCP" src_port="36817" dst_port="80" bytes_sent="214" bytes_received="92023" user_agent="Googlebot/2.X (http://www.googlebot.com/bot.html)" status_code="403"


Zero-day protection
2023-02-13 09:05:03 Zero-day protection messageid="18041" log_type="Sandbox" log_component="Web" log_subtype="Allowed" user="" src_ip="190.119.114.41" file_name="ENERO- JLO-2023.rar" file_type="application/x-rar-compressed" file_size="4861909" sha1sum="924134321988df3488cd1366f51e0e302d343b492123878fd44e0806e91caddb" host="aerogas.com.pe" reason="cached likely clean" domain="" subject=""


SYSTEM
2023-02-13 06:22:11 SYSTEM messageid="17819" log_type="Event" log_component="Anti-Virus" log_subtype="System" status="Successful" additional_information="oldversion=1.0.420975 newversion=1.0.420977 " message="Avira AV definitions upgraded from 1.0.420975 to 1.0.420977."


Firewall
2023-02-13 12:16:24 Firewall messageid="01001" log_type="Firewall" log_component="Invalid Traffic" log_subtype="Denied" status="Deny" con_duration="0" fw_rule_id="54" nat_rule_id="0" policy_type="1" user="" user_group="" web_policy_id="0" ips_policy_id="14" appfilter_policy_id="8" app_name="Secure Socket Layer Protocol" app_risk="1" app_technology="Network Protocol" app_category="Infrastructure" vlan_id="" ether_type="IPv4 (0x0800)" bridge_name="" bridge_display_name="" in_interface="" in_display_interface="" out_interface="" out_display_interface="" src_mac="" dst_mac="" src_ip="190.81.164.100" src_country="PER" dst_ip="161.132.19.54" dst_country="PER" protocol="TCP" src_port="56709" dst_port="443" packets_sent="0" packets_received="0" bytes_sent="0" bytes_received="0" src_trans_ip="" src_trans_port="0" dst_trans_ip="" dst_trans_port="0" src_zone_type="" src_zone="" dst_zone_type="" dst_zone="" con_direction="" con_id="" virt_con_id="" hb_status="No Heartbeat" message="Invalid TCP state." appresolvedby="Signature" app_is_cloud="0"

Juan Carlos Tello

Feb 15, 2023, 9:39:25 AM
to Elliot Alderson, Wazuh mailing list
Hi Elliot,
I notice from these logs that most of them do have a space between the timestamp and the type of message, which is invariably followed by the messageid field.
Given that there are 95 different types of fields in the 8 logs you've provided so far, I've adapted the script I created for CEF and LEEF logs to automatically create the sibling decoders for this. Find the script attached.

Note that there is an over-reaching decoder in the Wazuh stock ruleset that incorrectly identifies these types of logs as "windows-time-format" logs, so we can have our decoders load first by using a lower number at the beginning of the filename, which is why I've named this file 0370-sophosfw_decoders.xml.

Once we have decoders you may easily add rules that either match a specific decoded field or just a string within the message, for example:

<group name="sophos-firewall,">

  <rule id="100022" level="5">
    <if_sid>100020</if_sid>
    <match>Advanced threat protection</match>
    <description>Sophos-firewall threat protection message</description>
  </rule>

  <rule id="100023" level="5">
    <if_sid>100020</if_sid>
    <match>Application filter</match>
    <description>Sophos-firewall application filter message</description>
  </rule>

  <!-- Match on a decoded field rather than a raw string; the decoder must produce log_component. -->
  <rule id="100024" level="3">
    <if_sid>100020</if_sid>
    <field name="log_component">Anti-Virus</field>
    <description>Sophos-firewall Antivirus message</description>
  </rule>
</group>

Let me know if you have any more questions,
Best Regards,
Juan C. Tello

sophosfw_decoder_generator.py
0370-sophosfw_decoders.xml
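The sibling-decoder approach from the first reply and the decoder generator described in the last message can be illustrated with the following Python sketch. This is an added example written for this page; it is not the sophosfw_decoder_generator.py attachment (which is not reproduced here) and not Wazuh project code. It parses the two header shapes seen in the thread (the fused "01:38:07Adminmessageid=" form and the usual "<timestamp> <Log kind> messageid=" form), collects the union of key="value" field names across the samples, and emits one parent decoder plus one sibling decoder per field. The decoder name, the FIELD_MAP renaming of src_ip/dst_ip/src_port/dst_port onto Wazuh's well-known field names, and the sample log values are this example's own assumptions; the OS_Regex tokens it relies on are `\.` (any character) and `\S` (any non-whitespace character).

```python
"""Parse Sophos Firewall key="value" events and generate Wazuh sibling decoders.

Added example for this thread; not the script attached to the mailing-list
message. Decoder name and field renaming below are this example's own choices.
"""
import re

# Constructed sample lines modelled on two log shapes in the thread: one with the
# log kind fused to the timestamp ("...01:38:07Adminmessageid=") and one with the
# usual "<timestamp> <Log kind> messageid=" header. Addresses and ids are illustrative.
SAMPLE_LOGS = [
    '2023-02-11 01:38:07Adminmessageid="17507" log_type="Event" log_component="GUI" '
    'log_subtype="Admin" status="Failed" user="root" src_ip="192.168.2.19" '
    'additional_information="" message="User root failed to login to Web Admin '
    'Console because of wrong credentials"',
    '2023-02-13 12:09:10 Advanced threat protection messageid="18010" log_type="ATP" '
    'log_component="IPS" log_subtype="Drop" user="" protocol="UDP" src_port="53" '
    'dst_port="49076" src_ip="8.8.8.8" dst_ip="161.132.18.162" threat="C2/Generic-A"',
]

# Header: timestamp, optional space, free-text log kind, then the first key/value
# pair, which in these logs is always messageid.
HEADER_RE = re.compile(
    r'^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s*(?P<kind>.*?)messageid="(?P<msgid>\d+)"'
)
# Body: key="value" pairs; values may be empty or contain spaces, never embedded quotes.
KV_RE = re.compile(r'(\w+)="([^"]*)"')

# Sophos names mapped onto Wazuh well-known field names (this example's choice).
FIELD_MAP = {"src_ip": "srcip", "dst_ip": "dstip", "src_port": "srcport", "dst_port": "dstport"}


def parse_sophos(line):
    """Return the event as a dict, or None when the line is not a Sophos event."""
    m = HEADER_RE.match(line)
    if m is None:
        return None
    event = {
        "timestamp": m.group("ts"),
        "log_kind": m.group("kind").strip(),  # "Admin" or "Advanced threat protection"
        "messageid": m.group("msgid"),
    }
    for key, value in KV_RE.findall(line[m.end():]):
        event[key] = value
    return event


def collect_fields(lines):
    """Map each field name seen in the samples to True when every observed value
    was a single non-blank token; that decides which OS_Regex class the decoder uses."""
    simple = {}
    for line in lines:
        event = parse_sophos(line)
        if event is None:
            continue
        for key, value in event.items():
            if key in ("timestamp", "log_kind"):
                continue
            is_token = bool(value) and not re.search(r"\s", value)
            simple[key] = simple.get(key, True) and is_token
    return simple


def build_decoders(lines, name="sophos-firewall"):
    """Emit one parent decoder plus one sibling decoder per field, as Wazuh XML."""
    fields = collect_fields(lines)
    out = [
        f'<decoder name="{name}">',
        # \.* in OS_Regex is "any run of characters": it covers both the fused
        # "Adminmessageid" header and the spaced "Advanced threat protection messageid".
        r'  <prematch>^\d\d\d\d-\d\d-\d\d \d\d:\d\d:\d\d\.*messageid="</prematch>',
        "</decoder>",
        "",
    ]
    for key in sorted(fields):
        # \S+ (non-blank run) when the field never held spaces or an empty value;
        # \.* otherwise, so message="..." and user="" still decode.
        pattern = r"\S+" if fields[key] else r"\.*"
        out += [
            f'<decoder name="{name}">',
            f"  <parent>{name}</parent>",
            f'  <regex>{key}="({pattern})"</regex>',
            f"  <order>{FIELD_MAP.get(key, key)}</order>",
            "</decoder>",
            "",
        ]
    return "\n".join(out).rstrip() + "\n"


if __name__ == "__main__":
    print(build_decoders(SAMPLE_LOGS))
```

Feed it the real log lines from the firewall, save the output under /var/ossec/etc/decoders/ with a low numeric prefix such as the 0370-sophosfw_decoders.xml name used in the message so it loads ahead of the stock decoder, restart wazuh-manager, and confirm the decoded fields with /var/ossec/bin/wazuh-logtest before writing rules that match on them.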