Sonicwall logs.. again..


Giorgio Biondi

Mar 19, 2019, 11:00:01 AM
to Wazuh mailing list
Hi all,

Tired of having to decode everything that comes from Sonicwall.. is it possible to make sure that everything that comes from the Sonicwall syslog is stored as full_log in the database?
At least that way I don't lose information...

Juan Carlos

Mar 20, 2019, 4:33:37 AM
to Wazuh mailing list
Ciao Giorgio,

A simple way to catch all messages from sonicwall is to add the rule:
<group name="syslog,sonicwall,">
  <rule id="4800" level="3">
    <decoded_as>sonicwall</decoded_as>
    <description>SonicWall messages grouped.</description>
  </rule>
</group>

And exclude the default rule file by adding this to the <ruleset> section of the manager's ossec.conf file:
<rule_exclude>0080-sonicwall_rules.xml</rule_exclude>

I'm sorry this has proven to be so much work, I look forward to including the decoders we've been working on with you to the default ruleset.
Best Regards,
Juan Carlos Tello

Giorgio Biondi

Mar 21, 2019, 6:42:29 AM
to Wazuh mailing list
Hi Juan,

Thanks. Going to try it...

All the best.

Giorgio Biondi

Mar 21, 2019, 6:57:04 AM
to Wazuh mailing list
Ehm.. sorry, I forgot..

Where do I put this rule?

<group name="syslog,sonicwall,">
  <rule id="4800" level="3">
    <decoded_as>sonicwall</decoded_as>
    <description>SonicWall messages grouped.</description>
  </rule>
</group>


In 0295-sonicwall_decoders.xml?

Juan Carlos

Mar 21, 2019, 6:59:47 AM
to Wazuh mailing list
Hello Giorgio,
/var/ossec/etc/rules/local_rules.xml is a good place.

Just don't forget to add the exclusion to the ossec.conf file or there will be a conflict.

Best Regards,
Juan Carlos Tello

Giorgio Biondi

Mar 21, 2019, 7:16:26 AM
to Wazuh mailing list
Hi Juan,
I understand.. and.. since you're answering me, I'll stress you a bit: :-)
Let me clarify: the logs of the Sonicwall machines, IMHO, seem simple to decode.. if we look at the log, it appears to be a series of fields, each one a variable name, then the "=" sign, then the value of the variable itself. Shouldn't that be easy to decode? And since I don't know how many fields there are, I keep decoding until I reach the end of the string:

id=NSA2650GG sn=18B169D79980 time="2019-03-21 10:58:39 UTC" fw=83.211.91.146 pri=3 c=4 m=14 msg="Web site access denied" app=9335 n=952652 src=192.168.0.94:52186:X0:pc005.interconsult.it dst=2.20.80.49:443:X1:a2-20-80-49.deploy.static.akamaitechnologies.com srcMac=74:27:ea:b8:7b:5c dstMac=1a:b1:69:d7:99:80 proto=tcp/https dstname=itunes.apple.com arg=/ code=49 Category="Freeware/Software Downloads"

Am I making it too simple???
:-)

All the best

Juan Carlos

Apr 29, 2019, 6:12:58 AM
to Wazuh mailing list
Hello Giorgio,

Sorry for the late response.

Yes, you may extract the fields and indeed it is simple to decode messages separated by spaces and whose field names are specified before an "=" character.

However, since Sonicwall messages don't always have the same fields, it is necessary to configure the decoders to account for the different possible cases.

This can be done by adding a decoder for each of the possible message patterns or by using sibling decoders.

From the different Sonicwall messages I have seen there are 25 fields present:
app, appName, arg, c, Category, check, code, dst, dstMac, dstV6, dstname, fw, id, m, msg, n, note, pri, proto, rule, sn, src, srcMac, srcV6, time

The fields src and dst can have different formats depending on whether they include port and network information, and some of the fields may have spaces in them, in which case their value is enclosed in quotes.

So for example a way of decoding all of these would be by using this custom decoder file:

<!-- Parent decoder: matches the fixed start of every SonicWall message
     (id=, sn=, time=, fw=) and hands the line to the built-in plugin decoder. -->
<decoder name="sonicwall">
  <prematch>^id=\w+\s+sn=\w+\s+time="\.+"\s+fw=\S+ </prematch>
  <plugin_decoder>SonicWall_Decoder</plugin_decoder>
</decoder>

<!-- Sibling decoders: same name and same parent, each one extracts a single
     field, so a message is decoded whichever subset of the fields it carries.
     Quoted values (may contain spaces) use "(\.+)", bare values use (\S+). -->
<decoder name="sonicwall-fields">
  <parent>sonicwall</parent>
  <regex>app=(\S+)</regex>
  <order>app</order>
</decoder>

<decoder name="sonicwall-fields">
  <parent>sonicwall</parent>
  <regex>appName="(\.+)"</regex>
  <order>appName</order>
</decoder>

<decoder name="sonicwall-fields">
  <parent>sonicwall</parent>
  <regex>arg=(\S+)</regex>
  <order>arg</order>
</decoder>

<decoder name="sonicwall-fields">
  <parent>sonicwall</parent>
  <regex>c=(\S+)</regex>
  <order>c</order>
</decoder>

<decoder name="sonicwall-fields">
  <parent>sonicwall</parent>
  <regex>Category="(\.+)"</regex>
  <order>Category</order>
</decoder>

<decoder name="sonicwall-fields">
  <parent>sonicwall</parent>
  <regex>check=(\S+)</regex>
  <order>check</order>
</decoder>

<decoder name="sonicwall-fields">
  <parent>sonicwall</parent>
  <regex>code=(\S+)</regex>
  <order>code</order>
</decoder>

<decoder name="sonicwall-fields">
  <parent>sonicwall</parent>
  <regex>dstMac=(\S+)</regex>
  <order>dstMac</order>
</decoder>

<decoder name="sonicwall-fields">
  <parent>sonicwall</parent>
  <regex>dstV6=(\S+)</regex>
  <order>dstV6</order>
</decoder>

<decoder name="sonicwall-fields">
  <parent>sonicwall</parent>
  <regex>dstname=(\S+)</regex>
  <order>dstname</order>
</decoder>

<decoder name="sonicwall-fields">
  <parent>sonicwall</parent>
  <regex>fw=(\S+)</regex>
  <order>fw</order>
</decoder>

<decoder name="sonicwall-fields">
  <parent>sonicwall</parent>
  <regex>id=(\S+)</regex>
  <order>id</order>
</decoder>

<decoder name="sonicwall-fields">
  <parent>sonicwall</parent>
  <regex>m=(\S+)</regex>
  <order>m</order>
</decoder>

<decoder name="sonicwall-fields">
  <parent>sonicwall</parent>
  <regex>msg="(\.+)"</regex>
  <order>msg</order>
</decoder>

<decoder name="sonicwall-fields">
  <parent>sonicwall</parent>
  <regex>n=(\S+)</regex>
  <order>n</order>
</decoder>

<decoder name="sonicwall-fields">
  <parent>sonicwall</parent>
  <regex>note="(\.+)"</regex>
  <order>note</order>
</decoder>

<decoder name="sonicwall-fields">
  <parent>sonicwall</parent>
  <regex>proto=(\S+)</regex>
  <order>proto</order>
</decoder>

<decoder name="sonicwall-fields">
  <parent>sonicwall</parent>
  <regex>rule="(\.+)"</regex>
  <order>rule</order>
</decoder>

<decoder name="sonicwall-fields">
  <parent>sonicwall</parent>
  <regex>sn=(\S+)</regex>
  <order>sn</order>
</decoder>

<decoder name="sonicwall-fields">
  <parent>sonicwall</parent>
  <regex>srcMac=(\S+)</regex>
  <order>srcMac</order>
</decoder>

<decoder name="sonicwall-fields">
  <parent>sonicwall</parent>
  <regex>srcV6=(\S+)</regex>
  <order>srcV6</order>
</decoder>

<decoder name="sonicwall-fields">
  <parent>sonicwall</parent>
  <regex>time="(\.+)"</regex>
  <order>time</order>
</decoder>

<!-- The same values again, mapped onto the standard field names
     (status, action, srcip/srcport, dstip/dstport) so existing rules that
     key on those names keep working. -->
<decoder name="sonicwall-fields">
  <parent>sonicwall</parent>
  <regex>pri=(\S+)</regex>
  <order>status</order>
</decoder>

<decoder name="sonicwall-fields">
  <parent>sonicwall</parent>
  <regex> msg="(\.+)"</regex>
  <order>action</order>
</decoder>

<decoder name="sonicwall-fields">
  <parent>sonicwall</parent>
  <regex>dst=(\d+.\d+.\d+.\d+)</regex>
  <order>dstip</order>
</decoder>

<decoder name="sonicwall-fields">
  <parent>sonicwall</parent>
  <regex>src=(\d+.\d+.\d+.\d+)</regex>
  <order>srcip</order>
</decoder>

<decoder name="sonicwall-fields">
  <parent>sonicwall</parent>
  <regex>dst=\d+.\d+.\d+.\d+:(\d+)</regex>
  <order>dstport</order>
</decoder>

<decoder name="sonicwall-fields">
  <parent>sonicwall</parent>
  <regex>src=\d+.\d+.\d+.\d+:(\d+)</regex>
  <order>srcport</order>
</decoder>

More fields may be added as necessary.
Also don't forget to exclude the default rule file by adding this to the <ruleset> section of the manager's ossec.conf file:
<decoder_exclude>ruleset/decoders/0295-sonicwall_decoders.xml</decoder_exclude>

Let me know if this helps, we will be soon posting a more detailed explanation of sibling decoders on our blog.

Best Regards,
Juan Carlos Tello
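As an added example that is not part of the thread and not Wazuh's own code, here is a small Python parser for the same key=value format. It covers the cases Juan Carlos lists (quoted values containing spaces, src/dst carrying an optional port, interface and hostname) and reports any key outside his 25-field list, so a new message type shows up as "unknown" instead of silently losing data. The first sample line is the one Giorgio posted; the second line, including its sess= key, is constructed for illustration.

```python
"""Parse SonicWall key=value syslog bodies into a flat dict.

Added example: does in Python what the sibling decoders in the thread do in
Wazuh's regex syntax, so the quoting and src/dst edge cases can be checked offline.
"""
import re
from typing import Dict, List, Union

# The 25 field names listed in the thread. Anything else is reported as
# "unknown" so that a decoder gap is visible instead of being dropped.
KNOWN_FIELDS = {
    "app", "appName", "arg", "c", "Category", "check", "code", "dst", "dstMac",
    "dstV6", "dstname", "fw", "id", "m", "msg", "n", "note", "pri", "proto",
    "rule", "sn", "src", "srcMac", "srcV6", "time",
}

# key=value pairs separated by whitespace. A value is either a double-quoted
# string (which may contain spaces) or a run of non-space characters. The
# lookbehind stops a match from starting in the middle of a bare value.
_KV_RE = re.compile(r'(?<!\S)(\w+)=("[^"]*"|\S+)')

# src/dst values look like ip[:port[:interface[:hostname]]] (IPv4 only;
# IPv6 addresses travel in srcV6/dstV6 instead).
_ENDPOINT_PARTS = ("ip", "port", "iface", "host")


def parse_kv(line: str) -> Dict[str, str]:
    """Return the raw key=value pairs of one message, with quotes stripped."""
    fields: Dict[str, str] = {}
    for key, value in _KV_RE.findall(line):
        if len(value) >= 2 and value[0] == '"' and value[-1] == '"':
            value = value[1:-1]
        fields[key] = value
    return fields


def split_endpoint(value: str) -> Dict[str, str]:
    """Split 'ip:port:iface:host' into whichever components are present."""
    parts = value.split(":", len(_ENDPOINT_PARTS) - 1)
    return {name: part for name, part in zip(_ENDPOINT_PARTS, parts) if part}


def decode(line: str) -> Dict[str, Union[str, List[str]]]:
    """Decode one message into raw fields plus the derived names the thread uses.

    Adds srcip/srcport/srciface/srchost (same for dst), 'status' (copy of pri)
    and 'action' (copy of msg), and an 'unknown' list of keys not in KNOWN_FIELDS.
    """
    raw = parse_kv(line)
    out: Dict[str, Union[str, List[str]]] = dict(raw)
    for side in ("src", "dst"):
        if side in raw:
            for name, part in split_endpoint(raw[side]).items():
                out[side + name] = part  # srcip, srcport, srciface, srchost, ...
    if "pri" in raw:
        out["status"] = raw["pri"]
    if "msg" in raw:
        out["action"] = raw["msg"]
    out["unknown"] = sorted(k for k in raw if k not in KNOWN_FIELDS)
    return out


# The message posted in the thread.
SAMPLE = (
    'id=NSA2650GG sn=18B169D79980 time="2019-03-21 10:58:39 UTC" fw=83.211.91.146 '
    'pri=3 c=4 m=14 msg="Web site access denied" app=9335 n=952652 '
    'src=192.168.0.94:52186:X0:pc005.interconsult.it '
    'dst=2.20.80.49:443:X1:a2-20-80-49.deploy.static.akamaitechnologies.com '
    'srcMac=74:27:ea:b8:7b:5c dstMac=1a:b1:69:d7:99:80 proto=tcp/https '
    'dstname=itunes.apple.com arg=/ code=49 Category="Freeware/Software Downloads"'
)

# Constructed message (not from the thread): fewer fields, no port on src,
# and a key (sess) outside the 25-field list.
SAMPLE_SHORT = (
    'id=NSA2650GG sn=18B169D79980 time="2019-03-21 11:02:10 UTC" fw=83.211.91.146 '
    'pri=6 c=16 m=98 msg="Connection Opened" src=192.168.0.10::X0 dst=8.8.8.8:53:X1 '
    'proto=udp/dns sess="Web" note="custom"'
)

if __name__ == "__main__":
    for line in (SAMPLE, SAMPLE_SHORT):
        for key, value in decode(line).items():
            print(f"{key}={value!r}")
        print("---")
```

Running the file prints both decoded messages; the "unknown" entry of the second one names the key that the thread's decoder file has no sibling for, which is the signal to add another sonicwall-fields decoder. The equivalent check for the real decoders is to feed the same lines through /var/ossec/bin/ossec-logtest on the manager and compare the extracted fields.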
