Rules for Sophos XGS 126


Papa Yank

Oct 14, 2025, 2:00:34 AM (7 days ago) Oct 14
to Wazuh | Mailing List
Hello all, 

Can someone help me with rules for Sophos XGS 126? I currently have a rule which puts everything under one firewall event. I would like something that does more. Here's my current rule:

Rule:
<group name="sophos-fw-xgs126,">
  <rule id="111100" level="0">
    <decoded_as>sophos-fw-xgs126</decoded_as>
    <description>Sophos XG210 Firewall event</description>
  </rule>
</group>

I would like something that does the following but I can't get the syntax right for XGS 126. 



<group name="sophos_xgs,firewall,">
<!-- Base: anything parsed by sophos-fw-xgs -->
<rule id="960100" level="2">
<if_decoder_name>sophos-fw-xgs</if_decoder_name>
<description>Sophos XGS event observed</description>
<options>no_full_log</options>
</rule>
<!-- VPN login success -->
<rule id="960190" level="3">
<if_decoder_name>sophos-fw-xgs</if_decoder_name>
<field name="log_type">VPN</field>
<field name="log_subtype">Allowed</field>
<description>Sophos XGS: VPN login success for user ${srcuser} from ${srcip}</description>
<group>vpn,authentication,</group>
</rule>
<!-- VPN login failed -->
<rule id="960191" level="6">
<if_decoder_name>sophos-fw-xgs</if_decoder_name>
<field name="log_type">VPN</field>
<field name="log_subtype">Denied</field>
<description>Sophos XGS: VPN login failed for user ${srcuser} from ${srcip}</description>
<group>vpn,authentication,threat,</group>
<mitre>
<id>T1110</id>
<!-- Brute Force -->
</mitre>
</rule>
<!-- Repeated VPN failures from same source -->
<rule id="960192" level="9" frequency="5" timeframe="300" same_field="srcip">
<if_matched_sid>960191</if_matched_sid>
<description>Sophos XGS: Multiple VPN login failures from ${srcip} (≥5 in 5m)</description>
<group>vpn,bruteforce,authentication,threat,</group>
<mitre>
<id>T1110</id>
</mitre>
</rule>
<!-- Allowed (low level; for visibility/dashboards) -->
<rule id="960110" level="2">
<if_matched_sid>960100</if_matched_sid>
<field name="log_type">Firewall</field>
<field name="log_subtype">Allowed</field>
<description>Sophos XGS: Allowed ${srcip} → ${dstip}:${dstport} ${protocol}</description>
<options>no_full_log</options>
<group>allow,noise_reduced,</group>
</rule>
<!-- Denied -->
<rule id="960120" level="6">
<if_matched_sid>960100</if_matched_sid>
<field name="log_type">Firewall</field>
<field name="log_subtype">Denied</field>
<description>Sophos XGS: Denied ${srcip} → ${dstip}:${dstport} ${protocol}</description>
<group>deny,network,threat,</group>
<mitre>
<id>T1046</id>
</mitre>
</rule>
<!-- Denied burst from same src -->
<rule id="960121" level="9" frequency="10" timeframe="300" same_field="srcip">
<if_matched_sid>960120</if_matched_sid>
<description>Sophos XGS: Multiple denied connections from ${srcip} (≥10 in 5m)</description>
<group>deny,bruteforce,threat,</group>
<mitre>
<id>T1110</id>
</mitre>
</rule>
<!-- Invalid Traffic: "Could not associate packet to any connection." -->
<rule id="960130" level="5">
<if_matched_sid>960100</if_matched_sid>
<field name="log_component">Invalid Traffic</field>
<match>Could not associate packet to any connection</match>
<description>Sophos XGS: Invalid traffic ${srcip} → ${dstip}:${dstport} (no session match)</description>
<group>invalid_traffic,network,</group>
</rule>
<!-- Spike of Invalid Traffic -->
<rule id="960131" level="8" frequency="20" timeframe="300" same_field="srcip">
<if_matched_sid>960130</if_matched_sid>
<description>Sophos XGS: Surge of invalid traffic from ${srcip} (≥20 in 5m)</description>
<group>invalid_traffic,threat,</group>
</rule>
<!-- ICMP error messages -->
<rule id="960140" level="3">
<if_matched_sid>960100</if_matched_sid>
<field name="log_component">ICMP ERROR MESSAGE</field>
<description>Sophos XGS: ICMP error ${srcip} → ${dstip}</description>
<group>icmp,network,</group>
</rule>
<!-- User and App visibility (keep low-level for dashboards) -->
<rule id="960150" level="2">
<if_matched_sid>960100</if_matched_sid>
<field name="srcuser">.+</field>
<description>Sophos XGS: User ${srcuser} ${srcip} → ${dstip}:${dstport} (${protocol})</description>
<options>no_full_log</options>
<group>user_activity,visibility,</group>
</rule>
<rule id="960151" level="2">
<if_matched_sid>960100</if_matched_sid>
<field name="app">.+</field>
<description>Sophos XGS: App ${app} ${srcip} → ${dstip}:${dstport}</description>
<options>no_full_log</options>
<group>app_activity,visibility,</group>
</rule>
<!-- Elevate on denied to sensitive ports -->
<rule id="960160" level="8">
<if_matched_sid>960120</if_matched_sid>
<regex field="dstport">^(22|23|25|53|80|110|143|389|443|445|465|587|993|995|1433|1521|2049|2375|2376|3306|3389|5432|5900|5985|5986|6379|8080|9200|9300|11211)$</regex>
<description>Sophos XGS: Denied to sensitive service ${dstport} from ${srcip}</description>
<group>deny,sensitive,threat,</group>
</rule>
<!-- Denied concentration on one target -->
<rule id="960170" level="7" frequency="30" timeframe="300" same_field="dstip">
<if_matched_sid>960120</if_matched_sid>
<description>Sophos XGS: Multiple denied hits targeting ${dstip} (≥30 in 5m)</description>
<group>deny,threat,dos,</group>
</rule>
<!-- Denied with explicit message text -->
<rule id="960180" level="6">
<if_matched_sid>960120</if_matched_sid>
<field name="message">.+</field>
<description>Sophos XGS: Denied "${message}" (${srcip} → ${dstip}:${dstport})</description>
<group>deny,context,</group>
</rule>
</group>


Thank you.

Md. Nazmur Sakib

Oct 14, 2025, 4:01:54 AM (7 days ago) Oct 14
to Wazuh | Mailing List

Hello Juli,

There are multiple syntax errors in your rules.

<if_decoder_name>sophos-fw-xgs</if_decoder_name> is not correct syntax; it should be decoded_as:
<decoded_as>sophos-fw-xgs126</decoded_as>

if_sid is used for referring to a parent rule.
if_matched_sid is used for referring to a parent rule with frequency and timeframe.

Inside <rule>, you cannot use same_srcip.
Inside a description, you can use the following syntax to add a field to the description: $(field_name).

Also, there are some other regex errors inside the rules. I would suggest not using tools like LLMs and AI for writing rules. You can use them for getting ideas, but review them using the Wazuh documents.

Check these documents to review and write your rules with correct syntax and regex:

Rules Syntax

Regular Expression Syntax

I have reviewed your rules using this log sample.
device_name="SFW" timestamp="2025-10-06T09:12:09+0000" device_model="XGS126" device_serial_id="X123008X39D6G70" log_id="010102600002" log_type="Firewall" log_component="Firewall Rule" log_subtype="Denied" log_version=1 severity="Information" fw_rule_id="12" fw_rule_name="VLAN 1 TO WAN - Level 3b" fw_rule_section="Local rule" nat_rule_id="0" fw_rule_type="BUSINESS" web_policy_id=2 ips_policy_id=5 app_filter_policy_id=10 ether_type="IPv4 (0x0800)" in_interface="Port1" src_mac="3c:1e:04:00:0e:28" src_ip="192.168.2.19" src_country="R1" dst_ip="154.160.48.9" dst_country="GHA" protocol="TCP" src_port=55580 dst_port=443 hb_status="No Heartbeat" app_resolved_by="Signature" app_is_cloud="FALSE" qualifier="New" in_display_interface="Port1" log_occurrence="1"


I have uploaded the updated rules in this link:
https://github.com/sakib789/Wazuh-magic/blob/main/sophos-fw-xgs126.xml
(attached screenshot: rule12.png)
You can do further modifications to the rules following the above documents.

Let me know if you need any further information.
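Applying the corrections above to a few of the draft rules from the first post, as an added example that is not Nazmur's uploaded file and not a Wazuh-shipped rule: it keeps the asker's rule IDs, points decoded_as at the sophos-fw-xgs126 decoder name, uses if_sid for plain parent references and if_matched_sid with a <same_srcip /> element for the frequency rules (the draft put same_field="srcip" in the <rule> tag's attributes, which is what cannot be used), and writes fields into descriptions as $(field). The VPN rules assume log_type="VPN", log_subtype Allowed/Denied and a decoded user_name field; those names come from the draft rules and the decoders in this thread, not from a VPN log sample, so verify them against a real VPN event before relying on them.

```xml
<group name="sophos_xgs,firewall,">

  <!-- Base rule: fires for every line the sophos-fw-xgs126 decoder parses.
       Level 2 stays below the default alert level, so it only feeds the children. -->
  <rule id="960100" level="2">
    <decoded_as>sophos-fw-xgs126</decoded_as>
    <description>Sophos XGS event observed</description>
    <options>no_full_log</options>
  </rule>

  <!-- Plain child rule: if_sid, and <field> matches the dynamic fields the decoder
       created (log_type, log_subtype). Description placeholders are $(name). -->
  <rule id="960120" level="6">
    <if_sid>960100</if_sid>
    <field name="log_type">^Firewall$</field>
    <field name="log_subtype">^Denied$</field>
    <description>Sophos XGS: denied $(srcip) -> $(dstip):$(dstport) $(protocol)</description>
    <group>deny,network,</group>
  </rule>

  <!-- Correlation rule: frequency/timeframe require if_matched_sid, and the
       same-source condition is the <same_srcip /> element, not a rule attribute. -->
  <rule id="960121" level="9" frequency="10" timeframe="300">
    <if_matched_sid>960120</if_matched_sid>
    <same_srcip />
    <description>Sophos XGS: 10 or more denied connections from $(srcip) within 5 minutes</description>
    <group>deny,bruteforce,</group>
    <mitre>
      <id>T1110</id>
    </mitre>
  </rule>

  <!-- dstport is a static field, so it is matched with <dstport>, not <field>.
       OS_Regex has no [..] character classes; alternatives are written as a top-level OR. -->
  <rule id="960160" level="8">
    <if_sid>960120</if_sid>
    <dstport>^22$|^23$|^445$|^3389$</dstport>
    <description>Sophos XGS: denied connection to sensitive port $(dstport) from $(srcip)</description>
    <group>deny,sensitive,</group>
  </rule>

  <!-- VPN login failure; user_name is the dynamic field name used by the decoders in this thread -->
  <rule id="960191" level="6">
    <if_sid>960100</if_sid>
    <field name="log_type">^VPN$</field>
    <field name="log_subtype">^Denied$</field>
    <description>Sophos XGS: VPN login failed for $(user_name) from $(srcip)</description>
    <group>vpn,authentication,</group>
    <mitre>
      <id>T1110</id>
    </mitre>
  </rule>

  <!-- Repeated VPN failures from one source -->
  <rule id="960192" level="9" frequency="5" timeframe="300">
    <if_matched_sid>960191</if_matched_sid>
    <same_srcip />
    <description>Sophos XGS: 5 or more VPN login failures from $(srcip) within 5 minutes</description>
    <group>vpn,bruteforce,authentication,</group>
    <mitre>
      <id>T1110</id>
    </mitre>
  </rule>

</group>
```

Put this in /var/ossec/etc/rules/local_rules.xml, restart the manager, and paste the sample log line from this thread into /var/ossec/bin/wazuh-logtest to confirm that 960120 fires and that the decoded srcip, dstip and dstport appear in the output. The IDs are kept from the draft for readability; the Wazuh documentation reserves 100000 to 120000 for custom rules, so renumber into that range before deploying.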

Julian Awotwi

Oct 14, 2025, 11:23:55 AM (7 days ago) Oct 14
to Md. Nazmur Sakib, Wazuh | Mailing List
Hello Nazmur, thank you so much for reviewing my code. It was actually a rule I found left behind by my previous admin, so I was wondering why it was not working. Can you also review this decoder for me?
Thank you.

<decoders>
  <!-- Sophos XGS key-value logs (SFOS v20 MR-1) -->
  <decoder name="sophos-fw-xgs">
    <!-- generic KV prematch so we don't overfit to device model -->
    <prematch>^device_name=</prematch>
  </decoder>

  <!-- Core metadata -->
  <decoder name="sophos-fw-xgs">
    <parent>sophos-fw-xgs</parent>
    <regex>timestamp="([^"]+)"</regex>
    <order>timestamp</order>
  </decoder>

  <decoder name="sophos-fw-xgs">
    <parent>sophos-fw-xgs</parent>
    <regex>device_model="([^"]+)"</regex>
    <order>device_model</order>
  </decoder>

  <decoder name="sophos-fw-xgs">
    <parent>sophos-fw-xgs</parent>
    <regex>device_serial_id="([^"]+)"</regex>
    <order>device_serial_id</order>
  </decoder>

  <decoder name="sophos-fw-xgs">
    <parent>sophos-fw-xgs</parent>
    <regex>log_id="([^"]+)"</regex>
    <order>log_id</order>
  </decoder>

  <decoder name="sophos-fw-xgs">
    <parent>sophos-fw-xgs</parent>
    <regex>log_type="([^"]+)"</regex>
    <order>log_type</order>
  </decoder>

  <decoder name="sophos-fw-xgs">
    <parent>sophos-fw-xgs</parent>
    <regex>log_component="([^"]+)"</regex>
    <order>log_component</order>
  </decoder>

  <decoder name="sophos-fw-xgs">
    <parent>sophos-fw-xgs</parent>
    <regex>log_subtype="([^"]+)"</regex>
    <order>log_subtype</order>
  </decoder>

  <decoder name="sophos-fw-xgs">
    <parent>sophos-fw-xgs</parent>
    <regex>severity="([^"]+)"</regex>
    <order>severity</order>
  </decoder>

  <decoder name="sophos-fw-xgs">
    <parent>sophos-fw-xgs</parent>
    <regex>log_version=([0-9]+)</regex>
    <order>log_version</order>
  </decoder>

  <!-- Normalize action/status from subtype for firewall decisions -->
  <decoder name="sophos-fw-xgs">
    <parent>sophos-fw-xgs</parent>
    <regex>log_subtype="(Allowed|Denied)"</regex>
    <order>action</order>
  </decoder>

  <!-- Network tuple -->
  <decoder name="sophos-fw-xgs">
    <parent>sophos-fw-xgs</parent>
    <regex>src_ip="([^"]+)"</regex>
    <order>srcip</order>
  </decoder>

  <decoder name="sophos-fw-xgs">
    <parent>sophos-fw-xgs</parent>
    <regex>dst_ip="([^"]+)"</regex>
    <order>dstip</order>
  </decoder>

  <decoder name="sophos-fw-xgs">
    <parent>sophos-fw-xgs</parent>
    <regex>src_port=([0-9]+)</regex>
    <order>srcport</order>
  </decoder>

  <decoder name="sophos-fw-xgs">
    <parent>sophos-fw-xgs</parent>
    <regex>dst_port=([0-9]+)</regex>
    <order>dstport</order>
  </decoder>

  <decoder name="sophos-fw-xgs">
    <parent>sophos-fw-xgs</parent>
    <regex>protocol="([^"]+)"</regex>
    <order>protocol</order>
  </decoder>

  <!-- User / App -->
  <decoder name="sophos-fw-xgs">
    <parent>sophos-fw-xgs</parent>
    <regex>user_name="([^"]+)"</regex>
    <order>srcuser</order>
  </decoder>

  <decoder name="sophos-fw-xgs">
    <parent>sophos-fw-xgs</parent>
    <regex>app_name="([^"]+)"</regex>
    <order>app</order>
  </decoder>

  <!-- Rule identifiers (store in extra_data to keep tuple clean) -->
  <decoder name="sophos-fw-xgs">
    <parent>sophos-fw-xgs</parent>
    <regex>fw_rule_id="([^"]+)"</regex>
    <order>extra_data</order>
  </decoder>

  <!-- Free text message (e.g., Invalid Traffic: Could not associate ...) -->
  <decoder name="sophos-fw-xgs">
    <parent>sophos-fw-xgs</parent>
    <regex>message="([^"]+)"</regex>
    <order>message</order>
  </decoder>
</decoders>

Md. Nazmur Sakib

Oct 15, 2025, 1:58:52 AM (6 days ago) Oct 15
to Wazuh | Mailing List

There are multiple regex errors in the decoders.

This is not a correct regex format: value="([^"]+)"

I have written some decoders following this log format.



device_name="SFW" timestamp="2025-10-06T09:12:09+0000" device_model="XGS126" device_serial_id="X123008X39D6G70" log_id="010102600002" log_type="Firewall" log_component="Firewall Rule" log_subtype="Denied" log_version=1 severity="Information" fw_rule_id="12" fw_rule_name="VLAN 1 TO WAN - Level 3b" fw_rule_section="Local rule" nat_rule_id="0" fw_rule_type="BUSINESS" web_policy_id=2 ips_policy_id=5 app_filter_policy_id=10 ether_type="IPv4 (0x0800)" in_interface="Port1" src_mac="3c:1e:04:00:0e:28" src_ip="192.168.2.19" src_country="R1" dst_ip="154.160.48.9" dst_country="GHA" protocol="TCP" src_port=55580 dst_port=443 hb_status="No Heartbeat" app_resolved_by="Signature" app_is_cloud="FALSE" qualifier="New" in_display_interface="Port1" log_occurrence="1"



You can update your custom decoders using these decoders in the custom decoder file under /var/ossec/etc/decoders/.

<decoder name="sophos-fw-xgs126">
  <prematch>^device_name="\w*"\stimestamp="\d+-\d+-\d+T\d+:\d+:\d++\d+"\sdevice_model="XGS126"</prematch>
</decoder>

<decoder name="sophos-fw-xgs126">
  <parent>sophos-fw-xgs126</parent>
  <regex>timestamp="(\d+-\d+-\d+T\d+:\d+:\d++\d+)"</regex>
  <order>timestamp</order>
</decoder>

<decoder name="sophos-fw-xgs126">
  <parent>sophos-fw-xgs126</parent>
  <regex>device_model="(\S+)"</regex>
  <order>device_model</order>
</decoder>

<decoder name="sophos-fw-xgs126">
  <parent>sophos-fw-xgs126</parent>
  <regex>device_serial_id="(\S+)"</regex>
  <order>device_serial_id</order>
</decoder>

<decoder name="sophos-fw-xgs126">
  <parent>sophos-fw-xgs126</parent>
  <regex>log_id="(\d+)"</regex>
  <order>log_id</order>
</decoder>

<decoder name="sophos-fw-xgs126">
  <parent>sophos-fw-xgs126</parent>
  <regex>log_type="(\S+)"</regex>
  <order>log_type</order>
</decoder>

<!-- log_component contains a space in the sample ("Firewall Rule"), so \S+ would stop
     at the space; \.+ (any character, one or more) runs up to the closing quote -->
<decoder name="sophos-fw-xgs126">
  <parent>sophos-fw-xgs126</parent>
  <regex>log_component="(\.+)"</regex>
  <order>log_component</order>
</decoder>

<decoder name="sophos-fw-xgs126">
  <parent>sophos-fw-xgs126</parent>
  <regex>log_subtype="(\S+)"</regex>
  <order>log_subtype</order>
</decoder>

<decoder name="sophos-fw-xgs126">
  <parent>sophos-fw-xgs126</parent>
  <regex>status="(\S+)"</regex>
  <order>status</order>
</decoder>

<decoder name="sophos-fw-xgs126">
  <parent>sophos-fw-xgs126</parent>
  <regex>severity="(\S+)"</regex>
  <order>severity</order>
</decoder>

<!-- log_version is unquoted in the sample: log_version=1 -->
<decoder name="sophos-fw-xgs126">
  <parent>sophos-fw-xgs126</parent>
  <regex>log_version=(\d+)</regex>
  <order>log_version</order>
</decoder>

<decoder name="sophos-fw-xgs126">
  <parent>sophos-fw-xgs126</parent>
  <regex>user_name="(\S+)"</regex>
  <order>user_name</order>
</decoder>

<!-- In OS_Regex a plain "." is a literal dot, so \d+.\d+.\d+.\d+ matches an IPv4 address -->
<decoder name="sophos-fw-xgs126">
  <parent>sophos-fw-xgs126</parent>
  <regex>src_ip="(\d+.\d+.\d+.\d+)"</regex>
  <order>srcip</order>
</decoder>

<decoder name="sophos-fw-xgs126">
  <parent>sophos-fw-xgs126</parent>
  <regex>src_country="(\.+)"</regex>
  <order>src_country</order>
</decoder>

<decoder name="sophos-fw-xgs126">
  <parent>sophos-fw-xgs126</parent>
  <regex>dst_ip="(\d+.\d+.\d+.\d+)"</regex>
  <order>dstip</order>
</decoder>

<decoder name="sophos-fw-xgs126">
  <parent>sophos-fw-xgs126</parent>
  <regex>dst_country="(\.+)"</regex>
  <order>dst_country</order>
</decoder>

<decoder name="sophos-fw-xgs126">
  <parent>sophos-fw-xgs126</parent>
  <regex>protocol="(\S+)"</regex>
  <order>protocol</order>
</decoder>

<!-- src_port and dst_port are unquoted in the sample (src_port=55580 dst_port=443),
     so the pattern must not contain quotes -->
<decoder name="sophos-fw-xgs126">
  <parent>sophos-fw-xgs126</parent>
  <regex>src_port=(\d+)</regex>
  <order>srcport</order>
</decoder>

<decoder name="sophos-fw-xgs126">
  <parent>sophos-fw-xgs126</parent>
  <regex>dst_port=(\d+)</regex>
  <order>dstport</order>
</decoder>

<!-- Free-text message, anchored to the end of the line -->
<decoder name="sophos-fw-xgs126">
  <parent>sophos-fw-xgs126</parent>
  <regex>message="(\.*)"$</regex>
  <order>message</order>
</decoder>


(attached screenshot: Decoders.png)
You can add further decoders or make changes to the existing decoders following this document.

Decoders Syntax
Regular Expression Syntax
Custom decoders



Let me know if you need any further assistance.
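As an added example that is not part of Nazmur's decoder set or any Wazuh-shipped decoder, four more child decoders for fields that appear in the sample line above but are not yet extracted. They are chosen to show the OS_Regex replacements for the rejected value="([^"]+)" pattern: \S+ only works while the value contains no spaces, \.+ is needed for fw_rule_name="VLAN 1 TO WAN - Level 3b", and unquoted numbers such as web_policy_id=2 take \d+ with no quotes in the pattern. The field names are taken from the sample; the decoder name follows the corrected set; the dynamic field names on the <order> lines are my choice.

```xml
<!-- fw_rule_id is quoted and numeric in the sample: fw_rule_id="12" -->
<decoder name="sophos-fw-xgs126">
  <parent>sophos-fw-xgs126</parent>
  <regex>fw_rule_id="(\d+)"</regex>
  <order>fw_rule_id</order>
</decoder>

<!-- fw_rule_name contains spaces, so \S+ would stop at the first one and the
     pattern would never reach the closing quote; \.+ matches any characters -->
<decoder name="sophos-fw-xgs126">
  <parent>sophos-fw-xgs126</parent>
  <regex>fw_rule_name="(\.+)"</regex>
  <order>fw_rule_name</order>
</decoder>

<!-- web_policy_id is unquoted in the sample: web_policy_id=2 -->
<decoder name="sophos-fw-xgs126">
  <parent>sophos-fw-xgs126</parent>
  <regex>web_policy_id=(\d+)</regex>
  <order>web_policy_id</order>
</decoder>

<!-- in_interface has no spaces ("Port1"), so \S+ is enough here -->
<decoder name="sophos-fw-xgs126">
  <parent>sophos-fw-xgs126</parent>
  <regex>in_interface="(\S+)"</regex>
  <order>in_interface</order>
</decoder>
```

Append these to the same custom decoder file, restart the manager, and run the sample line through /var/ossec/bin/wazuh-logtest: the decoded output should now list fw_rule_id, fw_rule_name, web_policy_id and in_interface, and a rule can then match them with <field name="fw_rule_name">...</field> or print them as $(fw_rule_name).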