Decoder for Fortiweb WAF
316 views
Skip to first unread message
Raony Jose
Jul 27, 2023, 4:09:06 PM7/27/23
to Wazuh mailing list
Hi guys!
I need to create a decoder to extract the fields in CEF from the fortiweb logs, as I still don't understand much about decoder, I would like your help in extracting these fields, thanks in advance!
I need to create a decoder to extract the fields in CEF from the fortiweb logs, as I still don't understand much about decoder, I would like your help in extracting these fields, thanks in advance!
logs are going through logstash and then to wazuh
{"tags":["waf"],"@timestamp":"2023-07-25T19:33:38.428976621Z","@version":"1","host":{"ip":"10.100.0.200"},"message":"CEF:0|Fortinet|FortiWeb|7.04|20000008|attack|alert|cat=Signature Detection act=Alert deviceExternalId=FkkM0200001231479 deviceProcessName=teste_teste_Waf sourceServiceName=Notificar proto=tcp app=https/tls1.2 src=999.999.999.194 spt=6043 dst=10.200.0.3 dpt=443 requestMethod=post request=/testee/Simulacao.asmx requestClientApplication=none dhost=teste.teste.com.br msg=HTTP Body triggered signature ID 000000011 of Signatures policy teste_WAF cn1=22398840 cn1Label=message ID cs1=root cs1Label=ADOM name cs2=Medium cs2Label=severity level cs3=Unknown cs3Label=source country cs4=Information Disclosure cs4Label=signature main class name cs5=Application Availability/Errors and Logs cs5Label=signature subclass name cs6=080080011 cs6Label=signature ID deviceCustomDate1=2023-07-25-16:33:38","event":{"original":"CEF:0|Fortinet|FortiWeb|7.04|20000008|attack|alert|cat=Signature Detection act=Alert deviceExternalId=FVVM020000112479 deviceProcessName=teste_teste_Waf sourceServiceName=Notificar proto=tcp app=https/tls1.2 src=999.999.999.194 spt=6099 dst=10.200.0.3 dpt=443 requestMethod=post request=/teste/teste.asmx requestClientApplication=none dhost=teste.teste.com.br msg=HTTP Body triggered signature ID 080880011 of Signatures policy teste_WAF cn1=00098840 cn1Label=message ID cs1=root cs1Label=ADOM name cs2=Medium cs2Label=severity level cs3=Unknown cs3Label=source country cs4=Information Disclosure cs4Label=signature main class name cs5=Application Availability/Errors and Logs cs5Label=signature subclass name cs6=080080011 cs6Label=signature ID deviceCustomDate1=2023-07-25-16:33:38"}}
below is an example of a fortiweb log:
{"tags":["waf"],"@timestamp":"2023-07-25T19:33:38.428976621Z","@version":"1","host":{"ip":"10.100.0.200"},"message":"CEF:0|Fortinet|FortiWeb|7.04|20000008|attack|alert|cat=Signature Detection act=Alert deviceExternalId=FkkM0200001231479 deviceProcessName=teste_teste_Waf sourceServiceName=Notificar proto=tcp app=https/tls1.2 src=999.999.999.194 spt=6043 dst=10.200.0.3 dpt=443 requestMethod=post request=/testee/Simulacao.asmx requestClientApplication=none dhost=teste.teste.com.br msg=HTTP Body triggered signature ID 000000011 of Signatures policy teste_WAF cn1=22398840 cn1Label=message ID cs1=root cs1Label=ADOM name cs2=Medium cs2Label=severity level cs3=Unknown cs3Label=source country cs4=Information Disclosure cs4Label=signature main class name cs5=Application Availability/Errors and Logs cs5Label=signature subclass name cs6=080080011 cs6Label=signature ID deviceCustomDate1=2023-07-25-16:33:38","event":{"original":"CEF:0|Fortinet|FortiWeb|7.04|20000008|attack|alert|cat=Signature Detection act=Alert deviceExternalId=FVVM020000112479 deviceProcessName=teste_teste_Waf sourceServiceName=Notificar proto=tcp app=https/tls1.2 src=999.999.999.194 spt=6099 dst=10.200.0.3 dpt=443 requestMethod=post request=/teste/teste.asmx requestClientApplication=none dhost=teste.teste.com.br msg=HTTP Body triggered signature ID 080880011 of Signatures policy teste_WAF cn1=00098840 cn1Label=message ID cs1=root cs1Label=ADOM name cs2=Medium cs2Label=severity level cs3=Unknown cs3Label=source country cs4=Information Disclosure cs4Label=signature main class name cs5=Application Availability/Errors and Logs cs5Label=signature subclass name cs6=080080011 cs6Label=signature ID deviceCustomDate1=2023-07-25-16:33:38"}}
Franco Giovanolli
Jul 28, 2023, 6:46:38 AM7/28/23
to Wazuh mailing list
Hi Raony!
Thank you for your interest in Wazuh!
By default, wazuh has the following Forti decoders built in:
https://github.com/wazuh/wazuh/blob/master/ruleset/decoders/0100-fortigate_decoders.xml
https://github.com/wazuh/wazuh/blob/master/ruleset/decoders/0101-fortiddos_decoders.xml
https://github.com/wazuh/wazuh/blob/master/ruleset/decoders/0102-fortimail_decoders.xml
https://github.com/wazuh/wazuh/blob/master/ruleset/decoders/0103-fortiauth_decoders.xml
You can use them for inspiration to create whatever you need. In the following links, you will be able to find documentation and step-by-step guides, so that you can create the decoders that fit your needs.
https://wazuh.com/blog/creating-decoders-and-rules-from-scratch/
https://documentation.wazuh.com/current/user-manual/ruleset/custom.html
https://documentation.wazuh.com/current/user-manual/ruleset/ruleset-xml-syntax/decoders.html
https://documentation.wazuh.com/current/user-manual/ruleset/ruleset-xml-syntax/sibling-decoders.html
https://socfortress.medium.com/understanding-wazuh-decoders-4093e8fc242c
I hope this information enables you to create the decoder you want.
Regards,
Franco.
Thank you for your interest in Wazuh!
By default, wazuh has the following Forti decoders built in:
https://github.com/wazuh/wazuh/blob/master/ruleset/decoders/0100-fortigate_decoders.xml
https://github.com/wazuh/wazuh/blob/master/ruleset/decoders/0101-fortiddos_decoders.xml
https://github.com/wazuh/wazuh/blob/master/ruleset/decoders/0102-fortimail_decoders.xml
https://github.com/wazuh/wazuh/blob/master/ruleset/decoders/0103-fortiauth_decoders.xml
You can use them for inspiration to create whatever you need. In the following links, you will be able to find documentation and step-by-step guides, so that you can create the decoders that fit your needs.
https://wazuh.com/blog/creating-decoders-and-rules-from-scratch/
https://documentation.wazuh.com/current/user-manual/ruleset/custom.html
https://documentation.wazuh.com/current/user-manual/ruleset/ruleset-xml-syntax/decoders.html
https://documentation.wazuh.com/current/user-manual/ruleset/ruleset-xml-syntax/sibling-decoders.html
https://socfortress.medium.com/understanding-wazuh-decoders-4093e8fc242c
I hope this information enables you to create the decoder you want.
Regards,
Franco.
Reply all
Reply to author
Forward
0 new messages