Adding Juniper Device on Wazuh


Patrick Po

Apr 11, 2021, 3:10:57 AM
to Wazuh mailing list
Hi, 

I am trying to add our SRX device to Wazuh with the configuration below, but it does not seem to be working: the agent total is not incrementing, and I can't see any logs. Tcpdump verified that there is traffic from the SRX device to the Wazuh server.

Wazuh Server ossec.conf:
  <remote>
    <connection>syslog</connection>
    <port>5514</port>
    <protocol>udp</protocol>
    <allowed-ips>172.X.X.44</allowed-ips>
  </remote>

SRX Device:
set system syslog host 172.X.X.101 any any
set system syslog host 172.X.X.101 port 5514
set system syslog host 172.X.X.101 structured-data


Am I missing any configuration, or is SRX not supported by Wazuh?

Thanks! 

Mauricio Ruben Santillan

Apr 11, 2021, 9:47:22 AM
to Patrick Po, Wazuh mailing list
Hello Patrick,

The most probable reason is that you need to create decoders and rules for these events.
You can check that you're actually receiving events into the Wazuh Manager by just setting <logall_json> to yes in the Wazuh Manager's /var/ossec/etc/ossec.conf file, then restart the Wazuh Manager service (systemctl restart wazuh-manager). Once done, events should start populating the archive log in Wazuh Manager's /var/ossec/logs/archives/archives.json file.
You can find information about the creation of decoders and rules here: https://documentation.wazuh.com/current/user-manual/ruleset/custom.html

Please let us know if you need further help! We'll be glad to assist you!


Patrick Po

Apr 12, 2021, 8:36:51 AM
to Mauricio Ruben Santillan, Wazuh mailing list
Thanks Mauricio,

I verified that logs are going through archives.json.

Is it possible to create one line/block of decoder (XML) just like in the example below? All in one regex line.

<decoder name="srx-rt-flow-session-close">
    <parent>srx-rt-flow</parent>
    <prematch>RT_FLOW_SESSION_CLOSE</prematch>
    <regex offset="after_parent">(.+) (\S+) (\S+) (\S+) - (\S+) (\S+) reason="(.+)" source-address="(\S+)" source-port="(\S+)" destination-address="(\S+)" destination-port="(\S+)" service-name="(\S+)" nat-source-address="(\S+)" nat-source-port="(\S+)" nat-destination-address="(\S+)" nat-destination-port="(\S+)" src-nat-rule-name="(\S+)" dst-nat-rule-name="(\S+)" protocol-id="(\S+)" policy-name="(\S+)" source-zone-name="(\S+)" destination-zone-name="(\S+)" session-id-32="(\S+)" packets-from-client="(\S+)" bytes-from-client="(\S+)" packets-from-server="(\S+)" bytes-from-server="(\S+)" elapsed-time="(\S+)" application="(\S+)" nested-application="(\S+)" username="(\S+)" roles="(\S+)" packet-incoming-interface="(\S+)" encrypted="(\S+)"].(.+): (\S+)->(\S+) None (\S+) \S(\S+).\S+.\S+.(\S+) (\S+) (\S+) (\S+) (\S+) (\S+) (\S+) (\S+) (\S+) (\S+) \S+ (\S+) \S+</regex>
    <order></order>
</decoder>

Thanks!

Mauricio Ruben Santillan

Apr 12, 2021, 12:59:20 PM
to Patrick Po, Wazuh mailing list
Hello Patrick,

You could create the decoder in a single line just like you asked, but you need to have a parent decoder with the prematch section first. Then the additional decoder(s) won't need (can't have) a prematch section. Also, I would personally recommend creating multiple decoders, each one of them decoding a specific field. I found this way to be more "error-proof" and efficient. Also, you are missing the fields in the <order> section. Every piece of text between parentheses will be added to each field in the order section, in the same order. For instance:

<!-- PARENT DECODER -->
<decoder name="srx-rt-flow-session-close">
    <prematch>RT_FLOW_SESSION_CLOSE</prematch>
</decoder>
<!-- This decoder will "read" all events that actually present "RT_FLOW_SESSION_CLOSE" in them. -->

<!-- CHILD DECODERS -->
<decoder name="srx-rt-flow-session-close-child">
    <parent>srx-rt-flow-session-close</parent>
    <regex>reason="(\.+)"</regex>
    <order>reason</order>
</decoder>
<!-- This decoder will "read" the reason field only -->

<decoder name="srx-rt-flow-session-close-child">
    <parent>srx-rt-flow-session-close</parent>
    <regex>source-address="(\S+)"</regex>
    <order>srcip</order>
</decoder>
<!-- This decoder will "read" the source-address field only -->

Keep in mind that you can test the decoders without restarting the Wazuh Manager service by executing the command /var/ossec/bin/ossec-logtest. Once executed, if all decoders and rules are OK, you'll be able to paste an event sample and it will show you all decoded fields (if any decoder works for it) along with the rule ID that triggered (if any rule matches).


I would recommend checking the following documents for decoder and rule customization:
https://documentation.wazuh.com/current/user-manual/ruleset/ruleset-xml-syntax/decoders.html

https://documentation.wazuh.com/current/user-manual/ruleset/ruleset-xml-syntax/rules.html

https://documentation.wazuh.com/current/user-manual/ruleset/ruleset-xml-syntax/regex.html

https://documentation.wazuh.com/current/user-manual/ruleset/ruleset-xml-syntax/index.html


Please let us know if this information was helpful!

--
Mauricio Santillan
IT Security Engineer
Wazuh - The Open Source Security Platform

Patrick Po

Apr 13, 2021, 4:15:29 AM
to Mauricio Ruben Santillan, Wazuh mailing list
Hi Mauricio,

Thanks for the idea. I just copied the junos.xml format with the details pertaining to the log structure of our SRX device. PCRE2 was the flavor I used on regex101.com, and I referenced this manual: https://documentation.wazuh.com/current/user-manual/ruleset/ruleset-xml-syntax/regex.html

Below is the sample code that I made:

<!--
Apr 13 14:30:07  Firewall-Name RT_FLOW: RT_FLOW_SESSION_CLOSE: session closed idle Timeout: 127.0.0.1/63044->198.0.0.1/161 None 127.0.0.1/63044->198.0.0.1/161 None None 17 Router-to-Zabbix VPN_TUNNEL untrust 54878 1(134) 1(148) 60 SNMP SNMP-VERSION-2C N/A(N/A) st0.10 UNKNOWN
-->

<decoder name="srx-rt-flow-session-close">
    <parent>srx-rt-flow</parent>
    <prematch>RT_FLOW_SESSION_CLOSE</prematch>
    <regex offset="after_parent">(\S+ \d+ \d+\D\d+\D\d+)  (\S+) (\S+) (\S+) (\S+ \S+) (\S+ \S+) </regex>
    <order>timestamp,firewall_name,category,sub-category,sub-cat,reason</order>
</decoder>

<decoder name="srx-rt-flow-session-close">
    <parent>srx-rt-flow</parent>
    <regex offset="after_parent">(\d+\D\d+\D\d+\D\d+)\D</regex>
    <order>srcip</order>
</decoder>

<decoder name="srx-rt-flow-session-close">
    <parent>srx-rt-flow</parent>
    <regex offset="after_parent">(\d+)\D+</regex>
    <order>srcport</order>
</decoder>

<decoder name="srx-rt-flow-session-close">
    <parent>srx-rt-flow</parent>
    <regex offset="after_parent">(\d+\D\d+\D\d+\D\d+)\D</regex>
    <order>dstip</order>
</decoder>

<decoder name="srx-rt-flow-session-close">
    <parent>srx-rt-flow</parent>
    <regex offset="after_parent">(\d+) </regex>
    <order>dstport</order>
</decoder>

<decoder name="srx-rt-flow-session-close">
    <parent>srx-rt-flow</parent>
    <regex offset="after_parent">(\S+) </regex>
    <order>service_name</order>
</decoder>

<!-- The regex below has 18 capture groups; the order list names one field per group,
     including the elapsed-time value ("60" in the sample) captured by (\d+.) -->
<decoder name="srx-rt-flow-session-close">
    <parent>srx-rt-flow</parent>
    <regex offset="after_parent">(\d+\D\d+\D\d+\D\d+)\D(\d+)\D+(\d+\D\d+\D\d+\D\d+)\D(\d+) (\S+) (\S+) (\d+) (\S+) (\S+) (\S+) (\d+) (\S+) (\S+) (\d+.) (\S+) (\S+) (\S+) (\S+) (\S+)</regex>
    <order>nat_srcip,nat_srcport,nat_dstip,nat_dstport,src_nat_rule_name,dst_nat_rule_name,protocol_id,policy_name,source_zone,destination_zone,session_id_32,packet_bytes_from_client,packet_bytes_from_server,elapsed_time,application,nested_application,user_and_roles,packet_incoming_interface,encrypted</order>
</decoder>


Does this look good? Any suggestion/recommendation to improve the code will be much appreciated. 

Thanks! 
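As an added example (not code from this thread or from the Wazuh project), the Python below prototypes the field split for the two RT_FLOW_SESSION_CLOSE layouts seen in this thread: the positional text form of the sample event above, and the structured-data key="value" form that the earlier one-line regex targeted. Python's `re` is PCRE-like, so this only confirms which field sits where; the Wazuh decoder itself must still be written in OS_Regex syntax and checked with ossec-logtest. The field names and the structured-data sample's SD-ID are assumptions.

```python
import re

# Constructed sample in the positional layout quoted earlier in this thread
SAMPLE_PLAIN = (
    "Apr 13 14:30:07  Firewall-Name RT_FLOW: RT_FLOW_SESSION_CLOSE: session closed idle Timeout: "
    "127.0.0.1/63044->198.0.0.1/161 None 127.0.0.1/63044->198.0.0.1/161 None None 17 "
    "Router-to-Zabbix VPN_TUNNEL untrust 54878 1(134) 1(148) 60 SNMP SNMP-VERSION-2C "
    "N/A(N/A) st0.10 UNKNOWN"
)
# Constructed, abbreviated sample of the structured-data variant; the SD-ID is a placeholder
SAMPLE_SD = (
    '<14>1 2021-04-13T14:30:07 Firewall-Name RT_FLOW - RT_FLOW_SESSION_CLOSE '
    '[junos@EXAMPLE-SD-ID reason="idle Timeout" source-address="127.0.0.1" '
    'source-port="63044" destination-address="198.0.0.1" destination-port="161" '
    'protocol-id="17" policy-name="Router-to-Zabbix"]'
)

# Header, 5-tuple and NAT 5-tuple; everything after the NAT tuple is positional
PLAIN_RE = re.compile(
    r"^(?P<timestamp>\w{3} +\d+ \d\d:\d\d:\d\d) +(?P<firewall_name>\S+) RT_FLOW: "
    r"RT_FLOW_SESSION_CLOSE: (?P<reason>.+?): "
    r"(?P<srcip>[^/ ]+)/(?P<srcport>\d+)->(?P<dstip>[^/ ]+)/(?P<dstport>\d+) (?P<service_name>\S+) "
    r"(?P<nat_srcip>[^/ ]+)/(?P<nat_srcport>\d+)->(?P<nat_dstip>[^/ ]+)/(?P<nat_dstport>\d+) (?P<rest>.*)$"
)
# Assumed names for the 15 trailing positional fields, in the order they appear in the sample
POSITIONAL_FIELDS = [
    "src_nat_rule_name", "dst_nat_rule_name", "protocol_id", "policy_name",
    "source_zone", "destination_zone", "session_id_32", "packets_bytes_from_client",
    "packets_bytes_from_server", "elapsed_time", "application", "nested_application",
    "username_roles", "packet_incoming_interface", "encrypted",
]

def parse_plain(line):
    """Split a positional RT_FLOW_SESSION_CLOSE line into named fields; None if it is not one."""
    m = PLAIN_RE.match(line)
    if not m:
        return None
    fields = {k: v for k, v in m.groupdict().items() if k != "rest"}
    tail = m.group("rest").split()
    if len(tail) != len(POSITIONAL_FIELDS):  # unexpected layout: refuse rather than mislabel fields
        return None
    fields.update(zip(POSITIONAL_FIELDS, tail))
    return fields

KV_RE = re.compile(r'([\w-]+)="([^"]*)"')

def parse_structured(line):
    """Extract key="value" pairs from the structured-data variant; None for other events."""
    if "RT_FLOW_SESSION_CLOSE" not in line:
        return None
    return dict(KV_RE.findall(line))
```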

Patrick Po

Apr 13, 2021, 8:03:59 AM
to Mauricio Ruben Santillan, Wazuh mailing list
Additional question: how do I test this decoder? Thanks!