Decoder and rule set for Huawei USG 9560


Vivek Kumar

Oct 11, 2023, 5:14:31 PM
to Wazuh | Mailing List
Hi Team

Please help with a decoder and rule for the Huawei USG firewall.
Log file:
<190>2023-10-11 20:38:20 USG-01 %%01SECLOG/6/SESSION_TEARDOWN(l):IPVer=4,Protocol=udp,SourceIP=x.x.x.x,DestinationIP=x.x.x.x,SourcePort=59819,DestinationPort=53,SourceNatIP=x.x.x.x,SourceNatPort=18066,BeginTime=1697056661,EndTime=1697056700,SendPkts=1,SendBytes=70,RcvPkts=1,RcvBytes=538,SourceVpnID=3,DestinationVpnID=3,SourceZone=trust,DestinationZone=untrust,PolicyName=Internet Acces,CloseReason=aged-out.
22:49:31.048430 IP 1.1.1.1.nimrod-agent > siem-mgr01.fujitsu-dtcns: UDP, length 403

Regards
Vivek

Diego Ariel Balbuena

Oct 11, 2023, 5:48:45 PM
to Wazuh | Mailing List
Hi Vivek Kumar!
Thank you for sharing with the community.

Can you please confirm how you are collecting the events?

You can check whether the events are arriving at the Wazuh manager by enabling the logall_json option: https://documentation.wazuh.com/current/user-manual/manager/wazuh-archives.html

If you find the events in the /var/ossec/logs/archives/archives.json, then you can copy the full_log field and test it with the Wazuh logtest tool: https://documentation.wazuh.com/current/user-manual/ruleset/testing.html

I hope it helps!
Diego

Vivek Kumar

Oct 12, 2023, 5:56:42 AM
to Wazuh | Mailing List
Hi Diego

Thanks for the reply.

I can see the decoder for Huawei USG in the Wazuh decoder list, and it is the same one you suggested at https://github.com/wazuh/wazuh/blob/4.5/ruleset/decoders/0377-huawei-usg_decoders.xml

But still, the logs and alerts are not being shown in the dashboard.
I tested the log with the Wazuh logtest tool and it is treating it as a Windows log for no reason; please check below:
Starting wazuh-logtest v4.5.2
Type one log per line

2023-10-11 20:38:19 CF_USG-01 %%01SECLOG/6/SESSION_TEARDOWN(l):IPVer=4,Protocol=udp,SourceIP=x.x.x.x,DestinationIP= x.x.x.x  ,SourcePort=33229,DestinationPort=123,SourceNatIP= x.x.x.x  ,SourceNatPort=35026,BeginTime=1697056575,EndTime=1697056700,SendPkts=1,SendBytes=76,RcvPkts=1,RcvBytes=76,SourceVpnID=3,DestinationVpnID=3,SourceZone=trust,DestinationZone=untrust,PolicyName=Internet Acces,CloseReason=aged-out.
22:49:31.329797 IP 1.1.1.1.nimrod-agent > siem-mgr01.fujitsu-dtcns: UDP, length 458
**Phase 1: Completed pre-decoding.
        full event: '2023-10-11 20:38:19 CF_USG-01 %%01SECLOG/6/SESSION_TEARDOWN(l):IPVer=4,Protocol=udp,SourceIP= x.x.x.x  ,DestinationIP= x.x.x.x  ,SourcePort=33229,DestinationPort=123,SourceNatIP= x.x.x.x  ,SourceNatPort=35026,BeginTime=1697056575,EndTime=1697056700,SendPkts=1,SendBytes=76,RcvPkts=1,RcvBytes=76,SourceVpnID=3,DestinationVpnID=3,SourceZone=trust,DestinationZone=untrust,PolicyName=Internet Acces,CloseReason=aged-out.'

**Phase 2: Completed decoding.
        name: 'windows-date-format'


Logs are being received on the Wazuh manager; I can see the syslog arriving on the manager with the command below, which showed me the firewall IP address:
tcpdump -i any port 1514 -AA

Diego Ariel Balbuena

Oct 12, 2023, 2:34:45 PM
to Wazuh | Mailing List
Hi Vivek,

Please note that the Wazuh logtest tool requires one log per line.

Did you take the sample event from the full_log field in the archives.json file?

Running a tcpdump filtered on port 1514 will not show syslog traffic. Port 1514 is used by Wazuh agents to send events.

If you want to enable the syslog server in the Wazuh manager you should configure it: https://documentation.wazuh.com/current/user-manual/capabilities/log-data-collection/syslog.html

I hope it helps!
Diego
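The pieces the thread asks for, put together as an added example for this page (not code from the thread, and not the stock 0377-huawei-usg_decoders.xml from the Wazuh ruleset): a syslog listener on the manager, a decoder for the SESSION_TEARDOWN line quoted in the first post, and a rule that alerts on it. The patterns use type="pcre2", which the 4.x decoder syntax accepts, so the key=value payload is matched with ordinary regex semantics, and they tolerate the stray spaces around the IP fields visible in the second paste. The decoder and rule names, the rule IDs 100200 and 100201, the field names src_zone, dst_zone, policy and close_reason, and the firewall address 192.0.2.10 are placeholders chosen here; nothing in the thread or in Wazuh defines them.

```xml
<!-- 1. /var/ossec/etc/ossec.conf: give the manager a syslog listener.
     Port 1514 is the agent channel; the firewall's syslog needs its own port.
     192.0.2.10 is a placeholder for the USG's address. -->
<ossec_config>
  <remote>
    <connection>syslog</connection>
    <port>514</port>
    <protocol>udp</protocol>
    <allowed-ips>192.0.2.10</allowed-ips>
  </remote>
</ossec_config>

<!-- 2. /var/ossec/etc/decoders/local_decoder.xml
     The prematch is not anchored with ^ on purpose: it matches whether or not the
     "YYYY-MM-DD HH:MM:SS HOST " prefix is still in front of the message, as it was
     in the logtest run quoted above. -->
<decoder name="huawei-usg-seclog-custom">
  <prematch type="pcre2">%%\d\dSECLOG/\d/SESSION_\w+\(\w\):</prematch>
</decoder>

<decoder name="huawei-usg-seclog-session-custom">
  <parent>huawei-usg-seclog-custom</parent>
  <prematch type="pcre2">%%\d\dSECLOG/\d/SESSION_\w+\(\w\):</prematch>
  <!-- \s* with a lazy \S+? absorbs the padding around the IPs seen in the second
       sample ("DestinationIP= x.x.x.x  ,"); \.? covers the full stop after
       CloseReason=aged-out. Fields are listed in the order of the capture groups. -->
  <regex type="pcre2" offset="after_prematch">^IPVer=\d+,Protocol=(\w+),SourceIP=\s*(\S+?)\s*,DestinationIP=\s*(\S+?)\s*,SourcePort=(\d+),DestinationPort=(\d+),.*?SourceZone=(\w+),DestinationZone=(\w+),PolicyName=(.*?),CloseReason=([\w-]+)\.?$</regex>
  <order>protocol, srcip, dstip, srcport, dstport, src_zone, dst_zone, policy, close_reason</order>
</decoder>

<!-- 3. /var/ossec/etc/rules/local_rules.xml
     Level 3 is the default threshold for writing an alert, so 100200 shows up in
     alerts.json and the dashboard. 100201 shows how to refine on decoded fields. -->
<group name="huawei,usg,firewall,">
  <rule id="100200" level="3">
    <decoded_as>huawei-usg-seclog-custom</decoded_as>
    <description>Huawei USG: $(protocol) session $(srcip):$(srcport) to $(dstip):$(dstport) closed ($(close_reason)), policy "$(policy)"</description>
    <group>session_teardown,</group>
  </rule>
  <rule id="100201" level="5">
    <if_sid>100200</if_sid>
    <field name="dstport">^53$</field>
    <field name="dst_zone">^untrust$</field>
    <description>Huawei USG: DNS session from $(srcip) to $(dstip) left through zone $(dst_zone)</description>
  </rule>
</group>
```

After restarting the manager, paste the raw line from the first post (with or without the `<190>` prefix) into /var/ossec/bin/wazuh-logtest: phase 2 should name huawei-usg-seclog-custom and list srcip, dstip, srcport, dstport and the zone, policy and close_reason fields, and phase 3 should fire rule 100200. One caveat worth checking: root decoders are tried in load order and the event goes to the first one whose prematch matches, the default ruleset section loads ruleset/decoders before etc/decoders, and the logtest output quoted above shows the stock windows-date-format decoder already claiming this line because of its leading YYYY-MM-DD HH:MM:SS timestamp. If logtest still reports windows-date-format after the restart, find the file that defines it (grep -l windows-date-format /var/ossec/ruleset/decoders/*) and exclude that file with a `<decoder_exclude>` entry under `<ruleset>` in ossec.conf, the same mechanism the default configuration uses for rule_exclude; look at what else the file contains before excluding it, since the assumption here is that nothing else in it is needed.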