OPNSense Suricata Decoder not found


M Umar Farooq

Sep 8, 2021, 2:41:41 AM
to Wazuh mailing list
Hi, I am using the OPNsense firewall and sending the logs to Wazuh using remote syslog. It's working fine, but I enabled IPS and also sent the Suricata logs using rsyslog, and Wazuh can't seem to decode them. So I wanted to ask: is there any decoder available, or do I have to write my own? (In that case, can someone guide me a bit on how I can write a decoder for Suricata logs? I am a newbie in all this stuff and just doing experiments in my personal lab.)


Jose Antonio Izquierdo

Sep 8, 2021, 2:56:02 AM
to Wazuh mailing list
Hi, 

The current Suricata rules are based on EVE output in JSON format. Your syslog logs will have a different format, so you may need to create your own decoder/rules.

We can help you with that job; just drop here some logs as they are stored on the wazuh-manager after transmission from your OPNsense is done (use the log-all option).
Anyway, if you want to build a better understanding of how to build decoders/rules, here are some links:


Hope it helps, 
Thanks 

M Umar Farooq

Sep 8, 2021, 3:26:49 AM
to Wazuh mailing list
Thanks for replying. I am attaching my log below from Suricata:


Sep  8 12:18:54 OPNsense.localdomain suricata[24318]: {"timestamp": "2021-09-08T12:18:54.020589+0500", "flow_id": 1122993889453034, "in_iface": "em0", "event_type": "alert", "src_ip": "172.67.207.32", "src_port": 80, "dest_ip": "192.168.1.100", "dest_port": 35608, "proto": "TCP", "tx_id": 0, "alert": {"action": "allowed", "gid": 1, "signature_id": 2015051, "rev": 4, "signature": "ET WEB_CLIENT c3284d Malware Network Compromised Redirect (comments 1)", "category": "A Network Trojan was Detected", "severity": 1, "metadata": {"updated_at": ["2012_07_12"], "created_at": ["2012_07_12"]}}, "http": {"hostname": "testmyids.ca", "url": "/", "http_user_agent": "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0", "http_content_type": "text/html", "http_method": "GET", "protocol": "HTTP/1.1", "status": 200, "length": 291}, "app_proto": "http", "flow": {"pkts_toserver": 6, "pkts_toclient": 5, "bytes_toserver": 1018, "bytes_toclient": 1309, "start": "2021-09-08T12:18:53.041962+0500"}}


Jose Antonio Izquierdo

Sep 8, 2021, 5:05:07 AM
to Wazuh mailing list
Hi, 

Try this: it will extract the JSON alert and parse it as standard JSON, so the Suricata rules should work.

Add this decoder to your local_decoder.xml file and restart your wazuh-manager. 

<decoder name="suricata-syslog-to-JSON">
   <!-- match syslog events whose program name is "suricata" ... -->
   <type>syslog</type>
   <program_name>suricata</program_name>
   <!-- ... and hand the message body (the EVE JSON object) to the JSON plugin -->
   <plugin_decoder>JSON_Decoder</plugin_decoder>
</decoder>

Please let me know if this works for you. 
Thanks 
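
The decoder above does two things in sequence: match the syslog header on its program name, then hand the remaining message to the JSON plugin. The script below is an added example (not part of this thread, and not Wazuh code) that emulates that chain offline, so a suspect line can be run through it to see which of the two steps fails. The sample lines are constructed for the example and modelled on the logs in this thread; the archives.log prefix pattern, the status names and the dotted field-name flattening are assumptions of this example, not a description of the Wazuh decoder's internals.

```python
import json
import re
from typing import Optional, Tuple

# Constructed sample lines for this example (modelled on the thread's logs, not
# taken verbatim from a live system; external addresses are documentation ranges).

# 1) A raw syslog line as OPNsense/rsyslog delivers it to the Wazuh manager.
RAW_LINE = (
    'Sep  8 12:18:54 OPNsense.localdomain suricata[24318]: '
    '{"timestamp": "2021-09-08T12:18:54.020589+0500", "event_type": "alert", '
    '"src_ip": "198.51.100.32", "src_port": 80, "dest_ip": "192.168.1.100", '
    '"dest_port": 35608, "proto": "TCP", "alert": {"action": "allowed", '
    '"signature_id": 2015051, "signature": "ET WEB_CLIENT test signature", '
    '"category": "A Network Trojan was Detected", "severity": 1, '
    '"metadata": {"updated_at": ["2012_07_12"]}}}'
)
# 2) The same kind of event as it appears in /var/ossec/logs/archives/archives.log,
#    where the manager prepends its own timestamp and "<location>-><source>".
ARCHIVE_LINE = (
    '2022 Jan 01 19:52:29 OPNsense.lan->10.0.10.1 Jan 1 19:52:29 OPNsense.lan '
    'suricata[85017]: {"timestamp":"2022-01-01T19:52:29.647006+0100",'
    '"event_type":"alert","src_ip":"10.0.10.11","dest_ip":"203.0.113.152",'
    '"alert":{"signature_id":2013504,"severity":3}}'
)
# 3) A line from another program: a decoder keyed on program_name must ignore it.
OTHER_LINE = ('Sep  8 12:18:54 OPNsense.localdomain sshd[2210]: '
              'Accepted publickey for admin from 10.0.10.11 port 51234 ssh2')
# 4) A suricata line whose JSON payload was cut off in transit.
TRUNCATED_LINE = (
    'Sep  8 12:18:54 OPNsense.localdomain suricata[24318]: '
    '{"timestamp": "2021-09-08T12:18:54.020589+0500", "event_type": "alert", '
    '"flow": {"start": "2021-09-08T12:18:53'
)

# Optional archives.log prefix (assumed layout): "YYYY Mon DD HH:MM:SS <location>-><source> ".
ARCHIVE_PREFIX = re.compile(r'^\d{4} [A-Z][a-z]{2} \d{2} \d{2}:\d{2}:\d{2} \S+ ')
# BSD syslog header: "Mon  D HH:MM:SS host program[pid]: message".
SYSLOG_HEADER = re.compile(
    r'^(?P<ts>[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}) '
    r'(?P<host>\S+) (?P<program>[^\s\[:]+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$',
    re.S,
)
PROGRAM_NAME = 'suricata'   # same value as <program_name> in the decoder


def flatten(obj: dict, prefix: str = 'data') -> dict:
    """Flatten nested JSON into dotted names such as data.alert.signature_id.
    Lists are stored as JSON text; that is this example's convention, not a
    statement about how the Wazuh JSON decoder renders arrays."""
    out = {}
    for key, value in obj.items():
        name = f'{prefix}.{key}'
        if isinstance(value, dict):
            out.update(flatten(value, name))
        elif isinstance(value, list):
            out[name] = json.dumps(value)
        else:
            out[name] = value
    return out


def decode_line(line: str) -> Tuple[str, Optional[dict]]:
    """Emulate the two-step decoder on one log line. Returns (status, fields):
      'decoded'      header matched, program is suricata, payload parsed
      'not-suricata' a different program; the decoder would not fire
      'no-header'    not a syslog line, so a syslog-keyed decoder cannot match
      'bad-json'     suricata line whose payload does not parse (e.g. truncated)
    """
    header = SYSLOG_HEADER.match(ARCHIVE_PREFIX.sub('', line.rstrip('\n'), count=1))
    if header is None:
        return 'no-header', None
    if header.group('program') != PROGRAM_NAME:
        return 'not-suricata', None
    payload = header.group('msg')
    try:
        event = json.loads(payload)
    except json.JSONDecodeError as err:
        # Report where parsing failed plus the payload tail and length: payloads
        # that always end mid-string at the same length point to truncation.
        return 'bad-json', {'error': err.msg, 'pos': err.pos,
                            'length': len(payload), 'tail': payload[-40:]}
    fields = flatten(event)
    fields['program_name'] = header.group('program')
    fields['hostname'] = header.group('host')
    return 'decoded', fields


if __name__ == '__main__':
    for sample in (RAW_LINE, ARCHIVE_LINE, OTHER_LINE, TRUNCATED_LINE):
        status, fields = decode_line(sample)
        if status == 'decoded':
            fields = {k: fields[k] for k in ('hostname', 'data.event_type',
                                             'data.alert.signature_id')}
        print(status, fields)
```

Paste a line copied from archives.log in place of ARCHIVE_LINE: 'not-suricata' means the program-name match is what needs fixing, while 'bad-json' with a payload that always ends at the same length means the JSON object is arriving incomplete and the decoder is not the problem.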

Jose Antonio Izquierdo

Sep 9, 2021, 2:19:44 AM
to Wazuh mailing list
Hi, did it work? 

M Umar Farooq

Sep 13, 2021, 3:46:33 AM
to Wazuh mailing list
Hi, first of all, I am really sorry for not answering on time; I was away from my PC. Secondly, I am really thankful: this decoder is working perfectly.

Seclerus

Jan 8, 2022, 11:18:02 AM
to Wazuh mailing list
Hi all,

Sorry for bringing this up again, but I am trying to achieve the exact same thing (Suricata logs sent via remote syslog from OPNsense). I added the suggested decoder, but it did not work. Do you have an idea what I could try to debug this?
Below you can see how the message arrives in Wazuh; this is an extract from /var/ossec/logs/archives/archives.log:

2022 Jan 01 19:52:29 OPNsense.lan->10.0.10.1 Jan 1 19:52:29 OPNsense.lan suricata[85017]: {"timestamp":"2022-01-01T19:52:29.647006+0100","flow_id":192765160717351,"in_iface":"igb2","event_type":"alert","vlan":[10],"src_ip":"10.0.10.11","src_port":47280,"dest_ip":"XX.XXX.88.152","dest_port":80,"proto":"TCP","tx_id":0,"alert":{"action":"allowed","gid":1,"signature_id":2013504,"rev":6,"signature":"ET POLICY GNU/Linux APT User-Agent Outbound likely related to package management","category":"Not Suspicious Traffic","severity":3,"metadata":{"created_at":["2011_08_31"],"former_category":["POLICY"],"updated_at":["2020_04_22"]}},"http":{"hostname":"security.ubuntu.com","url":"/ubuntu/dists/focal-security/InRelease","http_user_agent":"Debian APT-HTTP/1.3 (2.0.6) non-interactive","http_method":"GET","protocol":"HTTP/1.1","status":304,"length":0},"app_proto":"http","flow":{"pkts_toserver":4,"pkts_toclient":3,"bytes_toserver":519,"bytes_toclient":444,"start":"2022-01-01T19:52:29.588839+0100

When I post only the JSON part in the logtester, it is picked up, so my assumption is that the transformation to JSON does not work correctly. Sorry, I am new to these custom decoders.

Regards

Seclerus