Wazuh Rule Not Triggering Correctly for Internal LAN-to-LAN Traffic in 5-Minute Window


Mithun Haridas

Jan 6, 2025, 10:03:53 AM
to Wazuh | Mailing List
Hello team,

I am trying to create a rule that checks for 5 logs of internal LAN-to-LAN traffic within a 5-minute window. However, when reviewing the results, Wazuh only seems to be checking the 4th and 5th log, but not the previous logs (1st to 3rd logs) as expected.

Please provide a solution for this situation.



Regards,
Mithun

Pablo Ariel Gonzalez

Jan 6, 2025, 1:10:21 PM
to Wazuh | Mailing List
Hi Mithun

I have not understood correctly what you have configured and what is the error obtained. Could you send me an example of the log you want to analyze and the rules you have created for this case?

Pablo Ariel Gonzalez

Jan 8, 2025, 6:57:09 AM
to Wazuh | Mailing List
Hi Mithun,

Have you had a chance to see my previous comment? If you have any doubts or questions, please do not hesitate to write to us again.

Mithun Haridas

Jan 9, 2025, 2:10:46 AM
to Wazuh | Mailing List
Hi Pablo,

 Sorry for the delay.

The rule I created:

<group name="firewall,fortianalyzer,syslog,">
    <!-- Base rule: everything the fortianalyzer decoder produces -->
    <rule id="111700" level="4">
        <decoded_as>fortianalyzer</decoded_as>
        <description>Fortianalyzer: Messages grouped.</description>
    </rule>

    <!-- Only traffic-category events -->
    <rule id="111710" level="3">
        <if_sid>111700</if_sid>
        <field name="event_category">^traffic$</field>
        <description>Fortianalyzer: Traffic logs.</description>
    </rule>

    <!-- Both endpoints must be in the private-IP CDB list -->
    <rule id="111742" level="4">
        <if_sid>111710</if_sid>
        <list field="srcip" lookup="address_match_key">etc/lists/private-ip</list>
        <list field="dstip" lookup="address_match_key">etc/lists/private-ip</list>
        <description>Fortianalyzer: Internal traffic.</description>
    </rule>

    <!-- Correlation: 5 internal events in 300 s, same source and port, different destinations,
         excluding DNS (53) and NTP (123) -->
    <rule id="111745" level="14" frequency="5" timeframe="300">
        <if_matched_sid>111742</if_matched_sid>
        <same_srcip/>
        <same_dstport/>
        <different_dstip/>
        <dstport negate="yes">^53$|^123$</dstport>
        <description>Fortianalyzer: LAN2LAN horizontal scanning detected from a single host to multiple destinations.</description>
    </rule>
</group>

In order to activate this rule, I need my Wazuh to examine five internal traffic logs with the same srcip, the same dstport, and distinct dstip over a period of five minutes. However, Wazuh is not checking as I need it to when I write this rule. Was the rule written incorrectly? Wazuh just compares the fourth and fifth logs with the conditions specified in rule ID 111745; it does not check this condition for all of the prior logs, as all 4 previous logs have the same dstip.

Please provide a solution for this ASAP.

Regards

Pablo Ariel Gonzalez

Jan 9, 2025, 9:02:21 AM
to Wazuh | Mailing List
Hi Mithun,


The problem with the Wazuh rule seems to be related to the different_dstip condition and how the records are evaluated in sequence. Currently, Wazuh is evaluating only the fourth and fifth records and not all previous records as desired by the user.

The <different_dstip/> condition requires that the previous records meet different destination IPs, but the current rule only compares sequentially. Also, if the first 4 records have the same dstip, the condition will not be triggered correctly.

We could rewrite the rule with a more flexible condition that evaluates a wider set of records. Could you try the following example and let us know the result?

<rule id="111745" level="14" frequency="5" timeframe="300">
    <if_matched_sid>111742</if_matched_sid>
    <same_srcip/>
    <same_dstport/>
    <different_field field="dstip"/>
    <dstport negate="yes">^53$|^123$</dstport>
    <description>Fortianalyzer: LAN2LAN horizontal scanning detected from a single host to multiple destinations.</description>
</rule>

Mithun Haridas

Jan 13, 2025, 12:19:59 AM
to Wazuh | Mailing List
Hi Pablo,

I tried the rule you shared, but I am still facing the same issue. Wazuh is not checking the different-dstip condition across all 5 logs.
Please suggest any other method to sort this out.


Regards,

Pablo Ariel Gonzalez

Jan 13, 2025, 11:08:54 AM
to Wazuh | Mailing List
Hi Mithun,

I will try to replicate your issue again to see why it is failing. For this I will need the following data:
  • The specific version of Wazuh you are using.
  • An example of 5 logs you send that should trigger the alert.



Mithun Haridas

Jan 14, 2025, 12:58:41 AM
to Wazuh | Mailing List
Hi Pablo,

Right now, I'm using Wazuh version 4.8.


Actually, I need the rule to trigger when the logs come in this manner:

Jan 09 10:09:43 AA-FIU1-FGTFW CEF:0|Fortinet|FortiGate-60F|7.4.4,build2662 (GA)|0000000013|forward traffic server-rst|5|start=Jan 09 2025 10:09:43 logver=704042662 deviceExternalId=FGT60FAJZ dvchost=AA-FIU1-FGTFW vd=root eventtime=1736402984774088220 tz=+0400 logid=0000000013 cat=traffic subtype=forward deviceSeverity=notice src=10.6.128.117 spt=433 deviceInboundInterface=HHHH srcintfrole=undefined dst=10.6.1.101 dpt=389 deviceOutboundInterface=KKK dstintfrole=undefined replysrcintf=MMMMMM srccountry=Reserved dstcountry=Reserved externalID=14115 proto=6 act=server-rst policyid=1 policytype=policy poluuid=92017e-51ef-8b1e-1fae8e136399 policyname=KKK to JDDJ duser=AAAAA.BBBB authserver=ASASASA app=LDAP trandisp=noop duration=5 out=2545 in=677 sentpkt=7 rcvdpkt=5 vpntype=ipsecvpn vwlid=1 vwlquality=ASASHBDN alive selected vwlname=DDDDDDD appcat=unscanned tz="+0400"

Jan 09 10:09:43 AA-FIU1-FGTFW CEF:0|Fortinet|FortiGate-60F|7.4.4,build2662 (GA)|0000000013|forward traffic server-rst|5|start=Jan 09 2025 10:09:43 logver=704042662 deviceExternalId=FGT60FAJZ dvchost=AA-FIU1-FGTFW vd=root eventtime=1736402984774088220 tz=+0400 logid=0000000013 cat=traffic subtype=forward deviceSeverity=notice src=10.6.128.117 spt=433 deviceInboundInterface=HHHH srcintfrole=undefined dst=10.6.12.101 dpt=389 deviceOutboundInterface=KKK dstintfrole=undefined replysrcintf=MMMMMM srccountry=Reserved dstcountry=Reserved externalID=14115 proto=6 act=server-rst policyid=1 policytype=policy poluuid=92017e-51ef-8b1e-1fae8e136399 policyname=KKK to JDDJ duser=AAAAA.BBBB authserver=ASASASA app=LDAP trandisp=noop duration=5 out=2545 in=677 sentpkt=7 rcvdpkt=5 vpntype=ipsecvpn vwlid=1 vwlquality=ASASHBDN alive selected vwlname=DDDDDDD appcat=unscanned tz="+0400"

Jan 09 10:09:43 AA-FIU1-FGTFW CEF:0|Fortinet|FortiGate-60F|7.4.4,build2662 (GA)|0000000013|forward traffic server-rst|5|start=Jan 09 2025 10:09:43 logver=704042662 deviceExternalId=FGT60FAJZ dvchost=AA-FIU1-FGTFW vd=root eventtime=1736402984774088220 tz=+0400 logid=0000000013 cat=traffic subtype=forward deviceSeverity=notice src=10.6.128.117 spt=433 deviceInboundInterface=HHHH srcintfrole=undefined dst=10.6.21.101 dpt=389 deviceOutboundInterface=KKK dstintfrole=undefined replysrcintf=MMMMMM srccountry=Reserved dstcountry=Reserved externalID=14115 proto=6 act=server-rst policyid=1 policytype=policy poluuid=92017e-51ef-8b1e-1fae8e136399 policyname=KKK to JDDJ duser=AAAAA.BBBB authserver=ASASASA app=LDAP trandisp=noop duration=5 out=2545 in=677 sentpkt=7 rcvdpkt=5 vpntype=ipsecvpn vwlid=1 vwlquality=ASASHBDN alive selected vwlname=DDDDDDD appcat=unscanned tz="+0400"

Jan 09 10:09:43 AA-FIU1-FGTFW CEF:0|Fortinet|FortiGate-60F|7.4.4,build2662 (GA)|0000000013|forward traffic server-rst|5|start=Jan 09 2025 10:09:43 logver=704042662 deviceExternalId=FGT60FAJZ dvchost=AA-FIU1-FGTFW vd=root eventtime=1736402984774088220 tz=+0400 logid=0000000013 cat=traffic subtype=forward deviceSeverity=notice src=10.6.128.117 spt=433 deviceInboundInterface=HHHH srcintfrole=undefined dst=10.6.1.211 dpt=389 deviceOutboundInterface=KKK dstintfrole=undefined replysrcintf=MMMMMM srccountry=Reserved dstcountry=Reserved externalID=14115 proto=6 act=server-rst policyid=1 policytype=policy poluuid=92017e-51ef-8b1e-1fae8e136399 policyname=KKK to JDDJ duser=AAAAA.BBBB authserver=ASASASA app=LDAP trandisp=noop duration=5 out=2545 in=677 sentpkt=7 rcvdpkt=5 vpntype=ipsecvpn vwlid=1 vwlquality=ASASHBDN alive selected vwlname=DDDDDDD appcat=unscanned tz="+0400"

Jan 09 10:09:43 AA-FIU1-FGTFW CEF:0|Fortinet|FortiGate-60F|7.4.4,build2662 (GA)|0000000013|forward traffic server-rst|5|start=Jan 09 2025 10:09:43 logver=704042662 deviceExternalId=FGT60FAJZ dvchost=AA-FIU1-FGTFW vd=root eventtime=1736402984774088220 tz=+0400 logid=0000000013 cat=traffic subtype=forward deviceSeverity=notice src=10.6.128.117 spt=433 deviceInboundInterface=HHHH srcintfrole=undefined dst=10.6.1.121 dpt=389 deviceOutboundInterface=KKK dstintfrole=undefined replysrcintf=MMMMMM srccountry=Reserved dstcountry=Reserved externalID=14115 proto=6 act=server-rst policyid=1 policytype=policy poluuid=92017e-51ef-8b1e-1fae8e136399 policyname=KKK to JDDJ duser=AAAAA.BBBB authserver=ASASASA app=LDAP trandisp=noop duration=5 out=2545 in=677 sentpkt=7 rcvdpkt=5 vpntype=ipsecvpn vwlid=1 vwlquality=ASASHBDN alive selected vwlname=DDDDDDD appcat=unscanned tz="+0400"


But now I'm getting the rule triggered even in the condition below:

Jan 09 10:09:43 AA-FIU1-FGTFW CEF:0|Fortinet|FortiGate-60F|7.4.4,build2662 (GA)|0000000013|forward traffic server-rst|5|start=Jan 09 2025 10:09:43 logver=704042662 deviceExternalId=FGT60FAJZ dvchost=AA-FIU1-FGTFW vd=root eventtime=1736402984774088220 tz=+0400 logid=0000000013 cat=traffic subtype=forward deviceSeverity=notice src=10.6.128.117 spt=433 deviceInboundInterface=HHHH srcintfrole=undefined dst=10.6.1.101 dpt=389 deviceOutboundInterface=KKK dstintfrole=undefined replysrcintf=MMMMMM srccountry=Reserved dstcountry=Reserved externalID=14115 proto=6 act=server-rst policyid=1 policytype=policy poluuid=92017e-51ef-8b1e-1fae8e136399 policyname=KKK to JDDJ duser=AAAAA.BBBB authserver=ASASASA app=LDAP trandisp=noop duration=5 out=2545 in=677 sentpkt=7 rcvdpkt=5 vpntype=ipsecvpn vwlid=1 vwlquality=ASASHBDN alive selected vwlname=DDDDDDD appcat=unscanned tz="+0400"

Jan 09 10:09:43 AA-FIU1-FGTFW CEF:0|Fortinet|FortiGate-60F|7.4.4,build2662 (GA)|0000000013|forward traffic server-rst|5|start=Jan 09 2025 10:09:43 logver=704042662 deviceExternalId=FGT60FAJZ dvchost=AA-FIU1-FGTFW vd=root eventtime=1736402984774088220 tz=+0400 logid=0000000013 cat=traffic subtype=forward deviceSeverity=notice src=10.6.128.117 spt=433 deviceInboundInterface=HHHH srcintfrole=undefined dst=10.6.1.101 dpt=389 deviceOutboundInterface=KKK dstintfrole=undefined replysrcintf=MMMMMM srccountry=Reserved dstcountry=Reserved externalID=14115 proto=6 act=server-rst policyid=1 policytype=policy poluuid=92017e-51ef-8b1e-1fae8e136399 policyname=KKK to JDDJ duser=AAAAA.BBBB authserver=ASASASA app=LDAP trandisp=noop duration=5 out=2545 in=677 sentpkt=7 rcvdpkt=5 vpntype=ipsecvpn vwlid=1 vwlquality=ASASHBDN alive selected vwlname=DDDDDDD appcat=unscanned tz="+0400"

Jan 09 10:09:43 AA-FIU1-FGTFW CEF:0|Fortinet|FortiGate-60F|7.4.4,build2662 (GA)|0000000013|forward traffic server-rst|5|start=Jan 09 2025 10:09:43 logver=704042662 deviceExternalId=FGT60FAJZ dvchost=AA-FIU1-FGTFW vd=root eventtime=1736402984774088220 tz=+0400 logid=0000000013 cat=traffic subtype=forward deviceSeverity=notice src=10.6.128.117 spt=433 deviceInboundInterface=HHHH srcintfrole=undefined dst=10.6.1.101 dpt=389 deviceOutboundInterface=KKK dstintfrole=undefined replysrcintf=MMMMMM srccountry=Reserved dstcountry=Reserved externalID=14115 proto=6 act=server-rst policyid=1 policytype=policy poluuid=92017e-51ef-8b1e-1fae8e136399 policyname=KKK to JDDJ duser=AAAAA.BBBB authserver=ASASASA app=LDAP trandisp=noop duration=5 out=2545 in=677 sentpkt=7 rcvdpkt=5 vpntype=ipsecvpn vwlid=1 vwlquality=ASASHBDN alive selected vwlname=DDDDDDD appcat=unscanned tz="+0400"

Jan 09 10:09:43 AA-FIU1-FGTFW CEF:0|Fortinet|FortiGate-60F|7.4.4,build2662 (GA)|0000000013|forward traffic server-rst|5|start=Jan 09 2025 10:09:43 logver=704042662 deviceExternalId=FGT60FAJZ dvchost=AA-FIU1-FGTFW vd=root eventtime=1736402984774088220 tz=+0400 logid=0000000013 cat=traffic subtype=forward deviceSeverity=notice src=10.6.128.117 spt=433 deviceInboundInterface=HHHH srcintfrole=undefined dst=10.6.1.121 dpt=389 deviceOutboundInterface=KKK dstintfrole=undefined replysrcintf=MMMMMM srccountry=Reserved dstcountry=Reserved externalID=14115 proto=6 act=server-rst policyid=1 policytype=policy poluuid=92017e-51ef-8b1e-1fae8e136399 policyname=KKK to JDDJ duser=AAAAA.BBBB authserver=ASASASA app=LDAP trandisp=noop duration=5 out=2545 in=677 sentpkt=7 rcvdpkt=5 vpntype=ipsecvpn vwlid=1 vwlquality=ASASHBDN alive selected vwlname=DDDDDDD appcat=unscanned tz="+0400"

Jan 09 10:09:43 AA-FIU1-FGTFW CEF:0|Fortinet|FortiGate-60F|7.4.4,build2662 (GA)|0000000013|forward traffic server-rst|5|start=Jan 09 2025 10:09:43 logver=704042662 deviceExternalId=FGT60FAJZ dvchost=AA-FIU1-FGTFW vd=root eventtime=1736402984774088220 tz=+0400 logid=0000000013 cat=traffic subtype=forward deviceSeverity=notice src=10.6.128.117 spt=433 deviceInboundInterface=HHHH srcintfrole=undefined dst=10.6.1.211 dpt=389 deviceOutboundInterface=KKK dstintfrole=undefined replysrcintf=MMMMMM srccountry=Reserved dstcountry=Reserved externalID=14115 proto=6 act=server-rst policyid=1 policytype=policy poluuid=92017e-51ef-8b1e-1fae8e136399 policyname=KKK to JDDJ duser=AAAAA.BBBB authserver=ASASASA app=LDAP trandisp=noop duration=5 out=2545 in=677 sentpkt=7 rcvdpkt=5 vpntype=ipsecvpn vwlid=1 vwlquality=aaaaaavvvvv alive selected vwlname=DDDDDDD appcat=unscanned tz="+0400"


Regards,
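The correlation that rule 111745 is meant to express (five traffic events within 300 s from one srcip to one dstport, hitting five distinct private dstip, with DNS and NTP excluded), written as a small reference model and run over the two sets of log lines posted above. This is an added example, not code from the thread, from Wazuh or from Fortinet: it does not reproduce Wazuh's analysisd, it only pins down the intended "distinct destinations across the whole window" semantics so that a log corpus can be checked against the expected verdict before the rule is tuned. The sample lines are constructed here by trimming the posted FortiGate CEF lines down to the fields the rule reads; `parse_fortigate_cef`, `LanScanCorrelator`, `run` and `sample_line` are names chosen for this example.

```python
import ipaddress
import re
from collections import defaultdict, deque

# A CEF extension is "key=value key=value ..."; a value is either double-quoted
# or runs to the next space (so free text like "policyname=KKK to JDDJ" yields
# only "KKK", which is fine because the rule never reads that field).
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_fortigate_cef(line):
    """Return the key=value extension of a FortiGate CEF line as a dict."""
    parts = line.split("|", 7)          # 7 header fields + extension
    if len(parts) != 8:
        raise ValueError("not a CEF line: expected seven '|' separators")
    return {k: v.strip('"') for k, v in KV_RE.findall(parts[7])}


def is_private(ip):
    """Stand-in for the thread's etc/lists/private-ip CDB lookup."""
    try:
        return ipaddress.ip_address(ip).is_private
    except ValueError:
        return False


class LanScanCorrelator:
    """Reference semantics for rule 111745: `frequency` distinct private
    destinations from one (srcip, dstport) pair inside `timeframe` seconds."""

    def __init__(self, frequency=5, timeframe=300, excluded_ports=("53", "123")):
        self.frequency = frequency
        self.timeframe = timeframe
        self.excluded_ports = set(excluded_ports)
        # (srcip, dstport) -> deque of (timestamp, dstip), oldest first
        self.window = defaultdict(deque)

    def feed(self, ev):
        """Feed one decoded event; return an alert dict, or None."""
        # Rules 111710 / 111742: traffic category, both endpoints private.
        if ev.get("cat") != "traffic":
            return None
        if not (is_private(ev.get("src", "")) and is_private(ev.get("dst", ""))):
            return None
        # <dstport negate="yes">^53$|^123$</dstport>
        if ev.get("dpt") in self.excluded_ports:
            return None
        ts = int(ev["eventtime"]) / 1e9      # FortiGate eventtime is ns since epoch
        key = (ev["src"], ev["dpt"])          # <same_srcip/> and <same_dstport/>
        q = self.window[key]
        q.append((ts, ev["dst"]))
        while q and ts - q[0][0] > self.timeframe:   # expire events outside timeframe
            q.popleft()
        distinct = {dst for _, dst in q}             # different dstip over the whole window
        if len(distinct) < self.frequency:
            return None
        q.clear()                                    # start a fresh window after alerting
        return {"srcip": key[0], "dstport": key[1], "dstips": sorted(distinct)}


def run(lines, **kwargs):
    """Parse and correlate raw lines in order; return the alerts raised."""
    corr = LanScanCorrelator(**kwargs)
    alerts = []
    for line in lines:
        alert = corr.feed(parse_fortigate_cef(line))
        if alert:
            alerts.append(alert)
    return alerts


# Constructed sample input: the thread's lines trimmed to the fields the rule reads.
HEADER = ("Jan 09 10:09:43 AA-FIU1-FGTFW CEF:0|Fortinet|FortiGate-60F|7.4.4,build2662 (GA)"
          "|0000000013|forward traffic server-rst|5|")


def sample_line(dst, dpt="389", t=1736402984):
    return (HEADER + f"start=Jan 09 2025 10:09:43 eventtime={t * 10**9} cat=traffic "
            f"subtype=forward src=10.6.128.117 spt=433 dst={dst} dpt={dpt} app=LDAP tz=\"+0400\"")


# First set posted above: five distinct destinations -> should alert.
SCAN_SET = [sample_line(d) for d in
            ["10.6.1.101", "10.6.12.101", "10.6.21.101", "10.6.1.211", "10.6.1.121"]]
# Second set posted above: three repeats then two new hosts -> only three distinct, no alert.
REPEAT_SET = [sample_line(d) for d in
              ["10.6.1.101", "10.6.1.101", "10.6.1.101", "10.6.1.121", "10.6.1.211"]]

if __name__ == "__main__":
    print("scan set   ->", run(SCAN_SET))
    print("repeat set ->", run(REPEAT_SET))
```

Under these semantics the first set raises exactly one alert listing all five destinations and the second raises none, which is the verdict the thread expects; the same harness also shows that the excluded ports and a window longer than 300 s suppress the alert. Feeding the full posted lines instead of the trimmed ones works unchanged, since the parser ignores fields it does not use.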

Mithun Haridas

Jan 15, 2025, 7:20:43 AM
to Wazuh | Mailing List
Hi Pablo,
Did you look into this? Are there any updates?

Pablo Ariel Gonzalez

Jan 15, 2025, 7:31:12 AM
to Mithun Haridas, Wazuh | Mailing List
Hi Mithun,

  I am preparing the environment to test and reproduce your error. As soon as I have additional information I will share it here.



--
Pablo Ariel Gonzalez
Cloud Engineer, Wazuh
pablo.g...@wazuh.com
wazuh.com

Pablo Ariel Gonzalez

Jan 15, 2025, 11:25:27 PM
to Wazuh | Mailing List
Hi Mithun,

     I continue to test to identify why the created rule behaves this way. As soon as I have additional information I will share it with you.

Pablo Ariel Gonzalez

Jan 16, 2025, 9:13:09 PM
to Wazuh | Mailing List
Hi Mithun,

I have tried different configurations, but I have not yet identified what specifically the error is that keeps the rule from working as desired. As soon as possible I will share with you a new alternative for this requirement.

Mithun Haridas

Jan 17, 2025, 6:57:05 AM
to Wazuh | Mailing List
Hi Pablo,

 Waiting for your response with a perfect solution for this issue.

Mithun Haridas

Jan 20, 2025, 1:31:25 AM
to Wazuh | Mailing List
Hi Pablo,
 
Is there any update on the issue?

Pablo Ariel Gonzalez

Jan 20, 2025, 8:11:10 AM
to Mithun Haridas, Wazuh | Mailing List
Hi Mithun,

    I hope we will have an answer for this inquiry today.


Mithun Haridas

Jan 21, 2025, 4:18:39 AM
to Pablo Ariel Gonzalez, Wazuh | Mailing List
Hi Pablo,

  Is there anything I can anticipate today? Have you found any solution?

Mithun Haridas

Jan 21, 2025, 7:54:41 AM
to Wazuh | Mailing List
Hi Pablo,

What's the latest on this matter? I've been dealing with it for a number of days, so it would be very beneficial if you could offer a remedy.

Pablo Ariel Gonzalez

Jan 21, 2025, 3:47:16 PM
to Mithun Haridas, Wazuh | Mailing List
Hi Mithun,

I am still trying to replicate your issue completely, but I continue to encounter the same error that you are experiencing. Would it be possible for you to indicate where you obtained the Fortianalyzer rule and decoder so that I can try to replicate your environment exactly?

Trying to replicate your rules in a custom rule fails because of this requirement.

<group name="firewall,fortianalyzer,syslog,">
    <rule id="111700" level="4">
        <decoded_as>fortianalyzer</decoded_as>
        <description>Fortianalyzer: Messages grouped.</description>
    </rule>

    <rule id="111710" level="3">
        <if_sid>111700</if_sid>
        <field name="event_category">^traffic$</field>
        <description>Fortianalyzer: Traffic logs.</description>
    </rule>

    <rule id="111742" level="4">
        <if_sid>111710</if_sid>
        <list field="srcip" lookup="address_match_key">etc/lists/private-ip</list>
        <list field="dstip" lookup="address_match_key">etc/lists/private-ip</list>
        <description>Fortianalyzer: Internal traffic.</description>
    </rule>

    <rule id="111745" level="14" frequency="5" timeframe="300">
        <if_matched_sid>111742</if_matched_sid>
        <same_srcip/>
        <same_dstport/>
        <different_field field="dstip"/>
        <dstport negate="yes">^53$|^123$</dstport>
        <description>Fortianalyzer: LAN2LAN horizontal scanning detected from a single host to multiple destinations.</description>
    </rule>
</group>



Pablo Ariel Gonzalez

Jan 27, 2025, 8:27:16 AM
to Wazuh | Mailing List
Hi Mithun,

I understand that it is not possible to share the decoders with us; we will try to analyze an alternative for this inconvenience.

Mithun Haridas

Mar 10, 2025, 2:40:55 AM
to Wazuh | Mailing List
Hi team,

I've been waiting a while for a response; could someone please help me to resolve this?


Regards,
Mithun

Mithun Haridas

Mar 13, 2025, 12:13:53 AM
to Wazuh | Mailing List
Hi team,

Can any of you help me to resolve this?


Regards,