Problem with sonicwall decoder


gustavo rodriguez

Apr 28, 2023, 10:31:08 AM
to Wazuh mailing list
I have problems decoding some fields in the SonicWall logs. Although the decoder works fine, there are some fields that it doesn't separate as I want:

logs: id=firewall sn=C0EAE4E26EFC time="2023-04-28 14:23:13 UTC" fw=170.233.71.2 pri=1 c=32 gcat=3 m=608 src=17.253.10.204:8:X1 dst=172.17.8.61:555:X4 msg="IPS Detection Alert: INFO Oversize ICMP Packet, SID: 388, Priority: Low" msg="IPS Detection Alert: INFO Oversize ICMP Packet" sid=388 ipscat="INFO Oversize ICMP Packet " ipspri=3 n=87004 fw_action="NA"

I need to separate the "src" and "dst" fields to be able to filter them later in Kibana. But when I run the test, I get this as a result:

**Phase 1: Completed pre-decoding.
full event: 'id=firewall sn=C0EAE4E26EFC time="2023-04-28 14:23:13 UTC" fw=170.233.71.2 pri=1 c=32 gcat=3 m=608 src=17.253.10.204:8:X1 dst=172.17.8.61:555:X4 msg="IPS Detection Alert: INFO Oversize ICMP Packet, SID: 388, Priority: Low" msg="IPS Detection Alert: INFO Oversize ICMP Packet" sid=388 ipscat="INFO Oversize ICMP Packet" ipspri=3 n=87004 fw_action="NA"'

**Phase 2: Completed decoding.
name: 'sonicwall'
action: 'IPS Detection Alert: INFO Oversize ICMP Packet, SID: 388, Priority: Low'
id: '608'
status: '1'

**Phase 3: Completed filtering (rules).
id: '4801'
level: '7'
description: 'SonicWall critical message.'
groups: '["syslog","sonicwall"]'
firedtimes: '1'
gdpr: '["IV_35.7.d"]'
gpg13: '["3.2"]'
mail: 'false'
**Alert to be generated.



The decoder is as follows:

<decoder name="sonicwall">
   <plugin_decoder>SonicWall_Decoder</plugin_decoder>
   <prematch>^\<\d+>\s*id=\w+\s+sn=\w+\s+time="\.+"\s+fw=\S+ |^\s*id=\w+\s+sn=\w+\s+time="\.+"\s+fw=\S+ </prematch>
</decoder>

<decoder name="sonicwall-fields">
   <parent>sonicwall</parent>
   <regex offset="after_parent">pri=(\S+)</regex>
   <order>status</order>
</decoder>

<decoder name="sonicwall-fields">
   <parent>sonicwall</parent>
   <regex offset="after_regex"> msg="(\.+)"</regex>
   <order>action</order>
</decoder>

<decoder name="sonicwall-fields">
   <parent>sonicwall</parent>
   <regex offset="after_regex">src=(\d+.\d+.\d+.\d+):(\d+):\S*</regex>
   <order>srcip, srcport</order>
</decoder>

<decoder name="sonicwall-fields">
   <parent>sonicwall</parent>
   <regex offset="after_regex">dst=(\d+.\d+.\d+.\d+):(\d+):\S*</regex>
   <order>dstip, dstport</order>
</decoder>

<decoder name="sonicwall-fields">
   <parent>sonicwall</parent>
   <regex offset="after_regex">src=(\d+.\d+.\d+.\d+)::|src=(\d+.\d+.\d+.\d+)\s</regex>
   <order>srcip</order>
</decoder>

<decoder name="sonicwall-fields">
   <parent>sonicwall</parent>
   <regex offset="after_regex">dst=(\d+.\d+.\d+.\d+)::|dst=(\d+.\d+.\d+.\d+)\s</regex>
   <order>dstip</order>
</decoder>

<decoder name="sonicwall-fields">
   <parent>sonicwall</parent>
   <regex offset="after_regex">proto=(\S+)</regex>
   <order>protocol</order>
</decoder>

<decoder name="sonicwall-fields">
   <parent>sonicwall</parent>
   <regex>app=(\S+)\s+appName="(\.+)"\.+dstname=(\S+)\.+Category="(\.+)"</regex>
   <order>app, appName, dstname, Category</order>
</decoder>

<decoder name="sonicwall_custom">
   <parent>sonicwall</parent>
   <regex>m=(\S+)</regex>
   <order>id</order>
</decoder>

<decoder name="sonicwall-software_downloads">
   <parent>sonicwall</parent>
   <regex>id=(\S+)\s+sn=(\S+)\s+time="(\d+-\d\d-\d\d \d\d:\d\d:\d\d) (\S+)"\s+fw=(\S+)\s+pri=(\S+)\s+c=(\S+)\s+m=(\S+)\s+msg="(\.+)"\s+app=(\S+)\s+appName="(\.+)"\s+n=(\S+)\s+src=(\S+)\s+dst=(\S+)\s+srcMac=(\S+)\s+dstMac=(\S+)\s+proto=(\S+)\s+dstname=(\S+)\s+arg=(\S+)\s+code=(\S+)\s+Category="(\.+)"</regex>
   <order>id,sn,time,timezone,fw,pri,c,m,msg,app,appName,n,src,dst,srcMac,dstMac,proto,dstname,arg,code,Category</order>
</decoder>

<decoder name="sonicwall-fields">
   <parent>sonicwall</parent>
   <regex offset="after_regex">proto=(\S+)</regex>
   <order>protocol</order>
</decoder>

<decoder name="sonicwall-fields">
   <parent>sonicwall</parent>
   <regex offset="after_regex">src=(\S+)</regex>
   <order>srcfull</order>
</decoder>

Nicolas Curioni

Apr 28, 2023, 4:02:35 PM
to Wazuh mailing list
Hello Gustavo,

Thanks for sharing your doubt with the community. 

In this case, it would be necessary to correct the child decoders which extract the srcip and dstip information.

Please try the following: 

<decoder name="sonicwall-fields">
   <parent>sonicwall</parent>
   <regex>src=(\d+.\d+.\d+.\d+):(\d+):(\S+)</regex>
   <order>srcip, srcport, srcextra</order>
</decoder>

<decoder name="sonicwall-fields">
   <parent>sonicwall</parent>
   <regex>dst=(\d+.\d+.\d+.\d+):(\d+):(\S+)</regex>
   <order>dstip, dstport, dstextra</order>
</decoder>

Take into consideration that you can choose the names for these fields that you believe are more suitable.

Let us know if this works for you.

Best regards, 
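The following is an added Python example, not code from either post in this thread, that shows what the reply's decoders are meant to extract from the log line in the question and why the original children with `offset="after_regex"` could not reach `src=`: as documented for Wazuh, `after_regex` starts the search after the previous sibling decoder's match, and in this log `src=` and `dst=` come before `msg=`, so once the `msg` child has matched the `src` child searches only the tail of the line. The sample line is constructed from the one quoted in the question; `parse_kv`, `split_endpoint`, `decode` and `chained_search` are names invented for this example. Python's `re` stands in for Wazuh's OS_Regex, so `\.` below is a literal dot, whereas in an OS_Regex pattern such as `msg="(\.+)"` the sequence `\.` means "any character".

```python
import re

# Constructed sample, modelled on the SonicWall line quoted in the question (not captured from a device)
SAMPLE = (
    'id=firewall sn=C0EAE4E26EFC time="2023-04-28 14:23:13 UTC" fw=170.233.71.2 pri=1 c=32 '
    'gcat=3 m=608 src=17.253.10.204:8:X1 dst=172.17.8.61:555:X4 '
    'msg="IPS Detection Alert: INFO Oversize ICMP Packet, SID: 388, Priority: Low" '
    'msg="IPS Detection Alert: INFO Oversize ICMP Packet" sid=388 '
    'ipscat="INFO Oversize ICMP Packet " ipspri=3 n=87004 fw_action="NA"'
)

# key=value tokens: a value is either a double-quoted string (may contain spaces) or a run of non-blanks
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S*))')

# ip, optional :port, optional :interface -- the shape the reply's decoder splits into three fields
ENDPOINT_RE = re.compile(r'^(\d{1,3}(?:\.\d{1,3}){3})(?::(\d*))?(?::(\S*))?$')


def parse_kv(line):
    """Tokenise a SonicWall syslog line into a dict. Duplicate keys (msg appears twice) keep the
    first occurrence, which is what the question's Phase 2 output shows for 'action'."""
    fields = {}
    for m in KV_RE.finditer(line):
        value = m.group(2) if m.group(2) is not None else m.group(3)
        fields.setdefault(m.group(1), value)
    return fields


def split_endpoint(value, prefix):
    """Split 'ip:port:iface' into prefix+'ip', prefix+'port', prefix+'extra' (the reply's field names).
    A missing port or interface, e.g. the 'src=1.2.3.4::' case the question's fallback decoders
    try to handle, yields None for that part instead of failing the whole match."""
    m = ENDPOINT_RE.match(value)
    if not m:
        return {}
    ip, port, extra = m.groups()
    return {prefix + 'ip': ip, prefix + 'port': port or None, prefix + 'extra': extra or None}


def decode(line):
    """Produce the fields the thread's decoders aim for: status (pri), action (first msg), id (m),
    plus the split src/dst endpoints."""
    fields = parse_kv(line)
    out = {'status': fields.get('pri'), 'action': fields.get('msg'), 'id': fields.get('m')}
    for key in ('src', 'dst'):
        if key in fields:
            out.update(split_endpoint(fields[key], key))
    return out


def chained_search(line, patterns):
    """Emulate sibling decoders using offset="after_regex": each pattern is searched only in the
    text after the previous pattern's match. Returns group(1) per pattern, None where it did not match."""
    pos = 0
    results = []
    for pat in patterns:
        m = re.compile(pat).search(line, pos)
        if m:
            results.append(m.group(1))
            pos = m.end()
        else:
            results.append(None)
    return results


if __name__ == '__main__':
    print(decode(SAMPLE))
    # Same order as the question's children (pri, msg, src): src= lies before msg= and is never reached
    print(chained_search(SAMPLE, [r'pri=(\S+)', r'msg="([^"]*)"', r'src=(\d+\.\d+\.\d+\.\d+)']))
    # With src searched before msg (or, as in the reply, without the offset chain) the address is found
    print(chained_search(SAMPLE, [r'pri=(\S+)', r'src=(\d+\.\d+\.\d+\.\d+)', r'msg="([^"]*)"']))
```

Running the block prints the nine fields (status, action, id and the three-way split of src and dst) followed by the two `chained_search` results: the first list ends in `None` for `src`, the second finds `17.253.10.204`. That difference is the behaviour the reply fixes by dropping `offset="after_regex"` from the src and dst children.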