Firewall sophos log in wazuh


Azhar Hj.Mohd Ghazali

Jan 13, 2021, 8:25:59 PM
to wa...@googlegroups.com
Hi team

FYI, I managed to see Fortinet logs in Wazuh since it has its own decoder, but for the Sophos FW, till now no luck at all.

Need help from experts.

Many thanks.

eva....@wazuh.com

Jan 18, 2021, 4:31:18 AM
to Wazuh mailing list
Hello,

Unfortunately, we haven't got rules and decoders for Sophos Firewall on released versions, but we have this PR with a Sophos FW ruleset to merge.

You can copy the PR files 0500-sophos_fw_decoders.xml and rules/0690-sophos_fw_rules.xml into /var/ossec/etc/decoders/ and /var/ossec/etc/rules/ respectively, and check if they work for you.

Additionally, you can create your custom rules and decoders following our documentation.

I hope it helps you.

Regards,
Eva

Roberto Borges

Jan 21, 2021, 10:45:22 AM
to Wazuh mailing list
Hi @respectmy,

Did you manage to configure?

Thanks.

Azhar Hj.Mohd Ghazali

Jan 22, 2021, 2:09:40 AM
to Roberto Borges, Wazuh mailing list
Hi ,

Finally, I managed to get Sophos logs coming into Wazuh.

thanks all.

Roberto Borges

Jan 22, 2021, 11:31:40 AM
to Azhar Hj.Mohd Ghazali, Wazuh mailing list
Hi Azhar,

Can you help me configure the Sophos with Wazuh?
Thanks.

Azhar Hj.Mohd Ghazali

Jan 23, 2021, 1:35:39 AM
to Roberto Borges, Wazuh mailing list
Hi Roberto,

I just used the syslog options; you can forward the log traffic of the Sophos (firewall) to the Wazuh IP.

Thanks
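The two ingestion paths this thread ends up using, written out as an ossec.conf example on the manager. This is an added example, not a configuration posted in the thread; 192.0.2.0/24 stands in for the firewall's network and /var/log/sophos-xg.log is the file name another reply in this thread uses for the rsyslog path.

```xml
<ossec_config>
  <!-- Path A: wazuh-remoted listens for syslog itself. allowed-ips is matched against the
       source address of the UDP datagrams as the manager sees them, i.e. the firewall's
       address after any NAT on the way; datagrams from anywhere else are dropped silently,
       which looks exactly like "no Sophos logs arrive". -->
  <remote>
    <connection>syslog</connection>
    <port>514</port>
    <protocol>udp</protocol>
    <allowed-ips>192.0.2.0/24</allowed-ips>
  </remote>

  <!-- Path B: rsyslog receives on 514 and writes the firewall's lines to a file that
       Wazuh tails. The file name is the one used later in this thread. -->
  <localfile>
    <log_format>syslog</log_format>
    <location>/var/log/sophos-xg.log</location>
  </localfile>
</ossec_config>
```

Use one path or the other on a given host: wazuh-remoted and rsyslog cannot both bind UDP 514. Whichever you choose, remember that plain UDP syslog carries no sender authentication, so anything that can reach port 514 from an address inside allowed-ips (or that rsyslog accepts) can inject lines that the sophos-fw decoder will happily parse; keep the allowed range tight and confirm with `tcpdump -ni any udp port 514` that the packets really arrive from the address you listed before you start editing decoders.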

wesley staenle

Dec 6, 2021, 6:51:39 AM
to Wazuh mailing list
Good morning. In my case Wazuh is receiving the logs in /var/log/sophos-xg.log (rsyslog):

root@wazuh:/var/ossec/ruleset/rules# tail -f /var/log/sophos-xg.log | grep wesley
Dec 6 08:38:10 10.192.206.242 device="SFW" date=2021-12-06 time=08:38:10 timezone="-03" device_name="XG450" device_id=C4307BPTPBKHMB6 log_id=062009617507 log_type="Event" log_component="GUI" log_subtype="Admin" status="Successful" priority=Information user_name="wesleystaenle" src_ip=10.206.104.43 N/A message="User wesleystaenle logged in successfully to Web Admin Console through Local authentication mechanism"

It even generates the events in alerts.json:

root@wazuh:/var/ossec/ruleset/rules# tail -f /var/ossec/logs/alerts/alerts.json | grep wesley
{"timestamp":"2021-12-06T08:49:02.427-0300","rule":{"level":3,"description":"Traffic Allowed: from 10.206.104.43 to 142.251.129.234","id":"70022","firedtimes":1950109,"mail":false,"groups":["sophos-fw"]},"agent":{"id":"000","name":"wazuh"},"manager":{"name":"wazuh"},"id":"1638791342.7204340536","full_log":"Dec  6 08:49:00 10.192.206.248 device=\"SFW\" date=2021-12-06 time=08:49:00 timezone=\"-03\" device_name=\"XG310\" device_id=C32078XQ9FK92ED log_id=010101600001 log_type=\"Firewall\" log_component=\"Firewall Rule\" log_subtype=\"Allowed\" status=\"Allow\" priority=Information duration=0 fw_rule_id=3 nat_rule_id=0 policy_type=2 user_name=\"wesleystaenle\" user_gp=\"OU=Seguranca-TI,OU=ADM,OU=Usuarios,OU=ZL,DC=tmkt,DC=servicos,DC=mkt\" iap=12 ips_policy_id=2 appfilter_policy_id=9 application=\"\" application_risk=0 application_technology=\"\" application_category=\"\" vlan_id=\"\" ether_type=Unknown (0x0000) bridge_name=\"\" bridge_display_name=\"\" in_interface=\"LAG_LAN\" in_display_interface=\"LAG_LAN\" out_interface=\"\" out_display_interface=\"\" src_mac=00:1A:30:4C:BC:00 dst_mac=00:E0:20:AC:B5:05 src_ip=10.206.104.43 src_country_code=R1 dst_ip=142.251.129.234 dst_country_code=USA protocol=\"TCP\" src_port=54973 dst_port=443 sent_pkts=0  recv_pkts=0 sent_bytes=0 recv_bytes=0 tran_src_ip= tran_src_port=0 tran_dst_ip=10.192.206.248 tran_dst_port=3128 srczonetype=\"LAN\" srczone=\"LAN\" dstzonetype=\"WAN\" dstzone=\"WAN\" dir_disp=\"\" connevent=\"Start\" connid=\"2596541440\" vconnid=\"\" hb_health=\"No Heartbeat\" message=\"\" appresolvedby=\"Signature\" app_is_cloud=0","predecoder":{"timestamp":"Dec  6 08:49:00","hostname":"10.192.206.248"},"decoder":{"name":"sophos-fw"},"data":{"protocol":"TCP","device":"SFW","date":"2021-12-06","time":"08:49:00","timezone":"-03","appfilter_policy_id":"9","application_risk":"0","appresolvedby":"Signature","connevent":"Start","connid":"2596541440","device_id":"C32078XQ9FK92ED","device_name":"XG310","dst_country_code":"USA","dst_ip":"142.251.129.234","dst_port":"443","dstzone":"WAN","dstzonetype":"WAN","duration":"0","fw_rule_id":"3","hb_health":"No Heartbeat","iap":"12","in_interface":"LAG_LAN","ips_policy_id":"2","log_component":"Firewall Rule","log_id":"010101600001","log_subtype":"Allowed","log_type":"Firewall","name":"XG310","policy_type":"2","priority":"Information","recv_bytes":"0","recv_pkts":"0","sent_bytes":"0","sent_pkts":"0","src_country_code":"R1","src_ip":"10.206.104.43","src_mac":"00:1A:30:4C:BC:00","src_port":"54973","srczone":"LAN","srczonetype":"LAN","sophos_fw_status_msg":"Allow","th":"No Heartbeat","tran_dst_ip":"10.192.206.248","tran_dst_port":"3128","tran_src_port":"0","user_gp":"OU=Seguranca-TI,OU=ADM,OU=Usuarios,OU=ZL,DC=tmkt,DC=servicos,DC=mkt","user_name":"wesleystaenle"},"location":"/var/log/sophos-xg.log"}


The problem is that I only view Firewall events. How could I view admin events? How do I customize a rule for admin events?
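A local rule set for the admin-console events asked about above, added here as an example; it is not part of the thread or of the Sophos ruleset PR. It assumes the PR's sophos-fw decoder extracts log_type, log_component, log_subtype, user_name and src_ip from Event lines the same way the decoded alert above shows for a Firewall line, and that status lands in sophos_fw_status_msg as it does there (the alert above shows "sophos_fw_status_msg":"Allow" and no status field). The rule ids (local range 100000+), the levels, and the frequency rule are choices made for this example, not values from the project.

```xml
<!-- /var/ossec/etc/rules/local_rules.xml (added example) -->
<group name="sophos-fw,local,">

  <!-- Root rule for admin-console events, keyed on the three fields that identify them
       in the sample line above: log_type="Event" log_component="GUI" log_subtype="Admin". -->
  <rule id="100100" level="3">
    <decoded_as>sophos-fw</decoded_as>
    <field name="log_type">^Event$</field>
    <field name="log_component">^GUI$</field>
    <field name="log_subtype">^Admin$</field>
    <description>Sophos XG admin console event: user $(user_name) from $(src_ip), status $(sophos_fw_status_msg)</description>
  </rule>

  <!-- status="Successful" is the value in the login line above; the decoder stores the
       status value as sophos_fw_status_msg (assumption based on the decoded alert above). -->
  <rule id="100101" level="3">
    <if_sid>100100</if_sid>
    <field name="sophos_fw_status_msg">^Successful$</field>
    <description>Sophos XG admin console login: user $(user_name) from $(src_ip)</description>
    <group>authentication_success,</group>
  </rule>

  <!-- Any Admin event whose status is not Successful (assumed to cover failed logins
       and lockouts; the exact status strings are not shown in the thread). -->
  <rule id="100102" level="8">
    <if_sid>100100</if_sid>
    <field name="sophos_fw_status_msg" negate="yes">^Successful$</field>
    <description>Sophos XG admin console event not successful: user $(user_name) from $(src_ip), status $(sophos_fw_status_msg)</description>
    <group>authentication_failed,</group>
  </rule>

  <!-- Five non-successful admin events from one source address within two minutes.
       same_field requires Wazuh 4.2 or later; on an older manager drop this rule. -->
  <rule id="100103" level="10" frequency="5" timeframe="120">
    <if_matched_sid>100102</if_matched_sid>
    <same_field>src_ip</same_field>
    <description>Sophos XG admin console: repeated non-successful admin events from $(src_ip)</description>
    <group>authentication_failures,</group>
  </rule>

</group>
```

After `systemctl restart wazuh-manager`, paste the admin login line from the tail output above into /var/ossec/bin/wazuh-logtest: Phase 2 must list log_type, log_component, log_subtype and the status field under whatever name the decoder gives it, and Phase 3 should report rule 100101. If Phase 2 shows the status under a different name for Event lines than for Firewall lines, change the field name in rules 100101 and 100102 to match; if Phase 2 shows no fields at all for the Event line, the decoder itself is not handling that log_type and the fix belongs in a child decoder, not in the rules.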

Captain Allen

Jun 22, 2022, 8:26:44 AM
to Wazuh mailing list
Hello All,

I have configured Wazuh to receive logs from Sophos Firewall.
My Sophos and my wazuh are on a different network.
I added the below to my ossec.conf:


  <remote>
    <connection>syslog</connection>
    <port>514</port>
    <protocol>udp</protocol>
    <allowed-ips>172.251.x.x/24</allowed-ips>
  </remote>

I added the rule in nano /var/ossec/etc/decoders/local_decoder.xml

and parsed the below log into Wazuh using /var/ossec/bin/wazuh-logtest:

device="SFW" date=2022-06-20 time=17:19:06 timezone="+08" device_name="XG210" device_id=AAAAAAAA1234567 log_id=010101010101 log_type="Firewall" log_component="Firewall Rule" log_subtype="Denied" status="Deny" priority=Information duration=0 fw_rule_id=14 policy_type=1 user_name="" user_gp="" iap=2 ips_policy_id=0 appfilter_policy_id=0 application="" application_risk=0 application_technology="" application_category="" in_interface="Port3" out_interface="Port2" src_mac=11:22:aa:bb:22:11 src_ip=11.22.33.44 src_country_code= dst_ip=44.33.22.11 dst_country_code= protocol="TCP" src_port=52667 dst_port=10051 sent_pkts=0  recv_pkts=0 sent_bytes=0 recv_bytes=0 tran_src_ip= tran_src_port=0 tran_dst_ip= tran_dst_port=0 srczonetype="" srczone="" dstzonetype="" dstzone="" dir_disp="" connid="" vconnid="" hb_health="No Heartbeat" message="" appresolvedby="Signature"th="No Heartbeat

And I got the below feedback, but it didn't show on the dashboard:



**Phase 2: Completed decoding.
        name: 'sophos-fw'
        appfilter_policy_id: '0'
        application_risk: '0'
        appresolvedby: '"Signature"th="No'
        date: ' 2022-06-20 '
        device: 'SFW'
        device_id: 'AAAAAAAA1234567'
        device_name: 'XG210'
        dst_ip: '44.33.22.11'
        dst_port: '10051'
        duration: '0'
        fw_rule_id: '14'
        hb_health: 'No Heartbeat'
        iap: '2'
        in_interface: 'Port3'
        ips_policy_id: '0'
        log_component: 'Firewall Rule'
        log_id: '010101010101'
        log_subtype: 'Denied'
        log_type: 'Firewall'
        name: 'XG210'
        out_interface: 'Port2'
        policy_type: '1'
        priority: 'Information'
        protocol: 'TCP'
        recv_bytes: '0'
        recv_pkts: '0'
        sent_bytes: '0'
        sent_pkts: '0'
        sophos_fw_status_msg: 'Deny'
        src_ip: '11.22.33.44'
        src_mac: '11:22:aa:bb:22:11'
        src_port: '52667'
        th: 'No Heartbeat'
        time: '17:19:06'
        timezone: '+08'
        tran_dst_port: '0'
        tran_src_port: '0'

**Phase 3: Completed filtering (rules).
        id: '70021'
        level: '5'
        description: 'Traffic Denied: from 11.22.33.44 to 44.33.22.11'
        groups: '['sophos-fw']'
        firedtimes: '1'
        mail: 'False'
**Alert to be generated.


Kindly assist me to resolve this issue.
Thank you
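The Sophos XG syslog format in this thread is a flat run of key=value pairs with three awkward shapes the decoder has to survive: quoted values that contain spaces and '=' (log_component="Firewall Rule", user_gp="OU=..."), bare tokens with no '=' at all (the N/A in the admin login line, the "(0x0000)" spilled out of ether_type=Unknown (0x0000)), and a quoted value glued straight onto the next key, which in the logtest output above turned appresolvedby into '"Signature"th="No'. The parser below, added here as an example and not code from the thread or from the Wazuh ruleset PR, handles all three and then applies the same classification the thread's alerts show (level 3 allow, level 5 deny) plus the GUI/Admin case asked about earlier. The sample lines are constructed to mirror the ones posted in this thread, with addresses, user names and device identifiers replaced; the admin-event levels and the handling of any non-"Successful" status are assumptions.

```python
import re
from typing import Dict, List, Tuple

# Syslog header prepended by rsyslog / wazuh-remoted: "Dec  6 08:38:10 10.192.206.242 device=..."
SYSLOG_HEADER = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2})\s+(?P<host>\S+)\s+(?P<rest>.*)$"
)

# One key=value token of the Sophos XG (SFOS) format. Three value shapes occur in this thread:
#   key="quoted value"   may contain spaces and '=' (log_component="Firewall Rule", user_gp="OU=...")
#   key="unterminated    closing quote missing at end of line (the truncated logtest paste above)
#   key=bare             no quotes, may be empty (tran_src_ip= ), may be glued to the previous
#                        closing quote with no whitespace ("Signature"th=...)
TOKEN = re.compile(
    r'(?P<key>[A-Za-z_]\w*)='
    r'(?:"(?P<quoted>[^"]*)"'
    r'|"(?P<open>[^"]*)$'
    r'|(?P<bare>[^\s"]*))'
)


def parse_sophos_line(line: str) -> Dict[str, object]:
    """Split one Sophos XG syslog line into header, key/value fields and stray tokens.

    Tokens without '=' (the bare N/A in GUI events, the "(0x0000)" spilled from
    ether_type=Unknown (0x0000)) are collected in "stray" instead of being glued onto a
    neighbouring value, so a rule keyed on src_ip or appresolvedby still sees a clean value.
    """
    line = line.rstrip("\r\n")
    hdr = SYSLOG_HEADER.match(line)
    if hdr:
        timestamp, hostname, body = hdr.group("ts"), hdr.group("host"), hdr.group("rest")
    else:  # raw body as pasted into wazuh-logtest: no syslog header
        timestamp, hostname, body = None, None, line

    fields: Dict[str, str] = {}
    stray: List[str] = []
    pos = 0
    for m in TOKEN.finditer(body):
        gap = body[pos:m.start()].strip()
        if gap:
            stray.append(gap)
        value = next(v for v in (m.group("quoted"), m.group("open"), m.group("bare")) if v is not None)
        fields[m.group("key")] = value
        pos = m.end()
    tail = body[pos:].strip()
    if tail:
        stray.append(tail)
    return {"timestamp": timestamp, "hostname": hostname, "fields": fields, "stray": stray}


def classify(fields: Dict[str, str]) -> Tuple[int, str]:
    """Map parsed fields to (alert level, description).

    Levels 3/5 for allowed/denied traffic mirror the sophos-fw alerts shown in this thread
    (rules 70022/70021). The GUI/Admin branch is the case the thread asks about; its levels
    and the treatment of any status other than "Successful" are assumptions.
    """
    log_type = fields.get("log_type")
    component = fields.get("log_component")
    subtype = fields.get("log_subtype")
    src, dst = fields.get("src_ip", "?"), fields.get("dst_ip", "?")
    if log_type == "Firewall" and subtype == "Allowed":
        return 3, f"Traffic Allowed: from {src} to {dst}"
    if log_type == "Firewall" and subtype == "Denied":
        return 5, f"Traffic Denied: from {src} to {dst}"
    if log_type == "Event" and component == "GUI" and subtype == "Admin":
        user = fields.get("user_name", "?")
        if fields.get("status") == "Successful":
            return 3, f"Sophos admin console: {user} authenticated from {src}"
        return 8, f"Sophos admin console: {user} from {src}, status={fields.get('status')!r}"
    return 2, f"Sophos {log_type}/{component}/{subtype}: no specific rule"


# Constructed sample lines modelled on the ones posted in this thread (addresses, user and
# device identifiers replaced); they were not captured from a real firewall.
SAMPLES: Dict[str, str] = {
    "admin_login": (
        'Dec  6 08:38:10 192.0.2.10 device="SFW" date=2021-12-06 time=08:38:10 timezone="-03" '
        'device_name="XG450" device_id=C0000000000000 log_id=062009617507 log_type="Event" '
        'log_component="GUI" log_subtype="Admin" status="Successful" priority=Information '
        'user_name="fwadmin" src_ip=192.0.2.50 N/A '
        'message="User fwadmin logged in successfully to Web Admin Console through Local authentication mechanism"'
    ),
    "allowed": (
        'Dec  6 08:49:00 192.0.2.11 device="SFW" date=2021-12-06 time=08:49:00 timezone="-03" '
        'device_name="XG310" log_type="Firewall" log_component="Firewall Rule" log_subtype="Allowed" '
        'status="Allow" priority=Information fw_rule_id=3 user_name="fwuser" '
        'user_gp="OU=IT,DC=example,DC=test" ether_type=Unknown (0x0000) in_interface="LAG_LAN" '
        'src_ip=192.0.2.50 dst_ip=198.51.100.7 protocol="TCP" src_port=54973 dst_port=443 '
        'tran_src_ip= tran_src_port=0 tran_dst_ip=192.0.2.11 tran_dst_port=3128 hb_health="No Heartbeat"'
    ),
    # Raw body as fed to wazuh-logtest, ending in an unterminated quote like the paste above.
    "denied_truncated": (
        'device="SFW" date=2022-06-20 time=17:19:06 timezone="+08" device_name="XG210" '
        'device_id=AAAAAAAA1234567 log_id=010101010101 log_type="Firewall" log_component="Firewall Rule" '
        'log_subtype="Denied" status="Deny" priority=Information duration=0 fw_rule_id=14 '
        'src_ip=11.22.33.44 dst_ip=44.33.22.11 protocol="TCP" src_port=52667 dst_port=10051 '
        'hb_health="No Heartbeat" message="" appresolvedby="Signature"th="No Heartbeat'
    ),
}


if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        parsed = parse_sophos_line(raw)
        level, description = classify(parsed["fields"])
        print(f"{name}: level {level}: {description}; stray={parsed['stray']}")
```

The point of the `stray` list is diagnostic: when a Wazuh decoder written as one long regex loses a field, the cause is almost always one of these tokens shifting the match, and running the offending line through a tolerant parser like this shows which token did it before you start editing the decoder XML. Note that an alert being printed by wazuh-logtest only proves the decoder and rules; whether it reaches the dashboard depends on the manager actually receiving the line (allowed-ips, the listening port) and on the indexer ingesting alerts.json, neither of which logtest exercises.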

Syafeera Azeera Rahim

Sep 12, 2022, 2:13:11 AM
to Wazuh mailing list
Hi,


Can you share the rule you use for Wazuh?

Thanks
