Custom rule for pflog not working


Steffen

May 6, 2023, 11:05:32 AM
to Wazuh mailing list

Hello,

I created a decoder for pflog entries, filtered using tcpdump. The decoder is working, but the rule is not triggered, i.e. I see no phase 3. What am I missing here?

This is the output of the decoder:

Starting wazuh-logtest v4.4.1
Type one log per line

2023-05-06 14:08:57.100571 rule 5/0(match): block in on em0: 43.128.232.139.60774 > 192.168.1.20.443: Flags [S], seq 2749576364, win 29200, options [mss 1424,[|tcp]>

**Phase 1: Completed pre-decoding.
	full event: '2023-05-06 14:08:57.100571 rule 5/0(match): block in on em0: 43.128.232.139.60774 > 192.168.1.20.443: Flags [S], seq 2749576364, win 29200, options [mss 1424,[|tcp]>'

**Phase 2: Completed decoding.
	name: 'pflog'
	action: 'block'
	direction: 'in'
	dstip: '192.168.1.20'
	dstport: '443'
	interface: 'em0'
	match: 'match'
	protocol: '[S]'
	rule0: '5'
	rule1: '0'
	size: '2749576364'
	srcip: '43.128.232.139'
	srcport: '60774'
	timestamp: '2023-05-06 14:08:57.100571'


The rules, in their own file /var/ossec/ruleset/rules/1000-pflog.xml, look like this:

<group name="pflog">
  <rule id="110000" level="0">
    <category>firewall</category>
    <decoded_as>pflog</decoded_as>
    <description>Grouping of pflog rules.</description>
  </rule>

  <rule id="110001" level="9">
    <if_sid>110000</if_sid>
    <action>block</action>
    <description>pf blocked a malicious IP</description>
  </rule>
</group>


Thanks!

Steffen

May 6, 2023, 4:35:28 PM
to Wazuh mailing list
For the record, I found the solution: I had to remove the category "firewall" from the rule definition.
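Editor's note, with an added example that is not from the original post or from the linked repository: a rule's <category> is compared against the <type> declared by the decoder that decoded the event, and a custom decoder with no <type> is treated as syslog, so <category>firewall</category> can never match an untyped decoder. Removing the category, as done above, is one fix; the other is to declare the type on the decoder and keep the category. The decoder below is a hypothetical one written for this thread (the regex, the child decoder and the file paths are assumptions; only the field names and the rule ids come from the post), built against the single tcpdump line shown above. It also uses /var/ossec/etc/decoders and /var/ossec/etc/rules, the directories Wazuh reserves for local customizations, instead of /var/ossec/ruleset, which is replaced on upgrade.

```xml
<!-- /var/ossec/etc/decoders/local_decoder.xml (assumed location).
     Hypothetical decoder written for this thread, not the one from the post. -->

<!-- Parent decoder: a cheap prematch claims the event for the pflog family. -->
<decoder name="pflog">
  <prematch>rule \d+/\d+\(\w+\): </prematch>
</decoder>

<!-- Child decoder: extracts the fields. <type>firewall</type> is the setting that
     lets a rule with <category>firewall</category> match; without it the decoder
     counts as syslog and the category check fails silently (no phase 3). -->
<decoder name="pflog">
  <parent>pflog</parent>
  <type>firewall</type>
  <!-- OS_Regex syntax: '.' is a literal dot, '\(' '\)' are literal parentheses,
       '\p' matches one punctuation character (here the '>' between the endpoints).
       Matches: "2023-05-06 14:08:57.100571 rule 5/0(match): block in on em0:
                 43.128.232.139.60774 > 192.168.1.20.443: ..." -->
  <regex>^(\d+-\d+-\d+ \d+:\d+:\d+.\d+) rule (\d+)/(\d+)\((\w+)\): (\w+) (\w+) on (\w+): (\d+.\d+.\d+.\d+).(\d+) \p (\d+.\d+.\d+.\d+).(\d+): </regex>
  <order>timestamp, rule0, rule1, match, action, direction, interface, srcip, srcport, dstip, dstport</order>
</decoder>
```

The rules can then keep the category. Place them in /var/ossec/etc/rules/local_rules.xml (again an assumed location); the trailing comma in the group name follows the convention of the shipped ruleset:

```xml
<!-- /var/ossec/etc/rules/local_rules.xml (assumed location) -->
<group name="pflog,">
  <!-- Base rule: only events decoded by a firewall-typed decoder named pflog reach it. -->
  <rule id="110000" level="0">
    <category>firewall</category>
    <decoded_as>pflog</decoded_as>
    <description>Grouping of pflog rules.</description>
  </rule>

  <!-- <action> compares against the "action" field filled by the decoder above. -->
  <rule id="110001" level="9">
    <if_sid>110000</if_sid>
    <action>block</action>
    <description>pf blocked a connection</description>
  </rule>
</group>
```

To check, run /var/ossec/bin/wazuh-logtest and paste the same tcpdump line: phase 2 should now report the decoder with the fields above, and phase 3 should show rule id 110001 at level 9. If phase 3 is still missing, the first thing to verify is that the decoder reports the type (an untyped decoder plus a <category> in the rule reproduces exactly the symptom in the original question). Restart wazuh-manager after editing either file so the new decoder and rules are loaded.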

Steffen

May 9, 2023, 5:46:07 AM
to Wazuh mailing list
As I got some direct requests to share my solution, I created a repo. If you have any further questions, feel free to ask: https://github.com/steffenfritz/wazuh-pflog

BR,
Steffen
