wazuh rules for Fortigate


Miki Alkalay

Feb 4, 2020, 9:08:37 AM2/4/20
to Wazuh mailing list
Hi,
I'm trying to add a rule that will compare the srcip of our Fortigate syslog with a Wazuh CDB list;
the syslog is alerted on and seen in Wazuh.

I have blacklisted IPs that are part of a Wazuh CDB list (working well with the Windows firewall rules).

The rule that I'm trying to add:

<rule id="200102" level="12">
  <if_sid>81603</if_sid>
  <list field="srcip" lookup="address_match_key">etc/lists/blacklist-alienvault</list>
  <description>Fortigate IP in black list.: $(srcip)</description>
</rule>

Please advise what I'm doing wrong.

Miki

Daniel Melgarejo

Feb 5, 2020, 2:34:22 AM2/5/20
to Wazuh mailing list
Hi Miki,

I saw some recommendations in Wazuh documentation: https://documentation.wazuh.com/3.11/user-manual/ruleset/cdb-list.html

- Check the lists are on /var/ossec/etc/lists
- Since Wazuh v3.11.3, CDB lists are built and loaded automatically when the analysis engine is started. Therefore, when adding or modifying CDB lists, it is no longer needed to run ossec-makelists, just restart the manager.
  If you are not using v3.11.3, you will have to execute: /var/ossec/bin/ossec-makelists.
- Check if the list is added to ossec.conf:

<ossec_config>
    <ruleset>
        ....
        ....
        <list>etc/lists/blacklist-alienvault</list>
    </ruleset>
</ossec_config>

If not, add it to ossec.conf and then restart Wazuh.

I think the rule is well done.

I hope you find this information useful.

Regards,
              Daniel

Miki Alkalay

Feb 5, 2020, 2:56:08 AM2/5/20
to Daniel Melgarejo, Wazuh mailing list
Hi Daniel,
As I explained, the CDB list is already working with different rules related to the Windows firewall.
The rule that I mentioned is not working, and I get an error when trying to run the wazuh-manager service.
There is a syntax error that I can't figure out where it comes from.
I'm working with version 3.9.5 and not the latest one.

Please advise,
Miki


--
You received this message because you are subscribed to the Google Groups "Wazuh mailing list" group.
To unsubscribe from this group and stop receiving emails from it, send an email to wazuh+un...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/wazuh/9e4596d8-c3a4-4038-9d42-29d56448e61d%40googlegroups.com.


--

Best Regards

Miki Alkalay
Mobile: 972-54-6496293

Daniel Melgarejo

Feb 5, 2020, 5:03:20 AM2/5/20
to Wazuh mailing list
Hi Miki,

I'm sorry for the misunderstanding.

I have reproduced your case and I had no syntax error and an alert was generated:

** Alert 1580896726.54781: mail  - local,syslog,sshd,
2020 Feb 05 10:58:46 host->/var/ossec/logs/example.log
Rule: 200102 (level 12) -> 'Fortigate IP in black list.: 1.1.248.14'
Src IP: 1.1.248.14
Src Port: 0
Dst IP: 192.168.254.254
Dst Port: 0
Feb 20 12:31:11 date=2011-02-20 time=12: 31:09 devname=Name_of_Device device_id=FGXXXX1000000000 log_id=8888888888 type=traffic subtype=other pri=notice status=accept vd=root src=1.1.248.14 srcname=192.168.0.1 src_port=0 dst=192.168.254.254 dstname=192.168.254.254 dst_port=0 service=11/icmp proto=1 app_type=N/A duration=0 rule=0 policyid=0 identidx=0 sent=0 rcvd=0 shaper_drop_sent=0 shaper_drop_rcvd=0 shaper_sent_name=N/A shaper_rcvd_name=N/A perip_name=N/A vpn=N/A src_int=root dst_int=N/A SN=123412341234 app=N/A app_cat=N/A user=N/A group=N/A carrier_ep=N/A


Can you copy to me the output of these commands?

# cat /var/ossec/logs/ossec.log | grep ERROR
# cat /var/ossec/logs/ossec.log | grep CRITICAL

Maybe these outputs can give us more information. 

Also, if you want, can you send to us your rules/local_rules.xml file?

Regards,
               Daniel 

Miki Alkalay

Feb 5, 2020, 5:19:11 AM2/5/20
to Daniel Melgarejo, Wazuh mailing list
Hi,
The rule that you added was like this:
<rule id="200102" level="12">
  <if_sid>81603</if_sid>
  <list field="srcip" lookup="address_match_key">etc/lists/blacklist-alienvault</list>
  <description>Fortigate IP in black list.: $(srcip)</description>
</rule>
There is no error now when I restart the wazuh-manager,
but I'm still not getting the rule alert when I run the logtest:
[root@wazuh ~]# /var/ossec/bin/ossec-logtest
2020/02/05 12:18:06 ossec-testrule: INFO: Started (pid: 20053).
ossec-testrule: Type one log per line.


Feb 20 12:31:11 date=2011-02-20 time=12: 31:09 devname=Name_of_Device device_id=FGXXXX1000000000 log_id=8888888888 type=traffic subtype=other pri=notice status=accept vd=root src=1.1.248.14 srcname=192.168.0.1 src_port=0 dst=192.168.254.254 dstname=192.168.254.254 dst_port=0 service=11/icmp proto=1 app_type=N/A duration=0 rule=0 policyid=0 identidx=0 sent=0 rcvd=0 shaper_drop_sent=0 shaper_drop_rcvd=0 shaper_sent_name=N/A shaper_rcvd_name=N/A perip_name=N/A vpn=N/A src_int=root dst_int=N/A SN=123412341234 app=N/A app_cat=N/A user=N/A group=N/A carrier_ep=N/A


**Phase 1: Completed pre-decoding.
       full event: 'Feb 20 12:31:11 date=2011-02-20 time=12: 31:09 devname=Name_of_Device device_id=FGXXXX1000000000 log_id=8888888888 type=traffic subtype=other pri=notice status=accept vd=root src=1.1.248.14 srcname=192.168.0.1 src_port=0 dst=192.168.254.254 dstname=192.168.254.254 dst_port=0 service=11/icmp proto=1 app_type=N/A duration=0 rule=0 policyid=0 identidx=0 sent=0 rcvd=0 shaper_drop_sent=0 shaper_drop_rcvd=0 shaper_sent_name=N/A shaper_rcvd_name=N/A perip_name=N/A vpn=N/A src_int=root dst_int=N/A SN=123412341234 app=N/A app_cat=N/A user=N/A group=N/A carrier_ep=N/A'
       timestamp: 'Feb 20 12:31:11'
       hostname: 'wazuh'
       program_name: '(null)'
       log: 'date=2011-02-20 time=12: 31:09 devname=Name_of_Device device_id=FGXXXX1000000000 log_id=8888888888 type=traffic subtype=other pri=notice status=accept vd=root src=1.1.248.14 srcname=192.168.0.1 src_port=0 dst=192.168.254.254 dstname=192.168.254.254 dst_port=0 service=11/icmp proto=1 app_type=N/A duration=0 rule=0 policyid=0 identidx=0 sent=0 rcvd=0 shaper_drop_sent=0 shaper_drop_rcvd=0 shaper_sent_name=N/A shaper_rcvd_name=N/A perip_name=N/A vpn=N/A src_int=root dst_int=N/A SN=123412341234 app=N/A app_cat=N/A user=N/A group=N/A carrier_ep=N/A'

**Phase 2: Completed decoding.
       decoder: 'fortigate-firewall-v4'
       action: 'accept'
       srcip: '1.1.248.14'
       srcport: '0'
       dstip: '192.168.254.254'
       dstport: '0'
       protocol: 'icmp'

**Phase 3: Completed filtering (rules).
       Rule id: '81603'
       Level: '0'
       Description: 'Fortigate messages grouped.'

Attached is my local_rules file.

local_rules.xml

Daniel Melgarejo

Feb 5, 2020, 5:55:08 AM2/5/20
to Wazuh mailing list
Hi Mike,

I think I know what is the problem. I think the srcip value is not in your blacklist-alienvault file but in my blacklist-alienvault file.

Please open the blacklist-alienvault file:
# cat /var/ossec/etc/lists/blacklist-alienvault

Choose one IP address and copy it to the log:

Feb 20 12:31:11 date=2011-02-20 time=12: 31:09 devname=Name_of_Device device_id=FGXXXX1000000000 log_id=8888888888 type=traffic subtype=other pri=notice status=accept vd=root src=your.chosen.ip.adress srcname=192.168.0.1 src_port=0 dst=192.168.254.254 dstname=192.168.254.254 dst_port=0 service=11/icmp proto=1 app_type=N/A duration=0 rule=0 policyid=0 identidx=0 sent=0 rcvd=0 shaper_drop_sent=0 shaper_drop_rcvd=0 shaper_sent_name=N/A shaper_rcvd_name=N/A perip_name=N/A vpn=N/A src_int=root dst_int=N/A SN=123412341234 app=N/A app_cat=N/A user=N/A group=N/A carrier_ep=N/A

Copy the log and paste it in /var/ossec/bin/ossec-logtest

I got the same ossec-logtest output as you when I used an IP address that is not in blacklist-alienvault.

Regards,
               Daniel

realnet.expert

Feb 5, 2020, 6:14:23 AM2/5/20
to Daniel Melgarejo, Wazuh mailing list
Hi.
I managed to solve the problem.
As you said, I had some problem with the IP list.
The only thing now is that I need to alert only on accept logs and not denied ones.
How can I do that?
Miki




Daniel Melgarejo

Feb 5, 2020, 7:20:21 AM2/5/20
to Wazuh mailing list
Hi Miki,

Sorry, do you mean how to generate alerts when srcip is not in the blacklist-alienvault?

You can use a rule similar to this:
 
<rule id="200103" level="7">
  <if_sid>81603</if_sid>
  <list field="srcip" lookup="not_address_match_key">etc/lists/blacklist-alienvault</list>
  <description>Fortigate IP is not in black list.: $(srcip)</description>
</rule>

I do not know if that was your question.

Regards,
                Daniel.

Miki Alkalay

Feb 5, 2020, 7:24:36 AM2/5/20
to Daniel Melgarejo, Wazuh mailing list
Hi,
I already solved the problem.
The rule should be like this:
<rule id="200102" level="12">
  <if_sid>81603</if_sid>
  <action>accept</action>
  <list field="srcip" lookup="address_match_key">etc/lists/blacklist-alienvault</list>
  <description>Fortigate IP in black list.: $(srcip)</description>
</rule>

This means the alert will be generated only on accept.
Please confirm whether this is the right rule.

Miki





Daniel Melgarejo

Feb 5, 2020, 8:16:21 AM2/5/20
to Wazuh mailing list
Hi Mike,

Yes, it is right. The decoder obtains the action value from the log. The 'action' tag in the rule is like a filter. If the action value from the rule matches the action value from the log, an alert will be generated (if the rest of the rule conditions are true).

Good job!

Please do not hesitate to contact us to share more questions.

Regards,
              Daniel
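The following is an added example, not part of the thread and not Wazuh's own code: a small Python model of the three steps the ossec-logtest output above walks through for rule 200102, so the two outcomes in the thread can be reproduced offline. It imitates the fortigate-firewall-v4 decoder's key=value extraction (field names taken from the Phase 2 output above), a CDB list loaded from the key:value text form, the address_match_key / not_address_match_key lookup, and the <action> filter Miki added. Assumptions, marked in the code: the decoder mapping is a simplification of the real decoder; address_match_key is modelled as an exact IP key or a trailing-dot prefix key (the documented CDB subnet syntax); the blacklist contents and the trimmed log lines are constructed test data, not AlienVault's list.

```python
"""Model of how the Fortigate rule in this thread is evaluated.

Added example, not Wazuh source code. It imitates the steps shown by
ossec-logtest in the thread: decoding the key=value Fortigate line, the
CDB lookup with lookup="address_match_key", and the <action> filter
that was added to rule 200102.
"""
import re

# Constructed sample: a trimmed copy of the thread's Fortigate test line
# (status=accept, src=1.1.248.14) plus the same line flipped to status=deny.
ACCEPT_LOG = (
    "Feb 20 12:31:11 date=2011-02-20 time=12: 31:09 devname=Name_of_Device "
    "type=traffic subtype=other pri=notice status=accept vd=root "
    "src=1.1.248.14 srcname=192.168.0.1 src_port=0 dst=192.168.254.254 "
    "dstname=192.168.254.254 dst_port=0 service=11/icmp proto=1"
)
DENY_LOG = ACCEPT_LOG.replace("status=accept", "status=deny")

# Constructed CDB source list in the "key:value" text form kept under
# /var/ossec/etc/lists. Assumption (documented CDB syntax): an IP key
# matches that address and a key ending in a dot matches the whole prefix.
BLACKLIST_TEXT = """# constructed test list, not AlienVault data
1.1.248.14:alienvault
203.0.113.:alienvault
"""
EMPTY_LIST_TEXT = ""  # a list that does not contain the source IP

KV = re.compile(r"(\w+)=(\S*)")


def decode_fortigate(line):
    """Simplified stand-in for the 'fortigate-firewall-v4' decoder: maps raw
    key=value pairs to the field names the thread's Phase 2 output shows."""
    fields = dict(KV.findall(line))
    service = fields.get("service", "")
    return {
        "action": fields.get("status"),
        "srcip": fields.get("src"),
        "srcport": fields.get("src_port"),
        "dstip": fields.get("dst"),
        "dstport": fields.get("dst_port"),
        "protocol": service.split("/")[-1] if service else None,
    }


def load_cdb_list(text):
    """Parse a key:value list file into a dict; blank and '#' lines skipped."""
    entries = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(":")
        entries[key.strip()] = value.strip()
    return entries


def address_match_key(cdb, ip):
    """Assumed model of lookup="address_match_key": exact IP key, or any
    shorter dotted prefix key that ends in '.' (e.g. '203.0.113.')."""
    if not ip:
        return False
    if ip in cdb:
        return True
    octets = ip.split(".")
    return any(".".join(octets[:n]) + "." in cdb
               for n in range(len(octets) - 1, 0, -1))


def evaluate_rule(event, cdb, require_action=None, negate=False,
                  description="Fortigate IP in black list.: $(srcip)"):
    """Mirror of rules 200102/200103 after parent 81603 matched (any decoded
    Fortigate event): optional <action> filter, then the list lookup.
    Returns the expanded description on a hit, else None (logtest then
    stops at 81603 'Fortigate messages grouped.', level 0)."""
    if require_action is not None and event["action"] != require_action:
        return None
    hit = address_match_key(cdb, event["srcip"])
    if negate:  # lookup="not_address_match_key"
        hit = not hit
    if not hit:
        return None
    return description.replace("$(srcip)", str(event["srcip"]))


if __name__ == "__main__":
    blacklist = load_cdb_list(BLACKLIST_TEXT)
    print(evaluate_rule(decode_fortigate(ACCEPT_LOG), blacklist, require_action="accept"))
    print(evaluate_rule(decode_fortigate(DENY_LOG), blacklist, require_action="accept"))
```

Running it with the constructed blacklist reproduces both situations from the thread: the accept line yields the rule 200102 description, the deny line yields nothing once the action filter is in place, and an empty list yields nothing for either line, which is the "stuck at 81603" logtest output seen earlier.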