Hey wazuh community,
I am trying my luck with a Decoder for Sophos XGS3100 devices.
I added this to my local_decoder.xml which works fine:
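<!-- Parent decoder: matches any line from the XGS3100. The prematch is a substring
     test, so lines that carry a syslog prefix before device_name= (see the second
     and third sample logs) still reach the child decoder. -->
<decoder name="xg3100">
<prematch>XGS3100</prematch>
</decoder>
<!-- Child decoder: extracts only the fixed header that every Sophos line shares.
     In the sample logs log_id is quoted in some lines ("010302602002") and unquoted
     in others (050901616001); the original regex required the quotes and therefore
     silently extracted nothing from the unquoted form. The quotes are made optional
     with "? on both sides. log_version is unquoted in every sample, so it stays
     unquoted here. The fields after severity differ per log_type and are not
     captured by this regex; a separate regex per optional field is the usual way to
     handle them (confirm the sibling/child decoder semantics against the Wazuh
     decoder documentation before relying on it). -->
<decoder name="xgs3100child">
<parent>xg3100</parent>
<regex type="pcre2">device_name="(\w+)" timestamp="([^"]+)" device_model="([^"]+)" device_serial_id="([^"]+)" log_id="?([0-9]{12})"? log_type="([^"]+)" log_component="([^"]+)" log_subtype="([^"]+)" log_version=(\d) severity="([^"]+)"</regex>
<order>device_name,log_timestamp,device_model,device_serial_id,log_id,log_type,log_component,log_subtype,log_version,severity</order>
</decoder>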
Now I run into the problem that the Sophos logs vary after the severity field. Also, some fields are N/A, so I need special regexes.
How do I build my decoder to include optional fields like ips_policy_id, nat_rule_id, fw_rule_type and all the other ones from the following examples? Also, how do I set my <order> tags?
device_name="SFW" timestamp="2023-08-29T13:51:06-0400" device_model="XGS3100" device_serial_id="X31000xxxxxxx0x" log_id=050901616001 log_type="Content Filtering" log_component="HTTP" log_subtype="Allowed" log_version=1 severity="Information" fw_rule_id="6" fw_rule_name="Any" fw_rule_section="Local rule" web_policy_id=5 http_category="Information Technology" http_category_type="Acceptable" url="
http://longassURL" content_type="application/octet-stream" src_ip="00.0.000.00" dst_ip="000.000.000.0" protocol="TCP" src_port=50639 dst_port=80 bytes_sent=421 bytes_received=997 domain="shortassURL" exceptions="av,https,validation,policy,zero-day protection" http_user_agent="Microsoft-Delivery-Optimization/10.0" http_status="206" download_file_name="anything.Appx" download_file_type="application/octet-stream" con_id=449594304 app_is_cloud="FALSE" used_quota="0" src_zone_type="LAN" src_zone="LAN" dst_zone_type="WAN" dst_zone="WAN" src_country="R1" dst_country="USA"
2026-02-02T10:54:05.238409+01:00 _gateway device_name="SFW" timestamp="2026-02-02T10:53:58+0100" device_model="XGS3100" device_serial_id="X31000xxxxxxx0x" log_id="010302602002" log_type="Firewall" log_component="Appliance Access" log_subtype="Denied" log_version=1 severity="Information" fw_rule_id="N/A" nat_rule_id="0" fw_rule_type="NETWORK" gw_id_reply=2 gw_name_reply="I-NET XDSL TCOM" ether_type="IPv4 (0x0800)" in_interface="PortLAG.102" src_mac="33:22:8d:52:f8:a1" src_ip="22.132.54.72" src_country="USA" dst_ip="25.118.25.245" dst_country="USA" protocol="TCP" src_port=32946 dst_port=3233 hb_status="No Heartbeat" app_resolved_by="Signature" app_is_cloud="FALSE" qualifier="New" in_display_interface="I-NET XDSL TCOM" log_occurrence="1"
2026-02-02T00:01:37.642437+01:00 _gateway device_name="SFW" timestamp="2026-02-02T00:01:30+0100" device_model="XGS3100" device_serial_id="X31000xxxxxxx0x" log_id="020804407002" log_type="IDP" log_component="Signatures" log_subtype="Drop" log_version=1 severity="Warning" ips_policy_id=1 fw_rule_id="32" fw_rule_name="DNAT TestRule TestDevice 3000" fw_rule_section="Local rule" signature_id=2307918 message="SERVER-OTHER Delta Electronics InfraSuit Device Master Device-DataCollect CVE-2022-38142 Insecure Deserialization" classification="Misc Attack" rule_priority="Major" src_ip="87.152.58.74" src_country="USA" dst_ip="192.168.178.9" dst_country="R1" protocol="TCP" src_port=31828 dst_port=3050 os_name="Windows" category="server-other" victim="Server"
cheers
chic