decoders for fortigate


Miki Alkalay

Jan 29, 2020, 10:16:52 AM
to Wazuh mailing list
Hi,
I have just started receiving logs from a Fortigate firewall.
I have added rules and decoders as in the attached files.

The issue is that the decoder doesn't parse the log:
2020 Jan 29 15:22:27 ExportISR_400148094->192.116.219.149 Jan 29 15:22:27 ExportISR_400148094 CEF:0|Fortinet|Fortigate|v6.0.6|00020|traffic:forward accept|3|deviceExternalId=FG100E4Q17023606 FTNTFGTlogid=0000000020 cat=traffic:forward FTNTFGTsubtype=forward FTNTFGTlevel=notice FTNTFGTvd=root FTNTFGTeventtime=1580304147 src=100.0.10.103 shost=galj-win10.export.gov.il spt=61296 deviceInboundInterface=port1 FTNTFGTsrcintfrole=lan dst=35.170.0.145 dpt=443 deviceOutboundInterface=wan1 FTNTFGTdstintfrole=wan FTNTFGTpoluuid=28f1d19a-41e2-51ea-5c32-d68bf123b6c8 externalId=504681517 proto=6 act=accept FTNTFGTpolicyid=87 FTNTFGTpolicytype=policy app=HTTPS FTNTFGTdstcountry=United States FTNTFGTsrccountry=United States FTNTFGTtrandisp=snat sourceTranslatedAddress=192.116.219.149 sourceTranslatedPort=61296 FTNTFGTduration=4241 out=48972 in=40863 FTNTFGTsentpkt=295 FTNTFGTrcvdpkt=293 FTNTFGTappcat=unscanned FTNTFGTsentdelta=0 FTNTFGTrcvddelta=0 FTNTFGTdevtype=Windows PC FTNTFGTdevcategory=Windows Device FTNTFGTosname=Windows 10 / 2016 FTNTFGTmastersrcmac=54:e1:ad:68:c8:9f FTNTFGTsrcmac=54:e1:ad:68:c8:9f FTNTFGTsrcserver=0

Please advise.

Miki
local_fortigate_rules.xml
local_fortigate_decoders.xml

Miguel Keane

Jan 29, 2020, 11:52:21 AM
to Wazuh mailing list
Hello Miki, 

Where did you obtain these logs from? 

Not long ago I developed some rules and decoders to support Fortigate 5.6, 6.0 and 6.2, but the log you sent looks really different. What version is it?
Here you can find the rules and decoder I was telling you about: https://github.com/wazuh/wazuh-ruleset/pull/516/files

Hopefully, the main code will be updated soon. 

Best regards, 
Miguel Keane

Miki Alkalay

Jan 30, 2020, 2:38:53 AM
to Miguel Keane, Wazuh mailing list
Hi,
I got them from the archive logs.


--

Best Regards

Miki Alkalay
Mobile: 972-54-6496293

Miki Alkalay

Jan 30, 2020, 9:03:30 AM
to Wazuh mailing list
Hi,
There is another log format from the Fortigate:
Jan 30 15:58:42 ExportISR_400148094 CEF:0|Fortinet|Fortigate|v6.0.6|00013|traffic:forward deny|3|deviceExternalId=FG100E4Q17023606 FTNTFGTlogid=0000000013 cat=traffic:forward FTNTFGTsubtype=forward FTNTFGTlevel=notice FTNTFGTvd=root FTNTFGTeventtime=1580392722 src=80.82.64.73 spt=46154 deviceInboundInterface=wan1 FTNTFGTsrcintfrole=wan dst=192.116.219.252 dpt=39933 deviceOutboundInterface=wan1 FTNTFGTdstintfrole=wan externalId=507784014 proto=6 act=deny FTNTFGTpolicyid=0 FTNTFGTpolicytype=policy app=tcp/39933 FTNTFGTdstcountry=Israel FTNTFGTsrccountry=Netherlands FTNTFGTtrandisp=noop FTNTFGTduration=0 out=0 in=0 FTNTFGTsentpkt=0 FTNTFGTappcat=unscanned FTNTFGTcrscore=30 FTNTFGTcraction=131072 FTNTFGTcrlevel=high

Please advise.

Miki


Miguel Keane

Jan 31, 2020, 3:36:11 PM
to Wazuh mailing list
Hello Miki, 

I have looked into your issue. Fortigate has the option to write logs in CEF format: https://docs.fortinet.com/document/fortigate/6.0.4/fortios-log-message-reference/604144/cef-support

As of now, our decoders only support the default logging format. If you want our decoders to work, I would recommend changing the logging configuration back to the other log type and using the new rules and decoders we have for it here: https://github.com/wazuh/wazuh-ruleset/pull/516/files

Please let us know if we can further help you with this issue. 

Best regards, 
Miguel Keane
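The two formats side by side, as an added example (my own Python, not Wazuh's ruleset and not code from anyone in this thread): a small parser for the CEF line Miki posted and for the default key=value syslog format Miguel recommends switching back to. The CEF-to-native key mapping is assembled by hand from the two sample lines and is an assumption, not a Fortinet-published table. What it shows is why one decoder cannot serve both: the formats share almost no raw field names, so a regex written against `srcip=` or `logid=` never fires on `src=` or `FTNTFGTlogid=`.

```python
import re

# Sample input. The CEF line is the one Miki posted in this thread (Jan 30); the
# key=value line is a shortened copy of a FortiOS 6.4.5 traffic log Filip posts
# later in the thread. Device identifiers were already masked by the posters.
CEF_LINE = (
    "Jan 30 15:58:42 ExportISR_400148094 CEF:0|Fortinet|Fortigate|v6.0.6|00013|"
    "traffic:forward deny|3|deviceExternalId=FG100E4Q17023606 FTNTFGTlogid=0000000013 "
    "cat=traffic:forward FTNTFGTsubtype=forward FTNTFGTlevel=notice FTNTFGTvd=root "
    "FTNTFGTeventtime=1580392722 src=80.82.64.73 spt=46154 deviceInboundInterface=wan1 "
    "FTNTFGTsrcintfrole=wan dst=192.116.219.252 dpt=39933 deviceOutboundInterface=wan1 "
    "FTNTFGTdstintfrole=wan externalId=507784014 proto=6 act=deny FTNTFGTpolicyid=0 "
    "FTNTFGTpolicytype=policy app=tcp/39933 FTNTFGTdstcountry=Israel "
    "FTNTFGTsrccountry=Netherlands FTNTFGTtrandisp=noop FTNTFGTduration=0 out=0 in=0 "
    "FTNTFGTsentpkt=0 FTNTFGTappcat=unscanned FTNTFGTcrscore=30 FTNTFGTcraction=131072 "
    "FTNTFGTcrlevel=high"
)
KV_LINE = (
    'Apr 22 12:16:18 192.168.54.254 date=2021-04-22 time=12:16:18 devname="bdr01-clientX" '
    'devid="FGT60XXXXXXXXXXX" logid="0000000013" type="traffic" subtype="forward" '
    'level="notice" vd="root" srcip=192.168.54.27 srcport=49800 srcintf="internal" '
    'dstip=52.139.168.125 dstport=443 dstintf="wan1" dstcountry="Hong Kong" proto=6 '
    'action="client-rst" policyid=27 service="Microsoft-Microsoft.Update" '
    'sentbyte=2892 rcvdbyte=4700 appcat="unscanned"'
)

CEF_HEADER = ("cef_version", "vendor", "product", "version", "signature_id", "name", "severity")

# CEF extension: "key=value" pairs separated by spaces. A value may itself contain
# spaces ("Windows PC", "United States"), so it runs until the next "key=" token.
CEF_EXT_RE = re.compile(r"(\w+)=(.*?)(?=\s+\w+=|$)")
# Native format: a value is a double-quoted string or a run of non-space characters.
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_cef(line):
    """Split a CEF line into its seven header fields and its extension dictionary."""
    start = line.find("CEF:")
    if start < 0:
        raise ValueError("not a CEF line")
    body = line[start + len("CEF:"):]
    parts = re.split(r"(?<!\\)\|", body, maxsplit=7)  # "\|" is an escaped literal pipe
    if len(parts) != 8:
        raise ValueError("malformed CEF header")
    header = {k: v.replace("\\|", "|") for k, v in zip(CEF_HEADER, parts[:7])}
    ext = {k: v.replace("\\=", "=") for k, v in CEF_EXT_RE.findall(parts[7])}
    return {"header": header, "ext": ext}


def parse_native(line):
    """Parse a FortiGate key=value syslog line (the default FortiOS log format)."""
    fields = {}
    for key, value in KV_RE.findall(line):
        if len(value) >= 2 and value[0] == '"' and value[-1] == '"':
            value = value[1:-1].replace('\\"', '"')
        fields[key] = value
    if not fields:
        raise ValueError("no key=value pairs found")
    return fields


# Assumed mapping from CEF extension keys to the native names for the same fact,
# assembled by hand from the two lines above. It is not a Fortinet-published table.
CEF_TO_NATIVE = {
    "deviceExternalId": "devid", "FTNTFGTlogid": "logid", "FTNTFGTsubtype": "subtype",
    "FTNTFGTlevel": "level", "FTNTFGTvd": "vd", "src": "srcip", "spt": "srcport",
    "dst": "dstip", "dpt": "dstport", "deviceInboundInterface": "srcintf",
    "deviceOutboundInterface": "dstintf", "act": "action", "FTNTFGTpolicyid": "policyid",
    "FTNTFGTdstcountry": "dstcountry", "FTNTFGTappcat": "appcat",
}


def normalize(line):
    """Return (format, fields) with CEF keys renamed to their native-format names."""
    if "CEF:" in line:
        parsed = parse_cef(line)
        fields = {CEF_TO_NATIVE.get(k, k): v for k, v in parsed["ext"].items()}
        # native type/subtype arrive in CEF as a single "cat" value like "traffic:forward"
        cat = parsed["ext"].get("cat", "")
        if ":" in cat:
            fields["type"] = cat.split(":", 1)[0]
        return "cef", fields
    return "native", parse_native(line)


def raw_keys(line):
    """Field names exactly as they appear on the wire, which is what a decoder regex sees."""
    return set(parse_cef(line)["ext"]) if "CEF:" in line else set(parse_native(line))


def shared_keys(a, b, normalized=False):
    """Field names present in both lines, before or after renaming the CEF keys."""
    if normalized:
        return sorted(set(normalize(a)[1]) & set(normalize(b)[1]))
    return sorted(raw_keys(a) & raw_keys(b))


if __name__ == "__main__":
    print("shared raw keys:       ", shared_keys(CEF_LINE, KV_LINE))
    print("shared after renaming: ", shared_keys(CEF_LINE, KV_LINE, normalized=True))
```

On these two lines the only raw key they have in common is `proto`; after renaming, the address, port, interface, action and logid fields line up. The CEF side also needs the header handled separately (signature ID `00013` and name `traffic:forward deny` are positional, not key=value), which is the other reason a key=value decoder cannot be pointed at CEF output unchanged.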

Miki Alkalay

Feb 3, 2020, 5:12:35 AM
to Miguel Keane, Wazuh mailing list
Hi,
What does the other log format mean: syslog?
Please advise.

Miki


Miguel Keane

Feb 3, 2020, 8:23:20 AM
to Wazuh mailing list
Hello Miki, 

Yes, our decoders work correctly with syslog. Here you can find more information about setting it up: https://help.fortinet.com/fadc/4-5-1/olh/Content/FortiADC/handbook/log_remote.htm

Hopefully, by changing the formatting and using the new decoders I sent you, you will be able to decode all the information from Fortigate. But please let us know if you have any questions.

Best regards,
Miguel Keane

filip faredge

Mar 18, 2021, 10:28:51 PM
to Wazuh mailing list
Hi Miguel,
I am just starting my adventure with Wazuh, so please excuse me if I am missing something obvious :-)

I found this post regarding fortigate rules and decoder.
We have quite a few fortigates with different software versions 6.0, 6.2 & 6.4.
Do you know if the rules will work with Fortigate 6.4 ? 

I see the rules were updated in Nov 2019. I am currently using Wazuh 4.1.0 and I hope they can still work with this Wazuh version.
If I understand correctly, I need to append the content of your files to 0100-fortigate_decoders.xml & 0390-fortigate_rules.xml found in /var/ossec/ruleset?

Regards
Filip

Miguel Keane

Mar 24, 2021, 4:02:37 PM
to Wazuh mailing list
Hello Filip, 

These rules are indeed a bit old now, but they should work on your v4.1.0 environment if you configure them correctly.

The decoder should work without any issues for up to 6.2, but I am not sure about what changes there are on 6.4. 

Can you send me some logs for testing? You may also test them yourself using wazuh-logtest. If you add the rules and decoders, you can execute the binary /var/ossec/bin/wazuh-logtest and paste your logs there. Without restarting, the changes will not be applied, but you will be able to see what the logs will look like when they go through Wazuh's ruleset.

Feel free to send me a log file, deleting any information you wouldn't want to share first, and I will gladly run a few tests on 6.4, and possibly send it to the development team to improve our ruleset and finally merge those Fortigate rules into production.

Best regards, 
Miguel Keane

filip faredge

Mar 28, 2021, 7:28:02 PM
to Wazuh mailing list
Hi Miguel,
Last week I've spent some time with Wazuh and so far the rules work correctly with v6.2 
If I have the time this week I will try to do some tests with 6.4 and I will provide some logs then.

Not sure why, but wazuh-logtest gives me:
** Wazuh-logtest error when connecting with ossec-analysisd

But /var/ossec/bin/ossec-logtest seems to be working 


Since the logs generate on average 300,000 entries per day for just one router, I decided it would be good to ignore some notifications.
I have had some success with rules similar to this:

<rule id="81618" level="0">
    <if_sid>81603</if_sid>
    <match>srcip=192.168.1.1|srcip="192.168.1.1"</match>
    <description>Fortigate: Ignore host 192.168.1.1</description>
</rule>

<rule id="81655" level="0">
    <if_sid>81603</if_sid>
    <match>app=Microsoft.Portal|app="Microsoft.Portal"</match>
    <description>Fortigate: Filtering out MS</description>
</rule>

Would you say this is the right approach?  I tried using the "noalert" in the syntax but without success.

Best regards, 
Filip

Miguel Keane

Mar 29, 2021, 12:31:14 PM
to Wazuh mailing list
Hi Filip, 

Yes, creating a child rule and setting its alert level to zero is the best approach for silencing certain alerts. In case you have multiple IPs you want to whitelist, I would also recommend taking a look at CDB lists. Take a look at our documentation on the topic here: https://documentation.wazuh.com/current/user-manual/ruleset/cdb-list.html

Let me know if you have any questions!

Regards, 
Miguel Keane

filip faredge

Apr 22, 2021, 1:49:53 AM
to Wazuh mailing list
Log examples from 6.4.5

So far they are working with the rules I have from 6.2.
7.0 has been released, so more testing further down the line...



Apr 22 13:00:18 192.168.54.254 date=2021-04-22 time=13:00:18 devname="bdr01-clientX" devid="FGT60XXXXXXXXXXX" eventtime=1619060418438470290 tz="+1000" logid="0100032003" type="event" subtype="system" level="information" vd="root" logdesc="Admin logout successful" sn="1111111111" user="admin" ui="https(20.20.20.20)" method="https" srcip=20.20.20.20 dstip=30.20.20.20 action="logout" status="success" duration=384 reason="timeout" msg="Administrator admin timed out on https(20.20.20.20)"

Apr 22 12:53:54 192.168.54.254 date=2021-04-22 time=12:53:54 devname="bdr01-clientX" devid="FGT60XXXXXXXXXXX" eventtime=1111111111850272350 tz="+1000" logid="0100032001" type="event" subtype="system" level="information" vd="root" logdesc="Admin login successful" sn="1111111111" user="admin" ui="https(20.20.20.20)" method="https" srcip=20.20.20.20 dstip=30.20.20.20 action="login" status="success" reason="none" profile="super_admin" msg="Administrator admin logged in successfully from https(20.20.20.20)"

Apr 22 12:16:18 192.168.54.254 date=2021-04-22 time=12:16:18 devname="bdr01-clientX" devid="FGT60XXXXXXXXXXX" eventtime=1619057778902415150 tz="+1000" logid="0000000013" type="traffic" subtype="forward" level="notice" vd="root" srcip=192.168.54.27 srcport=49800 srcintf="internal" srcintfrole="lan" dstip=52.139.168.125 dstport=443 dstintf="wan1" dstintfrole="wan" srccountry="Reserved" dstinetsvc="Microsoft-Microsoft.Update" dstcountry="Hong Kong" dstcity="Hong Kong" sessionid=1943420 proto=6 action="client-rst" policyid=27 policytype="policy" poluuid="11cf95de-857e-51eb-0c2b-b35f9b43a6e5" policyname="PublicCloudServices" service="Microsoft-Microsoft.Update" trandisp="snat" transip=30.20.20.20 transport=49800 duration=6 sentbyte=2892 rcvdbyte=4700 sentpkt=14 appcat="unscanned"

Apr 22 12:08:41 192.168.54.254 date=2021-04-22 time=12:08:41 devname="bdr01-clientX" devid="FGT60XXXXXXXXXXX" eventtime=1619057321524382370 tz="+1000" logid="0100032102" type="event" subtype="system" level="alert" vd="root" logdesc="Configuration changed" user="admin" ui="https(192.168.30.90)" msg="Configuration is changed in the admin session"

Apr 22 11:14:42 192.168.54.254 date=2021-04-22 time=11:14:41 devname="bdr01-clientX" devid="FGT60XXXXXXXXXXX" eventtime=1619054082642481969 tz="+1000" logid="0100044547" type="event" subtype="system" level="information" vd="root" logdesc="Object attribute configured" user="admin" ui="GUI(192.168.30.90)" action="Edit" cfgtid=8519923 cfgpath="system.dhcp.server" cfgobj="1" cfgattr="dns-service[specify->local]ip-range:1[<Delete>start-ip[192.168.54.25]end-ip[192.168.54.100]]" msg="Edit system.dhcp.server 1"

Apr 22 10:49:02 192.168.54.254 date=2021-04-22 time=10:49:00 devname="bdr01-clientX" devid="FGT60XXXXXXXXXXX" eventtime=1619052542022542450 tz="+1000" logid="0100044547" type="event" subtype="system" level="information" vd="root" logdesc="Object attribute configured" user="admin" ui="GUI(192.168.30.78)" action="Edit" cfgtid=8519921 cfgpath="system.admin" cfgobj="admin" cfgattr="gui-dashboard:5[widget:10[type[tr-history]x-pos[9]width[2]height[1]interface[wan1]fortigate[FGT60XXXXXXXXXXX]]]" msg="Edit system.admin admin"

Apr 21 13:28:02 192.168.54.254 date=2021-04-21 time=13:28:01 devname="bdr01-clientX" devid="FGT60XXXXXXXXXXX" eventtime=1618975682402112830 tz="+1000" logid="0101037131" type="event" subtype="vpn" level="error" vd="root" logdesc="IPsec ESP" msg="IPsec ESP" action="error" remip=40.20.20.20 locip=30.20.20.20 remport=57613 locport=500 outintf="ppp1" cookies="N/A" user="N/A" group="N/A" useralt="N/A" xauthuser="N/A" xauthgroup="N/A" assignip=N/A vpntunnel="N/A" status="esp_error" error_num="Received ESP packet with unknown SPI." spi="47455420" seq="2f204854"


Apr 21 14:08:58 192.168.54.254 date=2021-04-21 time=14:08:58 devname="bdr01-clientX" devid="FGT60XXXXXXXXXXX" eventtime=1618978138788014070 tz="+1000" logid="0100032003" type="event" subtype="system" level="information" vd="root" logdesc="Admin logout successful" sn="1618977189" user="admin" ui="https(192.168.30.78)" method="https" srcip=192.168.30.78 dstip=192.168.54.254 action="logout" status="success" duration=949 state="Config-Changed" reason="timeout" msg="Administrator admin timed out on https(192.168.30.78)"

Apr 22 13:40:50 192.168.54.254 date=2021-04-22 time=13:40:48 devname="bdr01-clientX" devid="FGT60XXXXXXXXXXX" eventtime=1619062850333386230 tz="+1000" logid="0101037128" type="event" subtype="vpn" level="error" vd="root" logdesc="Progress IPsec phase 1" msg="progress IPsec phase 1" action="negotiate" remip=216.218.206.94 locip=30.20.20.20 remport=41141 locport=500 outintf="ppp1" cookies="3e35c70729dfedef/0000000000000000" user="N/A" group="N/A" useralt="N/A" xauthuser="N/A" xauthgroup="N/A" assignip=N/A vpntunnel="N/A" status="failure" init="remote" mode="main" dir="inbound" stage=1 role="responder" result="ERROR"

Apr 22 13:38:50 192.168.54.254 date=2021-04-22 time=13:38:49 devname="bdr01-clientX" devid="FGT60XXXXXXXXXXX" eventtime=1619062730369234850 tz="+1000" logid="0101037124" type="event" subtype="vpn" level="error" vd="root" logdesc="IPsec phase 1 error" msg="IPsec phase 1 error" action="negotiate" remip=220.238.191.194 locip=30.20.20.20 remport=500 locport=500 outintf="ppp1" cookies="2d04f6e04f284c7c/0000000000000000" user="N/A" group="N/A" useralt="N/A" xauthuser="N/A" xauthgroup="N/A" assignip=N/A vpntunnel="N/A" status="negotiate_error" reason="peer SA proposal not match local policy" peer_notif="NOT-APPLICABLE"


Apr 20 15:43:15 192.168.54.254 date=2021-04-20 time=15:43:15 devname="bdr01-clientX" devid="FGT60XXXXXXXXXXX" eventtime=1618897395048174950 tz="+1000" logid="0101037138" type="event" subtype="vpn" level="notice" vd="root" logdesc="IPsec connection status changed" msg="IPsec connection status change" action="tunnel-up" remip=141.168.54.53 locip=30.20.20.20 remport=4500 locport=4500 outintf="ppp1" cookies="e5547f94dda93e45/3b872249b36a9416" user="N/A" group="N/A" useralt="N/A" xauthuser="clint.eastwood" xauthgroup="DIALUP_VPN_ACCESS" assignip=192.168.55.2 vpntunnel="Dialup IPSec_0" tunnelip=192.168.55.2 tunnelid=2568211439 tunneltype="ipsec" duration=0 sentbyte=0 rcvdbyte=0 nextstat=0


Regards
Filip
