Geolocation doesn't work using custom rules


mauro....@cmcc.it
Mar 5, 2024, 4:07:22 PM
to Wazuh | Mailing List
Dear Users,

I'm using Wazuh v.4.70 and I just created the following custom rule:

   <rule id="100309" level="0" noalert="1">
      <decoded_as>json</decoded_as>
      <field name="Timestamp">\.+</field>
      <field name="SenderType">Firewall</field>
      <field name="InfoMsg">New SSL VPN connection accepted</field>
      <field name="Situation">SSLVPN-connection-done</field>
      <field name="Service">\.+</field>
      <field name="Src">\.+</field>
      <field name="Dst">\.+</field>
      <description>New SSL VPN connection accepted</description>
   </rule>

It works as expected, but I'm not able to detect the Geolocation info.
How can I enable Geolocation in order to see, in "Security event" page, the GeoIP info about the source IP of the VPN connected users?

I noticed that Geolocation is working for all other "default" events managed by Wazuh, but it is not working for this custom rule.

Thank you in advance.
Mauro

Fabian Ruiz
Mar 5, 2024, 9:09:07 PM
to Wazuh | Mailing List
Hi,

I understand that you have geolocation enabled for Wazuh and its alerts; can you confirm this?

On the other hand, currently the geolocation data is added to the alert on Wazuh indexer level, after being processed by all decoders and rules.

Regards.

mauro....@cmcc.it
Mar 6, 2024, 4:22:03 AM
to Wazuh | Mailing List
Hi Fabian,

thank you for your reply.
How can I tell whether geolocation is enabled for Wazuh and its alerts? Sorry, but I'm still a newbie.

I'm running Wazuh v.4.7.3 and I can see geolocation info for all other security events in the "Security events" page. I can't see the geolocation info for the custom rules I created.
I read that GeoIP should be enabled by adding some parameter when compiling the Wazuh source code, but I installed Wazuh using yum and rpm packages.

> On the other hand, currently the geolocation data is added to the alert on Wazuh indexer level, after being processed by all decoders and rules.

Does it mean that the custom rule must be configured to create an alert event in order to have GeoIp info?

Thank you for your patience,
Mauro

Fabian Ruiz
Mar 6, 2024, 10:13:01 AM
to Wazuh | Mailing List
Hi,

The alert must contain a srcip or dstip field; the field must have exactly this name for the geolocation to work. Can you confirm this?

Regards.

mauro....@cmcc.it
Mar 6, 2024, 10:52:25 AM
to Wazuh | Mailing List
Hi Fabian,

this is the log from the VPN server:

2024-03-05T21:18:54.941872+01:00 smc {"Timestamp": "2024-03-05 21:18:54","LogId":"797237304","NodeId":"xxxxxx","Facility":"SSL VPN","Type":"Notification","Src":"xxxxxx","Dst":"xxxxx","Service":"HTTPS","Protocol":"6","Sport":"xxx","Dport":"xxx","AccElapsed":"68","Username":"xxxxx","CompId":"xxxxx","InfoMsg":"Mobile session created","ReceptionTime":"2024-03-05 21:18:54","SenderType":"Firewall","Situation":"User-Session-Created","EventId":"xxxxx","UserDomain":"xxxx"}

and this is the rule I created:

  <rule id="100309" level="0" noalert="1">
      <decoded_as>json</decoded_as>
      <field name="Timestamp">\.+</field>
      <field name="SenderType">Firewall</field>
      <field name="InfoMsg">New SSL VPN connection accepted</field>
      <field name="Situation">SSLVPN-connection-done</field>
      <field name="Service">\.+</field>
      <field name="Src">\.+</field>
      <field name="Dst">\.+</field>
      <description>New SSL VPN connection accepted</description>
   </rule>

If I'm not wrong, in order to capture the Src and Dst fields mentioned in the logs, I have to use :


      <field name="Src">\.+</field>
      <field name="Dst">\.+</field>

How can I change Src to srcip and Dst to dstip in the rule preserving the correct functioning of the rule?

Thanks,
Mauro


Fabian Ruiz
Mar 6, 2024, 1:49:05 PM
to Wazuh | Mailing List
Hi,

For this you could create a custom decoder that lets you take the JSON values and organize them under different names.

For this you can check these two documentation pages, which should help you:


Regards.

mauro....@cmcc.it
Mar 7, 2024, 5:05:14 AM
to Wazuh | Mailing List
Hi Fabian,

thank you for your patience.
I followed your suggestion and created a decoder and a rule in order to parse this log example:


2024-03-05T21:18:54.941872+01:00 smc {"Timestamp": "2024-03-05 21:18:54","LogId":"797237304","NodeId":"xxxxxx","Facility":"SSL VPN","Type":"Notification","Src":"xxxxxx","Dst":"xxxxx","Service":"HTTPS","Protocol":"6","Sport":"xxx","Dport":"xxx","AccElapsed":"68","Username":"xxxxx","CompId":"xxxxx","InfoMsg":"Mobile session created","ReceptionTime":"2024-03-05 21:18:54","SenderType":"Firewall","Situation":"User-Session-Created","EventId":"xxxxx","UserDomain":"xxxx"}

This is the decoder I created:

<decoder name="forcepoint">
  <program_name>^smc</program_name>
</decoder>

<decoder name="forcepoint-vpn">
  <parent>forcepoint</parent>
  <regex>^"Timestamp": "(\d\d\d\d-\d\d-\d\d \d\d:\d\d:\d:\d)","logID":"(\d+)","NodeId":"(\d+)","Facility":"(\w+)","Type":"(\w+)","Src":"(\d+.\d+.d+.\d+)","Dst":"(d+.\d+.d+.\d+)","Service":"(\w+)","Protocol":"(\d)","Sport":"(\d+)","Dport":(\d+),"AccElapsed":"(\d+)","Username:"(\w+)","CompId":"(\d+)","InfoMsg":(\S+),"ReceptionTime":"(\d\d\d\d-\d\d-\d\d \d\d:\d\d:\d:\d)","SenderType":"(\w+)","Situation":"(\w+)","EventId":"(\d+)","UserDomain":"(\w+.\w+.w+)"</regex>
  <order>timestamp, logid, nodeid, facility, type, srcip, dstip, service, protocol, sport, dport, accelapsed, username, compid, receptiontime, sendertype, situation, eventid, userdomain</order>
</decoder>

This is the rule:

   <rule id="100309" level="3" noalert="0">
      <decoded_as>forcepoint</decoded_as>
      <match>Mobile session created</match>
      <description>Test</description>
   </rule>

But when I check them using wazuh-logtest, I can see that only the json decoder is used:

/var/ossec/bin/wazuh-logtest
Starting wazuh-logtest v4.7.3
Type one log per line


2024-03-05T21:18:54.941872+01:00 smc {"Timestamp": "2024-03-05 21:18:54","LogId":"797237304","NodeId":"xxxxxx","Facility":"SSL VPN","Type":"Notification","Src":"xxxxxx","Dst":"xxxxx","Service":"HTTPS","Protocol":"6","Sport":"xxx","Dport":"xxx","AccElapsed":"68","Username":"xxxxx","CompId":"xxxxx","InfoMsg":"Mobile session created","ReceptionTime":"2024-03-05 21:18:54","SenderType":"Firewall","Situation":"User-Session-Created","EventId":"xxxxx","UserDomain":"xxxx"}

**Phase 1: Completed pre-decoding.
full event: '2024-03-05T21:18:54.941872+01:00 smc {"Timestamp": "2024-03-05 21:18:54","LogId":"797237304","NodeId":"xxxxxx","Facility":"SSL VPN","Type":"Notification","Src":"xxxxxx","Dst":"xxxxx","Service":"HTTPS","Protocol":"6","Sport":"xxx","Dport":"xxx","AccElapsed":"68","Username":"xxxxx","CompId":"xxxxx","InfoMsg":"Mobile session created","ReceptionTime":"2024-03-05 21:18:54","SenderType":"Firewall","Situation":"User-Session-Created","EventId":"xxxxx","UserDomain":"xxxx"}'
timestamp: '2024-03-05T21:18:54.941872+01:00'

**Phase 2: Completed decoding.
name: 'json'
AccElapsed: '68'
CompId: 'xxxxx'
Dport: 'xxx'
Dst: 'xxxxx'
EventId: 'xxxxx'
Facility: 'SSL VPN'
InfoMsg: 'Mobile session created'
LogId: '797237304'
NodeId: 'xxxxxx'
Protocol: '6'
ReceptionTime: '2024-03-05 21:18:54'
SenderType: 'Firewall'
Service: 'HTTPS'
Situation: 'User-Session-Created'
Sport: 'xxx'
Src: 'xxxxxx'
Timestamp: '2024-03-05 21:18:54'
Type: 'Notification'
UserDomain: 'xxxx'
Username: 'xxxxx'

Could you please help me to understand what I'm doing wrong?

Thank you in advance,
Mauro

Fabian Ruiz
Mar 9, 2024, 9:39:03 AM
to Wazuh | Mailing List
Hi

This is because your log is not syslog-like, so it cannot match the program_name. Can you try adding ':' after the smc text?

Example:  2024-03-05T21:18:54.941872+01:00 smc: {"Timestamp": "2024-03-05 21:18:54","LogId":"797237304","NodeId":"xxxxxx","Facility":"SSL VPN","Type":"Notification","Src":"xxxxxx","Dst":"xxxxx","Service":"HTTPS","Protocol":"6","Sport":"xxx","Dport":"xxx","AccElapsed":"68","Username":"xxxxx","CompId":"xxxxx","InfoMsg":"Mobile session created","ReceptionTime":"2024-03-05 21:18:54","SenderType":"Firewall","Situation":"User-Session-Created","EventId":"xxxxx","UserDomain":"xxxx"}

mauro....@cmcc.it
Mar 11, 2024, 7:20:03 AM
to Wazuh | Mailing List
Hi Fabian,

thank you for your help. I tried to add ":" to "smc" and wazuh-logtest works as expected.
But now I think I have a problem: smc is the hostname of the syslog-ng client and I can't change it at the source due to some configuration constraints and dependencies.

Have you solved similar issues in the past for other users?

Thank you in advance,
Mauro

Fabian Ruiz
Mar 11, 2024, 8:09:00 AM
to Wazuh | Mailing List
Hi,

I understand, but you must not change the hostname; you must change to a correct format. I think you can use templates to manipulate the syslog-ng format: https://www.syslog-ng.com/technical-documents/doc/syslog-ng-open-source-edition/3.20/administration-guide/59#TOPIC-1122002

But if you can't change the format, you should use a prematch in the decoder, which should allow you to apply the decoder: https://documentation.wazuh.com/current/user-manual/ruleset/ruleset-xml-syntax/decoders.html#prematch

Regards.

mauro....@cmcc.it
Mar 12, 2024, 3:55:27 AM
to Wazuh | Mailing List
Good morning Fabian,

thank you for your reply and support.
In the end, I was able to modify syslog-ng.conf as needed and now, in the logs, $HOST is equal to "smc:".

The wazuh-logtest output seems to be partially OK:

/var/ossec/bin/wazuh-logtest
Starting wazuh-logtest v4.7.3
Type one log per line

Mar 12 08:38:46 smc: {"Timestamp":"2024-03-12 08:38:46","LogId":"682824861","NodeId":"8.8.8.8","Facility":"SSL VPN","Type":"Notification","Src":"1.1.1.1","Dst":"1.1.1.2","Service":"HTTPS","Protocol":"6","Sport":"49269","Dport":"443","AccElapsed":"6","Username":"user07","CompId":"Site node 2","InfoMsg":"Mobile session created","ReceptionTime":"2024-03-12 08:38:46","SenderType":"Firewall","Situation":"User-Session-Created","EventId":"7173220860553270429","UserDomain":"xxx.xxxx.xx"}

**Phase 1: Completed pre-decoding.
full event: 'Mar 12 08:38:46 smc: {"Timestamp":"2024-03-12 08:38:46","LogId":"682824861","NodeId":"8.8.8.8","Facility":"SSL VPN","Type":"Notification","Src":"1.1.1.1","Dst":"1.1.1.2","Service":"HTTPS","Protocol":"6","Sport":"49269","Dport":"443","AccElapsed":"6","Username":"user07","CompId":"Site node 2","InfoMsg":"Mobile session created","ReceptionTime":"2024-03-12 08:38:46","SenderType":"Firewall","Situation":"User-Session-Created","EventId":"7173220860553270429","UserDomain":"xxx.xxxx.xx"}'
timestamp: 'Mar 12 08:38:46'
hostname: 'smc:'
program_name: 'smc'

**Phase 2: Completed decoding.
name: 'fp'


**Phase 3: Completed filtering (rules).
id: '100309'
level: '3'
description: 'SSL VPN Mobile Session created'
groups: '['forcepoint']'
firedtimes: '1'
mail: 'False'
**Alert to be generated.

The "fp" decoder is detected, but the field substitution didn't happen as expected.
Taking a look at the Wazuh "Security events" page, I can't see any reference to srcip or dstip and, for this reason (I think), no geolocation info is available.
Could you please help me to understand what is wrong in my decoders?

<decoder name="fp">
  <program_name>smc</program_name>
</decoder>

<decoder name="fp-vpn">
  <parent>fp</parent>
  <regex offset="after_parent">^"Timestamp": (\d\d\d\d-\d\d-\d\d \d\d:\d\d:\d\d),"logID":(\d+),"NodeId":(\d+.\d+.\d+.\d+),"Facility":(\S+),"Type":(\w+),"Src":(\d+.\d+.\d+.\d+),"Dst":(d+.\d+.\d+.\d+),"Service":(\w+),"Protocol":(\d),"Sport":(\d+),"Dport":(\d+),"AccElapsed":(\d+),"Username":(\w+),"CompId":(\d+),"InfoMsg":(\S+),"ReceptionTime":(\d\d\d\d-\d\d-\d\d \d\d:\d\d:\d\d),"SenderType":(\w+),"Situation":(\S+),"EventId":(\d+),"UserDomain":(\w+.\w+.\w+)</regex>
  <order>timestamp, logid, nodeid, facility, type, srcip, dstip, service, protocol, sport, dport, accelapsed, username, compid, infomsg, receptiontime, sendertype, situation, eventid, userdomain</order>
</decoder>


This is the 100309 rule:

   <rule id="100309" level="3" noalert="0">
      <decoded_as>fp</decoded_as>
      <match>Mobile session created</match>
      <description>SSL VPN Mobile Session created</description>
   </rule>


Thank you in advance,
Mauro

Fabian Ruiz
Mar 12, 2024, 8:41:36 PM
to Wazuh | Mailing List
Hi,

Can you check this configuration for your decoder?

Decoder:

<decoder name="fp">
  <program_name>smc</program_name>
</decoder>

<decoder name="fp-vpn">
  <parent>fp</parent>
  <regex offset="after_parent" type="pcre2">{"Timestamp":"([^"]*)","LogId":"([^"]*)","NodeId":"([^"]*)","Facility":"([^"]*)","Type":"([^"]*)","Src":"([^"]*)","Dst":"([^"]*)","Service":"([^"]*)","Protocol":"([^"]*)","Sport":"([^"]*)","Dport":"([^"]*)","AccElapsed":"([^"]*)","Username":"([^"]*)","CompId":"([^"]*)","InfoMsg":"([^"]*)","ReceptionTime":"([^"]*)","SenderType":"([^"]*)","Situation":"([^"]*)","EventId":"([^"]*)","UserDomain":"([^"]*)"}</regex>

  <order>timestamp, logid, nodeid, facility, type, srcip, dstip, service, protocol, sport, dport, accelapsed, username, compid, infomsg, receptiontime, sendertype, situation, eventid, userdomain</order>
</decoder>

Logs:

2024-03-05T21:18:54.941872+01:00 smc: {"Timestamp":"2024-03-05 21:18:54","LogId":"797237304","NodeId":"xxxxxx","Facility":"SSL VPN","Type":"Notification","Src":"xxxxxx","Dst":"xxxxx","Service":"HTTPS","Protocol":"6","Sport":"xxx","Dport":"xxx","AccElapsed":"68","Username":"xxxxx","CompId":"xxxxx","InfoMsg":"Mobile session created","ReceptionTime":"2024-03-05 21:18:54","SenderType":"Firewall","Situation":"User-Session-Created","EventId":"xxxxx","UserDomain":"xxxx"}

Decoder Test:

**Messages:
WARNING: (7003): '24457805' token expires
INFO: (7202): Session initialized with token '4a7a62a5'


**Phase 1: Completed pre-decoding.
full event: '2024-03-05T21:18:54.941872+01:00 smc: {"Timestamp":"2024-03-05 21:18:54","LogId":"797237304","NodeId":"xxxxxx","Facility":"SSL VPN","Type":"Notification","Src":"xxxxxx","Dst":"xxxxx","Service":"HTTPS","Protocol":"6","Sport":"xxx","Dport":"xxx","AccElapsed":"68","Username":"xxxxx","CompId":"xxxxx","InfoMsg":"Mobile session created","ReceptionTime":"2024-03-05 21:18:54","SenderType":"Firewall","Situation":"User-Session-Created","EventId":"xxxxx","UserDomain":"xxxx"}'
timestamp: '2024-03-05T21:18:54.941872+01:00'
program_name: 'smc'

**Phase 2: Completed decoding.
name: 'fp'
accelapsed: '68'
compid: 'xxxxx'
dport: 'xxx'
dstip: 'xxxxx'
eventid: 'xxxxx'
facility: 'SSL VPN'
infomsg: 'Mobile session created'
logid: '797237304'
nodeid: 'xxxxxx'
protocol: '6'
receptiontime: '2024-03-05 21:18:54'
sendertype: 'Firewall'
service: 'HTTPS'
situation: 'User-Session-Created'
sport: 'xxx'
srcip: 'xxxxxx'
timestamp: '2024-03-05 21:18:54'
type: 'Notification'
userdomain: 'xxxx'
username: 'xxxxx'


**Phase 3: Completed filtering (rules).
id: '100010'
level: '0'
description: 'Test'
groups: '["custom_rules_example"]'
firedtimes: '1'
mail: 'false'

Regards.

mauro....@cmcc.it
Mar 13, 2024, 6:45:45 AM
to Wazuh | Mailing List
Wow!!! Great! You are a genius! Compliments.
It works like a charm now.

Many thanks for your help. wazuh-logtest gives the expected output and I can see the related alerts saved in /var/ossec/logs/alerts/alerts.log.

I detected only one last issue: I can't see any reference to rule "100309" in the Wazuh Dashboard -> Security events

/var/ossec/bin/wazuh-logtest
Starting wazuh-logtest v4.7.3
Type one log per line

2024-03-05T21:18:54.941872+01:00 smc: {"Timestamp":"2024-03-05 21:18:54","LogId":"797237304","NodeId":"xxxxxx","Facility":"SSL VPN","Type":"Notification","Src":"xxxxxx","Dst":"xxxxx","Service":"HTTPS","Protocol":"6","Sport":"xxx","Dport":"xxx","AccElapsed":"68","Username":"xxxxx","CompId":"xxxxx","InfoMsg":"Mobile session created","ReceptionTime":"2024-03-05 21:18:54","SenderType":"Firewall","Situation":"User-Session-Created","EventId":"xxxxx","UserDomain":"xxxx"}

**Phase 1: Completed pre-decoding.
full event: '2024-03-05T21:18:54.941872+01:00 smc: {"Timestamp":"2024-03-05 21:18:54","LogId":"797237304","NodeId":"xxxxxx","Facility":"SSL VPN","Type":"Notification","Src":"xxxxxx","Dst":"xxxxx","Service":"HTTPS","Protocol":"6","Sport":"xxx","Dport":"xxx","AccElapsed":"68","Username":"xxxxx","CompId":"xxxxx","InfoMsg":"Mobile session created","ReceptionTime":"2024-03-05 21:18:54","SenderType":"Firewall","Situation":"User-Session-Created","EventId":"xxxxx","UserDomain":"xxxx"}'
timestamp: '2024-03-05T21:18:54.941872+01:00'
program_name: 'smc'

**Phase 2: Completed decoding.
name: 'fp'
accelapsed: '68'
compid: 'xxxxx'
dport: 'xxx'
dstip: 'xxxxx'
eventid: 'xxxxx'
facility: 'SSL VPN'
infomsg: 'Mobile session created'
logid: '797237304'
nodeid: 'xxxxxx'
protocol: '6'
receptiontime: '2024-03-05 21:18:54'
sendertype: 'Firewall'
service: 'HTTPS'
situation: 'User-Session-Created'
sport: 'xxx'
srcip: 'xxxxxx'
timestamp: '2024-03-05 21:18:54'
type: 'Notification'
userdomain: 'xxxx'
username: 'xxxxx'

**Phase 3: Completed filtering (rules).
id: '100309'
level: '3'
description: 'SSL VPN Mobile Session created'
groups: '['forcepoint']'
firedtimes: '1'
mail: 'False'
**Alert to be generated.

Where is my mistake?

Thank you,
Mauro

Fabian Ruiz
Mar 13, 2024, 10:38:25 PM
to Wazuh | Mailing List
Hi Mauro,

How have you configured your rule?

Note: The wazuh-logtest should not create alerts in your environment.

Regards.

mauro....@cmcc.it
Mar 14, 2024, 5:05:17 AM
to Wazuh | Mailing List
Hi Fabian,

this is the rule I created:

   <rule id="100309" level="3">
      <decoded_as>fp</decoded_as>
      <match>Mobile session created</match>
      <description>SSL VPN Mobile Session created</description>
   </rule>

This is the syslog-ng log file relevant row:

Mar 14 09:49:06 smc: {"Timestamp":"2024-03-14 09:49:06","LogId":"838072787","NodeId":"172.31.0.41","Facility":"SSL VPN","Type":"Notification","Src":"xxx.xxx.xxx.xxx","Dst":"xxx.xxx.xxx.xxx","Service":"HTTPS","Protocol":"6","Sport":"49319","Dport":"443","AccElapsed":"18","Username":"xxxxxxxx","CompId":"xxxx node 1","InfoMsg":"Mobile session created","ReceptionTime":"2024-03-14 09:49:06","SenderType":"Firewall","Situation":"User-Session-Created","EventId":"7173963340026477011","UserDomain":"xxx.xxxx.xxx"}

and this is one of the alerts I can see in alerts.log file:

** Alert 1710406624.48233318: - forcepoint,
2024 Mar 14 09:57:04 curiosity->/var/log/forcepoint/ngfw.log
Rule: 100309 (level 3) -> 'SSL VPN Mobile Session created'
Src IP: xxx.xxx.xxx.xxx
Dst IP: xxx.xxx.xxx.xxx
Mar 14 09:57:04 smc: {"Timestamp":"2024-03-14 09:57:04","LogId":"838124598","NodeId":"172.31.0.41","Facility":"SSL VPN","Type":"Notification","Src":"xxx.xxx.xxx.xxx","Dst":"xxx.xxx.xxx.xxx","Service":"HTTPS","Protocol":"6","Sport":"49695","Dport":"443","AccElapsed":"1","Username":"xxxxxx","CompId":"Lecce node 1","InfoMsg":"Mobile session created","ReceptionTime":"2024-03-14 09:57:04","SenderType":"Firewall","Situation":"User-Session-Created","EventId":"7173965345776256054","UserDomain":"xxx.xxxx.xxx"}
timestamp: 2024-03-14 09:57:04
logid: 838124598
nodeid: xxx.xxx.xxx.xxx
facility: SSL VPN
type: Notification
service: HTTPS
sport: 49695
dport: 443
accelapsed: 1
username: xxxxxx
compid: Lecce node 1
infomsg: Mobile session created
receptiontime: 2024-03-14 09:57:04
sendertype: Firewall
situation: User-Session-Created
eventid: 7173965345776256054
userdomain: xxx.xxxx.xxx

I used wazuh-logtest only for testing rule. The logs mentioned above are real logs sent to wazuh by the VPN server/FW

Thank you in advance,
Mauro

Fabian Ruiz
Mar 15, 2024, 10:09:22 PM
to Wazuh | Mailing List
Hi mauro,

You can check if the alert was generated in alert.json


On the other hand, can you also check the ossec.log?

Regards.

mauro....@cmcc.it
Mar 16, 2024, 7:11:55 PM
to Wazuh | Mailing List
Hi Fabian,

yes, the alert was generated both in the alerts.log and in the alerts.json file.

{"timestamp":"2024-03-16T22:30:15.281+0000","rule":{"level":3,"description":"SSL VPN Mobile Session created","id":"100309","firedtimes":1,"mail":false,"groups":["xxxxx"]},"agent":{"id":"000","name":"xxxx"},"manager":{"name":"xxxxxx"},"id":"1710628215.4841917","full_log":"Mar 16 23:30:14 smc: {\"Timestamp\":\"2024-03-16 23:30:14\",\"LogId\":\"853447218\",\"NodeId\":\"172.31.0.41\",\"Facility\":\"SSL VPN\",\"Type\":\"Notification\",\"Src\":\"151.50.129.17\",\"Dst\":\"90.147.177.126\",\"Service\":\"HTTPS\",\"Protocol\":\"6\",\"Sport\":\"44546\",\"Dport\":\"443\",\"AccElapsed\":\"41\",\"Username\":\"xxxxx\",\"CompId\":\"Lecce node 1\",\"InfoMsg\":\"Mobile session created\",\"ReceptionTime\":\"2024-03-16 23:30:14\",\"SenderType\":\"Firewall\",\"Situation\":\"User-Session-Created\",\"EventId\":\"7174894763829531186\",\"UserDomain\":\"xxx.xxx.xxx\"}","predecoder":{"program_name":"smc","timestamp":"Mar 16 23:30:14","hostname":"xxx:"},"decoder":{"name":"fp"},"data":{"protocol":"6","srcip":"xxx.xxx.xxx.xxx","dstip":"xxx.xxx.xxx.xxx","timestamp":"2024-03-16 23:30:14","logid":"853447218","nodeid":"172.31.0.41","facility":"SSL VPN","type":"Notification","service":"HTTPS","sport":"44546","dport":"443","accelapsed":"41","username":"xxxx","compid":"Lecce node 1","infomsg":"Mobile session created","receptiontime":"2024-03-16 23:30:14","sendertype":"Firewall","situation":"User-Session-Created","eventid":"7174894763829531186","userdomain":"xxx.xxx.xxx"},"location":"/var/log/forcepoint/ngfw.log"}

But it is not shown in the Wazuh dashboard (Security events).

Other alerts seem to be ok.

Thank you,
Mauro

Fabian Ruiz
Mar 18, 2024, 10:49:42 PM
to Wazuh | Mailing List
Hi, Mauro,

Could you send me your ossec.conf configuration, plus the logs of the indexer and ossec.log, obfuscate all sensitive information please.

Regards.

mauro....@cmcc.it
Mar 20, 2024, 3:55:20 AM
to Wazuh | Mailing List
Hi Fabian,

could you please tell me where I can find the indexer logs?
I did a quick search and found that they should be in /var/log/wazuh-indexer, but which file do you need?

Thanks,
Mauro

Fabian Ruiz
Mar 20, 2024, 9:47:10 PM
to Wazuh | Mailing List
Hi Mauro.

You can retrieve all this information using these commands:

Wazuh Indexer:

- cat /var/log/wazuh-indexer/wazuh-cluster.log

Wazuh Manager:

- cat /var/log/filebeat/filebeat
- cat /var/ossec/logs/ossec.log

Regards.

mauro....@cmcc.it
Mar 23, 2024, 3:16:03 PM
to Wazuh | Mailing List
Hi Fabian,

sorry for my late answer, but I had some urgent problems to solve at work.
Attached you can find the logs you need. To be honest, it seems there are no particular errors.

It is very strange: wazuh-logtest is OK, alerts are saved in alerts.log and alerts.json, but these specific alerts don't appear in the Security events Wazuh dashboard.

You can see below a summary of my logs, decoders and rules.

Mar 23 19:04:35 smc: {"Timestamp":"2024-03-23 19:04:35","LogId":"887785301","NodeId":"9.9.9.9","Facility":"SSL VPN","Type":"Notification","Src":"2.2.2.2","Dst":"1.1.1.1","Service":"HTTPS","Protocol":"6","Sport":"49228","Dport":"443","AccElapsed":"15","Username":"ad07521","CompId":"Location node 1","InfoMsg":"Mobile session created","ReceptionTime":"2024-03-23 19:04:35","SenderType":"Firewall","Situation":"User-Session-Created","EventId":"7177364623462139733","UserDomain":"idm.cmcc.scc"}

alerts.log:Mar 23 19:04:35 smc: {"Timestamp":"2024-03-23 19:04:35","LogId":"887785301","NodeId":"9.9.9.9","Facility":"SSL VPN","Type":"Notification","Src":"2.2.2.2","Dst":"1.1.1.1","Service":"HTTPS","Protocol":"6","Sport":"49228","Dport":"443","AccElapsed":"15","Username":"ad07521","CompId":"Location node 1","InfoMsg":"Mobile session created","ReceptionTime":"2024-03-23 19:04:35","SenderType":"Firewall","Situation":"User-Session-Created","EventId":"7177364623462139733","UserDomain":"idm.cmcc.scc"}

alerts.json:{"timestamp":"2024-03-23T18:04:36.029+0000","rule":{"level":5,"description":"SSL VPN Mobile Session created","id":"100310","firedtimes":1,"mail":false,"groups":["forcepoint"]},"agent":{"id":"000","name":"curiosity"},"manager":{"name":"curiosity"},"id":"1711217076.7617433","full_log":"Mar 23 19:04:35 smc: {\"Timestamp\":\"2024-03-23 19:04:35\",\"LogId\":\"887785301\",\"NodeId\":\"9.9.9.9\",\"Facility\":\"SSL VPN\",\"Type\":\"Notification\",\"Src\":\"2.2.2.2\",\"Dst\":\"1.1.1.1\",\"Service\":\"HTTPS\",\"Protocol\":\"6\",\"Sport\":\"49228\",\"Dport\":\"443\",\"AccElapsed\":\"15\",\"Username\":\"ad07521\",\"CompId\":\"Location node 1\",\"InfoMsg\":\"Mobile session created\",\"ReceptionTime\":\"2024-03-23 19:04:35\",\"SenderType\":\"Firewall\",\"Situation\":\"User-Session-Created\",\"EventId\":\"7177364623462139733\",\"UserDomain\":\"idm.cmcc.scc\"}","predecoder":{"program_name":"smc","timestamp":"Mar 23 19:04:35","hostname":"smc:"},"decoder":{"name":"fp"},"data":{"protocol":"6","srcip":"2.2.2.2","dstip":"1.1.1.1","timestamp":"2024-03-23 19:04:35","logid":"887785301","nodeid":"9.9.9.9","facility":"SSL VPN","type":"Notification","service":"HTTPS","sport":"49228","dport":"443","accelapsed":"15","username":"ad07521","compid":"Location node 1","infomsg":"Mobile session created","receptiontime":"2024-03-23 19:04:35","sendertype":"Firewall","situation":"User-Session-Created","eventid":"7177364623462139733","userdomain":"idm.cmcc.scc"},"location":"/var/log/forcepoint/vpn.log"}


You can see below the custom decoders I created for our firewall:


<decoder name="fp">
  <program_name>smc</program_name>
</decoder>

<decoder name="fp-ngfw">
  <parent>fp</parent>
  <regex offset="after_parent" type="pcre2">{"Timestamp":"([^"]*)","LogId":"([^"]*)","NodeId":"([^"]*)","Facility":"([^"]*)","Type":"([^"]*)","Src":"([^"]*)","Dst":"([^"]*)","Service":"([^"]*)","Protocol":"([^"]*)","Sport":"([^"]*)","Dport":"([^"]*)","AccElapsed":"([^"]*)","Username":"([^"]*)","CompId":"([^"]*)","InfoMsg":"([^"]*)","ReceptionTime":"([^"]*)","SenderType":"([^"]*)","Situation":"([^"]*)","EventId":"([^"]*)","UserDomain":"([^"]*)"}</regex>
  <order>timestamp, logid, nodeid, facility, type, srcip, dstip, service, protocol, sport, dport, accelapsed, username, compid, infomsg, receptiontime, sendertype, situation, eventid, userdomain</order>
</decoder>
<!--
<decoder name="fp-ngfw">
  <parent>fp</parent>
  <regex offset="after_parent" type="pcre2">{"Timestamp":"([^"]*)","EventId":"([^"]*)","NodeId":"([^"]*)","CompId":"([^"]*)","UserOriginator":"([^"]*)","ClientIpAddress":"([^"]*)","TypeDescription":"([^"]*)","Result":"([^"]*)","ObjetcName":"([^"]*)","InfoMsg":"([^"]*)","SenderType":"([^"]*)"}</regex>
  <order>timestamp, eventid, nodeid, compid, originator, srcip, typedesc, result, objectname, infomsg, sendertype</order>
</decoder>
-->

And this is the rule:

  <rule id="100310" level="5">
    <decoded_as>fp</decoded_as>
    <field name="infomsg">Mobile session created</field>
    <description>SSL VPN Mobile Session created for $(username) from $(srcip)</description>
  </rule>




Thank you,
Mauro
Attachments: filebeat, ossec.log, wazuh-cluster.log

Fabian Ruiz
Mar 25, 2024, 7:29:02 PM
to Wazuh | Mailing List
Hi Mauro,

I'm sorry for the late response. I have been investigating what has been happening in your case: I did a Wazuh install to test your rules/decoders and, indeed, they are not working as they should.

In short, the Timestamp field that we decode generates a conflict with the indexer, since it tries to parse it into a format according to the mapping. To solve it, simply change the name of the group that we generate in the decoder.

<decoder name="fp-ngfw">
  <parent>fp</parent>
  <regex offset="after_parent" type="pcre2">{"Timestamp":"([^"]*)","LogId":"([^"]*)","NodeId":"([^"]*)","Facility":"([^"]*)","Type":"([^"]*)","Src":"([^"]*)","Dst":"([^"]*)","Service":"([^"]*)","Protocol":"([^"]*)","Sport":"([^"]*)","Dport":"([^"]*)","AccElapsed":"([^"]*)","Username":"([^"]*)","CompId":"([^"]*)","InfoMsg":"([^"]*)","ReceptionTime":"([^"]*)","SenderType":"([^"]*)","Situation":"([^"]*)","EventId":"([^"]*)","UserDomain":"([^"]*)"}</regex>
  <order>time, logid, nodeid, facility, type, srcip, dstip, service, protocol, sport, dport, accelapsed, username, compid, infomsg, receptiontime, sendertype, situation, eventid, userdomain</order>
</decoder>

[Screenshot attached: Screenshot 2024-03-25 182654.png]

It is possible that you did not see the error logs due to the rotation.

Regards.
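The three mechanics this thread turned on can be checked offline before touching /var/ossec/etc/decoders: a line only gets a program_name when it is syslog-shaped (which is why "smc {...}" fell through to the json decoder and "smc: {...}" reached the custom one), the child decoder's PCRE2 regex plus <order> renames Src/Dst to srcip/dstip so the indexer's GeoIP step has something to work on, and a decoded field named timestamp collides with the index mapping, so <order> has to call it something else. The Python below is an added example written for this page, not Wazuh code and not a reproduction of wazuh-analysisd's parser: the syslog header grammar is a simplified assumption, the regex and <order> are the ones posted in this thread, the sample lines are constructed from the obfuscated logs above, and treating timestamp as the only colliding field name is an assumption based on what was found here.

```python
import re

# Assumed, simplified model of wazuh-analysisd pre-decoding (not the real parser):
# "<timestamp> [<hostname>] <program>[pid]: <message>". The program token must be
# followed by ':', which is exactly what "smc {...}" lacked and "smc: {...}" has.
_TS = (r"(?:\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}(?:\.\d+)?(?:Z|[+-]\d{2}:\d{2})?"  # RFC 3339
       r"|[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2})")                          # BSD syslog
_SYSLOG = re.compile(
    r"^(?P<timestamp>" + _TS + r")"
    r"(?: (?P<hostname>[A-Za-z0-9_.\-]+))?"
    r" (?P<program_name>[A-Za-z0-9_.\-/]+)(?:\[\d+\])?: (?P<log>.*)$"
)

# Child decoder regex exactly as posted in the thread (type="pcre2"); Python's re
# accepts this subset unchanged.
FP_NGFW_REGEX = re.compile(
    r'{"Timestamp":"([^"]*)","LogId":"([^"]*)","NodeId":"([^"]*)","Facility":"([^"]*)",'
    r'"Type":"([^"]*)","Src":"([^"]*)","Dst":"([^"]*)","Service":"([^"]*)","Protocol":"([^"]*)",'
    r'"Sport":"([^"]*)","Dport":"([^"]*)","AccElapsed":"([^"]*)","Username":"([^"]*)",'
    r'"CompId":"([^"]*)","InfoMsg":"([^"]*)","ReceptionTime":"([^"]*)","SenderType":"([^"]*)",'
    r'"Situation":"([^"]*)","EventId":"([^"]*)","UserDomain":"([^"]*)"}'
)
# <order> of the working decoder: the first capture is "time", not "timestamp".
FP_NGFW_ORDER = ("time logid nodeid facility type srcip dstip service protocol sport dport "
                 "accelapsed username compid infomsg receptiontime sendertype situation "
                 "eventid userdomain").split()

# Assumption: the only decoded-field name this thread showed to collide with the
# indexer's mapping. Extend it if your own index template rejects other names.
RESERVED_DATA_FIELDS = frozenset({"timestamp"})


def predecode(line):
    """Syslog header fields of a line; no program_name means 'not syslog-shaped'."""
    m = _SYSLOG.match(line)
    if not m:
        return {"log": line}
    return {k: v for k, v in m.groupdict().items() if v is not None}


def decode(line, program_name="smc"):
    """Parent decoder (program_name match) followed by the child regex + order."""
    pre = predecode(line)
    if pre.get("program_name") != program_name:
        return {"decoder": None, "predecoder": pre, "data": {}}
    m = FP_NGFW_REGEX.search(pre["log"])   # offset="after_parent": only the message body
    if not m:
        return {"decoder": "fp", "predecoder": pre, "data": {}}
    return {"decoder": "fp-ngfw", "predecoder": pre,
            "data": dict(zip(FP_NGFW_ORDER, m.groups()))}


def unsafe_fields(data):
    """Decoded field names that would be rejected at index time."""
    return sorted(k for k in data if k in RESERVED_DATA_FIELDS)


# Constructed sample lines (values patterned on the obfuscated logs in the thread).
LINE_NO_PROGRAM = (
    '2024-03-05T21:18:54.941872+01:00 smc {"Timestamp":"2024-03-05 21:18:54",'
    '"LogId":"797237304","NodeId":"9.9.9.9","Facility":"SSL VPN","Type":"Notification",'
    '"Src":"2.2.2.2","Dst":"1.1.1.1","Service":"HTTPS","Protocol":"6","Sport":"49228",'
    '"Dport":"443","AccElapsed":"15","Username":"ad07521","CompId":"Location node 1",'
    '"InfoMsg":"Mobile session created","ReceptionTime":"2024-03-05 21:18:54",'
    '"SenderType":"Firewall","Situation":"User-Session-Created",'
    '"EventId":"7177364623462139733","UserDomain":"idm.example.test"}'
)
LINE_SYSLOG = LINE_NO_PROGRAM.replace(" smc {", " smc: {", 1)

if __name__ == "__main__":
    for line in (LINE_NO_PROGRAM, LINE_SYSLOG):
        r = decode(line)
        print(r["decoder"], r["predecoder"].get("program_name"),
              r["data"].get("srcip"), unsafe_fields(r["data"]))
```

Run with python3: the first line decodes with no program_name (so the json decoder would take it, as in the first wazuh-logtest run above), the second decodes to srcip/dstip with the first capture already stored as time. wazuh-logtest reports the parent decoder's name ("fp") for a child match; the function returns the child's name so the two cases can be told apart.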

mauro....@cmcc.it
Mar 26, 2024, 4:38:07 AM
to Wazuh | Mailing List
Hi Fabian,

thank you very much for your important help.
I really appreciated your support and the solution you provided.

It works like a charm.
Now I have the srcip geolocation info and I can try to implement an "impossible travel" check with a related alert.
Have you ever implemented this kind of control on VPN user connections?

Thanks again for the time you spent for my case.
Have a great day.
Mauro

Fabian Ruiz
Mar 26, 2024, 9:53:55 PM
to Wazuh | Mailing List
Hi Mauro,

Can you explain me better what you want to do?

Regards.

mauro....@cmcc.it
Mar 27, 2024, 5:10:06 AM
to Wazuh | Mailing List
Hi Fabian,

you are right, I should explain my needs better.
As you know, I'm now able to capture VPN user connections started from different places in the world.
I have in hand the srcuser, srcip and dstip values and I can filter security events by the specific rule. I created a visualization with a world map and geolocation.

Now, I would like to receive an alert when the same srcuser is connecting in the same time range from a different GeoIP city or country and IP.
In cyber security, we detect an "impossible travel" when the same user is connecting to the VPN server (or something else) from two different locations in a short time.
Is there a way to do it using Wazuh?

Thank you,
Mauro

Fabian Ruiz
Mar 31, 2024, 3:26:37 PM
to Wazuh | Mailing List
Hi mauro,

Sorry for my late reply. I really don't know how you could do this implementation, but I think you could use a plugin like the anomaly detector to find anomalies between the coordinates of the login attempts. I don't know if it is the best way, but you can check it: https://wazuh.com/blog/enhancing-it-security-with-anomaly-detection/

Regards.

mauro....@cmcc.it
Mar 31, 2024, 5:23:17 PM
to Wazuh | Mailing List
Hi Fabian,

many thanks for your solution.
Anyway, I think I solved my issue in this way:

I created a rule and an aggregation rule as follows:

  <rule id="100310" level="7">
    <decoded_as>fp</decoded_as>
    <field name="infomsg">Mobile session created</field>
    <description>SSL VPN Mobile Session created for $(srcuser) from $(srcip)</description>
  </rule>

  <rule id="100311" level="12" frequency="2" timeframe="3600">
    <decoded_as>fp</decoded_as>
    <if_matched_sid>100310</if_matched_sid>
    <same_srcuser />
    <different_srcip />
    <different_field>location.country</different_field>
    <same_dstip />
    <description>SSL VPN Mobile Impossible Travel for $(srcuser) from different source IPs: last IP $(srcip)</description>
  </rule>

Now I have the last problem to solve:

Rule 100310 works as expected and I receive the alert.
BUT, when the aggregation rule matches rule 100310 two times in 3600 seconds, I receive:

- 1 alert for rule 100310
- 1 alert for rule 100311

My question is:

Why don't I receive:

- 2 alerts for rule 100310
- 1 alert for rule 100311

 I would like to receive 2 alerts for 100310 and 1 alert for 100311 because in the visualization (that I will create) I would filter for rule.id = 100310. 
So, I will be able to check the last srcip for a particular user connection each time I will receive the 100311 alert.

Thank you in advance,
Mauro

Fabian Ruiz
Apr 1, 2024, 10:24:26 PM
to Wazuh | Mailing List
Hi mauro,

If I am not mistaken, this is because you are configuring the rule with the decoded_as field, which would be giving priority to that alert. You can remove the decoded_as field from rule 100311 and check if it works as you want.

  <rule id="100311" level="12" frequency="2" timeframe="3600">
    <if_matched_sid>100310</if_matched_sid>
    <same_srcuser />
    <different_srcip />
    <different_field>location.country</different_field>
    <same_dstip />
    <description>SSL VPN Mobile Impossible Travel for $(srcuser) from different source IPs: last IP $(srcip)</description>
  </rule>

Regards.

mauro....@cmcc.it
Apr 2, 2024, 3:55:08 AM
to Wazuh | Mailing List
Hello Fabian,

thank you for your help.
I just tried to remove the "decoded_as" field, but, unfortunately, nothing changed.
Did you try it in your test lab, or was it just an attempt?

I would like to understand if something is not working in my env or not :)

Many thanks for your support.
Mauro

Fabian Ruiz
Apr 4, 2024, 9:00:50 PM
to Wazuh | Mailing List
Hi mauro,

Sorry for my late reply, let me check in my test environment, I should be back with an answer soon.

Regards.

Federico Damian Lo Iacono
Apr 18, 2024, 2:09:58 PM
to Wazuh | Mailing List
Hi Mauro, I'm Federico. I'll be taking over your issue while Fabian is absent.

Looking at the Rules Syntax documentation, I found the following when reading about same_field (the opposite of <different_field>, but with the same working principles):
  • The last event will fire rule 100002 instead of 100001 because it found the value AAAA in three of the previous events.
Wazuh won't generate both events, in this case. A workaround to this could be:
  1. Lowering the alert level of rule 100310 below 3, as to avoid repeats in your dashboard,
  2. creating another rule with a <if_sid>100310</if_sid> field, which contains the same information as rule 100310, and serves as a "counter", and,
  3. keeping rule 100311 which triggers on Impossible Travel events.
The downside of this approach is that, while the events won't appear on the dashboard, they'll be logged into alerts.json anyways.

If you need further help, I'll be available.

Regards.
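Rule 100311 above can only compare what wazuh-analysisd itself decoded (srcuser, srcip, dstip). As Fabian noted earlier in the thread, the GeoIP fields are added at indexer level, after all decoders and rules, so a distance-based impossible-travel check has to run over the indexed alerts (from a scheduled query, or along the anomaly-detection route Fabian linked). The Python below is an added example for this page, not Wazuh code: it assumes each indexed alert carries data.srcuser, data.srcip, data.dstip, timestamp, GeoLocation.country_name and GeoLocation.location.lat/lon (the shape the Wazuh index template gives an alert that has a srcip), keeps rule 100311's same-user / different-srcip / same-dstip / 3600 s conditions, and generalises the different-country test to an implied-speed test, so two Italian cities 500 km apart inside half an hour are caught as well. Coordinates, IP addresses, users and timestamps are constructed; 900 km/h and the 50 km floor are assumed tuning values.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from math import asin, cos, radians, sin, sqrt

EARTH_RADIUS_KM = 6371.0


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres between two (lat, lon) points."""
    p1, p2 = radians(lat1), radians(lat2)
    a = sin((p2 - p1) / 2) ** 2 + cos(p1) * cos(p2) * sin(radians(lon2 - lon1) / 2) ** 2
    return 2 * EARTH_RADIUS_KM * asin(sqrt(a))


def _when(alert):
    """Alert timestamp as an aware datetime (indexed alerts use RFC 3339, often with 'Z')."""
    return datetime.fromisoformat(alert["timestamp"].replace("Z", "+00:00"))


def _geo(alert):
    loc = alert["GeoLocation"]["location"]   # assumed field path (see lead-in)
    return loc["lat"], loc["lon"]


def impossible_travel(alerts, timeframe=timedelta(seconds=3600),
                      max_speed_kmh=900.0, min_distance_km=50.0):
    """Pairs of logins by the same srcuser to the same dstip from different srcips
    within `timeframe` whose implied ground speed exceeds `max_speed_kmh`.

    Mirrors rule 100311's same_srcuser / different_srcip / same_dstip / timeframe
    conditions; the different-country test becomes a distance-over-time test.
    `min_distance_km` (assumed value) ignores moves that GeoIP imprecision alone
    can produce, e.g. one ISP's addresses placed in two neighbouring cities.
    """
    findings = []
    recent = defaultdict(list)      # srcuser -> earlier alerts still inside the timeframe
    for alert in sorted(alerts, key=_when):
        user, now = alert["data"]["srcuser"], _when(alert)
        window = [a for a in recent[user] if now - _when(a) <= timeframe]
        for prev in window:
            if prev["data"]["srcip"] == alert["data"]["srcip"]:
                continue            # <different_srcip />
            if prev["data"]["dstip"] != alert["data"]["dstip"]:
                continue            # <same_dstip />
            km = haversine_km(*_geo(prev), *_geo(alert))
            hours = (now - _when(prev)).total_seconds() / 3600.0
            if km < min_distance_km:
                continue
            if hours == 0.0 or km / hours > max_speed_kmh:
                findings.append({
                    "srcuser": user,
                    "from_ip": prev["data"]["srcip"], "to_ip": alert["data"]["srcip"],
                    "from_country": prev["GeoLocation"]["country_name"],
                    "to_country": alert["GeoLocation"]["country_name"],
                    "km": round(km, 1), "minutes": round(hours * 60, 1),
                    "kmh": None if hours == 0.0 else round(km / hours, 1),
                })
        recent[user] = window + [alert]
    return findings


def _alert(ts, user, srcip, country, lat, lon, dstip="1.1.1.1"):
    """Constructed alert in the assumed indexed shape; rule id as in the thread."""
    return {
        "timestamp": ts,
        "rule": {"id": "100310", "level": 7, "groups": ["forcepoint"]},
        "data": {"srcuser": user, "srcip": srcip, "dstip": dstip},
        "GeoLocation": {"country_name": country, "location": {"lat": lat, "lon": lon}},
    }


# Constructed sample: placeholder IPs, real city coordinates.
SAMPLE_ALERTS = [
    _alert("2024-03-23T10:00:00Z", "ad07521", "2.2.2.2", "Italy", 41.9028, 12.4964),   # Rome
    _alert("2024-03-23T10:20:00Z", "ad07521", "3.3.3.3", "Germany", 50.1109, 8.6821),  # Frankfurt, +20 min
    _alert("2024-03-23T10:50:00Z", "ad07521", "4.4.4.4", "Italy", 45.4642, 9.1900),    # Milan, +30 min
    _alert("2024-03-23T10:00:00Z", "user07", "5.5.5.5", "Italy", 41.9028, 12.4964),    # Rome
    _alert("2024-03-23T10:40:00Z", "user07", "5.5.5.5", "Italy", 41.9028, 12.4964),    # same IP: ignored
    _alert("2024-03-23T12:30:00Z", "ad07521", "2.2.2.2", "Italy", 41.9028, 12.4964),   # outside the window
]

if __name__ == "__main__":
    for finding in impossible_travel(SAMPLE_ALERTS):
        print(finding)
```

impossible_travel(SAMPLE_ALERTS) returns two findings: Rome to Frankfurt in 20 minutes and Frankfurt to Milan in 30 minutes. Rome to Milan in 50 minutes (about 570 km/h) stays under the threshold, and user07's same-IP logins are never compared; lower max_speed_kmh to 500 and the Rome-to-Milan pair is reported too. Because the correlation runs outside analysisd, every rule 100310 alert stays in the index, which sidesteps the suppression of the base alert that Federico describes.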