CDB | Not matching


John Carry

Feb 7, 2023, 12:08:50 AM
to Wazuh mailing list
Hello Wazuh Team,
I have created a CDB list "Fortigate-WebApps-Whitelist" where I have listed a large number of application names, in order to make it part of a rule which will trigger whenever the application specified is not listed in the CDB.

The rule is triggering successfully for other applications but not for a few application names; one of them is SSL. I have pasted the screenshot below. You are requested to confirm why the rule is still firing for SSL when I have already added SSL to the CDB list.

Regards,
John Carry

Pacome Kemkeu

Feb 7, 2023, 2:43:52 AM
to Wazuh mailing list
Hello John,

As seen in your second rule, you are using the lookup "not_address_match_key" which is usually used when the field to match is an IP address.
Instead, I recommend you change it to lookup="not_match_key". This will search for the key stored in the field attribute and will match if it is not present in the database.

Kindly test this and give me feedback please.

John Carry

Feb 7, 2023, 6:33:05 AM
to Wazuh mailing list
Just to bring to your knowledge, we had earlier used lookup="not_match_key" and later on we used not_address_match_key for testing purposes, but the result was the same for both.

Pacome Kemkeu

Feb 7, 2023, 10:52:30 AM
to Wazuh mailing list
Hello John, can you please provide a sample log and your current rules?
I'll test from my end and give you feedback!

John Carry

Feb 8, 2023, 6:36:04 AM
to Wazuh mailing list
FYI!

Sample Log:
date=2023-02-08 time=16:01:26 devname="XXX" devid="FG6H1ETB21907474" eventtime=1675854086564795921 tz="+0500" logid="1059028704" type="utm" subtype="app-ctrl" eventtype="signature" level="information" vd="root" appid=15895 user="XXX"  group="XXX"  srcip=XXX dstip=XXX4 srcport=36338 dstport=443 srcintf="XXX" srcintfrole="undefined" dstintf="port5" dstintfrole="wan" proto=6 service="SSL" direction="outgoing" policyid=11 sessionid=146915145 applist="default" action="pass" appcat="Network.Service" app="SSL" hostname="cdnjs.cloudflare.com" incidentserialno=17940180 url="/" msg="Network.Service: SSL," apprisk="elevated" scertcname="sni.cloudflaressl.com"

Current Rule:
    <rule id="81633" level="0" overwrite="yes">
        <if_sid>81603</if_sid>
        <match>subtype="app-ctrl"|subtype=app-ctrl</match>
        <action>pass</action>
        <list field="app" lookup="match_key">etc/lists/Fortigate-WebApps-Whitelist</list>
        <description>Fortigate: App passed by firewall-Whitelist Apps</description>
    </rule>
    <rule id="222032" level="5" >
        <if_sid>81603</if_sid>
        <match>subtype="app-ctrl"|subtype=app-ctrl</match>
        <action>pass</action>
        <list field="app" lookup="not_match_key">etc/lists/Fortigate-WebApps-Whitelist</list>
        <description>Fortigate: App passed by firewall-Needs Investigation for suspicious application</description>
    </rule>

Note:
The above-mentioned issue is seen with SSL but also with some other apps; however, they have a low count compared to SSL.

Pacome Kemkeu

Feb 8, 2023, 8:42:15 AM
to Wazuh mailing list
Hello John,
If I understand you correctly, you want to trigger alerts for applications that passed the Fortigate firewalls and are not inside your Fortigate-WebApps-Whitelist CDB list. If that is the case, I advise against modifying the default ruleset because we can solve this using custom rules. Please see the custom rules below:
1. This rule is for applications that are listed in your CDB list and is silenced as you wanted:
<rule id="222032" level="0" >
    <if_sid>81633</if_sid>
    <list field="app" lookup="match_key">etc/lists/Fortigate-WebApps-Whitelist</list>
    <description>Fortigate: App passed by firewall-Whitelist Apps</description>
</rule>
I used the log sample you provided and created the list with the SSL entry to test.

2. This second rule triggers for applications not listed in your CDB list:
<rule id="222033" level="5" >
  <if_sid>81633</if_sid>
  <list field="app" lookup="not_match_key">etc/lists/Fortigate-WebApps-Whitelist</list>
  <description>Fortigate: App passed by firewall-Needs Investigation for suspicious application</description>
</rule>
This is a second test without the SSL entry in the list:

Kindly test them and tell me if they suit your needs.
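To make the behaviour of the two custom rules concrete, here is an added Python emulation (not Wazuh's engine, not code from anyone in the thread) that decodes a Fortigate key=value line, loads a CDB list in its "key:value" line format, and evaluates `match_key` versus `not_match_key` on the `app` field. The sample log and whitelist are constructed for the example, and the lookup is assumed to be an exact, case-sensitive string comparison of the decoded field against the list keys.

```python
import re

# Constructed sample, cut down from the app-ctrl log posted in the thread.
SAMPLE_LOG = ('date=2023-02-08 time=16:01:26 type="utm" subtype="app-ctrl" '
              'service="SSL" action="pass" appcat="Network.Service" app="SSL" '
              'msg="Network.Service: SSL," hostname="cdnjs.cloudflare.com"')

# Constructed CDB list body: Wazuh lists are "key:value" lines, value may be empty.
WHITELIST_TEXT = "SSL:\nDNS:\nHTTPS.BROWSER:\n"

# key=value pairs; values are either double-quoted (may contain spaces) or bare.
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')

def parse_fortigate(line):
    """Split a Fortigate syslog line into a dict, stripping surrounding quotes."""
    fields = {}
    for key, val in KV_RE.findall(line):
        if len(val) >= 2 and val[0] == val[-1] == '"':
            val = val[1:-1]
        fields[key] = val
    return fields

def load_cdb_list(text):
    """Parse CDB list text into {key: value}; keys are compared as exact strings (assumption)."""
    entries = {}
    for raw in text.splitlines():
        line = raw.strip()
        if line and not line.startswith("#"):
            key, _, value = line.partition(":")
            entries[key] = value
    return entries

def list_lookup(fields, field, lookup, cdb):
    """Emulate <list field=... lookup=...> for the two lookups used in the thread."""
    value = fields.get(field)
    if value is None:          # field was not decoded, so the rule cannot match
        return False
    if lookup == "match_key":
        return value in cdb
    if lookup == "not_match_key":
        return value not in cdb
    raise ValueError(f"unsupported lookup: {lookup}")

def evaluate(line, whitelist_text):
    """Return the id of the custom rule that fires (222032 or 222033), else None."""
    fields = parse_fortigate(line)
    if fields.get("subtype") != "app-ctrl" or fields.get("action") != "pass":
        return None
    cdb = load_cdb_list(whitelist_text)
    if list_lookup(fields, "app", "match_key", cdb):
        return 222032
    return 222033 if list_lookup(fields, "app", "not_match_key", cdb) else None
```

Because the comparison is on the exact decoded string, a whitelist entry whose key differs from the decoded `app` value only by case or surrounding whitespace will not silence the alert; checking the decoded field value against the list keys byte for byte is the first thing to verify when a listed application still triggers rule 222033.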