Wazuh Sophos XG 135 Decoders and Rules


Francisco Reis

Jun 13, 2023, 12:21:26 PM
to Wazuh mailing list
Hi,

Has anyone managed to create Decoders and Rules for the Sophos XG 135 Firewall?

Thanks!

Mateo Cervilla

Jun 13, 2023, 3:07:31 PM
to Wazuh mailing list
Hello Francisco,

Wazuh already supports a group of Sophos logs; the decoders are 0300-sophos_decoders.xml and 0510-sophos_fw_decoders.xml, and the rules are 0415-sophos_rules.xml and 0705-sophos_fw_rules.xml.
Did you try using them?

Regards,
Mateo

Francisco Reis

Jun 14, 2023, 1:02:06 PM
to Wazuh mailing list
Hi Mateo,

Thanks in advance for the prompt response!

Below is an example log:

2023 Jun 14 14:30:52 siem->10.10.10.10 device_name="SFW" timestamp="2023-06-14T14:30:52+0100" device_model="XG135" device_serial_id="YYYYYYYYYY" log_id="010202601001" log_type="Firewall" log_component="Invalid Traffic" log_subtype="Denied" log_version=1 severity="Information" fw_rule_id="N/A" nat_rule_id="0" fw_rule_type="NETWORK" ether_type="IPv4 (0x0800)" in_interface="Port1" src_ip="10.10.10.100" src_country="R1" dst_ip="100.100.100.100" dst_country="DEU" protocol="TCP" src_port=99999 dst_port=00 hb_status="No Heartbeat" message="Could not associate packet to any connection." app_resolved_by="Signature" app_is_cloud="FALSE" qualifier="New" in_display_interface="Port0" log_occurrence="1"

It turns out that when I put it in the Decoders Test, we have the following result:

[attachment: PrintscreenWazuhSophos.png]

As you can see, in phase 2, there is no match.

Do you have any suggestions?

Mateo Cervilla

Jun 15, 2023, 5:41:22 PM
to Wazuh mailing list
Hi Francisco,

Looks like your logs don't match the current decoders. If you take a look at /var/ossec/ruleset/decoders/0510-sophos_fw_decoders.xml you can see some log examples like:
  • device="SFW" date=2019-10-09 time=17:19:06 timezone="+08" device_name="XG210" device_id=AAAAAAAA1234567 log_id=010101010101 log_type="Firewall" log_component="Firewall Rule" log_subtype="Denied" status="Deny" priority=Information duration=0 fw_rule_id=14 policy_type=1 user_name="" user_gp="" iap=2 ips_policy_id=0 appfilter_policy_id=0 application="" application_risk=0 application_technology="" application_category="" in_interface="Port3" out_interface="Port2" src_mac=11:22:aa:bb:22:11 src_ip=11.22.33.44 src_country_code= dst_ip=44.33.22.11 dst_country_code= protocol="TCP" src_port=52667 dst_port=10051 sent_pkts=0  recv_pkts=0 sent_bytes=0 recv_bytes=0 tran_src_ip= tran_src_port=0 tran_dst_ip= tran_dst_port=0 srczonetype="" srczone="" dstzonetype="" dstzone="" dir_disp="" connid="" vconnid="" hb_health="No Heartbeat" message="" appresolvedby="Signature"
You may notice that the structure is very similar but it has some differences.

What you can do is try to modify this decoder and the rules to adapt them to your logs.
Here is some related documentation:
If you find it too difficult and can't get it done, let me know and I'll try to help you do it.

Kind regards,
Mateo
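A custom decoder and rule adapted to the key="value" format in Francisco's log (timestamp= instead of date=/time=, hb_status instead of hb_health, quoted src_ip/dst_ip), added here as an illustration; it is not part of this thread or of the Wazuh ruleset. It assumes Wazuh 4.3 or later for the pcre2 regex type, and the rule IDs 100200/100201 are placeholders in the custom range.

```xml
<!-- /var/ossec/etc/decoders/local_decoder.xml (example, not the stock 0510 decoder) -->
<decoder name="sophos-xg-kv">
  <!-- Only the newer format has timestamp=; the stock decoder prematches on date= -->
  <prematch>device_name="SFW" timestamp="</prematch>
</decoder>

<decoder name="sophos-xg-kv-fields">
  <parent>sophos-xg-kv</parent>
  <!-- pcre2 lets .*? skip keys we do not extract, so extra or reordered keys do not break the match -->
  <regex type="pcre2">timestamp="([^"]+)".*?log_id="(\d+)" log_type="([^"]+)" log_component="([^"]+)" log_subtype="([^"]+)".*?src_ip="([^"]+)".*?dst_ip="([^"]+)".*?protocol="([^"]+)" src_port=(\d+) dst_port=(\d+)</regex>
  <!-- srcip/dstip/srcport/dstport/protocol/id are standard fields; the rest appear as data.<name> -->
  <order>device_time, id, log_type, log_component, log_subtype, srcip, dstip, protocol, srcport, dstport</order>
</decoder>

<!-- /var/ossec/etc/rules/local_rules.xml (example rules; IDs 100200/100201 are placeholders) -->
<group name="sophos,firewall,">
  <rule id="100200" level="3">
    <decoded_as>sophos-xg-kv</decoded_as>
    <description>Sophos XG: $(log_component) - $(log_subtype)</description>
  </rule>

  <rule id="100201" level="5">
    <if_sid>100200</if_sid>
    <!-- Raise the level for denied traffic such as the "Invalid Traffic"/"Denied" event above -->
    <field name="log_subtype">^Denied$</field>
    <description>Sophos XG denied $(protocol) $(srcip):$(srcport) to $(dstip):$(dstport)</description>
    <group>firewall_block,</group>
  </rule>
</group>
```

Paste the raw log into /var/ossec/bin/wazuh-logtest after restarting the manager: phase 2 should now report the sophos-xg-kv decoder and the extracted fields, and phase 3 should fire rule 100201 for the Denied event.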
