Wazuh rules for fortigate


Ренат Ондар

Sep 29, 2023, 8:11:31 AM
to Wazuh | Mailing List
Hello team

I've got an issue with rule 81628. I can't understand the condition under which this rule gets triggered.
Attacks targeting FortiGate firewalls can take various forms, including:
1) Firewall Bypass: Attempts to exploit vulnerabilities in the firewall's configuration or software to bypass its security measures and gain unauthorized access to the network.
2) Denial of Service (DoS): Deliberate attempts to overload the firewall with a flood of traffic or resource-intensive requests, causing it to become unresponsive and unable to perform its intended functions.
3) Unauthorized Access: Attempts to gain unauthorized access to the firewall's management interfaces or administrative accounts in order to manipulate its configuration, disable security features, or perform other malicious activities.
4) Exploiting Vulnerabilities: Exploiting known or unknown vulnerabilities in the FortiGate firmware or software to gain unauthorized access, execute arbitrary code, or perform privilege escalation.
5) Malware Distribution: Attempts to use the firewall to distribute malware or malicious payloads to other devices on the network, bypassing firewall security measures.
6) Firewall Policy Evasion: Techniques used to bypass or evade firewall policies, such as exploiting application-level vulnerabilities, encrypting traffic, or using advanced evasion techniques.

Please explain the conditions of this rule to me:

<rule id="81628" level="11">
    <if_sid>81603</if_sid>
    <match>attack</match>
    <action>detected</action>
    <description>Fortigate attack detected.</description>
    <group>attack,gdpr_IV_35.7.d,hipaa_164.312.b,nist_800_53_AU.6,pci_dss_10.6.1,</group>
</rule>

Nicolas Alejandro Bertoldo

Sep 29, 2023, 9:53:15 AM
to Wazuh | Mailing List
Hi Ренат Ондар,

I hope you are doing well.
The conditions that trigger this rule are:
  • <if_sid>81603</if_sid> : Rule 81603 must first be triggered
  • <match>attack</match> : Log event contains "attack"
  • <action>detected</action> : The field "action" contains the value "detected"
You can see the rules syntax reference here: 
In addition, these two files may be useful to understand:
Here is an example of a fortigate log that triggers this rule:

Mar 22 19:21:00 10.10.10.10 date=2016-03-22 time=19:20:46 devname=Text devid=FGT3HD0000000000 logid=0000018000 type=anomaly subtype=anomaly level=alert vd="root" severity=critical srcip=10.10.10.35 dstip=10.10.10.84 srcintf="port2" sessionid=0 action=detected proto=6 service=tcp/36875 count=1903 attack="tcp_syn_flood" srcport=32835 dstport=2960 attackid=100663396 profile="DoS-policy1" ref="http://www.fortinet.com/ids/VID100663396" msg="anomaly: tcp_syn_flood, 2001 > threshold 2000, repeats 1903 times" crscore=50 crlevel=critical

The wazuh-logtest output:

Starting wazuh-logtest v4.5.2
Type one log per line

Mar 22 19:21:00 10.10.10.10 date=2016-03-22 time=19:20:46 devname=Text devid=FGT3HD0000000000 logid=0000018000 type=anomaly subtype=anomaly level=alert vd="root" severity=critical srcip=10.10.10.35 dstip=10.10.10.84 srcintf="port2" sessionid=0 action=detected proto=6 service=tcp/36875 count=1903 attack="tcp_syn_flood" srcport=32835 dstport=2960 attackid=100663396 profile="DoS-policy1" ref="http://www.fortinet.com/ids/VID100663396" msg="anomaly: tcp_syn_flood, 2001 > threshold 2000, repeats 1903 times" crscore=50 crlevel=critical

**Phase 1: Completed pre-decoding.
full event: 'Mar 22 19:21:00 10.10.10.10 date=2016-03-22 time=19:20:46 devname=Text devid=FGT3HD0000000000 logid=0000018000 type=anomaly subtype=anomaly level=alert vd="root" severity=critical srcip=10.10.10.35 dstip=10.10.10.84 srcintf="port2" sessionid=0 action=detected proto=6 service=tcp/36875 count=1903 attack="tcp_syn_flood" srcport=32835 dstport=2960 attackid=100663396 profile="DoS-policy1" ref="http://www.fortinet.com/ids/VID100663396" msg="anomaly: tcp_syn_flood, 2001 > threshold 2000, repeats 1903 times" crscore=50 crlevel=critical'
timestamp: 'Mar 22 19:21:00'
hostname: '10.10.10.10'

**Phase 2: Completed decoding.
name: 'fortigate-firewall-v5'
action: 'detected'
attack: 'tcp_syn_flood'
attackid: '100663396'
count: '1903'
crlevel: 'critical'
crscore: '50'
devid: 'FGT3HD0000000000'
devname: 'Text'
dstip: '10.10.10.84'
dstport: '2960'
level: 'alert'
logid: '0000018000'
msg: 'anomaly: tcp_syn_flood, 2001 > threshold 2000, repeats 1903 times'
profile: 'DoS-policy1'
proto: '6'
ref: 'http://www.fortinet.com/ids/VID100663396'
service: 'tcp/36875'
sessionid: '0'
severity: 'critical'
srcintf: 'port2'
srcip: '10.10.10.35'
srcport: '32835'
subtype: 'anomaly'
time: '19:20:46'
type: 'anomaly'
vd: 'root'

**Phase 3: Completed filtering (rules).
id: '81628'
level: '11'
description: 'Fortigate attack detected.'
groups: '['fortigate', 'syslog', 'attack']'
firedtimes: '1'
gdpr: '['IV_35.7.d']'
hipaa: '['164.312.b']'
mail: 'False'
nist_800_53: '['AU.6']'
pci_dss: '['10.6.1']'
**Alert to be generated.

I hope this helps. Let me know if you have any further questions.
Regards
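To make the three conditions concrete, here is an added Python walkthrough (not part of the thread, and not Wazuh's own decoder or rule engine) that applies them to the sample log above plus two constructed variants; the `<if_sid>` check is approximated by "the decoder recognised the line", which is an assumption.

```python
import re

# Constructed sample: the FortiGate DoS-anomaly log quoted in the answer above.
ATTACK_DETECTED_LOG = (
    'Mar 22 19:21:00 10.10.10.10 date=2016-03-22 time=19:20:46 devname=Text '
    'devid=FGT3HD0000000000 logid=0000018000 type=anomaly subtype=anomaly '
    'level=alert vd="root" severity=critical srcip=10.10.10.35 dstip=10.10.10.84 '
    'srcintf="port2" sessionid=0 action=detected proto=6 service=tcp/36875 '
    'count=1903 attack="tcp_syn_flood" srcport=32835 dstport=2960 '
    'attackid=100663396 profile="DoS-policy1" '
    'msg="anomaly: tcp_syn_flood, 2001 > threshold 2000, repeats 1903 times" '
    'crscore=50 crlevel=critical'
)
# Constructed: the same anomaly with action=dropped, so the
# <action>detected</action> condition fails although "attack" is present.
ATTACK_DROPPED_LOG = ATTACK_DETECTED_LOG.replace('action=detected', 'action=dropped')
# Constructed: an ordinary traffic log with neither "attack" nor action=detected.
TRAFFIC_DENY_LOG = (
    'Mar 22 19:22:00 10.10.10.10 date=2016-03-22 time=19:21:50 devname=Text '
    'devid=FGT3HD0000000000 logid=0000000013 type=traffic subtype=forward '
    'level=notice vd="root" srcip=10.10.10.35 dstip=10.10.10.84 action=deny '
    'proto=6 service=HTTP policyid=0'
)

# key=value pairs; a quoted value may contain spaces (e.g. msg="...").
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')

def decode_fortigate(line: str) -> dict:
    """Extract FortiGate key=value fields and strip surrounding quotes.
    Simplified stand-in for the fortigate-firewall-v5 decoder, not Wazuh's code."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}

def rule_81628_fires(line: str) -> bool:
    """Apply the three conditions of rule 81628 as the answer lists them."""
    fields = decode_fortigate(line)
    # <if_sid>81603</if_sid>: approximated as "the FortiGate decoder recognised
    # the line"; the real parent rule has conditions of its own.
    parent_fired = bool(fields)
    # <match>attack</match>: plain substring test against the raw log line.
    has_attack_text = 'attack' in line
    # <action>detected</action>: compares the decoded 'action' field.
    action_detected = fields.get('action') == 'detected'
    return parent_fired and has_attack_text and action_detected

if __name__ == '__main__':
    for name, log in [('attack_detected', ATTACK_DETECTED_LOG),
                      ('attack_dropped', ATTACK_DROPPED_LOG),
                      ('traffic_deny', TRAFFIC_DENY_LOG)]:
        print(f'{name}: alert={rule_81628_fires(log)}')
```

Only the first sample satisfies all three conditions; the dropped variant shows that a matching "attack" string alone is not enough when the action field differs.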