rule is not triggering


ccM

Sep 30, 2024, 3:44:44 AM
to Wazuh | Mailing List
Hi, I have a firewall rule for the detection of external IP connections. In Ruleset Test the rule is triggering correctly, but in the "real environment" it does not. Does anyone have an idea what's going wrong? Thanks a lot

<group name="sophos-fw,">
  <rule id="700020" level="0">
    <decoded_as>sophos-fw</decoded_as>
    <description>Sophos XG210 Firewall event</description>
  </rule>

  <rule id="700032" level="0">
    <if_sid>700020</if_sid>
    <field name="dst_ip" type="pcre2">^(?!(10|127|169\.254|192\.168|172\.(2[0-9]|1[6-9]|3[0-1])|(25[6-9]|2[6-9][0-9]|[3-9][0-9][0-9]|99[1-9]))\.)[0-9]{1,3}(\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)){3}$</field>
    <description>Detect external IP-Connections $(src_ip) to $(dst_ip) from $(dst_country)</description>
  </rule>


**Messages:
    INFO: (7202): Session initialized with token 'b2ce7850'

**Phase 1: Completed pre-decoding.
    full event: 'device_name="SFW" timestamp="2024-09-30T09:34:45+0200" device_model="XGS4300" device_serial_id="XXXXXXXX" log_id="010102600002" log_type="Firewall" log_component="Firewall Rule" log_subtype="Denied" log_version=1 severity="Information" fw_rule_id="91" fw_rule_name="Drop All" fw_rule_section="Local rule" nat_rule_id="3" nat_rule_name="default MASQ" fw_rule_type="USER" web_policy_id=2 ether_type="IPv4 (0x0800)" out_interface="Port2" src_ip="12.32.213.1" src_country="DEU" dst_ip="123.32.12.1" dst_country="USA" protocol="TCP" src_port=49708 dst_port=443 hb_status="No Heartbeat" app_resolved_by="Signature" app_is_cloud="FALSE" qualifier="New" out_display_interface="External WAN" log_occurrence="1"'

**Phase 2: Completed decoding.
    name: 'sophos-fw'
    app_is_cloud: 'FALSE'
    app_resolved_by: 'Signature'
    device_model: 'XXXXXXXXXXX'
    device_serial_id: 'XXXXXXXXXXXX'
    dst_country: 'USA'
    dst_ip: '123.32.12.1'
    fw_rule_id: '91'
    log_id: '010102600002'
    log_subtype: 'Denied'
    log_type: 'Firewall'
    protocol: 'TCP'
    qualifier: 'New'
    severity: 'Information'
    src_country: 'DEU'
    src_ip: '12.32.213.1'
    timestamp: '2024-09-30T09:34:45+0200'

**Phase 3: Completed filtering (rules).
    id: '700032'
    level: '0'
    description: 'Detect external IP-Connections 12.32.213.1 to 123.32.12.1 from USA'
    groups: '["sophos-fw"]'
    firedtimes: '1'
    mail: 'false'

Jose Luis Carreras Marin

Sep 30, 2024, 4:44:35 AM
to Wazuh | Mailing List
Hello ccM,

We will try to analyze step by step the use and operation of custom rules. I leave you a link to the related documentation in case you find some useful information: https://documentation.wazuh.com/current/user-manual/ruleset/rules/custom.html

First of all, I see that there is already an official rule to decode those events:

Ā  <rule id=ā€œ70020ā€ level=ā€œ0ā€>

Ā  Ā  <decoded_as>sophos-fw</decoded_as>
Ā  Ā  <description>Sophos XG210 Firewall event</description>
Ā  </rule>


So you shouldn't need to create another one; it could be interfering with the order in which the rules are triggered.
It should be enough to add a custom rule to check the dst_ip field (it is recommended to use rule IDs between 100000 and 120000, to ensure they don't collide with official rules).
Then, to verify the event, we can activate the logall mode in the manager and see the content of the archives.log file, where all the events arrive before being filtered by rules and decoders. This way we make sure that the event is arriving, and we can see its fields. To activate logall:

  • Add <logall>yes</logall> to the global block of the config.
  • Restart the manager.
  • Check the /var/ossec/logs/archives/archives.log file after triggering the events.

Show me as much info as possible and I will try to reproduce and find a solution for your problem.

Greetings,
Jose


ccM

Oct 2, 2024, 2:19:41 AM
to Wazuh | Mailing List
Hi
I hope you are fine. Sorry for the late response, I was some days off.
The official Sophos rules are disabled because I had to do some modifications.
  <rule_exclude>0705-sophos_fw_rules.xml</rule_exclude>
Archives (logall) is also already enabled in my environment and the events I have tested are arriving.
That's my whole (Sophos) ruleset:

<!--
  -  Sophos XGS-4300 Firewall rules
  -  Created by Wazuh, Inc.
  -  Copyright (C) 2015, Wazuh Inc.
  -  This program is a free software; you can redistribute it and/or modify it under the terms of GPLv2.
-->


<group name="sophos-fw,">
  <rule id="700020" level="0">
    <decoded_as>sophos-fw</decoded_as>
    <description>Sophos XGS4300 Firewall event</description>
  </rule>

  <rule id="700021" level="8">
    <if_sid>700020</if_sid>
    <field name="log_subtype">Denied</field>
    <description>Traffic Denied: from $(src_ip) to $(dst_ip)</description>
  </rule>

  <rule id="700022" level="3">
    <if_sid>700020</if_sid>
    <field name="log_subtype">Allowed</field>
    <description>Traffic Allowed: from $(src_ip) to $(dst_ip)</description>
  </rule>

  <rule id="700023" level="3">
    <if_sid>700020</if_sid>
    <field name="log_subtype">Detect</field>
    <description>Traffic Detected: from $(src_ip) to $(dst_ip)</description>
  </rule>

  <rule id="700024" level="3">
    <if_sid>700020</if_sid>
    <field name="log_subtype">Drop</field>
    <description>Traffic Dropped: from $(src_ip) to $(dst_ip)</description>
  </rule>

  <rule id="700025" level="3">
    <if_sid>700020</if_sid>
    <field name="log_subtype">Clean</field>
    <description>Traffic Cleaned: from $(src_ip) to $(dst_ip)</description>
  </rule>

  <rule id="700026" level="13">
    <if_sid>700020</if_sid>
    <field name="log_subtype">Virus</field>
    <description>Virus detected: source IP $(src_ip)</description>
  </rule>

  <rule id="700027" level="5">
    <if_sid>700020</if_sid>
    <field name="log_subtype">Spam|Probable Spam</field>
    <description>Spam: source IP $(src_ip)</description>
  </rule>

  <rule id="700028" level="3">
    <if_sid>700020</if_sid>
    <field name="log_subtype">Admin</field>
    <description>Admin Traffic: from $(src_ip) to $(dst_ip)</description>
  </rule>

  <rule id="700029" level="5">
    <if_sid>700020</if_sid>
    <field name="log_subtype">Authentication</field>
    <description>Authentication Traffic: from $(src_ip) to $(dst_ip)</description>
  </rule>

  <rule id="700030" level="3">
    <if_sid>700020</if_sid>
    <field name="log_subtype">System</field>
    <description>System Traffic: from $(src_ip) to $(dst_ip)</description>
  </rule>

  <rule id="700031" level="12">
    <if_sid>700020</if_sid>
    <field name="log_subtype">Alert</field>
    <description>Traffic alerted: from $(src_ip) to $(dst_ip)</description>
  </rule>

  <rule id="700032" level="0">
    <if_sid>700020</if_sid>
    <field name="dst_ip" type="pcre2">^(?!(10|127|169\.254|192\.168|172\.(2[0-9]|1[6-9]|3[0-1])|(25[6-9]|2[6-9][0-9]|[3-9][0-9][0-9]|99[1-9]))\.)[0-9]{1,3}(\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)){3}$</field>
    <description>Detect external IP-Connections $(src_ip) to $(dst_ip) from $(dst_country)</description>
  </rule>
</group>

Piotr

Oct 2, 2024, 5:13:43 AM
to Wazuh | Mailing List
Hi there,
please tell me how you know that in the "real environment" the 700032 rule doesn't work?
Maybe you should just raise the rule level from zero to something like 3 or above?

Cheers!
Piotr

Jose Luis Carreras Marin

Oct 4, 2024, 8:30:13 AM
to Wazuh | Mailing List
Hello ccM

Indeed, the problem seems to be the level of the alert you are waiting for, as Piotr says.
Alerts with a level lower than 3 will be muted and will not be displayed anywhere. Rule levels documentation:
This value is configurable here:

If you still have problems, let us know!

Regards,
Jose
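The diagnosis reached in this thread can be checked offline. The following is an added example written for this page, not code from the thread, from Wazuh, or from Sophos: it re-implements the two pieces that matter (the sophos-fw key=value decoding and the dst_ip regex of rule 700032, copied verbatim) and then applies the manager's alert threshold. It assumes the stock ossec.conf value <alerts><log_alert_level>3</log_alert_level></alerts>; the sample events, and the function names parse_sophos, is_external_dst, evaluate and run_samples, are constructed for the example.

```python
import re

# Example code for this page (not from the thread or from Wazuh): a stand-in
# for the sophos-fw decoder plus rule 700032, showing why a rule that matches
# in wazuh-logtest can still produce no alert on the manager.

# Regex copied verbatim from the rule's <field name="dst_ip" type="pcre2"> test.
EXTERNAL_DST_RE = re.compile(
    r"^(?!(10|127|169\.254|192\.168|172\.(2[0-9]|1[6-9]|3[0-1])"
    r"|(25[6-9]|2[6-9][0-9]|[3-9][0-9][0-9]|99[1-9]))\.)"
    r"[0-9]{1,3}(\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)){3}$"
)

# Sophos firewall logs are key=value pairs; values are double-quoted or bare.
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

# Assumed: the default <alerts><log_alert_level> of a stock manager is 3.
# Matches from rules below this level are never written to alerts.log.
DEFAULT_LOG_ALERT_LEVEL = 3

# Constructed sample events; the first mirrors the redacted event in the thread.
SAMPLE_EVENTS = {
    "public_dst": (
        'device_name="SFW" log_type="Firewall" log_subtype="Denied" '
        'src_ip="12.32.213.1" src_country="DEU" dst_ip="123.32.12.1" '
        'dst_country="USA" protocol="TCP" src_port=49708 dst_port=443'
    ),
    "rfc1918_dst": (
        'device_name="SFW" log_type="Firewall" log_subtype="Allowed" '
        'src_ip="192.168.1.20" dst_ip="192.168.1.10" protocol="TCP" dst_port=445'
    ),
    "cgnat_dst": (
        'device_name="SFW" log_type="Firewall" log_subtype="Allowed" '
        'src_ip="10.0.0.5" dst_ip="100.64.1.1" protocol="UDP" dst_port=53'
    ),
}


def parse_sophos(line):
    """Decode one Sophos key=value line into a dict (what the sophos-fw decoder yields)."""
    return {key: quoted or bare for key, quoted, bare in KV_RE.findall(line)}


def is_external_dst(dst_ip):
    """Rule 700032's field test: True when dst_ip is outside the excluded ranges."""
    return EXTERNAL_DST_RE.search(dst_ip) is not None


def evaluate(line, rule_level, log_alert_level=DEFAULT_LOG_ALERT_LEVEL):
    """Return (matched, alerted) for one event.

    'matched' is what wazuh-logtest reports in Phase 3; 'alerted' is whether
    that match would reach alerts.log given the manager's level threshold.
    """
    fields = parse_sophos(line)
    matched = is_external_dst(fields.get("dst_ip", ""))
    alerted = matched and rule_level >= log_alert_level
    return matched, alerted


def run_samples(rule_level):
    """Evaluate every constructed sample event at the given rule level."""
    return {name: evaluate(line, rule_level) for name, line in SAMPLE_EVENTS.items()}


if __name__ == "__main__":
    for level in (0, 3):
        print(f"rule level {level}:")
        for name, (matched, alerted) in run_samples(level).items():
            print(f"  {name:12s} matched={matched!s:5s} alerted={alerted}")
```

Running it shows the thread's symptom directly: at rule level 0 the public-destination event matches but alerted is False, at level 3 it alerts. Two things worth knowing when reading the output: the rule's own regex treats 100.64.0.0/10 (shared address space, RFC 6598) as external, which may or may not be intended; and because Wazuh fires a single rule per event, rule 700021 (level 8) also matches log_subtype="Denied" in the full ruleset posted above, so run wazuh-logtest against the complete ruleset to see which sibling actually wins for denied traffic.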
