Rules against attacks for a Stormshield firewall integrated in Wazuh


Fl Passelerg

Apr 15, 2024, 1:21:41 PM
to Wazuh | Mailing List
Hello,

I integrated our Stormshield firewall into Wazuh, with a decoder (with separate regexes), and it works very well.
The amount of logs is simply HUGE!
What rules do you recommend creating against attacks, and to filter out logs that carry no threat?
What are the Wazuh alert best practices for firewall traffic logs?
The logs are often action=pass, but I don't think it's a good idea to ignore where the firewall lets a frame pass :-D
I want to monitor and detect these actions, for example:
- nmap sniffing
- man-in-the-middle actions
- pass the hash
- Responder, ntlmrelayx and the Impacket tools
- proxychains and pivoting attacks
etc.
Thank you for your advice!

Florence

Sebastian Dario Bustos

Apr 16, 2024, 12:10:24 AM
to Wazuh | Mailing List
Hello Florence,
Thank you for using Wazuh!

The rules are organized in a hierarchy, so even if an event only generates a low-level alert because of a pass action, there can be child rules that detect a pattern across multiple consecutive events. The clearest example is drop events together with a rule that analyzes the frequency of those drop events within a timeframe (and from the same source IP) to generate a higher-level alert than the original, a possible attack indicator.

For example, these are the generic firewall rules you can find in our default ruleset (file 0900-firewall_rules.xml):
<group name="firewall,">
  <rule id="4100" level="0">
    <category>firewall</category>
    <description>Firewall rules grouped.</description>
  </rule>


  <rule id="4101" level="5">
    <if_sid>4100</if_sid>
    <action>DROP</action>
    <options>no_log</options>
    <description>Firewall drop event.</description>
    <group>firewall_drop,pci_dss_1.4,gpg13_4.12,gdpr_IV_35.7.d,hipaa_164.312.a.1,nist_800_53_SC.7,tsc_CC6.7,tsc_CC6.8,</group>
  </rule>

  <rule id="4151" level="10" frequency="18" timeframe="45" ignore="240">
    <if_matched_sid>4101</if_matched_sid>
    <same_source_ip />
    <description>Multiple Firewall drop events from same source.</description>
    <group>multiple_drops,pci_dss_1.4,pci_dss_10.6.1,gpg13_4.12,gdpr_IV_35.7.d,hipaa_164.312.a.1,hipaa_164.312.b,nist_800_53_SC.7,nist_800_53_AU.6,tsc_CC6.7,tsc_CC6.8,tsc_CC7.2,tsc_CC7.3,</group>
  </rule>
</group>


It is a good idea to check the specific firewall rule files in our default ruleset for good examples of firewall rules; then, once you have the base, you can make more complex rules if your intention is to catch a specific behavior or attack. A very well-developed, long-standing rule file is the one for Fortigate devices (/var/ossec/ruleset/rules/0391-fortigate_rules.xml).
You can find a strong base in that file, and you will also find examples of attack detection on our blog, which is constantly being updated with new techniques and integrations.

Hope this helps.
Regards.

Fl Passelerg

Apr 16, 2024, 7:02:18 AM
to Wazuh | Mailing List
Thank you for your response, Sebastian.

I modified my custom rule like this. Is it correct? Because right now I no longer get any alert from my Stormshield:

<group name="firewall,">
  <rule id="100010" level="5">
    <if_sid>4151</if_sid>
    <decoded_as>stormshield_decoder</decoded_as>  
    <description>Stormshield logs grouping rule</description>  
  </rule>
</group>
I will analyse your /var/ossec/ruleset/rules/0391-fortigate_rules.xml, which seems very complete!
Florence

Fl Passelerg

Apr 16, 2024, 8:08:27 AM
to Wazuh | Mailing List
Or should I do it like this?

<group name="firewall,">
  <rule id="100010" level="5">
    <decoded_as>stormshield_decoder</decoded_as>  
    <description>Stormshield logs grouping rule</description>  
  </rule>
  <rule id="100011" level="0">
    <if_sid>100010</if_sid>

    <action>DROP</action>
    <options>no_log</options>
    <description>Firewall drop event.</description>
    <group>firewall_drop,pci_dss_1.4,gpg13_4.12,gdpr_IV_35.7.d,hipaa_164.312.a.1,nist_800_53_SC.7,tsc_CC6.7,tsc_CC6.8,</group>
  </rule>
  <rule id="100012" level="10" frequency="18" timeframe="45" ignore="240">
    <if_matched_sid>100011</if_matched_sid>

    <same_source_ip />
    <description>Multiple Firewall drop events from same source.</description>
    <group>multiple_drops,pci_dss_1.4,pci_dss_10.6.1,gpg13_4.12,gdpr_IV_35.7.d,hipaa_164.312.a.1,hipaa_164.312.b,nist_800_53_SC.7,nist_800_53_AU.6,tsc_CC6.7,tsc_CC6.8,tsc_CC7.2,tsc_CC7.3,</group>
  </rule>
</group>

Sebastian Dario Bustos

Apr 17, 2024, 12:44:59 AM
to Wazuh | Mailing List
Hello Florence,
The ideal is to set the parent rule (the one that groups events) to level 0 and then create child rules that separate the events by action. Once you have those, you can create more complex rules that depend on them and analyze for patterns, like multiple attempts from the same IP, for example. You will have to check that field names like action have the same name in your logs, so your rules can properly trigger.
Here are some modifications to your posted rules:

<group name="firewall,">
  <rule id="100010" level="0">
    <decoded_as>stormshield_decoder</decoded_as>  
    <description>Stormshield logs grouping rule</description>  
  </rule>

  <rule id="100011" level="5">

    <if_sid>100010</if_sid>
    <action>DROP</action>
    <options>no_log</options>
    <description>Firewall drop event.</description>
    <group>firewall_drop,pci_dss_1.4,gpg13_4.12,gdpr_IV_35.7.d,hipaa_164.312.a.1,nist_800_53_SC.7,tsc_CC6.7,tsc_CC6.8,</group>
  </rule>

  <rule id="100012" level="10" frequency="18" timeframe="45" ignore="240">
    <if_matched_sid>100011</if_matched_sid>
    <same_source_ip />
    <description>Multiple Firewall drop events from same source.</description>
    <group>multiple_drops,pci_dss_1.4,pci_dss_10.6.1,gpg13_4.12,gdpr_IV_35.7.d,hipaa_164.312.a.1,hipaa_164.312.b,nist_800_53_SC.7,nist_800_53_AU.6,tsc_CC6.7,tsc_CC6.8,tsc_CC7.2,tsc_CC7.3,</group>
  </rule>
</group>

If you want to see other alerts for other actions (perhaps with a lower level; the minimum is 3 by default), you may want to include a few more child rules of 100010 for the rest of the actions you want to view. If you need to check for a more specific behavior, you can also create child rules of them matching a field's value or a frequency, as in the example.

If you want to share your decoder and a log sample for a drop event, I can check that the field name assigned to the action field is correct.

Let me know if this helps.
Regards

Fl Passelerg

Apr 18, 2024, 10:12:59 AM
to Wazuh | Mailing List
Hello Sebastian,
OK, I understand, and I have changed the level of my first rule 100010 to "0": it's much better!

I managed to simulate a brute-force VPN attack in order to build new rules :-)
I want to block the source IP address when there are multiple authentication failures concerning the password only (10 attempts within 45 s for the moment).
Is my 100014 rule correct?

<group name="firewall,">

  <rule id="100010" level="0">
    <decoded_as>stormshield_decoder</decoded_as>  
    <description>Stormshield logs grouping rule</description>  
  </rule>
  <rule id="100011" level="5">
    <if_sid>100010</if_sid>
    <action>DROP</action>
    <options>no_log</options>
    <description>Firewall drop event.</description>
    <group>firewall_drop,pci_dss_1.4,gpg13_4.12,gdpr_IV_35.7.d,hipaa_164.312.a.1,nist_800_53_SC.7,tsc_CC6.7,tsc_CC6.8,</group>
  </rule>
  <rule id="100012" level="10" frequency="18" timeframe="45" ignore="240">
    <if_matched_sid>100011</if_matched_sid>
    <same_source_ip />
    <description>Multiple Firewall drop events from same source.</description>
    <group>multiple_drops,pci_dss_1.4,pci_dss_10.6.1,gpg13_4.12,gdpr_IV_35.7.d,hipaa_164.312.a.1,hipaa_164.312.b,nist_800_53_SC.7,nist_800_53_AU.6,tsc_CC6.7,tsc_CC6.8,tsc_CC7.2,tsc_CC7.3,</group>
  </rule>

  <rule id="100013" level="12">
    <if_sid>100010</if_sid>
    <match>"Error during authentication : authentication failed, bad password"</match>
    <description>MDP invalide en VPN</description>
    <options>alert_by_email</options>
  </rule>

  <rule id="100014" level="12" frequency="10" timeframe="45" >
    <if_sid>100010</if_sid>
    <match>"Error during authentication : user not found in ldap"</match>
    <description>Acces invalide en VPN</description>
    <options>alert_by_email</options>
  </rule>
</group>

And I will add the 100014 rule to the manager configuration like this, to block the IP address for 24 h:
  <active-response>
    <command>firewall-drop</command>
    <location>local</location>
    <rules_id>100014,</rules_id>
    <timeout>86400</timeout>    
  </active-response>

What do you think about that?

Florence

Sebastian Dario Bustos

Apr 18, 2024, 10:51:03 PM
to Wazuh | Mailing List
Hi Florence,
Regarding these 2 rules, it would be more appropriate to give the initial rule a lower alert level and then make the more complex rule the level 12 one, as in this example:

  <rule id="100013" level="7">

    <if_sid>100010</if_sid>
    <match>"Error during authentication : authentication failed, bad password"</match>
    <description>MDP invalide en VPN</description>
    <options>alert_by_email</options>
  </rule>

  <rule id="100014" level="12" frequency="10" timeframe="45" >
    <if_sid>100010</if_sid>
    <match>"Error during authentication : user not found in ldap"</match>
    <description>Acces invalide en VPN</description>
    <options>alert_by_email</options>
  </rule>

Regarding the active response, just one little change: I'm removing the trailing comma from the rules_id field; the rest looks fine:
  
  <active-response>
    <command>firewall-drop</command>
    <location>local</location>
    <rules_id>100014</rules_id>
    <timeout>86400</timeout>    
  </active-response>


Hope it helps.
Regards.
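To check that the thresholds in 100012 and 100014 behave as the two replies above describe (a level-0 parent, per-action children, and frequency rules correlated on the source IP), here is an added example, not code from the thread or from Wazuh, that emulates the counting in Python over constructed Stormshield-shaped log lines. The real engine is wazuh-analysisd, and wazuh-logtest remains the authoritative way to test rules; two things here are assumptions the thread does not show: the decoder storing the firewall's `src` value under Wazuh's `srcip` name (which `<same_source_ip/>` needs), and the field names used for the filter (drop) lines.

```python
"""Added example, not code from the thread or from Wazuh: an offline emulation of how the
posted rule set treats Stormshield key=value logs, to sanity-check frequency thresholds."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

_KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')  # key=value, value optionally "quoted"

def parse_stormshield(line):
    """Decode one line into fields, as the poster's decoder does. Stormshield calls the
    client address `src`; it is copied to Wazuh's `srcip` because <same_source_ip/> and
    firewall-drop read `srcip`. Assumption: the thread does not show the decoder."""
    fields = {}
    for key, quoted, bare in _KV.findall(line):
        fields[key] = quoted if quoted else bare
    if "src" in fields:
        fields["srcip"] = fields["src"]
    t = fields.get("time")
    fields["_ts"] = datetime.strptime(t, "%Y-%m-%d %H:%M:%S") if t else None
    return fields

class Rule:
    """Wazuh-style rule: `match` is a predicate on the decoded fields; frequency/timeframe/
    ignore mimic rules 100012 and 100014, counted per srcip like <same_source_ip/>. Fires on
    the `frequency`-th match inside `timeframe` seconds (analysisd's exact count may differ)."""
    def __init__(self, rule_id, level, match, frequency=0, timeframe=0, ignore=0):
        self.rule_id, self.level, self.match = rule_id, level, match
        self.frequency, self.timeframe, self.ignore = frequency, timeframe, ignore
        self._seen = defaultdict(deque)  # srcip -> timestamps still inside the timeframe
        self._ignore_until = {}          # srcip -> muted until this time

    def feed(self, f):
        if not self.match(f):
            return None
        alert = {"rule.id": self.rule_id, "rule.level": self.level,
                 "srcip": f.get("srcip"), "time": f["_ts"].isoformat()}
        if not self.frequency:
            return alert
        ip, ts = f.get("srcip"), f["_ts"]
        if ip is None or ts < self._ignore_until.get(ip, ts):
            return None  # nothing to correlate on, or still inside the ignore window
        q = self._seen[ip]
        q.append(ts)
        while ts - q[0] > timedelta(seconds=self.timeframe):
            q.popleft()
        if len(q) < self.frequency:
            return None
        q.clear()
        if self.ignore:
            self._ignore_until[ip] = ts + timedelta(seconds=self.ignore)
        return alert

def stormshield_rules():
    """Children of 100010 as posted; 100010 itself is the id=firewall filter in run()."""
    is_drop = lambda f: f.get("action") == "DROP"  # <action>DROP</action>: exact value match
    bad_pw = lambda f: "authentication failed, bad password" in f.get("msg", "")
    no_user = lambda f: "user not found in ldap" in f.get("msg", "")
    return [Rule("100011", 5, is_drop),
            Rule("100012", 10, is_drop, frequency=18, timeframe=45, ignore=240),
            Rule("100013", 7, bad_pw),
            Rule("100014", 12, no_user, frequency=10, timeframe=45)]

def run(lines):
    """Feed lines through the rule set; return every alert that fired, in order."""
    rules, alerts = stormshield_rules(), []
    for f in map(parse_stormshield, lines):
        if f.get("id") == "firewall" and f["_ts"] is not None:
            alerts.extend(a for a in (r.feed(f) for r in rules) if a)
    return alerts

def count(alerts, rule_id):
    return sum(1 for a in alerts if a["rule.id"] == rule_id)

T0 = datetime(2024, 4, 20, 9, 56, 59)

def line(ts, src, **kv):
    """Constructed sample: the prefix of the xvpn line quoted in the thread (APP-NAME left
    as '-') plus the given key=value pairs, quoted when the value contains spaces."""
    t = ts.strftime("%Y-%m-%d %H:%M:%S")
    extra = " ".join(f'{k}="{v}"' if " " in v else f"{k}={v}" for k, v in kv.items())
    return (f'1 {ts.isoformat()}+02:00 Fw1 - - - - id=firewall time="{t}" '
            f'fw="Fw1" tz=+0200 startime="{t}" src={src} {extra}')

def sample_events():
    s = lambda n: timedelta(seconds=n)
    ldap = "Error during authentication : user not found in ldap"
    badpw = "Error during authentication : authentication failed, bad password"
    return (
        # 12 unknown-user failures from one address in 22 s: 100014 fires once, on the 10th
        [line(T0 + s(2 * i), "88.166.26.80", user="attaquant", msg=ldap, logtype="xvpn") for i in range(12)]
        # 3 bad-password failures: 100013 on each one, nothing escalates
        + [line(T0 + s(30 + i), "10.0.0.7", user="florence", msg=badpw, logtype="xvpn") for i in range(3)]
        # 20 drops in 20 s from one scanner: 100011 x20, 100012 once, then ignore=240 mutes it
        + [line(T0 + s(i), "203.0.113.9", action="DROP", dstport="445") for i in range(20)]
        # 5 drops spread over 80 s: never 18 inside 45 s, so 100011 only
        + [line(T0 + s(20 * i), "198.51.100.3", action="DROP", dstport="22") for i in range(5)]
        # action=pass never matches the DROP child rule
        + [line(T0 + s(i), "10.0.0.20", action="pass", dstport="443") for i in range(4)])

if __name__ == "__main__":
    fired = run(sample_events())
    print({rid: count(fired, rid) for rid in ("100011", "100012", "100013", "100014")})
```

Running it prints one 100014 and one 100012 escalation for the two noisy sources, 25 level-5 drop alerts, three level-7 bad-password alerts and nothing for the pass lines. Two points worth carrying back to the real rules: 100014 and 100012 can only correlate on a source when the decoder fills `srcip`, and `<action>DROP</action>` is an exact comparison against the decoded action value, so it never matches if the firewall writes that action under another word (the thread only shows action=pass).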

Fl Passelerg

Apr 20, 2024, 11:51:36 AM
to Wazuh | Mailing List
Hi Sebastian,
Very good.
I have another question.
I get the alert "Alerte : IP BLOQUEE" triggered by the firewall-drop command.
But in this case the IP is not blocked; I can continue attacking my firewall with my malicious script.
Which IP does Wazuh choose to block?
Here is the full log:

_index wazuh-alerts-4.x-2024.04.20
agent.id 000
agent.name wazuh
data.command add
data.dstuser attaquant
data.origin.module wazuh-execd
data.origin.name node01
data.parameters.alert.agent.id 000
data.parameters.alert.agent.name wazuh
data.parameters.alert.data.dstuser attaquant
data.parameters.alert.data.fw Fw_Compans1
data.parameters.alert.data.logtype xvpn
data.parameters.alert.data.msg Error during authentication : user not found in ldap
data.parameters.alert.data.startime 2024-04-20 09:56:59
data.parameters.alert.data.time 2024-04-20 09:56:59
data.parameters.alert.data.tz +0200
data.parameters.alert.decoder.name stormshield_decoder
data.parameters.alert.full_log
1 2024-04-20T09:56:59+02:00 Fw1 openvpn_auth - - - id=firewall time="2024-04-20 09:56:59" fw="Fw1" tz=+0200 startime="2024-04-20 09:56:59" ipproto="UDP" user="attaquant" domain="masociete.fr" src=88.166.26.80 msg="Error during authentication : user not found in ldap" logtype="xvpn"
data.parameters.alert.id 1713599817.44042456
data.parameters.alert.location 192.168.1.1
data.parameters.alert.manager.name wazuh
data.parameters.alert.rule.description Acces invalide en VPN
data.parameters.alert.rule.firedtimes 67
data.parameters.alert.rule.groups firewall
data.parameters.alert.rule.id 100014
data.parameters.alert.rule.level 12
data.parameters.alert.rule.mail true
data.parameters.alert.timestamp 2024-04-20T07:56:57.908+0000
data.parameters.extra_args
data.parameters.program active-response/bin/firewall-drop
data.version 1
decoder.name ar_log_json
decoder.parent ar_log_json
full_log
2024/04/20 07:56:57 active-response/bin/firewall-drop: {"version":1,"origin":{"name":"node01","module":"wazuh-execd"},"command":"add","parameters":{"extra_args":[],"alert":{"timestamp":"2024-04-20T07:56:57.908+0000","rule":{"level":12,"description":"Acces invalide en VPN","id":"100014","firedtimes":67,"mail":true,"groups":["firewall"]},"agent":{"id":"000","name":"wazuh"},"manager":{"name":"wazuh"},"id":"1713599817.44042456","full_log":"1 2024-04-20T09:56:59+02:00 Fw1 openvpn_auth - - - id=firewall time=\"2024-04-20 09:56:59\" fw=\"Fw1\" tz=+0200 startime=\"2024-04-20 09:56:59\" ipproto=\"UDP\" user=\"attaquant\" domain=\"masociete.fr\" src=88.166.26.80 msg=\"Error during authentication : user not found in ldap\" logtype=\"xvpn\"","decoder":{"name":"stormshield_decoder"},"data":{"dstuser":"attaquant","time":"2024-04-20 09:56:59","fw":"Fw1","tz":"+0200","startime":"2024-04-20 09:56:59","msg":"Error during authentication : user not found in ldap","logtype":"xvpn"},"location":"192.168.1.1"},"program":"active-response/bin/firewall-drop"}}
id 1713599819.44053511
input.type log
location /var/ossec/logs/active-responses.log
manager.name wazuh
rule.description Alerte : IP BLOQUEE
rule.firedtimes 67
rule.groups local, syslog, sshd, web
rule.id 100003
rule.level 13
rule.mail true
timestamp Apr 20, 2024 @ 09:56:59.649
 
Thanks a lot!
Florence

Sebastian Dario Bustos

Apr 22, 2024, 11:11:12 PM
to Wazuh | Mailing List
Hi Florence,
The active response script should be adding the alert's source IP to block it on your firewall. You may want to check in your agent's "<install_dir>/active-response/bin" whether the script you are pointing to is available; perhaps you are attempting to use a firewall-drop command instead of netsh for Windows. Here is a reference of the default active response scripts per platform:
https://documentation.wazuh.com/current/user-manual/capabilities/active-response/default-active-response-scripts.html
If the above is not the case, it would be helpful to take a look at the agent's ossec.log and active-responses.log for errors while executing the active response command (I assume the log you pasted is from the manager's logs; please correct me if I'm wrong).

Let me know,
Regards.

Fl Passelerg

Apr 30, 2024, 10:54:31 AM
to Sebastian Dario Bustos, Wazuh | Mailing List
Hello Sebastian,
Sorry for the delay, I was in Paris for the CYSAT show, where I tried to explain that our Wazuh is fabulous!

I tried to understand your message...
In my case,
my endpoint is a Windows PC with a Wazuh agent (or without one, if it's an attacker), with access to our VPN or a malicious access,
or
my endpoint is a PC running Linux with no Wazuh agent and malicious access to our VPN.
This PC tried to brute-force our VPN and I want to block it.

So, if I understand, I need to use the right active response depending on the attacker?

For my example, my malicious script is launched from a Linux PC without a Wazuh agent.
I used this active response:
  <active-response>
    <command>firewall-drop</command>
    <location>local</location>
    <rules_id>100014</rules_id>
    <timeout>120</timeout>    <!-- 120 just to test -->
  </active-response>

Actually, I wanted to follow exactly the same case described here: https://documentation.wazuh.com/current/user-manual/capabilities/active-response/ar-use-cases/blocking-ssh-brute-force.html
This works very well, even if the endpoint is not registered in Wazuh;
I blocked several IPs around the world that were attacking a web server hosted at OVH :-)

But it doesn't work in my case... so what is the right active response?
Should I create a specific active response for my Stormshield firewall?
And you're right, the log I pasted is from the manager's logs.

Thanks a lot,
Florence
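The alert pasted earlier in the thread shows where to look. The `data` object handed to the active response (`data.parameters.alert.data.*`) carries dstuser, fw, msg, logtype and the timestamps, but no `srcip`, even though the raw line contains `src=88.166.26.80`; and since Wazuh 4.2 the firewall-drop program reads one JSON message on stdin, in exactly the shape logged in active-responses.log above, and takes the address to block from `parameters.alert.data.srcip`, exiting without touching the firewall when that field is missing or not a valid address. The following is an added example, not code from the thread or from Wazuh: it emulates that extraction and the iptables commands the Linux firewall-drop builds, once with the posted `data` object and once with a variant where the decoder also stores the line's `src=` value as `srcip`.

```python
"""Added example, not from the thread or from Wazuh: what the firewall-drop active response
is given and acts on, checked against the alert pasted in the thread."""
import ipaddress
import json

def blocked_ip(ar_message):
    """Return the address firewall-drop would block for one AR message, or None.
    The program reads the JSON message on stdin and takes the address from
    parameters.alert.data.srcip; with no valid srcip it exits without changing anything."""
    msg = json.loads(ar_message)
    if msg.get("command") not in ("add", "delete"):
        return None
    ip = msg.get("parameters", {}).get("alert", {}).get("data", {}).get("srcip")
    try:
        return str(ipaddress.ip_address(ip)) if ip else None
    except ValueError:
        return None

def iptables_commands(ar_message):
    """Commands of the shape the Linux firewall-drop runs: insert (add) or delete a DROP for
    the source in INPUT and FORWARD. <location>local</location> runs them on the agent that
    raised the alert; the pasted alert comes from agent 000 (the manager receiving the
    Stormshield syslog), so they would land on the manager, not on the Stormshield."""
    ip = blocked_ip(ar_message)
    if ip is None:
        return []
    flag = "-I" if json.loads(ar_message)["command"] == "add" else "-D"
    return [f"iptables {flag} {chain} -s {ip} -j DROP" for chain in ("INPUT", "FORWARD")]

def ar_message(data, command="add"):
    """Build an AR message with the structure shown in the thread (only the relevant fields)."""
    return json.dumps({"version": 1, "origin": {"name": "node01", "module": "wazuh-execd"},
                       "command": command,
                       "parameters": {"extra_args": [],
                                      "alert": {"rule": {"level": 12, "id": "100014"},
                                                "agent": {"id": "000", "name": "wazuh"},
                                                "decoder": {"name": "stormshield_decoder"},
                                                "data": data, "location": "192.168.1.1"},
                                      "program": "active-response/bin/firewall-drop"}})

# the data object exactly as it appears in the pasted alert: no srcip field at all
AS_POSTED = {"dstuser": "attaquant", "time": "2024-04-20 09:56:59", "fw": "Fw1", "tz": "+0200",
             "startime": "2024-04-20 09:56:59", "logtype": "xvpn",
             "msg": "Error during authentication : user not found in ldap"}
# the same alert once the decoder stores the line's src=88.166.26.80 as srcip (assumed fix)
WITH_SRCIP = dict(AS_POSTED, srcip="88.166.26.80")

if __name__ == "__main__":
    for label, data in (("as posted", AS_POSTED), ("with srcip", WITH_SRCIP)):
        print(label, "->", blocked_ip(ar_message(data)), iptables_commands(ar_message(data)))
```

With the `data` object as posted the function returns None and no command, which matches what the thread reports: rule 100003 fires on the active-responses.log entry, but nothing is blocked. With `srcip` present the emulation yields the two DROP insertions, and those would be applied on the host running the agent named in the alert, here the manager itself.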



