Web traffic by user from firewall syslog


matthewr.univ...@gmail.com

Jul 10, 2018, 11:17:54 PM
to Wazuh mailing list
Hello,

I am testing out Wazuh and one of the possible use cases I am wondering about is monitoring web browsing. I can connect a firewall to Wazuh with syslog, for example a SonicWall with CFS logging on. If I do so, is there a dashboard or nice-looking way to show which users went to which site/type of site, and for how long? For example, https://www.fastvue.co/ does this, but Wazuh collects all the same information and has a nice dashboard it can be displayed on as well.

1. Is there an alert set that sorts web traffic from firewall syslog? 
Maybe this is as simple as sorting social media sites into a specific alert level, proxies or whatever into another.

2. Is there a pre-built dashboard we could import that shows this sort of info when a firewall is connected?
In my head this would label the alert levels into their respective category like 'social media' and display it in an easy-to-understand way. Being able to filter by user would be critical.

3. Does the above seem possible to do with Wazuh, or is this out of scope?
With my limited understanding of Wazuh, it seems possible and a likely thing someone has already done. From a brief search I couldn't find anything, and my alternative motive is that I also wanted to see how active this forum is.

Thanks!

Matt


Jesus Linares

Jul 31, 2018, 7:36:54 AM
to Wazuh mailing list
Hi Matt,

Sorry for the late response. Wazuh is able to monitor web browsing using the logs of firewalls, web servers, proxies, etc. As far as I know, we don't have specific dashboards or rules for that purpose right now, but we have seen customers using Wazuh for a similar goal successfully.

If you share your logs related to web browsing, we can help you with the creation of decoders, rules, and dashboards to achieve your purpose.

Thank you for your feedback. 

matthewr.univ...@gmail.com

Aug 2, 2018, 12:45:25 PM
to Wazuh mailing list
Jesus,

It is traffic logs in syslog format from a SonicWall. I can turn on "log all" and grab an exact example if need be, but here is an official example.

<134>id=firewall sn=18B1690729A8 time="2016-06-16 17:21:40 UTC" fw=10.205.123.15 pri=6 c=1024 m=97 app=48 n=9 src=192.168.168.10:52589:X0 dst=69.192.240.232:443:X1:a69-192-240-232.deploy.akamaitechnologies.com srcMac=98:90:96:de:f1:78 dstMac=ec:f4:bb:fb:f7:f6 proto=tcp/https op=1 sent=798 rcvd=12352 result=403 dstname=www.suntrust.com arg=/favicon.ico code=20 Category="Online Banking"

I am currently getting alerts from the SonicWall in Kibana on the premade OVA image of Wazuh 3.4. I am guessing the next step would be to add a decoder for dstname=**** and src=****. Then add a rule with alert level 3 or so. Then we can filter by site or source computer.

I appreciate any help. I understand the basics of decoders and rules but am not familiar with regex or the proper rule syntax yet.

Thanks,

Matt

Miguel Casares

Aug 3, 2018, 1:13:58 PM
to matthewr.univ...@gmail.com, Wazuh mailing list
Hello Matthew,

I have been running a test and, even though you are receiving alerts from the SonicWall, the SonicWall decoders do not work correctly. We have opened an issue in order to fix this decoder. You can follow its status at the following link: https://github.com/wazuh/wazuh-ruleset/issues/162

Thank you very much; we became aware of this issue through your contribution.

To understand how regex and the rule syntax work, it is a good idea to write your own decoders and rules. For testing purposes, you can create your own decoders and custom rules from existing ones and also add new ones. In this case, I will show you how to create your own decoders and rules:

I am going to describe this procedure using an easy example. Here is a log from a program called Example:

Dec 25 20:45:02 MyHost example[12345]: User 'admin' logged from '192.168.1.100' with id=023

First, we need to decode this information, so we add the new decoder to /var/ossec/etc/decoders/local_decoder.xml:

<decoder name="example">
    <program_name>^example</program_name>
</decoder>

<!-- child decoder: evaluated only after the parent above has matched; '\.' is a
     literal dot in Wazuh regex, whereas an unescaped '.' matches any character -->
<decoder name="example">
    <parent>example</parent>
    <regex>User '(\w+)' logged from '(\d+\.\d+\.\d+\.\d+)' with \w+=(\d+)</regex>
    <order>user, srcip, id</order>
</decoder>

Now, we have to match the program name with the rule. For this, we will add the following rule to /var/ossec/etc/rules/local_rules.xml:

<group name="local,example,">
  <!-- custom rule IDs belong in the 100000-120000 range reserved for local rules -->
  <rule id="100010" level="3">
    <program_name>example</program_name>
    <description>User logged</description>
  </rule>
</group>

You can check the rule syntax that Wazuh uses at the following link: https://documentation.wazuh.com/current/user-manual/ruleset/ruleset-xml-syntax/rules.html

We can check if it works by using /var/ossec/bin/ossec-logtest:

**Phase 1: Completed pre-decoding.
       full event: 'Dec 25 20:45:02 MyHost example[12345]: User 'admin' logged from '192.168.1.100' with id=023'
       timestamp: 'Dec 25 20:45:02'
       hostname: 'MyHost'
       program_name: 'example'
       log: 'User 'admin' logged from '192.168.1.100' with id=023' 

**Phase 2: Completed decoding.
       decoder: 'example'
       dstuser: 'admin'
       srcip: '192.168.1.100'
       id: '023' 

**Phase 3: Completed filtering (rules).
       Rule id: '100010'
       Level: '3'
       Description: 'User logged'
**Alert to be generated.

If you need more information on rules and decoders, you can check the following link: https://documentation.wazuh.com/current/user-manual/ruleset/custom.html

I hope this helps you.

Best regards,

Miguel Casares
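As an added example (not from this thread and not part of the Wazuh ruleset), here is a Python parser for the SonicWall CFS line Matt posted: it handles the quoted Category value and the ip:port:interface src/dst fields that a decoder would have to extract, and groups the result per source IP, site and category, which is the aggregation behind the per-user dashboard he describes. The three extra log lines are constructed, using reserved addresses and a reserved .example domain.

```python
import re
from collections import defaultdict

# Matt's official SonicWall CFS example from the thread, plus three constructed lines
# (not real traffic; RFC 5737 addresses and a reserved .example domain) to group on.
SAMPLE_LOGS = [
    '<134>id=firewall sn=18B1690729A8 time="2016-06-16 17:21:40 UTC" fw=10.205.123.15 '
    'pri=6 c=1024 m=97 app=48 n=9 src=192.168.168.10:52589:X0 '
    'dst=69.192.240.232:443:X1:a69-192-240-232.deploy.akamaitechnologies.com '
    'srcMac=98:90:96:de:f1:78 dstMac=ec:f4:bb:fb:f7:f6 proto=tcp/https op=1 sent=798 '
    'rcvd=12352 result=403 dstname=www.suntrust.com arg=/favicon.ico code=20 '
    'Category="Online Banking"',
    '<134>id=firewall time="2016-06-16 17:22:05 UTC" src=192.168.168.10:52601:X0 dst=203.0.113.7:443:X1 '
    'proto=tcp/https sent=1204 rcvd=88210 result=200 dstname=social.example arg=/feed Category="Social Networking"',
    '<134>id=firewall time="2016-06-16 17:22:40 UTC" src=192.168.168.22:49152:X0 dst=203.0.113.7:443:X1 '
    'proto=tcp/https sent=640 rcvd=9100 result=200 dstname=social.example arg=/ Category="Social Networking"',
    # plain connection event without CFS fields: the summary must ignore it
    '<134>id=firewall time="2016-06-16 17:23:00 UTC" src=192.168.168.22:49200:X0 dst=192.168.168.1:53:X0 proto=udp/dns',
]

# key=value pairs; a double-quoted value may contain spaces (Category="Online Banking"),
# which a naive split on whitespace would cut in two
KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S*))')

def parse_sonicwall(line):
    """Return one SonicWall syslog line as a dict, dropping the <PRI> prefix. src/dst are
    ip:port:interface[:rdns] and are split into *ip/*port like a decoder <order> would."""
    fields = {}
    for m in KV.finditer(re.sub(r'^<\d{1,3}>', '', line)):
        fields[m.group(1)] = m.group(2) if m.group(2) is not None else m.group(3)
    for key in ('src', 'dst'):
        if key in fields:
            ip, _, rest = fields[key].partition(':')
            fields[key + 'ip'], fields[key + 'port'] = ip, rest.split(':')[0]
    return fields

def browsing_summary(lines):
    """Aggregate hits and bytes per (source IP, site, CFS category): the grouping behind
    the per-user dashboard asked about. Events without dstname are not web events."""
    summary = defaultdict(lambda: {'hits': 0, 'sent': 0, 'rcvd': 0})
    for line in lines:
        f = parse_sonicwall(line)
        if 'dstname' not in f:
            continue
        entry = summary[(f['srcip'], f['dstname'], f.get('Category', 'Uncategorized'))]
        entry['hits'] += 1
        entry['sent'] += int(f.get('sent', 0))
        entry['rcvd'] += int(f.get('rcvd', 0))
    return dict(summary)
```

The field names the parser produces (srcip, dstip, dstname, Category) are the ones a Wazuh decoder for this format would need to fill so that Kibana can filter by source computer, site or category.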

Visit this group at https://groups.google.com/group/wazuh.
To view this discussion on the web visit https://groups.google.com/d/msgid/wazuh/d9f010ac-5a7d-4425-99e5-2e1dece61e29%40googlegroups.com.