Sophos Decoders Issue


Domenica Wairimu

Feb 27, 2026, 5:41:08 AM
to Wazuh | Mailing List
Hello,
I have been working on Sophos decoders and rules for two weeks now. I can't seem to figure them out.
Kindly help me out.

2026-02-15T00:22:04.224289+00:00 mail.ABC.com device_name="C240777JYDX4V72" timestamp="2026-02-15T03:22:04+0300" device_model="XGS2300" device_serial_id="X230228634MR9BD" log_id="106025618011" log_type="Wireless Protection" log_component="Wireless Protection" log_subtype="Information" log_version=1 severity="Information" reported_id="P520052J64WYRF8" ssid="EXECUTIVE" con_count=1

2026-02-15T00:22:04.314200+00:00 mail.ABC.com device_name="C240777JYDX4V72" timestamp="2026-02-15T03:22:04+0300" device_model="XGS2300" device_serial_id="X230228634MR9BD" log_id="010101600001" log_type="Firewall" log_component="Firewall Rule" log_subtype="Allowed" log_version=1 severity="Information" fw_rule_id="18" fw_rule_name="SVR_LAN-TO-WAN" fw_rule_section="Local rule" nat_rule_id="2" nat_rule_name="Default SNAT IPv4" fw_rule_type="USER" gw_id_request=3 gw_name_request="DATA-FIBER" sdwan_route_id_request=2 sdwan_route_name_request="Primary-Internet-Access" web_policy_id=1 app_filter_policy_id=1 ether_type="Unknown (0x0000)" in_interface="Port1" out_interface="PortF1" src_mac="00:0C:29:09:78:62" dst_mac="A8:91:62:13:66:61" src_ip="192.168.1.232" src_country="R1" dst_ip="172.67.154.27" dst_country="USA" protocol="TCP" src_port=58150 dst_port=443 src_trans_ip="25.206.44.88" src_zone_type="LAN" src_zone="LAN" dst_zone_type="WAN" dst_zone="WAN" con_event="Start" con_id="241232500" hb_status="No Heartbeat" app_resolved_by="Signature" app_is_cloud="FALSE" qualifier="New" in_display_interface="Port1" out_display_interface="PortF1" log_occurrence="1"


2026-02-15T00:21:40.023530+00:00 mail.ABC.com device_name="C240777JYDX4V72" timestamp="2026-02-15T03:21:39+0300" device_model="XGS2300" device_serial_id="X230228634MR9BD" log_id="010202601001" log_type="Firewall" log_component="Invalid Traffic" log_subtype="Denied" log_version=1 severity="Information" fw_rule_id="N/A" nat_rule_id="0" fw_rule_type="NETWORK" ether_type="IPv4 (0x0800)" src_ip="192.168.0.230" src_country="R1" dst_ip="2.17.169.110" dst_country="KEN" protocol="TCP" src_port=55704 dst_port=443 hb_status="No Heartbeat" message="Could not associate packet to any connection." app_resolved_by="Signature" app_is_cloud="FALSE" qualifier="New" log_occurrence="1"

Regards,
Domenica

Bony V John

Feb 27, 2026, 6:02:45 AM
to Wazuh | Mailing List
Hi,

Please allow me some time, I'm working on this and will get back to you with an update as soon as possible.

Bony V John

Feb 27, 2026, 7:20:45 AM
to Wazuh | Mailing List
Hi,

Based on the three logs you shared, I created a custom Sophos decoder and some basic rules to trigger alerts on the Wazuh Dashboard.
I used a sibling decoder approach so each decoder block extracts values from the log separately.

You can try the custom decoder below using the sample logs you shared:

<!-- Parent decoder: matches any Sophos Firewall key="value" event.
     The model is captured by the first child below instead of being hard-coded
     here, so the same decoder also serves other appliances that log in this format. -->
<decoder name="sophos-firewall">
  <prematch>device_name="\S*" timestamp="\S*" device_model="\S*"</prematch>
</decoder>

<!-- Sibling children: each block below carries the parent's name, so Wazuh keeps
     evaluating the remaining siblings after one matches and every matching block
     contributes its own fields. The appliance timestamp is stored as event_timestamp
     because "timestamp" is a reserved field name in Wazuh alerts. -->
<decoder name="sophos-firewall">
  <parent>sophos-firewall</parent>
  <regex type="osregex">device_name="(\S*)" timestamp="(\S*)" device_model="(\S*)" device_serial_id="(\S*)" log_id="(\d*)" log_type="(\.*)" log_component="(\.*)" log_subtype="(\S*)" log_version=(\d*) severity="(\w*)"</regex>
  <order>device_name, event_timestamp, device_model, device_serial_id, log_id, log_type, log_component, log_subtype, log_version, severity</order>
</decoder>

<!-- Fields that appear only in Wireless Protection events -->
<decoder name="sophos-firewall">
  <parent>sophos-firewall</parent>
  <regex type="osregex">reported_id="(\S*)"</regex>
  <order>reported_id</order>
</decoder>

<decoder name="sophos-firewall">
  <parent>sophos-firewall</parent>
  <regex type="osregex">ssid="(\S*)"</regex>
  <order>ssid</order>
</decoder>

<decoder name="sophos-firewall">
  <parent>sophos-firewall</parent>
  <regex type="osregex">con_count=(\d*)</regex>
  <order>con_count</order>
</decoder>

<!-- Fields that appear in Firewall events. Values that may contain spaces
     (rule section, NAT rule name) are captured with \.* rather than \S*. -->
<decoder name="sophos-firewall">
  <parent>sophos-firewall</parent>
  <regex type="osregex">fw_rule_id="(\S*)"</regex>
  <order>fw_rule_id</order>
</decoder>

<decoder name="sophos-firewall">
  <parent>sophos-firewall</parent>
  <regex type="osregex">fw_rule_name="(\S*)"</regex>
  <order>fw_rule_name</order>
</decoder>

<decoder name="sophos-firewall">
  <parent>sophos-firewall</parent>
  <regex type="osregex">fw_rule_section="(\.*)"\s</regex>
  <order>fw_rule_section</order>
</decoder>

<decoder name="sophos-firewall">
  <parent>sophos-firewall</parent>
  <regex type="osregex">nat_rule_id="(\d*)"</regex>
  <order>nat_rule_id</order>
</decoder>

<decoder name="sophos-firewall">
  <parent>sophos-firewall</parent>
  <regex type="osregex">nat_rule_name="(\.*)"</regex>
  <order>nat_rule_name</order>
</decoder>

<decoder name="sophos-firewall">
  <parent>sophos-firewall</parent>
  <regex type="osregex">fw_rule_type="(\S*)"</regex>
  <order>fw_rule_type</order>
</decoder>

Also, you can try the basic rules below to trigger alerts:
<group name="sophos,">
  <!-- Base rule: every decoded Sophos event lands here; level 0 means no alert by itself -->
  <rule id="110001" level="0">
    <decoded_as>sophos-firewall</decoded_as>
    <description>Sophos Firewall events grouped</description>
  </rule>

  <!-- <field> values are regular expressions, so they are anchored with ^ and $
       to avoid matching longer values that merely contain the word -->
  <rule id="110002" level="5">
    <if_sid>110001</if_sid>
    <field name="log_type">^Wireless Protection$</field>
    <field name="ssid">^EXECUTIVE$</field>
    <description>Sophos Wireless: Activity on SSID EXECUTIVE (reported_id=$(reported_id), con_count=$(con_count))</description>
    <group>wireless,sophos,ssid_monitoring</group>
  </rule>

  <rule id="110003" level="8">
    <if_sid>110001</if_sid>
    <field name="log_type">^Firewall$</field>
    <field name="log_subtype">^Denied$</field>
    <field name="log_component">^Invalid Traffic$</field>
    <description>Sophos Firewall: Denied invalid traffic</description>
    <group>network,firewall,deny,sophos</group>
  </rule>

  <rule id="110004" level="3">
    <if_sid>110001</if_sid>
    <field name="log_type">^Firewall$</field>
    <field name="log_subtype">^Allowed$</field>
    <field name="log_component">^Firewall Rule$</field>
    <description>Sophos Firewall: Allowed traffic by firewall rule $(fw_rule_name) (ID $(fw_rule_id))</description>
    <group>network,firewall,allow,sophos</group>
  </rule>
</group>

In the decoder above, I created a full decoder to extract values from the first log. For the second and third events you shared, it will decode only some fields. To decode the remaining fields, you can add additional sibling decoder blocks in the same way.

You can also create more custom rules based on your requirement.

You can refer to the following documentation:

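The reply above relies on two things that are easy to get wrong in this log format: values such as log_type="Wireless Protection" or fw_rule_section="Local rule" contain spaces, so a `\S*` capture silently fails on them, and the rule `<field>` checks are regular-expression matches against the decoded values. The following Python script is an added example, not part of the thread and not Wazuh's decoder engine (Wazuh evaluates OS_Regex/PCRE2 in C). It tokenises the three posted sample lines with a quoted-or-bare key=value parser, renames `timestamp` to `event_timestamp` the way the posted decoder does, evaluates the three alerting rules from the reply against the decoded fields, and shows what a `\S*`-style capture would have extracted. The second sample line is abridged to the fields the rules and the capture check use; the rule table mirrors rules 110002 to 110004 above.

```python
"""Offline model of the Sophos XGS key="value" format and the thread's rules.

Added example: plain Python `re`, used only to check which fields each sample
line yields and which rule would fire. It is not Wazuh's own decoder engine.
"""
import re

# Constructed sample input: the three syslog lines posted in the thread
# (second line abridged to the fields used below).
SAMPLE_LOGS = [
    '2026-02-15T00:22:04.224289+00:00 mail.ABC.com device_name="C240777JYDX4V72" '
    'timestamp="2026-02-15T03:22:04+0300" device_model="XGS2300" device_serial_id="X230228634MR9BD" '
    'log_id="106025618011" log_type="Wireless Protection" log_component="Wireless Protection" '
    'log_subtype="Information" log_version=1 severity="Information" reported_id="P520052J64WYRF8" '
    'ssid="EXECUTIVE" con_count=1',
    '2026-02-15T00:22:04.314200+00:00 mail.ABC.com device_name="C240777JYDX4V72" '
    'timestamp="2026-02-15T03:22:04+0300" device_model="XGS2300" device_serial_id="X230228634MR9BD" '
    'log_id="010101600001" log_type="Firewall" log_component="Firewall Rule" log_subtype="Allowed" '
    'log_version=1 severity="Information" fw_rule_id="18" fw_rule_name="SVR_LAN-TO-WAN" '
    'fw_rule_section="Local rule" nat_rule_id="2" nat_rule_name="Default SNAT IPv4" fw_rule_type="USER" '
    'ether_type="Unknown (0x0000)" src_ip="192.168.1.232" dst_ip="172.67.154.27" protocol="TCP" '
    'src_port=58150 dst_port=443 log_occurrence="1"',
    '2026-02-15T00:21:40.023530+00:00 mail.ABC.com device_name="C240777JYDX4V72" '
    'timestamp="2026-02-15T03:21:39+0300" device_model="XGS2300" device_serial_id="X230228634MR9BD" '
    'log_id="010202601001" log_type="Firewall" log_component="Invalid Traffic" log_subtype="Denied" '
    'log_version=1 severity="Information" fw_rule_id="N/A" nat_rule_id="0" fw_rule_type="NETWORK" '
    'ether_type="IPv4 (0x0800)" src_ip="192.168.0.230" dst_ip="2.17.169.110" protocol="TCP" '
    'src_port=55704 dst_port=443 hb_status="No Heartbeat" '
    'message="Could not associate packet to any connection." qualifier="New" log_occurrence="1"',
]

# Syslog header as seen in the samples: ISO timestamp, host, then the Sophos body.
SYSLOG_HEADER = re.compile(r'^\S+ \S+ (?=device_name=)')
# One key=value token: either a double-quoted value (spaces allowed) or a bare token.
KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

# Mirror of rules 110002-110004 from the thread: (rule id, level, {field: anchored regex}).
RULES = [
    (110002, 5, {'log_type': r'^Wireless Protection$', 'ssid': r'^EXECUTIVE$'}),
    (110003, 8, {'log_type': r'^Firewall$', 'log_subtype': r'^Denied$',
                 'log_component': r'^Invalid Traffic$'}),
    (110004, 3, {'log_type': r'^Firewall$', 'log_subtype': r'^Allowed$',
                 'log_component': r'^Firewall Rule$'}),
]


def parse_sophos(line):
    """Decode every key=value pair of one Sophos line into a dict of strings."""
    body = SYSLOG_HEADER.sub('', line, count=1)
    fields = {}
    for key, quoted, bare in KV.findall(body):
        value = quoted if quoted else bare
        # "timestamp" is reserved in Wazuh alerts; the posted decoder stores it as event_timestamp.
        fields['event_timestamp' if key == 'timestamp' else key] = value
    return fields


def matching_rules(fields):
    """Return [(rule_id, level)] for every rule whose field conditions all match."""
    hits = []
    for rule_id, level, conds in RULES:
        if all(k in fields and re.search(pattern, fields[k]) for k, pattern in conds.items()):
            hits.append((rule_id, level))
    return hits


def naive_capture(line, key):
    """What a key="(\\S*)" capture extracts: None as soon as the value contains a space."""
    m = re.search(r'%s="(\S*)"' % re.escape(key), line)
    return m.group(1) if m else None


if __name__ == '__main__':
    for line in SAMPLE_LOGS:
        f = parse_sophos(line)
        print(f['log_id'], f['log_type'], f['log_subtype'], matching_rules(f))
    print('naive fw_rule_section:', naive_capture(SAMPLE_LOGS[1], 'fw_rule_section'))
```

Once the real decoder and rules are in place on the manager, the equivalent check is to paste each sample line into `/var/ossec/bin/wazuh-logtest` and confirm that the same fields and rule IDs come back.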
