creating a custom rule that triggers in 2 fields decoded by sonicwall's decoder.


bodyboader_SV

Jun 13, 2023, 12:26:28 AM
to Wazuh mailing list
I'm breaking my head in creating a custom rule that triggers in 2 fields decoded by sonicwall's decoder. Ex: I would like a level 10 alert to be generated, when the event contains the values: pri=6 and m=745 . Below is a sample event
id=firewall sn=XPTOXPTO time="2023-06-12 16:28:09 UTC" fw=199.99.999.1 pri=6 c=16 m=745 msg="User login denied - LDAP authentication failure" src=212.212.212.20:0:X1 dst=172.10.21.3:0:X1 usr="teste.teste" proto=tcp sess="sslvpnc" note="teste.teste" n=188 fw_action="NA"

Christian Borla

Jun 13, 2023, 10:56:19 AM
to Wazuh mailing list

Hi bodyboader_SV!

I hope you are doing fine!

Add following custom rule into /var/ossec/etc/rules/local_rules.xml

<rule id="100080" level="10">
    <if_sid>4806</if_sid>
    <regex type="pcre2">firewall.*? pri\=6\s+.*? m\=745\s+</regex>
    <description>SonicWall custom rule.</description>
</rule>


Then restart the manager service to update the ruleset.


Success case


The event contains the following description pri=6 and m=745

Event to test

id=firewall sn=XPTOXPTO time="2023-06-12 16:28:09 UTC" fw=199.99.999.1 pri=6 c=16 m=745 msg="User login denied - LDAP authentication failure" src=212.212.212.20:0:X1 dst=172.10.21.3:0:X1 usr="teste.teste" proto=tcp sess="sslvpnc" note="teste.teste" n=188 fw_action="NA"

Test

/var/ossec/bin/wazuh-logtest
Starting wazuh-logtest v4.4.0
Type one log per line


id=firewall sn=XPTOXPTO time="2023-06-12 16:28:09 UTC" fw=199.99.999.1 pri=6 c=16 m=745 msg="User login denied - LDAP authentication failure" src=212.212.212.20:0:X1 dst=172.10.21.3:0:X1 usr="teste.teste" proto=tcp sess="sslvpnc" note="teste.teste" n=188 fw_action="NA"

**Phase 1: Completed pre-decoding.
full event: 'id=firewall sn=XPTOXPTO time="2023-06-12 16:28:09 UTC" fw=199.99.999.1 pri=6 c=16 m=745 msg="User login denied - LDAP authentication failure" src=212.212.212.20:0:X1 dst=172.10.21.3:0:X1 usr="teste.teste" proto=tcp sess="sslvpnc" note="teste.teste" n=188 fw_action="NA"'

**Phase 2: Completed decoding.
name: 'sonicwall'
action: 'User login denied - LDAP authentication failure'
dstip: '172.10.21.3'
dstport: '0'
protocol: 'tcp'
srcip: '212.212.212.20'
srcport: '0'
status: '6'

**Phase 3: Completed filtering (rules).
id: '100080'
level: '10'
description: 'SonicWall custom rule.'
groups: '['local', 'syslog', 'sshd']'
firedtimes: '1'
mail: 'False'
**Alert to be generated.

An alert will be generated.


Failure case

Event without pri=6 or m=745

Event to test
id=firewall sn=XPTOXPTO time="2023-06-12 16:28:09 UTC" fw=199.99.999.1 pri=6 c=16 m=7 msg="User login denied - LDAP authentication failure" src=212.212.212.20:0:X1 dst=172.10.21.3:0:X1 usr="teste.teste" proto=tcp sess="sslvpnc" note="teste.teste" n=188 fw_action="NA"

Test

/var/ossec/bin/wazuh-logtest
Starting wazuh-logtest v4.4.0
Type one log per line

id=firewall sn=XPTOXPTO time="2023-06-12 16:28:09 UTC" fw=199.99.999.1 pri=6 c=16 m=7 msg="User login denied - LDAP authentication failure" src=212.212.212.20:0:X1 dst=172.10.21.3:0:X1 usr="teste.teste" proto=tcp sess="sslvpnc" note="teste.teste" n=188 fw_action="NA"

**Phase 1: Completed pre-decoding.
full event: 'id=firewall sn=XPTOXPTO time="2023-06-12 16:28:09 UTC" fw=199.99.999.1 pri=6 c=16 m=7 msg="User login denied - LDAP authentication failure" src=212.212.212.20:0:X1 dst=172.10.21.3:0:X1 usr="teste.teste" proto=tcp sess="sslvpnc" note="teste.teste" n=188 fw_action="NA"'

**Phase 2: Completed decoding.
name: 'sonicwall'
action: 'User login denied - LDAP authentication failure'
dstip: '172.10.21.3'
dstport: '0'
protocol: 'tcp'
srcip: '212.212.212.20'
srcport: '0'
status: '6'

**Phase 3: Completed filtering (rules).
id: '4806'
level: '0'
description: 'SonicWall informational message.'
groups: '['syslog', 'sonicwall']'
firedtimes: '1'
mail: 'False'


Let me know if that works for you!
Regards.

bodyboader_SV

Jun 13, 2023, 11:56:26 AM
to Wazuh mailing list
Thanks Borla.
I'll do the tests now

I'll share in the sequence whether I was successful or not.

;  )

bodyboader_SV

Jun 13, 2023, 6:13:11 PM
to Wazuh mailing list

Borla, it worked perfectly :)

Abusing your knowledge, what if I want to trigger 3 fields?

This third field of mine is not being decoded. (red color)

would be the sess="sslvpnc" of this same log.


Hugs

Jr.

Christian Borla

Jun 14, 2023, 6:46:35 AM
to Wazuh mailing list
Hi bodyboader_SV

If you want to include a new trigger condition for this rule, you can use the following regex: replace <regex type="pcre2">firewall.*? pri\=6\s+.*? m\=745\s+</regex> with the following.

<regex type="pcre2">firewall.*? pri\=6\s+.*? m\=745\s+.*?sess\="sslvpnc"</regex>

Let me know if that works for you.
Regards.
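The following Python script is an added example, not code from the thread or from Wazuh. It checks both patterns Christian posted (the two-field one from the first answer and the three-field one above) against the success, failure and a constructed reordered event, and contrasts the regex approach with an order-independent key=value parser. The parser is an assumption standing in for a decoder; it is not Wazuh's sonicwall decoder, which (as the thread notes) does not expose sess. The IPs and serial number are the thread's own placeholders.

```python
import re

# Constructed sample events, copied from the thread (the IPs are the thread's own placeholders).
MATCHING_EVENT = (
    'id=firewall sn=XPTOXPTO time="2023-06-12 16:28:09 UTC" fw=199.99.999.1 pri=6 c=16 m=745 '
    'msg="User login denied - LDAP authentication failure" src=212.212.212.20:0:X1 '
    'dst=172.10.21.3:0:X1 usr="teste.teste" proto=tcp sess="sslvpnc" note="teste.teste" '
    'n=188 fw_action="NA"'
)
# The thread's failure case: the same event with m=7 instead of m=745.
NON_MATCHING_EVENT = MATCHING_EVENT.replace(" m=745 ", " m=7 ")
# Constructed variant with pri and m swapped, to show that the regex depends on field order.
REORDERED_EVENT = MATCHING_EVENT.replace(" pri=6 c=16 m=745 ", " m=745 pri=6 c=16 ")

# The two patterns from the thread, exactly as they appear inside <regex type="pcre2">.
TWO_FIELD_PATTERN = re.compile(r'firewall.*? pri\=6\s+.*? m\=745\s+')
THREE_FIELD_PATTERN = re.compile(r'firewall.*? pri\=6\s+.*? m\=745\s+.*?sess\="sslvpnc"')

# key=value tokens: the value is either a double-quoted string or a run of non-whitespace.
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_sonicwall(event: str) -> dict:
    """Stand-in key=value decoder (an assumption, not Wazuh's sonicwall decoder).
    Returns every field on the line, including ones the built-in decoder does not expose, such as sess."""
    fields = {}
    for match in KV_RE.finditer(event):
        key, quoted, bare = match.groups()
        fields[key] = quoted if quoted is not None else bare
    return fields


def regex_matches(event: str, pattern: re.Pattern) -> bool:
    """How the rule's <regex> behaves: an unanchored search over the full log line."""
    return pattern.search(event) is not None


def fields_match(event: str, required: dict) -> bool:
    """Order-independent alternative: every required field must equal its expected value."""
    fields = parse_sonicwall(event)
    return all(fields.get(key) == value for key, value in required.items())


if __name__ == "__main__":
    wanted = {"pri": "6", "m": "745", "sess": "sslvpnc"}
    for label, event in [("success", MATCHING_EVENT),
                         ("failure", NON_MATCHING_EVENT),
                         ("reordered", REORDERED_EVENT)]:
        print(f"{label:9s} two-field regex={regex_matches(event, TWO_FIELD_PATTERN)} "
              f"three-field regex={regex_matches(event, THREE_FIELD_PATTERN)} "
              f"fields={fields_match(event, wanted)}")
```

The regex matches only when pri=6 appears before m=745 (and, in the three-field form, sess before neither), because each `.*?` only scans forward. SonicWall keeps a fixed field order, so this is fine in the thread's case, but the reordered event shows why a field-based condition is the safer choice if a decoder exposes the fields you need.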

bodyboader_SV

Jun 14, 2023, 10:07:10 AM
to Wazuh mailing list
Borla, Thanks!

It worked as expected and I've even grouped the rules here to raise the Alert.
Thanks again

Jr.
