forcepoint vpn fails decoder


Sarah Milani
Oct 17, 2023, 9:29:52 AM
to Wazuh | Mailing List
Hello Guys =)

I am trying to write decoders and rules for Forcepoint Firewall logs, which arrive in syslog format:

2023 Oct 16 17:28:35 wazuh-server->255.255.255.255 {"Timestamp":"2023-10-16 17:28:35","LogId":"672972873","NodeId":"255.255.255.255","Facility":"SSL VPN","Type":"Error","Src":"255.255.255.255"","Dst":"255.255.255.255"","Service":"TCP/000","Protocol":"0","Sport":"00000","Dport":"000","AccElapsed":"00","Username":"user.lastname","CompId":"test","InfoMsg":"User authentication failed","ReceptionTime":"2023-10-16 17:28:35","SenderType":"Firewall","Situation":"VPN-User-Authentication-Failed","EventId":"7119781193819406409","UserDomain":"domain.net"}


How can I write a rule and a decoder to extract Username and InfoMsg?
e.g. "user.lastname : User authentication failed"




Julian Bustamante Narvaez
Oct 17, 2023, 9:54:14 AM
to Wazuh | Mailing List
Hi, I'm going to try it, and as soon as I have an answer I'll let you know.
Regards

Julian Bustamante Narvaez
Oct 17, 2023, 12:45:45 PM
to Wazuh | Mailing List
You need to match the record to be able to differentiate it from the others, then use the regular expression to extract the data, and finally create a custom rule for what you need.


Modify the /var/ossec/etc/decoders/local_decoder.xml file and paste this:

<decoder name="sarah-deco">
  <prematch>"SenderType":"Firewall"</prematch>
</decoder>

<decoder name="sarah-deco">
  <parent>sarah-deco</parent>
  <regex type="pcre2">"Username":"(.*?)".*"InfoMsg":"(.*?)"</regex>
  <order>dato1,dato2</order>
</decoder>

Modify the /var/ossec/etc/rules/local_rules.xml file and paste this:

<rule id="100053" level="12">
  <decoded_as>sarah-deco</decoded_as>
  <description>custom rule</description>
</rule>



wazuh-logtest output:


julian-A15-FA506QM:/home/thejbte/Documents# /var/ossec/bin/wazuh-logtest
Starting wazuh-logtest v4.5.0
Type one log per line


2023 Oct 16 17:28:35 wazuh-server->255.255.255.255 {"Timestamp":"2023-10-16 17:28:35","LogId":"672972873","NodeId":"255.255.255.255","Facility":"SSL VPN","Type":"Error","Src":"255.255.255.255"","Dst":"255.255.255.255"","Service":"TCP/000","Protocol":"0","Sport":"00000","Dport":"000","AccElapsed":"00","Username":"user.lastname","CompId":"test","InfoMsg":"User authentication failed","ReceptionTime":"2023-10-16 17:28:35","SenderType":"Firewall","Situation":"VPN-User-Authentication-Failed","EventId":"7119781193819406409","UserDomain":"domain.net"}

**Phase 1: Completed pre-decoding.
full event: '2023 Oct 16 17:28:35 wazuh-server->255.255.255.255 {"Timestamp":"2023-10-16 17:28:35","LogId":"672972873","NodeId":"255.255.255.255","Facility":"SSL VPN","Type":"Error","Src":"255.255.255.255"","Dst":"255.255.255.255"","Service":"TCP/000","Protocol":"0","Sport":"00000","Dport":"000","AccElapsed":"00","Username":"user.lastname","CompId":"test","InfoMsg":"User authentication failed","ReceptionTime":"2023-10-16 17:28:35","SenderType":"Firewall","Situation":"VPN-User-Authentication-Failed","EventId":"7119781193819406409","UserDomain":"domain.net"}'
timestamp: '2023 Oct 16 17:28:35'

**Phase 2: Completed decoding.
name: 'sarah-deco'
dato1: 'user.lastname'
dato2: 'User authentication failed'

**Phase 3: Completed filtering (rules).
id: '100053'
level: '12'
description: 'custom rule'
groups: '['local', 'syslog', 'sshd']'
firedtimes: '1'
mail: 'True'
**Alert to be generated.


Screenshot from 2023-10-17 11-32-30.png

Sarah Milani
Oct 17, 2023, 3:10:54 PM
to Wazuh | Mailing List
Wow Julian! Awesome =)
Thanks for helping me! Now the rules match the syslog entries, but I still can't see these events in Wazuh Discover.

Julian Bustamante Narvaez
Oct 17, 2023, 3:32:50 PM
to Wazuh | Mailing List
If you see the rule in /var/ossec/logs/alerts/alerts.json (tail -f /var/ossec/logs/alerts/alerts.json), you need to check the other components (indexer, filebeat) to see why it is not shown in Wazuh Discover.

Regards

Sarah Milani
Oct 22, 2023, 6:13:10 AM
to Wazuh | Mailing List
OK ;)
Thank you

mauro....@cmcc.it
Oct 23, 2023, 4:38:20 PM
to Wazuh | Mailing List
Hi Sarah, Hi Julian,

I found this topic while I was struggling with sending Forcepoint NGFW logs to Wazuh using syslog.
I already did something like that for pfSense, but now doing it again for Forcepoint NGFW seems to be a challenge.

Since I'm still a newbie, I would like to ask you some questions.
The first question is for Sarah :) How do you set "Log Forwarding" in your Forcepoint Log Server or, in other words, what do you send to the Wazuh syslog listener and how do you filter the logs? I'm trying to understand what is really interesting to parse using Wazuh. I think that it is not important to trace every "discard" action, let's say... So, I can check VPN client authentication, DoS attacks, alerts... but the filter list is so long and I have to select the most important ones. Could you please help me?
The second question is for Julian :) I'm trying to create a decoder for this kind of "alert", but it doesn't work:

2023-10-23T13:09:39.592616+02:00 172.31.3.50 {"ReceptionTime": "2023-10-23 13:09:39","Timestamp":"2023-10-23 13:09:39","LogId":"334","EventId":"7122177247944002005","NodeId":"172.31.0.42","CompId":"Lecce node 2","Alert":"P2P Traffic","SenderType":"Firewall","Situation":"Connection_Discarded","Action":"Discard","Service":"HTTP","Protocol":"6","Src":"192.168.34.27","Dst":"YY.YY.YY.YY","Sport":"55608","Dport":"80","NatSrc":"XX.XX.XX.XX","NatDst":"YY.YY.YY.YY","NatSport":"63923","NatDport":"80"}

<decoder name="forcepoint">
  <prematch>"SenderType":"Firewall"</prematch>
</decoder>

<decoder name="forcepoint">
  <parent>forcepoint</parent>
  <regex type="pcre2">"Username":"(.*?)".*"InfoMsg":"(.*?)"</regex>
  <order>dato1,dato2</order>
</decoder>

<decoder name="alert">
  <parent>forcepoint</parent>
  <regex type="pcre2">"Alert":"(.*?)".*"Situation":"(.*?)".*"Action":"(.*?)".*"Service":"(.*?)".*"Src":"(.*?)".*"Dst":"(.*?)".*"Sport":"(.*?)".*"Dport":"(.*?)".*"NatSrc":"(.*?)".*"NatDst":"(.*?)".*"NatSport":"(.*?)".*"NatDport":"(.*?)"</regex>
  <!-- one name per capture group: "dst" and "sport" must be separate entries -->
  <order>alert,situation,action,service,src,dst,sport,dport,natsrc,natdst,natsport,natdport</order>
</decoder>

Could you please help me to start working with it?

Thank you,
Mauro

Julian Bustamante Narvaez
Oct 24, 2023, 11:52:52 AM
to Wazuh | Mailing List
Hi Mauro, please remember to create another thread when there are different questions.

Since full_log is JSON, it is decoded as such (this is implemented in C) and is not typically combined with decoders implemented in XML. If you don't configure any decoder, Wazuh decodes it as JSON. You can create a decoder like this and extract only what you need.

<decoder name="mauro-deco">
  <parent>json</parent>
  <regex type="pcre2">"Alert":"(.*?)".*"SenderType":"(.*?)".*"Situation":"(.*?)".*"Action":"(.*?)".*"Service":"(.*?)".*"Src":"(.*?)".*"Dst":"(.*?)".*"Sport":"(.*?)".*"Dport":"(.*?)".*"NatSrc":"(.*?)".*"NatDst":"(.*?)".*"NatSport":"(.*?)".*"NatDport":"(.*?)"</regex>
  <!-- 13 capture groups, so 13 names: "dst" and "sport" are separate entries -->
  <order>alert,senderType,situation,action,service,src,dst,sport,dport,natsrc,natdst,natsport,natdport</order>
</decoder>

<rule id="100054" level="12">
  <decoded_as>json</decoded_as>
  <field name="senderType">Firewall</field>
  <description>custom rule</description>
</rule>


Regards
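The flow Julian describes in his two replies (prematch, regex capture, `<order>` naming, then a rule on the decoded fields, or the JSON path instead of the regex), simulated in plain Python as an added example. This is not Wazuh code and not code from anyone in the thread: the decoder and rule dictionaries, the `decode`, `decode_as_json` and `rule_matches` functions, the group-count check and the way the syslog header is cut at the first `{` are all this example's own assumptions. The two events are the ones quoted in the thread, embedded here as constructed test input.

```python
"""Simulation of the decoder and rule flow discussed in this thread: prematch,
regex capture, <order> naming, and a rule on the decoded fields. Added example,
not Wazuh source code; the XML in the thread is the real configuration."""
import json
import re

# The two events quoted in the thread, embedded as constructed test input. The
# VPN event keeps the doubled quote after the Src address exactly as pasted.
VPN_EVENT = (
    '2023 Oct 16 17:28:35 wazuh-server->255.255.255.255 {"Timestamp":"2023-10-16 17:28:35",'
    '"LogId":"672972873","NodeId":"255.255.255.255","Facility":"SSL VPN","Type":"Error",'
    '"Src":"255.255.255.255"","Dst":"255.255.255.255"","Service":"TCP/000","Protocol":"0",'
    '"Sport":"00000","Dport":"000","AccElapsed":"00","Username":"user.lastname","CompId":"test",'
    '"InfoMsg":"User authentication failed","ReceptionTime":"2023-10-16 17:28:35",'
    '"SenderType":"Firewall","Situation":"VPN-User-Authentication-Failed",'
    '"EventId":"7119781193819406409","UserDomain":"domain.net"}'
)
DISCARD_EVENT = (
    '2023-10-23T13:09:39.592616+02:00 172.31.3.50 {"ReceptionTime": "2023-10-23 13:09:39",'
    '"Timestamp":"2023-10-23 13:09:39","LogId":"334","EventId":"7122177247944002005",'
    '"NodeId":"172.31.0.42","CompId":"Lecce node 2","Alert":"P2P Traffic","SenderType":"Firewall",'
    '"Situation":"Connection_Discarded","Action":"Discard","Service":"HTTP","Protocol":"6",'
    '"Src":"192.168.34.27","Dst":"YY.YY.YY.YY","Sport":"55608","Dport":"80","NatSrc":"XX.XX.XX.XX",'
    '"NatDst":"YY.YY.YY.YY","NatSport":"63923","NatDport":"80"}'
)

# Decoders from the thread reduced to the attributes this simulation uses
# (the dict layout is this example's own, not a Wazuh format).
SARAH_DECO = {
    "name": "sarah-deco",
    "prematch": '"SenderType":"Firewall"',
    "regex": r'"Username":"(.*?)".*"InfoMsg":"(.*?)"',
    "order": "dato1,dato2",
}
MAURO_REGEX = (
    r'"Alert":"(.*?)".*"SenderType":"(.*?)".*"Situation":"(.*?)".*"Action":"(.*?)"'
    r'.*"Service":"(.*?)".*"Src":"(.*?)".*"Dst":"(.*?)".*"Sport":"(.*?)".*"Dport":"(.*?)"'
    r'.*"NatSrc":"(.*?)".*"NatDst":"(.*?)".*"NatSport":"(.*?)".*"NatDport":"(.*?)"'
)
# <order> as it was first posted for mauro-deco: "dstsport" is one name, so
# only 12 names are listed for 13 capture groups.
MAURO_DECO_AS_POSTED = {
    "name": "mauro-deco", "prematch": None, "regex": MAURO_REGEX,
    "order": "alert,senderType,situation,action,service,src,dstsport,dport,"
             "natsrc,natdst,natsport,natdport",
}
MAURO_DECO_FIXED = dict(
    MAURO_DECO_AS_POSTED,
    order="alert,senderType,situation,action,service,src,dst,sport,dport,"
          "natsrc,natdst,natsport,natdport",
)
RULE_100053 = {"id": "100053", "level": 12, "decoded_as": "sarah-deco", "fields": {}}
RULE_100054 = {"id": "100054", "level": 12, "decoded_as": "json",
               "fields": {"senderType": "Firewall"}}


def decode(event, decoder):
    """One decoder pass: the prematch string must occur in the event (skipped
    when the decoder has none), then each regex capture group is stored under
    the corresponding <order> name. Returns None when nothing matched."""
    prematch = decoder.get("prematch")
    if prematch and prematch not in event:
        return None
    pattern = re.compile(decoder["regex"])
    names = decoder["order"].split(",")
    # Check worth doing before loading a decoder: when the name count differs
    # from the group count, the values cannot all land under the intended names.
    if pattern.groups != len(names):
        raise ValueError(f'{decoder["name"]}: {pattern.groups} capture groups '
                         f'but {len(names)} names in <order>')
    match = pattern.search(event)
    return dict(zip(names, match.groups())) if match else None


def decode_as_json(event):
    """The alternative in the last reply: treat the payload as JSON. The syslog
    header is dropped by cutting at the first '{' (a simulation shortcut, not
    how Wazuh locates the payload). Returns None for invalid JSON."""
    start = event.find("{")
    if start < 0:
        return None
    try:
        return json.loads(event[start:])
    except json.JSONDecodeError:
        return None


def rule_matches(rule, decoder_name, fields):
    """Rule check used by both rules in the thread: <decoded_as> must equal the
    decoder name and every <field> must equal the decoded value."""
    if rule["decoded_as"] != decoder_name:
        return False
    return all(fields.get(k) == v for k, v in rule["fields"].items())


if __name__ == "__main__":
    print("regex path:", decode(VPN_EVENT, SARAH_DECO))
    print("json path on VPN event:", decode_as_json(VPN_EVENT))
    print("json path on discard event:", decode_as_json(DISCARD_EVENT)["Situation"])
    try:
        decode(DISCARD_EVENT, MAURO_DECO_AS_POSTED)
    except ValueError as err:
        print("rejected:", err)
    print("fixed order:", decode(DISCARD_EVENT, MAURO_DECO_FIXED)["sport"])
```

Running it shows three things a practitioner would want to confirm before touching local_decoder.xml: the VPN event exactly as pasted is not valid JSON (the doubled quote after the Src address), so only the regex path extracts dato1 and dato2 from it; the discard event parses cleanly as JSON, which is why the json parent works for it; and a `<order>` list whose name count does not equal the regex group count is caught before it is deployed.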

Sarah Milani
Jan 11, 2024, 6:24:17 AM
to Wazuh | Mailing List
Sorry for the long delay, I didn't see a response to this post.
Did you do the Forcepoint syslog configuration?
I just configured the redirection with the VPN filter I wanted, as this figure shows.