Fortigate decoders and rules


KnaT

May 18, 2023, 10:28:38 PM
to Wazuh mailing list
Hi everyone,
I have a problem with Fortigate decoders and rules. The logs in my archives.log are the same as the ones in the log file.
But in my wazuh-dashboard I only see the alert "Fortigate: Multiple high traffic events from same source", like in the image.

[attachment: Untitled.png]

Why are there no other alerts from my logs?
Thanks
[attachment: log.txt]

Mario Andres Ruiz Hernandez

May 18, 2023, 10:46:10 PM
to Wazuh mailing list
Hi,

Let me take a look at this.

KnaT

May 18, 2023, 11:14:50 PM
to Wazuh mailing list
Hi Mario,
Waiting for your response.
Thanks!

Mario Andres Ruiz Hernandez

May 19, 2023, 6:31:21 PM
to Wazuh mailing list
Hi KnaT,

Please take a look at the following threads and try the configs mentioned there. Feel free to reach out and tell me how it went.
https://github.com/wazuh/wazuh-kibana-app/issues/2152
https://groups.google.com/g/wazuh/c/LCv4C0KYA0g


Regards.

KnaT

May 21, 2023, 10:52:29 PM
to Wazuh mailing list
Hi Mario,
I have checked the threads you linked above, but it seems that is not my problem.
With the Fortinet logs I sent, my Wazuh displays just one alert, and it is rule id 81619.

The alert is in the image.
Although my logs differ from each other, I don't know why there is only one alert.
I have checked archives.log and everything looks normal:

2023 May 22 08:43:27 dc-siemtest->10.33.5.6 logver=604061879 timestamp=1684719866 tz="UTC+7" devname="FortiGate_HA_FGT2KE" devid="FGT2KETB19900273" vd="root" date=2023-05-22 time=08:44:26 eventtime=1684719866451753252 tz="+0700" logid="0000000013" type="traffic" subtype="forward" level="notice" srcip=10.33.137.144 srcport=53325 srcintf="Vlan_4" srcintfrole="lan" dstip=10.33.5.62 dstport=53 dstintf="Vlan_51" dstintfrole="lan" srccountry="Reserved" dstcountry="Reserved" sessionid=1887373928 proto=17 action="accept" policyid=126 policytype="policy" poluuid="1bf99d44-0c07-51ea-6e7b-0bb9781e5fc2" policyname="AD2" service="TCP_UDP_53" trandisp="noop" duration=97 sentbyte=234 rcvdbyte=78 sentpkt=3 rcvdpkt=1 appcat="unscanned" mastersrcmac="40:06:d5:2a:4f:d7" srcmac="40:06:d5:2a:4f:d7" srcserver=0 dsthwvendor="VMware" masterdstmac="00:50:56:93:9b:10" dstmac="00:50:56:93:9b:10" dstserver=1
2023 May 22 08:43:27 dc-siemtest->10.33.5.6 logver=604061879 timestamp=1684719866 tz="UTC+7" devname="FortiGate_HA_FGT2KE" devid="FGT2KETB19900273" vd="root" date=2023-05-22 time=08:44:26 eventtime=1684719866621743440 tz="+0700" logid="0000000013" type="traffic" subtype="forward" level="notice" srcip=10.33.5.141 srcport=64839 srcintf="Vlan_53" srcintfrole="lan" dstip=10.81.161.201 dstport=80 dstintf="Vlan_4" dstintfrole="lan" srccountry="Reserved" dstcountry="Reserved" sessionid=1887447008 proto=6 action="timeout" policyid=176 policytype="policy" poluuid="1c6f260c-c659-51e9-64ff-90c68a11bc67" policyname="Permit-ALL" service="HTTP" trandisp="noop" duration=8 sentbyte=44 rcvdbyte=0 sentpkt=1 rcvdpkt=0 appcat="unscanned" masterdstmac="40:06:d5:2a:4f:d7" dstmac="40:06:d5:2a:4f:d7" dstserver=0
2023 May 22 08:43:27 dc-siemtest->10.33.5.6 logver=604061879 timestamp=1684719866 tz="UTC+7" devname="FortiGate_HA_FGT2KE" devid="FGT2KETB19900273" vd="root" date=2023-05-22 time=08:44:26 eventtime=1684719866491746978 tz="+0700" logid="0000000013" type="traffic" subtype="forward" level="notice" srcip=10.33.6.35 srcport=34560 srcintf="Vlan_4" srcintfrole="lan" dstip=10.33.5.77 dstport=444 dstintf="Vlan_52" dstintfrole="lan" srccountry="Reserved" dstcountry="Reserved" sessionid=1887449416 proto=6 action="server-rst" policyid=382 policytype="policy" poluuid="2d99ce7c-afff-51ec-5862-0a5d00d2d330" policyname="DR-AD" service="tcp/444" trandisp="noop" duration=5 sentbyte=449 rcvdbyte=313 sentpkt=5 rcvdpkt=4 appcat="unscanned" mastersrcmac="40:06:d5:2a:4f:d7" srcmac="40:06:d5:2a:4f:d7" srcserver=0 dsthwvendor="VMware" dstosname="Windows" dstswversion="8" dstunauthuser="thuy-th" dstunauthusersource="kerberos" masterdstmac="00:50:56:93:22:ee" dstmac="00:50:56:93:22:ee" dstserver=0
2023 May 22 08:43:27 dc-siemtest->10.33.5.6 logver=604061879 timestamp=1684719866 tz="UTC+7" devname="FortiGate_HA_FGT2KE" devid="FGT2KETB19900273" vd="root" date=2023-05-22 time=08:44:26 eventtime=1684719866561745933 tz="+0700" logid="0000000013" type="traffic" subtype="forward" level="notice" srcip=10.33.6.35 srcport=34571 srcintf="Vlan_4" srcintfrole="lan" dstip=10.33.5.78 dstport=444 dstintf="Vlan_52" dstintfrole="lan" srccountry="Reserved" dstcountry="Reserved" sessionid=1887449446 proto=6 action="server-rst" policyid=382 policytype="policy" poluuid="2d99ce7c-afff-51ec-5862-0a5d00d2d330" policyname="DR-AD" service="tcp/444" trandisp="noop" duration=5 sentbyte=449 rcvdbyte=313 sentpkt=5 rcvdpkt=4 appcat="unscanned" mastersrcmac="40:06:d5:2a:4f:d7" srcmac="40:06:d5:2a:4f:d7" srcserver=0 dsthwvendor="VMware" dstosname="Windows" dstswversion="8" dstunauthuser="administrator" dstunauthusersource="kerberos" masterdstmac="00:50:56:93:a7:a2" dstmac="00:50:56:93:a7:a2" dstserver=0
2023 May 22 08:43:27 dc-siemtest->10.33.5.6 logver=604061879 timestamp=1684719866 tz="UTC+7" devname="FortiGate_HA_FGT2KE" devid="FGT2KETB19900273" vd="root" date=2023-05-22 time=08:44:26 eventtime=1684719866511746704 tz="+0700" logid="0000000013" type="traffic" subtype="forward" level="notice" srcip=10.33.6.35 srcport=34566 srcintf="Vlan_4" srcintfrole="lan" dstip=10.33.5.77 dstport=444 dstintf="Vlan_52" dstintfrole="lan" srccountry="Reserved" dstcountry="Reserved" sessionid=1887449434 proto=6 action="server-rst" policyid=382 policytype="policy" poluuid="2d99ce7c-afff-51ec-5862-0a5d00d2d330" policyname="DR-AD" service="tcp/444" trandisp="noop" duration=5 sentbyte=449 rcvdbyte=313 sentpkt=5 rcvdpkt=4 appcat="unscanned" mastersrcmac="40:06:d5:2a:4f:d7" srcmac="40:06:d5:2a:4f:d7" srcserver=0 dsthwvendor="VMware" dstosname="Windows" dstswversion="8" dstunauthuser="thuy-th" dstunauthusersource="kerberos" masterdstmac="00:50:56:93:22:ee" dstmac="00:50:56:93:22:ee" dstserver=0
2023 May 22 08:43:27 dc-siemtest->10.33.5.6 logver=604061879 timestamp=1684719866 tz="UTC+7" devname="FortiGate_HA_FGT2KE" devid="FGT2KETB19900273" vd="root" date=2023-05-22 time=08:44:26 eventtime=1684719866581748960 tz="+0700" logid="0000000013" type="traffic" subtype="forward" level="notice" srcip=10.33.6.35 srcport=34585 srcintf="Vlan_4" srcintfrole="lan" dstip=10.33.5.78 dstport=444 dstintf="Vlan_52" dstintfrole="lan" srccountry="Reserved" dstcountry="Reserved" sessionid=1887449470 proto=6 action="server-rst" policyid=382 policytype="policy" poluuid="2d99ce7c-afff-51ec-5862-0a5d00d2d330" policyname="DR-AD" service="tcp/444" trandisp="noop" duration=5 sentbyte=449 rcvdbyte=313 sentpkt=5 rcvdpkt=4 appcat="unscanned" mastersrcmac="40:06:d5:2a:4f:d7" srcmac="40:06:d5:2a:4f:d7" srcserver=0 dsthwvendor="VMware" dstosname="Windows" dstswversion="8" dstunauthuser="administrator" dstunauthusersource="kerberos" masterdstmac="00:50:56:93:a7:a2" dstmac="00:50:56:93:a7:a2" dstserver=0

What I actually want is one alert for each log, not what I have now.

[attachment: Untitled.png]

Mario Andres Ruiz Hernandez

May 24, 2023, 8:48:16 PM
to Wazuh mailing list
Hi KnaT,

I'll take a deeper look at this, OK?

Best regards.

Mario Andres Ruiz Hernandez

Jun 15, 2023, 7:50:08 PM
to Wazuh mailing list
Hey KnaT,

Rule 81618 has 81619 as a child. That's why you seem to keep seeing the same alert.

  <rule id="81619" level="3" frequency="18" timeframe="45" ignore="240">
    <if_matched_sid>81618</if_matched_sid>
    <same_source_ip />
    <description>Fortigate: Multiple high traffic events from same source.</description>
    <group>gdpr_IV_35.7.d,hipaa_164.312.b,nist_800_53_AU.6,pci_dss_10.6.1,</group>
  </rule>

One thing you can do is override the rule and specify how the rules need to be displayed: https://documentation.wazuh.com/current/user-manual/ruleset/custom.html#changing-an-existing-rule
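The following is a simplified model of what the frequency, timeframe, ignore and same_source_ip settings of rule 81619 do to a stream of traffic lines like the ones posted above. It is an added illustration for this thread, not Wazuh's analysisd code and not something either poster wrote. It assumes that the parent rule 81618 matches every traffic line (which has to be the case for 81619 to fire on the log above); the sample lines are constructed from the fields in the posted log, and the names make_lines, parse_fortigate, FrequencyRule and run are chosen for this example only.

```python
"""
Simplified model of a Wazuh frequency (composite) rule such as 81619:
  <rule id="81619" level="3" frequency="18" timeframe="45" ignore="240">
    <if_matched_sid>81618</if_matched_sid>
    <same_source_ip />
Added example for this thread; it is not Wazuh analysisd code. The semantics
are the documented ones (fire once `frequency` parent matches from the same
srcip fall inside `timeframe` seconds, then stay quiet for `ignore` seconds),
implemented here per source IP as a simplification.
"""
import re
from collections import defaultdict, deque

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Constructed template with the same shape and field names as the posted lines.
TEMPLATE = (
    'devname="FortiGate_HA_FGT2KE" devid="FGT2KETB19900273" vd="root" '
    'timestamp={ts} logid="0000000013" type="traffic" subtype="forward" '
    'level="notice" srcip={src} srcport={sport} srcintf="Vlan_4" '
    'dstip=10.33.5.77 dstport=444 proto=6 action="server-rst" policyid=382 '
    'policyname="DR-AD" service="tcp/444"'
)


def make_lines(src, count, start_ts=1684719866, step=2):
    """Build `count` constructed traffic lines from `src`, `step` seconds apart."""
    return [TEMPLATE.format(ts=start_ts + i * step, src=src, sport=34560 + i)
            for i in range(count)]


def parse_fortigate(line):
    """Split a FortiGate key=value line into a dict, stripping quotes."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}


class FrequencyRule:
    """Child rule with <frequency>, <timeframe>, <ignore> and <same_source_ip/>."""

    def __init__(self, rule_id, frequency, timeframe, ignore):
        self.rule_id = rule_id
        self.frequency, self.timeframe, self.ignore = frequency, timeframe, ignore
        self.windows = defaultdict(deque)  # srcip -> timestamps of parent matches
        self.muted_until = {}              # srcip -> end of the ignore window

    def feed(self, event):
        """Return an alert dict if this parent match completes the rule, else None."""
        t, src = int(event["timestamp"]), event["srcip"]
        win = self.windows[src]
        win.append(t)
        while t - win[0] > self.timeframe:     # drop matches older than timeframe
            win.popleft()
        if t < self.muted_until.get(src, 0):   # still inside the ignore window
            return None
        if len(win) >= self.frequency:
            self.muted_until[src] = t + self.ignore
            hits = len(win)
            win.clear()                        # start counting again after firing
            return {"rule": self.rule_id, "srcip": src, "timestamp": t, "matched": hits}
        return None


def run(lines, parent_id=81618):
    """Feed lines through the per-event parent rule and the frequency rule.

    Assumption for this example: the parent rule matches every traffic line,
    which is what must be happening for 81619 to fire on the posted log.
    Returns (per_event_matches, frequency_alerts).
    """
    freq = FrequencyRule(81619, frequency=18, timeframe=45, ignore=240)
    parent_alerts, freq_alerts = [], []
    for line in lines:
        ev = parse_fortigate(line)
        parent_alerts.append({"rule": parent_id, "srcip": ev["srcip"],
                              "timestamp": int(ev["timestamp"])})
        alert = freq.feed(ev)
        if alert:
            freq_alerts.append(alert)
    return parent_alerts, freq_alerts


if __name__ == "__main__":
    # 40 connections from one host 2 s apart, plus 2 from another host.
    stream = make_lines("10.33.6.35", 40) + make_lines("10.33.5.141", 2)
    parents, freqs = run(stream)
    print(f"{len(stream)} lines -> {len(parents)} per-event matches, "
          f"{len(freqs)} rule-81619 alert(s)")
    for a in freqs:
        print(a)
```

With 40 connections from 10.33.6.35 two seconds apart, the 18th one completes the window and produces a single 81619 alert; the remaining 22 lines meet the frequency again but fall inside the 240-second ignore window, so nothing else is emitted for that source, which matches the single alert in the screenshot. The per-event matches of the parent rule are still produced for every line, so getting one alert per log is a question of how the parent rule is surfaced (its level and options), which is what the override described in the linked documentation page lets you change.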