Fortigate issue 137 #147
Conversation
We've adjusted the fortigate decoders so you can generate alerts when you receive events in a new format.
Fixed fortigate decoders and rules to decode new fortigate format. GDPR tagging still needed.
GDPR groups added to the new rules.
Typos fixed
All new event formats have been tested and the corresponding rules have been triggered correctly.
Great job by frgv.
Kind regards,
Alfonso Ruiz-Bravo
We have added two traffic decoders to obtain the action and level fields.
Hello team, we have added two traffic decoders to get the action and level fields, according to issue #168:
Kind regards, Alfonso Ruiz-Bravo
…fortigate-issue-137
On my Fortigate with firmware 6 it worked like a charm!! Has this been committed yet? I pulled the code from master but these changes seem not to be present... push it ASAP if you can, it will help a lot of people. Thank you very much!
Hello, I use Wazuh and, after each update, I must rewrite these files to decode logs for Fortigate 5.6. Thank you in advance for your answers ^^
@Enaxadrel you can add it to your custom decoder, it will remain even after update.
Thank you for your answer. Sorry if I have used the wrong place for this problem, this is my first use of github.
Hello team!
I've tested it and it seems to work fine. Rules and decoders work correctly:
lopezziur-S551LN ossec # bin/ossec-logtest
2019/07/30 09:05:26 ossec-testrule: INFO: Started (pid: 10338).
ossec-testrule: Type one log per line.
2019 Jul 25 14:53:17 log01->XXX.XXX.XXX.XXX date=2019-07-25 time=13:53:16 devname="MyFortinetDevice" devid="FG800C3913801163" logid="0000000013" type="traffic" subtype="forward" level="notice" vd="root" eventtime=1564080796 srcip=XXX.XXX.XXX.XXX srcname="SOME-PC" srcport=64306 srcintf="netprt_office" srcintfrole="lan" dstip=XXX.XXX.XXX.XXX dstport=443 dstintf="netprt_inscope" dstintfrole="lan" poluuid="d4dc65a0-6a43-51e4-c73d-71cf9316c554" sessionid=2209333306 proto=6 action="close" user="FAKEUSER" policyid=153 policytype="policy" service="HTTPS" dstcountry="Reserved" srccountry="Reserved" trandisp="noop" duration=55 sentbyte=132 rcvdbyte=132 sentpkt=3 rcvdpkt=3 appcat="unscanned" devtype="Windows PC" osname="Windows" osversion="7 or 8" mastersrcmac="00:de:ad:be:ef:de:00" srcmac="00:de:ad:be:ef:de:00" srcserver=0 dstdevtype="Linux PC" dstosname="Linux" dstosversion="(x64)" masterdstmac="00:de:ad:be:ef:de:00" dstmac="00:de:ad:be:ef:de:00" dstserver=1
**Phase 1: Completed pre-decoding.
full event: '2019 Jul 25 14:53:17 log01->XXX.XXX.XXX.XXX date=2019-07-25 time=13:53:16 devname="MyFortinetDevice" devid="FG800C3913801163" logid="0000000013" type="traffic" subtype="forward" level="notice" vd="root" eventtime=1564080796 srcip=XXX.XXX.XXX.XXX srcname="SOME-PC" srcport=64306 srcintf="netprt_office" srcintfrole="lan" dstip=XXX.XXX.XXX.XXX dstport=443 dstintf="netprt_inscope" dstintfrole="lan" poluuid="d4dc65a0-6a43-51e4-c73d-71cf9316c554" sessionid=2209333306 proto=6 action="close" user="FAKEUSER" policyid=153 policytype="policy" service="HTTPS" dstcountry="Reserved" srccountry="Reserved" trandisp="noop" duration=55 sentbyte=132 rcvdbyte=132 sentpkt=3 rcvdpkt=3 appcat="unscanned" devtype="Windows PC" osname="Windows" osversion="7 or 8" mastersrcmac="00:de:ad:be:ef:de:00" srcmac="00:de:ad:be:ef:de:00" srcserver=0 dstdevtype="Linux PC" dstosname="Linux" dstosversion="(x64)" masterdstmac="00:de:ad:be:ef:de:00" dstmac="00:de:ad:be:ef:de:00" dstserver=1'
timestamp: '2019 Jul 25 14:53:17'
hostname: 'lopezziur-S551LN'
program_name: '(null)'
log: 'log01->XXX.XXX.XXX.XXX date=2019-07-25 time=13:53:16 devname="MyFortinetDevice" devid="FG800C3913801163" logid="0000000013" type="traffic" subtype="forward" level="notice" vd="root" eventtime=1564080796 srcip=XXX.XXX.XXX.XXX srcname="SOME-PC" srcport=64306 srcintf="netprt_office" srcintfrole="lan" dstip=XXX.XXX.XXX.XXX dstport=443 dstintf="netprt_inscope" dstintfrole="lan" poluuid="d4dc65a0-6a43-51e4-c73d-71cf9316c554" sessionid=2209333306 proto=6 action="close" user="FAKEUSER" policyid=153 policytype="policy" service="HTTPS" dstcountry="Reserved" srccountry="Reserved" trandisp="noop" duration=55 sentbyte=132 rcvdbyte=132 sentpkt=3 rcvdpkt=3 appcat="unscanned" devtype="Windows PC" osname="Windows" osversion="7 or 8" mastersrcmac="00:de:ad:be:ef:de:00" srcmac="00:de:ad:be:ef:de:00" srcserver=0 dstdevtype="Linux PC" dstosname="Linux" dstosversion="(x64)" masterdstmac="00:de:ad:be:ef:de:00" dstmac="00:de:ad:be:ef:de:00" dstserver=1'
**Phase 2: Completed decoding.
decoder: 'fortigate-firewall-v5'
level: 'notice'
srcip: 'XXX.XXX.XXX.XXX'
srcport: '64306'
dstip: 'XXX.XXX.XXX.XXX'
dstport: '443'
action: 'close'
protocol: 'unscanned'
**Phase 3: Completed filtering (rules).
Rule id: '81618'
Level: '3'
Description: 'Fortigate: Traffic to be aware of.'
**Alert to be generated.
2019 Jul 25 14:53:17 log01->XXX.XXX.XXX.XXX date=2019-07-25 time=13:53:16 devname="MyFortinetDevice" devid="FG800C3913801163" logid="0000000013" type="traffic" subtype="forward" level="notice" vd="root" eventtime=1564080796 srcip=XXX.XXX.XXX.XXX srcname="SOME-PC" srcport=55105 srcintf="netprt_office" srcintfrole="lan" dstip=XXX.XXX.XXX.XXX dstport=53 dstintf="netprt_cde" dstintfrole="wan" poluuid="86fcb9c6-3dcf-51e8-c853-db98f216b8d8" sessionid=2209322167 proto=17 action="accept" user="FAKEUSER" policyid=374 policytype="policy" service="DNS" dstcountry="Reserved" srccountry="Reserved" trandisp="noop" duration=180 sentbyte=75 rcvdbyte=91 sentpkt=1 rcvdpkt=1 appcat="unscanned" devtype="Windows PC" osname="Windows" osversion="7 or 8" mastersrcmac="00:de:ad:be:ef:de:00" srcmac="00:de:ad:be:ef:de:00" srcserver=0
**Phase 1: Completed pre-decoding.
full event: '2019 Jul 25 14:53:17 log01->XXX.XXX.XXX.XXX date=2019-07-25 time=13:53:16 devname="MyFortinetDevice" devid="FG800C3913801163" logid="0000000013" type="traffic" subtype="forward" level="notice" vd="root" eventtime=1564080796 srcip=XXX.XXX.XXX.XXX srcname="SOME-PC" srcport=55105 srcintf="netprt_office" srcintfrole="lan" dstip=XXX.XXX.XXX.XXX dstport=53 dstintf="netprt_cde" dstintfrole="wan" poluuid="86fcb9c6-3dcf-51e8-c853-db98f216b8d8" sessionid=2209322167 proto=17 action="accept" user="FAKEUSER" policyid=374 policytype="policy" service="DNS" dstcountry="Reserved" srccountry="Reserved" trandisp="noop" duration=180 sentbyte=75 rcvdbyte=91 sentpkt=1 rcvdpkt=1 appcat="unscanned" devtype="Windows PC" osname="Windows" osversion="7 or 8" mastersrcmac="00:de:ad:be:ef:de:00" srcmac="00:de:ad:be:ef:de:00" srcserver=0'
timestamp: '2019 Jul 25 14:53:17'
hostname: 'lopezziur-S551LN'
program_name: '(null)'
log: 'log01->XXX.XXX.XXX.XXX date=2019-07-25 time=13:53:16 devname="MyFortinetDevice" devid="FG800C3913801163" logid="0000000013" type="traffic" subtype="forward" level="notice" vd="root" eventtime=1564080796 srcip=XXX.XXX.XXX.XXX srcname="SOME-PC" srcport=55105 srcintf="netprt_office" srcintfrole="lan" dstip=XXX.XXX.XXX.XXX dstport=53 dstintf="netprt_cde" dstintfrole="wan" poluuid="86fcb9c6-3dcf-51e8-c853-db98f216b8d8" sessionid=2209322167 proto=17 action="accept" user="FAKEUSER" policyid=374 policytype="policy" service="DNS" dstcountry="Reserved" srccountry="Reserved" trandisp="noop" duration=180 sentbyte=75 rcvdbyte=91 sentpkt=1 rcvdpkt=1 appcat="unscanned" devtype="Windows PC" osname="Windows" osversion="7 or 8" mastersrcmac="00:de:ad:be:ef:de:00" srcmac="00:de:ad:be:ef:de:00" srcserver=0'
**Phase 2: Completed decoding.
decoder: 'fortigate-firewall-v5'
level: 'notice'
srcip: 'XXX.XXX.XXX.XXX'
srcport: '55105'
dstip: 'XXX.XXX.XXX.XXX'
dstport: '53'
action: 'accept'
protocol: 'unscanned'
**Phase 3: Completed filtering (rules).
Rule id: '81618'
Level: '3'
Description: 'Fortigate: Traffic to be aware of.'
**Alert to be generated.
And the runtests pass:
lopezziur@lopezziur-S551LN ~/repositorios/wazuh-ruleset/tools/rules-testing $ sudo python runtests.py
[sudo] password for lopezziur:
- [ File = ./tests/pam.ini ] ---------
.....
- [ File = ./tests/apache.ini ] ---------
............
- [ File = ./tests/rsh.ini ] ---------
..
- [ File = ./tests/systemd.ini ] ---------
.
- [ File = ./tests/mailscanner.ini ] ---------
.
- [ File = ./tests/opensmtpd.ini ] ---------
.......
- [ File = ./tests/modsecurity.ini ] ---------
......
- [ File = ./tests/su.ini ] ---------
.....
- [ File = ./tests/apparmor.ini ] ---------
.....
- [ File = ./tests/netscreen.ini ] ---------
....
- [ File = ./tests/syslog.ini ] ---------
.....
- [ File = ./tests/nginx.ini ] ---------
............
- [ File = ./tests/web_rules.ini ] ---------
.....
- [ File = ./tests/doas.ini ] ---------
....
- [ File = ./tests/oscap.ini ] ---------
................................
- [ File = ./tests/sudo.ini ] ---------
........
- [ File = ./tests/sshd.ini ] ---------
...........................
- [ File = ./tests/samba.ini ] ---------
....
- [ File = ./tests/proftpd.ini ] ---------
.......
- [ File = ./tests/vsftpd.ini ] ---------
....
- [ File = ./tests/cisco_ios.ini ] ---------
.....
- [ File = ./tests/sysmon.ini ] ---------
...
- [ File = ./tests/firewalld.ini ] ---------
..
- [ File = ./tests/cimserver.ini ] ---------
..
- [ File = ./tests/postfix.ini ] ---------
..
- [ File = ./tests/cpanel.ini ] ---------
.......
- [ File = ./tests/named.ini ] ---------
.....
- [ File = ./tests/unbound.ini ] ---------
- [ File = ./tests/exim.ini ] ---------
.....
- [ File = ./tests/ossec.ini ] ---------
.....
- [ File = ./tests/web_appsec.ini ] ---------
...............................
- [ File = ./tests/dovecot.ini ] ---------
...............
Regards, Eva
Fortigate decoders and rules are fixed and improved to fit Fortigate's new logging format, maintaining backward compatibility with previous versions. Also, new kinds of logs (like UTM-Virus) have been added.
2018 Jun 21 00:00:35 XXX->127.0.0.1 date=2018-06-21 time=03:00:35 devname="xxx" devid="FG123341414414" logid="111111111" type="traffic" subtype="forward" level="notice" vd="xxx" eventtime=111111111 srcip=127.0.0.1 srcport=11111 srcintf="port111" srcintfrole="undefined" dstip=127.0.0.1 dstport=1111 dstintf="xxxxx" dstintfrole="undefined" sessionid=122111221 proto=6 action="deny" policyid=1 policytype="policy" service="tcp/11111" dstcountry="xxxxx" srccountry="xxxx" trandisp="noop" duration=0 sentbyte=0 rcvdbyte=0 sentpkt=0 appcat="unscanned" crscore=111 craction=11111 crlevel="high"
2018 Jun 21 00:11:50 XXX->127.0.0.1 date=2018-06-21 time=03:11:49 devname="xxx" devid="FG123341414414" logid="111111111" type="utm" subtype="virus" eventtype="analytics" level="information" vd="xxx" eventtime=111111111 msg="File submitted to Sandbox." action="analytics" service="XXX" sessionid=11111111 srcip=127.0.0.1 dstip=127.0.0.1 srcport=111111 dstport=111 srcintf="port1" srcintfrole="undefined" dstintf="port1" dstintfrole="undefined" policyid=111 proto=1 direction="incoming" filename="xxx.xx" url="wwww.test.com/xxx.xx" profile="XXXX" agent="XXXX" analyticscksum="12k3jljfi1ljfo1jokfjko1ofk1jf" analyticssubmit="true"
2018 Jun 21 00:00:35 XXX->127.0.0.1 date=2018-06-21 time=03:00:35 devname="xxx" devid="FG123341414414" logid="111111111" type="utm" subtype="webfilter" eventtype="ftgd_allow" level="notice" vd="xxx" eventtime=111111111 policyid=111 sessionid=111111111 srcip=127.0.0.1 srcport=11111 srcintf="port1" srcintfrole="undefined" dstip=127.0.0.1 dstport=111 dstintf="port111" dstintfrole="undefined" proto=1 service="XXX" hostname="xxxxx.com" profile="xx" action="passthrough" reqtype="direct" url="/xxxxxxxxxxxx" sentbyte=11 rcvdbyte=111 direction="outgoing" msg="URL belongs to an allowed category in policy" method="domain" cat=50 catdesc="Information and Computer Security"
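The key=value syslog format these decoders consume, parsed in an added Python example that is not part of this PR or of the wazuh-ruleset code: it tokenises quoted and unquoted values (quoted values such as msg="File submitted to Sandbox." contain spaces), extracts the fields the logtest output above shows, and routes a line by type/subtype/eventtype, which is my assumption of how one would dispatch to the per-kind decoders the thread mentions. The sample lines are constructed and anonymised, modelled on the ones quoted in the thread.

```python
import re
from typing import Dict, Tuple

# Constructed sample lines in the FortiGate key=value syslog format (anonymised,
# modelled on the lines quoted in the thread; not real device output).
TRAFFIC_LINE = ('2019 Jul 25 14:53:17 log01->10.1.1.1 date=2019-07-25 time=13:53:16 '
                'devname="MyFortinetDevice" type="traffic" subtype="forward" level="notice" '
                'srcip=10.1.1.5 srcport=64306 dstip=10.1.1.9 dstport=443 proto=6 '
                'action="close" service="HTTPS" appcat="unscanned" osversion="7 or 8"')
UTM_VIRUS_LINE = ('2018 Jun 21 00:11:50 XXX->127.0.0.1 date=2018-06-21 time=03:11:49 '
                  'type="utm" subtype="virus" eventtype="analytics" level="information" '
                  'msg="File submitted to Sandbox." action="analytics" srcip=127.0.0.1 '
                  'dstip=127.0.0.1 srcport=11111 dstport=111 proto=1 filename="xxx.xx"')

# One key=value token: the value is either a double-quoted string (which may contain
# spaces, '=' and escaped quotes) or a run of non-whitespace characters.
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_kv(line: str) -> Dict[str, str]:
    """Split a FortiGate line into its key=value fields, dropping surrounding quotes.
    The syslog prefix (timestamp, 'host->ip') carries no '=' and is ignored."""
    fields = {}
    for key, raw in KV_RE.findall(line):
        quoted = len(raw) >= 2 and raw[0] == raw[-1] == '"'
        fields[key] = raw[1:-1] if quoted else raw
    return fields


def decode(line: str) -> Dict[str, str]:
    """Return the subset of fields the thread's logtest output shows being extracted.
    'protocol' here is the IP protocol number from proto=, kept apart from appcat=
    (the application category), so the two are not conflated."""
    f = parse_kv(line)
    wanted = ('level', 'srcip', 'srcport', 'dstip', 'dstport', 'action')
    out = {k: f[k] for k in wanted if k in f}
    if 'proto' in f:
        out['protocol'] = f['proto']
    if 'appcat' in f:
        out['appcat'] = f['appcat']
    return out


def route(line: str) -> Tuple[str, str, str]:
    """Classify a line by (type, subtype, eventtype); assumed dispatch key for choosing
    between the traffic, utm/virus and utm/webfilter decoders (hypothetical, not the
    ruleset's own mechanism)."""
    f = parse_kv(line)
    return (f.get('type', ''), f.get('subtype', ''), f.get('eventtype', ''))
```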