Added decoder for UFW logs

wazuh · Jun 5, 2020 · 9099c74 · 9099c74
1 parent 82a527b
commit 9099c74
Showing 1 changed file with 36 additions and 1 deletion.
diff --git a/decoders/0140-kernel_decoders.xml b/decoders/0140-kernel_decoders.xml
@@ -97,7 +97,7 @@ Example:
 <decoder name="iptables-OpenWRT">
    <parent>kernel</parent>
    <type>firewall</type>
-   <prematch>^[\d+.\d+] \S+\.*IN=</prematch>
+   <prematch>^[\d+.\d+] \S+\(\.*IN=</prematch>
    <regex>^[\d+.\d+] (\S*)\(</regex>
    <order>action</order>
 </decoder>
@@ -123,6 +123,41 @@ Example:
    <order>srcport,dstport</order>
 </decoder>
 
+<!-- UFW firewall
+Example:
+ - Nov 18 13:39:49 UFW kernel: [10051.313745] [UFW BLOCK] IN=eth0 OUT= MAC=c2:56:27:73:33:cf:c4:f0:81:b0:93:24:08:00 SRC=205.205.205.205 DST=192.168.8.100 LEN=44 TOS=0x00 PREC=0x00 TTL=128 ID=43131 PROTO=UDP SPT=40952 DPT=23 LEN=194
+ - Nov 18 13:39:49 UFW kernel: [10051.313745] [UFW BLOCK] IN=eth0 OUT= MAC=01:00:5e:00:00:01:00:17:08:ae:7a:40:08:00 SRC=205.205.205.205 DST=192.168.8.100 LEN=44 TOS=0x00 PREC=0x00 TTL=1 ID=4949 PROTO=2
+-->
+
+<decoder name="iptables-UFW">
+   <parent>kernel</parent>
+   <type>firewall</type>
+   <prematch>^[\d+.\d+] [UFW \S+] IN=</prematch>
+   <regex>^[\d+.\d+] [UFW (\S+)]</regex>
+   <order>action</order>
+</decoder>
+
+<decoder name="iptables-UFW">
+   <parent>kernel</parent>
+   <type>firewall</type>
+   <regex offset="after_regex">SRC=(\S+) DST=(\S+)</regex>
+   <order>srcip,dstip</order>
+</decoder>
+
+<decoder name="iptables-UFW">
+   <parent>kernel</parent>
+   <type>firewall</type>
+   <regex offset="after_regex">PROTO=(\w+)</regex>
+   <order>protocol</order>
+</decoder>
+
+<decoder name="iptables-UFW">
+   <parent>kernel</parent>
+   <type>firewall</type>
+   <regex offset="after_regex">SPT=(\d+) DPT=(\d+) </regex>
+   <order>srcport,dstport</order>
+</decoder>
+
 <!-- apparmor
   - Jun 24 10:35:29 hostname kernel: [49787.970285] audit: type=1400 audit(1403598929.839:88986): apparmor="ALLOWED" operation="getattr" profile="/usr/sbin/dovecot//null-1//null-2//null-4a6" name="/home/admin/mails/new/" pid=19973 comm="imap" requested_mask="r" denied_mask="r" fsuid=1003 ouid=1003
   - Jul 14 11:03:47 hostname kernel: [ 8665.951930] type=1400 audit(1405328627.702:54): apparmor="DENIED" operation="open" profile="/usr/bin/evince" name="/etc/xfce4/defaults.list" pid=16418 comm="evince" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0