Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Fortigate issue 137 - (PR for v3.12) #552

Draft
wants to merge 11 commits into
base: master
Choose a base branch
from
Draft

Fortigate issue 137 - (PR for v3.12) #552

wants to merge 11 commits into from

Conversation

h0rv4th
Copy link

@h0rv4th h0rv4th commented Jan 30, 2020

Fortigate decoders and rules are fixed and improved to fit Fortigate's new logging format, maintaining backward compatibility with previous versions. Also, new kind of logs (like UTM-Virus) has been added.

2018 Jun 21 00:00:35 XXX->127.0.0.1 date=2018-06-21 time=03:00:35 devname="xxx" devid="FG123341414414" logid="111111111" type="traffic" subtype="forward" level="notice" vd="xxx" eventtime=111111111 srcip=127.0.0.1 srcport=11111 srcintf="port111" srcintfrole="undefined" dstip=127.0.0.1 dstport=1111 dstintf="xxxxx" dstintfrole="undefined" sessionid=122111221 proto=6 action="deny" policyid=1 policytype="policy" service="tcp/11111" dstcountry="xxxxx" srccountry="xxxx" trandisp="noop" duration=0 sentbyte=0 rcvdbyte=0 sentpkt=0 appcat="unscanned" crscore=111 craction=11111 crlevel="high"

**Phase 1: Completed pre-decoding.
       full event: '2018 Jun 21 00:00:35 XXX->127.0.0.1 date=2018-06-21 time=03:00:35 devname="xxx" devid="FG123341414414" logid="111111111" type="traffic" subtype="forward" level="notice" vd="xxx" eventtime=111111111 srcip=127.0.0.1 srcport=11111 srcintf="port111" srcintfrole="undefined" dstip=127.0.0.1 dstport=1111 dstintf="xxxxx" dstintfrole="undefined" sessionid=122111221 proto=6 action="deny" policyid=1 policytype="policy" service="tcp/11111" dstcountry="xxxxx" srccountry="xxxx" trandisp="noop" duration=0 sentbyte=0 rcvdbyte=0 sentpkt=0 appcat="unscanned" crscore=111 craction=11111 crlevel="high"'
       timestamp: '2018 Jun 21 00:00:35'
       hostname: 'manager1'
       program_name: '(null)'
       log: 'XXX->127.0.0.1 date=2018-06-21 time=03:00:35 devname="xxx" devid="FG123341414414" logid="111111111" type="traffic" subtype="forward" level="notice" vd="xxx" eventtime=111111111 srcip=127.0.0.1 srcport=11111 srcintf="port111" srcintfrole="undefined" dstip=127.0.0.1 dstport=1111 dstintf="xxxxx" dstintfrole="undefined" sessionid=122111221 proto=6 action="deny" policyid=1 policytype="policy" service="tcp/11111" dstcountry="xxxxx" srccountry="xxxx" trandisp="noop" duration=0 sentbyte=0 rcvdbyte=0 sentpkt=0 appcat="unscanned" crscore=111 craction=11111 crlevel="high"'

**Phase 2: Completed decoding.
       decoder: 'fortigate-firewall-v5'
       srcip: '127.0.0.1'
       srcport: '11111'
       dstip: '127.0.0.1'
       dstport: '1111'
       protocol: 'unscanned'

**Phase 3: Completed filtering (rules).
       Rule id: '81618'
       Level: '3'
       Description: 'Fortigate: Traffic to be aware of.'
**Alert to be generated.

2018 Jun 21 00:11:50 XXX->127.0.0.1 date=2018-06-21 time=03:11:49 devname="xxx" devid="FG123341414414" logid="111111111" type="utm" subtype="virus" eventtype="analytics" level="information" vd="xxx" eventtime=111111111 msg="File submitted to Sandbox." action="analytics" service="XXX" sessionid=11111111 srcip=127.0.0.1 dstip=127.0.0.1 srcport=111111 dstport=111 srcintf="port1" srcintfrole="undefined" dstintf="port1" dstintfrole="undefined" policyid=111 proto=1 direction="incoming" filename="xxx.xx" url="wwww.test.com/xxx.xx" profile="XXXX" agent="XXXX" analyticscksum="12k3jljfi1ljfo1jokfjko1ofk1jf" analyticssubmit="true"

**Phase 1: Completed pre-decoding.
       full event: '2018 Jun 21 00:11:50 XXX->127.0.0.1 date=2018-06-21 time=03:11:49 devname="xxx" devid="FG123341414414" logid="111111111" type="utm" subtype="virus" eventtype="analytics" level="information" vd="xxx" eventtime=111111111 msg="File submitted to Sandbox." action="analytics" service="XXX" sessionid=11111111 srcip=127.0.0.1 dstip=127.0.0.1 srcport=111111 dstport=111 srcintf="port1" srcintfrole="undefined" dstintf="port1" dstintfrole="undefined" policyid=111 proto=1 direction="incoming" filename="xxx.xx" url="wwww.test.com/xxx.xx" profile="XXXX" agent="XXXX" analyticscksum="12k3jljfi1ljfo1jokfjko1ofk1jf" analyticssubmit="true"'
       timestamp: '2018 Jun 21 00:11:50'
       hostname: 'manager1'
       program_name: '(null)'
       log: 'XXX->127.0.0.1 date=2018-06-21 time=03:11:49 devname="xxx" devid="FG123341414414" logid="111111111" type="utm" subtype="virus" eventtype="analytics" level="information" vd="xxx" eventtime=111111111 msg="File submitted to Sandbox." action="analytics" service="XXX" sessionid=11111111 srcip=127.0.0.1 dstip=127.0.0.1 srcport=111111 dstport=111 srcintf="port1" srcintfrole="undefined" dstintf="port1" dstintfrole="undefined" policyid=111 proto=1 direction="incoming" filename="xxx.xx" url="wwww.test.com/xxx.xx" profile="XXXX" agent="XXXX" analyticscksum="12k3jljfi1ljfo1jokfjko1ofk1jf" analyticssubmit="true"'

**Phase 2: Completed decoding.
       decoder: 'fortigate-firewall-v5'
       protocol: 'analytics'
       status: 'information'
       action: 'analytics'
       srcip: '127.0.0.1'
       dstip: '127.0.0.1'
       srcport: '111111'
       dstport: '111'
       fortigate.file_infected: 'xxx.xx'
       url: 'wwww.test.com/xxx.xx'

**Phase 3: Completed filtering (rules).
       Rule id: '81638'
       Level: '5'
       Description: 'Fortigate: Virus detected.'
**Alert to be generated.

2018 Jun 21 00:00:35 XXX->127.0.0.1 date=2018-06-21 time=03:00:35 devname="xxx" devid="FG123341414414" logid="111111111" type="utm" subtype="webfilter" eventtype="ftgd_allow" level="notice" vd="xxx" eventtime=111111111 policyid=111 sessionid=111111111 srcip=127.0.0.1 srcport=11111 srcintf="port1" srcintfrole="undefined" dstip=127.0.0.1 dstport=111 dstintf="port111" dstintfrole="undefined" proto=1 service="XXX" hostname="xxxxx.com" profile="xx" action="passthrough" reqtype="direct" url="/xxxxxxxxxxxx" sentbyte=11 rcvdbyte=111 direction="outgoing" msg="URL belongs to an allowed category in policy" method="domain" cat=50 catdesc="Information and Computer Security"

**Phase 1: Completed pre-decoding.
       full event: '2018 Jun 21 00:00:35 XXX->127.0.0.1 date=2018-06-21 time=03:00:35 devname="xxx" devid="FG123341414414" logid="111111111" type="utm" subtype="webfilter" eventtype="ftgd_allow" level="notice" vd="xxx" eventtime=111111111 policyid=111 sessionid=111111111 srcip=127.0.0.1 srcport=11111 srcintf="port1" srcintfrole="undefined" dstip=127.0.0.1 dstport=111 dstintf="port111" dstintfrole="undefined" proto=1 service="XXX" hostname="xxxxx.com" profile="xx" action="passthrough" reqtype="direct" url="/xxxxxxxxxxxx" sentbyte=11 rcvdbyte=111 direction="outgoing" msg="URL belongs to an allowed category in policy" method="domain" cat=50 catdesc="Information and Computer Security"'
       timestamp: '2018 Jun 21 00:00:35'
       hostname: 'manager1'
       program_name: '(null)'
       log: 'XXX->127.0.0.1 date=2018-06-21 time=03:00:35 devname="xxx" devid="FG123341414414" logid="111111111" type="utm" subtype="webfilter" eventtype="ftgd_allow" level="notice" vd="xxx" eventtime=111111111 policyid=111 sessionid=111111111 srcip=127.0.0.1 srcport=11111 srcintf="port1" srcintfrole="undefined" dstip=127.0.0.1 dstport=111 dstintf="port111" dstintfrole="undefined" proto=1 service="XXX" hostname="xxxxx.com" profile="xx" action="passthrough" reqtype="direct" url="/xxxxxxxxxxxx" sentbyte=11 rcvdbyte=111 direction="outgoing" msg="URL belongs to an allowed category in policy" method="domain" cat=50 catdesc="Information and Computer Security"'

**Phase 2: Completed decoding.
       decoder: 'fortigate-firewall-v5'
       status: 'notice'
       srcip: '127.0.0.1'
       srcport: '11111'
       dstip: '127.0.0.1'
       dstport: '111'
       url: 'xxxxx.com'
       action: 'passthrough'

**Phase 3: Completed filtering (rules).
       Rule id: '81640'
       Level: '1'
       Description: 'Fortigate: URL belongs to an allowed category.'

Original PR: #147
Author: @frgv

SitoRBJ and others added 11 commits June 22, 2018 17:08
@SitoRBJ
fix the issue #137
9401842 
We've adjusted the fortigate decoders so you can generate alerts when you receive events in a new format.
@frgv
Fortigate - Decoders and rules fixed
2aa2fc7 
Fixed fortigate decoders and rules to decode new fortigate format. GPDR tagging still needed.
@frgv
Added passthrough rule (Fortigate)
9b0d3c1
@SitoRBJ
GDPR groups added
e8f9c9c 
GDPR groups added to the new rules.
@SitoRBJ
Update 0390-fortigate_rules.xml
01b6394 
Typos fixed
@SitoRBJ
Update 0100-fortigate_decoders.xml
73dbb74 
We have added two traffic decoders to obtain the action and level fields.
Merge branch 'master' of https://github.com/wazuh/wazuh-ruleset into …
f6bec0d 
…fortigate-issue-137
@Lopuiz
corrected typos
1c55c30
@Lopuiz
resolved conflicts
15ac060
@Lopuiz
adds HIPAA and NIST standards to the label groups
42bd67a
@Lopuiz
adds HIPAA and NIST standards to the label groups
d701628
@vikman90 vikman90 changed the base branch from 3.12 to develop July 31, 2020 12:06
@vikman90 vikman90 changed the base branch from develop to master September 25, 2020 08:20
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@h0rv4th @SitoRBJ @frgv @Lopuiz