Jeff Marugg
2018-11-05 16:32:05 UTC
I had trouble with the default decoder and rule-set. I was able to work
through the issue. I will forward on my decoder and rule-set in hope of
saving time for others.
Log Example:
2018 Nov 02 11:17:22 192.77.77.1 id=firewall sn=0123456789 time="2018-11-02
10:17:22" fw=24.117.241.38 pri=6 c=16 m=32 msg="User login denied due to
bad credentials" sess=Web n=3 usr="administrator" src=192.168.33.58:0:X0
dst=192.168.33.1:443:X0 proto=tcp/https
./etc/decoders/local_decoder.xml
<decoder name="sonicwall">
<type>firewall</type>
<prematch>^id=\w+ sn=\w+ time=\S+ \S+ fw=\d+.\d+.\d+.\d+ pri=\d c=\d+ m=\d+</prematch>
<plugin_decoder>SonicWall_Decoder</plugin_decoder>
</decoder>
./etc/rules/local_rules.xml
<group name="syslog,sonicwall,">
<rule id="4812" level="9">
<if_sid>4806</if_sid>
<id>^30$|^32$</id>
<description>SonicWall: Firewall user authentication
failure.</description>
<group>authentication_failed,pci_dss_10.2.4,pci_dss_10.2.5,gpg13_3.6,gdpr_I$
</rule>
</group>
Hope this helps.
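To check a decoder prematch against a captured line before loading it into OSSEC, it helps to have a small stand-alone parser for the SonicWall key=value format. The script below is an added example written for this post, not Jeff's code and not part of OSSEC: it strips the syslog header, transcribes the post's prematch into Python regex syntax (an approximation, since OSSEC's regex dialect differs from Python's), splits the payload into fields, and applies the same m-code test the rule's <id>^30$|^32$</id> expresses. The rule's parent 4806 and the SonicWall_Decoder plugin are not modelled; the m-code set and the alert text are taken from the rule in the post.

```python
import re
from typing import Dict, Optional

# Sample line as posted above (constructed test input, not a live capture).
SAMPLE_LOG = (
    '2018 Nov 02 11:17:22 192.77.77.1 id=firewall sn=0123456789 '
    'time="2018-11-02 10:17:22" fw=24.117.241.38 pri=6 c=16 m=32 '
    'msg="User login denied due to bad credentials" sess=Web n=3 '
    'usr="administrator" src=192.168.33.58:0:X0 dst=192.168.33.1:443:X0 '
    'proto=tcp/https'
)

# Syslog header "YYYY Mon DD HH:MM:SS host " that OSSEC removes before
# the decoder's prematch is applied.
SYSLOG_HEADER = re.compile(r'^\d{4} \w{3} \d{2} \d{2}:\d{2}:\d{2} \S+ ')

# Python transcription of the prematch from the post (assumption: OSSEC's
# regex dialect is close enough for this check; dots are escaped here).
PREMATCH = re.compile(
    r'^id=\w+ sn=\w+ time=\S+ \S+ fw=\d+\.\d+\.\d+\.\d+ pri=\d c=\d+ m=\d+'
)

# key=value pairs; quoted values may contain spaces, unquoted ones may not.
KV = re.compile(r'(\w+)=("[^"]*"|\S+)')

# SonicWall message IDs the rule's <id>^30$|^32$</id> matches.
AUTH_FAILURE_IDS = {"30", "32"}
RULE_LEVEL = 9
RULE_DESCRIPTION = "SonicWall: Firewall user authentication failure."


def strip_syslog_header(line: str) -> str:
    """Return the SonicWall payload with the syslog prefix removed."""
    return SYSLOG_HEADER.sub("", line, count=1)


def prematch_ok(payload: str) -> bool:
    """True if the decoder prematch would claim this payload."""
    return PREMATCH.match(payload) is not None


def parse_fields(payload: str) -> Dict[str, str]:
    """Split the payload into a dict, dropping quotes around quoted values."""
    fields = {}
    for key, value in KV.findall(payload):
        fields[key] = value[1:-1] if value.startswith('"') else value
    return fields


def classify(line: str) -> Optional[Dict[str, object]]:
    """Apply the prematch and the rule's m-code test; None means no alert."""
    payload = strip_syslog_header(line)
    if not prematch_ok(payload):
        return None
    fields = parse_fields(payload)
    if fields.get("m") not in AUTH_FAILURE_IDS:
        return None
    return {
        "level": RULE_LEVEL,
        "description": RULE_DESCRIPTION,
        "usr": fields.get("usr"),
        "src": fields.get("src"),
        "dst": fields.get("dst"),
        "msg": fields.get("msg"),
    }


if __name__ == "__main__":
    print(classify(SAMPLE_LOG))
```

Run it against a few lines pulled from the SonicWall syslog feed; a line that the prematch rejects is the first thing to look at when the decoder does not fire in OSSEC, since the field split is only attempted after the prematch succeeds.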
Does anyone have any rules they have, and are willing to share in
terms of monitoring SonicWall Pro series firewalls?
Thank you.
--
---
You received this message because you are subscribed to the Google Groups "ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email to ossec-list+***@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.