Fortigate issue 137 #147

Closed
wants to merge 11 commits into from

@frgv frgv commented Jun 25, 2018

Fortigate decoders and rules are fixed and improved to fit Fortigate's new logging format, maintaining backward compatibility with previous versions. Also, new kinds of logs (like UTM-Virus) have been added.

2018 Jun 21 00:00:35 XXX->127.0.0.1 date=2018-06-21 time=03:00:35 devname="xxx" devid="FG123341414414" logid="111111111" type="traffic" subtype="forward" level="notice" vd="xxx" eventtime=111111111 srcip=127.0.0.1 srcport=11111 srcintf="port111" srcintfrole="undefined" dstip=127.0.0.1 dstport=1111 dstintf="xxxxx" dstintfrole="undefined" sessionid=122111221 proto=6 action="deny" policyid=1 policytype="policy" service="tcp/11111" dstcountry="xxxxx" srccountry="xxxx" trandisp="noop" duration=0 sentbyte=0 rcvdbyte=0 sentpkt=0 appcat="unscanned" crscore=111 craction=11111 crlevel="high"

**Phase 1: Completed pre-decoding.
       full event: '2018 Jun 21 00:00:35 XXX->127.0.0.1 date=2018-06-21 time=03:00:35 devname="xxx" devid="FG123341414414" logid="111111111" type="traffic" subtype="forward" level="notice" vd="xxx" eventtime=111111111 srcip=127.0.0.1 srcport=11111 srcintf="port111" srcintfrole="undefined" dstip=127.0.0.1 dstport=1111 dstintf="xxxxx" dstintfrole="undefined" sessionid=122111221 proto=6 action="deny" policyid=1 policytype="policy" service="tcp/11111" dstcountry="xxxxx" srccountry="xxxx" trandisp="noop" duration=0 sentbyte=0 rcvdbyte=0 sentpkt=0 appcat="unscanned" crscore=111 craction=11111 crlevel="high"'
       timestamp: '2018 Jun 21 00:00:35'
       hostname: 'manager1'
       program_name: '(null)'
       log: 'XXX->127.0.0.1 date=2018-06-21 time=03:00:35 devname="xxx" devid="FG123341414414" logid="111111111" type="traffic" subtype="forward" level="notice" vd="xxx" eventtime=111111111 srcip=127.0.0.1 srcport=11111 srcintf="port111" srcintfrole="undefined" dstip=127.0.0.1 dstport=1111 dstintf="xxxxx" dstintfrole="undefined" sessionid=122111221 proto=6 action="deny" policyid=1 policytype="policy" service="tcp/11111" dstcountry="xxxxx" srccountry="xxxx" trandisp="noop" duration=0 sentbyte=0 rcvdbyte=0 sentpkt=0 appcat="unscanned" crscore=111 craction=11111 crlevel="high"'

**Phase 2: Completed decoding.
       decoder: 'fortigate-firewall-v5'
       srcip: '127.0.0.1'
       srcport: '11111'
       dstip: '127.0.0.1'
       dstport: '1111'
       protocol: 'unscanned'

**Phase 3: Completed filtering (rules).
       Rule id: '81618'
       Level: '3'
       Description: 'Fortigate: Traffic to be aware of.'
**Alert to be generated.

2018 Jun 21 00:11:50 XXX->127.0.0.1 date=2018-06-21 time=03:11:49 devname="xxx" devid="FG123341414414" logid="111111111" type="utm" subtype="virus" eventtype="analytics" level="information" vd="xxx" eventtime=111111111 msg="File submitted to Sandbox." action="analytics" service="XXX" sessionid=11111111 srcip=127.0.0.1 dstip=127.0.0.1 srcport=111111 dstport=111 srcintf="port1" srcintfrole="undefined" dstintf="port1" dstintfrole="undefined" policyid=111 proto=1 direction="incoming" filename="xxx.xx" url="wwww.test.com/xxx.xx" profile="XXXX" agent="XXXX" analyticscksum="12k3jljfi1ljfo1jokfjko1ofk1jf" analyticssubmit="true"

**Phase 1: Completed pre-decoding.
       full event: '2018 Jun 21 00:11:50 XXX->127.0.0.1 date=2018-06-21 time=03:11:49 devname="xxx" devid="FG123341414414" logid="111111111" type="utm" subtype="virus" eventtype="analytics" level="information" vd="xxx" eventtime=111111111 msg="File submitted to Sandbox." action="analytics" service="XXX" sessionid=11111111 srcip=127.0.0.1 dstip=127.0.0.1 srcport=111111 dstport=111 srcintf="port1" srcintfrole="undefined" dstintf="port1" dstintfrole="undefined" policyid=111 proto=1 direction="incoming" filename="xxx.xx" url="wwww.test.com/xxx.xx" profile="XXXX" agent="XXXX" analyticscksum="12k3jljfi1ljfo1jokfjko1ofk1jf" analyticssubmit="true"'
       timestamp: '2018 Jun 21 00:11:50'
       hostname: 'manager1'
       program_name: '(null)'
       log: 'XXX->127.0.0.1 date=2018-06-21 time=03:11:49 devname="xxx" devid="FG123341414414" logid="111111111" type="utm" subtype="virus" eventtype="analytics" level="information" vd="xxx" eventtime=111111111 msg="File submitted to Sandbox." action="analytics" service="XXX" sessionid=11111111 srcip=127.0.0.1 dstip=127.0.0.1 srcport=111111 dstport=111 srcintf="port1" srcintfrole="undefined" dstintf="port1" dstintfrole="undefined" policyid=111 proto=1 direction="incoming" filename="xxx.xx" url="wwww.test.com/xxx.xx" profile="XXXX" agent="XXXX" analyticscksum="12k3jljfi1ljfo1jokfjko1ofk1jf" analyticssubmit="true"'

**Phase 2: Completed decoding.
       decoder: 'fortigate-firewall-v5'
       protocol: 'analytics'
       status: 'information'
       action: 'analytics'
       srcip: '127.0.0.1'
       dstip: '127.0.0.1'
       srcport: '111111'
       dstport: '111'
       fortigate.file_infected: 'xxx.xx'
       url: 'wwww.test.com/xxx.xx'

**Phase 3: Completed filtering (rules).
       Rule id: '81638'
       Level: '5'
       Description: 'Fortigate: Virus detected.'
**Alert to be generated.

2018 Jun 21 00:00:35 XXX->127.0.0.1 date=2018-06-21 time=03:00:35 devname="xxx" devid="FG123341414414" logid="111111111" type="utm" subtype="webfilter" eventtype="ftgd_allow" level="notice" vd="xxx" eventtime=111111111 policyid=111 sessionid=111111111 srcip=127.0.0.1 srcport=11111 srcintf="port1" srcintfrole="undefined" dstip=127.0.0.1 dstport=111 dstintf="port111" dstintfrole="undefined" proto=1 service="XXX" hostname="xxxxx.com" profile="xx" action="passthrough" reqtype="direct" url="/xxxxxxxxxxxx" sentbyte=11 rcvdbyte=111 direction="outgoing" msg="URL belongs to an allowed category in policy" method="domain" cat=50 catdesc="Information and Computer Security"

**Phase 1: Completed pre-decoding.
       full event: '2018 Jun 21 00:00:35 XXX->127.0.0.1 date=2018-06-21 time=03:00:35 devname="xxx" devid="FG123341414414" logid="111111111" type="utm" subtype="webfilter" eventtype="ftgd_allow" level="notice" vd="xxx" eventtime=111111111 policyid=111 sessionid=111111111 srcip=127.0.0.1 srcport=11111 srcintf="port1" srcintfrole="undefined" dstip=127.0.0.1 dstport=111 dstintf="port111" dstintfrole="undefined" proto=1 service="XXX" hostname="xxxxx.com" profile="xx" action="passthrough" reqtype="direct" url="/xxxxxxxxxxxx" sentbyte=11 rcvdbyte=111 direction="outgoing" msg="URL belongs to an allowed category in policy" method="domain" cat=50 catdesc="Information and Computer Security"'
       timestamp: '2018 Jun 21 00:00:35'
       hostname: 'manager1'
       program_name: '(null)'
       log: 'XXX->127.0.0.1 date=2018-06-21 time=03:00:35 devname="xxx" devid="FG123341414414" logid="111111111" type="utm" subtype="webfilter" eventtype="ftgd_allow" level="notice" vd="xxx" eventtime=111111111 policyid=111 sessionid=111111111 srcip=127.0.0.1 srcport=11111 srcintf="port1" srcintfrole="undefined" dstip=127.0.0.1 dstport=111 dstintf="port111" dstintfrole="undefined" proto=1 service="XXX" hostname="xxxxx.com" profile="xx" action="passthrough" reqtype="direct" url="/xxxxxxxxxxxx" sentbyte=11 rcvdbyte=111 direction="outgoing" msg="URL belongs to an allowed category in policy" method="domain" cat=50 catdesc="Information and Computer Security"'

**Phase 2: Completed decoding.
       decoder: 'fortigate-firewall-v5'
       status: 'notice'
       srcip: '127.0.0.1'
       srcport: '11111'
       dstip: '127.0.0.1'
       dstport: '111'
       url: 'xxxxx.com'
       action: 'passthrough'

**Phase 3: Completed filtering (rules).
       Rule id: '81640'
       Level: '1'
       Description: 'Fortigate: URL belongs to an allowed category.'

SitoRBJ and others added 3 commits June 22, 2018 17:08
We've adjusted the fortigate decoders so you can generate alerts when you receive events in a new format.
Fixed fortigate decoders and rules to decode new fortigate format. GDPR tagging still needed.
GDPR groups added to the new rules.

@SitoRBJ SitoRBJ left a comment

All new event formats have been tested and the corresponding rules have been triggered correctly.

Great job by frgv.

Kind regards,

Alfonso Ruiz-Bravo

We have added two traffic decoders to obtain the action and level fields.

SitoRBJ commented Aug 28, 2018

Hello team,

We have added two traffic decoders to get the action and level fields, according to issue #168:

<decoder name="fortigate-firewall-v5-traffic">
    <parent>fortigate-firewall-v5</parent>
    <prematch offset="after_parent">type=traffic|type="traffic"</prematch>
    <regex offset="after_prematch">\.*level="(\S+)"|\.*level=(\S+),|\.*level=(\S+) </regex>
    <order>level</order>
</decoder>
. . . 
<decoder name="fortigate-firewall-v5-traffic">
    <parent>fortigate-firewall-v5</parent>
    <regex offset="after_regex">\.*action="(\S+)"|\.*action=(\S+),|\.*action=(\S+) </regex>
    <order>action</order>
</decoder>
  • Logtest
date=2016-06-16 time=10:49:08 devname=Device_Name devid=FGTXXXX9999999999 logid=0000000013 type=traffic subtype=forward level=notice vd=root srcip=4.3.5.161 srcport=51082 srcintf="internal1" dstip=54.192.197.185 dstport=80 dstintf="wan1" poluuid=d6217c58-8c42-51e5-c3a6-c7766895cbfd sessionid=199618 proto=6 action=deny policyid=8 dstcountry="United States" srccountry="Reserved" trandisp=snat transip=160.242.8.82 transport=51082 service="HTTP" appid=6 app="BitTorrent" appcat="P2P" apprisk=high applist="default" appact=drop-session duration=3 sentbyte=60 rcvdbyte=3050 sentpkt=1 utmaction=block countapp=1 crscore=5 craction=1048576


**Phase 1: Completed pre-decoding.
       full event: 'date=2016-06-16 time=10:49:08 devname=Device_Name devid=FGTXXXX9999999999 logid=0000000013 type=traffic subtype=forward level=notice vd=root srcip=4.3.5.161 srcport=51082 srcintf="internal1" dstip=54.192.197.185 dstport=80 dstintf="wan1" poluuid=d6217c58-8c42-51e5-c3a6-c7766895cbfd sessionid=199618 proto=6 action=deny policyid=8 dstcountry="United States" srccountry="Reserved" trandisp=snat transip=160.242.8.82 transport=51082 service="HTTP" appid=6 app="BitTorrent" appcat="P2P" apprisk=high applist="default" appact=drop-session duration=3 sentbyte=60 rcvdbyte=3050 sentpkt=1 utmaction=block countapp=1 crscore=5 craction=1048576'
       timestamp: '(null)'
       hostname: 'manager'
       program_name: '(null)'
       log: 'date=2016-06-16 time=10:49:08 devname=Device_Name devid=FGTXXXX9999999999 logid=0000000013 type=traffic subtype=forward level=notice vd=root srcip=4.3.5.161 srcport=51082 srcintf="internal1" dstip=54.192.197.185 dstport=80 dstintf="wan1" poluuid=d6217c58-8c42-51e5-c3a6-c7766895cbfd sessionid=199618 proto=6 action=deny policyid=8 dstcountry="United States" srccountry="Reserved" trandisp=snat transip=160.242.8.82 transport=51082 service="HTTP" appid=6 app="BitTorrent" appcat="P2P" apprisk=high applist="default" appact=drop-session duration=3 sentbyte=60 rcvdbyte=3050 sentpkt=1 utmaction=block countapp=1 crscore=5 craction=1048576'

**Phase 2: Completed decoding.
       decoder: 'fortigate-firewall-v5'
       level: 'notice'
       srcip: '4.3.5.161'
       srcport: '51082'
       dstip: '54.192.197.185'
       dstport: '80'
       action: 'deny'
       protocol: 'P2P'
       status: 'high'

**Phase 3: Completed filtering (rules).
       Rule id: '81618'
       Level: '3'
       Description: 'Fortigate: Traffic to be aware of.'
**Alert to be generated.

Kind regards,

Alfonso Ruiz-Bravo
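
An added example, not part of the pull request or of Wazuh's code: a Python sketch of the field extraction the decoders above perform, accepting the quoted (`level="notice"`), bare (`level=notice`) and comma-terminated forms and anchoring each key at a field boundary so that `action` is never read out of `utmaction` or `craction`. The function names and the two shortened sample lines are constructed for illustration, and the `naive_action` contrast describes Python's regex engine only, not OSSEC's.

```python
import re

# One key=value pair. The key must start at a field boundary (line start,
# whitespace or comma); the value is a double-quoted string or a bare token.
_PAIR = re.compile(r'(?<![^\s,])(\w+)=(?:"([^"]*)"|([^\s,]*))')

# Fields the decoders in this thread extract from traffic events.
WANTED = ("type", "level", "action", "srcip", "srcport", "dstip", "dstport")

# Constructed samples, shortened from the log lines quoted in this thread.
NEW_FORMAT = (
    'date=2018-06-21 time=03:00:35 devname="xxx" type="traffic" '
    'subtype="forward" level="notice" srcip=127.0.0.1 srcport=11111 '
    'dstip=127.0.0.1 dstport=1111 action="deny" service="tcp/11111" '
    'appcat="unscanned" crscore=111 craction=11111 crlevel="high"'
)
OLD_FORMAT = (
    'date=2016-06-16 time=10:49:08 devname=Device_Name type=traffic '
    'subtype=forward level=notice srcip=4.3.5.161 srcport=51082 '
    'dstip=54.192.197.185 dstport=80 action=deny dstcountry="United States" '
    'app="BitTorrent" appcat="P2P" utmaction=block crscore=5 craction=1048576'
)


def parse_pairs(line):
    """Return every key=value pair in a FortiGate log line as a dict."""
    fields = {}
    for match in _PAIR.finditer(line):
        key, quoted, bare = match.groups()
        value = quoted if quoted is not None else bare
        fields.setdefault(key, value)  # first occurrence of a key wins
    return fields


def decode_traffic(line):
    """Return the wanted fields of a traffic event, or None for other types."""
    fields = parse_pairs(line)
    if fields.get("type") != "traffic":
        return None
    return {key: fields[key] for key in WANTED if key in fields}


def naive_action(line):
    """Greedy search with no field boundary, shown only for contrast:
    in Python it lands on the last 'action=' substring in the line."""
    match = re.search(r'.*action="?([^"\s,]+)', line)
    return match.group(1) if match else None


if __name__ == "__main__":
    for name, line in (("new", NEW_FORMAT), ("old", OLD_FORMAT)):
        print(name, "decoded:", decode_traffic(line))
        print(name, "naive action:", naive_action(line))
```

Both sample lines decode to the same `level` and `action` values despite the different quoting, while the unanchored search returns the `craction` value instead.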

@SitoRBJ SitoRBJ changed the base branch from 3.3 to 3.7 September 12, 2018 09:40
@jesuslinares jesuslinares requested review from migruiz4, SitoRBJ and jesuslinares and removed request for SitoRBJ October 16, 2018 12:56
@migruiz4 migruiz4 changed the base branch from 3.7 to master October 16, 2018 18:08
@fillipejs

On my Fortigate with firmware 6 it worked like a charm!!

Has this been committed yet? I pulled the code from master but these changes seem not to be present... push it ASAP if you can, will help a lot of people.

Thank you very much!

@migruiz4 migruiz4 changed the base branch from master to 3.8 January 25, 2019 18:53
@migruiz4 migruiz4 changed the base branch from 3.8 to master January 25, 2019 18:55
@Enaxadrel

Hello,

I use Wazuh and, after each update, I must rewrite these files to decode logs for Fortigate 5.6.
The new decoder isn't updated in the Wazuh master branch.
Are there problems with the new code?

Thank you in advance for your answers ^^

@LFBernardo

@Enaxadrel you can add it to your custom decoder, it will remain even after update.

@Enaxadrel

Thank you for your answer.
I use the modified decoder of this issue and there was a problem when I used it with the local_decoder file (conflict) but I have solved this and all my logs are decoded now.

Sorry if I have used the wrong place for this problem, this is my first use of GitHub.

@Lopuiz Lopuiz changed the base branch from master to 3.10 July 30, 2019 06:47
@Lopuiz Lopuiz removed the request for review from migruiz4 July 30, 2019 06:49

@Lopuiz Lopuiz left a comment

Hello team!

I've tested it and it seems to work fine. Rules and decoders work correctly:

lopezziur-S551LN ossec # bin/ossec-logtest 
2019/07/30 09:05:26 ossec-testrule: INFO: Started (pid: 10338).
ossec-testrule: Type one log per line.

2019 Jul 25 14:53:17 log01->XXX.XXX.XXX.XXX date=2019-07-25 time=13:53:16 devname="MyFortinetDevice" devid="FG800C3913801163" logid="0000000013" type="traffic" subtype="forward" level="notice" vd="root" eventtime=1564080796 srcip=XXX.XXX.XXX.XXX srcname="SOME-PC" srcport=64306 srcintf="netprt_office" srcintfrole="lan" dstip=XXX.XXX.XXX.XXX dstport=443 dstintf="netprt_inscope" dstintfrole="lan" poluuid="d4dc65a0-6a43-51e4-c73d-71cf9316c554" sessionid=2209333306 proto=6 action="close" user="FAKEUSER" policyid=153 policytype="policy" service="HTTPS" dstcountry="Reserved" srccountry="Reserved" trandisp="noop" duration=55 sentbyte=132 rcvdbyte=132 sentpkt=3 rcvdpkt=3 appcat="unscanned" devtype="Windows PC" osname="Windows" osversion="7 or 8" mastersrcmac="00:de:ad:be:ef:de:00" srcmac="00:de:ad:be:ef:de:00" srcserver=0 dstdevtype="Linux PC" dstosname="Linux" dstosversion="(x64)" masterdstmac="00:de:ad:be:ef:de:00" dstmac="00:de:ad:be:ef:de:00" dstserver=1


**Phase 1: Completed pre-decoding.
       full event: '2019 Jul 25 14:53:17 log01->XXX.XXX.XXX.XXX date=2019-07-25 time=13:53:16 devname="MyFortinetDevice" devid="FG800C3913801163" logid="0000000013" type="traffic" subtype="forward" level="notice" vd="root" eventtime=1564080796 srcip=XXX.XXX.XXX.XXX srcname="SOME-PC" srcport=64306 srcintf="netprt_office" srcintfrole="lan" dstip=XXX.XXX.XXX.XXX dstport=443 dstintf="netprt_inscope" dstintfrole="lan" poluuid="d4dc65a0-6a43-51e4-c73d-71cf9316c554" sessionid=2209333306 proto=6 action="close" user="FAKEUSER" policyid=153 policytype="policy" service="HTTPS" dstcountry="Reserved" srccountry="Reserved" trandisp="noop" duration=55 sentbyte=132 rcvdbyte=132 sentpkt=3 rcvdpkt=3 appcat="unscanned" devtype="Windows PC" osname="Windows" osversion="7 or 8" mastersrcmac="00:de:ad:be:ef:de:00" srcmac="00:de:ad:be:ef:de:00" srcserver=0 dstdevtype="Linux PC" dstosname="Linux" dstosversion="(x64)" masterdstmac="00:de:ad:be:ef:de:00" dstmac="00:de:ad:be:ef:de:00" dstserver=1'
       timestamp: '2019 Jul 25 14:53:17'
       hostname: 'lopezziur-S551LN'
       program_name: '(null)'
       log: 'log01->XXX.XXX.XXX.XXX date=2019-07-25 time=13:53:16 devname="MyFortinetDevice" devid="FG800C3913801163" logid="0000000013" type="traffic" subtype="forward" level="notice" vd="root" eventtime=1564080796 srcip=XXX.XXX.XXX.XXX srcname="SOME-PC" srcport=64306 srcintf="netprt_office" srcintfrole="lan" dstip=XXX.XXX.XXX.XXX dstport=443 dstintf="netprt_inscope" dstintfrole="lan" poluuid="d4dc65a0-6a43-51e4-c73d-71cf9316c554" sessionid=2209333306 proto=6 action="close" user="FAKEUSER" policyid=153 policytype="policy" service="HTTPS" dstcountry="Reserved" srccountry="Reserved" trandisp="noop" duration=55 sentbyte=132 rcvdbyte=132 sentpkt=3 rcvdpkt=3 appcat="unscanned" devtype="Windows PC" osname="Windows" osversion="7 or 8" mastersrcmac="00:de:ad:be:ef:de:00" srcmac="00:de:ad:be:ef:de:00" srcserver=0 dstdevtype="Linux PC" dstosname="Linux" dstosversion="(x64)" masterdstmac="00:de:ad:be:ef:de:00" dstmac="00:de:ad:be:ef:de:00" dstserver=1'

**Phase 2: Completed decoding.
       decoder: 'fortigate-firewall-v5'
       level: 'notice'
       srcip: 'XXX.XXX.XXX.XXX'
       srcport: '64306'
       dstip: 'XXX.XXX.XXX.XXX'
       dstport: '443'
       action: 'close'
       protocol: 'unscanned'

**Phase 3: Completed filtering (rules).
       Rule id: '81618'
       Level: '3'
       Description: 'Fortigate: Traffic to be aware of.'
**Alert to be generated.



2019 Jul 25 14:53:17 log01->XXX.XXX.XXX.XXX date=2019-07-25 time=13:53:16 devname="MyFortinetDevice" devid="FG800C3913801163" logid="0000000013" type="traffic" subtype="forward" level="notice" vd="root" eventtime=1564080796 srcip=XXX.XXX.XXX.XXX srcname="SOME-PC" srcport=55105 srcintf="netprt_office" srcintfrole="lan" dstip=XXX.XXX.XXX.XXX dstport=53 dstintf="netprt_cde" dstintfrole="wan" poluuid="86fcb9c6-3dcf-51e8-c853-db98f216b8d8" sessionid=2209322167 proto=17 action="accept" user="FAKEUSER" policyid=374 policytype="policy" service="DNS" dstcountry="Reserved" srccountry="Reserved" trandisp="noop" duration=180 sentbyte=75 rcvdbyte=91 sentpkt=1 rcvdpkt=1 appcat="unscanned" devtype="Windows PC" osname="Windows" osversion="7 or 8" mastersrcmac="00:de:ad:be:ef:de:00" srcmac="00:de:ad:be:ef:de:00" srcserver=0


**Phase 1: Completed pre-decoding.
       full event: '2019 Jul 25 14:53:17 log01->XXX.XXX.XXX.XXX date=2019-07-25 time=13:53:16 devname="MyFortinetDevice" devid="FG800C3913801163" logid="0000000013" type="traffic" subtype="forward" level="notice" vd="root" eventtime=1564080796 srcip=XXX.XXX.XXX.XXX srcname="SOME-PC" srcport=55105 srcintf="netprt_office" srcintfrole="lan" dstip=XXX.XXX.XXX.XXX dstport=53 dstintf="netprt_cde" dstintfrole="wan" poluuid="86fcb9c6-3dcf-51e8-c853-db98f216b8d8" sessionid=2209322167 proto=17 action="accept" user="FAKEUSER" policyid=374 policytype="policy" service="DNS" dstcountry="Reserved" srccountry="Reserved" trandisp="noop" duration=180 sentbyte=75 rcvdbyte=91 sentpkt=1 rcvdpkt=1 appcat="unscanned" devtype="Windows PC" osname="Windows" osversion="7 or 8" mastersrcmac="00:de:ad:be:ef:de:00" srcmac="00:de:ad:be:ef:de:00" srcserver=0'
       timestamp: '2019 Jul 25 14:53:17'
       hostname: 'lopezziur-S551LN'
       program_name: '(null)'
       log: 'log01->XXX.XXX.XXX.XXX date=2019-07-25 time=13:53:16 devname="MyFortinetDevice" devid="FG800C3913801163" logid="0000000013" type="traffic" subtype="forward" level="notice" vd="root" eventtime=1564080796 srcip=XXX.XXX.XXX.XXX srcname="SOME-PC" srcport=55105 srcintf="netprt_office" srcintfrole="lan" dstip=XXX.XXX.XXX.XXX dstport=53 dstintf="netprt_cde" dstintfrole="wan" poluuid="86fcb9c6-3dcf-51e8-c853-db98f216b8d8" sessionid=2209322167 proto=17 action="accept" user="FAKEUSER" policyid=374 policytype="policy" service="DNS" dstcountry="Reserved" srccountry="Reserved" trandisp="noop" duration=180 sentbyte=75 rcvdbyte=91 sentpkt=1 rcvdpkt=1 appcat="unscanned" devtype="Windows PC" osname="Windows" osversion="7 or 8" mastersrcmac="00:de:ad:be:ef:de:00" srcmac="00:de:ad:be:ef:de:00" srcserver=0'

**Phase 2: Completed decoding.
       decoder: 'fortigate-firewall-v5'
       level: 'notice'
       srcip: 'XXX.XXX.XXX.XXX'
       srcport: '55105'
       dstip: 'XXX.XXX.XXX.XXX'
       dstport: '53'
       action: 'accept'
       protocol: 'unscanned'

**Phase 3: Completed filtering (rules).
       Rule id: '81618'
       Level: '3'
       Description: 'Fortigate: Traffic to be aware of.'
**Alert to be generated.

And the runtests pass:

lopezziur@lopezziur-S551LN ~/repositorios/wazuh-ruleset/tools/rules-testing $ sudo python runtests.py 
[sudo] password for lopezziur: 
- [ File = ./tests/pam.ini ] ---------
.....
- [ File = ./tests/apache.ini ] ---------
............
- [ File = ./tests/rsh.ini ] ---------
..
- [ File = ./tests/systemd.ini ] ---------
.
- [ File = ./tests/mailscanner.ini ] ---------
.
- [ File = ./tests/opensmtpd.ini ] ---------
.......
- [ File = ./tests/modsecurity.ini ] ---------
......
- [ File = ./tests/su.ini ] ---------
.....
- [ File = ./tests/apparmor.ini ] ---------
.....
- [ File = ./tests/netscreen.ini ] ---------
....
- [ File = ./tests/syslog.ini ] ---------
.....
- [ File = ./tests/nginx.ini ] ---------
............
- [ File = ./tests/web_rules.ini ] ---------
.....
- [ File = ./tests/doas.ini ] ---------
....
- [ File = ./tests/oscap.ini ] ---------
................................
- [ File = ./tests/sudo.ini ] ---------
........
- [ File = ./tests/sshd.ini ] ---------
...........................
- [ File = ./tests/samba.ini ] ---------
....
- [ File = ./tests/proftpd.ini ] ---------
.......
- [ File = ./tests/vsftpd.ini ] ---------
....
- [ File = ./tests/cisco_ios.ini ] ---------
.....
- [ File = ./tests/sysmon.ini ] ---------
...
- [ File = ./tests/firewalld.ini ] ---------
..
- [ File = ./tests/cimserver.ini ] ---------
..
- [ File = ./tests/postfix.ini ] ---------
..
- [ File = ./tests/cpanel.ini ] ---------
.......
- [ File = ./tests/named.ini ] ---------
.....
- [ File = ./tests/unbound.ini ] ---------

- [ File = ./tests/exim.ini ] ---------
.....
- [ File = ./tests/ossec.ini ] ---------
.....
- [ File = ./tests/web_appsec.ini ] ---------
...............................
- [ File = ./tests/dovecot.ini ] ---------
...............

Regards, Eva

@Lopuiz Lopuiz requested a review from bah07 July 30, 2019 08:36
@Lopuiz Lopuiz added this to In progress in Wazuh 3.10.0 via automation Aug 13, 2019
@Lopuiz Lopuiz moved this from In progress to Reviewer approved in Wazuh 3.10.0 Aug 13, 2019
@Lopuiz Lopuiz added this to In progress in Wazuh 3.11.0 via automation Aug 14, 2019
@Lopuiz Lopuiz self-requested a review August 14, 2019 08:46

@Lopuiz Lopuiz left a comment

Hi!

It should be noted what this user reports about it.

Regards, Eva

@chemamartinez chemamartinez moved this from In progress to Under review in Wazuh 3.11.0 Aug 14, 2019
@chemamartinez chemamartinez removed this from Reviewer approved in Wazuh 3.10.0 Aug 14, 2019
@Lopuiz Lopuiz self-requested a review August 14, 2019 08:48
This was referenced Jan 30, 2020
@vikman90 vikman90 closed this Jul 31, 2020