Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

0050-checkpoint_decoders.xml updated #156

Closed
wants to merge 1 commit into from
Closed

0050-checkpoint_decoders.xml updated #156

wants to merge 1 commit into from

Conversation

SitoRBJ
Copy link
Contributor

@SitoRBJ SitoRBJ commented Jul 10, 2018
edited

We have fixed two decoders because they do not read well the formats of certain events depending on the blank spaces that could exist.

If we received an event with the following format:

Feb 17 00:01:02 HostWazuh Checkpoint: 21Aug2007 14:49:26 drop 10.10.10.1 >eth4 rule: 102; rule_uid: {00000000-0000-0000-0000-000000000000}; ICMP: Echo Request; src: 10.10.10.2; dst: 10.10.10.3; proto: icmp; ICMP Type: 8; ICMP Code: 0; product: VPN-1 & FireWall-1;

Specifically in this section:

Checkpoint: 21Aug2007

In the pre-decoding phase, the blank space after the "program_name" (Checkpoint:) was deleted but the decoder was forced to read it.

<decoder name="checkpoint-syslog">
  <program_name>^Checkpoint</program_name>
  <prematch>^\s+\S+ \d\d:\d\d:\d\d </prematch>
</decoder>

Feb 17 00:01:02 HostWazuh Checkpoint: 21Aug2007 14:49:26 drop   10.10.10.1 >eth4 rule: 102; rule_uid: {00000000-0000-0000-0000-000000000000}; ICMP: Echo Request; src: 10.10.10.2; dst: 10.10.10.3; proto: icmp; ICMP Type: 8; ICMP Code: 0; product: VPN-1 & FireWall-1;


**Phase 1: Completed pre-decoding.
       full event: 'Feb 17 00:01:02 HostWazuh Checkpoint: 21Aug2007 14:49:26 drop   10.10.10.1 >eth4 rule: 102; rule_uid: {00000000-0000-0000-0000-000000000000}; ICMP: Echo Request; src: 10.10.10.2; dst: 10.10.10.3; proto: icmp; ICMP Type: 8; ICMP Code: 0; product: VPN-1 & FireWall-1;'
       timestamp: 'Feb 17 00:01:02'
       hostname: 'HostWazuh'
       program_name: 'Checkpoint'
       log: '21Aug2007 14:49:26 drop   10.10.10.1 >eth4 rule: 102; rule_uid: {00000000-0000-0000-0000-000000000000}; ICMP: Echo Request; src: 10.10.10.2; dst: 10.10.10.3; proto: icmp; ICMP Type: 8; ICMP Code: 0; product: VPN-1 & FireWall-1;'

**Phase 2: Completed decoding.
       No decoder matched.

We have changed the decoder so it doesn't have to read the blank space:

<decoder name="checkpoint-syslog">
  <program_name>^Checkpoint</program_name>
  <prematch>^\s*\S+ \d\d:\d\d:\d\d </prematch>
</decoder>

Feb 17 00:01:02 HostWazuh Checkpoint: 21Aug2007 14:49:26 drop   10.10.10.1 >eth4 rule: 102; rule_uid: {00000000-0000-0000-0000-000000000000}; ICMP: Echo Request; src: 10.10.10.2; dst: 10.10.10.3; proto: icmp; ICMP Type: 8; ICMP Code: 0; product: VPN-1 & FireWall-1


**Phase 1: Completed pre-decoding.
       full event: 'Feb 17 00:01:02 HostWazuh Checkpoint: 21Aug2007 14:49:26 drop   10.10.10.1 >eth4 rule: 102; rule_uid: {00000000-0000-0000-0000-000000000000}; ICMP: Echo Request; src: 10.10.10.2; dst: 10.10.10.3; proto: icmp; ICMP Type: 8; ICMP Code: 0; product: VPN-1 & FireWall-1'
       timestamp: 'Feb 17 00:01:02'
       hostname: 'HostWazuh'
       program_name: 'Checkpoint'
       log: '21Aug2007 14:49:26 drop   10.10.10.1 >eth4 rule: 102; rule_uid: {00000000-0000-0000-0000-000000000000}; ICMP: Echo Request; src: 10.10.10.2; dst: 10.10.10.3; proto: icmp; ICMP Type: 8; ICMP Code: 0; product: VPN-1 & FireWall-1'

**Phase 2: Completed decoding.
       decoder: 'checkpoint-syslog'
       action: 'drop'
       srcip: '10.10.10.2'
       dstip: '10.10.10.3'
       protocol: 'icmp'

**Phase 3: Completed filtering (rules).
       Rule id: '4100'
       Level: '0'
       Description: 'Firewall rules grouped.'

Additionally, we have adapted a second decoder so that it can read events with a different format, where there may be blank spaces in the body of the event.

For example:

Apr 10 20:43:34 ngman Checkpoint: 10Apr2018 20:43:33 monitor 10.10.1.12 <bond0 Protection Name:Header Rejection;Severity:4;Confidence Level:4;protection_id:HttpHeaderRejection;SmartDefense Profile:SU2_Protection;Performance Impact:2;Industry Reference:CVE-2002-0032, CAN-2003-0237, CAN-2002-0254, CVE-2002-0155, CAN-2003-0397, CAN-2002-0314;Protection Type:protection;Signature Info:^User-Agent[^I ]*:[^I ]*.*esb|ESB;Update Version:634182243;rule:26;rule_uid:{405CB782-3274-4D7F-8AAA-4FB24CE726A0};resource:http://dnl-02.geo.kaspersky.com/bases/av/kdb/i386/kdb-i386-1211g.xml.klz;reject_id:5accf7c4-10053-c00080a-c0000003;web_client_type:Other: *BcfBAAAAgCCAAEFBAAwQfKXVzrzGvyfPESboPxow0mHhxRLAXAQAAIAAKAA=;Attack Info:WSE0100001 header rejection pattern found in request;attack:Header Rejection;src:10.36.52.125;dst:94.75.236.122;proto:6;proxy_src_ip:10.36.52.125;product:SmartDefense;service:80;s_port:51642;FollowUp:Not Followed;product_family:Network
In this case, the resulting decoder is:

<decoder name="checkpoint-syslog-ids">
  <parent>checkpoint-syslog</parent>
  <type>ids</type>
  <prematch offset="after_parent">^monitor|^drop</prematch>
  <regex offset="after_prematch">attack:\s*(\.+);\s*</regex>
  <regex>src:\s*(\S+);\s*dst:\s*(\S+);\s*</regex>
  <regex>proto:\s*(\S+);</regex>
  <order>extra_data, srcip, dstip, protocol</order>
  <fts>name, extra_data, srcip, dstip</fts>
  <ftscomment>First time Checkpoint rule fired.</ftscomment>
</decoder>


Apr 10 20:43:34 ngman Checkpoint: 10Apr2018 20:43:33 monitor 10.10.1.12  <bond0 Protection Name:Header Rejection;Severity:4;Confidence Level:4;protection_id:HttpHeaderRejection;SmartDefense Profile:SU2_Protection;Performance Impact:2;Industry Reference:CVE-2002-0032, CAN-2003-0237, CAN-2002-0254, CVE-2002-0155, CAN-2003-0397, CAN-2002-0314;Protection Type:protection;Signature Info:^User-Agent[^I ]*:[^I ]*.*esb|ESB;Update Version:634182243;rule:26;rule_uid:{405CB782-3274-4D7F-8AAA-4FB24CE726A0};resource:http://dnl-02.geo.kaspersky.com/bases/av/kdb/i386/kdb-i386-1211g.xml.klz;reject_id:5accf7c4-10053-c00080a-c0000003;web_client_type:Other: *BcfBAAAAgCCAAEFBAAwQfKXVzrzGvyfPESboPxow0mHhxRLAXAQAAIAAKAA=;Attack Info:WSE0100001 header rejection pattern found in request;attack:Header Rejection;src:10.36.52.125;dst:94.75.236.122;proto:6;proxy_src_ip:10.36.52.125;product:SmartDefense;service:80;s_port:51642;FollowUp:Not Followed;product_family:Network


**Phase 1: Completed pre-decoding.
       full event: 'Apr 10 20:43:34 ngman Checkpoint: 10Apr2018 20:43:33 monitor 10.10.1.12  <bond0 Protection Name:Header Rejection;Severity:4;Confidence Level:4;protection_id:HttpHeaderRejection;SmartDefense Profile:SU2_Protection;Performance Impact:2;Industry Reference:CVE-2002-0032, CAN-2003-0237, CAN-2002-0254, CVE-2002-0155, CAN-2003-0397, CAN-2002-0314;Protection Type:protection;Signature Info:^User-Agent[^I ]*:[^I ]*.*esb|ESB;Update Version:634182243;rule:26;rule_uid:{405CB782-3274-4D7F-8AAA-4FB24CE726A0};resource:http://dnl-02.geo.kaspersky.com/bases/av/kdb/i386/kdb-i386-1211g.xml.klz;reject_id:5accf7c4-10053-c00080a-c0000003;web_client_type:Other: *BcfBAAAAgCCAAEFBAAwQfKXVzrzGvyfPESboPxow0mHhxRLAXAQAAIAAKAA=;Attack Info:WSE0100001 header rejection pattern found in request;attack:Header Rejection;src:10.36.52.125;dst:94.75.236.122;proto:6;proxy_src_ip:10.36.52.125;product:SmartDefense;service:80;s_port:51642;FollowUp:Not Followed;product_family:Network'
       timestamp: 'Apr 10 20:43:34'
       hostname: 'ngman'
       program_name: 'Checkpoint'
       log: '10Apr2018 20:43:33 monitor 10.10.1.12  <bond0 Protection Name:Header Rejection;Severity:4;Confidence Level:4;protection_id:HttpHeaderRejection;SmartDefense Profile:SU2_Protection;Performance Impact:2;Industry Reference:CVE-2002-0032, CAN-2003-0237, CAN-2002-0254, CVE-2002-0155, CAN-2003-0397, CAN-2002-0314;Protection Type:protection;Signature Info:^User-Agent[^I ]*:[^I ]*.*esb|ESB;Update Version:634182243;rule:26;rule_uid:{405CB782-3274-4D7F-8AAA-4FB24CE726A0};resource:http://dnl-02.geo.kaspersky.com/bases/av/kdb/i386/kdb-i386-1211g.xml.klz;reject_id:5accf7c4-10053-c00080a-c0000003;web_client_type:Other: *BcfBAAAAgCCAAEFBAAwQfKXVzrzGvyfPESboPxow0mHhxRLAXAQAAIAAKAA=;Attack Info:WSE0100001 header rejection pattern found in request;attack:Header Rejection;src:10.36.52.125;dst:94.75.236.122;proto:6;proxy_src_ip:10.36.52.125;product:SmartDefense;service:80;s_port:51642;FollowUp:Not Followed;product_family:Network'

**Phase 2: Completed decoding.
       decoder: 'checkpoint-syslog'
       extra_data: 'Header Rejection'
       srcip: '10.36.52.125'
       dstip: '94.75.236.122'
       protocol: '6'

**Phase 3: Completed filtering (rules).
       Rule id: '20100'
       Level: '8'
       Description: 'First time this IDS alert is generated.'
**Alert to be generated.

Kind regards,

Alfonso Ruiz-Bravo

@SitoRBJ
0050-checkpoint_decoders.xml updated
f35039a 
We have fixed two decoders, because they do not read well the formats of certain events depending on the blank spaces that could exist.
@SitoRBJ SitoRBJ mentioned this pull request Jul 10, 2018
Closed
@SitoRBJ SitoRBJ changed the base branch from master to 3.4 July 10, 2018 09:18
@SitoRBJ SitoRBJ changed the base branch from 3.4 to 3.7 September 12, 2018 09:38
This was referenced Mar 12, 2020
Closed
Merged
Closed
@joselopezrio joselopezrio mentioned this pull request Mar 12, 2020
Merged
@MiguelCasaresRobles
Copy link
Member

Hello @SitoRBJ ,

We made this PR to include your changes: #570

We are going to close this one.

Thank you for your collaboration.

@jcruzlp jcruzlp deleted the fix-issue-126 branch September 24, 2021 06:46
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@jesuslinares jesuslinares Awaiting requested review from jesuslinares

@migruiz4 migruiz4 Awaiting requested review from migruiz4

Assignees

@migruiz4 migruiz4

Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
3 participants
@SitoRBJ @MiguelCasaresRobles @migruiz4