
Add decoder support for ufw firewall #7100

Merged: 2 commits merged into master from 7061-ruleset-kernel-ufw-support on Jan 15, 2021

Conversation

jnasselle (Member)

Related issue
Closes #7061

Description

Hi team!

This PR aims to add decoder support for UFW - Uncomplicated Firewall (Ubuntu's default firewall) and its log format.

Logs/Alerts example

/var/ossec/bin/wazuh-logtest
Starting wazuh-logtest v4.2.0
Type one log per line

Feb  4 23:33:37 hostname kernel: [ 3529.289825] [UFW BLOCK] IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:cc:dd SRC=444.333.222.111 DST=111.222.333.444 LEN=103 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=UDP SPT=53 DPT=36427 LEN=83

**Phase 1: Completed pre-decoding.
        full event: 'Feb  4 23:33:37 hostname kernel: [ 3529.289825] [UFW BLOCK] IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:cc:dd SRC=444.333.222.111 DST=111.222.333.444 LEN=103 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=UDP SPT=53 DPT=36427 LEN=83'
        timestamp: 'Feb  4 23:33:37'
        hostname: 'hostname'
        program_name: 'kernel'

**Phase 2: Completed decoding.
        name: 'kernel'
        parent: 'kernel'
        action: 'UFW BLOCK'
        dstip: '111.222.333.444'
        dstport: '36427'
        protocol: 'UDP'
        srcip: '444.333.222.111'
        srcport: '53'

**Phase 3: Completed filtering (rules).
        id: '4100'
        level: '0'
        description: 'Firewall rules grouped.'
        groups: '['firewall']'
        firedtimes: '1'

Tests

  • Ruleset unit test (runtests.py)

Regards,
Nico

@jnasselle jnasselle added the feed label Jan 5, 2021
@jnasselle jnasselle self-assigned this Jan 5, 2021
@jnasselle jnasselle force-pushed the 7061-ruleset-kernel-ufw-support branch from c8f891e to b84113f on January 5, 2021 13:54
@juliancnn (Member)

LGTM!

@juliancnn (Member)

Maybe add more log examples, such as the audit log:

Sep 20 15:52:00 managerHost kernel: [ 2870.303541] [UFW AUDIT] IN= OUT=ppp0 SRC=117.197.243.67 DST=218.248.255.163 LEN=62 TOS=0x00 PREC=0x00 TTL=64 ID=52751 DF PROTO=UDP SPT=57548 DPT=53 LEN=42
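As an added example (not code from this PR or from the Wazuh ruleset), the following Python parser extracts from UFW kernel lines the same fields the wazuh-logtest output in the description reports (action, srcip, dstip, srcport, dstport, protocol). It is run over the BLOCK line from the description and the AUDIT line quoted in this comment, plus two constructed lines that cover the edge cases a decoder has to survive: an ICMP block that carries TYPE/CODE instead of ports, and a kernel message that is not UFW at all. The regexes, the helper names, the extra in_iface/out_iface fields and the blocked_sources aggregation are this example's own assumptions, not the project's decoder logic.

```python
"""Parse UFW kernel log lines into the fields shown in the logtest output.

Added example: not code from this PR or from the Wazuh ruleset. Field names
mirror the decoder output quoted in the PR description; the regexes and the
helper names are this example's own assumptions.
"""
import re
from collections import Counter
from typing import Dict, List, Optional

# Syslog-style kernel line: "<Mon dd HH:MM:SS> <host> kernel: <message>".
SYSLOG_RE = re.compile(
    r"^(?P<timestamp>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<hostname>\S+) "
    r"(?P<program_name>[^\s:\[]+)(?:\[\d+\])?: "
    r"(?P<message>.*)$"
)

# UFW message: optional printk uptime "[ 3529.289825]", then "[UFW <ACTION>]",
# then space-separated KEY=VALUE tokens (and bare flags such as DF).
UFW_RE = re.compile(r"^(?:\[\s*\d+\.\d+\]\s+)?\[UFW (?P<action>[A-Z ]+)\]\s+(?P<fields>.*)$")


def _parse_kv(fields: str) -> Dict[str, str]:
    """Turn 'IN=eth0 OUT= ... DF PROTO=UDP SPT=53 DPT=36427 LEN=83' into a dict.

    Bare tokens (DF, MF) are flags and get the value "set". A key that repeats,
    like the second LEN (UDP length after the IP length) or the second ID on
    ICMP lines, is kept as KEY_2 instead of overwriting the first value.
    """
    out: Dict[str, str] = {}
    for token in fields.split():
        key, value = token.split("=", 1) if "=" in token else (token, "set")
        base, n = key, 1
        while key in out:
            n += 1
            key = f"{base}_{n}"
        out[key] = value
    return out


def decode_ufw(line: str) -> Optional[Dict[str, str]]:
    """Return the decoded fields for a UFW kernel line, or None for anything else."""
    m = SYSLOG_RE.match(line)
    if not m or m.group("program_name") != "kernel":
        return None
    u = UFW_RE.match(m.group("message"))
    if not u:
        return None
    kv = _parse_kv(u.group("fields"))
    decoded = {
        "timestamp": m.group("timestamp"),
        "hostname": m.group("hostname"),
        "program_name": "kernel",
        "action": "UFW " + u.group("action"),
        "srcip": kv.get("SRC", ""),
        "dstip": kv.get("DST", ""),
        "protocol": kv.get("PROTO", ""),
        "in_iface": kv.get("IN", ""),   # empty on egress lines (OUT=ppp0), as in the AUDIT example
        "out_iface": kv.get("OUT", ""),
    }
    # ICMP lines carry TYPE/CODE instead of SPT/DPT, so ports are only set when present.
    if "SPT" in kv:
        decoded["srcport"] = kv["SPT"]
    if "DPT" in kv:
        decoded["dstport"] = kv["DPT"]
    return decoded


def blocked_sources(lines: List[str]) -> Counter:
    """Count [UFW BLOCK] events per source IP; lines that do not decode are skipped."""
    counts: Counter = Counter()
    for line in lines:
        d = decode_ufw(line)
        if d and d["action"] == "UFW BLOCK":
            counts[d["srcip"]] += 1
    return counts


# Sample input, constructed for this example: the two lines quoted in the PR
# thread plus a constructed ICMP block and an unrelated kernel message.
SAMPLE_LINES = [
    "Feb  4 23:33:37 hostname kernel: [ 3529.289825] [UFW BLOCK] IN=eth0 OUT= "
    "MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:cc:dd SRC=444.333.222.111 DST=111.222.333.444 "
    "LEN=103 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=UDP SPT=53 DPT=36427 LEN=83",
    "Sep 20 15:52:00 managerHost kernel: [ 2870.303541] [UFW AUDIT] IN= OUT=ppp0 "
    "SRC=117.197.243.67 DST=218.248.255.163 LEN=62 TOS=0x00 PREC=0x00 TTL=64 ID=52751 DF "
    "PROTO=UDP SPT=57548 DPT=53 LEN=42",
    "Feb  4 23:35:01 hostname kernel: [ 3613.104211] [UFW BLOCK] IN=eth0 OUT= "
    "MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:cc:dd SRC=10.0.0.5 DST=10.0.0.1 LEN=84 "
    "TOS=0x00 PREC=0x00 TTL=64 ID=4242 DF PROTO=ICMP TYPE=8 CODE=0 ID=9 SEQ=1",
    "Feb  4 23:36:12 hostname kernel: [ 3684.220019] usb 1-1: new high-speed USB device number 2 using xhci_hcd",
]

if __name__ == "__main__":
    for sample in SAMPLE_LINES:
        print(decode_ufw(sample))
    print(blocked_sources(SAMPLE_LINES))
```

The two-stage match (syslog header first, UFW prefix second) mirrors the pre-decoding and decoding phases in the logtest output, and keeping repeated keys as LEN_2 / ID_2 rather than overwriting them is what makes the IP-level values (the ones a firewall rule would key on) survive the second LEN of UDP and the second ID of ICMP.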

@Lopuiz Lopuiz self-requested a review January 11, 2021 15:48
@JcabreraC JcabreraC self-requested a review January 11, 2021 16:12
@jnasselle (Member, Author)

Testing

./runtests.py
- [ File = ./tests/sudo.ini ] ---------
........

- [ File = ./tests/nextcloud.ini ] ---------
.......

- [ File = ./tests/su.ini ] ---------
.....

- [ File = ./tests/openvpn_ldap.ini ] ---------
..

- [ File = ./tests/apache.ini ] ---------
............

- [ File = ./tests/syslog.ini ] ---------
......

- [ File = ./tests/postfix.ini ] ---------
..

- [ File = ./tests/pam.ini ] ---------
.....

- [ File = ./tests/checkpoint_smart1.ini ] ---------
..................

- [ File = ./tests/SonicWall.ini ] ---------
........

- [ File = ./tests/firewalld.ini ] ---------
..

- [ File = ./tests/mcafee_epo.ini ] ---------
.

- [ File = ./tests/cisco_ios.ini ] ---------
.....

- [ File = ./tests/iptables.ini ] ---------
........

- [ File = ./tests/apparmor.ini ] ---------
.....

- [ File = ./tests/squid_rules.ini ] ---------
..

- [ File = ./tests/oscap.ini ] ---------
................................

- [ File = ./tests/macos-sshd.ini ] ---------
.....................

- [ File = ./tests/exim.ini ] ---------
.....

- [ File = ./tests/panda_paps.ini ] ---------
........

- [ File = ./tests/sysmon.ini ] ---------
...

- [ File = ./tests/systemd.ini ] ---------
..

- [ File = ./tests/opensmtpd.ini ] ---------
.......

- [ File = ./tests/cimserver.ini ] ---------
..

- [ File = ./tests/cpanel.ini ] ---------
.......

- [ File = ./tests/netscreen.ini ] ---------
....

- [ File = ./tests/web_rules.ini ] ---------
.....

- [ File = ./tests/sshd.ini ] ---------
...........................

- [ File = ./tests/paloalto.ini ] ---------
....

- [ File = ./tests/owlh.ini ] ---------
....

- [ File = ./tests/nginx.ini ] ---------
............

- [ File = ./tests/modsecurity.ini ] ---------
......

- [ File = ./tests/vsftpd.ini ] ---------
....

- [ File = ./tests/cisco_asa.ini ] ---------
.......................................................................................

- [ File = ./tests/rsh.ini ] ---------
..

- [ File = ./tests/dovecot.ini ] ---------
...............

- [ File = ./tests/ossec.ini ] ---------
.....

- [ File = ./tests/unbound.ini ] ---------


- [ File = ./tests/mailscanner.ini ] ---------
.

- [ File = ./tests/junos.ini ] ---------
...

- [ File = ./tests/samba.ini ] ---------
....

- [ File = ./tests/named.ini ] ---------
.....

- [ File = ./tests/web_appsec.ini ] ---------
...............................

- [ File = ./tests/proftpd.ini ] ---------
.......

- [ File = ./tests/doas.ini ] ---------
....

@vikman90 vikman90 merged commit a7bda99 into master Jan 15, 2021
@vikman90 vikman90 deleted the 7061-ruleset-kernel-ufw-support branch January 15, 2021 11:26
Successfully merging this pull request may close these issues.

Kernel decoders defect
5 participants