wazuh / wazuh

Wazuh - The Open Source Security Platform. Unified XDR and SIEM protection for endpoints and cloud workloads.
https://wazuh.com/

watchguard firebox support #10122

Open deajan opened 2 years ago

deajan commented 2 years ago

Description

I've written a fairly complex decoder & ruleset for Watchguard firewalls, according to the watchguard log catalog available here

Was tested on a couple of firewalls, and should:

All provided example logs are anonymized. Please note that until Wazuh 4.2.1 is released, the 'NO_VERBOSE' variable won't work because of https://github.com/wazuh/wazuh/issues/9276

Note this is my first ruleset for Wazuh, so I have chosen an arbitrary ID range that isn't in use. Comments are welcome ;)

Greetz.

Tests

deajan commented 2 years ago

Anyone ?

deajan commented 2 years ago

Any news ? Something to improve on my side ?

deajan commented 1 year ago

It's been roughly a year since I made this PR, which is in production on multiple wazuh instances. Is there anything I did not do correctly for it not to be merged since then ?

deajan commented 1 year ago

Can ANYBODY tell me perhaps why TF this PR didn't get any attention please ?

allexBR commented 1 year ago

Hi friend, in the latest version of Wazuh (4.3.8) there already exists a rule file with the same code '0925' (0925-eset-remote-rules.xml).

The file with the custom rule for WatchGuard that you created has the name 0925-watchguard-firebox-rules.xml. I changed the file name to code '0930' such as 0930-watchguard-firebox-rules.xml. Can this cause any conflict?

Best regards, Allex.

allexBR commented 1 year ago

Hi,

Could you advise me where I should put this? I mainly copied the decoder into /var/ossec/etc/decoders/local_decoder.xml and the rules into /var/ossec/etc/rules/local_rules.xml,

but it still did not appear in Wazuh Discover.

Hi guy,

You will need to make the following changes on the Wazuh-manager side.

File Path: the files should be created here

/var/ossec/ruleset/decoders/0570-watchguard-firebox_decoders.xml

/var/ossec/ruleset/rules/0925-watchguard-firebox-rules.xml

NOTE: I renamed the file '0925-watchguard-firebox-rules.xml' to 0930-watchguard-firebox-rules.xml, but I don't know if this is necessary.

Permissions: this is also necessary

chown root:wazuh /var/ossec/ruleset/decoders/0570-watchguard-firebox_decoders.xml
chmod 640 /var/ossec/ruleset/decoders/0570-watchguard-firebox_decoders.xml

chown root:wazuh /var/ossec/ruleset/rules/0930-watchguard-firebox-rules.xml
chmod 640 /var/ossec/ruleset/rules/0930-watchguard-firebox-rules.xml

ossec.conf: /var/ossec/etc/ossec.conf


Restart Wazuh

sudo systemctl restart wazuh-manager


Best regards, Allex.

deajan commented 1 year ago

@allexBR The numbering scheme of the rule files isn't important, as long as they don't overlap. I've updated the numbering scheme since the ESET ruleset was added after I made this PR.

deajan commented 1 year ago

Just checked, rule IDs of this ruleset still look unique, so no need to refactor here.

deajan commented 1 year ago

@allexBR @k4lek Did you succeed using the rules ?

allexBR commented 1 year ago

Hi @deajan, right now I'm waiting for the log sending setup to finish in the WatchGuard box on the client side. I'll bring news soon.

k4lek commented 1 year ago

@allexBR @k4lek Did you succeed using the rules ?

Hi Deajan,

Apologies, I didn't notice your email. I'm not sure whether my configuration is correct, because I'm using an agent as a middle man to collect the WatchGuard log (using Logstash on a Windows machine). So far I didn't get any logs in Wazuh Discover.

deajan commented 1 year ago

@k4lek Why don't you configure your watchguard by adding another SYSLOG server, being wazuh itself ?

k4lek commented 1 year ago


Hi Deajan,

Apologies for the late reply. I was using one of my agents to collect the syslog. It is a Windows machine and I'm using Logstash to forward the syslog to the Wazuh manager. I don't know how to check the watchguard log because from the wazuh manager

this is the setting from my agent:

syslog C:\logstash\logs\watchguard.log

where should I proceed after this?

deajan commented 1 year ago

@k4lek Sorry, I really don't understand what you mean here.

@allexBR Any news ?

allexBR commented 1 year ago

Hi @deajan, sorry for the delay in responding. The client's Watchguard firewall has been successfully configured to send syslog to Wazuh. I looked in the file /var/ossec/logs/archives/archives.json and saw that the logs are coming in. However, so far I cannot see anything inside the Wazuh web GUI.


deajan commented 1 year ago

@allexBR Thanks for the feedback. Have you searched for the rules ID, or keyword watchguard in the UI ?

I'd still need a couple of log lines in order to see if the decoder regex catch them. I'm pretty confident since I've used that decoder on both FireboxV and physical units. Also, can you give me the system info of the Watchguard box that produces those logs ?

allexBR commented 1 year ago

Hi @deajan, I bring great news about your Wazuh decoder. Right now the decoder and rules are working fine and the WatchGuard device information is being displayed in the Wazuh UI, but some changes needed to be made:

  1. If the device name is out of standard, a prematch decoder error will be displayed.
  2. It was necessary to add support for both " and \" in the decoder msg_id field. Example: msg_id="XXXX-XXXX" and msg_id=\"XXXX-XXXX\"
  3. It was necessary to change the IDs of the rules in ruleset/rules/0930-watchguard-firebox-rules.xml because they were conflicting with existing rule IDs in Wazuh.


Best regards, Allex.

deajan commented 1 year ago

Hi Allex, great news. Would you mind sharing the regex mods you made ?

deajan commented 1 year ago

@allexBR: So can you share your improvements so I update this PR ?

allexBR commented 1 year ago

Hi @deajan , sorry it took me so long to reply.

So, here are the changes that were made in the files:


I hope I've helped.

Best regards, Allex.

deajan commented 1 year ago

@allexBR Thank you, although a diff would have been nice ;) I don't understand why you added 'XXXXXX' as a possible device identification since I'm pretty sure Watchguard would use a 3 letter code instead. Can you confirm?

Wazuh team, it's been a long time since I created that ruleset. Rule filenames and rule ids already have been changed once. I am willing to change them again so this can be merged again, but is there at least a chance to get this PR merged ?

@davidjiglesias sorry if I tag you here, but I'd love to know whether this can be merged, if so I pledge to update rule ids once again for them not to overlap with existing ones.

jcolaco82 commented 1 year ago

Hi @deajan great job! But as @allexBR said before, I'm having some issues and maybe it's related to the backslashes "\".

In my case I am getting the Watchguard logs but they are not showing up in the Wazuh dashboard.


As you can see, phase 3 never works.

Log entry:

Jan 19 16:34:14 FW-001 D0F0000000000 firewall: msg_id=\"3000-0148\" Allow CONV Net 60 tcp 20 63 192.168.2.18 69.13.51.98 49068 443 offset 10 S 2774911737 win 65535 geo_dst=\"USA\" src_user=\"iu16q1\" route_type=\"SD-WAN\" (Allow Hotspot-Users-00)

I've tried modifying the code, but still haven't found the solution.

deajan commented 1 year ago

@jcolaco82 What I see is only a couple of data missing, being geo_dst, src_user and route_type. Can you modify the decoder to add \\? before and after those fields, in order to allow decoding them properly in phase 2 ?

jcolaco82 commented 1 year ago

Hi @deajan, I found the problem. In my case the rules were conflicting with existing rules.

0910-ms-exchange-proxylogon_rules.xml -> Microsoft Exchange IDs: 91000 - 91008

Since I don't use this service, I just removed this file, but it might be better to change the IDs.

deajan commented 1 year ago

@jcolaco82 Thanks for reporting back. I've already changed the rule ids, and I'm quite fed up of doing so to be fair. I will update once more, in hope this finally gets merged after all.
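The rule ID clash reported above (and the 0925 filename clash earlier in the thread) is the kind of thing that is easy to check before restarting the manager. The script below is an added example, not part of this PR or of Wazuh's own tooling: it collects every `<rule id="...">` from a set of rule files, reports IDs declared more than once, and finds the first unused run of IDs inside the 100000-120000 window Wazuh documents for custom rules. The two rule files embedded in it are constructed placeholders modelled on the 91000 clash, not the real contents of either file; `load_rule_files` is the hypothetical helper you would point at `/var/ossec/ruleset/rules` and `/var/ossec/etc/rules` on a manager.

```python
import re
from collections import defaultdict
from pathlib import Path
from typing import Dict, Iterable, List, Optional, Set

# Constructed, simplified rule files modelled on the clash reported in this thread: a custom
# Firebox ruleset reusing an ID from the 91000-91008 block of the shipped Exchange rules.
# Descriptions are placeholders, not the real rule contents.
SAMPLE_FILES: Dict[str, str] = {
    '0910-ms-exchange-proxylogon_rules.xml': """
<group name="exchange,">
  <rule id="91000" level="0">
    <description>placeholder: Exchange events grouped</description>
  </rule>
  <rule id="91001" level="12">
    <if_sid>91000</if_sid>
    <description>placeholder: Exchange alert</description>
  </rule>
</group>
""",
    '0930-watchguard-firebox-rules.xml': """
<group name="watchguard,firebox,">
  <rule id="91000" level="0">
    <decoded_as>watchguard-firebox</decoded_as>
    <description>placeholder: Firebox events grouped</description>
  </rule>
  <!-- <rule id="91001" level="3"> commented out, must not be counted </rule> -->
  <rule id="91002" level="3">
    <if_sid>91000</if_sid>
    <description>placeholder: Firebox traffic allowed</description>
  </rule>
</group>
""",
}

COMMENT_RE = re.compile(r'<!--.*?-->', re.S)
RULE_ID_RE = re.compile(r'<rule\b[^>]*\bid="(\d+)"')


def rule_ids_in(xml_text: str) -> List[int]:
    """All <rule id="..."> values in one file, ignoring commented-out rules.

    A regex is used deliberately: Wazuh rule files may contain several <group>
    roots, which a strict XML parser rejects as malformed.
    """
    return [int(i) for i in RULE_ID_RE.findall(COMMENT_RE.sub('', xml_text))]


def find_duplicates(files: Dict[str, str]) -> Dict[int, List[str]]:
    """Map each rule ID declared more than once to the files declaring it."""
    seen: Dict[int, List[str]] = defaultdict(list)
    for name, text in files.items():
        for rid in rule_ids_in(text):
            seen[rid].append(name)
    return {rid: names for rid, names in seen.items() if len(names) > 1}


def first_free_block(used: Set[int], size: int, lo: int = 100000, hi: int = 120000) -> Optional[int]:
    """Start of the first run of `size` unused IDs inside [lo, hi], or None.

    The default window is the range Wazuh documents for custom rules.
    """
    start = lo
    while start + size - 1 <= hi:
        clash = next((i for i in range(start, start + size) if i in used), None)
        if clash is None:
            return start
        start = clash + 1
    return None


def load_rule_files(dirs: Iterable[str]) -> Dict[str, str]:
    """Read every *.xml under the given directories (hypothetical helper; on a
    manager pass the shipped /var/ossec/ruleset/rules and the local /var/ossec/etc/rules)."""
    files: Dict[str, str] = {}
    for d in dirs:
        for p in sorted(Path(d).glob('*.xml')):
            files[str(p)] = p.read_text(errors='replace')
    return files


def report(files: Dict[str, str]):
    """Print clashes and return (duplicates, set of all used IDs)."""
    dups = find_duplicates(files)
    for rid, names in sorted(dups.items()):
        print(f'rule id {rid} declared in: {", ".join(names)}')
    used = {rid for text in files.values() for rid in rule_ids_in(text)}
    return dups, used


if __name__ == '__main__':
    dups, used = report(SAMPLE_FILES)
    print('first free block of 50 custom IDs:', first_free_block(used, 50))
```

Run it against both rule directories on the manager before a restart; a non-empty duplicate map is exactly what produces the "rule ID conflict" failures and the broken rules page several people in this thread hit.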

kabutosan commented 1 year ago

Looks great... but, I'm having issues with a more recent appliance - T80:

2023 Mar 21 11:55:28 F4CK-FW->10.0.1.1 Mar 21 11:55:28 F4CK-FW firewall: msg_id="3000-0151" Allow External External tcp 192.168.114.1 13.107.138.8 56841 443 geo_dst="USA" src_user="myuser@Firebox-DB" duration="66" sent_bytes="2169" rcvd_bytes="6486" (Allow IKEv2-Users)


Doesn't work...
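The two log lines quoted in this thread show the two shapes the decoder has to survive: one with backslash-escaped quotes (`msg_id=\"3000-0148\"`) and a 13-character serial after the hostname, and one relayed with a `date host->ip` prefix, plain quotes and no serial. Below is an added example, not code from this PR and not Wazuh decoder syntax: a small Python parser that anchors on the fixed `firewall: msg_id=` marker instead of a hostname or serial-prefix pattern, accepts both quote styles with `\\?"`, and pulls the flow tuple and `key="value"` attributes out. Python `re` is a stand-in for Wazuh's own OS_Regex dialect, so the patterns have to be translated when moved into the XML; the point is to validate field extraction against captured lines before touching the decoder. The sample lines are constructed from the ones quoted above, and the assumption that serials are 13 uppercase alphanumerics comes only from the serial seen in the thread.

```python
import re
from typing import Optional

# Constructed sample lines, copied from the two line shapes quoted in this thread. The
# first carries escaped quotes (msg_id=\"...\") and a serial after the hostname; the
# second is a relayed line with a "date host->ip" prefix, plain quotes and no serial.
SAMPLE_LINES = [
    r'Jan 19 16:34:14 FW-001 D0F0000000000 firewall: msg_id=\"3000-0148\" Allow CONV Net 60 tcp 20 63 '
    r'192.168.2.18 69.13.51.98 49068 443 offset 10 S 2774911737 win 65535 geo_dst=\"USA\" '
    r'src_user=\"iu16q1\" route_type=\"SD-WAN\" (Allow Hotspot-Users-00)',
    '2023 Mar 21 11:55:28 F4CK-FW->10.0.1.1 Mar 21 11:55:28 F4CK-FW firewall: msg_id="3000-0151" '
    'Allow External External tcp 192.168.114.1 13.107.138.8 56841 443 geo_dst="USA" '
    'src_user="myuser@Firebox-DB" duration="66" sent_bytes="2169" rcvd_bytes="6486" (Allow IKEv2-Users)',
]

# Header: hostname, an optional serial matched by shape (assumed 13 uppercase alphanumerics,
# as in the line above; not a model-specific prefix), then the fixed "firewall: msg_id="
# anchor. Anchoring here rather than on a hostname pattern is what keeps a renamed box or a
# newer model from failing the prematch. \\?" accepts a plain or a backslash-escaped quote.
HEADER_RE = re.compile(
    r'(?P<host>\S+)(?:\s+(?P<serial>[0-9A-Z]{13}))?\s+firewall:\s+'
    r'msg_id=\\?"(?P<msg_id>[0-9A-F]{4}-[0-9A-F]{4})\\?"\s*(?P<body>.*)$'
)
# key="value" attributes, with or without the backslash escaping some relays add.
KV_RE = re.compile(r'(\w+)=\\?"([^"\\]*)\\?"')
# Flow tuple: src_ip dst_ip src_port dst_port (the optional length/ttl numbers between
# the protocol and the addresses in the first format are simply skipped).
FLOW_RE = re.compile(r'(\d{1,3}(?:\.\d{1,3}){3})\s+(\d{1,3}(?:\.\d{1,3}){3})\s+(\d+)\s+(\d+)')
PROTO_RE = re.compile(r'\b(tcp|udp|icmp|gre|esp|ah)\b')
# Trailing "(policy name)".
POLICY_RE = re.compile(r'\(([^()]*)\)\s*$')


def parse_firebox_line(line: str) -> Optional[dict]:
    """Return a flat dict of decoded fields, or None when the prematch fails."""
    m = HEADER_RE.search(line)
    if m is None:
        return None  # not a Firebox traffic line: equivalent of a failed prematch
    body = m.group('body')
    tokens = body.split()
    event = {
        'host': m.group('host'),
        'serial': m.group('serial'),
        'msg_id': m.group('msg_id'),
        'action': tokens[0] if tokens else None,
        'src_ifc': tokens[1] if len(tokens) > 2 else None,
        'dst_ifc': tokens[2] if len(tokens) > 2 else None,
        'proto': None, 'src_ip': None, 'dst_ip': None,
        'src_port': None, 'dst_port': None, 'policy': None,
    }
    proto = PROTO_RE.search(body)
    if proto:
        event['proto'] = proto.group(1)
    flow = FLOW_RE.search(body)
    if flow:
        event['src_ip'], event['dst_ip'] = flow.group(1), flow.group(2)
        event['src_port'], event['dst_port'] = int(flow.group(3)), int(flow.group(4))
    policy = POLICY_RE.search(body)
    if policy:
        event['policy'] = policy.group(1)
    # Attributes such as geo_dst, src_user, route_type, duration, sent_bytes, rcvd_bytes.
    for key, value in KV_RE.findall(body):
        event[key] = value
    return event


if __name__ == '__main__':
    for sample in SAMPLE_LINES:
        print(parse_firebox_line(sample))
```

Feed it a few hundred lines from archives.json and count the `None` results: every one is a line the real decoder's prematch would also drop, and the quickest way to see which header variant a new appliance emits.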

havanaRock commented 1 year ago

Hi fellas, I hope you can help me. I have a WG T35; logs are coming into the Wazuh server (I can see logs in archive.log). I installed the decoder and the rules you wrote for WG (changed IDs to 100000-100500) but it is still not working. I also modified the Wazuh config file like

1 12

Now I can see logs when I search in "discover" but the decoder/rules are not working. Another issue I have is that when the rules are in etc/rules, if you try to search for rules in the manager it pops this error:

Error: 3013 - Wazuh Internal Error
at createError (https://10.1.254.X/44101/bundles/plugin/wazuh/wazuh.plugin.js:2:28658)
at settle (https://10.1.254.X/44101/bundles/plugin/wazuh/wazuh.plugin.js:8:19613)
at XMLHttpRequest.onloadend (https://10.1.254.X/44101/bundles/plugin/wazuh/wazuh.plugin.js:2:26451)

any advice pls

crossmxn commented 9 months ago

@allexBR

I'm trying to forward the logs of a Firebox M470 to Wazuh...

I just added the decoder and the rules, applying the permissions you mentioned... I also deleted the 0750-github_rules and 0910-ms-exchange-proxylogon_rules which were causing trouble with duplicated IDs, but I'm not seeing the firewall events on my Wazuh dashboard, nor in the /var/ossec/logs/archives/archives.json file...


If I do a tcpdump on the Wazuh Server I see that syslog traffic is coming in:


is there anything I am missing? should I disable the timestamps and serial number info from the Watchguard syslog options?

or do I need to install an agent to the wazuh server for the logs to be ingested?

thanks to everyone for the work being done here

WildArne commented 7 months ago

Hello guys,

Does someone have a solution for the problem? I also get data from the firebox in the archives.json file but nothing in the web UI..

Also when I have the rule loaded in the folder I get the same error as @havanaRock on the rules page.

deajan commented 7 months ago

I've done this PR in 2021 when I used watchguard firewalls. I don't use them anymore in my workplace. To be honest, I've asked for more than one year a review or even a simple comment by wazuh team, without any response. Since then, there were probably some changes in wazuh/watchguard, and the PR probably will need a bit of love again.

I've decided to not contribute anymore to this, since I never got any answer from wazuh team, and don't have the nerves to lose more time.

havanaRock commented 7 months ago

understand, and agree with your decision

peace and love jc



supremesyntax commented 7 months ago

@deajan thank you for your continuous effort, and shame on wazuh for not even commenting on this in over 2 years. I had to add another serial prefix for a newer model in the decoder and change the rule ID range because we are using this range somewhere else apparently. Other than that it works like a charm!

deajan commented 7 months ago

@supremesyntax Thanks for the kind words. Maybe you could fork my work and make a new PR. Since I made this one, the wazuh workflow changed and now there is a "Ready for review" button which I obviously won't press since the PR now requires updates.

Best regards.