wazuh/wazuh-ruleset

Wrong field value from checkpoint-smart1 decoder

kai-hier opened this issue · 1 comment

The Wazuh decoder in .../decoders/0051-checkpoint-smart1_decoders.xml has a bug that leads to superfluous characters being captured at the end of the data.src field in firewall alerts.

example log:

1 2024-02-29T10:00:11Z exmpl1 CheckPoint 16550 - [action:"Drop"; flags:"395524"; ifdir:"inbound"; ifname:"eth2"; logid:"0"; loguid:"{0x65e055ab,0x31,0x5a309d0a,0x205e40a6}"; origin:"10.153.80.232"; originsicname:"CN=gate12,O=exmpl1.exmpl.org"; sequencenum:"309"; time:"1709200811"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={F3273ADD-7286-9B43-AD60-1F4A66B9D489};mgmt=exmpl1;date=1708535299;policy_name=Firewall_Policy\]"; dst:"66.216.44.97"; inzone:"Internal"; layer_name:"Firewall_Policy Network"; layer_name:"DMZ1-Layer"; layer_uuid:"c31c259a-5772-888-9f1e-512857272be"; layer_uuid:"XXXXX-XXXX-XXXX-XXXXXXXXXX"; match_id:"36"; match_id:"33554540"; parent_rule:"0"; parent_rule:"36"; rule_action:"Inline"; rule_action:"Drop"; rule_name:"DMZ1"; rule_name:"DMZ1:BLOCKALL"; rule_uid:"10aa164e-30ec-4f51-8849-2b5ea44271dd"; rule_uid:"af93e949-86af-4b53-b23f-cbb21fbc0990"; outzone:"External"; product:"VPN & FireWall-1"; proto:"6"; s_port:"10099"; service:"443"; service_id:"https"; src:"10.10.10.10"]

decoder:

<decoder name="checkpoint-smart1">
  <parent>checkpoint-smart1</parent>
  <regex>src:"(\d*.\d*.\d*.\d*)";|(\.*)$</regex>
  <order>src</order>
</decoder>

becomes

field.name field.value
data.src "10.10.10.10"]

Solution

I am by no means an expert concerning regex, so the solution I provide should be handled with care, but at a glance it seems pretty trivial.

change to:

  <regex>src:"(\d*.\d*.\d*.\d*)";|(\.*)"]$</regex>

Wazuh manager 4.7.2 · Ubuntu 22.04 · Bug in default ruleset
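To make the reported failure mode concrete, and to check a correction against both positions the src field can occupy, here is an added example in Python; it is not code from the issue or from the wazuh-ruleset project. It does not run Wazuh's own regex engine (OS_Regex, where for instance `\.` means any character), so the two patterns are PCRE-style analogues of the reported decoder (an exact-match branch plus a catch-all "to end of line" branch) and of the proposed correction (the value must be followed by `;` or by the payload's closing `]`). The sample lines are constructed by cutting down the line quoted in the issue, the parse_fields helper and its field grammar are an assumption about the CheckPoint `key:"value"; ...` format, and is_clean_ipv4 is the sanity check a practitioner would run on the decoded value.

```python
import re
import ipaddress
from collections import defaultdict

# Constructed sample lines, cut down from the one quoted in the issue (addresses and
# host names are the issue's placeholders, not real systems). In SAMPLE_LAST the src
# field is the last key, so it is terminated by the payload's closing "]" instead of ";".
PREFIX = '1 2024-02-29T10:00:11Z exmpl1 CheckPoint 16550 - ['
SAMPLE_LAST = (PREFIX + 'action:"Drop"; ifdir:"inbound"; '
    r'__policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={F3273ADD-7286-9B43-AD60-1F4A66B9D489};mgmt=exmpl1;policy_name=Firewall_Policy\]"; '
    'dst:"66.216.44.97"; layer_name:"Firewall_Policy Network"; layer_name:"DMZ1-Layer"; '
    'proto:"6"; s_port:"10099"; service:"443"; src:"10.10.10.10"]')
SAMPLE_MID = (PREFIX + 'action:"Drop"; src:"10.10.10.10"; dst:"66.216.44.97"; '
    'proto:"6"; s_port:"10099"; service:"443"]')

# Analogue of the reported decoder: first branch needs a ";" after the value, the
# fallback branch swallows everything up to end of line, closing quote and "]" included.
NAIVE_SRC = re.compile(r'src:"(\d{1,3}(?:\.\d{1,3}){3})";|src:"(.*)$')
# Analogue of the proposed fix: the value must end at its closing quote, which is
# followed either by ";" (field in the middle) or by the final "]" (last field).
FIXED_SRC = re.compile(r'src:"(\d{1,3}(?:\.\d{1,3}){3})"(?:;|\]$)')


def extract_src(line, pattern):
    """Return the src value captured by the first non-empty group, or None."""
    m = pattern.search(line)
    if not m:
        return None
    return next(g for g in m.groups() if g is not None)


def is_clean_ipv4(value):
    """The check a practitioner wants on a decoded address: does it parse as one?"""
    try:
        ipaddress.IPv4Address(value)
        return True
    except ValueError:          # AddressValueError is a ValueError subclass
        return False


# Assumed grammar for one CheckPoint key:"value" pair. Values may contain ";" and "["
# (see __policy_id_tag above) and a backslash escapes the next character, so a value
# is read up to its closing quote rather than by splitting the payload on ";".
FIELD = re.compile(r'(\w+):"((?:[^"\\]|\\.)*)"')


def parse_fields(line):
    """Return {key: [values, ...]}; lists because CheckPoint repeats keys per layer."""
    payload = line[line.index('[') + 1:line.rindex(']')]
    fields = defaultdict(list)
    for key, value in FIELD.findall(payload):
        fields[key].append(value)
    return dict(fields)


if __name__ == '__main__':
    for name, line in (('last', SAMPLE_LAST), ('mid', SAMPLE_MID)):
        for label, pat in (('naive', NAIVE_SRC), ('fixed', FIXED_SRC)):
            v = extract_src(line, pat)
            print(f'{name:4} {label:5} src={v!r} valid_ipv4={is_clean_ipv4(v)}')
    print(parse_fields(SAMPLE_LAST)['layer_name'])
```

The naive pattern yields `10.10.10.10"]` when src is the last field and a clean address when it is not, which is exactly the asymmetry the issue reports; the fixed pattern yields the clean address in both positions. Because the stray quote and bracket make the value fail as an IP address, anything downstream that compares the field as an address (CDB lists, rule conditions) silently stops matching, so the sanity check is worth keeping. The authoritative test remains feeding the original line to /var/ossec/bin/wazuh-logtest on a manager carrying the changed decoder and confirming that data.src no longer ends in `"]`.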

edit typo 🤷