Wrong field value from checkpoint-smart1 decoder
kai-hier opened this issue · 1 comments
kai-hier commented
The Wazuh decoder in .../decoders/0051-checkpoint-smart1_decoders.xml has a bug which leads to the capturing of superfluous characters at the end of the data.src field in firewall alerts.
Example log:
1 2024-02-29T10:00:11Z exmpl1 CheckPoint 16550 - [action:"Drop"; flags:"395524"; ifdir:"inbound"; ifname:"eth2"; logid:"0"; loguid:"{0x65e055ab,0x31,0x5a309d0a,0x205e40a6}"; origin:"10.153.80.232"; originsicname:"CN=gate12,O=exmpl1.exmpl.org"; sequencenum:"309"; time:"1709200811"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={F3273ADD-7286-9B43-AD60-1F4A66B9D489};mgmt=exmpl1;date=1708535299;policy_name=Firewall_Policy\]"; dst:"66.216.44.97"; inzone:"Internal"; layer_name:"Firewall_Policy Network"; layer_name:"DMZ1-Layer"; layer_uuid:"c31c259a-5772-888-9f1e-512857272be"; layer_uuid:"XXXXX-XXXX-XXXX-XXXXXXXXXX"; match_id:"36"; match_id:"33554540"; parent_rule:"0"; parent_rule:"36"; rule_action:"Inline"; rule_action:"Drop"; rule_name:"DMZ1"; rule_name:"DMZ1:BLOCKALL"; rule_uid:"10aa164e-30ec-4f51-8849-2b5ea44271dd"; rule_uid:"af93e949-86af-4b53-b23f-cbb21fbc0990"; outzone:"External"; product:"VPN & FireWall-1"; proto:"6"; s_port:"10099"; service:"443"; service_id:"https"; src:"10.10.10.10"]
Decoder:

```xml
<decoder name="checkpoint-smart1">
  <parent>checkpoint-smart1</parent>
  <regex>src:"(\d*.\d*.\d*.\d*)";|(\.*)$</regex>
  <order>src</order>
</decoder>
```

becomes:
| field.name | field.value |
|---|---|
| data.src | `"10.10.10.10"]` |
Solution
I am by no means an expert concerning regex, so the solution I provide should be handled with care, but at a glance it seems pretty trivial.
Change to:

```xml
<regex>src:"(\d*.\d*.\d*.\d*)";|(\.*)"]$</regex>
```
| Wazuh-manager 4.7.2 | Ubuntu 22.04 | Bug in default Ruleset |
|---|---|---|
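The following is an added example, not code from the Wazuh ruleset or from the issue author: a small Python reference parser for the Check Point `key:"value";` payload that yields the bare `src` address (what data.src should hold), together with a sanity check that rejects the `"10.10.10.10"]` value the reported decoder produces. It assumes the log shape shown above; the sample line is constructed from the placeholder values in the report, and the function names (`parse_checkpoint_fields`, `src_address`, `is_clean_address`) are hypothetical. Unlike the decoder's regex, it strips the closing `]` structurally before reading any field, and it keeps repeated keys (`layer_name`, `rule_action`) as lists so none is lost.

```python
from __future__ import annotations

import ipaddress
import re

# Constructed sample in the shape of the Check Point syslog line from the report.
# Hostnames and addresses are placeholders copied from the issue, not real hosts.
SAMPLE_LOG = (
    '1 2024-02-29T10:00:11Z exmpl1 CheckPoint 16550 - '
    '[action:"Drop"; ifdir:"inbound"; ifname:"eth2"; '
    '__policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={F3273ADD};'
    'mgmt=exmpl1;policy_name=Firewall_Policy\\]"; '
    'dst:"66.216.44.97"; layer_name:"Firewall_Policy Network"; '
    'layer_name:"DMZ1-Layer"; rule_action:"Inline"; rule_action:"Drop"; '
    'proto:"6"; s_port:"10099"; service:"443"; src:"10.10.10.10"]'
)

# One key:"value" pair followed by "; " or by the end of the payload.  A value runs
# to the next unescaped double quote, so the ';' and '[' inside __policy_id_tag and
# the escaped '\]' at its end do not terminate it early.
_PAIR = re.compile(r'(\w+):"((?:[^"\\]|\\.)*)"(?:;\s*|$)')


def parse_checkpoint_fields(line: str) -> dict[str, list[str]]:
    """Return key -> [values] for the bracketed payload of a Check Point syslog line.

    Repeated keys (layer_name, rule_action, ...) are kept as lists so none is lost.
    The closing ']' is removed structurally before any field is read, so the last
    field can never absorb the trailing '"]' the way the reported decoder does.
    """
    marker = " - ["
    start = line.find(marker)
    if start == -1 or not line.endswith("]"):
        raise ValueError("not a bracketed Check Point payload")
    payload = line[start + len(marker):-1]
    fields: dict[str, list[str]] = {}
    pos = 0
    while pos < len(payload):
        m = _PAIR.match(payload, pos)
        if m is None:
            raise ValueError(f"unparsable data at offset {pos}: {payload[pos:pos + 30]!r}")
        key, value = m.group(1), m.group(2).replace("\\]", "]")
        fields.setdefault(key, []).append(value)
        pos = m.end()
    return fields


def src_address(line: str) -> str:
    """The value data.src should carry: the bare address, without quotes or ']'."""
    return parse_checkpoint_fields(line)["src"][0]


def is_clean_address(decoded_value: str) -> bool:
    """Sanity check for a decoded data.src field.

    True only for a bare IP literal; the '"10.10.10.10"]' produced by the buggy
    regex fails, so this can be run over decoder test output to catch the bug.
    """
    try:
        ipaddress.ip_address(decoded_value)
    except ValueError:
        return False
    return True


if __name__ == "__main__":
    fields = parse_checkpoint_fields(SAMPLE_LOG)
    print("data.src =", src_address(SAMPLE_LOG))
    print("layer_name =", fields["layer_name"])
    print("buggy value accepted?", is_clean_address('"10.10.10.10"]'))
```

Running the decoder under `wazuh-logtest` and feeding the resulting data.src through `is_clean_address` gives a quick regression check for this report: the current output fails, the expected `10.10.10.10` passes.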
kai-hier commented
edit typo 🤷