From 6a1073b616a81b8e649d92aabedc8e37d2a663af Mon Sep 17 00:00:00 2001
From: Doug Burks
Date: Mon, 18 Dec 2023 12:57:40 -0500
Subject: [PATCH 1/3] FIX: Update dashboard and hunt query for firewall logs #12021
---
 salt/elasticsearch/files/ingest/filterlog | 35 ++++++++++++++---------
 salt/soc/defaults.yaml | 12 --------
 2 files changed, 22 insertions(+), 25 deletions(-)
diff --git a/salt/elasticsearch/files/ingest/filterlog b/salt/elasticsearch/files/ingest/filterlog
index 52d83dd0ad..13369e1517 100644
--- a/salt/elasticsearch/files/ingest/filterlog
+++ b/salt/elasticsearch/files/ingest/filterlog
@@ -4,15 +4,15 @@
 {
 "dissect": {
 "field": "real_message",
- "pattern" : "%{rule.uuid},%{rule.sub_uuid},%{firewall.anchor},%{firewall.tracker_id},%{interface.name},%{rule.reason},%{rule.action},%{network.direction},%{ip.version},%{firewall.sub_message}",
+ "pattern" : "%{rule.uuid},%{rule.sub_uuid},%{firewall.anchor},%{rule.id},%{observer.ingress.interface.name},%{event.reason},%{event.action},%{network.direction},%{ip.version},%{firewall.sub_message}",
 "on_failure" : [ {"set" : {"field" : "error.message","value" : "{{ _ingest.on_failure_message }}"}}]
 }
 },
 {
 "dissect": {
- "if": "ctx.ip.version == '4'",
+ "if": "ctx.ip?.version == '4'",
 "field": "firewall.sub_message",
- "pattern" : "%{ip.tos},%{ip.ecn},%{ip.ttl},%{ip.id},%{ip.offset},%{ip.flags},%{network.transport_id},%{network.transport},%{data.length},%{source.ip},%{destination.ip},%{ip_sub_msg}",
+ "pattern" : "%{pfsense.ip.tos},%{pfsense.ip.ecn},%{pfsense.ip.ttl},%{pfsense.ip.id},%{pfsense.ip.offset},%{pfsense.ip.flags},%{network.iana_number},%{network.transport},%{network.bytes},%{source.address},%{destination.address},%{ip_sub_msg}",
 "on_failure" : [ {"set" : {"field" : "error.message","value" : "{{ _ingest.on_failure_message }}"}}]
 }
 },
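Review bot: `%{network.bytes}` in the new IPv4 pattern is produced by dissect as a string, and the same holds for `%{source.port}`, `%{destination.port}`, `%{pfsense.tcp.length}` and `%{pfsense.udp.length}` in the IPv6, tcp and udp hunks below, while ECS defines `network.bytes` and the ports as `long`. Whether that matters depends on the index template, which is not part of this patch: with a `long` mapping and coercion enabled Elasticsearch converts the value, but a dynamic or keyword mapping would leave range queries and sums on these fields unusable. If the mapping is not already guaranteed, a converter after the dissect steps such as `{ "convert": { "field": "network.bytes", "type": "long", "ignore_missing": true } }` (and likewise for the ports) makes the type explicit. Note that the first dissect has no `if` and its `on_failure` only records `error.message`, so later processors run on a partially parsed document; the `?.` guards added in this series cover that for `ip.version`.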
@@ -20,7 +20,7 @@
 "dissect": {
 "if": "ctx.ip?.version == '6'",
 "field": "firewall.sub_message",
- "pattern" : "%{network.class},%{network.flow_label},%{network.hop_limit},%{network.transport},%{network.transport_id},%{data.length},%{source.ip},%{destination.ip},%{ip_sub_msg}",
+ "pattern" : "%{pfsense.ip.tos},%{pfsense.ip.flow_label},%{network.hop_limit},%{network.transport},%{network.iana_number},%{network.bytes},%{source.address},%{destination.address},%{ip_sub_msg}",
 "on_failure" : [ {"set" : {"field" : "error.message","value" : "{{ _ingest.on_failure_message }}"}}]
 }
 },
@@ -28,7 +28,7 @@
 "dissect": {
 "if": "ctx.network?.transport == 'tcp'",
 "field": "ip_sub_msg",
- "pattern" : "%{source.port},%{destination.port},%{data.length},%{tcp.flags},",
+ "pattern" : "%{source.port},%{destination.port},%{pfsense.tcp.length},%{pfsense.tcp.flags},",
 "on_failure" : [ {"set" : {"field" : "error.message","value" : "{{ _ingest.on_failure_message }}"}}]
 }
 },
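Review bot: `%{network.hop_limit}` survives in the new IPv6 pattern while its neighbours `network.class` and `network.flow_label` were moved to `pfsense.ip.tos` and `pfsense.ip.flow_label`; `network.hop_limit` is not an ECS field, so if the intent of the rename is to keep vendor-specific values under `pfsense.`, it should become `%{pfsense.ip.hop_limit}`. The same leftover appears as `%{ip.version}` and `%{firewall.anchor}` in the first hunk and as the `ip.options` target of the split processor in the next hunk; renaming `ip.version` would also require updating every `ctx.ip?.version` condition in the pipeline. Mapping both IPv4 `tos` and the IPv6 traffic class to the single key `pfsense.ip.tos` looks intentional, but a short comment in the pipeline's description (or the commit message) would save the next reader from checking.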
@@ -36,24 +36,33 @@
 "dissect": {
 "if": "ctx.network?.transport == 'udp'",
 "field": "ip_sub_msg",
- "pattern" : "%{source.port},%{destination.port},%{data.length}",
+ "pattern" : "%{source.port},%{destination.port},%{pfsense.udp.length}",
 "on_failure" : [ {"set" : {"field" : "error.message","value" : "{{ _ingest.on_failure_message }}"}}]
 }
 },
 {
 "split": {
- "if": "ctx.ip.version =='6' && ctx.network?.transport == 'Options'",
+ "if": "ctx.ip?.version =='6' && ctx.network?.transport == 'Options'",
 "field": "ip_sub_msg",
 "target_field": "ip.options",
 "separator" : ",",
 "on_failure" : [ {"set" : {"field" : "error.message","value" : "{{ _ingest.on_failure_message }}"}}]
 }
 },
- { "set": { "if": "ctx.network?.transport_id == '0'", "field": "network.transport", "value": "icmp", "override": true } },
- { "community_id": {} },
- { "set": { "field": "event.module", "value": "pfsense", "override": true } },
- { "set": { "field": "event.dataset", "value": "firewall", "override": true } },
- { "set": { "field": "category", "value": "network", "override": true } },
- { "remove": { "field": ["real_message", "ip_sub_msg", "firewall.sub_message"], "ignore_failure": true } }
+ { "lowercase": { "field": "network.transport", "ignore_failure": true } },
+ { "set": { "field": "destination.ip", "value": "{{{destination.address}}}", "override": true } },
+ { "set": { "field": "source.ip", "value": "{{{source.address}}}", "override": true } },
+ { "set": { "if": "ctx.ip?.version == '4'", "field": "network.type", "value": "ipv4", "override": true} },
+ { "set": { "if": "ctx.ip?.version == '6'", "field": "network.type", "value": "ipv6", "override": true} },
+ { "set": { "if": "ctx.network?.direction == 'in'", "field": "network.direction", "value": "inbound", "override": true} },
+ { "set": { "if": "ctx.network?.direction == 'out'", "field": "network.direction", "value": "outbound", "override": true} },
+ { "set": { "field": "category", "value": "network", "override": true } },
+ { "set": {
"field": "event.dataset", "value": "firewall", "override": true } }, + { "set": { "field": "event.kind", "value": "event", "override": true } }, + { "set": { "field": "event.module", "value": "pfsense", "override": true } }, + { "set": { "field": "event.provider", "value": "filterlog", "override": true } }, + { "set": { "field": "observer.type", "value": "firewall", "override": true } }, + { "community_id":{ } }, + { "remove": { "field": ["real_message", "ip_sub_msg", "firewall.sub_message"], "ignore_failure": true } } ] } diff --git a/salt/soc/defaults.yaml b/salt/soc/defaults.yaml index f440bd57b6..8c71f63336 100644 --- a/salt/soc/defaults.yaml +++ b/salt/soc/defaults.yaml @@ -459,18 +459,6 @@ soc: - x509.certificate.issuer - log.id.fuid '::firewall': - - soc_timestamp - - source.ip - - source.port - - destination.ip - - destination.port - - network.transport - - network.direction - - interface.name - - rule.action - - rule.reason - - network.community_id - ':pfsense:': - soc_timestamp - source.ip - source.port From 4d8661d2e09231e48dc52f7cf4555c9dad8af30b Mon Sep 17 00:00:00 2001 From: Doug Burks Date: Mon, 18 Dec 2023 13:38:04 -0500 Subject: [PATCH 2/3] FIX: Update dashboard and hunt query for firewall logs #12021 --- salt/soc/defaults.yaml | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/salt/soc/defaults.yaml b/salt/soc/defaults.yaml index 8c71f63336..371a9f2e0b 100644 --- a/salt/soc/defaults.yaml +++ b/salt/soc/defaults.yaml @@ -465,10 +465,9 @@ soc: - destination.ip - destination.port - network.transport - - network.direction + - network.type - observer.ingress.interface.name - event.action - - event.reason - network.community_id ':osquery:': - soc_timestamp From ab5de4c1048a27021ecf6ad486f2d27b74448a04 Mon Sep 17 00:00:00 2001 From: Doug Burks Date: Tue, 19 Dec 2023 07:27:07 -0500 Subject: [PATCH 3/3] update soc defaults.yaml --- salt/soc/defaults.yaml | 11 +++++++++++ 1 file changed, 11 insertions(+) 
diff --git a/salt/soc/defaults.yaml b/salt/soc/defaults.yaml
index 371a9f2e0b..a73c8884d0 100644
--- a/salt/soc/defaults.yaml
+++ b/salt/soc/defaults.yaml
@@ -469,6 +469,17 @@ soc:
 - observer.ingress.interface.name
 - event.action
 - network.community_id
+ ':pfsense:':
+ - soc_timestamp
+ - source.ip
+ - source.port
+ - destination.ip
+ - destination.port
+ - network.transport
+ - network.type
+ - observer.ingress.interface.name
+ - event.action
+ - network.community_id
 ':osquery:':
 - soc_timestamp
 - source.ip
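Review bot: The `':pfsense:'` list added here is a line-for-line copy of the `'::firewall'` list directly above it, and patch 2 of this same series already had to edit that list once, so the two copies will drift the next time a column changes. If the loader that reads this file honours YAML anchors, `'::firewall': &firewall_columns` on the existing key and `':pfsense:': *firewall_columns` in place of the eleven added lines keeps a single source of truth; if it does not, a one-line comment above `':pfsense:'` saying it must be kept identical to `'::firewall'` is the minimum. The enclosing `soc:` mapping starts well before this hunk.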