Wazuh

Wazuh is an open-source security solution designed to help organizations detect and respond to security threats. It provides real-time threat detection, analysis, and response capabilities, allowing organizations to enhance their overall security posture. Wazuh can monitor network and system activity, detect anomalies and attacks, and generate alerts when suspicious events occur.

Sangfor Firewall

Sangfor Firewall or Next Generation Firewall (NGFW) is a network security solution designed to protect networks from various types of attacks. It provides features such as intrusion prevention, application control, web filtering, and antivirus, among others. Sangfor Firewall generates logs that can be used to monitor network activity and detect potential security threats.

In this blog post, we will explore how to integrate Sangfor Firewall logs into Wazuh for monitoring traffic and threats. We provide the steps, decoders and rules required on the Wazuh side.

Bringing Sangfor firewall logs into Wazuh through Syslog

In order to monitor traffic and threats via the Sangfor firewall, the firewall logs first have to reach Wazuh. The Wazuh Manager must be configured to listen for remote syslog messages; the following documentation describes how to enable the syslog listener: https://documentation.wazuh.com/current/user-manual/capabilities/log-data-collection/how-it-works.html#remote-syslog

Once the Wazuh Manager is listening for syslog, configure the Sangfor firewall to forward its logs to the Wazuh Manager over syslog. For this, please follow the documentation from Sangfor; there are multiple resources available on the internet to guide you.

Confirm that the logs are received on Wazuh by checking the archives on the manager (the archives require logall to be enabled in ossec.conf). The following is a sample Sangfor firewall log:

Apr 12 12:59:39 localhost fwlog: Log type: application control, policy name: QUIC, user:(null), Src IP:0.0.0.0, Src port:00000, Dst IP:0.0.0.0, Dst port: 000, App category: net, application: WhatsApp, action: allow

The log entry provides the log type, the policy name, the source and destination IP addresses and ports, the action taken, and the application and user involved.

Sangfor Firewall Decoders and Rules

Wazuh uses rules and decoders to parse and analyze log data. Rules define the criteria for generating alerts, while decoders extract relevant information from log entries.

Decoders

Add the following decoders to the custom decoders on the Wazuh manager.

<!-- Parent decoder: matches syslog messages whose program name is "fwlog" -->
<decoder name="sangfor-fw">
<program_name>fwlog</program_name>
<type>syslog</type>
</decoder>

<!-- Child decoders: each one extracts a set of fields from the message body -->
<decoder name="sangfor-fw">
<parent>sangfor-fw</parent>
<regex>Log type: (\.+),</regex>
<order>log_type</order>
</decoder>

<decoder name="sangfor-fw">
<parent>sangfor-fw</parent>
<!-- the log has a space after "action:", so the regex must allow for it -->
<regex>action: (\w+)</regex>
<order>action</order>
</decoder>

<decoder name="sangfor-fw">
<parent>sangfor-fw</parent>
<!-- anchor on the "Src IP:" and "Dst IP:" labels so the two addresses are not confused -->
<regex>Src IP:(\d+.\d+.\d+.\d+), Src port:\d+, Dst IP:(\d+.\d+.\d+.\d+),</regex>
<order>srcip, dstip</order>
</decoder>

To create the decoders, place them in a custom decoder file on the manager, for example /var/ossec/etc/decoders/custom-sangfor-decoder.xml.

These decoders extract the relevant information from a Sangfor Firewall log entry and map it to the corresponding fields in Wazuh.

Rules

<group name="sangfor-fw,">
<rule id="110101" level="3">
<decoded_as>sangfor-fw</decoded_as>
<program_name>fwlog</program_name>
<!-- field matches are regex matches, so "IPS" matches any log type containing IPS -->
<field name="log_type">IPS</field>
<description>Firewall IPS: Attack denied</description>
<group>attack</group>
</rule>
</group>

To create the rules, place them in a custom rules file on the manager, for example /var/ossec/etc/rules/custom-sangfor-rules.xml, and restart the Wazuh manager so that the new decoders and rules are loaded.

This rule generates an alert when the Sangfor Firewall reports an attack denied by its IPS (log type IPS). Several such rules can be created according to your use case.
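To check what the decoders and the rule should yield for a fwlog line before wiring up the Wazuh regex, here is an added Python model of the decoder chain (example code written for this post, not part of Wazuh or of the Sangfor product). It uses Python's re module rather than Wazuh's own regex engine, and the field names other than log_type, action and srcip are assumptions chosen to follow Wazuh conventions.

```python
import re
from typing import Dict, Optional

# Constructed sample lines in the fwlog layout shown above. The first is the
# page's own sample; the second is a hypothetical IPS entry written for this
# example (addresses from documentation ranges), not captured from a device.
SAMPLE_LOGS = [
    "Apr 12 12:59:39 localhost fwlog: Log type: application control, policy name: QUIC, "
    "user:(null), Src IP:0.0.0.0, Src port:00000, Dst IP:0.0.0.0, Dst port: 000, "
    "App category: net, application: WhatsApp, action: allow",
    "Apr 12 13:02:11 localhost fwlog: Log type: IPS, policy name: default, user:(null), "
    "Src IP:198.51.100.7, Src port:44321, Dst IP:203.0.113.10, Dst port: 443, "
    "App category: web, application: HTTPS, action: deny",
]

# Sangfor label -> field name. log_type, action and srcip are the names the
# decoders above use; the rest are assumed here to match Wazuh conventions.
FIELD_NAMES = {
    "Log type": "log_type", "policy name": "policy", "user": "user",
    "Src IP": "srcip", "Src port": "srcport", "Dst IP": "dstip",
    "Dst port": "dstport", "App category": "app_category",
    "application": "application", "action": "action",
}

# Syslog header as in the sample: "<Mon DD HH:MM:SS> <host> fwlog: <body>"
HEADER = re.compile(r"^(\w{3} +\d+ \d\d:\d\d:\d\d) (\S+) fwlog: (.*)$")

def decode_sangfor(line: str) -> Optional[Dict[str, str]]:
    """Return the fields for one fwlog line, or None if it is not one."""
    m = HEADER.match(line)
    if not m:
        return None
    fields = {"program_name": "fwlog", "hostname": m.group(2)}
    for item in m.group(3).split(", "):
        # Spacing after the colon is inconsistent ("Src port:00000" vs
        # "Dst port: 000"), so split on the first colon and strip both sides.
        key, sep, value = item.partition(":")
        name = FIELD_NAMES.get(key.strip()) if sep else None
        value = value.strip()
        # "(null)" means no authenticated user: leave the field absent rather
        # than storing a literal placeholder that rules might match on.
        if name and value != "(null)":
            fields[name] = value
    return fields

def rule_110101_fires(fields: Dict[str, str]) -> bool:
    """Mirror the rule above: <field name="log_type">IPS</field> is a regex match."""
    return re.search("IPS", fields.get("log_type", "")) is not None
```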

Conclusion

Integrating Sangfor Firewall logs with Wazuh can enhance an organization’s security posture. By following the above steps, we can integrate Sangfor Firewall logs with Wazuh and leverage its powerful security capabilities.

If you have any trouble integrating Sangfor or any other firewall logs into Wazuh, please feel free to reach out to us. We provide consultancy and implementation services for Wazuh to organizations looking to enhance their security posture.