Sonicwall: TZ470 running SonicOS 7.01
Input type: Syslog/UDP
Rule summary:
Stage 0: Primary rule uses the “key_value” function to parse the delimited message using the default delimiter of space.
Stage 1: Four rules to split the port from the IP address, because Sonicwall sends addresses as XXX.XXX.XXX.XXX:YYYY and sometimes as XXX.XXX.XXX.XXX:YYYY:INTERFACENAME
Stage 2: GeoIP lookups on Source and Destination, as well as removal of some redundant fields left behind by the Stage 1 rules.
Stage 3: Whois Lookups on Source and Destination.
Rules
Stage 0:
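rule "Extract: Sonicwall Extraction"
// Parse the SonicWall key=value syslog payload into message fields.
// Only messages whose "source" is exactly the firewall address are parsed.
// The original condition used contains(), which also matched any sender
// whose address merely contains "10.0.0.1" (10.0.0.10-10.0.0.19, 110.0.0.1,
// ...), so other hosts' syslog could have been parsed with these rules.
when
  has_field("source") AND to_string($message.source) == "10.0.0.1"
then
  set_fields(
    fields: key_value(
      value: to_string($message.message),
      // SonicWall wraps some values in double quotes; strip the quotes from
      // both keys and values so the fields hold the bare text
      trim_value_chars: "\"",
      trim_key_chars: "\""
    )
  );
end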
Stage 1:
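rule "Sonicwall Split IP Port Interface for dst"
// Split dst ("IP:PORT" or "IP:PORT:INTERFACE") into DstIP, DstPort and,
// when present, DstInterface.
// The interface group is optional: the original pattern required the
// second ':' before GREEDYDATA, so a plain "IP:PORT" value never matched
// and DstIP/DstPort were not set for those messages.
when
  has_field("dst")
then
  set_fields(
    fields: grok(
      pattern: "%{IPV4:DstIP}:%{INT:DstPort}(?::%{GREEDYDATA:DstInterface})?",
      value: to_string($message.dst)
    )
  );
end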
rule "Sonicwall Split IP Port Interface for natDst"
// Split the NAT destination ("IP:PORT") into NatDstIP and NatDstPort.
when
  has_field("natDst")
then
  let nat_dst = to_string($message.natDst);
  let parsed = grok(
    pattern: "%{IPV4:NatDstIP}:%{INT:NatDstPort}",
    value: nat_dst
  );
  set_fields(parsed);
end
rule "Sonicwall Split IP Port Interface for natSrc"
// Split the NAT source ("IP:PORT") into NatSrcIP and NatSrcPort.
when
  has_field("natSrc")
then
  let nat_src = to_string($message.natSrc);
  let parsed = grok(
    pattern: "%{IPV4:NatSrcIP}:%{INT:NatSrcPort}",
    value: nat_src
  );
  set_fields(parsed);
end
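rule "Sonicwall Split IP Port Interface for src"
// Split src ("IP:PORT" or "IP:PORT:INTERFACE") into SrcIP, SrcPort and,
// when present, SrcInterface.
// The interface group is optional: the original pattern required the
// second ':' before GREEDYDATA, so a plain "IP:PORT" value never matched
// and SrcIP/SrcPort were not set for those messages.
when
  has_field("src")
then
  set_fields(
    fields: grok(
      pattern: "%{IPV4:SrcIP}:%{INT:SrcPort}(?::%{GREEDYDATA:SrcInterface})?",
      value: to_string($message.src)
    )
  );
end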
rule "Sonicwall Split Protocol Service for proto"
// Split a "PROTOCOL/SERVICE" proto value (e.g. tcp/https) into Protocol
// and Service. Values without a '/' are left to the icmp rule.
when
  has_field("proto") and contains(to_string($message.proto), "/")
then
  let proto_value = to_string($message.proto);
  let parsed = grok(
    pattern: "%{DATA:Protocol}/%{GREEDYDATA:Service}",
    value: proto_value
  );
  set_fields(parsed);
end
rule "Sonicwall Split Protocol Service for proto-icmp"
// ICMP has no service part, so copy the proto value straight into Protocol.
when
  has_field("proto") && contains(to_string($message.proto), "icmp")
then
  let proto_value = to_string($message.proto);
  set_field("Protocol", proto_value);
end
Stage 2:
rule "GeoIP lookup: DstIP"
// Resolve DstIP against the "geoip" lookup table and copy the country,
// city and coordinate results into DstIP_Geo* fields.
when
  has_field("DstIP")
then
  let dst_ip = to_string($message.DstIP);
  let geo_result = lookup("geoip", dst_ip);
  set_field("DstIP_GeoCountryIsoCode", geo_result["country"].iso_code);
  set_field("DstIP_GeoCountryName", geo_result["country"].names.en);
  set_field("DstIP_GeoCityName", geo_result["city"].names.en);
  set_field("DstIP_GeoLocation", geo_result["coordinates"]);
end
rule "GeoIP lookup: SrcIP"
// Resolve SrcIP against the "geoip" lookup table and copy the country,
// city and coordinate results into SrcIP_Geo* fields.
when
  has_field("SrcIP")
then
  let src_ip = to_string($message.SrcIP);
  let geo_result = lookup("geoip", src_ip);
  set_field("SrcIP_GeoCountryIsoCode", geo_result["country"].iso_code);
  set_field("SrcIP_GeoCountryName", geo_result["country"].names.en);
  set_field("SrcIP_GeoCityName", geo_result["city"].names.en);
  set_field("SrcIP_GeoLocation", geo_result["coordinates"]);
end
rule "Remove Redundant Fields-Sonicwall"
// Drop the raw combined fields once the Stage 1 rules have split them
// into their IP/port/interface and protocol/service parts.
// Applies only to messages whose id field contains "firewall".
when
  has_field("id") && contains(to_string($message.id), "firewall")
then
  // raw "IP:PORT[:INTERFACE]" fields
  remove_field("src", $message);
  remove_field("dst", $message);
  remove_field("natSrc", $message);
  remove_field("natDst", $message);
  // raw "PROTOCOL/SERVICE" field
  remove_field("proto", $message);
end
Stage 3:
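rule "Whois lookup: DstIP"
// Enrich public destination addresses with WHOIS data.
// Skipped for private ranges, for the 1.1.1.0/24 DNS resolvers (frequent
// traffic) and for port 43, so the firewall's own WHOIS connections do not
// trigger further lookups.
when
  has_field("DstIP") &&
  // is_ip(to_ip(...)) was added to diagnose occasional whois lookup failures
  is_ip(to_ip($message.DstIP)) &&
  // avoid whois lookups on internal addresses
  !in_private_net(to_string($message.DstIP)) &&
  // cidr_match(cidr, ip): the original passed "/24" as the cidr and the
  // constant 1.1.1.0 as the ip, so the message's address was never tested
  // and the 1.1.1.0/24 exclusion did not work (it either threw or was false)
  !cidr_match("1.1.1.0/24", to_ip($message.DstIP)) &&
  // avoid whois lookups on whois lookup messages
  to_string($message.DstPort) != "43"
then
  let whoislookup = whois_lookup_ip(to_string($message.DstIP), "DstIP");
  set_fields(whoislookup);
  //set_field("Whois_DstIP_Lookup","True");
end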
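rule "Whois lookup: SrcIP"
// Enrich public source addresses with WHOIS data.
// Skipped for private ranges, for the 1.1.1.0/24 DNS resolvers (frequent
// traffic) and for port 43, so the firewall's own WHOIS connections do not
// trigger further lookups.
when
  has_field("SrcIP") &&
  // is_ip(to_ip(...)) was added to diagnose occasional whois lookup failures
  is_ip(to_ip($message.SrcIP)) &&
  // avoid whois lookups on internal addresses
  !in_private_net(to_string($message.SrcIP)) &&
  // cidr_match(cidr, ip): the original passed "/24" as the cidr and the
  // constant 1.1.1.0 as the ip, so the message's address was never tested
  // and the 1.1.1.0/24 exclusion did not work (it either threw or was false)
  !cidr_match("1.1.1.0/24", to_ip($message.SrcIP)) &&
  // avoid whois lookups on whois lookup messages
  to_string($message.SrcPort) != "43"
then
  let whoislookup = whois_lookup_ip(to_string($message.SrcIP), "SrcIP");
  set_fields(whoislookup);
  //set_field("Whois_SrcIP_Lookup","True");
end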
END OF RULES
Happy to answer questions or accept feedback on any of this. Hope it helps someone!