Update: grok regex update for firewall attack

manan-crest · manan-crest · commit 1dac143cabf0 · 2025-11-14T14:00:11.000+05:30
diff --git a/watchguard_firebox/assets/logs/watchguard-firebox.yaml b/watchguard_firebox/assets/logs/watchguard-firebox.yaml
@@ -296,26 +296,25 @@ pipeline:
           enabled: true
           source: message
           samples:
-            - SYN flood attack against 10.10.10.10 from 10.10.10.10 detected.
-              500 SYN packets dropped since last alarm.
+            - UDP flood attack against 10.10.10.10 from 10.10.10.10 detected.
+              500 UDP flood packets dropped since last alarm. (udp_flood_dos)
             - IPv4 source route attack from 10.10.10.10 detected.
             - IP scan attack against 10.10.10.10 from 10.10.10.10 detected.
-            - "DDOS against server 10.10.10.10 detected. "
+            - DDOS against server 10.10.10.10 detected. (ddos_attack_dest_dos)
             - DDOS from client 10.10.10.10 detected.
           grok:
             supportRules: ""
-            matchRules: >
+            matchRules: >-
               parse_rule_30000152_to_30000159_30000162_to_30000166
               %{regex(".*(?= attack)"):attack_type} attack (against
               %{ip:network.destination.ip} )?from %{ip:network.client.ip}
               detected.( %{integer:drop_packet_count} %{regex(".*(?=
-              packets)"):drop_packet_type} packets dropped since last alarm.)?
-
-
-              parse_rule_30000161 %{regex(".*(?= from)"):attack_type} from client %{ip:network.client.ip} detected.
+              packets)"):drop_packet_type} packets dropped since last alarm.)?(
+              (%{notSpace}))?
 
+              parse_rule_30000161 %{regex(".*(?= from)"):attack_type} from client %{ip:network.client.ip} detected.( (%{notSpace}))?
 
-              parse_rule_30000160 %{regex(".*(?= against)"):attack_type} against server %{ip:network.destination.ip} detected.
+              parse_rule_30000160 %{regex(".*(?= against)"):attack_type} against server %{ip:network.destination.ip} detected.( (%{notSpace}))?
     - type: pipeline
       name: Processing of firewall alarm events
       enabled: true
diff --git a/watchguard_firebox/assets/logs/watchguard-firebox_tests.yaml b/watchguard_firebox/assets/logs/watchguard-firebox_tests.yaml
@@ -115,7 +115,7 @@ tests:
       - "source:LOGS_SOURCE"
       timestamp: 1744104397000
   - 
-    sample: "<142>Apr  2 18:47:10 WatchGuard-Firebox TEST (2025-04-08T09:26:37) test: msg_id=\"3000-0160\" DDOS against server 10.0.1.34 detected."
+    sample: "<142>Apr  2 18:47:10 WatchGuard-Firebox TEST (2025-04-08T09:26:37) test: msg_id=\"3000-0160\" DDOS against server 10.10.10.10 detected. (ddos_attack_dest_dos)"
     result:
       custom:
         attack_type: "DDOS"
@@ -130,7 +130,7 @@ tests:
           hostname: "WatchGuard-Firebox"
           prival: 142
         timestamp: 1744104397000
-      message: "DDOS against server 10.0.1.34 detected."
+      message: "DDOS against server 10.10.10.10 detected. (ddos_attack_dest_dos)"
       service: "firewall"
       tags:
       - "source:LOGS_SOURCE"
