From 1dac143cabf0f98771c5954c97bac26b1d030eb6 Mon Sep 17 00:00:00 2001
From: manan-crest
Date: Fri, 14 Nov 2025 13:42:56 +0530
Subject: [PATCH 1/2] Update: grok regex update for firewall attack

---
 .../assets/logs/watchguard-firebox.yaml | 17 ++++++++---------
 .../assets/logs/watchguard-firebox_tests.yaml | 4 ++--
 2 files changed, 10 insertions(+), 11 deletions(-)

diff --git a/watchguard_firebox/assets/logs/watchguard-firebox.yaml b/watchguard_firebox/assets/logs/watchguard-firebox.yaml
index 0e4e3341f47d7..36df58434ab3b 100644
--- a/watchguard_firebox/assets/logs/watchguard-firebox.yaml
+++ b/watchguard_firebox/assets/logs/watchguard-firebox.yaml
@@ -296,26 +296,25 @@ pipeline: enabled: true source: message samples: - - SYN flood attack against 10.10.10.10 from 10.10.10.10 detected. - 500 SYN packets dropped since last alarm. + - UDP flood attack against 10.10.10.10 from 10.10.10.10 detected. + 500 UDP flood packets dropped since last alarm. (udp_flood_dos) - IPv4 source route attack from 10.10.10.10 detected. - IP scan attack against 10.10.10.10 from 10.10.10.10 detected. - - "DDOS against server 10.10.10.10 detected. " + - DDOS against server 10.10.10.10 detected. (ddos_attack_dest_dos) - DDOS from client 10.10.10.10 detected. grok: supportRules: "" - matchRules: > + matchRules: >- parse_rule_30000152_to_30000159_30000162_to_30000166 %{regex(".*(?= attack)"):attack_type} attack (against %{ip:network.destination.ip} )?from %{ip:network.client.ip} detected.( %{integer:drop_packet_count} %{regex(".*(?= - packets)"):drop_packet_type} packets dropped since last alarm.)? - - - parse_rule_30000161 %{regex(".*(?= from)"):attack_type} from client %{ip:network.client.ip} detected. + packets)"):drop_packet_type} packets dropped since last alarm.)?( + (%{notSpace}))? + parse_rule_30000161 %{regex(".*(?= from)"):attack_type} from client %{ip:network.client.ip} detected.( (%{notSpace}))? - parse_rule_30000160 %{regex(".*(?= against)"):attack_type} against server %{ip:network.destination.ip} detected. + parse_rule_30000160 %{regex(".*(?= against)"):attack_type} against server %{ip:network.destination.ip} detected.( (%{notSpace}))? - type: pipeline name: Processing of firewall alarm events enabled: true diff --git a/watchguard_firebox/assets/logs/watchguard-firebox_tests.yaml b/watchguard_firebox/assets/logs/watchguard-firebox_tests.yaml index f7e448ce1ea92..4bf7700675c61 100644 --- a/watchguard_firebox/assets/logs/watchguard-firebox_tests.yaml +++ b/watchguard_firebox/assets/logs/watchguard-firebox_tests.yaml 
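Review bot: The new `( (%{notSpace}))?` trailer on all three rules matches the alarm identifier such as `(udp_flood_dos)` but never stores it, because `%{notSpace}` carries no attribute name; naming it and pinning the literal parentheses, e.g. `( \(%{notSpace:alarm_name}\))?`, would make the identifier queryable and stop the optional group from swallowing any unrelated trailing token, since the inner parentheses in the current form are a regex group rather than literal characters. The removed sample `"DDOS against server 10.10.10.10 detected. "` suggests real events can end with a trailing space, and the new trailer requires a non-space token after that space, so it is worth confirming such a message still matches and keeping one trailing-space sample. The blank line removed between the first rule and `parse_rule_30000161` is also worth checking in the rendered `matchRules` value, because `>-` folds adjacent lines at the same indent into a single line. The grok processor these rules belong to starts before the hunk.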
@@ -115,7 +115,7 @@ tests:
  - "source:LOGS_SOURCE"
  timestamp: 1744104397000
  -
- sample: "<142>Apr 2 18:47:10 WatchGuard-Firebox TEST (2025-04-08T09:26:37) test: msg_id=\"3000-0160\" DDOS against server 10.0.1.34 detected."
+ sample: "<142>Apr 2 18:47:10 WatchGuard-Firebox TEST (2025-04-08T09:26:37) test: msg_id=\"3000-0160\" DDOS against server 10.10.10.10 detected. (ddos_attack_dest_dos)"
  result:
  custom:
  attack_type: "DDOS"
@@ -130,7 +130,7 @@ tests:
  hostname: "WatchGuard-Firebox"
  prival: 142
  timestamp: 1744104397000
- message: "DDOS against server 10.0.1.34 detected."
+ message: "DDOS against server 10.10.10.10 detected. (ddos_attack_dest_dos)"
  service: "firewall"
  tags:
  - "source:LOGS_SOURCE"

From 15192855a6e62b8e55637afdbc1d8f5204fc4d15 Mon Sep 17 00:00:00 2001
From: manan-crest
Date: Fri, 14 Nov 2025 14:12:43 +0530
Subject: [PATCH 2/2] Update test results

---
 watchguard_firebox/assets/logs/watchguard-firebox_tests.yaml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/watchguard_firebox/assets/logs/watchguard-firebox_tests.yaml b/watchguard_firebox/assets/logs/watchguard-firebox_tests.yaml
index 4bf7700675c61..cc0c5d253da37 100644
--- a/watchguard_firebox/assets/logs/watchguard-firebox_tests.yaml
+++ b/watchguard_firebox/assets/logs/watchguard-firebox_tests.yaml
@@ -114,7 +114,7 @@ tests:
  tags:
  - "source:LOGS_SOURCE"
  timestamp: 1744104397000
- -
+ -
  sample: "<142>Apr 2 18:47:10 WatchGuard-Firebox TEST (2025-04-08T09:26:37) test: msg_id=\"3000-0160\" DDOS against server 10.10.10.10 detected. (ddos_attack_dest_dos)"
  result:
  custom:
@@ -125,7 +125,7 @@ tests:
  network:
  destination:
  geoip: {}
- ip: "10.0.1.34"
+ ip: "10.10.10.10"
  syslog:
  hostname: "WatchGuard-Firebox"
  prival: 142
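Review bot: Only the `msg_id=\"3000-0160\"` case is exercised by the updated sample, while the rule that changed most — `parse_rule_30000152_to_30000159_30000162_to_30000166`, whose optional `dropped since last alarm.` group now precedes the new `( (%{notSpace}))?` trailer — has no test with a message shaped like the new `udp_flood_dos` sample, so `drop_packet_count` and `drop_packet_type` are never checked against the trailer. A test case whose sample ends with `500 UDP flood packets dropped since last alarm. (udp_flood_dos)` and asserts `drop_packet_count: 500` and `drop_packet_type: "UDP flood"` (the values the rule should presumably yield) would close that gap. The `result.custom` block for this case continues outside the hunk, so any further expectations it holds are not visible here.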