
Cisco rules and decoders improvements #402

Closed
wants to merge 2 commits into from

Conversation

rossengeorgiev
Contributor

@rossengeorgiev rossengeorgiev commented May 15, 2019

Hi Wazuh, in this PR I have addressed a number of issues with the Cisco rules and decoders:

  1. Various decoder improvements. Cisco ios doesn't match logs with seq. number and no timezone #207, Cisco Accesslog and firewall rules doesn't match #208, Cisco logs match syslog rules #379, Improve cisco-ios decoders #380, #205, Fixed Cisco-ios acl decoder and prematch #206, Fix firewall rules - Cisco Devices #209, Improve cisco decoders #330
  2. I've split the Cisco header into separate fields: cisco.facility, cisco.severity, cisco.mnemonic. This makes sense for the rules and when searching in Kibana
  3. Reordered the pix decoder. PIX/ASA decoder disabled by Cisco IOS decoder #269, Add detection of ASA access list events #270
  4. Updated rule levels in the Cisco rules. Cisco ios doesn't match logs with seq. number and no timezone #207, Cisco IOS rules level #210 Change level rule cisco ios #337
  5. Updated GPG13 mappings on the existing Cisco rules
  6. Generic severity rules now include cisco.mnemonic

Auto closes all related issues and PRs:
Closes #207
Closes #208
Closes #379
Closes #380
Closes #205
Closes #206
Closes #209
Closes #330
Closes #269
Closes #270
Closes #207
Closes #210
Closes #337
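As an added illustration, not code from this PR or from the Wazuh ruleset, the header split described in point 2 and the prefix permutations from point 1 (sequence number, timestamp with or without a timezone) expressed as a small Python parser. The field names follow the PR; the regexes and the sample log lines are constructed here.

```python
import re

# Cisco IOS header: %FACILITY-SEVERITY-MNEMONIC: message text
# What precedes it (sequence number, timestamp with or without a timezone)
# depends on the device's logging configuration, so the header is matched
# on its own and the variable prefix is decoded separately.
HEADER_RE = re.compile(
    r"(?P<prefix>.*?)%(?P<facility>[A-Z][A-Z0-9_]*)-(?P<severity>[0-7])-"
    r"(?P<mnemonic>[A-Z][A-Z0-9_]*):\s*(?P<message>.*)$"
)
# Optional "service sequence-numbers" prefix, e.g. "000123: "
SEQ_RE = re.compile(r"^(?P<seq>\d+):\s*")
# Optional timestamp; a leading "*" or "." marks a non-authoritative clock.
# The timezone token is optional (the "no timezone" case from #207).
TS_RE = re.compile(
    r"^[*.]?(?P<ts>[A-Z][a-z]{2}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2}(?:\.\d+)?"
    r"(?:\s+[A-Z]{2,5})?):\s*"
)


def parse_cisco_ios(line):
    """Return cisco.* style fields for an IOS line, or None if it is not one."""
    m = HEADER_RE.match(line)
    if not m:
        return None  # not Cisco IOS: leave it to the generic syslog decoders
    fields = {"cisco.facility": m["facility"], "cisco.severity": int(m["severity"]),
              "cisco.mnemonic": m["mnemonic"], "message": m["message"],
              "seq": None, "timestamp": None}
    prefix = m["prefix"]
    s = SEQ_RE.match(prefix)
    if s:
        fields["seq"] = int(s["seq"])
        prefix = prefix[s.end():]
    t = TS_RE.match(prefix)
    if t:
        fields["timestamp"] = t["ts"]
    return fields


# Constructed sample lines covering the logging-setting permutations above.
SAMPLES = [
    "000123: *Mar  1 00:00:01.123: %SYS-5-CONFIG_I: Configured from console by vty0",
    "Jan  5 10:12:13 UTC: %LINK-3-UPDOWN: Interface GigabitEthernet0/1, changed state to down",
    "%SEC-6-IPACCESSLOGP: list 101 denied tcp 10.0.0.5(51234) -> 10.0.0.9(22), 1 packet",
    "Jan  5 10:12:14 host sshd[123]: Accepted publickey for ops from 10.0.0.7",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(parse_cisco_ios(sample))
```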

@rossengeorgiev rossengeorgiev marked this pull request as ready for review May 16, 2019 10:07
@rossengeorgiev
Contributor Author

rossengeorgiev commented May 16, 2019

Hi @albertomn86, @Zenidd, could you triage this one? Thanks

@Lopuiz Lopuiz self-assigned this Jun 10, 2019
@Lopuiz Lopuiz self-requested a review June 10, 2019 11:04
Contributor

@Lopuiz Lopuiz left a comment


Hello @rossengeorgiev

Thank you so much for your contribution to the Ruleset project. It's a fantastic job.
We will merge it as soon as possible.

Kind regards, Eva

@Lopuiz Lopuiz changed the base branch from master to 3.10 June 10, 2019 11:39
@Lopuiz Lopuiz requested a review from bah07 June 21, 2019 10:54
@chemamartinez
Contributor

Hi @rossengeorgiev,

First of all thanks for your contribution, it is an amazing job.

Unfortunately, we cannot merge your pull request yet. All the issues you say this PR is closing need to be reviewed. Some of them have related pull requests open, so we have to review both solutions (e.g. #270).

Thanks for your patience.

Regards.

@chemamartinez chemamartinez self-requested a review August 23, 2019 10:32
Contributor

@chemamartinez chemamartinez left a comment


@Lopuiz Lopuiz mentioned this pull request Aug 29, 2019
@rossengeorgiev
Contributor Author

Hi all, I've added some additional changes and rebased the PR against the 3.10 branch to avoid merge conflicts. There are still permutations of the logging settings that this decoder doesn't handle, but it's unlikely they'll ever be used.

@rossengeorgiev
Contributor Author

Any update on this?

@vikman90 vikman90 changed the base branch from 3.10 to develop July 31, 2020 12:10
@vikman90 vikman90 changed the base branch from develop to master September 25, 2020 08:21
@72nomada

Hi @rossengeorgiev, sorry for the delay, just a ping to verify whether this is still alive and waiting for us to do our work.

Thanks

@72nomada 72nomada added threatintel Threat Intelligence threatintel/review is in review. waiting some feedback labels Jan 23, 2021
@rossengeorgiev
Contributor Author

Hi @72nomada, PR is from 1.5y ago. It was ready to go back then, but now I have no idea. Feel free to try and resolve it if you want. My rulesets have long diverged.

@72nomada

Thanks @rossengeorgiev, thanks for your feedback. You are right, the PR is too old, sorry for that. Any chance we can get some feedback from/about your diverged rulesets?

Thanks again and sorry for this as you did a great job here.

@rossengeorgiev
Contributor Author

A wide set of devices and configurations were being fed through Wazuh. The default decoders and rules were often lacking. We maintain our own version of the default rules/decoders that includes many changes to achieve our use cases. Let me tell you, it's not fun trying to rebase the changes on top of a new version of Wazuh. This patch addresses the many variations of the Cisco-based syslogs, which is an issue in environments where the devices do not have identical logging configuration. Unfortunately, getting changes pushed upstream is difficult.

@juanrricci

Hello team, we are closing this PR without applying the changes in this repository, but they were applied in the last Wazuh version repository with some modifications. They are detailed in the following issue: wazuh/wazuh#7278.
