Sophos Firewall

Overview

Sophos firewalls offer an integrated software solution that provides superior performance in an all-in-one firewall. Its hardened operating system, stateful packet inspection, content filtering (virus & surf protection), application proxies and IPsec based VPN provides powerful solutions to today's security issues. It is designed to maximise networks security without compromising its performance enabling telecommuters, branch offices, customers and suppliers to safely share critical business information.

Event Categories

The following table lists the data source offered by this integration.

Data Source	Description
`Network device logs`	IPS logs and firewall logs are examined in detail
`Network protocol analysis`	ICMP, TCP and UDP packets are fully analyzed

In details, the following table denotes the type of events produced by this integration.

Name	Values
Kind	`event`
Category	`network`
Type	``

Event Samples

Find below few samples of events and how they are normalized by SEKOIA.IO.

url.jsonutm_accept.jsonutm_dns.jsonutm_drop.jsonxg_allow.json

{
    "event": {
        "category": "network",
        "kind": "event"
    },
    "action": {
        "name": "allow"
    },
    "destination": {
        "bytes": 4563,
        "domain": "www.google.com",
        "ip": "216.58.203.100",
        "port": 80
    },
    "log": {
        "level": "Information"
    },
    "network": {
        "transport": "TCP"
    },
    "observer": {
        "name": "SG330"
    },
    "sophos": {
        "log_subtype": "Allowed"
    },
    "source": {
        "address": "10.0.5.23",
        "bytes": 310,
        "ip": "10.0.5.23",
        "port": 56332
    },
    "url": {
        "original": "http://www.google.com/dl/release2/TnV3rQKAz82ODPFMuxq1wQ_1089/f9YORelAF3Z1VnI84ysPJA"
    },
    "user": {
        "name": "b.orowi@cci.adds"
    }
}

{
    "sophos": {
        "action": "accept",
        "sub": "packetfilter"
    },
    "event": {
        "category": "network",
        "kind": "event"
    },
    "destination": {
        "address": "8.8.8.8",
        "ip": "8.8.8.8",
        "mac": "00:1a:8c:f0:3f:a4",
        "port": 53
    },
    "source": {
        "address": "10.1.0.10",
        "ip": "10.1.0.10",
        "mac": "f8:0f:6f:9c:5e:2d",
        "port": 51208
    }
}

{
    "event": {
        "category": "network",
        "kind": "event",
        "outcome": "success"
    },
    "sophos": {
        "action": "DNS request",
        "sub": "packetfilter"
    },
    "destination": {
        "ip": "8.8.8.8",
        "mac": "00:1a:8c:f0:3f:a4",
        "port": 53
    },
    "source": {
        "ip": "10.1.0.10",
        "mac": "f8:0f:6f:9c:5e:2d",
        "port": 51208
    }
}

{
    "event": {
        "category": "network",
        "kind": "event",
        "outcome": "success",
        "type": "drop"
    },
    "destination": {
        "ip": "133.222.233.233",
        "mac": "00:1a:8c:g0:62:69",
        "port": 52938
    },
    "sophos": {
        "action": "drop",
        "sub": "packetfilter"
    },
    "source": {
        "ip": "103.188.113.55",
        "mac": "d8:94:03:g6:cd:27",
        "port": 54040
    }
}

{
    "destination": {
        "address": "195.35.245.30",
        "bytes": 0,
        "ip": "195.35.245.30",
        "nat": {
            "port": 0
        },
        "packets": 0,
        "port": 62384
    },
    "log": {
        "level": "Information"
    },
    "event": {
        "category": "network",
        "kind": "event"
    },
    "action": {
        "name": "allow"
    },
    "network": {
        "transport": "UDP"
    },
    "observer": {
        "name": "SG330"
    },
    "sophos": {
        "log_subtype": "Allowed",
        "status": "Allow"
    },
    "source": {
        "address": "10.0.215.3",
        "bytes": 0,
        "ip": "10.0.215.3",
        "mac": "00:00:00:00:00:00",
        "nat": {
            "ip": "61.5.213.97",
            "port": 0
        },
        "packets": 0,
        "port": 38413
    }
}

Extracted Fields

The following table lists the fields that are extracted, normalized under the ECS format, analyzed and indexed by the parser. It should be noted that infered fields are not listed.

Name	Type	Description
`destination.bytes`	`long`	Bytes sent from the destination to the source.
`destination.domain`	`keyword`	The domain name of the destination.
`destination.ip`	`ip`	IP address of the destination.
`destination.mac`	`keyword`	MAC address of the destination.
`destination.nat.ip`	`ip`	Destination NAT ip
`destination.nat.port`	`long`	Destination NAT Port
`destination.packets`	`long`	Packets sent from the destination to the source.
`destination.port`	`long`	Port of the destination.
`event.category`	`keyword`	Event category. The second categorization field in the hierarchy.
`event.kind`	`keyword`	The kind of the event. The highest categorization field in the hierarchy.
`http.request.method`	`keyword`	HTTP request method.
`http.request.referrer`	`keyword`	Referrer for this HTTP request.
`http.response.status_code`	`long`	HTTP response status code.
`log.level`	`keyword`	Log level of the log event.
`network.transport`	`keyword`	Protocol Name corresponding to the field `iana_number`.
`observer.name`	`keyword`	Custom name of the observer.
`sophos.action`	`keyword`	None
`sophos.log_subtype`	`keyword`	None
`sophos.status`	`keyword`	None
`sophos.sub`	`keyword`	None
`source.bytes`	`long`	Bytes sent from the source to the destination.
`source.ip`	`ip`	IP address of the source.
`source.mac`	`keyword`	MAC address of the source.
`source.nat.ip`	`ip`	Source NAT ip
`source.nat.port`	`long`	Source NAT port
`source.packets`	`long`	Packets sent from the source to the destination.
`source.port`	`long`	Port of the source.
`url.original`	`wildcard`	Unmodified original url as seen in the event source.
`url.query`	`keyword`	Query string of the request.
`user.group.name`	`keyword`	Name of the group.
`user.name`	`keyword`	Short name or login of the user.
`user_agent.original`	`keyword`	Unparsed user_agent string.

Configure

This setup guide will show you how to forward your Sophos logs to SEKOIA.IO by means of an Rsyslog transport channel.

Configure Sophos Firewall

You can configure a syslog server in Sophos Firewall by following the instructions below (Which is appropriate for an XG Firewall, please refer to your documentation in other cases).

Go to System Services > Log Settings and click Add to configure a syslog server.
Enter a name for the syslog server.
Enter the IP Address of the syslog server. Messages from the device will be sent to the entered IP address.
Enter a Port number that the device will use for communicating with the syslog server. Device will send messages using the selected port.
Select the Facility from the available options. Note: Facility informs the syslog server of the log message's source. It is defined by the syslog protocol. You can configure the facility to distinguish log messages from different devices. This parameter helps you identify the device that recorded a specific log file.
Select the Severity Level from the available options.
Click Save to save the configuration.

Configure the Rsyslog server

You can configure your Rsyslog server to forward your Sophos logs to SEKOIA.IO. Please consult the Rsyslog Transport documentation to forward these logs to SEKOIA.IO.