Stormshield SNS

Overview

Stormshield Network Security firewalls provide comprehensive security and high-performance network protection. In addition, they offer a high degree of scalability to support the evolution of IT and OT networks.

In this documentation we explain how to collect Stormshield Network Security logs and send them to SEKOIA.IO.

Benefit from SEKOIA.IO built-in rules and upgrade Stormshield SNS with the following detection capabilities out-of-the-box.

SEKOIA.IO x Stormshield SNS on ATT&CK Navigator

SEKOIA.IO Intelligence Feed

Detect threats based on indicators of compromise (IOCs) collected by SEKOIA's Threat and Detection Research team.

  • Effort: elementary
TOR Usage

Detects TOR usage, based on the destination IP address and the destination port (NTP traffic is filtered out). TOR is short for The Onion Router, and it gets its name from how it works. TOR intercepts the network traffic from one or more apps on the user's computer, usually the web browser, and shuffles it through a number of randomly chosen computers before passing it on to its destination. This disguises the user's location and makes it harder for servers to pick the user out on repeat visits, or to tie together separate visits to different sites, thus making tracking and surveillance more difficult. Before a network packet starts its journey, the user's computer chooses a random list of relays and repeatedly encrypts the data in multiple layers, like an onion. Each relay knows only enough to strip off the outermost layer of encryption before passing what's left on to the next relay in the list.

  • Effort: master

Event Categories

The following table lists the data sources offered by this integration.

| Data Source | Description |
| --- | --- |
| Network device logs | Stormshield Network Security firewalls can record traffic events flowing through the firewall. |
| Network protocol analysis | Stormshield Network Security firewalls perform traffic analysis at the physical, data link and transport layers. |
| SSL/TLS inspection | Stormshield Network Security firewalls can perform SSL/TLS inspection to protect the company network. |
| Anti-virus | Stormshield firewalls can be configured to perform malware analysis. |

In detail, the following table denotes the types of events produced by this integration.

| Name | Values |
| --- | --- |
| Kind | event |
| Category | network |
| Type | connection |

Event Samples

Below are a few samples of events and how they are normalized by SEKOIA.IO.

{
    "message": "time=\"2022-03-17 14:49:51\" fw=\"SN12345678912345\" tz=+0100 startime=\"2022-03-17 14:49:51\" pri=5 confid=01 slotlevel=5 ruleid=48 srcif=\"Ethernet3\" srcifname=\"in\" ipproto=tcp dstif=\"Ethernet2\" dstifname=\"out\" proto=https src=55.66.77.88 srcport=39618 srcportname=ephemeral_fw_tcp srcname=MGDFS-Proxy-02 srcmac=00:00:00:00:00:00 dst=11.22.33.44 dstport=443 dstportname=https dstcontinent=\"na\" dstcountry=\"us\" ipv=4 sent=0 rcvd=0 duration=0.00 logtype=\"filter\"",
    "event": {
        "start": "2022-03-17T13:49:51.000000Z",
        "kind": "event",
        "category": [
            "network"
        ],
        "type": [
            "connection"
        ],
        "timezone": "+0100",
        "risk_score": 5,
        "duration": 0.0
    },
    "stormshield": {
        "logtype": "filter",
        "dstportname": "https",
        "srcportname": "ephemeral_fw_tcp",
        "slotlevel": 5,
        "confid": 1
    },
    "@timestamp": "2022-03-17T13:49:51.000000Z",
    "observer": {
        "serial_number": "SN12345678912345",
        "ingress": {
            "interface": {
                "name": "Ethernet3",
                "alias": "in"
            }
        },
        "egress": {
            "interface": {
                "name": "Ethernet2",
                "alias": "out"
            }
        }
    },
    "network": {
        "transport": "tcp",
        "bytes": 0,
        "protocol": "https",
        "type": "4"
    },
    "source": {
        "ip": "55.66.77.88",
        "port": 39618,
        "mac": "00:00:00:00:00:00",
        "address": "55.66.77.88"
    },
    "destination": {
        "ip": "11.22.33.44",
        "port": 443,
        "geo": {
            "continent_name": "na",
            "country_iso_code": "us"
        },
        "address": "11.22.33.44"
    },
    "host": {
        "network": {
            "ingress": {
                "bytes": 0
            },
            "egress": {
                "bytes": 0
            }
        }
    },
    "rule": {
        "id": "48",
        "category": "5"
    },
    "related": {
        "ip": [
            "11.22.33.44",
            "55.66.77.88"
        ]
    }
}
{
    "message": "time=\"2022-03-03 14:21:10\" fw=\"SN12345678912345\" tz=+0100 startime=\"2022-03-03 14:21:10\" pri=5 confid=01 slotlevel=2 ruleid=100 srcif=\"Ethernet3\" srcifname=\"in\" ipproto=tcp dstif=\"Ethernet2\" dstifname=\"out\" proto=https src=42.123.123.123 srcport=60355 srcportname=ad2009-dyn_tcp srcname=DLEM-AMPD02 srcmac=00:00:00:00:00:00 dst=11.11.11.11 dstport=443 dstportname=https dstname=example_dest dstcontinent=\"na\" dstcountry=\"us\" ipv=4 sent=0 rcvd=0 duration=2.00 action=pass logtype=\"filter\"",
    "event": {
        "start": "2022-03-03T13:21:10.000000Z",
        "kind": "event",
        "category": [
            "network"
        ],
        "type": [
            "connection"
        ],
        "timezone": "+0100",
        "risk_score": 5,
        "duration": 2000000000.0
    },
    "stormshield": {
        "logtype": "filter",
        "dstname": "example_dest",
        "dstportname": "https",
        "srcportname": "ad2009-dyn_tcp",
        "slotlevel": 2,
        "confid": 1,
        "filter": {
            "action": "pass"
        }
    },
    "@timestamp": "2022-03-03T13:21:10.000000Z",
    "observer": {
        "serial_number": "SN12345678912345",
        "ingress": {
            "interface": {
                "name": "Ethernet3",
                "alias": "in"
            }
        },
        "egress": {
            "interface": {
                "name": "Ethernet2",
                "alias": "out"
            }
        }
    },
    "network": {
        "transport": "tcp",
        "bytes": 0,
        "protocol": "https",
        "type": "4"
    },
    "source": {
        "ip": "42.123.123.123",
        "port": 60355,
        "mac": "00:00:00:00:00:00",
        "address": "42.123.123.123"
    },
    "destination": {
        "ip": "11.11.11.11",
        "port": 443,
        "geo": {
            "continent_name": "na",
            "country_iso_code": "us"
        },
        "address": "11.11.11.11"
    },
    "host": {
        "network": {
            "ingress": {
                "bytes": 0
            },
            "egress": {
                "bytes": 0
            }
        }
    },
    "rule": {
        "id": "100",
        "category": "2"
    },
    "related": {
        "ip": [
            "11.11.11.11",
            "42.123.123.123"
        ]
    }
}
{
    "message": "time=\"2022-03-16 19:36:03\" fw=\"SN12345678912345\" tz=+0100 startime=\"\" pri=5 confid=01 slotlevel=2 ruleid=103 srcif=\"Ethernet3\" srcifname=\"in\" ipproto=tcp dstif=\"Ethernet2\" dstifname=\"out\" proto=https src=11.11.11.11 srcport=49586 srcportname=ephemeral_fw_tcp srcname=foo_bar srcmac=00:00:00:00:00:00 srccontinent=\"na\" srccountry=\"us\" dst=22.22.22.22 dstport=443 dstportname=https dstcontinent=\"eu\" dstcountry=\"be\" modsrc=11.11.11.11 modsrcport=49586 origdst=22.22.22.22 origdstport=443 ipv=4 sent=2827291 rcvd=2728401 duration=107331.18 action=pass logtype=\"connection\"",
    "event": {
        "kind": "event",
        "category": [
            "network"
        ],
        "type": [
            "connection"
        ],
        "timezone": "+0100",
        "risk_score": 5,
        "duration": 107331180000000.0
    },
    "stormshield": {
        "logtype": "connection",
        "dstportname": "https",
        "srcportname": "ephemeral_fw_tcp",
        "slotlevel": 2,
        "confid": 1,
        "filter": {
            "action": "pass"
        }
    },
    "@timestamp": "2022-03-16T18:36:03.000000Z",
    "observer": {
        "serial_number": "SN12345678912345",
        "ingress": {
            "interface": {
                "name": "Ethernet3",
                "alias": "in"
            }
        },
        "egress": {
            "interface": {
                "name": "Ethernet2",
                "alias": "out"
            }
        }
    },
    "network": {
        "transport": "tcp",
        "bytes": 5555692,
        "protocol": "https",
        "type": "4"
    },
    "source": {
        "ip": "11.11.11.11",
        "port": 49586,
        "mac": "00:00:00:00:00:00",
        "geo": {
            "continent_name": "na",
            "country_iso_code": "us"
        },
        "address": "11.11.11.11"
    },
    "destination": {
        "ip": "22.22.22.22",
        "port": 443,
        "geo": {
            "continent_name": "eu",
            "country_iso_code": "be"
        },
        "address": "22.22.22.22"
    },
    "host": {
        "network": {
            "ingress": {
                "bytes": 2728401
            },
            "egress": {
                "bytes": 2827291
            }
        }
    },
    "rule": {
        "id": "103",
        "category": "2"
    },
    "related": {
        "ip": [
            "11.11.11.11",
            "22.22.22.22"
        ]
    }
}

Extracted Fields

The following table lists the fields that are extracted, normalized under the ECS format, analyzed and indexed by the parser. Note that inferred fields are not listed.

| Name | Type | Description |
| --- | --- | --- |
| @timestamp | date | Date/time when the event originated. |
| destination.geo.continent_name | keyword | Name of the continent. |
| destination.geo.country_iso_code | keyword | Country ISO code. |
| destination.ip | ip | IP address of the destination. |
| destination.port | long | Port of the destination. |
| event.category | keyword | Event category. The second categorization field in the hierarchy. |
| event.duration | long | Duration of the event in nanoseconds. |
| event.kind | keyword | The kind of the event. The highest categorization field in the hierarchy. |
| event.risk_score | float | Risk score or priority of the event (e.g. security solutions). Use your system's original value here. |
| event.start | date | event.start contains the date when the event started or when the activity was first observed. |
| event.timezone | keyword | Event time zone. |
| event.type | keyword | Event type. The third categorization field in the hierarchy. |
| host.network.egress.bytes | long | The number of bytes sent on all network interfaces. |
| host.network.ingress.bytes | long | The number of bytes received on all network interfaces. |
| network.bytes | long | Total bytes transferred in both directions. |
| network.protocol | keyword | Application protocol name. |
| network.transport | keyword | Protocol name corresponding to the field iana_number. |
| network.type | keyword | In the OSI model this would be the network layer: ipv4, ipv6, ipsec, pim, etc. |
| observer.egress.interface.alias | keyword | Interface alias. |
| observer.egress.interface.name | keyword | Interface name. |
| observer.ingress.interface.alias | keyword | Interface alias. |
| observer.ingress.interface.name | keyword | Interface name. |
| observer.serial_number | keyword | Observer serial number. |
| rule.category | keyword | Rule category. |
| rule.id | keyword | Rule ID. |
| source.geo.continent_name | keyword | Name of the continent. |
| source.geo.country_iso_code | keyword | Country ISO code. |
| source.ip | ip | IP address of the source. |
| source.mac | keyword | MAC address of the source. |
| source.port | long | Port of the source. |
| stormshield.filter.action | keyword | The action associated with the filter rule. |
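The following script is an added example (not SEKOIA.IO's parser nor Stormshield code) that ties the three sections above together: it parses the Stormshield `key=value` syslog line into the nested ECS document shown in the event samples (local time plus `tz` offset converted to a UTC `@timestamp`, `duration` in seconds converted to nanoseconds, `sent`/`rcvd` mapped to egress/ingress bytes, an empty `startime` producing no `event.start`), and then runs the "TOR Usage" rule described earlier over the result: the destination IP is checked against a Tor node list, with NTP (port 123) filtered out. The `TOR_NODES` set and the third, NTP sample line are constructed for the example only; the first two sample lines are taken verbatim from the page.

```python
"""Parse Stormshield SNS syslog lines into the ECS-style document shown in the
samples above, then run a Tor-exit check over it.  Added example, not
SEKOIA.IO's parser; TOR_NODES is a constructed placeholder list."""
import re
from datetime import datetime, timedelta, timezone
from decimal import Decimal

# One key=value token: the value is either a double-quoted string or a bare word.
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S*)')


def parse_kv(message: str) -> dict:
    """Split the firewall's key=value line into a flat dict of raw strings."""
    return {k: v[1:-1] if v.startswith('"') else v for k, v in KV_RE.findall(message)}


def to_utc(local: str, tz: str) -> str:
    """Firewall times are local; subtract the tz offset (+HHMM) to get the UTC @timestamp."""
    sign = 1 if tz.startswith("+") else -1
    offset = sign * timedelta(hours=int(tz[1:3]), minutes=int(tz[3:5]))
    utc = datetime.strptime(local, "%Y-%m-%d %H:%M:%S") - offset
    return utc.replace(tzinfo=timezone.utc).strftime("%Y-%m-%dT%H:%M:%S.%fZ")


def put(doc: dict, path: str, value) -> None:
    """Set a nested key from a dotted ECS path such as 'observer.ingress.interface.name'."""
    *parents, leaf = path.split(".")
    for p in parents:
        doc = doc.setdefault(p, {})
    doc[leaf] = value


def normalize(message: str) -> dict:
    """Map the raw fields onto the ECS fields listed in the table above."""
    raw = parse_kv(message)
    doc: dict = {"message": message}
    put(doc, "@timestamp", to_utc(raw["time"], raw["tz"]))
    if raw.get("startime"):  # empty in the third page sample: no event.start at all
        put(doc, "event.start", to_utc(raw["startime"], raw["tz"]))
    put(doc, "event.kind", "event")
    put(doc, "event.category", ["network"])
    put(doc, "event.type", ["connection"])
    put(doc, "event.timezone", raw["tz"])
    put(doc, "event.risk_score", int(raw["pri"]))
    # event.duration is nanoseconds; Decimal keeps e.g. 107331.18 s exact.
    put(doc, "event.duration", float(Decimal(raw["duration"]) * 10**9))
    put(doc, "observer.serial_number", raw["fw"])
    put(doc, "observer.ingress.interface.name", raw["srcif"])
    put(doc, "observer.ingress.interface.alias", raw["srcifname"])
    put(doc, "observer.egress.interface.name", raw["dstif"])
    put(doc, "observer.egress.interface.alias", raw["dstifname"])
    put(doc, "network.transport", raw["ipproto"])
    put(doc, "network.protocol", raw["proto"])
    put(doc, "network.type", raw["ipv"])
    sent, rcvd = int(raw["sent"]), int(raw["rcvd"])
    put(doc, "host.network.egress.bytes", sent)
    put(doc, "host.network.ingress.bytes", rcvd)
    put(doc, "network.bytes", sent + rcvd)
    put(doc, "source.ip", raw["src"])
    put(doc, "source.port", int(raw["srcport"]))
    put(doc, "source.mac", raw["srcmac"])
    put(doc, "destination.ip", raw["dst"])
    put(doc, "destination.port", int(raw["dstport"]))
    for side, prefix in (("source", "src"), ("destination", "dst")):
        if prefix + "country" in raw:  # geo block only when the firewall supplied it
            put(doc, f"{side}.geo.continent_name", raw[prefix + "continent"])
            put(doc, f"{side}.geo.country_iso_code", raw[prefix + "country"])
    put(doc, "rule.id", raw["ruleid"])
    put(doc, "rule.category", raw["slotlevel"])
    put(doc, "stormshield.logtype", raw["logtype"])
    put(doc, "stormshield.slotlevel", int(raw["slotlevel"]))
    put(doc, "stormshield.confid", int(raw["confid"]))
    if "action" in raw:
        put(doc, "stormshield.filter.action", raw["action"])
    put(doc, "related.ip", sorted({raw["src"], raw["dst"]}))
    return doc


# Constructed placeholder for this example only; a real rule uses a current Tor node feed.
TOR_NODES = {"22.22.22.22"}
NTP_PORT = 123


def is_tor_usage(doc: dict) -> bool:
    """The page's TOR Usage rule: destination is a known Tor node and the port is not NTP."""
    dst = doc["destination"]
    return dst["ip"] in TOR_NODES and dst["port"] != NTP_PORT


# First two lines are page samples; the third is constructed to show the NTP exclusion.
SAMPLES = [
    'time="2022-03-17 14:49:51" fw="SN12345678912345" tz=+0100 startime="2022-03-17 14:49:51" pri=5 confid=01 slotlevel=5 ruleid=48 srcif="Ethernet3" srcifname="in" ipproto=tcp dstif="Ethernet2" dstifname="out" proto=https src=55.66.77.88 srcport=39618 srcportname=ephemeral_fw_tcp srcname=MGDFS-Proxy-02 srcmac=00:00:00:00:00:00 dst=11.22.33.44 dstport=443 dstportname=https dstcontinent="na" dstcountry="us" ipv=4 sent=0 rcvd=0 duration=0.00 logtype="filter"',
    'time="2022-03-16 19:36:03" fw="SN12345678912345" tz=+0100 startime="" pri=5 confid=01 slotlevel=2 ruleid=103 srcif="Ethernet3" srcifname="in" ipproto=tcp dstif="Ethernet2" dstifname="out" proto=https src=11.11.11.11 srcport=49586 srcportname=ephemeral_fw_tcp srcname=foo_bar srcmac=00:00:00:00:00:00 srccontinent="na" srccountry="us" dst=22.22.22.22 dstport=443 dstportname=https dstcontinent="eu" dstcountry="be" modsrc=11.11.11.11 modsrcport=49586 origdst=22.22.22.22 origdstport=443 ipv=4 sent=2827291 rcvd=2728401 duration=107331.18 action=pass logtype="connection"',
    'time="2022-03-16 19:40:00" fw="SN12345678912345" tz=+0100 startime="2022-03-16 19:40:00" pri=5 confid=01 slotlevel=2 ruleid=103 srcif="Ethernet3" srcifname="in" ipproto=udp dstif="Ethernet2" dstifname="out" proto=ntp src=11.11.11.11 srcport=123 srcportname=ntp srcmac=00:00:00:00:00:00 dst=22.22.22.22 dstport=123 dstportname=ntp ipv=4 sent=96 rcvd=96 duration=0.01 action=pass logtype="connection"',
]

if __name__ == "__main__":
    for line in SAMPLES:
        d = normalize(line)
        print(d["@timestamp"], d["destination"]["ip"], d["destination"]["port"], "tor" if is_tor_usage(d) else "-")
```

Only the HTTPS connection to the placeholder Tor node is flagged; the NTP line to the same address is dropped by the port filter, which is exactly the false-positive the rule description says it excludes.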

Configure

Sending logs to syslog server

You need to set some parameters to send your logs via syslog. Create a profile in the "Syslog" tab of your Stormshield interface.

Note that you can configure up to 4 different profiles.

You need to specify the following information:

  • Name
  • Comments
  • Syslog server
  • Protocol
  • Certification authority
  • Server certificate
  • Client certificate
  • Format

You can find more information in the documentation provided by Stormshield.

Generate the intake_key

Go to your SEKOIA.IO instance to generate an "intake key". Everything you need to do for this part of the configuration is described here.

Finally, to push logs, configure filters and rewrite rules in your syslog server that add the proper "intake key" to your logs.