Stormshield Firewall Content Pack

The following content pack is available for use with a Graylog Illuminate license and Graylog Enterprise or Graylog Security. Contact sales to learn more about obtaining Illuminate.

The Stormshield firewall is a security solution that provides real-time protection, control, supervision, and content filtering via IPS, application control, AV, URL filtering, vulnerability detection, anti-spam, and similar features. This technology pack processes Stormshield log messages, providing normalization and enrichment of common events of interest.

Supported Versions

  • Stormshield Network Security (SNS) version 2+

Requirements

  • Graylog Server with a valid Enterprise license, running Graylog version 4.3.0+.

  • Stormshield Firewall running Stormshield Network Security (SNS) version 2+ configured to transmit syslog to your Graylog server syslog input.

Stream Configuration

This technology pack includes 1 stream:

  • "Illuminate:Stormshield Firewall Messages"

Hint: If this stream does not exist before the pack is activated, it is created, and the pack's processing rules are configured to route messages to it and to the associated index set. There should not be any stream rules configured for this stream.

Index Set Configuration

This technology pack includes 1 index set definition:

  • "Stormshield Firewall Logs"

Hint: If this index set is already defined, then nothing is changed. If this index set does not exist, then it is created with retention settings of a daily rotation and 90 days of retention. These settings can be adjusted as required after installation.

Log Collection

Configure Stormshield Firewall to transmit Syslog to your Graylog server Syslog input.

Log Format Example

id=firewall time="2022-11-25 16:30:33" fw="SN710_ABCD" tz=+0100 startime="2022-11-25 16:30:32" pri=5 confid=01 slotlevel=2 ruleid=208 srcif="vlan4" srcifname="20_SOMETHING" ipproto=tcp dstif="vlan3" dstifname="1000_XYZ" proto=http_proxy src=10.10.20.13 srcport=42006 srcportname=ephemeral_fw_tcp srcname=SOMENAME srcmac=xx:6b:8d:9a:da:13 dst=192.168.1.1 dstport=8080 dstportname=http_proxy dstname=Protect-DMZ ipv=4 sent=0 rcvd=0 duration=0.00 action=pass logtype="filter"

What is Provided

  • Rules to normalize and enrich Stormshield firewall log messages.

  • Field extraction, normalization, and message enrichment for Stormshield Firewall log messages.

  • GIM Categorization for filter, connection, and alarm message types.

  • A Stormshield Spotlight content pack (dashboard and saved search).

GIM Categorization

GIM event type categorization is provided for the following messages:

Stormshield Firewall Logtype    GIM Category     GIM Subcategory
filter                          network          network.open
connection                      network          network.open
alarm                           network          network.open
alarm                           detection        detection.network_detection
smtp                            messaging        messaging.email
web                             http             http.proxied
xvpn (SSL tunnel created)       authentication   authentication.logon
xvpn (SSL tunnel destroyed)     authentication   authentication.logoff
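To make the log format example and the GIM table above concrete, here is an added Python example (not part of the Illuminate pack or Stormshield's code) that parses the key=value syslog body shown earlier, strips value quoting, and applies the logtype-to-GIM mapping from the table. The field-name mapping onto GIM names and the assumption that the xvpn tunnel state appears in a "msg" field are this example's own assumptions, not something the page confirms.

```python
import re

# Constructed sample: the Stormshield SNS "filter" line shown on this page.
SAMPLE_LINE = (
    'id=firewall time="2022-11-25 16:30:33" fw="SN710_ABCD" tz=+0100 '
    'startime="2022-11-25 16:30:32" pri=5 confid=01 slotlevel=2 ruleid=208 '
    'srcif="vlan4" srcifname="20_SOMETHING" ipproto=tcp dstif="vlan3" '
    'dstifname="1000_XYZ" proto=http_proxy src=10.10.20.13 srcport=42006 '
    'srcportname=ephemeral_fw_tcp srcname=SOMENAME srcmac=xx:6b:8d:9a:da:13 '
    'dst=192.168.1.1 dstport=8080 dstportname=http_proxy dstname=Protect-DMZ '
    'ipv=4 sent=0 rcvd=0 duration=0.00 action=pass logtype="filter"'
)

# key=value pairs: the value is either double-quoted (may contain spaces) or bare.
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|[^\s"]*)')

def parse_stormshield(line: str) -> dict:
    """Split a Stormshield syslog body into a dict, stripping value quotes."""
    fields = {}
    for key, raw in KV_RE.findall(line):
        fields[key] = raw[1:-1] if raw.startswith('"') else raw
    return fields

# logtype -> list of (GIM category, GIM subcategory), per the table on this page.
GIM_MAP = {
    "filter": [("network", "network.open")],
    "connection": [("network", "network.open")],
    "alarm": [("network", "network.open"), ("detection", "detection.network_detection")],
    "smtp": [("messaging", "messaging.email")],
    "web": [("http", "http.proxied")],
}

def gim_categorize(fields: dict) -> list:
    """Return GIM (category, subcategory) pairs for a parsed message."""
    logtype = fields.get("logtype", "")
    if logtype == "xvpn":
        # Assumption: the SSL tunnel state is carried in a "msg" field.
        msg = fields.get("msg", "").lower()
        if "created" in msg:
            return [("authentication", "authentication.logon")]
        if "destroyed" in msg:
            return [("authentication", "authentication.logoff")]
        return []
    return GIM_MAP.get(logtype, [])

# Assumed vendor-field -> GIM-field mapping used for normalization.
GIM_FIELDS = {"src": "source_ip", "dst": "destination_ip", "srcport": "source_port",
              "dstport": "destination_port", "action": "vendor_event_action"}

def normalize(fields: dict) -> dict:
    """Copy known vendor fields onto GIM names and attach the categorization."""
    out = dict(fields)
    out.update({gim: fields[v] for v, gim in GIM_FIELDS.items() if v in fields})
    out["gim_categories"] = gim_categorize(fields)
    return out
```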

Stormshield Firewall Spotlight Content Pack

The Stormshield Firewall Spotlight content pack contains a dashboard (Stormshield Network Firewall Overview) and a saved search (Stormshield Firewall Log Viewer).

Stormshield Overview

Alerts

Saved Search: Stormshield Firewall Log Viewer