#!/usr/bin/env bash set -euo pipefail MODEL="${1:-all}" COUNT="${2:-1}" DELAY="${3:-0.3}" FOREVER="false" for arg in "${@:4}"; do case "${arg}" in --forever) FOREVER="true" ;; *) echo "error: unexpected argument '${arg}'" echo "usage: scripts/send-wazuh-fortigate-test-events.sh [model] [count] [delay_seconds] [--forever]" exit 1 ;; esac done WAZUH_SYSLOG_HOST="${WAZUH_SYSLOG_HOST:-127.0.0.1}" WAZUH_SYSLOG_PORT="${WAZUH_SYSLOG_PORT:-514}" FGT_SRC_IP="${FGT_SRC_IP:-10.10.20.55}" FGT_DST_IP="${FGT_DST_IP:-172.217.14.238}" FGT_DOMAIN="${FGT_DOMAIN:-malicious.example}" FGT_USER="${FGT_USER:-guest.user}" if ! [[ "${COUNT}" =~ ^[0-9]+$ ]] || [[ "${COUNT}" -lt 1 ]]; then echo "error: count must be a positive integer" exit 1 fi if ! [[ "${DELAY}" =~ ^[0-9]+([.][0-9]+)?$ ]]; then echo "error: delay must be numeric (example: 0.5)" exit 1 fi emit_syslog() { local msg="$1" local sent="false" if command -v nc >/dev/null 2>&1; then if printf "%s\n" "${msg}" | nc -u -w1 "${WAZUH_SYSLOG_HOST}" "${WAZUH_SYSLOG_PORT}"; then sent="true" fi fi if [[ "${sent}" != "true" ]]; then if printf "%s\n" "${msg}" >"/dev/udp/${WAZUH_SYSLOG_HOST}/${WAZUH_SYSLOG_PORT}" 2>/dev/null; then sent="true" fi fi if [[ "${sent}" != "true" ]]; then echo "error: failed to send syslog event to ${WAZUH_SYSLOG_HOST}:${WAZUH_SYSLOG_PORT}/udp" echo "hint: install netcat or run with bash UDP support (/dev/udp)" return 1 fi echo "[$(date -u +'%Y-%m-%dT%H:%M:%SZ')] sent: ${msg}" } random_id() { printf "%s" "fgt-evt-$(date +%s)-$RANDOM-$RANDOM" } send_fgt_501e() { local eid eid="$(random_id)" emit_syslog "<189>date=$(date '+%Y-%m-%d') time=$(date '+%H:%M:%S') devname=\"FGT501E-HQ\" devid=\"FGT501E12345678\" eventtime=$(date +%s) logid=\"0000000013\" type=\"traffic\" subtype=\"forward\" level=\"notice\" vd=\"root\" srcip=${FGT_SRC_IP} srcport=51522 srcintf=\"lan\" dstip=${FGT_DST_IP} dstport=443 dstintf=\"wan1\" proto=6 service=\"HTTPS\" policyid=12 action=\"accept\" sentbyte=1428 rcvdbyte=9821 duration=22 soc_mvp_test=true vendor=fortinet product=fortigate model=501E event_id=${eid} event_type=fortigate_traffic_allow severity=low" } send_fgt_80f() { local eid eid="$(random_id)" emit_syslog "<190>date=$(date '+%Y-%m-%d') time=$(date '+%H:%M:%S') devname=\"FGT80F-Branch01\" devid=\"FGT80FTK20000001\" eventtime=$(date +%s) logid=\"0419016384\" type=\"utm\" subtype=\"webfilter\" level=\"warning\" vd=\"root\" srcip=${FGT_SRC_IP} srcintf=\"internal\" dstip=104.18.21.123 dstport=80 hostname=\"${FGT_DOMAIN}\" url=\"/payload\" action=\"blocked\" cat=52 profile=\"WF-Strict\" policyid=3 soc_mvp_test=true vendor=fortinet product=fortigate model=80F event_id=${eid} event_type=fortigate_webfilter_block severity=medium" } send_fgt_60f() { local eid eid="$(random_id)" emit_syslog "<190>date=$(date '+%Y-%m-%d') time=$(date '+%H:%M:%S') devname=\"FGT60F-Store12\" devid=\"FGT60FTK21001234\" eventtime=$(date +%s) logid=\"0720018432\" type=\"utm\" subtype=\"ips\" level=\"alert\" vd=\"root\" srcip=${FGT_SRC_IP} dstip=45.155.205.233 srcport=51992 dstport=445 sessionid=9044333 action=\"blocked\" attack=\"MS.SMB.Server.Service.Remote.Code.Execution\" severity=\"critical\" policyid=8 soc_mvp_test=true vendor=fortinet product=fortigate model=60F event_id=${eid} event_type=fortigate_ips_block severity=high" } send_fgt_40f() { local eid eid="$(random_id)" emit_syslog "<191>date=$(date '+%Y-%m-%d') time=$(date '+%H:%M:%S') devname=\"FGT40F-SMB01\" devid=\"FGT40FTK22004567\" eventtime=$(date +%s) logid=\"0104044546\" type=\"event\" subtype=\"vpn\" level=\"warning\" vd=\"root\" user=\"${FGT_USER}\" tunneltype=\"ipsec\" remip=${FGT_SRC_IP} locip=198.51.100.27 action=\"tunnel-down\" reason=\"peer-not-responding\" msg=\"IPsec tunnel Branch-HQ is down\" soc_mvp_test=true vendor=fortinet product=fortigate model=40F event_id=${eid} event_type=fortigate_vpn_down severity=high" } send_once() { case "${MODEL}" in 501E|501e) send_fgt_501e ;; 80F|80f) send_fgt_80f ;; 60F|60f) send_fgt_60f ;; 40F|40f) send_fgt_40f ;; all) send_fgt_501e send_fgt_80f send_fgt_60f send_fgt_40f ;; *) echo "error: unknown model '${MODEL}'" echo "valid: 501E | 80F | 60F | 40F | all" exit 1 ;; esac } if [[ "${FOREVER}" == "true" ]]; then echo "running forever with interval ${DELAY}s (Ctrl+C to stop)" trap 'echo; echo "stopped"; exit 0' INT TERM while true; do send_once sleep "${DELAY}" done else for ((i=1; i<=COUNT; i++)); do send_once if [[ "${i}" -lt "${COUNT}" ]]; then sleep "${DELAY}" fi done fi