tum
/
soc


			
				
					
						
						
							123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136
							#!/usr/bin/env bash
set -euo pipefail

MODEL="${1:-all}"
COUNT="${2:-1}"
DELAY="${3:-0.3}"
FOREVER="false"

for arg in "${@:4}"; do
  case "${arg}" in
    --forever)
      FOREVER="true"
      ;;
    *)
      echo "error: unexpected argument '${arg}'"
      echo "usage: scripts/send-wazuh-fortigate-test-events.sh [model] [count] [delay_seconds] [--forever]"
      exit 1
      ;;
  esac
done

WAZUH_SYSLOG_HOST="${WAZUH_SYSLOG_HOST:-127.0.0.1}"
WAZUH_SYSLOG_PORT="${WAZUH_SYSLOG_PORT:-514}"

FGT_SRC_IP="${FGT_SRC_IP:-10.10.20.55}"
FGT_DST_IP="${FGT_DST_IP:-172.217.14.238}"
FGT_DOMAIN="${FGT_DOMAIN:-malicious.example}"
FGT_USER="${FGT_USER:-guest.user}"

if ! [[ "${COUNT}" =~ ^[0-9]+$ ]] || [[ "${COUNT}" -lt 1 ]]; then
  echo "error: count must be a positive integer"
  exit 1
fi

if ! [[ "${DELAY}" =~ ^[0-9]+([.][0-9]+)?$ ]]; then
  echo "error: delay must be numeric (example: 0.5)"
  exit 1
fi

emit_syslog() {
  local msg="$1"
  local sent="false"

  if command -v nc >/dev/null 2>&1; then
    if printf "%s\n" "${msg}" | nc -u -w1 "${WAZUH_SYSLOG_HOST}" "${WAZUH_SYSLOG_PORT}"; then
      sent="true"
    fi
  fi

  if [[ "${sent}" != "true" ]]; then
    if printf "%s\n" "${msg}" >"/dev/udp/${WAZUH_SYSLOG_HOST}/${WAZUH_SYSLOG_PORT}" 2>/dev/null; then
      sent="true"
    fi
  fi

  if [[ "${sent}" != "true" ]]; then
    echo "error: failed to send syslog event to ${WAZUH_SYSLOG_HOST}:${WAZUH_SYSLOG_PORT}/udp"
    echo "hint: install netcat or run with bash UDP support (/dev/udp)"
    return 1
  fi

  echo "[$(date -u +'%Y-%m-%dT%H:%M:%SZ')] sent: ${msg}"
}

random_id() {
  printf "%s" "fgt-evt-$(date +%s)-$RANDOM-$RANDOM"
}

send_fgt_501e() {
  local eid
  eid="$(random_id)"
  emit_syslog "<189>date=$(date '+%Y-%m-%d') time=$(date '+%H:%M:%S') devname=\"FGT501E-HQ\" devid=\"FGT501E12345678\" eventtime=$(date +%s) logid=\"0000000013\" type=\"traffic\" subtype=\"forward\" level=\"notice\" vd=\"root\" srcip=${FGT_SRC_IP} srcport=51522 srcintf=\"lan\" dstip=${FGT_DST_IP} dstport=443 dstintf=\"wan1\" proto=6 service=\"HTTPS\" policyid=12 action=\"accept\" sentbyte=1428 rcvdbyte=9821 duration=22 soc_mvp_test=true vendor=fortinet product=fortigate model=501E event_id=${eid} event_type=fortigate_traffic_allow severity=low"
}

send_fgt_80f() {
  local eid
  eid="$(random_id)"
  emit_syslog "<190>date=$(date '+%Y-%m-%d') time=$(date '+%H:%M:%S') devname=\"FGT80F-Branch01\" devid=\"FGT80FTK20000001\" eventtime=$(date +%s) logid=\"0419016384\" type=\"utm\" subtype=\"webfilter\" level=\"warning\" vd=\"root\" srcip=${FGT_SRC_IP} srcintf=\"internal\" dstip=104.18.21.123 dstport=80 hostname=\"${FGT_DOMAIN}\" url=\"/payload\" action=\"blocked\" cat=52 profile=\"WF-Strict\" policyid=3 soc_mvp_test=true vendor=fortinet product=fortigate model=80F event_id=${eid} event_type=fortigate_webfilter_block severity=medium"
}

send_fgt_60f() {
  local eid
  eid="$(random_id)"
  emit_syslog "<190>date=$(date '+%Y-%m-%d') time=$(date '+%H:%M:%S') devname=\"FGT60F-Store12\" devid=\"FGT60FTK21001234\" eventtime=$(date +%s) logid=\"0720018432\" type=\"utm\" subtype=\"ips\" level=\"alert\" vd=\"root\" srcip=${FGT_SRC_IP} dstip=45.155.205.233 srcport=51992 dstport=445 sessionid=9044333 action=\"blocked\" attack=\"MS.SMB.Server.Service.Remote.Code.Execution\" severity=\"critical\" policyid=8 soc_mvp_test=true vendor=fortinet product=fortigate model=60F event_id=${eid} event_type=fortigate_ips_block severity=high"
}

send_fgt_40f() {
  local eid
  eid="$(random_id)"
  emit_syslog "<191>date=$(date '+%Y-%m-%d') time=$(date '+%H:%M:%S') devname=\"FGT40F-SMB01\" devid=\"FGT40FTK22004567\" eventtime=$(date +%s) logid=\"0104044546\" type=\"event\" subtype=\"vpn\" level=\"warning\" vd=\"root\" user=\"${FGT_USER}\" tunneltype=\"ipsec\" remip=${FGT_SRC_IP} locip=198.51.100.27 action=\"tunnel-down\" reason=\"peer-not-responding\" msg=\"IPsec tunnel Branch-HQ is down\" soc_mvp_test=true vendor=fortinet product=fortigate model=40F event_id=${eid} event_type=fortigate_vpn_down severity=high"
}

send_once() {
  case "${MODEL}" in
    501E|501e)
      send_fgt_501e
      ;;
    80F|80f)
      send_fgt_80f
      ;;
    60F|60f)
      send_fgt_60f
      ;;
    40F|40f)
      send_fgt_40f
      ;;
    all)
      send_fgt_501e
      send_fgt_80f
      send_fgt_60f
      send_fgt_40f
      ;;
    *)
      echo "error: unknown model '${MODEL}'"
      echo "valid: 501E | 80F | 60F | 40F | all"
      exit 1
      ;;
  esac
}

if [[ "${FOREVER}" == "true" ]]; then
  echo "running forever with interval ${DELAY}s (Ctrl+C to stop)"
  trap 'echo; echo "stopped"; exit 0' INT TERM
  while true; do
    send_once
    sleep "${DELAY}"
  done
else
  for ((i=1; i<=COUNT; i++)); do
    send_once
    if [[ "${i}" -lt "${COUNT}" ]]; then
      sleep "${DELAY}"
    fi
  done
fi