Problem with a rule group


Carlos Lopez

Sep 24, 2021, 11:43:08 AM
to wa...@googlegroups.com
Hi all,

I am trying to catch some Zeek events related to Zeek’s dhcp events, but it doesn’t seem to work:

<group name="zeek,ids,">
<rule id="66001" level="0">
<decoded_as>json</decoded_as>
<field name="ts">\.+</field>
<field name="uids">\.+</field>
<description>Zeek messages.</description>
<options>no_full_log</options>
</rule>

<rule id="66002" level="3">
<if_sid>66001</if_sid>
<field name="host_name">^reykjavik$</field>
<description>Zeek: New IP address assigned to server reykjavik</description>
<options>no_full_log</options>
</rule>
</group>

An example event:

root@wazuh-master:~# wazuh-logtest
Starting wazuh-logtest v4.2.1
Type one log per line

{"ts":"2021-09-24T14:54:44.561249Z","uids":["CozBcK3aIh0y9OxKC2","CgG8oJ3LjU55ZjVEm8","CkQkNW3VbXJdJLFc85","CFs42s2aoKPI1BbHl8"],"client_addr":"172.22.55.4","server_addr":"172.22.55.1","mac":"a0:ce:c8:0a:7e:f4","host_name":"reykjavik","domain":"lab.uxdom.org dmz.uxdom.org msft.uxdom.org","requested_addr":"172.22.55.4","assigned_addr":"172.22.55.4","lease_time":600.0,"msg_types":["OFFER","DISCOVER","OFFER","DISCOVER","REQUEST","REQUEST","ACK","ACK"],"duration":1.0148320198059083}

**Phase 1: Completed pre-decoding.
full event: '{"ts":"2021-09-24T14:54:44.561249Z","uids":["CozBcK3aIh0y9OxKC2","CgG8oJ3LjU55ZjVEm8","CkQkNW3VbXJdJLFc85","CFs42s2aoKPI1BbHl8"],"client_addr":"172.22.55.4","server_addr":"172.22.55.1","mac":"a0:ce:c8:0a:7e:f4","host_name":"reykjavik","domain":"lab.uxdom.org dmz.uxdom.org msft.uxdom.org","requested_addr":"172.22.55.4","assigned_addr":"172.22.55.4","lease_time":600.0,"msg_types":["OFFER","DISCOVER","OFFER","DISCOVER","REQUEST","REQUEST","ACK","ACK"],"duration":1.0148320198059083}'

**Phase 2: Completed decoding.
name: 'json'
assigned_addr: '172.22.55.4'
client_addr: '172.22.55.4'
domain: 'lab.uxdom.org dmz.uxdom.org msft.uxdom.org'
duration: '1.014832'
host_name: 'reykjavik'
lease_time: '600'
mac: 'a0:ce:c8:0a:7e:f4'
msg_types: '['OFFER', 'DISCOVER', 'OFFER', 'DISCOVER', 'REQUEST', 'REQUEST', 'ACK', 'ACK']'
requested_addr: '172.22.55.4'
server_addr: '172.22.55.1'
ts: '2021-09-24T14:54:44.561249Z'
uids: '['CozBcK3aIh0y9OxKC2', 'CgG8oJ3LjU55ZjVEm8', 'CkQkNW3VbXJdJLFc85', 'CFs42s2aoKPI1BbHl8']'

What am I doing wrong?

Thanks.


Best regards,
C. L. Martinez

Jose Antonio Izquierdo

Sep 24, 2021, 12:29:40 PM
to Wazuh mailing list
Hi Carlos,

I did try your rules and they seem to work on my side.
I just changed the rule IDs to avoid duplicate-rule issues.

[root@localhost bin]# ./wazuh-logtest
Starting wazuh-logtest v4.2.1
Type one log per line

{"ts":"2021-09-24T14:54:44.561249Z","uids":["CozBcK3aIh0y9OxKC2","CgG8oJ3LjU55ZjVEm8","CkQkNW3VbXJdJLFc85","CFs42s2aoKPI1BbHl8"],"client_addr":"172.22.55.4","server_addr":"172.22.55.1","mac":"a0:ce:c8:0a:7e:f4","host_name":"reykjavik","domain":"lab.uxdom.org dmz.uxdom.org msft.uxdom.org","requested_addr":"172.22.55.4","assigned_addr":"172.22.55.4","lease_time":600.0,"msg_types":["OFFER","DISCOVER","OFFER","DISCOVER","REQUEST","REQUEST","ACK","ACK"],"duration":1.0148320198059083}

**Phase 1: Completed pre-decoding.

**Phase 2: Completed decoding.
name: 'json'
assigned_addr: '172.22.55.4'
client_addr: '172.22.55.4'
duration: '1.014832'
host_name: 'reykjavik'
lease_time: '600'
mac: 'a0:ce:c8:0a:7e:f4'
msg_types: '['OFFER', 'DISCOVER', 'OFFER', 'DISCOVER', 'REQUEST', 'REQUEST', 'ACK', 'ACK']'
requested_addr: '172.22.55.4'
server_addr: '172.22.55.1'
ts: '2021-09-24T14:54:44.561249Z'
uids: '['CozBcK3aIh0y9OxKC2', 'CgG8oJ3LjU55ZjVEm8', 'CkQkNW3VbXJdJLFc85', 'CFs42s2aoKPI1BbHl8']'

**Phase 3: Completed filtering (rules).
id: '166002'
level: '3'
description: 'Zeek: New IP address assigned to server reykjavik'
groups: '['zeek', 'ids']'
firedtimes: '1'
mail: 'False'
**Alert to be generated.

Carlos Lopez

Sep 26, 2021, 7:03:27 AM
to Jose Antonio Izquierdo, wa...@googlegroups.com
Yep … you are right, Jose Antonio … the problem was with the rule ID. Fixed.

Best regards,
C. L. Martinez
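The thread resolves without showing what actually went wrong, so here is an added example (not code from the thread or from the Wazuh project) that reproduces the two posted rules offline: it flattens the Zeek dhcp.log JSON the way wazuh-logtest displays it, walks the parent/child chain (`decoded_as`, `field`, `if_sid`) so that rule 66002 fires on `host_name` `reykjavik`, and adds the check Jose Antonio applied by hand, scanning the rules file for IDs that are defined twice or collide with IDs the manager already has. The regex translation (`\.` in Wazuh's OS_Regex means "any character") covers only the patterns in this thread, the JSON flattening is an approximation of the real decoder, and the set of "already loaded" IDs is constructed for illustration; a production check would collect IDs from every rules file on the manager and keep custom rules inside the range Wazuh documents for user-defined rules.

```python
import json
import re
import xml.etree.ElementTree as ET

# The two rules as posted in the thread (smart quote on level="3" corrected).
RULES_XML = r"""<group name="zeek,ids,">
  <rule id="66001" level="0">
    <decoded_as>json</decoded_as>
    <field name="ts">\.+</field>
    <field name="uids">\.+</field>
    <description>Zeek messages.</description>
    <options>no_full_log</options>
  </rule>
  <rule id="66002" level="3">
    <if_sid>66001</if_sid>
    <field name="host_name">^reykjavik$</field>
    <description>Zeek: New IP address assigned to server reykjavik</description>
    <options>no_full_log</options>
  </rule>
</group>"""

# Constructed sample: the Zeek dhcp.log line from the thread, trimmed.
EVENT = ('{"ts":"2021-09-24T14:54:44.561249Z",'
         '"uids":["CozBcK3aIh0y9OxKC2","CgG8oJ3LjU55ZjVEm8"],'
         '"client_addr":"172.22.55.4","server_addr":"172.22.55.1",'
         '"host_name":"reykjavik","assigned_addr":"172.22.55.4",'
         '"lease_time":600.0}')


def os_regex_to_python(pattern):
    # In Wazuh OS_Regex a backslash followed by a dot means "any character",
    # so backslash-dot-plus is "one or more of anything". Anchors ^ and $ work
    # as in Python. Other OS_Regex escapes are not handled (approximation).
    return pattern.replace("\\.", ".")


def decode_json(event):
    # Mimic the json decoder: every top-level value becomes a string; lists
    # render as Python-style lists, which is how wazuh-logtest shows them.
    return {k: (v if isinstance(v, str) else str(v))
            for k, v in json.loads(event).items()}


def load_rules(xml_text):
    rules = []
    for r in ET.fromstring(xml_text).iter("rule"):
        rules.append({
            "id": r.get("id"),
            "level": int(r.get("level")),
            "decoded_as": r.findtext("decoded_as"),
            # <if_sid> may hold a comma-separated list of parent IDs.
            "if_sid": [s.strip() for e in r.findall("if_sid")
                       for s in e.text.split(",")],
            "fields": [(f.get("name"), os_regex_to_python(f.text))
                       for f in r.findall("field")],
            "description": r.findtext("description"),
        })
    return rules


def evaluate(rules, decoder_name, fields):
    # Walk the rules in file order. A rule without if_sid fires on its own;
    # a rule with if_sid fires only if one of its parents already fired.
    # As in Wazuh, the most specific (last) match is the one alerted on.
    fired, winner = set(), None
    for rule in rules:
        if rule["decoded_as"] and rule["decoded_as"] != decoder_name:
            continue
        if rule["if_sid"] and not any(p in fired for p in rule["if_sid"]):
            continue
        if not all(name in fields and re.search(pat, fields[name])
                   for name, pat in rule["fields"]):
            continue
        fired.add(rule["id"])
        winner = rule
    return winner


def duplicate_ids(xml_text, already_loaded=frozenset()):
    # IDs defined twice in this file, or colliding with rules the manager
    # already loaded. Wazuh rejects duplicated rule IDs, so a colliding
    # custom rule never takes effect: the failure mode of this thread.
    seen, dupes = set(), set()
    for r in ET.fromstring(xml_text).iter("rule"):
        rid = r.get("id")
        if rid in seen or rid in already_loaded:
            dupes.add(rid)
        seen.add(rid)
    return sorted(dupes)


if __name__ == "__main__":
    hit = evaluate(load_rules(RULES_XML), "json", decode_json(EVENT))
    print(f"rule {hit['id']} level {hit['level']}: {hit['description']}")
    # Constructed: pretend 66001 is already taken by another rules file.
    print("colliding IDs:", duplicate_ids(RULES_XML, already_loaded={"66001"}))
```

With the constructed event the chain ends at rule 66002, level 3, exactly what Jose Antonio's logtest run showed once the IDs no longer collided; feeding the same rules file to `duplicate_ids()` with an "already loaded" set containing 66001 reports the collision that the original post did not see.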