Need help with a decoder for BIND9.
233 views
Skip to first unread message
ocerna0721
Jan 9, 2024, 8:32:25 PM1/9/24
to Wazuh | Mailing List
Hi, community.
Attached is the logline from BIND9 logs; I've been trying to create a decoder, but it's not working for me.
Jan 9 19:01:53 t-DNS-FW bind_query: 09-Jan-2024 19:01:52.930 rpz: info: client @0x7f2c11c7fd68 192.168.1.145#55296 (hunzanews.net): rpz QNAME NXDOMAIN rewrite hunzanews.net/AAAA/IN via hunzanews.net.blocked.tss
Thank you in advance.
Jan 9 19:01:53 t-DNS-FW bind_query: 09-Jan-2024 19:01:52.930 rpz: info: client @0x7f2c11c7fd68 192.168.1.145#55296 (hunzanews.net): rpz QNAME NXDOMAIN rewrite hunzanews.net/AAAA/IN via hunzanews.net.blocked.tss
Thank you in advance.
Stuti Gupta
Jan 10, 2024, 12:02:19 AM1/10/24
to Wazuh | Mailing List
Hi
ocerna0721
Hope you are doing well and thank you for using wazuh.
To create decoders first run the log at /var/ossec/bin/wazuh-logtest and verify if is pre-decoded, on the basis of pre decoder you need to create a custom decoder for a specific log. In the log that you provided, the program-name field is pre-decoded as you can see in the image. On the basis of that you can create decoders at /var/ossec/etc/decoders/local_decoder.xml like the following. It defines a decoder named "bind_query" and a child decoder named "bind_query_child." The child decoder extracts information such as the client identifier, IP address, port, domain, and message from a log entry.
<decoder name="bind_query">
<program_name>bind_query</program_name>
</decoder>
<decoder name="bind_querychild">
<parent>bind_query</parent>
<prematch>rpz: info: </prematch>
<regex offset="after_prematch">client (\.+) (\.+)#(\.+) \((\.+)\): (\.+)</regex>
<order>client, ipaddress, port, domain, message</order>
</decoder>
After creating the decoders test them in the wazuh-logtest again and see if you are getting the desired result as shown in the image. If you are satisfied with the result restart the wazuh-manager to apply the changes.
To create decoders you can refer to https://documentation.wazuh.com/current/user-manual/ruleset/ruleset-xml-syntax/decoders.html
Hope this helps,
Regards.
Hope you are doing well and thank you for using wazuh.
To create decoders first run the log at /var/ossec/bin/wazuh-logtest and verify if is pre-decoded, on the basis of pre decoder you need to create a custom decoder for a specific log. In the log that you provided, the program-name field is pre-decoded as you can see in the image. On the basis of that you can create decoders at /var/ossec/etc/decoders/local_decoder.xml like the following. It defines a decoder named "bind_query" and a child decoder named "bind_query_child." The child decoder extracts information such as the client identifier, IP address, port, domain, and message from a log entry.
<decoder name="bind_query">
<program_name>bind_query</program_name>
</decoder>
<decoder name="bind_querychild">
<parent>bind_query</parent>
<prematch>rpz: info: </prematch>
<regex offset="after_prematch">client (\.+) (\.+)#(\.+) \((\.+)\): (\.+)</regex>
<order>client, ipaddress, port, domain, message</order>
</decoder>
After creating the decoders test them in the wazuh-logtest again and see if you are getting the desired result as shown in the image. If you are satisfied with the result restart the wazuh-manager to apply the changes.
To create decoders you can refer to https://documentation.wazuh.com/current/user-manual/ruleset/ruleset-xml-syntax/decoders.html
Hope this helps,
Regards.
ocerna0721
Jan 10, 2024, 10:45:44 AM1/10/24
to Wazuh | Mailing List
Thank you very much for your help, Stuti,
I did what you told me, and it works in tests. However, I started sending logs from my BIND9 server to Wazuh, but I don't see the information in the Discover.
Stuti Gupta
Jan 15, 2024, 11:46:35 PM1/15/24
to Wazuh | Mailing List
Hi ocerna0721
Hope you are doing well,
Please verify that you have restarted wazuh-manager after creating decoders and rules to aplly the changes. The command to restart the wazuh manager is: systemctl restart wazuh-manager.
Hope to hear from you soon.
Regards
Hope you are doing well,
Please verify that you have restarted wazuh-manager after creating decoders and rules to aplly the changes. The command to restart the wazuh manager is: systemctl restart wazuh-manager.
Hope to hear from you soon.
Regards
ocerna0721
Jan 17, 2024, 12:30:10 PM1/17/24
to Wazuh | Mailing List
Hi Stuti,
Everything worked 100%. The only thing I changed was the name of the fields in the <order></order> section.
Regards.
Regards.
Reply all
Reply to author
Forward
0 new messages