Custom decoder for Kaspersky


Caio Oliveira
Sep 9, 2021, 2:06:41 PM
to Wazuh mailing list

Hi guys

I have a little problem extracting some fields from this log:

CEF:0|KasperskyLab|SecurityCenter|13.0.0.11247|GNRL_EV_VIRUS_FOUND_AND_BLOCKED|Link perigoso bloqueado|4|msg=Tipo de evento: Link perigoso bloqueado\r\nNome: chrome.exe\r\nCaminho do aplicativo: C:\\Program Files (x86)\\Google\\Chrome\\Application\r\nID do processo: 13100\r\nUsuário: contoso\\adm_contoso (Usuário ativo)\r\nComponente: Proteção Contra Ameaças da Web\r\nDescrição do resultado: Bloqueado\r\nTipo: Ameaça de perda de dados\r\nNome: https://www.partageparauapebas.com.br/\r\nNível de ameaça: Exatamente\r\nPrecisão: Alto\r\nTipo do objeto: Página da Web\r\nCaminho para o objeto: https://www.partageparauapebas.com.br\r\nMotivo: Análise automática\r\nData da versão do banco de dados: 02/09/2021 06:44:00 rt=1630597658000 cs9=Administrativo cs9Label=GroupName dhost=host1 dst=10.10.1.1 cs2=KES cs2Label=ProductName cs3=11.0.0.0 cs3Label=ProductVersion cs10=Proteção Contra Ameaças da Web cs10Label=TaskName cs5=https://www.partageparauapebas.com.br/ cs5Label=ObjectName 


I need to extract the dhost and dst fields.

If I run the parser without these two fields, everything is OK.

(two screenshots attached)


But if I try to extract them, it doesn't work.

(two screenshots attached)


I tried a lot of ways.

Does anyone have an idea how to solve this?

Luis González Romero
Sep 10, 2021, 7:04:43 AM
to Wazuh mailing list

Hello! Hope you are doing well.

I have been working on decoding those two fields: dhost and dst. You could add two decoders, each one getting one field you need.

I used the following decoders to test it:

<decoder name="Kaspersky">
  <prematch>^CEF:0\|KasperskyLab\|SecurityCenter</prematch>
</decoder>

<decoder name="kaspersky-">
  <parent>Kaspersky</parent>
  <regex>CEF:0\|(\w+)\|(\w+)\|(\d+.\d+.\d+.\d+)\|(\w+)\|(\.+)\|(\d)\.*Usu\S+\s+(\S+)\\\\(\S+) \.*</regex>
  <order>vendor,product,version,ID,status,priority,dominio,user</order>
</decoder>

<decoder name="kaspersky-VirusFoundAndBlocked">
  <parent>Kaspersky</parent>
  <regex>dst=(\d+.\d+.\d+.\d+:\d+)|dst=(\d+.\d+.\d+.\d+)</regex>
  <order>dstip</order>
</decoder>

<decoder name="kaspersky-VirusFoundAndBlocked">
  <parent>Kaspersky</parent>
  <regex>dhost=(\S+)</regex>
  <order>dhost</order>
</decoder>

With these decoders, I got the following output:

Hope this helps you! :D

Have a nice day,
Luis.

Luis González Romero
Sep 10, 2021, 7:14:22 AM
to Wazuh mailing list
Excuse me, the picture did not load correctly.

Luis González Romero
Sep 10, 2021, 7:16:58 AM
to Wazuh mailing list
(screenshot attached)

Luis González Romero
Sep 10, 2021, 7:25:41 AM
to Wazuh mailing list
Sorry, I missed the decoder name when I pasted from my .XML file. Here you have the decoders I was talking about:

<!-- Parent decoder: every Kaspersky Security Center CEF event. \| is a literal pipe in OS_Regex. -->
<decoder name="Kaspersky">
  <prematch>^CEF:0\|KasperskyLab\|SecurityCenter</prematch>
</decoder>

<!-- Child 1: the seven CEF header fields, then domain\user from the "Usuário:" line inside msg.
     \. is "any character" in OS_Regex, so \.* skips ahead to that line; \\\\ matches the two
     backslashes CEF uses to escape one backslash. -->
<decoder name="kaspersky-VirusFoundAndBlocked">
  <parent>Kaspersky</parent>
  <regex>CEF:0\|(\w+)\|(\w+)\|(\d+.\d+.\d+.\d+)\|(\w+)\|(\.+)\|(\d)\.*Usu\S+\s+(\S+)\\\\(\S+) \.*</regex>
  <order>vendor,product,version,ID,status,priority,dominio,user</order>
</decoder>

<!-- Child 2: same decoder name as child 1, so Wazuh keeps trying the same-named siblings instead
     of stopping at the first match. First alternative also accepts an ip:port suffix. -->
<decoder name="kaspersky-VirusFoundAndBlocked">
  <parent>Kaspersky</parent>
  <regex>dst=(\d+.\d+.\d+.\d+:\d+)|dst=(\d+.\d+.\d+.\d+)</regex>
  <order>dstip</order>
</decoder>

<!-- Child 3: same name again, picks up dhost= -->
<decoder name="kaspersky-VirusFoundAndBlocked">
  <parent>Kaspersky</parent>
  <regex>dhost=(\S+)</regex>
  <order>dhost</order>
</decoder>
On Thursday, September 9, 2021 at 8:06:41 PM UTC+2 cai...@gmail.com wrote:
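The two fields that resisted the single-regex approach are ordinary CEF extension pairs; the rest of the event is just CEF escaping (`\|` in the header, `\\`, `\=` and `\r\n` in the extension), which is what makes one big regex brittle. What follows is an added example, not code from this thread or from Wazuh: a stand-alone Python CEF parser run over the event from the first message, embedded here as a constructed one-line sample. It splits the header on unescaped pipes, splits the extension at unescaped `key=` boundaries so values containing spaces survive, resolves the `csN`/`csNLabel` pairs, checks that `dst` is a bare IP address, and pulls domain and user from the `Usuário:` line the way the `Usu\S+` decoder does. All function names, and the English `User` label in `USER_LABELS`, are assumptions made for the example.

```python
"""Added example (not from the thread or from Wazuh): parse one Kaspersky Security
Center CEF event with CEF escaping honoured, then extract dhost, dst, the
csN/csNLabel pairs and the domain\\user from the multi-line msg."""
import ipaddress
import re

# Constructed sample: the event posted in the thread, as a single raw line.
SAMPLE = (
    r"CEF:0|KasperskyLab|SecurityCenter|13.0.0.11247|"
    r"GNRL_EV_VIRUS_FOUND_AND_BLOCKED|Link perigoso bloqueado|4|"
    r"msg=Tipo de evento: Link perigoso bloqueado\r\nNome: chrome.exe\r\n"
    r"Caminho do aplicativo: C:\\Program Files (x86)\\Google\\Chrome\\Application\r\n"
    r"ID do processo: 13100\r\nUsuário: contoso\\adm_contoso (Usuário ativo)\r\n"
    r"Componente: Proteção Contra Ameaças da Web\r\nDescrição do resultado: Bloqueado\r\n"
    r"Tipo: Ameaça de perda de dados\r\nNome: https://www.partageparauapebas.com.br/\r\n"
    r"Nível de ameaça: Exatamente\r\nPrecisão: Alto\r\nTipo do objeto: Página da Web\r\n"
    r"Caminho para o objeto: https://www.partageparauapebas.com.br\r\n"
    r"Motivo: Análise automática\r\nData da versão do banco de dados: 02/09/2021 06:44:00 "
    r"rt=1630597658000 cs9=Administrativo cs9Label=GroupName dhost=host1 "
    r"dst=10.10.1.1 cs2=KES cs2Label=ProductName cs3=11.0.0.0 "
    r"cs3Label=ProductVersion cs10=Proteção Contra Ameaças da Web "
    r"cs10Label=TaskName cs5=https://www.partageparauapebas.com.br/ cs5Label=ObjectName "
)

HEADER_FIELDS = ("cef_version", "device_vendor", "device_product",
                 "device_version", "signature_id", "name", "severity")
# Labels Kaspersky puts on the account line inside msg. "Usuário" is from the
# sample; "User" (an English-locale install) is an assumption.
USER_LABELS = ("Usuário", "User")
_ESCAPES = {"n": "\n", "r": "\r"}  # every other escaped char stands for itself
_KEY_RE = re.compile(r"(?:^|(?<=\s))([A-Za-z0-9_.]+)=")
_DOMAIN_USER_RE = re.compile(r"^([^\\\s]+)\\([^\s\\]+)")


def cef_unescape(value):
    """Undo CEF escaping: \\| \\= \\\\ become | = \\ and \\r \\n become newlines."""
    return re.sub(r"\\(.)", lambda m: _ESCAPES.get(m.group(1), m.group(1)), value)


def split_header(line):
    """Return (seven header fields, extension text), honouring \\| and \\\\."""
    fields, buf, i = [], [], 0
    while i < len(line) and len(fields) < 7:
        if line[i] == "\\" and i + 1 < len(line):  # escaped char: keep the pair intact
            buf.append(line[i:i + 2])
            i += 1
        elif line[i] == "|":
            fields.append(cef_unescape("".join(buf)))
            buf = []
        else:
            buf.append(line[i])
        i += 1
    if len(fields) != 7 or not fields[0].startswith("CEF:"):
        raise ValueError("not a CEF line")
    return fields, line[i:]


def parse_extension(ext):
    """Split 'k=v k2=v ...'; a pair starts only at an unescaped 'key=' after whitespace."""
    keys = list(_KEY_RE.finditer(ext))
    out = {}
    for idx, m in enumerate(keys):
        end = keys[idx + 1].start() if idx + 1 < len(keys) else len(ext)
        out[m.group(1)] = cef_unescape(ext[m.end():end].strip())
    return out


def resolve_labels(ext):
    """cs9=Administrativo cs9Label=GroupName -> {'GroupName': 'Administrativo'}."""
    return {label: ext[key[:-5]] for key, label in ext.items()
            if key.endswith("Label") and key[:-5] in ext}


def msg_pairs(msg):
    """Kaspersky packs 'Label: value' lines into msg; labels repeat ('Nome' twice),
    so return an ordered list of pairs rather than a dict."""
    pairs = []
    for line in re.split(r"\r\n|\n|\r", msg):
        label, sep, value = line.partition(": ")
        if sep:
            pairs.append((label, value))
    return pairs


def split_domain_user(value):
    """'contoso\\adm_contoso (Usuário ativo)' -> ('contoso', 'adm_contoso')."""
    m = _DOMAIN_USER_RE.match(value)
    return (m.group(1), m.group(2)) if m else (None, None)


def decode(line):
    """Decode one CEF line: header, extension, labeled customs, dhost, dst, domain/user."""
    header, ext_text = split_header(line)
    event = dict(zip(HEADER_FIELDS, header))
    event["cef_version"] = header[0][len("CEF:"):]
    ext = parse_extension(ext_text)
    event["extension"] = ext
    event["custom"] = resolve_labels(ext)
    event["dhost"] = ext.get("dhost")
    try:  # CEF dst is a bare IP; refuse anything else (e.g. an ip:port value)
        event["dst"] = str(ipaddress.ip_address(ext["dst"]))
    except (KeyError, ValueError):
        event["dst"] = None
    user_value = next((v for k, v in msg_pairs(ext.get("msg", "")) if k in USER_LABELS), "")
    event["domain"], event["user"] = split_domain_user(user_value)
    return event
```

`decode(SAMPLE)` yields `dhost == "host1"`, `dst == "10.10.1.1"`, `custom["GroupName"] == "Administrativo"` and `(domain, user) == ("contoso", "adm_contoso")`, so the parser doubles as an offline reference for what a decoder regex should extract from a given line. Because it splits at unescaped `key=` boundaries, it also copes with values that contain spaces, `\=` or line breaks, which a `dst=(\S+)`-style capture would not; `dst` comes back `None` rather than a bogus value when it is absent or is not an IP.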

Caio Oliveira
Sep 13, 2021, 4:22:03 PM
to Luis González Romero, Wazuh mailing list
Wow,

I have no idea if it is possible to use more than one decoder for the same decoder name.
I will try right now and send feedback to you.

Thanks a lot

To view this discussion on the web visit https://groups.google.com/d/msgid/wazuh/d27aa0a2-342c-422d-9304-f0bb4b3fb1a1n%40googlegroups.com.