Write wazuh decoder to extract url from email logs.
26 views
Skip to first unread message
Vikrant Singh
Oct 8, 2024, 12:45:29 AM10/8/24
to Wazuh | Mailing List
I want to write wazuh decoder in order to detect phishing. Fro that I want to extract url from the email logs. I tried extracting url from multi-line logs but I wasn't able to fetch it so I aggregated the logs into single line but still I am not able to fetch the url. The url that is to be fetched is listed after the Links: keyword. I have provided both the logs. Can someone help with this? Should I try writing wazuh decoder using some other method such as python script instead of traditional xml decoder?
Stuti Gupta
Oct 8, 2024, 3:07:19 AM10/8/24
to Wazuh | Mailing List
Hi Vikrant
The log you shared is from `archives.log`, and the initial part is considered the syslog header, which is not included in the actual log we need to decode. The actual log to be decoded is the bold section:
2024 Oct 01 12:31:13 (mail-server) any->/var/log/roundcube/smtp.log Date: Tue, 01 Oct 2024 18:01:05 +0530 From: example.ac.in To: Mailserver <mails...@texample.ac.in> Subject: sample Message-ID: <de50f98e042d8546...@example.ac.in> X-Sender: example.ac.in Content-Type: multipart/alternative; boundary="=_9984142ed66d615f702a878c3c2d9283" --=_9984142ed66d615f702a878c3c2d9283 Content-Transfer-Encoding: 7bit Content-Type: text/plain; charset=US-ASCII; format=flowed https://www.youtube.com/watch?v=HwSx_a3qQr0 [1] Links: ------ [1] https://www.flipkart.com/tru-toys-25pcs-mochi-squishy-kawaii-squishies-animals-panda-cat-paw-cute-mini-soft-5-cm/p/itm332df3606e074?pid=STFGJSYGBJTHZK99&amp;otracker=wishlist&amp;lid=LSTSTFGJSYGBJTHZK99MM7TJP&amp;fm=organic&amp;iid=fef1f9f1-9fd8-404d-a79e-491a1cb495a5.STFGJSYGBJTHZK99.PRODUCTSUMMARY&amp;ppt=hp&amp;ppn=homepage&amp;ssid=5i438b87680000001727529950217 --=_9984142ed66d615f702a878c3c2d9283 Content-Transfer-Encoding: quoted-printable Content-Type: text/html; charset=UTF-8 <html><head><meta http-equiv=3D"Content-Type" content=3D"text/html; charset= =3DUTF-8" /></head><body style=3D'font-size: 10pt; font-family: Verdana,Gen= eva,sans-serif'> <div id=3D"editbody1"> <div style=3D"font-size: 10pt; font-family: Verdana,Geneva,sans-serif;"> <p><a href=3D"https://www.flipkart.com/tru-toys-25pcs-mochi-squishy-kawaii-= squishies-animals-panda-cat-paw-cute-mini-soft-5-cm/p/itm332df3606e074?pid= =3DSTFGJSYGBJTHZK99&amp;otracker=3Dwishlist&amp;lid=3DLSTSTFGJSYGBJ= THZK99MM7TJP&amp;fm=3Dorganic&amp;iid=3Dfef1f9f1-9fd8-404d-a79e-491= a1cb495a5.STFGJSYGBJTHZK99.PRODUCTSUMMARY&amp;ppt=3Dhp&amp;ppn=3Dho= mepage&amp;ssid=3D5i438b87680000001727529950217" target=3D"_blank" rel= =3D"noopener noreferrer">https://www.youtube.com/watch?v=3DHwSx_a3qQr0</a><= /p> <p><br /></p> </div> </div> </body></html> --=_9984142ed66d615f702a878c3c2d9283-- [01-Oct-2024 12:31:05 +0000]: <cqoph3cv> Send: . [01-Oct-2024 12:31:05 +0000]: <cqoph3cv> Recv: 250 2.0.0 Ok: queued as DFA0A249A4C [01-Oct-2024 12:31:05 +0000]: <cqoph3cv> Send: QUIT [01-Oct-2024 12:31:05 +0000]: <cqoph3cv> Recv: 221 2.0.0 Bye
The decoder for this log will be like:
<decoder name="Mailserver">
<prematch>Mailserver</prematch>
</decoder>
<decoder name="Mailserver:child">
<parent>Mailserver</parent>
<regex>Links: ------ [1] (\.+) </regex>
<order>link</order>
</decoder>
<decoder name="Mailserver:child">
<parent>Mailserver</parent>
<regex>format=flowed (\.+) </regex>
<order>link2</order>
</decoder>
This decoder will decoder the link given in the provided log
Test results is:
Refer https://documentation.wazuh.com/current/user-manual/ruleset/ruleset-xml-syntax/decoders.html
Hope this helps
The log you shared is from `archives.log`, and the initial part is considered the syslog header, which is not included in the actual log we need to decode. The actual log to be decoded is the bold section:
2024 Oct 01 12:31:13 (mail-server) any->/var/log/roundcube/smtp.log Date: Tue, 01 Oct 2024 18:01:05 +0530 From: example.ac.in To: Mailserver <mails...@texample.ac.in> Subject: sample Message-ID: <de50f98e042d8546...@example.ac.in> X-Sender: example.ac.in Content-Type: multipart/alternative; boundary="=_9984142ed66d615f702a878c3c2d9283" --=_9984142ed66d615f702a878c3c2d9283 Content-Transfer-Encoding: 7bit Content-Type: text/plain; charset=US-ASCII; format=flowed https://www.youtube.com/watch?v=HwSx_a3qQr0 [1] Links: ------ [1] https://www.flipkart.com/tru-toys-25pcs-mochi-squishy-kawaii-squishies-animals-panda-cat-paw-cute-mini-soft-5-cm/p/itm332df3606e074?pid=STFGJSYGBJTHZK99&amp;otracker=wishlist&amp;lid=LSTSTFGJSYGBJTHZK99MM7TJP&amp;fm=organic&amp;iid=fef1f9f1-9fd8-404d-a79e-491a1cb495a5.STFGJSYGBJTHZK99.PRODUCTSUMMARY&amp;ppt=hp&amp;ppn=homepage&amp;ssid=5i438b87680000001727529950217 --=_9984142ed66d615f702a878c3c2d9283 Content-Transfer-Encoding: quoted-printable Content-Type: text/html; charset=UTF-8 <html><head><meta http-equiv=3D"Content-Type" content=3D"text/html; charset= =3DUTF-8" /></head><body style=3D'font-size: 10pt; font-family: Verdana,Gen= eva,sans-serif'> <div id=3D"editbody1"> <div style=3D"font-size: 10pt; font-family: Verdana,Geneva,sans-serif;"> <p><a href=3D"https://www.flipkart.com/tru-toys-25pcs-mochi-squishy-kawaii-= squishies-animals-panda-cat-paw-cute-mini-soft-5-cm/p/itm332df3606e074?pid= =3DSTFGJSYGBJTHZK99&amp;otracker=3Dwishlist&amp;lid=3DLSTSTFGJSYGBJ= THZK99MM7TJP&amp;fm=3Dorganic&amp;iid=3Dfef1f9f1-9fd8-404d-a79e-491= a1cb495a5.STFGJSYGBJTHZK99.PRODUCTSUMMARY&amp;ppt=3Dhp&amp;ppn=3Dho= mepage&amp;ssid=3D5i438b87680000001727529950217" target=3D"_blank" rel= =3D"noopener noreferrer">https://www.youtube.com/watch?v=3DHwSx_a3qQr0</a><= /p> <p><br /></p> </div> </div> </body></html> --=_9984142ed66d615f702a878c3c2d9283-- [01-Oct-2024 12:31:05 +0000]: <cqoph3cv> Send: . [01-Oct-2024 12:31:05 +0000]: <cqoph3cv> Recv: 250 2.0.0 Ok: queued as DFA0A249A4C [01-Oct-2024 12:31:05 +0000]: <cqoph3cv> Send: QUIT [01-Oct-2024 12:31:05 +0000]: <cqoph3cv> Recv: 221 2.0.0 Bye
The decoder for this log will be like:
<decoder name="Mailserver">
<prematch>Mailserver</prematch>
</decoder>
<decoder name="Mailserver:child">
<parent>Mailserver</parent>
<regex>Links: ------ [1] (\.+) </regex>
<order>link</order>
</decoder>
<decoder name="Mailserver:child">
<parent>Mailserver</parent>
<regex>format=flowed (\.+) </regex>
<order>link2</order>
</decoder>
This decoder will decoder the link given in the provided log
Test results is:
Refer https://documentation.wazuh.com/current/user-manual/ruleset/ruleset-xml-syntax/decoders.html
Hope this helps
Reply all
Reply to author
Forward
0 new messages