Decoders and Rules - Trend Micro


Daniel Lima

Apr 18, 2022, 11:16:13 AM
to Wazuh mailing list
Hi Everybody,

I'm receiving these logs on the Wazuh server, but I can't see them in Wazuh/Kibana Manager. Could you help me create rules and decoders?

Sample:

2022 Apr 18 12:11:36 quality-wazuh->13.89.207.172 Apr 18 2022 12:11:36 rdz2gc.manage.trendmicro.com CEF:0|Trend Micro|Apex Central|2019|Log|Intrusion Prevention|3|devicePayloadId=09003A0DA492-A9DD11EC-BF29-D00F-A66B rt=Apr 18 2022 15:09:39 GMT+00:00 dvchost=CU-13809-2 deviceFacility=Apex One src=10.241.100.253 TMCMLogDetectedIP=10.241.100.253 TMCMLogDetectedHost=QLCWBWI14 dst=10.241.104.5 smac=B8:38:61:AA:10:4B spt=65213 dmac=00:15:5D:00:F4:16 dpt=445 cn2Label=Mode cn2=1 act=Log deviceDirection=Inbound cn3Label=Priority cn3=100 cn4Label=Severity cn4=4 proto=10003 cs2Label=Application_Type cs2=DCERPC Services cn1Label=Rule cn1=1008179 cs1Label=Reason/Rule cs1=1008179 - Restrict File Extensions For Rename Activity Over Network Share cnt=1 ApexCentralHost=Apex Central as a Service deviceNtDomain=N/A dntdom=Grupoquality\\

Thanks,

Julia Magán Rodríguez

Apr 18, 2022, 1:25:21 PM
to Wazuh mailing list

Hello,

We could create the following decoders to extract info from the events:

<decoder name="trend_micro">
 <prematch>^(\w+ \d+ \d+ \d+:\d+:\d+) (\S+) CEF</prematch>
</decoder>

<decoder name="trend_micro_child">
  <parent>trend_micro</parent>
  <regex>^(\w+ \d+ \d+ \d+:\d+:\d+) (\S+) (\S+):</regex>
  <order>timestamp, hostname, program_name</order>
</decoder>

<decoder name="trend_micro_child">
  <parent>trend_micro</parent>
  <regex>src=(\S+)</regex>
  <order>srcip</order>
</decoder>

And the following rules, for example:

<group name="trend_micro">
  <rule id="100025" level="0">
    <decoded_as>trend_micro</decoded_as>
    <field name="program_name">CEF</field>
    <description>Trend Micro group of alerts</description>
  </rule>

  <rule id="100026" level="10">
   <if_sid>100025</if_sid>
   <regex>Intrusion Prevention</regex>
   <description>Trend Micro - Intrusion Prevention</description>
  </rule>
</group>

If we test them with /var/ossec/bin/wazuh-logtest:

[root@localhost kibana]# /var/ossec/bin/wazuh-logtest
Starting wazuh-logtest v4.2.6
Type one log per line

Apr 18 2022 12:11:36 rdz2gc.manage.trendmicro.com CEF:0|Trend Micro|Apex Central|2019|Log|Intrusion Prevention|3|devicePayloadId=09003A0DA492-A9DD11EC-BF29-D00F-A66B rt=Apr 18 2022 15:09:39 GMT+00:00 dvchost=CU-13809-2 deviceFacility=Apex One src=10.241.100.253 TMCMLogDetectedIP=10.241.100.253 TMCMLogDetectedHost=QLCWBWI14 dst=10.241.104.5 smac=B8:38:61:AA:10:4B spt=65213 dmac=00:15:5D:00:F4:16 dpt=445 cn2Label=Mode cn2=1 act=Log deviceDirection=Inbound cn3Label=Priority cn3=100 cn4Label=Severity cn4=4 proto=10003 cs2Label=Application_Type cs2=DCERPC Services cn1Label=Rule cn1=1008179 cs1Label=Reason/Rule cs1=1008179 - Restrict File Extensions For Rename Activity Over Network Share cnt=1 ApexCentralHost=Apex Central as a Service deviceNtDomain=N/A dntdom=Grupoquality\\

**Phase 1: Completed pre-decoding.
    full event: 'Apr 18 2022 12:11:36 rdz2gc.manage.trendmicro.com CEF:0|Trend Micro|Apex Central|2019|Log|Intrusion Prevention|3|devicePayloadId=09003A0DA492-A9DD11EC-BF29-D00F-A66B rt=Apr 18 2022 15:09:39 GMT+00:00 dvchost=CU-13809-2 deviceFacility=Apex One src=10.241.100.253 TMCMLogDetectedIP=10.241.100.253 TMCMLogDetectedHost=QLCWBWI14 dst=10.241.104.5 smac=B8:38:61:AA:10:4B spt=65213 dmac=00:15:5D:00:F4:16 dpt=445 cn2Label=Mode cn2=1 act=Log deviceDirection=Inbound cn3Label=Priority cn3=100 cn4Label=Severity cn4=4 proto=10003 cs2Label=Application_Type cs2=DCERPC Services cn1Label=Rule cn1=1008179 cs1Label=Reason/Rule cs1=1008179 - Restrict File Extensions For Rename Activity Over Network Share cnt=1 ApexCentralHost=Apex Central as a Service deviceNtDomain=N/A dntdom=Grupoquality\\'

**Phase 2: Completed decoding.
    name: 'trend_micro'
    hostname: 'rdz2gc.manage.trendmicro.com'
    program_name: 'CEF'
    srcip: '10.241.100.253'
    timestamp: 'Apr 18 2022 12:11:36'

**Phase 3: Completed filtering (rules).
    id: '100026'
    level: '10'
    description: 'Trend Micro - Intrusion Prevention'
    groups: '['trend_micro']'
    firedtimes: '1'
    mail: 'False'
**Alert to be generated.

However, the date format is not supported by Filebeat, so the alerts are not available in Kibana.

I will keep working on this, look into an alternative and update you tomorrow. If it is also possible for you to send me more examples of the logs received, these will help me find a solution.

Julia Magán Rodríguez

Apr 19, 2022, 9:02:25 AM
to Wazuh mailing list

Hello,

After some research, I have found a possible solution for your use case.

  • Store the logs in a plaintext file. I simulated this step but you can follow this guide about forwarding syslog events to a file.

  • Monitor that file using a localfile block in your ossec.conf file. You’ll need to add <out_format>, so that the event now has the syslog timestamp, rdz2gc.manage.trendmicro.com as the hostname, and CEF as the program_name:

  <localfile>
    <log_format>syslog</log_format>
    <location>/tmp/test.log</location>
    <out_format>$(timestamp) rdz2gc.manage.trendmicro.com CEF: $(log)</out_format>
  </localfile>

Now, we would see the following event:

2022 Apr 19 12:23:36 rdz2gc.manage.trendmicro.com->/tmp/test.log Apr 19 12:23:36 rdz2gc.manage.trendmicro.com CEF: Apr 18 2022 12:11:36 rdz2gc.manage.trendmicro.com CEF:0|Trend Micro|Apex Central|2019|Log|Intrusion Prevention|3|devicePayloadId=09003A0DA492-A9DD11EC-BF29-D00F-A66B rt=Apr 18 2022 15:09:39 GMT+00:00 dvchost=CU-13809-2 deviceFacility=Apex One src=10.241.100.253 TMCMLogDetectedIP=10.241.100.253 TMCMLogDetectedHost=QLCWBWI14 dst=10.241.104.5 smac=B8:38:61:AA:10:4B spt=65213 dmac=00:15:5D:00:F4:16 dpt=445 cn2Label=Mode cn2=1 act=Log deviceDirection=Inbound cn3Label=Priority cn3=100 cn4Label=Severity cn4=4 proto=10003 cs2Label=Application_Type cs2=DCERPC Services cn1Label=Rule cn1=1008179 cs1Label=Reason/Rule cs1=1008179 - Restrict File Extensions For Rename Activity Over Network Share cnt=1 ApexCentralHost=Apex Central as a Service deviceNtDomain=N/A dntdom=Grupoquality\

We have created the following decoders and rules as an example:

  • /var/ossec/etc/decoders/local_decoder.xml:
<decoder name="trend_micro">
  <program_name>CEF</program_name>
</decoder>

<decoder name="trend_micro_child">
  <parent>trend_micro</parent>
  <regex>src=(\S+)</regex>
  <order>srcip</order>
</decoder>
  • /var/ossec/etc/rules/local_rules.xml:
<group name="trend_micro">
  <rule id="100025" level="0">
    <decoded_as>trend_micro</decoded_as>
    <program_name>CEF</program_name>
    <description>Trend Micro group of alerts</description>
  </rule>

  <rule id="100026" level="10">
   <if_sid>100025</if_sid>
   <regex>Intrusion Prevention</regex>
   <description>Trend Micro - Intrusion Prevention</description>
  </rule>
</group>

If we test the received event with /var/ossec/bin/wazuh-logtest:

[root@localhost vagrant]# /var/ossec/bin/wazuh-logtest
Starting wazuh-logtest v4.2.6
Type one log per line

Apr 19 12:23:36 rdz2gc.manage.trendmicro.com CEF: Apr 18 2022 12:11:36 rdz2gc.manage.trendmicro.com CEF:0|Trend Micro|Apex Central|2019|Log|Intrusion Prevention|3|devicePayloadId=09003A0DA492-A9DD11EC-BF29-D00F-A66B rt=Apr 18 2022 15:09:39 GMT+00:00 dvchost=CU-13809-2 deviceFacility=Apex One src=10.241.100.253 TMCMLogDetectedIP=10.241.100.253 TMCMLogDetectedHost=QLCWBWI14 dst=10.241.104.5 smac=B8:38:61:AA:10:4B spt=65213 dmac=00:15:5D:00:F4:16 dpt=445 cn2Label=Mode cn2=1 act=Log deviceDirection=Inbound cn3Label=Priority cn3=100 cn4Label=Severity cn4=4 proto=10003 cs2Label=Application_Type cs2=DCERPC Services cn1Label=Rule cn1=1008179 cs1Label=Reason/Rule cs1=1008179 - Restrict File Extensions For Rename Activity Over Network Share cnt=1 ApexCentralHost=Apex Central as a Service deviceNtDomain=N/A dntdom=Grupoquality\

**Phase 1: Completed pre-decoding.
    full event: 'Apr 19 12:23:36 rdz2gc.manage.trendmicro.com CEF: Apr 18 2022 12:11:36 rdz2gc.manage.trendmicro.com CEF:0|Trend Micro|Apex Central|2019|Log|Intrusion Prevention|3|devicePayloadId=09003A0DA492-A9DD11EC-BF29-D00F-A66B rt=Apr 18 2022 15:09:39 GMT+00:00 dvchost=CU-13809-2 deviceFacility=Apex One src=10.241.100.253 TMCMLogDetectedIP=10.241.100.253 TMCMLogDetectedHost=QLCWBWI14 dst=10.241.104.5 smac=B8:38:61:AA:10:4B spt=65213 dmac=00:15:5D:00:F4:16 dpt=445 cn2Label=Mode cn2=1 act=Log deviceDirection=Inbound cn3Label=Priority cn3=100 cn4Label=Severity cn4=4 proto=10003 cs2Label=Application_Type cs2=DCERPC Services cn1Label=Rule cn1=1008179 cs1Label=Reason/Rule cs1=1008179 - Restrict File Extensions For Rename Activity Over Network Share cnt=1 ApexCentralHost=Apex Central as a Service deviceNtDomain=N/A dntdom=Grupoquality\'
    timestamp: 'Apr 19 12:23:36'
    hostname: 'rdz2gc.manage.trendmicro.com'
    program_name: 'CEF'

**Phase 2: Completed decoding.
    name: 'trend_micro'
    srcip: '10.241.100.253'

**Phase 3: Completed filtering (rules).
    id: '100026'
    level: '10'
    description: 'Trend Micro - Intrusion Prevention'
    groups: '['trend_micro']'
    firedtimes: '1'
    mail: 'False'
**Alert to be generated.

Keep in mind that we need to remove the header to test the correct event with wazuh-logtest, so the real event would be:

Apr 19 12:23:36 rdz2gc.manage.trendmicro.com CEF: Apr 18 2022 12:11:36 rdz2gc.manage.trendmicro.com CEF:0|Trend Micro|Apex Central|2019|Log|Intrusion Prevention|3|devicePayloadId=09003A0DA492-A9DD11EC-BF29-D00F-A66B rt=Apr 18 2022 15:09:39 GMT+00:00 dvchost=CU-13809-2 deviceFacility=Apex One src=10.241.100.253 TMCMLogDetectedIP=10.241.100.253 TMCMLogDetectedHost=QLCWBWI14 dst=10.241.104.5 smac=B8:38:61:AA:10:4B spt=65213 dmac=00:15:5D:00:F4:16 dpt=445 cn2Label=Mode cn2=1 act=Log deviceDirection=Inbound cn3Label=Priority cn3=100 cn4Label=Severity cn4=4 proto=10003 cs2Label=Application_Type cs2=DCERPC Services cn1Label=Rule cn1=1008179 cs1Label=Reason/Rule cs1=1008179 - Restrict File Extensions For Rename Activity Over Network Share cnt=1 ApexCentralHost=Apex Central as a Service deviceNtDomain=N/A dntdom=Grupoquality\

The header would be:

2022 Apr 19 12:23:36 rdz2gc.manage.trendmicro.com->/tmp/test.log

Finally, if we reproduce the event, we can see that the alert is shown in Kibana (attached image).

Screenshot from 2022-04-19 14-55-40.png
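As an added example (not code from the thread or from Wazuh), here is a small Python parser for the Apex Central CEF event quoted above. It splits the CEF header on unescaped pipes, keeps extension values that contain spaces whole, and resolves the cnNLabel/csNLabel pairs into named fields, which is the field-by-field work a custom Wazuh decoder has to do. It uses only the standard library and a constructed, shortened copy of the sample event.

```python
import re

# Constructed sample: the Apex Central CEF event from the thread, without the
# Wazuh archive header ("2022 Apr 18 ... quality-wazuh->13.89.207.172"), shortened.
SAMPLE = (
    "Apr 18 2022 12:11:36 rdz2gc.manage.trendmicro.com CEF:0|Trend Micro|Apex Central|"
    "2019|Log|Intrusion Prevention|3|devicePayloadId=09003A0DA492-A9DD11EC-BF29-D00F-A66B "
    "rt=Apr 18 2022 15:09:39 GMT+00:00 dvchost=CU-13809-2 deviceFacility=Apex One "
    "src=10.241.100.253 dst=10.241.104.5 spt=65213 dpt=445 cn2Label=Mode cn2=1 act=Log "
    "cn4Label=Severity cn4=4 cs2Label=Application_Type cs2=DCERPC Services "
    "cn1Label=Rule cn1=1008179 cs1Label=Reason/Rule cs1=1008179 - Restrict File "
    "Extensions For Rename Activity Over Network Share cnt=1 dntdom=Grupoquality\\\\"
)

HEADER_KEYS = ("version", "vendor", "product", "device_version",
               "signature_id", "name", "severity")
# An extension value runs until the next " key=" token or the end of the line,
# so values with spaces (rt, deviceFacility, cs1, cs2) stay whole.
EXT_RE = re.compile(r"(\w+)=(.*?)(?= \w+=|$)")


def parse_cef(line):
    """Parse one CEF line into header fields, raw extensions and resolved labels."""
    start = line.find("CEF:")
    if start < 0:
        raise ValueError("not a CEF event")
    # Split on unescaped pipes only; the eighth chunk is the extension string.
    parts = re.split(r"(?<!\\)\|", line[start + len("CEF:"):], maxsplit=7)
    if len(parts) != 8:
        raise ValueError("malformed CEF header")
    header = dict(zip(HEADER_KEYS, (p.replace("\\|", "|") for p in parts[:7])))
    # CEF escapes '=' and '\' inside extension values; undo that after splitting.
    ext = {k: v.replace("\\=", "=").replace("\\\\", "\\")
           for k, v in EXT_RE.findall(parts[7])}
    # cn2Label=Mode cn2=1 becomes {"Mode": "1"}; same for csN pairs.
    labeled = {}
    for key, label in ext.items():
        if key.endswith("Label") and key[:-5] in ext:
            labeled[label] = ext[key[:-5]]
    return {"header": header, "ext": ext, "labeled": labeled}


if __name__ == "__main__":
    parsed = parse_cef(SAMPLE)
    print(parsed["header"]["name"], parsed["ext"]["src"], parsed["labeled"]["Reason/Rule"])
```

A `\S+` capture such as the thread's `src=(\S+)` is enough for IP fields, but values like cs1 contain spaces, so a decoder for them needs the same "up to the next key" boundary this parser uses.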