Assistance with Custom Decoder and Rule


charl...@gmail.com

Mar 25, 2021, 6:56:35 AM3/25/21
to Wazuh mailing list
Hi All,

Firstly, thank you all for this community platform. To be able to ask questions here and share knowledge is a massive benefit, so thank you to everyone involved!

We have written a custom decoder and some rules for ESET, some of it found, I believe, in this group.

Running the log through the logtest tool of 4.0.2 and 4.0.3 gives me the output below, but when the log actually comes in via syslog it does not create an alert.

Any ideas of where to start troubleshooting this?

Regards,
Charl

Msg: 1 2021-03-24T07:46:27.213Z MYESETSERVER ERAServer 66052 - - \0xef\0xbb\0xbf{"event_type":"FirewallAggregated_Event","ipv4":"172.16.1.204","hostname":"mytesthost.test.local","source_uuid":"404e69c7-403f-451b-a742-063b75513ed2","occured":"24-Mar-2021 07:39:56","severity":"Warning","event":"ARP Cache Poisoning attack","source_address":"172.16.0.45","source_address_type":"IPv4","target_address":"172.16.0.45","target_address_type":"IPv4","protocol":"ARP","inbound":true,"aggregate_count":8}\0x0a

**Phase 1: Completed pre-decoding.

       full event: 'Msg: 1 2021-03-24T07:46:27.213Z MYESETSERVER ERAServer 66052 - - \0xef\0xbb\0xbf{"event_type":"FirewallAggregated_Event","ipv4":"172.16.1.204","hostname":"mytesthost.test.local","source_uuid":"404e69c7-403f-451b-a742-063b75513ed2","occured":"24-Mar-2021 07:39:56","severity":"Warning","event":"ARP Cache Poisoning attack","source_address":"172.16.0.45","source_address_type":"IPv4","target_address":"172.16.0.45","target_address_type":"IPv4","protocol":"ARP","inbound":true,"aggregate_count":8}\0x0a'

       timestamp: '(null)'

       hostname: 'ip-10-0-0-118'

       program_name: '(null)'

       log: 'Msg: 1 2021-03-24T07:46:27.213Z MYESETSERVER ERAServer 66052 - - \0xef\0xbb\0xbf{"event_type":"FirewallAggregated_Event","ipv4":"172.16.1.204","hostname":"mytesthost.test.local","source_uuid":"404e69c7-403f-451b-a742-063b75513ed2","occured":"24-Mar-2021 07:39:56","severity":"Warning","event":"ARP Cache Poisoning attack","source_address":"172.16.0.45","source_address_type":"IPv4","target_address":"172.16.0.45","target_address_type":"IPv4","protocol":"ARP","inbound":true,"aggregate_count":8}\0x0a'

**Phase 2: Completed decoding.

       decoder: 'eset-custom'

       event_type: 'FirewallAggregated_Event'

       ipv4: '172.16.1.204'

       hostname: 'mytesthost.test.local'

       source_uuid: '404e69c7-403f-451b-a742-063b75513ed2'

       occured: '24-Mar-2021'

       severity: 'Warning'

       event: 'ARP Cache Poisoning attack'

       protocol: 'ARP'

       inbound: 'true'

       aggregate_count: '8'

**Rule debugging:

    Trying rule: 1 - Generic template for all syslog rules.

       *Rule 1 matched.

       *Trying child rules.

    Trying rule: 600 - Active Response Messages Grouped

    Trying rule: 200 - Grouping of wazuh rules.

    Trying rule: 2100 - NFS rules grouped.

    Trying rule: 2507 - OpenLDAP group.

    Trying rule: 2550 - rshd messages grouped.

    Trying rule: 2701 - Ignoring procmail messages.

    Trying rule: 2800 - Pre-match rule for smartd.

    Trying rule: 5100 - Pre-match rule for kernel messages.

    Trying rule: 5200 - Ignoring hpiod for producing useless logs.

    Trying rule: 2830 - Crontab rule group.

    Trying rule: 5300 - Initial grouping for su messages.

    Trying rule: 5905 - useradd failed.

    Trying rule: 5400 - Initial group for sudo messages.

    Trying rule: 9100 - PPTPD messages grouped.

    Trying rule: 9200 - Squid syslog messages grouped.

    Trying rule: 2900 - Dpkg (Debian Package) log.

    Trying rule: 2930 - Yum logs.

    Trying rule: 2931 - Yum logs.

    Trying rule: 2940 - NetworkManager grouping.

    Trying rule: 2943 - nouveau driver grouping.

    Trying rule: 2962 - Perdition custom app group.

    Trying rule: 3100 - Grouping of the sendmail rules.

    Trying rule: 3190 - Grouping of the smf-sav sendmail milter rules.

    Trying rule: 3300 - Grouping of the postfix reject rules.

    Trying rule: 3320 - Grouping of the postfix rules.

    Trying rule: 3390 - Grouping of the clamsmtpd rules.

    Trying rule: 3395 - Grouping of the postfix warning rules.

    Trying rule: 3500 - Grouping for the spamd rules

    Trying rule: 3600 - Grouping of the imapd rules.

    Trying rule: 3700 - Grouping of mailscanner rules.

    Trying rule: 3800 - Grouping of Exchange rules.

    Trying rule: 3900 - Grouping for the courier rules.

    Trying rule: 4300 - Grouping of PIX rules

    Trying rule: 4500 - Grouping for the Netscreen Firewall rules

    Trying rule: 4700 - Grouping of Cisco IOS rules.

    Trying rule: 4800 - SonicWall messages grouped.

    Trying rule: 5500 - Grouping of the pam_unix rules.

    Trying rule: 5556 - unix_chkpwd grouping.

    Trying rule: 5600 - Grouping for the telnetd rules

    Trying rule: 5700 - SSHD messages grouped.

    Trying rule: 5757 - Bad DNS mapping.

    Trying rule: 6100 - Solaris BSM Auditing messages grouped.

    Trying rule: 6200 - Asterisk messages grouped.

    Trying rule: 6300 - Grouping for the MS-DHCP ipv4 rules.

    Trying rule: 6350 - Grouping for the MS-DHCP ipv6 rules.

    Trying rule: 7200 - Arpwatch messages grouped.

    Trying rule: 7300 - Grouping of Symantec AV rules.

    Trying rule: 7400 - Grouping of Symantec Web Security rules.

    Trying rule: 7600 - Grouping of Trend OSCE rules.

    Trying rule: 9300 - Grouping for the Horde imp rules.

    Trying rule: 9400 - Roundcube messages grouped.

    Trying rule: 9500 - Wordpress messages grouped.

    Trying rule: 9600 - cimserver messages grouped.

    Trying rule: 9700 - Dovecot Messages Grouped.

    Trying rule: 9770 - dovecot-info grouping.

    Trying rule: 9800 - Grouping for the vm-pop3d rules.

    Trying rule: 9900 - Grouping for the vpopmail rules.

    Trying rule: 11100 - Grouping for the ftpd rules.

    Trying rule: 11200 - Grouping for the proftpd rules.

    Trying rule: 11300 - Grouping for the pure-ftpd rules.

    Trying rule: 11310 - Rule grouping for pure ftpd transfers.

    Trying rule: 11400 - Grouping for the vsftpd rules.

    Trying rule: 11500 - Grouping for the Microsoft ftp rules.

    Trying rule: 12100 - Grouping of the named rules

    Trying rule: 13100 - Grouping for the smbd rules.

    Trying rule: 13106 - Grouping for the nmbd rules.

    Trying rule: 14100 - Grouping of racoon rules.

    Trying rule: 14200 - Grouping of Cisco VPN concentrator rules

    Trying rule: 19100 - VMWare messages grouped.

    Trying rule: 19101 - VMWare ESX syslog messages grouped.

    Trying rule: 30100 - Apache messages grouped.

    Trying rule: 31200 - Grouping of Zeus rules.

    Trying rule: 31300 - Nginx messages grouped.

    Trying rule: 31404 - PHP Warning message.

    Trying rule: 31405 - PHP Fatal error.

    Trying rule: 31406 - PHP Parse error.

    Trying rule: 40700 - Systemd rules

    Trying rule: 40900 - firewalld grouping

    Trying rule: 50100 - MySQL messages grouped.

    Trying rule: 50500 - PostgreSQL messages grouped.

    Trying rule: 51000 - Grouping for dropbear rules.

    Trying rule: 51500 - Grouping of bsd_kernel alerts

    Trying rule: 51521 - Grouping for groupdel rules.

    Trying rule: 51523 - No core dumps.

    Trying rule: 51525 - ftp-proxy cannot connect to a server.

    Trying rule: 51526 - Hard drive is dying.

    Trying rule: 51527 - CARP master to backup.

    Trying rule: 51528 - Duplicate IPv6 address.

    Trying rule: 51529 - Could not load a firmware.

    Trying rule: 51530 - hotplugd could not open a file.

    Trying rule: 51532 - Bad ntp peer.

    Trying rule: 51550 - doas grouping

    Trying rule: 52500 - Clamd messages grouped.

    Trying rule: 52501 - ClamAV: database update

    Trying rule: 53500 - OpenSMTPd grouping.

    Trying rule: 500000 - Unbound grouping.

    Trying rule: 80000 - Puppet Master messages grouped.

    Trying rule: 80001 - Puppet Agent messages grouped.

    Trying rule: 80100 - Netscaler messages grouped.

    Trying rule: 80200 - AWS alert.

    Trying rule: 80500 - Serv-u messages grouped.

    Trying rule: 80700 - Audit: messages grouped.

    Trying rule: 81100 - USB messages grouped.

    Trying rule: 81300 - Redis messages grouped.

    Trying rule: 81400 - OpenSCAP messages grouped.

    Trying rule: 81600 - Fortigate v3 messages grouped.

    Trying rule: 81601 - Fortigate v4 messages grouped.

    Trying rule: 81602 - Fortigate v5 messages grouped.

    Trying rule: 81700 - HP 5500 EI messages grouped.

    Trying rule: 81800 - OpenVPN messages grouped.

    Trying rule: 81900 - RSA Authentication Manager messages grouped.

    Trying rule: 82000 - Imperva messages grouped.

    Trying rule: 82100 - Sophos alerts.

    Trying rule: 82200 - FreeIPA syslog.

    Trying rule: 82400 - Cisco eStreamer messages grouped.

    Trying rule: 85000 - SQL Server messages.

    Trying rule: 85500 - Identity Guard Log.

    Trying rule: 85750 - MongoDB messages

    Trying rule: 86000 - Docker messages

    Trying rule: 86250 - Jenkins messages

    Trying rule: 86800 - VShell message grouped.

    Trying rule: 86600 - Suricata messages.

    Trying rule: 86900 - Qualysguard messages grouped.

    Trying rule: 87000 - Cylance events messages grouped.

    Trying rule: 87050 - Cylance threats messages grouped.

    Trying rule: 87100 - VirusTotal integration messages.

    Trying rule: 87200 - pvedaemon messages grouped.

    Trying rule: 87300 - ownCloud messages grouped.

    Trying rule: 87310 - ownCloud messages grouped.

    Trying rule: 22401 - Vuls integration event.

    Trying rule: 87402 - CIS-CAT events.

    Trying rule: 87403 - Old CIS-CAT events.

    Trying rule: 87500 - Exim SMTP Messages Grouped.

    Trying rule: 87501 - dovecot messages grouped.

    Trying rule: 23501 - $(vulnerability.cve) affects $(vulnerability.package.name)

    Trying rule: 87600 - OpenVAS (gsad) messages grouped.

    Trying rule: 87608 - OpenVAS (openvasmd) messages grouped.

    Trying rule: 88000 - Percona Server audit events grouped.

    Trying rule: 89050 - McAfee AUDIT Plugin for MySQL events grouped.

    Trying rule: 88100 - MariaDB group messages.

    Trying rule: 87700 - pfSense firewall rules grouped.

    Trying rule: 87900 - Docker alerts: $(docker.Type)

    Trying rule: 64000 - Grouping of cisco-ASA rules

    Trying rule: 65500 - Mcafee EPO2

    Trying rule: 88200 - NextCloud messages grouped.

    Trying rule: 88201 - NextCloud messages grouped.

    Trying rule: 67100 - Junos IDS

    Trying rule: 67102 - Junos RT Flow

    Trying rule: 64200 - PANDA Antivirus event.

    Trying rule: 64220 - Checkpoint events.

    Trying rule: 64250 - Grouping macos sshd rules.

    Trying rule: 65000 - GCP alert.

    Trying rule: 64500 - SYSTEM Palo Alto logs type

    Trying rule: 64507 - TRAFFIC paloalto logs type

    Trying rule: 100600 - Checkpoint events.

    Trying rule: 100139 - FortiAnalyzer is not configured for Security Fabric service

    Trying rule: 100146 - PCI DSS compliance check failed

    Trying rule: 100002 - User logged-in Succesfully into Office 365.

    Trying rule: 100404 - Threat detected by Sandbox - Low

    Trying rule: 40102 - Buffer overflow attack on rpc.statd

    Trying rule: 40103 - Buffer overflow on WU-FTPD versions prior to 2.6

    Trying rule: 40107 - Heap overflow in the Solaris cachefsd service.

    Trying rule: 1003 - Non standard syslog message (size too large).

    Trying rule: 40104 - Possible buffer overflow attempt.

    Trying rule: 100304 - ESET alerts, $(event)

    Trying rule: 40105 - "Null" user changed some information.

    Trying rule: 40106 - Buffer overflow attempt (probably on yppasswd).

    Trying rule: 40109 - Stack overflow attempt or program exiting with SEGV (Solaris).

    Trying rule: 100303 - ESET alerts, $(event)

    Trying rule: 100100 - Attack detected by UCP/TCP anomaly

    Trying rule: 100101 - Attack detected by ICMP anomaly

    Trying rule: 100102 - Attack detected by other anomaly

    Trying rule: 100114 - Data leak detected by specified DLP sensor rule

    Trying rule: 100123 - Attack detected by a malicious URL

    Trying rule: 100124 - Attack detected by UCP/TCP signature - $(severity) Severity

    Trying rule: 100125 - Attack detected by ICMP signature

    Trying rule: 100126 - Attack detected by other signature

    Trying rule: 100403 - Virus/Malware detected

    Trying rule: 100407 - Threat detected by Sandbox - High

    Trying rule: 100409 - Suspicious file detected

    Trying rule: 100410 - Device Control violation

    Trying rule: 100414 - Attack Discovered - High

    Trying rule: 100416 - Anomalous Behavior - High

    Trying rule: 100422 - Web Violations - High

    Trying rule: 100431 - C and C Callbacks - High

    Trying rule: 2301 - xinetd: Excessive number connections to a service.

    Trying rule: 2502 - syslog: User missed the password more than one time

    Trying rule: 2504 - syslog: Illegal root login.

    Trying rule: 100402 - Virus/Malware detected

    Trying rule: 100406 - Threat detected by Sandbox - Medium

    Trying rule: 100408 - Threat detected by Sandbox - High

    Trying rule: 100411 - Attack Discovered - Medium

    Trying rule: 100413 - Attack Discovered - Medium

    Trying rule: 100423 - Web Violations - Medium

    Trying rule: 100430 - C and C Callbacks - Medium

    Trying rule: 7101 - Problems with the tripwire checking.

    Trying rule: 5901 - New group added to the system.

    Trying rule: 5902 - New user added to the system.

    Trying rule: 5904 - Information from the user was changed.

    Trying rule: 5758 - Maximum authentication attempts exceeded.

    Trying rule: 12110 - Serial number from master is lower than stored.

    Trying rule: 12111 - Unable to perform zone transfer.

    Trying rule: 18128 - Windows: Group account added/changed/deleted.

    Trying rule: 100109 - File reported infected by FortiSandbox

    Trying rule: 100112 - File reported infected by FortiSandbox

    Trying rule: 100134 - Fortinet admin login failed

    Trying rule: 100135 - SSL VPN login fail

    Trying rule: 100147 - SSL VPN deny

    Trying rule: 100160 - Attack detected by UCP/TCP signature - $(severity) Severity

    Trying rule: 1007 - File system full.

    Trying rule: 5134 - RNGD failure

    Trying rule: 30200 - Modsecurity alert.

    Trying rule: 100302 - ESET alerts, $(event)

    Trying rule: 100103 - Application control (IPS) (block)

    Trying rule: 100104 - Application control IM (SSH) (block)

    Trying rule: 100105 - Botnet C and C Communication

    Trying rule: 100106 - FortiGate unit blocked a file because it contains a virus

    Trying rule: 100107 - MMS content checksum blocked an infected file

    Trying rule: 100110 - Infected file detected by the FortiGate unit and blocked

    Trying rule: 100111 - MIME header detected to have a virus and blocked

    Trying rule: 100117 - Domain blocked by DNS botnet C and C

    Trying rule: 100120 - Antispam filter event

    Trying rule: 100121 - Antispam filter event

    Trying rule: 100122 - Antispam filter event

    Trying rule: 100130 - Web application firewall blocked application by address list

    Trying rule: 100131 - Web application firewall blocked application by custom signature

    Trying rule: 100132 - Web application firewall blocked application by HTTP constraints

    Trying rule: 100133 - Web application firewall blocked application by HTTP method

    Trying rule: 100401 - Virus/Malware detected

    Trying rule: 100405 - Threat detected by Sandbox - Medium

    Trying rule: 100412 - Attack Discovered - Medium

    Trying rule: 100415 - Anomalous Behavior - Medium

    Trying rule: 100417 - Spyware/Grayware detected - Medium

    Trying rule: 100418 - Predictive Machine Learning - Medium

    Trying rule: 100419 - Application Control violation - Medium

    Trying rule: 100420 - Application Control violation - Medium

    Trying rule: 100421 - Application Control violation - Medium

    Trying rule: 100424 - Web Violations - Medium

    Trying rule: 100427 - Network Content Inspection - Medium

    Trying rule: 100429 - C and C Callbacks - Medium

    Trying rule: 100432 - DLP Event Detected - Medium

    Trying rule: 1004 - Syslogd exiting (logging stopped).

    Trying rule: 1005 - Syslogd restarted.

    Trying rule: 1006 - Syslogd restarted.

    Trying rule: 1008 - Process exiting (killed).

    Trying rule: 1010 - Process segfaulted.

    Trying rule: 2501 - syslog: User authentication failure.

    Trying rule: 2503 - syslog: Connection blocked by Tcp Wrappers.

    Trying rule: 5604 - telnetd: Reverse lookup error (bad hostname config).

    Trying rule: 14101 - racoon: VPN authentication failed.

    Trying rule: 66001 - Zeek: SSH Connection

    Trying rule: 66002 - Zeek: SSL Connection

    Trying rule: 66003 - Zeek: DNS Query

    Trying rule: 66004 - Zeek: Connection detail

    Trying rule: 100108 - Exectutable file detected

    Trying rule: 100115 - DLP fingerprint document source error

    Trying rule: 100116 - Domain blocked because it is in the domain-filter list

    Trying rule: 100119 - Domain belongs to a denied category in policy

    Trying rule: 100127 - SSH command blocked

    Trying rule: 100128 - SSH command blocked

    Trying rule: 100129 - SSH channel blocked

    Trying rule: 100148 - Command blocked

    Trying rule: 100149 - Web content banned word found

    Trying rule: 100150 - Web content MMS banned word found

    Trying rule: 100151 - Blocked by HTTP header content type

    Trying rule: 100152 - URL belongs to an blocked category within the firewall policy

    Trying rule: 100153 - URL belongs to a category with warnings enabled

    Trying rule: 100154 - Rating error occurred

    Trying rule: 2103 - Unable to mount the NFS directory.

    Trying rule: 2945 - rsyslog may be dropping messages due to rate-limiting.

    Trying rule: 5553 - PAM misconfiguration.

    Trying rule: 5554 - PAM misconfiguration.

    Trying rule: 12112 - Zone transfer error.

    Trying rule: 51524 - System was rebooted.

    Trying rule: 100138 - IP pool PBA NAT IP exhausted

    Trying rule: 100141 - FortiCloud daily quota full

    Trying rule: 100142 - Admin login disabled

    Trying rule: 100144 - FortiToken mobile push message failed

    Trying rule: 100145 - Admin monitor disconnected

    Trying rule: 100155 - FortiGuard web filter category quota expired log message

    Trying rule: 2505 - syslog: Physical root login.

    Trying rule: 2506 - syslog: Pop3 Authentication passed.

    Trying rule: 5903 - Group (or user) deleted from the system.

    Trying rule: 5555 - PAM: User changed password.

    Trying rule: 13112 - Samba: Segfault in gvfs-smb.

    Trying rule: 51531 - User account deleted.

    Trying rule: 52000 - Apparmor messages grouped.

    Trying rule: 24000 - osquery message

    Trying rule: 17000 - Kaspersky Endpoint Security - Task $(TaskName) changed to state $(TaskState)

    Trying rule: 87801 - Azure: Log analytics

    Trying rule: 87802 - Azure: AD $(activity)

    Trying rule: 87803 - Azure: Storage

    Trying rule: 87804 - Azure: Storage

    Trying rule: 61053 - Event created in the application log

    Trying rule: 100301 - ESET alerts, $(event)

       *Rule 100301 matched.


**Phase 3: Completed filtering (rules).

       Rule id: '100301'

       Level: '3'

       Description: 'ESET alerts, ARP Cache Poisoning attack'

**Alert to be generated.
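The Phase 2 output above shows the 'eset-custom' decoder returning 'occured' cut short at the space and omitting the four source/target address fields that are present in the JSON payload. As an added example (not code from the post or from Wazuh), this script parses the quoted line the way a JSON-aware decoder would, stripping the UTF-8 BOM that logtest printed as \0xef\0xbb\0xbf, and diffs the payload against what logtest reported; the sample line and the decoded field table are copied from the post.

```python
import json

# Constructed from the line quoted in the post: the UTF-8 BOM that logtest
# printed as \0xef\0xbb\0xbf is restored as real bytes, as is the trailing newline.
SAMPLE_LINE = (
    b"Msg: 1 2021-03-24T07:46:27.213Z MYESETSERVER ERAServer 66052 - - "
    b"\xef\xbb\xbf"
    b'{"event_type":"FirewallAggregated_Event","ipv4":"172.16.1.204",'
    b'"hostname":"mytesthost.test.local",'
    b'"source_uuid":"404e69c7-403f-451b-a742-063b75513ed2",'
    b'"occured":"24-Mar-2021 07:39:56","severity":"Warning",'
    b'"event":"ARP Cache Poisoning attack","source_address":"172.16.0.45",'
    b'"source_address_type":"IPv4","target_address":"172.16.0.45",'
    b'"target_address_type":"IPv4","protocol":"ARP","inbound":true,'
    b'"aggregate_count":8}\n'
)

# Fields and values that the "Phase 2: Completed decoding" output reports
# for decoder 'eset-custom' (copied from the post, as logtest printed them).
LOGTEST_DECODED = {
    "event_type": "FirewallAggregated_Event", "ipv4": "172.16.1.204",
    "hostname": "mytesthost.test.local",
    "source_uuid": "404e69c7-403f-451b-a742-063b75513ed2",
    "occured": "24-Mar-2021", "severity": "Warning",
    "event": "ARP Cache Poisoning attack", "protocol": "ARP",
    "inbound": "true", "aggregate_count": "8",
}


def split_eset_syslog(line: bytes) -> tuple:
    """Return (syslog header, parsed JSON payload) for one ESET syslog line.

    The header is everything before the first '{'. The BOM is removed
    before json.loads(), which otherwise rejects input starting with it.
    """
    text = line.decode("utf-8").rstrip("\n")
    start = text.find("{")
    if start < 0:
        raise ValueError("no JSON object in line")
    header = text[:start].replace("\ufeff", "").strip()
    payload = json.loads(text[start:])
    return header, payload


def as_logtest_str(value) -> str:
    # logtest prints every decoded value quoted: true/false and numbers
    # appear exactly as they are spelled in the JSON text.
    return value if isinstance(value, str) else json.dumps(value)


def compare_with_logtest(payload: dict, decoded: dict) -> dict:
    """List payload keys the decoder dropped, and values it did not keep whole."""
    missing = sorted(k for k in payload if k not in decoded)
    truncated = {k: payload[k] for k, v in decoded.items()
                 if k in payload and as_logtest_str(payload[k]) != v}
    return {"missing": missing, "truncated": truncated}


if __name__ == "__main__":
    hdr, body = split_eset_syslog(SAMPLE_LINE)
    print(hdr)
    print(json.dumps(compare_with_logtest(body, LOGTEST_DECODED), indent=2))
```

Run against your own logtest output, the 'missing' and 'truncated' lists tell you which decoder regexes need widening before the rules built on those fields can be trusted.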

Fabricio Brunetti

Mar 25, 2021, 10:38:13 AM3/25/21
to Wazuh mailing list
Hello Charl,

The good thing is that logtest shows that your decoders/rules are OK.
Let's try to debug the issue. What I would do is verify that the log is actually reaching the wazuh-manager.
If it did, it should appear in /logs/archives/archives.json.

Regards,
Fabricio Brunetti

charl...@gmail.com

Mar 26, 2021, 4:28:33 AM3/26/21
to Wazuh mailing list
Good Morning,

Thank you for the reply.
I have subsequently been able to resolve this: the worker node, where the syslog was pointed to, had alerts_log set to no.
Thanks for your time!
Regards
Charl
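The resolution above (a worker with alerts_log set to no) and the earlier suggestion to look in archives.json both come down to the <global> section of ossec.conf on the node that actually receives the syslog feed. As an added example (not code from the thread or from Wazuh), this script audits those options on constructed config fragments; the assumed defaults are alerts_log=yes and logall_json=no, and the finding strings are this example's own format.

```python
import xml.etree.ElementTree as ET

# Defaults assumed for the check: alerts_log is on unless disabled,
# logall_json (which feeds archives.json) is off unless enabled.
DEFAULTS = {"alerts_log": "yes", "logall_json": "no"}
WHY = {"alerts_log": "alerts are not written on this node",
       "logall_json": "received events will not show up in archives.json"}

# Constructed worker configs: the misconfigured one and the corrected one.
WORKER_CONF_BROKEN = """
<ossec_config>
  <global>
    <jsonout_output>yes</jsonout_output>
    <alerts_log>no</alerts_log>
    <logall_json>no</logall_json>
  </global>
</ossec_config>
<ossec_config>
  <remote>
    <connection>syslog</connection>
    <port>514</port>
    <protocol>udp</protocol>
  </remote>
</ossec_config>
"""
WORKER_CONF_FIXED = WORKER_CONF_BROKEN.replace(
    "<alerts_log>no</alerts_log>", "<alerts_log>yes</alerts_log>").replace(
    "<logall_json>no</logall_json>", "<logall_json>yes</logall_json>")


def parse_ossec_conf(text: str) -> ET.Element:
    # ossec.conf may contain several top-level <ossec_config> blocks, which is
    # not well-formed XML by itself, so wrap it in a synthetic root first.
    return ET.fromstring("<root>" + text + "</root>")


def audit_global(text: str) -> list:
    """Return one finding per <global> option that would silence this node."""
    root = parse_ossec_conf(text)
    findings = []
    for option, default in DEFAULTS.items():
        nodes = root.findall("./ossec_config/global/" + option)
        # take the last occurrence so a later block overriding an earlier one is seen
        effective = (nodes[-1].text or "").strip().lower() if nodes else default
        if effective != "yes":
            findings.append(f"{option}={effective}: {WHY[option]}; "
                            f"set <{option}>yes</{option}> in <global>")
    return findings


def has_syslog_listener(text: str) -> bool:
    """True if some <remote> block accepts plain syslog on this node."""
    root = parse_ossec_conf(text)
    return any((c.text or "").strip() == "syslog"
               for c in root.findall("./ossec_config/remote/connection"))


if __name__ == "__main__":
    for name, conf in (("broken", WORKER_CONF_BROKEN), ("fixed", WORKER_CONF_FIXED)):
        print(name, has_syslog_listener(conf), audit_global(conf))
```

Running this on every cluster node (not just the master) catches the case in the thread, where the syslog destination was a worker whose own <global> settings differed.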