ms-dhcp-ipv4 decoder help


Ricardo Mendonça

Mar 25, 2024, 6:15:52 AM3/25/24
to Wazuh | Mailing List
Hi everyone,

I need to make some adjustments to the ms-dhcp-ipv4 decoder.

<decoder name="ms-dhcp-ipv4">
  <prematch>^\d\d,\d+/\d+/\d\d\d\d,\d+:\d+:\d+,|</prematch>
  <prematch>^\d\d,\d+/\d+/\d\d,\d+:\d+:\d+,</prematch>
  <regex>^(\d\d),\d+/\d+/\d\d\d*,\d+:\d+:\d+,(\w+),(\S+)</regex>
  <order>id,extra_data,srcip</order>
</decoder>

It decodes id, extra_data with the action taken (Assign, Nack, etc.), and srcip with all the information together (ip, hostname, macaddress, etc.).
I need a decoder that separates the fields id, extra_data, srcip, hostname, macaddress and all other info.

How can I achieve this? I have been testing different regexes, but with no luck.

Greetings

Rolly Davany Mougoue Kakanou

Mar 25, 2024, 7:03:49 AM3/25/24
to Wazuh | Mailing List
Hello Ricardo and thanks for using Wazuh.

If I got you right, you are trying to customize the ms-dhcp-ipv4 decoder to separate all fields in the logs. Could you please share here a sample log you are trying to apply this to, and I'll be back with some suggestions.

Best regards,
Rolly Mougoue

Ricardo Mendonça

Mar 25, 2024, 9:44:00 AM3/25/24
to Wazuh | Mailing List
Thanks for replying, Rolly.

For instance, after decoding:

_index: wazuh-alerts-4.x-2024.03.25
XXX
agent.ip: X.X.X.X
XXXXXX
data.extra_data: Assign
10
data.srcip: 192.168.0.21,hostname.domain.NET,006489B4F343,,2988703455,0,,,,0x436973636F2053797374656D732C20496E632E2049502050686F6E652043502D373931314716,,,,,0
ms-dhcp-ipv4

The full log:

10,03/22/24,11:05:53,Assign,192.168.0.21,hostname.domain.NET,006489B4F343,,2988703455,0,,,,0x436973636F2053797374656D732C20496E632E2049502050686F6E652043502D373931314716,,,,0

What I need is to parse it to:

data.extra_data: Assign
data.srcip: 192.168.0.21
data.hostname: hostname.domain.NET
data.macaddress: 006489B4F343
Other: 2988703455,0,,,,0x436973636F2053797374656D732C20496E632E2049502050686F6E652043502D373931314716,,,,,0


Best regards,

Rolly Davany Mougoue Kakanou

Mar 26, 2024, 7:28:57 AM3/26/24
to Wazuh | Mailing List
Hello Ricardo,

Change your decoder as follows to extract your desired fields:


<decoder name="ms-dhcp-ipv4">
  <prematch>^\d\d,\d+/\d+/\d\d\d\d,\d+:\d+:\d+,|</prematch>
  <prematch>^\d\d,\d+/\d+/\d\d,\d+:\d+:\d+,</prematch>
  <regex type="pcre2">^(\d\d),\d+\/\d+\/\d\d\d*,\d+:\d+:\d+,(\w+),(\d+\.\d+\.\d+\.\d+),([^,]*),([^,]*),(\S+)</regex>
  <order>id,extra_data,srcip,hostname,macaddress,others</order>
</decoder>

Below is a test run with the log you provided above:

[root@wazuh-server wazuh-user]# /var/ossec/bin/wazuh-logtest
Starting wazuh-logtest v4.7.3
Type one log per line

10,03/22/24,11:05:53,Assign,192.168.0.21,hostname.domain.NET,006489B4F343,,2988703455,0,,,,0x436973636F2053797374656D732C20496E632E2049502050686F6E652043502D373931314716,,,,0

**Phase 1: Completed pre-decoding.
        full event: '10,03/22/24,11:05:53,Assign,192.168.0.21,hostname.domain.NET,006489B4F343,,2988703455,0,,,,0x436973636F2053797374656D732C20496E632E2049502050686F6E652043502D373931314716,,,,0'

**Phase 2: Completed decoding.
        name: 'ms-dhcp-ipv4'
        extra_data: 'Assign'
        hostname: 'hostname.domain.NET'
        id: '10'
        macaddress: '006489B4F343'
        others: ',2988703455,0,,,,0x436973636F2053797374656D732C20496E632E2049502050686F6E652043502D373931314716,,,,0'
        srcip: '192.168.0.21'

**Phase 3: Completed filtering (rules).
        id: '6304'
        level: '0'
        description: 'MS-DHCP: A new IP address was leased to a client.'
        groups: '['windows', 'dhcp', 'dhcp_lease_action']'
        firedtimes: '1'
        mail: 'False'



Hope this answers your question. 

Best regards,
Rolly Mougoue
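As an added example (not code from the thread or from Wazuh), the script below reproduces the decoding step outside the agent so a field split can be checked before a decoder file is edited. The regex is a comma-delimited rewrite of the pattern in the reply: the IPv4 dots are escaped and the hostname and MAC columns are "anything except a comma", so a lease whose client sent no host name still decodes. The field names follow the reply's <order> element, the first sample line is the log posted in the thread, and the second line (a lease with an empty hostname column) is constructed for the test. It also decodes the hex vendor-class value that lands in the "others" remainder, which is the part of that blob that identifies the client device.

```python
import re
from typing import Dict, Optional

# The audit-log entry posted in the thread (Microsoft DHCP server, IPv4 log).
SAMPLE_LINE = (
    "10,03/22/24,11:05:53,Assign,192.168.0.21,hostname.domain.NET,006489B4F343,,"
    "2988703455,0,,,,0x436973636F2053797374656D732C20496E632E2049502050686F6E65"
    "2043502D373931314716,,,,0"
)

# Constructed variant: same lease, but the client supplied no host name, so the
# hostname column is empty. Used to check that empty columns still decode.
SAMPLE_LINE_NO_HOST = (
    "10,03/22/24,11:05:53,Assign,192.168.0.21,,006489B4F343,,2988703455,0,,,,,,,,0"
)

# Capture-group names, in the order of the decoder's <order> element.
ORDER = ["id", "extra_data", "srcip", "hostname", "macaddress", "others"]

# Comma-delimited version of the reply's pattern. Every column between the
# timestamp and the trailing remainder is "anything except a comma", so an empty
# hostname or MAC column is accepted; the IPv4 dots are escaped so "." cannot
# silently match a comma.
DECODER_RE = re.compile(
    r"^(\d\d),\d+/\d+/\d\d\d*,\d+:\d+:\d+,(\w+),"
    r"(\d+\.\d+\.\d+\.\d+),([^,]*),([^,]*),(\S+)"
)


def decode(line: str) -> Optional[Dict[str, str]]:
    """Apply the regex and map the groups onto the <order> names, as Wazuh would.

    Returns None when the line does not match, which is the case you want to
    catch with wazuh-logtest before shipping a decoder change.
    """
    match = DECODER_RE.match(line)
    if match is None:
        return None
    return dict(zip(ORDER, match.groups()))


def vendor_class_ascii(others: str) -> Optional[str]:
    """Find the hex-encoded vendor-class column inside 'others' and decode it.

    The regex above leaves the log's hex vendor-class column inside the 'others'
    remainder. Non-printable bytes are rendered as '.'. Returns None when no
    well-formed 0x... column is present.
    """
    for column in others.split(","):
        if column.startswith("0x"):
            try:
                raw = bytes.fromhex(column[2:])
            except ValueError:
                return None
            return "".join(chr(b) if 32 <= b < 127 else "." for b in raw)
    return None


if __name__ == "__main__":
    for line in (SAMPLE_LINE, SAMPLE_LINE_NO_HOST):
        fields = decode(line)
        print(fields)
        if fields:
            print("vendor class:", vendor_class_ascii(fields["others"]))
```

Running it prints the same six fields that wazuh-logtest shows for the posted line, plus an empty hostname for the constructed line; the decoded vendor class identifies the device as a Cisco IP phone, which is the kind of detail worth keeping decoded rather than buried in "others" if rules are later written on device type.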

Ricardo Mendonça

Mar 26, 2024, 10:58:22 AM3/26/24
to Wazuh | Mailing List
You're the Man!!! Flawless!

Thank you very much Rolly

Rolly Davany Mougoue Kakanou

Mar 26, 2024, 9:05:09 PM3/26/24
to Wazuh | Mailing List
You are very welcome.