help with my decoder


brandon echenique garcia

Jun 28, 2023, 1:39:28 PM
to Wazuh mailing list
Hi dear team, 

I've modified the Zimbra logs by adding custom headers, such as subject and attachment, and
I need help to decode these logs. For example:

Jun 27 09:36:26 mail postfix/cleanup[2722285]: 85FCE1015056: warning: header Subject: con subject y attachment from mail.cxxa[x.x.x.x]; from=<axx@cxxa> to=<bxxx@rxe> proto=ESMTP helo=<mail.xxx2.xx>
Jun 27 09:36:26 mail postfix/cleanup[2722285]: 85FCE1015056: warning: header Content-Disposition: attachment; filename="report incident ransonware.pdf" from mail.cxxa[x.x.x.x]; from=<axx@cxa> to=<bx@rox> proto=ESMTP helo=<mail.xxx2.xx>
 
I've tried with these decoders:
<decoder name="postfix-subject">
  <program_name>^cleanup</program_name>
</decoder>

<decoder name="postfix-subject1">
  <parent>postfix-subject</parent>
  <regex>85FCE1015056: warning: (\w+) Subject: (\.+) from (\S+)[\S+]; from=\<(\S+)> to=\<(\S+)> proto=(\S+) helo=\<(\S+)></regex>
  <order>header, subject, dominio, postfixfrom, postfixto, postfixproto, postfixelo</order>
</decoder>

<decoder name="postfix-attachment">
  <parent>postfix-subjt</parent>
  <regex>warning: (\w+) \w+-\w+: \w+; filename=(\.+) from (\S+)[\d+.\d+.\d+.\d+]; from=\<(\S+)> to=\<(\S+)> proto=(\S+) helo=\<(\S+)></regex>
  <order>warning, filename, dominio, pxfrom, pxto, postfixproto, postfixelo</order>
</decoder>

but the results are not as expected:
(attachment: rules.PNG)

I've tested my regex in the wazuh-regex test, as shown below:

/var/ossec/bin/wazuh-regex '85FCE1015056: warning: (\w+) Subject: (\.+) from (\S+)[\d+.\d+.\d+.\d+]; from=\<(\S+)> to=\<(\S+)> proto=(\S+) helo=\<(\S+)>|85FCE1015056: warning: (\w+) \w+-\w+: \w+; filename=(\.+) from (\S+)[\d+.\d+.\d+.\d+]; from=\<(\S+)> to=\<(\S+)> proto=(\S+) helo=\<(\S+)>'
Jun 27 09:36:26 mail postfix/cleanup[2722285]: 85FCE1015056: warning: header Subject: con subject y attachment from mail.cxxa[172.16.20.7]; from=<axx@cxxa> to=<bxe@rxe> proto=ESMTP helo=<mail.cxxa>
+OSRegex_Execute: Jun 27 09:36:26 mail postfix/cleanup[2722285]: 85FCE1015056: warning: header Subject: con subject y attachment from mail.cxxa[172.16.20.7]; from=<axx@cxxa> to=<bxe@rxe> proto=ESMTP helo=<mail.cxxa>
 -Substring: header
 -Substring: con subject y attachment
 -Substring: mail.cxxa
 -Substring: axx@cxxa
 -Substring: bxe@rx
 -Substring: ESMTP
 -Substring: mail.cxxa
+OS_Regex       : Jun 27 09:36:26 mail postfix/cleanup[2722285]: 85FCE1015056: warning: header Subject: con subject y attachment from mail.cxxa[172.16.20.7]; from=<axx@cxxa> to=<bx...@rop.pe> proto=ESMTP helo=<mail.cxxa>

Jun 27 09:36:26 mail postfix/cleanup[2722285]: 85FCE1015056: warning: header Content-Disposition: attachment; filename="report incident ransonware.pdf" from mail.cxxa[172.16.20.7]; from=<axx@cxxa> to=<bxxe@rxe> proto=ESMTP helo=<mail.cxxa>
+OSRegex_Execute: Jun 27 09:36:26 mail postfix/cleanup[2722285]: 85FCE1015056: warning: header Content-Disposition: attachment; filename="report incident ransonware.pdf" from mail.cxxa[172.16.20.7]; from=<axx@cxxa> to=<bxe@rxe> proto=ESMTP helo=<mail.cxa>
 -Substring: header
 -Substring: "report incident ransonware.pdf"
 -Substring: mail.cxxa
 -Substring: araez@cxxa
 -Substring: bxxe@rxe
 -Substring: ESMTP
 -Substring: mail.cxxa
+OS_Regex       : Jun 27 09:36:26 mail postfix/cleanup[2722285]: 85FCE1015056: warning: header Content-Disposition: attachment; filename="report incident ransonware.pdf" from mail.cxxa[172.16.20.7]; from=<axx@cxxa> to=<bxe@rxe> proto=ESMTP helo=<mail.cxxa>


So, what is my mistake?

Javier Medeot

Jun 28, 2023, 4:07:40 PM
to Wazuh mailing list
Hello Brandon.

Let me try to help. Wazuh already implements a decoder to capture postfix logs. I'm sharing two decoders for your specific logs that are children of the postfix decoder. Please take a look at them and let me know if it helps and whether any changes are required.

<decoder name="custom-header-subj">
  <parent>postfix</parent>
  <use_own_name>true</use_own_name>
  <prematch>^85FCE1015056: warning: header Subject:</prematch>
  <regex>^85FCE1015056: warning: (header Subject: \.+) from (\.+); from=(\.+) to=(\.+) proto=(\.+) helo=(\.+)$</regex>
  <order>custom-warning, dominio, pxfrom, pxto, pxproto, pxhelo</order>
</decoder>


<decoder name="custom-header-cd">
  <parent>postfix</parent>
  <use_own_name>true</use_own_name>
  <prematch>^85FCE1015056: warning: header Content-Disposition:</prematch>
  <regex>^85FCE1015056: warning: (header Content-Disposition: \.+); filename="(\.+)" from (\.+); from=(\.+) to=(\.+) proto=(\.+) helo=(\.+)$</regex>
  <order>custom-warning, dominio, pxfrom, pxto, pxproto, pxhelo</order>
</decoder>


Running a decoders test gives the following output:

**Messages:
INFO: (7202): Session initialized with token 'dba42865'

**Phase 1: Completed pre-decoding.
full event: 'Jun 27 09:36:26 mail postfix/cleanup[2722285]: 85FCE1015056: warning: header Subject: con subject y attachment from mail.cxxa[x.x.x.x]; from=<axx@cxxa> to=<bxxx@rxe> proto=ESMTP helo=<mail.xxx2.xx>'
timestamp: 'Jun 27 09:36:26'
hostname: 'mail'
program_name: 'postfix/cleanup'

**Phase 2: Completed decoding.
name: 'custom-header-subj'
parent: 'postfix'
custom-warning: 'header Subject: con subject y attachment'
dominio: 'mail.cxxa[x.x.x.x]'
pxfrom: '<axx@cxxa>'
pxhelo: '<mail.xxx2.xx>'
pxproto: 'ESMTP'
pxto: '<bxxx@rxe>'

**Phase 1: Completed pre-decoding.
full event: 'Jun 27 09:36:26 mail postfix/cleanup[2722285]: 85FCE1015056: warning: header Content-Disposition: attachment; filename="report incident ransonware.pdf" from mail.cxxa[x.x.x.x]; from=<axx@cxa> to=<bx@rox> proto=ESMTP helo=<mail.xxx2.xx>'
timestamp: 'Jun 27 09:36:26'
hostname: 'mail'
program_name: 'postfix/cleanup'

**Phase 2: Completed decoding.
name: 'custom-header-cd'
parent: 'postfix'
custom-warning: 'header Content-Disposition: attachment'
dominio: 'report incident ransonware.pdf'
pxfrom: 'mail.cxxa[x.x.x.x]'
pxhelo: 'ESMTP'
pxproto: '<bx@rox>'
pxto: '<axx@cxa>'

Thank you

brandon echenique garcia

Jun 28, 2023, 6:40:17 PM
to Wazuh mailing list
Dear Javier,

I tried the decoders that you shared with me, but it still doesn't decode.

I added the decoders in the local_decoder.xml file; does that have anything to do with it?

Now, I have seen that you have added the tag use_own_name. What is the purpose of this tag?
Could you give me more details on why it is necessary to use it in the decoder you made?
Thanks for all your support.

**Messages:
INFO: (7202): Session initialized with token '2e8dc552'

**Phase 1: Completed pre-decoding.
full event: 'Jun 27 09:36:26 mail postfix/cleanup[2722285]: 85FCE1015056: warning: header Content-Disposition: attachment; filename="report incident ransonware.pdf" from mail.cxxa[x.x.x.x]; from=<axx@cxa> to=<bx@rox> proto=ESMTP helo=<mail.xxx2.xx'
timestamp: 'Jun 27 09:36:26'
hostname: 'mail'
program_name: 'postfix/cleanup'

**Phase 2: Completed decoding.
name: 'postfix'
parent: 'postfix'

**Phase 3: Completed filtering (rules).
id: '3320'
level: '0'
description: 'Grouping of the postfix rules.'
groups: '["syslog","postfix"]'
firedtimes: '1'
mail: 'false'

**Phase 1: Completed pre-decoding.
full event: 'Jun 27 09:36:26 mail postfix/cleanup[2722285]: 85FCE1015056: warning: header Subject: con subject y attachment from mail.cxxa[x.x.x.x]; from=<axx@cxxa> to=<bxxx@rxe> proto=ESMTP helo=<mail.xxx2.xx>'
timestamp: 'Jun 27 09:36:26'
hostname: 'mail'
program_name: 'postfix/cleanup'

**Phase 2: Completed decoding.
name: 'postfix'
parent: 'postfix'

**Phase 3: Completed filtering (rules).
id: '3320'
level: '0'
description: 'Grouping of the postfix rules.'
groups: '["syslog","postfix"]'
firedtimes: '2'
mail: 'false'

Javier Medeot

Jun 29, 2023, 10:31:17 AM
to Wazuh mailing list
Hello Brandon.

You need to define your custom decoders in /var/ossec/etc/decoders/local_decoder.xml as explained in https://documentation.wazuh.com/current/user-manual/ruleset/custom.html

Once you have added and saved the custom decoders, you need to restart the Wazuh manager to apply the changes. However, if you just want to test them, you don't need to restart the manager for that, but you will still want to clear the session. If testing using the Wazuh dashboard (Tools > Ruleset test), click Clear session. To learn more about this and other options for testing, check https://documentation.wazuh.com/current/user-manual/ruleset/testing.html

About use_own_name, I set it simply to show it's the custom decoder which is getting triggered. You can learn more about this option in https://documentation.wazuh.com/current/user-manual/ruleset/ruleset-xml-syntax/decoders.html#use-own-name

Please, try again clearing the session or restarting the manager. If it doesn't work, please share the local_decoder.xml file to allow me to check what the issue could be.

Many thanks.

brandon echenique garcia

Jun 30, 2023, 10:09:28 AM
to Wazuh mailing list
Dear Javier, 

Sorry for the delay in replying. I have defined my decoders in the path /var/ossec/etc/decoders/local_decoder.xml following the steps in https://documentation.wazuh.com/current/user-manual/ruleset/custom.html.
I restarted the Wazuh manager to apply the changes; however, the decoders still do not work.
I also deleted the session, and it did not work either.

I attach my local_decoder file, so you can check it.

Waiting for your answer, thanks for your support.

(attachment: local_decoder.xml)

Javier Medeot

Jun 30, 2023, 5:07:22 PM
to Wazuh mailing list
Hello Brandon.

I can see that your local_decoder.xml file includes decoders other than the ones we've been discussing here. You can run a test removing/commenting out those other decoders and see if your logs get decoded correctly.

Check also that postfix-filter decoder that you have in your file. Try with a different syntax. Use '\p' rather than the '<' and '>' characters. '\p' is a specific syntax for '<', '>' (and for ()*+,-.:;=?[]!"'#$%&|{} characters as well).

Tell me if this helps. Thank you

brandon echenique garcia

Jul 3, 2023, 5:06:09 PM
to Wazuh mailing list
Dear Javier,

Sorry for responding late again. I tried what you indicated and it worked; what I finally realized is that the decoders are executed in an order, so that was the problem.
I reordered all my decoders inside my local_decoder file, testing which ones were generating conflicts, and I arranged them; after that everything else worked!
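As an added example (not Wazuh's code, and not the decoders Javier or Brandon posted), the Python script below emulates, on the two sample lines from the first post, the OS_Regex subset this thread uses, and ties together three points of the discussion: child decoders built from <prematch>, <regex> and <order>; Javier's advice to write '\p' for '<' and '>'; and Brandon's closing observation that sibling decoders are evaluated in order. It also includes the check a practitioner would run before loading any decoder, that the number of capture groups equals the number of names in <order>: in Javier's test output the Content-Disposition decoder has seven groups and six names, which is why the filename appears under 'dominio' and every later field is shifted. Everything about the engine here is an assumption made for illustration: the character set behind '\w', the syslog-header regex used for pre-decoding, and the rule that the first matching sibling wins; the real Wazuh decoder is more involved, so confirm behaviour with wazuh-logtest before relying on it.

```python
import re

# Constructed sample input: the two (already redacted) lines from the thread.
SAMPLE_LINES = [
    'Jun 27 09:36:26 mail postfix/cleanup[2722285]: 85FCE1015056: warning: header Subject: con subject y attachment from mail.cxxa[x.x.x.x]; from=<axx@cxxa> to=<bxxx@rxe> proto=ESMTP helo=<mail.xxx2.xx>',
    'Jun 27 09:36:26 mail postfix/cleanup[2722285]: 85FCE1015056: warning: header Content-Disposition: attachment; filename="report incident ransonware.pdf" from mail.cxxa[x.x.x.x]; from=<axx@cxa> to=<bx@rox> proto=ESMTP helo=<mail.xxx2.xx>',
]

# OS_Regex escapes translated to Python classes (assumed subset; \w as the Wazuh
# docs define it). Any other character is a literal, '.', '[' and ']' included.
_OSREGEX_CLASSES = {
    ".": ".",                      # \. any character
    "w": r"[A-Za-z0-9@_\-]",       # \w word characters
    "d": r"[0-9]",                 # \d digit
    "S": r"\S",                    # \S anything but a space
    "p": r"""[()*+,\-.:;<=>?\[\]!"'#$%&|{}]""",  # \p punctuation, < and > included
}

def osregex_to_python(pattern):
    """Translate the OS_Regex subset used in this thread into a Python pattern."""
    out, i = [], 0
    while i < len(pattern):
        c = pattern[i]
        if c == "\\" and i + 1 < len(pattern):          # escape: class or literal (\< -> <)
            out.append(_OSREGEX_CLASSES.get(pattern[i + 1], re.escape(pattern[i + 1])))
            i += 2
        else:                                           # ( ) + * ? ^ $ | keep their meaning
            out.append(c if c in "()+*?^$|" else re.escape(c))
            i += 1
    return "".join(out)

# Phase 1 (pre-decoding): strip the syslog header, as the decoder test output shows.
_SYSLOG = re.compile(r"^\w{3} +\d{1,2} \d\d:\d\d:\d\d (\S+) ([^\s\[:]+)(?:\[\d+\])?: (.*)$")

def predecode(line):
    m = _SYSLOG.match(line)
    return None if not m else {"hostname": m.group(1), "program_name": m.group(2), "log": m.group(3)}

def decoder(name, prematch=None, regex=None, order=()):
    """Build a child of the 'postfix' decoder from the fields used in the XML."""
    return {"name": name, "order": list(order),
            "prematch": re.compile(osregex_to_python(prematch)) if prematch else None,
            "regex": re.compile(osregex_to_python(regex)) if regex else None}

def order_mismatch(dec):
    """The check to run before loading: every capture group needs a name in <order>."""
    if dec["regex"] is None or dec["regex"].groups == len(dec["order"]):
        return None
    return f"{dec['name']}: regex has {dec['regex'].groups} groups but order lists {len(dec['order'])} fields"

def decode(line, children):
    """Phase 2, simplified model: siblings are tried in file order, first hit wins."""
    pre = predecode(line)
    if pre is None or not pre["program_name"].startswith("postfix"):
        return None  # the parent 'postfix' decoder would not claim this line
    for dec in children:
        if dec["prematch"] and not dec["prematch"].search(pre["log"]):
            continue
        fields = {"name": dec["name"], "parent": "postfix"}
        if dec["regex"]:
            m = dec["regex"].search(pre["log"])
            if not m:
                continue
            fields.update(zip(dec["order"], m.groups()))  # surplus groups are dropped
        return fields
    return {"name": "postfix", "parent": "postfix"}  # only the parent matched

# Javier's subject decoder with \p around the angle brackets, so addresses come out
# without '<' and '>' (a variant written for this example, not his exact text).
SUBJECT = decoder(
    "custom-header-subj",
    prematch=r"^85FCE1015056: warning: header Subject:",
    regex=r"^85FCE1015056: warning: (header Subject: \.+) from (\.+); from=\p(\.+)\p to=\p(\.+)\p proto=(\.+) helo=\p(\.+)\p$",
    order=["custom-warning", "dominio", "pxfrom", "pxto", "pxproto", "pxhelo"])
# His Content-Disposition decoder as posted: seven groups but six names, so the
# filename lands in 'dominio' and later fields shift, exactly as in his test output.
ATTACH_AS_POSTED = decoder(
    "custom-header-cd",
    prematch=r"^85FCE1015056: warning: header Content-Disposition:",
    regex=r'^85FCE1015056: warning: (header Content-Disposition: \.+); filename="(\.+)" from (\.+); from=(\.+) to=(\.+) proto=(\.+) helo=(\.+)$',
    order=["custom-warning", "dominio", "pxfrom", "pxto", "pxproto", "pxhelo"])
# The same decoder with a name for every group and \p for the brackets.
ATTACH_FIXED = decoder(
    "custom-header-cd",
    prematch=r"^85FCE1015056: warning: header Content-Disposition:",
    regex=r'^85FCE1015056: warning: (header Content-Disposition: \.+); filename="(\.+)" from (\.+); from=\p(\.+)\p to=\p(\.+)\p proto=(\.+) helo=\p(\.+)\p$',
    order=["custom-warning", "filename", "dominio", "pxfrom", "pxto", "pxproto", "pxhelo"])
# A broad sibling listed first shadows the specific ones: the ordering problem
# Brandon describes at the end of the thread, in this simplified model.
CATCH_ALL = decoder("custom-header-any", prematch=r"^85FCE1015056: warning: header")

if __name__ == "__main__":
    for dec in (SUBJECT, ATTACH_AS_POSTED, ATTACH_FIXED):
        print(order_mismatch(dec) or f"{dec['name']}: <order> and <regex> agree")
    for line in SAMPLE_LINES:
        print(decode(line, [SUBJECT, ATTACH_FIXED]))
        print(decode(line, [CATCH_ALL, SUBJECT, ATTACH_FIXED])["name"])  # custom-header-any
```

Running the script prints the mismatch warning for the decoder as posted, the fully named fields for the corrected pair, and then 'custom-header-any' for both lines once the catch-all sibling is listed first. The same reasoning applies to Brandon's original decoders: a sibling that matches too broadly, or an <order> list that does not line up with the capture groups, is what the ruleset test exposes, so compare group count against field count and the order of siblings before looking for subtler causes.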