Help me Decoders and Rules - Switch HP


wesley staenle

Dec 10, 2021, 9:41:37 AM
to Wazuh mailing list
Hi.
I changed the format of the log, can you help me to create the decoder and the rule?

----

root@wazuh:/var/ossec/bin# ./wazuh-logtest
Starting wazuh-logtest v4.2.5
Type one log per line

Dec  9 13:10:25 SA-DC-ALL-SSC-01 %%10SHELL/5/SHELL_LOGIN(l): supredes logged in from 10.206.104.43.

**Phase 1: Completed pre-decoding.
        full event: 'Dec  9 13:10:25 SA-DC-ALL-SSC-01 %%10SHELL/5/SHELL_LOGIN(l): supredes logged in from 10.206.104.43.'
        timestamp: 'Dec  9 13:10:25'
        hostname: 'SA-DC-ALL-SSC-01'

**Phase 2: Completed decoding.
        name: 'hp_5500'
        action: 'SHELL_LOGIN(l)'
        id: '5'
        srcip: '10.206.104.43'
        url: 'SHELL'

**Phase 3: Completed filtering (rules).
        id: '81706'
        level: '1'
        description: 'HP 5500 EI - Notification event'
        groups: '['hp', 'hp5500', 'hp-notification']'
        firedtimes: '1'
        mail: 'False'



###############################


root@wazuh:/var/ossec/bin# ./wazuh-logtest
Starting wazuh-logtest v4.2.5
Type one log per line

Dec  9 13:10:31 SA-DC-ALL-SSC-01 %%10SHELL/6/SHELL_CMD(l): -Task=vt0-IPAddr=10.206.104.43-User=supredes; Command is disp current-configuration

**Phase 1: Completed pre-decoding.
        full event: 'Dec  9 13:10:31 SA-DC-ALL-SSC-01 %%10SHELL/6/SHELL_CMD(l): -Task=vt0-IPAddr=10.206.104.43-User=supredes; Command is disp current-configuration'
        timestamp: 'Dec  9 13:10:31'
        hostname: 'SA-DC-ALL-SSC-01'

**Phase 2: Completed decoding.
        name: 'hp_5500'
        action: 'SHELL_CMD(l)'
        id: '6'
        url: 'SHELL'

**Phase 3: Completed filtering (rules).
        id: '81707'
        level: '0'
        description: 'HP 5500 EI - Informational event'
        groups: '['hp', 'hp5500', 'hp-informational']'
        firedtimes: '1'
        mail: 'False'

Nicolas Oscar Lastra

Dec 10, 2021, 5:32:54 PM
to Wazuh mailing list
Hi Wesley. I'm going to be trying to help you with this. On Monday I will do some tests with the parameters that changed in your example log.

Have a good weekend!

wesley staenle

Dec 13, 2021, 1:02:11 PM
to Wazuh mailing list

Thank you, have a great week.

Nicolas Oscar Lastra

Dec 14, 2021, 2:41:21 PM
to Wazuh mailing list
Hi @Wesley,

The new decoder could add stages to capture new parameters. One possible option would be:

Decoder example:
Add decoder in /var/ossec/etc/decoders/local_decoder.xml

```
<decoder name="hp_5500_fields">
    <parent>hp_5500</parent>
    <regex offset="after_parent">-Task=(\w+)-IPAddr=(\d+.\d+.\d+.\d+)-User=(\w+)</regex>
    <order>extra_data, srcip, user</order>
</decoder>
```
parent: hp_5500 corresponds to the original Wazuh decoder. This decoder adds new features:
  • Task as extra_data
  • IPAddr as srcip
  • User as user
Note 1: it is necessary to restart wazuh-manager:
systemctl restart wazuh-manager

Decoder test:

/var/ossec/bin/wazuh-logtest
Starting wazuh-logtest v4.3.0
Type one log per line

Dec 9 13:10:31 SA-DC-ALL-SSC-01 %%10SHELL/6/SHELL_CMD(l): -Task=vt0-IPAddr=10.206.104.43-User=supredes; Command is disp current-configuration

**Phase 1: Completed pre-decoding.
        full event: 'Dec 9 13:10:31 SA-DC-ALL-SSC-01 %%10SHELL/6/SHELL_CMD(l): -Task=vt0-IPAddr=10.206.104.43-User=supredes; Command is disp current-configuration'
        timestamp: 'Dec 9 13:10:31'
        hostname: 'SA-DC-ALL-SSC-01'

**Phase 2: Completed decoding.
        name: 'hp_5500'
        action: 'SHELL_CMD(l)'
        dstuser: 'supredes'
        extra_data: 'vt0'
        id: '6'
        srcip: '10.206.104.43'
        url: 'SHELL'

**Phase 3: Completed filtering (rules).
        id: '81707'
        level: '0'
        description: 'HP 5500 EI - Informational event'
        groups: '['hp', 'hp5500', 'hp-informational']'
        firedtimes: '1'
        mail: 'False'

About adding a new rule:
Could you tell me what you are looking for?
Initially, Wazuh already has a set of rules for hp5500. They can be modified; for that, it is necessary to overwrite them (in the custom rules path). This example only modifies one rule, number 81707.
vim /var/ossec/etc/rules/local_rules.xml
```
<!-- Original rule: 81707
<rule id="81707" level="0">
  <if_sid>81700</if_sid>
  <id>6</id>
  <description>HP 5500 EI - Informational event</description>
  <group>hp-informational,</group>
</rule>
-->
<rule id="81707" level="0" overwrite="yes">
  <if_sid>81700</if_sid>
  <id>6</id>
  <description>HP 5500 EI - Informational event</description>
  <group>hp-informational,</group>
</rule>
```
Note 2: When you override the behavior of a rule, it is recommended to copy the original structure of the rule, make the modifications that you consider, and add the parameter overwrite="yes".

Note 3: it is necessary to restart wazuh-manager:
systemctl restart wazuh-manager
The reference documentation to go deeper into decoders and rules would be:

wesley staenle

Dec 15, 2021, 6:23:05 AM
to Wazuh mailing list
I would like to capture the commands performed; the login/logout events are OK.

wesley staenle

Dec 15, 2021, 7:13:41 AM
to Wazuh mailing list
Syslog:

root@wazuh:/var/ossec/ruleset/rules# tail -f /var/log/sa-dc-all-ssc-01.log | grep SA-DC-ALL-SSC-01
Dec 15 08:49:41 SA-DC-ALL-SSC-01 %%10SC/6/SC_AAA_LAUNCH(l): -AAAType=AUTHEN-AAAScheme= local-Service=login-UserName=supredes@system; AAA launched.
Dec 15 08:49:41 SA-DC-ALL-SSC-01 %%10SC/6/SC_AAA_SUCCESS(l): -AAAType=AUTHEN-AAAScheme= local-Service=login-UserName=supredes@system; AAA is successful.
Dec 15 08:49:41 SA-DC-ALL-SSC-01 %%10SC/6/SC_AAA_LAUNCH(l): -AAAType=AUTHOR-AAAScheme= local-Service=login-UserName=supredes@system; AAA launched.
Dec 15 08:49:41 SA-DC-ALL-SSC-01 %%10SC/6/SC_AAA_SUCCESS(l): -AAAType=AUTHOR-AAAScheme= local-Service=login-UserName=supredes@system; AAA is successful.
Dec 15 08:49:41 SA-DC-ALL-SSC-01 %%10SC/6/SC_AAA_LAUNCH(l): -AAAType=ACCOUNT-AAAScheme= local-Service=login-UserName=supredes@system; AAA launched.
Dec 15 08:49:41 SA-DC-ALL-SSC-01 %%10SC/6/SC_AAA_SUCCESS(l): -AAAType=ACCOUNT-AAAScheme= local-Service=login-UserName=supredes@system; AAA is successful.
Dec 15 08:49:41 SA-DC-ALL-SSC-01 %%10SHELL/4/LOGIN(t):   Trap 1.3.6.1.4.1.25506.2.2.1.1.3.0.1:supredes login from VTY
Dec 15 08:49:41 SA-DC-ALL-SSC-01 %%10SHELL/5/SHELL_LOGIN(l): supredes logged in from 10.206.104.43.
Dec 15 08:49:44 SA-DC-ALL-SSC-01 %%10SHELL/6/SHELL_CMD(l): -Task=vt0-IPAddr=10.206.104.43-User=supredes; Command is disp current-configuration
Dec 15 08:58:43 SA-DC-ALL-SSC-01 %%10DHCPR/5/DHCPR_DETECT_SERVER(l): DHCP Relay information: DHCP Relay interface = Vlan-interface940, server IP (detected by DHCP Relay) = 10.206.254.3.
Dec 15 09:09:29 SA-DC-ALL-SSC-01 %%10SHELL/6/SHELL_CMD(l): -Task=vt0-IPAddr=10.206.104.43-User=supredes; Command is disp current-configuration
Dec 15 09:09:32 SA-DC-ALL-SSC-01 %%10SHELL/4/LOGOUT(t):   Trap 1.3.6.1.4.1.25506.2.2.1.1.3.0.2:supredes logout from VTY
Dec 15 09:09:32 SA-DC-ALL-SSC-01 %%10SHELL/6/SHELL_CMD(l): -Task=vt0-IPAddr=10.206.104.43-User=supredes; Command is quit


Alerts.json:


root@wazuh:/var/ossec/ruleset/rules# tail -f /var/ossec/logs/alerts/alerts.json | grep SA-DC-ALL-SSC-01


{"timestamp":"2021-12-15T09:11:37.649-0300","rule":{"level":3,"description":"HP 5500 EI - Warning event","id":"81705","firedtimes":2,"mail":true,"groups":["hp","hp5500","hp-warning"]},"agent":{"id":"000","name":"wazuh"},"manager":{"name":"wazuh"},"id":"1639570297.1342016731","full_log":"Dec 15 09:11:36 SA-DC-ALL-SSC-01 %%10SHELL/4/LOGIN(t):   Trap 1.3.6.1.4.1.25506.2.2.1.1.3.0.1:supredes login from VTY","predecoder":{"timestamp":"Dec 15 09:11:36","hostname":"SA-DC-ALL-SSC-01"},"decoder":{"name":"hp_5500"},"data":{"action":"LOGIN(t)","id":"4","url":"SHELL"},"location":"/var/log/syslog"}

Wazuh-logtest:


root@wazuh:/var/ossec/bin# ./wazuh-logtest
Starting wazuh-logtest v4.2.5
Type one log per line

Dec 15 09:09:29 SA-DC-ALL-SSC-01 %%10SHELL/6/SHELL_CMD(l): -Task=vt0-IPAddr=10.206.104.43-User=supredes; Command is disp current-configuration

**Phase 1: Completed pre-decoding.
        full event: 'Dec 15 09:09:29 SA-DC-ALL-SSC-01 %%10SHELL/6/SHELL_CMD(l): -Task=vt0-IPAddr=10.206.104.43-User=supredes; Command is disp current-configuration'
        timestamp: 'Dec 15 09:09:29'
        hostname: 'SA-DC-ALL-SSC-01'

**Phase 2: Completed decoding.
        name: 'hp_5500'
        action: 'SHELL_CMD(l)'
        id: '6'
        url: 'SHELL'

**Phase 3: Completed filtering (rules).
        id: '81707'
        level: '0'
        description: 'HP 5500 EI - Informational event'
        groups: '['hp', 'hp5500', 'hp-informational']'
        firedtimes: '1'
        mail: 'False'

Nicolas Oscar Lastra

Dec 21, 2021, 6:55:44 PM
to Wazuh mailing list
Hello Wesley, to do what you are now asking for:

We take this log as an example:

```
Dec  9 13:10:31 SA-DC-ALL-SSC-01 %%10SHELL/6/SHELL_CMD(l): -Task=vt0-IPAddr=10.206.104.43-User=supredes; Command is disp current-configuration
```

We generate the decoder to extend the base data of hp_5500.


Add decoder in /var/ossec/etc/decoders/local_decoder.xml
```
<decoder name="hp_5500_fields">
    <parent>hp_5500</parent>
    <regex offset="after_parent">-IPAddr=(\d+.\d+.\d+.\d+)-User=(\w+); Command (\.)</regex>
    <order>srcip, user, command</order>
</decoder>
```

Then you must add a custom rule. This rule would remain as a child of rule 81700 of the Wazuh default ruleset.
The <id> of custom rules will be in the range from 100000 to 120000.

vim /var/ossec/etc/rules/local_rules.xml
```
<group name="hp,hp5500,">
  <rule id="120000" level="8">
      <if_sid>81700, 81701, 81702, 81703, 81704, 81705, 81706, 81707, 81708, 81709, 81710</if_sid>
      <field name="command">^is</field>
      <description>HP 5500 EI - Command event: $(command)</description>
      <group>hp-informational,</group>
  </rule>
</group>
```

Now, it is necessary to restart wazuh-manager:
systemctl restart wazuh-manager

Test decoder and rule:


**Phase 1: Completed pre-decoding.
        full event: 'Dec  9 13:10:31 SA-DC-ALL-SSC-01 %%10SHELL/6/SHELL_CMD(l): -Task=vt0-IPAddr=10.206.104.43-User=supredes; Command is disp current-configuration'
        timestamp: 'Dec  9 13:10:31'
        hostname: 'SA-DC-ALL-SSC-01'

**Phase 2: Completed decoding.
        name: 'hp_5500'
        action: 'SHELL_CMD(l)'
        command: 'disp current-configuration'
        dstuser: 'supredes'
        id: '6'
        srcip: '10.206.104.43'
        url: 'SHELL'

**Phase 3: Completed filtering (rules).
        id: '120000'
        level: '8'
        description: 'HP 5500 EI - Command event: is disp current-configuration'
        groups: '['hp', 'hp5500', 'hp-informational']'
        firedtimes: '1'
        mail: 'False'
**Alert to be generated.

Let me know if that works!
Regards.

wesley staenle

Dec 22, 2021, 5:54:40 AM
to Wazuh mailing list
Hello.
Still not generating alerts in alerts.json.



root@wazuh:/var/ossec/bin# ./wazuh-logtest
Starting wazuh-logtest v4.2.5
Type one log per line

Dec 22 07:45:19 SA-DC-ALL-SSC-01 %%10SHELL/6/SHELL_CMD(l): -Task=vt0-IPAddr=10.206.104.43-User=supredes; Command is quit

**Phase 1: Completed pre-decoding.
        full event: 'Dec 22 07:45:19 SA-DC-ALL-SSC-01 %%10SHELL/6/SHELL_CMD(l): -Task=vt0-IPAddr=10.206.104.43-User=supredes; Command is quit'
        timestamp: 'Dec 22 07:45:19'
        hostname: 'SA-DC-ALL-SSC-01'

**Phase 2: Completed decoding.
        name: 'hp_5500'
        action: 'SHELL_CMD(l)'
        command: 'i'
        dstuser: 'supredes'
        id: '6'
        srcip: '10.206.104.43'
        url: 'SHELL'

**Phase 3: Completed filtering (rules).
        id: '81707'
        level: '0'
        description: 'HP 5500 EI - Informational event'
        groups: '['hp', 'hp5500', 'hp-informational']'
        firedtimes: '1'
        mail: 'False'

--------------------------------------------

root@wazuh:/var/ossec/bin# tail -f /var/log/sa-dc-all-ssc-01.log | grep SA-DC-ALL-SSC-01
Dec 22 07:34:38 SA-DC-ALL-SSC-01 %%10SC/6/SC_AAA_SUCCESS(l): -AAAType=AUTHEN-AAAScheme= local-Service=login-UserName=supredes@system; AAA is successful.
Dec 22 07:34:38 SA-DC-ALL-SSC-01 %%10SC/6/SC_AAA_LAUNCH(l): -AAAType=AUTHOR-AAAScheme= local-Service=login-UserName=supredes@system; AAA launched.
Dec 22 07:34:38 SA-DC-ALL-SSC-01 %%10SC/6/SC_AAA_SUCCESS(l): -AAAType=AUTHOR-AAAScheme= local-Service=login-UserName=supredes@system; AAA is successful.
Dec 22 07:34:38 SA-DC-ALL-SSC-01 %%10SC/6/SC_AAA_LAUNCH(l): -AAAType=ACCOUNT-AAAScheme= local-Service=login-UserName=supredes@system; AAA launched.
Dec 22 07:34:38 SA-DC-ALL-SSC-01 %%10SC/6/SC_AAA_SUCCESS(l): -AAAType=ACCOUNT-AAAScheme= local-Service=login-UserName=supredes@system; AAA is successful.
Dec 22 07:34:38 SA-DC-ALL-SSC-01 %%10SHELL/4/LOGIN(t):   Trap 1.3.6.1.4.1.25506.2.2.1.1.3.0.1:supredes login from VTY
Dec 22 07:34:38 SA-DC-ALL-SSC-01 %%10SHELL/5/SHELL_LOGIN(l): supredes logged in from 10.206.104.43.
Dec 22 07:34:42 SA-DC-ALL-SSC-01 %%10SHELL/6/SHELL_CMD(l): -Task=vt0-IPAddr=10.206.104.43-User=supredes; Command is system-view
Dec 22 07:34:55 SA-DC-ALL-SSC-01 %%10SHELL/6/SHELL_CMD(l): -Task=vt0-IPAddr=10.206.104.43-User=supredes; Command is disp current-configuration
Dec 22 07:44:27 SA-DC-ALL-SSC-01 %%10SHELL/6/SHELL_CMD(l): -Task=vt0-IPAddr=10.206.104.43-User=supredes; Command is disp vlan

-----------------------
root@wazuh:/var/ossec/bin# tail -f /var/ossec/logs/alerts/alerts.json | grep SA-DC-ALL-SSC-01
{"timestamp":"2021-12-22T07:50:04.150-0300","rule":{"level":3,"description":"HP 5500 EI - Warning event","id":"81705","firedtimes":1,"mail":true,"groups":["hp","hp5500","hp-warning"]},"agent":{"id":"000","name":"wazuh"},"manager":{"name":"wazuh"},"id":"1640170204.5817228576","full_log":"Dec 22 07:50:03 SA-DC-ALL-SSC-01 %%10SHELL/4/LOGOUT(t):   Trap 1.3.6.1.4.1.25506.2.2.1.1.3.0.2:supredes logout from VTY","predecoder":{"timestamp":"Dec 22 07:50:03","hostname":"SA-DC-ALL-SSC-01"},"decoder":{"name":"hp_5500"},"data":{"action":"LOGOUT(t)","id":"4","url":"SHELL"},"location":"/var/log/syslog"}
{"timestamp":"2021-12-22T07:50:14.192-0300","rule":{"level":3,"description":"HP 5500 EI - Warning event","id":"81705","firedtimes":2,"mail":true,"groups":["hp","hp5500","hp-warning"]},"agent":{"id":"000","name":"wazuh"},"manager":{"name":"wazuh"},"id":"1640170214.5818388680","full_log":"Dec 22 07:50:14 SA-DC-ALL-SSC-01 %%10SHELL/4/LOGIN(t):   Trap 1.3.6.1.4.1.25506.2.2.1.1.3.0.1:supredes login from VTY","predecoder":{"timestamp":"Dec 22 07:50:14","hostname":"SA-DC-ALL-SSC-01"},"decoder":{"name":"hp_5500"},"data":{"action":"LOGIN(t)","id":"4","url":"SHELL"},"location":"/var/log/syslog"}

wesley staenle

Dec 22, 2021, 6:13:32 AM
to Wazuh mailing list
root@wazuh:/var/ossec/bin# cat /var/ossec/etc/decoders/local_decoder.xml
<!-- Local Decoders -->

<!-- Modify it at your will. -->
<!-- Copyright (C) 2015-2020, Wazuh Inc. -->

<!--
  - Allowed static fields:
  - location   - where the log came from (only on FTS)
  - srcuser    - extracts the source username
  - dstuser    - extracts the destination (target) username
  - user       - an alias to dstuser (only one of the two can be used)
  - srcip      - source ip
  - dstip      - dst ip
  - srcport    - source port
  - dstport    - destination port
  - protocol   - protocol
  - id         - event id
  - url        - url of the event
  - action     - event action (deny, drop, accept, etc)
  - status     - event status (success, failure, etc)
  - extra_data - Any extra data
-->

<decoder name="local_decoder_example">
    <program_name>local_decoder_example</program_name>
</decoder>
<decoder name="hp_5500_fields">
    <parent>hp_5500</parent>
    <regex offset="after_parent">-IPAddr=(\d+.\d+.\d+.\d+)-User=(\w+); Command (\.)</regex>
    <order>srcip, user, command</order>
</decoder>

-------------------------------
root@wazuh:/var/ossec/bin# cat /var/ossec/etc/rules/local_rules.xml
<!-- Local rules -->

<!-- Modify it at your will. -->
<!-- Copyright (C) 2015-2020, Wazuh Inc. -->

<!-- Example -->
<group name="local,syslog,sshd,hp,hp5500,">

  <!--
  Dec 10 01:02:02 host sshd[1234]: Failed none for root from 1.1.1.1 port 1066 ssh2
  -->
  <rule id="100001" level="5">
    <if_sid>5716</if_sid>
    <srcip>1.1.1.1</srcip>
    <description>sshd: authentication failed from IP 1.1.1.1.</description>
    <group>authentication_failed,pci_dss_10.2.4,pci_dss_10.2.5,</group>
  </rule>

  <rule id="100000" level="3">
    <if_sid>70020</if_sid>
    <field name="log_subtype">Admin</field>
    <description>Event_Administrator</description>
  </rule>

  <rule id="100002" level="3">
    <if_sid>70020</if_sid>
    <field name="log_subtype">Authentication</field>
    <description>Authentication</description>
  </rule>

  <rule id="100003" level="3">
    <if_sid>70020</if_sid>
    <field name="log_subtype">Drop</field>
    <description>IPS</description>
  </rule>

  <rule id="100004" level="8">
      <if_sid>81700, 81701, 81702, 81703, 81704, 81705, 81706, 81707, 81708, 81709, 81710</if_sid>
      <field name="command">^is</field>
      <description>HP 5500 EI - Command event: $(command)</description>
      <group>hp-informational,</group>
  </rule>

</group>
root@wazuh:/var/ossec/bin#

Nicolas Oscar Lastra

Dec 24, 2021, 11:50:34 AM
to Wazuh mailing list
Hi Wesley,

There I could check; when I gave you the decoder I must have made some confusion. I apologize.

The correct decoder is:


```
<decoder name="hp_5500_fields">
    <parent>hp_5500</parent>
    <regex offset="after_parent">-IPAddr=(\d+.\d+.\d+.\d+)-User=(\w+); Command (\.+)</regex>
    <order>srcip, user, command</order>
</decoder>
```

Note, as you will notice, it is the same, but the command regex was missing a + at the end.
If you apply that change and restart the wazuh-manager service, you can check the operation with the rule and decoder test.

I attach my example with the log you sent.

```
**Phase 1: Completed pre-decoding.
        full event: Dec 22 07:45:19 SA-DC-ALL-SSC-01 %%10SHELL/6/SHELL_CMD(l): -Task=vt0-IPAddr=10.206.104.43-User=supredes; Command is quit
        timestamp: Dec 22 07:45:19
        hostname: SA-DC-ALL-SSC-01
        program_name: -

**Phase 2: Completed decoding.
        name: hp_5500
        data: {
            "action": "SHELL_CMD(l)",
            "srcip": "10.206.104.43",
            "dstuser": "supredes",
            "id": "6",
            "url": "SHELL",
            "command": "is quit"
        }

**Phase 3: Completed filtering (rules).
        id: 120000
        level: 8
        description: HP 5500 EI - Command event: is quit
        groups: ["hp","hp5500","hp-informational"]
        firedtimes: 1
        gdpr: "-"
        gpg13: "-"
        hipaa: "-"
        mail: "-"
        mitre.id: "-"
        mitre.technique: "-"
        nist_800_53: "-"
        pci_dss: "-"
        tsc: "-"
**Alert to be generated.
```
I wish you happy festivities! Greetings from the Wazuh team!
Let me know if that works!
Regards.
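The root cause of the whole exchange (the Dec 21 decoder and rule, and the Dec 24 correction) is that in Wazuh's OS_Regex syntax `\.` means "any single character", so `(\.)` captures only `i` from `Command is quit`, the rule's `<field name="command">^is</field>` never matches, and the event falls back to base rule 81707. The script below is an added example, not code from the thread or from Wazuh: it translates the OS_Regex subset used in these decoders into Python `re` syntax (an approximation, since Python backtracks and OS_Regex does not), applies a constructed stand-in for the parent `hp_5500` decoder (not the ruleset's own regex) so the child regex sees the same `after_parent` remainder, and then evaluates rule 120000 against the `command` field. The names `osregex_to_python`, `decode`, `evaluate_rules` and `run` are hypothetical helpers; the log lines and decoders are the ones posted above.

```python
import re

# OS_Regex escapes (Wazuh decoder regex syntax) mapped to Python classes.
# "\." in OS_Regex means ANY character, which is the root cause in the thread:
# (\.) captures exactly one character, (\.+) captures the rest of the line.
OSREGEX_ESCAPES = {
    r"\w": r"[A-Za-z0-9@_\-]",
    r"\d": r"[0-9]",
    r"\s": r" ",
    r"\.": r".",
}


def osregex_to_python(pattern):
    """Translate the OS_Regex subset used in this thread to Python 're' syntax.

    Approximation: Python backtracks and OS_Regex does not, so this reproduces
    the thread's cases rather than every OS_Regex corner case.
    """
    out, i = [], 0
    while i < len(pattern):
        ch = pattern[i]
        if ch == "\\":
            tok = pattern[i:i + 2]
            if tok not in OSREGEX_ESCAPES:
                raise ValueError("unsupported OS_Regex escape: " + tok)
            out.append(OSREGEX_ESCAPES[tok])
            i += 2
            continue
        # Grouping, repetition and anchors keep their meaning; anything else,
        # including a bare '.', is a literal character in OS_Regex.
        out.append(ch if ch in "()+*^$|" else re.escape(ch))
        i += 1
    return "".join(out)


# Constructed stand-in for the parent 'hp_5500' decoder (not the ruleset's own
# regex): it consumes the syslog header and the "%%10MODULE/LEVEL/EVENT: "
# prefix and yields the url/id/action fields that wazuh-logtest showed.
PARENT_HP_5500 = re.compile(
    r"^[A-Z][a-z]{2}\s+\d+ \d\d:\d\d:\d\d \S+ "
    r"%%10(?P<url>\w+)/(?P<id>\d+)/(?P<action>[^:]+): "
)

# 'user' is an alias of 'dstuser' in Wazuh decoders, which is why logtest
# prints dstuser although the <order> says user.
FIELD_ALIASES = {"user": "dstuser"}


def decode(line, child_regex, child_order):
    """Apply the parent stand-in, then the child regex as offset="after_parent"."""
    parent = PARENT_HP_5500.match(line)
    if not parent:
        return {}
    fields = {k: parent.group(k) for k in ("url", "id", "action")}
    child = re.search(osregex_to_python(child_regex), line[parent.end():])
    if child:
        names = [FIELD_ALIASES.get(n.strip(), n.strip()) for n in child_order.split(",")]
        fields.update(zip(names, child.groups()))
    return fields


def evaluate_rules(fields):
    """Rule 120000 from the thread, with base rule 81707 as the fallback.

    The <if_sid> chain counts as satisfied because the parent decoder matched;
    only <field name="command">^is</field> is evaluated here.
    """
    command = fields.get("command", "")
    if re.search(osregex_to_python("^is"), command):
        return {"id": "120000", "level": 8,
                "description": "HP 5500 EI - Command event: " + command}
    return {"id": "81707", "level": 0,
            "description": "HP 5500 EI - Informational event"}


def run(line, decoder):
    """Decode one line with a (regex, order) child decoder; return (fields, rule)."""
    fields = decode(line, *decoder)
    return fields, evaluate_rules(fields)


# Sample events copied from the thread's logtest sessions.
LOG_QUIT = ("Dec 22 07:45:19 SA-DC-ALL-SSC-01 %%10SHELL/6/SHELL_CMD(l): "
            "-Task=vt0-IPAddr=10.206.104.43-User=supredes; Command is quit")
LOG_DISP = ("Dec  9 13:10:31 SA-DC-ALL-SSC-01 %%10SHELL/6/SHELL_CMD(l): "
            "-Task=vt0-IPAddr=10.206.104.43-User=supredes; Command is disp current-configuration")

# The three child decoders posted in the thread, as (regex, order) pairs.
DECODER_TASK = (r"-Task=(\w+)-IPAddr=(\d+.\d+.\d+.\d+)-User=(\w+)", "extra_data, srcip, user")
DECODER_BROKEN = (r"-IPAddr=(\d+.\d+.\d+.\d+)-User=(\w+); Command (\.)", "srcip, user, command")
DECODER_FIXED = (r"-IPAddr=(\d+.\d+.\d+.\d+)-User=(\w+); Command (\.+)", "srcip, user, command")

if __name__ == "__main__":
    for label, dec in (("(\\.) ", DECODER_BROKEN), ("(\\.+)", DECODER_FIXED)):
        fields, rule = run(LOG_QUIT, dec)
        print(label, "command =", repr(fields.get("command")), "-> rule", rule["id"])
```

Running it prints `command = 'i'` with rule 81707 for the `(\.)` decoder and `command = 'is quit'` with rule 120000 for the `(\.+)` decoder, which is exactly the difference between Wesley's logtest run and Nicolas's corrected one. For anything beyond this subset (for example `\p`, `\W` or alternation edge cases), `wazuh-logtest` on the manager remains the authoritative check, because it runs the real OS_Regex engine.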