Custom decoder and logtest on trendmicro


Francisco Camêlo

Oct 6, 2024, 11:40:40 PM
to Wazuh | Mailing List
Hi guys, I'm configuring a decoder for Trend Micro's WFBS-SVC. Here's the log I'm writing the decoder for:

2024-10-04 15:30:48 192.168.20.127 WFBS-SVC-AC [LogV...@1.3.6.1.4.1.6101 Action Taken="Attempt to clean infected file was unsuccessful; File quarantined successfully" Device name="TECH-04" Domain="group2" File name="eicar. txt" Generated="2024-10-04T15:30:27+01:00" Group name="tech" IPv6 Address="-" Infection Channel="Local or network drive" Label="" Path="C:\Users\user\Downloads\" Received="2024-10-04T15:30:48+01:00" Scan Type="Real-time analysis" Virus/Malware Name="Eicar_test_1"]

I wrote the decoder as follows:

<!-- Parent decoder. The event is not in syslog format (it starts with an ISO
     date, not "Mon DD HH:MM:SS host program[pid]:"), so the pre-decoder never
     sets program_name and a <program_name> condition can never match. Anchor
     on the product marker with a prematch instead. Custom decoders in
     etc/decoders are loaded after the default ruleset, so a default decoder
     whose prematch also fits this date format (windows-date-format, as the
     logtest output below shows) is still selected first unless it is
     overridden as described in the Wazuh documentation on modifying default
     decoders. -->
<decoder name="trendmicro-wfbs-events">
    <prematch type="pcre2">^\d{4}-\d\d-\d\d \d\d:\d\d:\d\d \S+ WFBS-SVC-AC </prematch>
</decoder>

<!-- Child decoders. Consecutive children with the same name are evaluated one
     after another, so each one extracts a single field and the result is the
     union. All patterns are PCRE2: in PCRE2 "\." is a literal dot (only in
     Wazuh's default OSRegex syntax does it mean "any character") and "|"
     alternation does not exist in OSRegex, so quoted values are captured with
     [^"]+ (which also keeps spaces and semicolons inside the value) and the
     Action / Action Taken variants are expressed with an optional group. -->
<decoder name="trendmicro-wfbs-events-logs">
    <parent>trendmicro-wfbs-events</parent>
    <regex type="pcre2">^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)</regex>
    <order>timestamp</order>
</decoder>
<decoder name="trendmicro-wfbs-events-logs">
    <parent>trendmicro-wfbs-events</parent>
    <regex type="pcre2">^\S+ \S+ (\S+) WFBS-SVC-AC</regex>
    <order>ip_machine</order>
</decoder>
<decoder name="trendmicro-wfbs-events-logs">
    <parent>trendmicro-wfbs-events</parent>
    <!-- Whatever sits between "[" and the "@" of the vendor OID; dots are escaped in PCRE2. -->
    <regex type="pcre2">\[([^@\s]+)@1\.3\.6\.1\.4\.1\.6101</regex>
    <order>type_log</order>
</decoder>
<decoder name="trendmicro-wfbs-events-logs">
    <parent>trendmicro-wfbs-events</parent>
    <regex type="pcre2">Action(?: Taken)?="([^"]+)"</regex>
    <order>action</order>
</decoder>
<decoder name="trendmicro-wfbs-events-logs">
    <parent>trendmicro-wfbs-events</parent>
    <regex type="pcre2">Group name="([^"]+)"</regex>
    <order>group_name</order>
</decoder>
<decoder name="trendmicro-wfbs-events-logs">
    <parent>trendmicro-wfbs-events</parent>
    <regex type="pcre2">IPv6 Address="([^"]+)"</regex>
    <order>ipv6_address</order>
</decoder>
<!-- URL, URL Category and User do not occur in the sample event above; they are
     kept for other WFBS-SVC event types and simply do not match here. -->
<decoder name="trendmicro-wfbs-events-logs">
    <parent>trendmicro-wfbs-events</parent>
    <regex type="pcre2">URL="([^"]+)"</regex>
    <order>url</order>
</decoder>
<decoder name="trendmicro-wfbs-events-logs">
    <parent>trendmicro-wfbs-events</parent>
    <regex type="pcre2">URL Category="([^"]+)"</regex>
    <order>url_category</order>
</decoder>
<decoder name="trendmicro-wfbs-events-logs">
    <parent>trendmicro-wfbs-events</parent>
    <regex type="pcre2">User="([^"]+)"</regex>
    <order>user</order>
</decoder>
<decoder name="trendmicro-wfbs-events-logs">
    <parent>trendmicro-wfbs-events</parent>
    <!-- Field renamed from "disp" to "file_name" so the name says what it holds. -->
    <regex type="pcre2">File name="([^"]+)"</regex>
    <order>file_name</order>
</decoder>
<decoder name="trendmicro-wfbs-events-logs">
    <parent>trendmicro-wfbs-events</parent>
    <regex type="pcre2">Infection Channel="([^"]+)"</regex>
    <order>infection_channel</order>
</decoder>
<decoder name="trendmicro-wfbs-events-logs">
    <parent>trendmicro-wfbs-events</parent>
    <regex type="pcre2">Path="([^"]+)"</regex>
    <order>path</order>
</decoder>
<decoder name="trendmicro-wfbs-events-logs">
    <parent>trendmicro-wfbs-events</parent>
    <regex type="pcre2">Scan Type="([^"]+)"</regex>
    <order>scan_type</order>
</decoder>
<decoder name="trendmicro-wfbs-events-logs">
    <parent>trendmicro-wfbs-events</parent>
    <regex type="pcre2">Virus/Malware Name="([^"]+)"</regex>
    <order>malware_name</order>
</decoder>


But the result always looks like this, no matter what I do:
**Phase 1: Completed pre-decoding.
full event: '2024-10-04 15:30:48 192.168.20.127 WFBS-SVC-AC [LogV...@1.3.6.1.4.1.6101 Action Taken="Attempt to clean infected file was unsuccessful; File quarantined successfully" Device name="TECH-04" Domain="group2" File name="eicar. txt" Generated="2024-10-04T15:30:27+01:00" Group name="tech" IPv6 Address="-" Infection Channel="Local or network drive" Label="" Path="C:\Users\user\Downloads\" Received="2024-10-04T15:30:48+01:00" Scan Type="Real-Time Scan" Virus/Malware Name="Eicar_test_1"]'

**Phase 2: Completed decoding.
name: 'windows-date-format'


Md. Nazmur Sakib

Oct 7, 2024, 12:57:45 AM
to Wazuh | Mailing List

Hi Francisco,


As you can see, your log matches another existing decoder, named windows-date-format.



So we either need to write decoders based on this decoder, or modify the existing decoder file.


Ref: https://documentation.wazuh.com/current/user-manual/ruleset/decoders/custom.html#modify-default-decoders

Before doing so, I would like to confirm that this is the right format of log we are working with.

For this, you can enable the JSON archive log in your manager's ossec.conf:


<ossec_config>
  <global>
    <!-- ... -->
    <logall_json>yes</logall_json>
    <!-- ... -->
  </global>
</ossec_config>


After making the changes, make sure to restart the manager.



We recommend creating custom rules and decoders based on archives.json, because these records contain the field full_log, which is the one parsed by the analysis engine. One of the archives.json events should look like this (the field of interest is full_log):

{
  "timestamp": "2023-09-05T02:47:40.074+0000",
  "agent": {"id": "001", "name": "abc", "ip": "10.0.2.29"},
  "manager": {"name": "Server85"},
  "id": "1693882060.373586",
  "full_log": "Sep 5 03:10:19 Server91 dbus-daemon[676]: [system] Successfully activated service 'org.freedesktop.UPower'",
  "predecoder": {"program_name": "dbus-daemon", "timestamp": "Sep 5 03:10:19", "hostname": "Server91"},
  "decoder": {},
  "location": "/var/log/syslog"
}

Note: Don't forget to disable the logall parameter once you have finished troubleshooting. Leaving it enabled could lead to high disk space consumption.


Share the JSON-format logs related to WFBS-SVC if you need further assistance with this.

cat /var/ossec/logs/archives/archives.json | grep WFBS-SVC

Looking forward to your update on the issue.
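An added example, not from the thread and not Wazuh's own code, that serves both the decoder in the first post and the archives.json check recommended in the reply above: it pulls the full_log of WFBS-SVC records out of archives.json lines (what the grep shows), then runs PCRE2-style patterns against that full_log the way a Wazuh decoder would, prematch first, so the patterns can be checked offline before they go into a `<regex type="pcre2">`. The archives.json records and the log line are constructed for this example (the log mirrors the one in the first post, with `LogV...` kept exactly as it appears there); the `/var/ossec/logs/trendmicro/wfbs.log` location is a hypothetical path. Python's `re` interprets the constructs used here the same way PCRE2 does.

```python
"""Offline check of the Trend Micro WFBS-SVC field extraction.
Added example; not code from the thread or from Wazuh."""
import json
import re

# Constructed sample log, laid out like the event in the thread. "LogV..." is
# kept exactly as it appears in the thread.
WFBS_LOG = (
    '2024-10-04 15:30:48 192.168.20.127 WFBS-SVC-AC [LogV...@1.3.6.1.4.1.6101 '
    'Action Taken="Attempt to clean infected file was unsuccessful; '
    'File quarantined successfully" Device name="TECH-04" Domain="group2" '
    'File name="eicar.txt" Generated="2024-10-04T15:30:27+01:00" '
    'Group name="tech" IPv6 Address="-" Infection Channel="Local or network drive" '
    'Label="" Path="C:\\Users\\user\\Downloads\\" '
    'Received="2024-10-04T15:30:48+01:00" Scan Type="Real-time analysis" '
    'Virus/Malware Name="Eicar_test_1"]'
)

# Two constructed archives.json records (one per line, as the manager writes
# them): a syslog event that must be ignored, and the WFBS-SVC event.
ARCHIVES_JSON = "\n".join(json.dumps(rec) for rec in [
    {"timestamp": "2024-10-04T15:30:49.000+0000",
     "agent": {"id": "000", "name": "wazuh-manager"},
     "full_log": "Oct  4 15:30:48 srv dbus-daemon[676]: [system] Successfully "
                 "activated service 'org.freedesktop.UPower'",
     "decoder": {}, "location": "/var/log/syslog"},
    {"timestamp": "2024-10-04T15:30:49.100+0000",
     "agent": {"id": "000", "name": "wazuh-manager"},
     "full_log": WFBS_LOG,
     "decoder": {"name": "windows-date-format"},
     "location": "/var/ossec/logs/trendmicro/wfbs.log"},  # hypothetical path
])

# Parent prematch and per-field patterns in PCRE2 syntax. Multi-word keys and
# the slash in "Virus/Malware Name" are matched literally; quoted values are
# captured with [^"]+ so spaces and semicolons inside a value are kept.
PREMATCH = re.compile(r'^\d{4}-\d\d-\d\d \d\d:\d\d:\d\d \S+ WFBS-SVC-AC ')
FIELDS = {
    "timestamp":         r'^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)',
    "ip_machine":        r'^\S+ \S+ (\S+) WFBS-SVC-AC',
    "type_log":          r'\[([^@\s]+)@1\.3\.6\.1\.4\.1\.6101',
    "action":            r'Action(?: Taken)?="([^"]+)"',
    "group_name":        r'Group name="([^"]+)"',
    "ipv6_address":      r'IPv6 Address="([^"]+)"',
    "url":               r'URL="([^"]+)"',
    "url_category":      r'URL Category="([^"]+)"',
    "user":              r'User="([^"]+)"',
    "file_name":         r'File name="([^"]+)"',
    "infection_channel": r'Infection Channel="([^"]+)"',
    "path":              r'Path="([^"]+)"',
    "scan_type":         r'Scan Type="([^"]+)"',
    "malware_name":      r'Virus/Malware Name="([^"]+)"',
}
FIELD_RE = {name: re.compile(pat) for name, pat in FIELDS.items()}


def wfbs_full_logs(archives_text):
    """full_log of every archives.json record that mentions WFBS-SVC.
    A malformed line (e.g. a record still being written) is skipped."""
    out = []
    for line in archives_text.splitlines():
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue
        full_log = rec.get("full_log", "")
        if "WFBS-SVC" in full_log:
            out.append(full_log)
    return out


def decode_wfbs(full_log):
    """Mimic the decoder: when the parent prematch fails no child runs and the
    result is None; otherwise every field whose pattern matches is extracted
    (sibling child decoders are independent, so a missing URL does not block
    the antivirus fields)."""
    if not PREMATCH.search(full_log):
        return None
    fields = {}
    for name, rx in FIELD_RE.items():
        m = rx.search(full_log)
        if m:
            fields[name] = m.group(1)
    return fields


def all_kv_pairs(full_log):
    """Generic pass over the bracketed section: every key="value" pair,
    including keys the decoder does not extract (Device name, Domain, Label).
    Handy for discovering the fields of other WFBS-SVC event types."""
    return dict(re.findall(r'([A-Za-z][A-Za-z0-9 /]*?)="([^"]*)"', full_log))


if __name__ == "__main__":
    for log in wfbs_full_logs(ARCHIVES_JSON):
        print(json.dumps(decode_wfbs(log), indent=2))
        print(sorted(all_kv_pairs(log)))
```

If `decode_wfbs` returns None for a real full_log taken from archives.json, the children would never run in Wazuh either; that is the same situation the logtest output above shows, where a different parent decoder (windows-date-format) is selected before the custom one. Once the patterns extract what you expect here, they can be pasted unchanged into `<regex type="pcre2">` elements.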

Francisco Camêlo

Oct 7, 2024, 6:16:09 AM
to Wazuh | Mailing List
I don't receive the logs via syslog. I receive them through a log-forwarding API that puts them in a folder on the Wazuh server, and I am monitoring that folder with a Python command.

Md. Nazmur Sakib

Oct 8, 2024, 2:28:51 AM
to Wazuh | Mailing List

No matter how you are forwarding the logs to Wazuh, if you enable archives you should see all the logs in the archive logs. Are you able to see similar logs in archives.json?

Can you share the output of this command?

cat /var/ossec/logs/archives/archives.json | grep WFBS-SVC


Or

cat /var/ossec/logs/archives/archives.json | grep quarantined


It will help me understand the format of the logs that are forwarded to the Wazuh rule engine, and I will be able to guide you accordingly.

Looking forward to your update on the issue.
