Rule to detect login from public ip


Daniel D'Angeli

May 24, 2022, 7:48:59 AM
to Wazuh mailing list
Hi,

I created the following rule:

  <rule id="100070" level="10">
    <if_group>authentication_success</if_group>
    <regex>rhost=(10.\d+.\d+.\d+)|rhost=(172.(1[6-9]|[12]|3[01]).\d+.\d+)|rhost=(192.168.\d+.\d+)</regex>
    <description>Login successful from public ip address.</description>
  </rule>

I receive an error related to the first OR (the one with 172); if I remove it the rule starts working, otherwise I can't save it due to a syntax error. I used regex101 to work out the expression.

What is wrong with it?

Regards,
Daniel D.

Jose Antonio Izquierdo

May 24, 2022, 8:20:59 AM
to Wazuh mailing list
Hi Daniel, 

The regex has a problem in the second octet expression.

This:

   (172.(1[6-9]|[12]|3[01]).\d+.\d+)

Should be:

   (172.(?:1[6-9]|[12]|3[01]).\d+.\d+)

To avoid regex, try to capture the second octet. 

To verify, the second octet in your regex can be just: 12, 16, 17, 18, 19, 30, or 31. 

This one works for me: 

     rhost=(10\.\d+\.\d+\.\d+)|rhost=(172.(?:1[6-9]+|[12]|3[01]).\d+.\d+)|rhost=(192.168.\d+.\d+) 

Ping me if you need further help. 
Thanks,
Jose.

Jose Antonio Izquierdo

May 24, 2022, 8:32:04 AM
to Wazuh mailing list
Also Daniel, 

Consider negating the regex. The current one will match the 172, 192, and 10 networks, so mostly internal networks.

Thanks, 
Jose. 

--
Jose antonio izquierdo
M - +34 673 055 255
Skype - izquierdo.lopez (@OWLH)

Daniel D'Angeli

May 24, 2022, 8:47:48 AM
to Wazuh mailing list
Hi Jose,

Thanks for the quick response. I have this, but it doesn't allow me to save the rule due to a syntax error from the Wazuh App:

  <rule id="100070" level="10">
    <if_group>authentication_success</if_group>
    <regex negate="yes">rhost=(10\.\d+\.\d+\.\d+)|rhost=(172.(?:1[6-9]+|[12]|3[01]).\d+.\d+)|rhost=(192.168.\d+.\d+)</regex>

    <description>Login successful from public ip address.</description>
  </rule>

I copied what you wrote.

Best regards,
Daniel D.

Jose Antonio Izquierdo

May 24, 2022, 8:54:26 AM
to Wazuh mailing list
Hi, sorry, use type="pcre2"

  <rule id="100070" level="10">
    <if_group>authentication_success</if_group>
    <regex type="pcre2" negate="yes">rhost=(10\.\d+\.\d+\.\d+)|rhost=(172.(?:1[6-9]+|[12]|3[01]).\d+.\d+)|rhost=(192.168.\d+.\d+)</regex>

    <description>Login successful from public ip address.</description>
  </rule>


Hope it helps
Jose.

Daniel D'Angeli

May 24, 2022, 8:57:25 AM
to Wazuh mailing list
Hi Jose,

With pcre2 it now saves correctly; I will try some logs soon.

Best regards,
Daniel D.

Daniel D'Angeli

May 24, 2022, 10:32:49 AM
to Wazuh mailing list
Hi Jose,

I tested the rule and it works as it should, but there is a problem with addresses like 172.1.0.0 that pass as private and not public.

I adjusted the rule to make it work with that IP too, here is the final working result:

  <rule id="100070" level="10">
    <if_group>authentication_success</if_group>
    <regex type="pcre2" negate="yes">rhost=(10\.\d+\.\d+\.\d+)|rhost=(172.(?:1[6-9]+|2\d|3[01]).\d+.\d+)|rhost=(192.168.\d+.\d+)</regex>

    <description>Login successful from public ip address.</description>
  </rule>
 
  <rule id="100071" level="10">
    <if_group>authentication_failed</if_group>
    <regex type="pcre2" negate="yes">rhost=(10\.\d+\.\d+\.\d+)|rhost=(172.(?:1[6-9]+|2\d|3[01]).\d+.\d+)|rhost=(192.168.\d+.\d+)</regex>
    <description>Login failed from public ip address.</description>
  </rule>

Thanks again for the support,

Daniel D.
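The following is an added check, not code from the thread or from Wazuh: it emulates the final rule's negated regex in Python over constructed PAM-style sample lines and compares it with an RFC 1918 ground truth, so the 172.1.0.0 fix above can be confirmed and any remaining gaps in the pattern show up. The `STRICT_PRIVATE_RE` variant, the sample log lines and the function names are my own assumptions.

```python
import ipaddress
import re

# Regex of the thread's final rule 100070 (Python re behaves like PCRE2 here).
# With <regex negate="yes"> the rule fires only when this does NOT match the event.
THREAD_PRIVATE_RE = re.compile(
    r"rhost=(10\.\d+\.\d+\.\d+)"
    r"|rhost=(172.(?:1[6-9]+|2\d|3[01]).\d+.\d+)"
    r"|rhost=(192.168.\d+.\d+)"
)
# Tightened variant (my assumption, not from the thread): literal dots and no stray
# "+" after 1[6-9], so a second octet such as 166 is no longer treated as private.
STRICT_PRIVATE_RE = re.compile(
    r"rhost=(?:10\.\d+\.\d+\.\d+|172\.(?:1[6-9]|2\d|3[01])\.\d+\.\d+|192\.168\.\d+\.\d+)"
)
RHOST_RE = re.compile(r"rhost=(\d{1,3}(?:\.\d{1,3}){3})")
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample events (not real logs): PAM lines with rhost=, plus one without it.
PAM_LINE = ("sshd[2201]: pam_unix(sshd:auth): authentication failure; logname= uid=0 "
            "euid=0 tty=ssh ruser= rhost={} user=alice")
SAMPLE_RHOSTS = ["10.5.6.7", "172.16.0.1", "172.1.0.9", "172.31.255.254",
                 "172.32.0.1", "172.166.3.4", "192.168.1.10", "203.0.113.5"]
NO_RHOST_LINE = "sshd[2209]: pam_unix(sshd:session): session opened for user alice by (uid=0)"

def rule_fires(event: str, private_re: re.Pattern = THREAD_PRIVATE_RE) -> bool:
    """Emulate the negated <regex>: the rule alerts when the pattern is absent."""
    return private_re.search(event) is None

def should_fire(event: str) -> bool:
    """Ground truth: alert only when an rhost is present and lies outside RFC 1918."""
    m = RHOST_RE.search(event)
    if m is None:
        return False
    ip = ipaddress.ip_address(m.group(1))
    return not any(ip in net for net in RFC1918)

def audit(private_re: re.Pattern = THREAD_PRIVATE_RE) -> dict:
    """Map rhost (or '<no rhost>') -> (rule_fires, should_fire) for each disagreement."""
    mismatches = {}
    for event in [PAM_LINE.format(ip) for ip in SAMPLE_RHOSTS] + [NO_RHOST_LINE]:
        m = RHOST_RE.search(event)
        label = m.group(1) if m else "<no rhost>"
        fires, truth = rule_fires(event, private_re), should_fire(event)
        if fires != truth:
            mismatches[label] = (fires, truth)
    return mismatches

if __name__ == "__main__":
    print("thread regex:", audit(THREAD_PRIVATE_RE))  # {'172.166.3.4': (False, True), '<no rhost>': (True, False)}
    print("strict regex:", audit(STRICT_PRIVATE_RE))  # {'<no rhost>': (True, False)}
```

The remaining `<no rhost>` mismatch is inherent to negation alone: any authentication event without an rhost field (a local console login, for instance) is treated as public, so the rule needs an additional positive condition on the presence of rhost= if that noise matters.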

Jose Antonio Izquierdo

May 24, 2022, 10:58:06 AM
to Wazuh mailing list
Cool Daniel,  thanks 
Jose