Custom decoder and logtest


Aleksey Subbotin

Apr 11, 2023, 10:07:02 AM
to Wazuh mailing list
Hi. I have some problems with decoding logs and raising alerts.
I want to collect OpenVPN client logs from Windows devices, but unfortunately they can't be decoded by the default decoders. I haven't got access to the OpenVPN server; all I have is a Windows log like this:

2023-04-11 12:08:32 UDP link local: (not bound)
2023-04-11 12:08:32 UDP link remote: [AF_INET]217.15.139.83:19196
2023-04-11 12:08:32 MANAGEMENT: >STATE:1681204112,WAIT,,,,,,
2023-04-11 12:08:32 MANAGEMENT: >STATE:1681204112,AUTH,,,,,,
2023-04-11 12:08:32 TLS: Initial packet from [AF_INET]217.15.139.83:19196, sid=9efd9330 b3b7cfbf
2023-04-11 12:08:32 VERIFY OK: depth=1, C=*, ST=*, L=**, O=**, CN=**, emailAddress=***
2023-04-11 12:08:32 VERIFY OK: nsCertType=SERVER
2023-04-11 12:08:32 VERIFY OK: depth=0,  C=*, ST=*, L=**, O=**, CN=**, emailAddress=***
2023-04-11 12:08:32 Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, peer certificate: 1024 bit RSA, signature: RSA-SHA256
2023-04-11 12:08:32 [ovpn] Peer Connection Initiated with [AF_INET]217.15.139.83:19196
2023-04-11 12:08:33 MANAGEMENT: >STATE:1681204113,GET_CONFIG,,,,,,
2023-04-11 12:08:33 SENT CONTROL [ovpn]: 'PUSH_REQUEST' (status=1)
2023-04-11 12:08:33 PUSH: Received control message: 'PUSH_REPLY,route-delay 2,route 10.0.0.0 255.255.0.0,redirect-gateway def1 bypass-dhcp,dhcp-option DNS 10.0.0.244,route 172.26.8.1,topology net30,ping 10,ping-restart 120,ifconfig 172.26.8.114 172.26.8.113,peer-id 8,cipher AES-256-GCM'

It's not auto-decoded. I want to raise an alert on this string:
2023-04-11 12:08:32 [ovpn] Peer Connection Initiated with [AF_INET]217.15.139.83:19196

I edited local_decoder:

<decoder name="openvpn_decoder">
    <prematch type="pcre2">\[ovpn\]</prematch>
</decoder>
<decoder name="openvpn_decoder_child">
    <parent>openvpn_decoder</parent>
    <regex type="pcre2">(\d\d\d\d-\d\d-\d\d\s\d\d:\d\d:\d\d)</regex>
    <order>timestamp</order>
</decoder>
<decoder name="openvpn_decoder_child">
    <parent>openvpn_decoder</parent>
    <regex type="pcre2">Peer Connection (\w+) with \[(\w+)\]((?:[0-9]{1,3}\.){3}[0-9]{1,3}):(\d+)</regex>
    <order>action, interface, dstip, dstport</order>
</decoder>
 
On https://regex101.com/ everything works and the regex matches.

But when I run logtest with this string:

**Phase 1: Completed pre-decoding.
        full event: '2023-04-11 12:08:32 [ovpn] Peer Connection Initiated with [AF_INET]217.15.139.83:19196'

**Phase 2: Completed decoding.
        name: 'windows-date-format'

I wrote some rules too, but that's not the problem now. I don't understand how to find my mistake. Thanks a lot for any advice or help. I want to learn how to parse custom log files because I need a lot of this at work.

Juan Carlos Tello

Apr 11, 2023, 10:41:00 AM
to Aleksey Subbotin, Wazuh mailing list
Hello Aleksey,

Thank you for reaching out. I have verified, and indeed your decoder is correctly built.

The issue is that the windows-date-format decoder is overreaching and selecting events based only on a common date format.

Given that the ruleset loading order is determined in part based on the filename that contains the rules and decoders, you may move your decoders file to /var/ossec/etc/decoders/0370-ovpn_decoders.xml, which will then be loaded before the offending default decoder (/var/ossec/ruleset/decoders/0380-windows_decoders.xml).


The output of wazuh-ruletest is then:

echo "2023-04-11 12:08:32 [ovpn] Peer Connection Initiated with [AF_INET]217.15.139.83:19196" | /var/ossec/bin/wazuh-logtest
Starting wazuh-logtest v4.4.0
Type one log per line
**Phase 1: Completed pre-decoding.
full event: '2023-04-11 12:08:32 [ovpn] Peer Connection Initiated with [AF_INET]217.15.139.83:19196'

**Phase 2: Completed decoding.
name: 'openvpn_decoder'
action: 'Initiated'
dstip: '217.15.139.83'
dstport: '19196'
interface: 'AF_INET'
timestamp: '2023-04-11 12:08:32'

I hope you find this information useful and please let us know if you have any other questions.
Best Regards,
Juan C. Tello
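With the decoder loading first, the remaining step the original poster mentioned is a rule that turns the decoded event into an alert. The following is an added example, not part of this thread or of the Wazuh ruleset; the rule IDs (100100, 100101), the level values and the file placement are assumptions, while the decoder name and field names come from the decoder and logtest output above.

```xml
<!-- Assumed placement: /var/ossec/etc/rules/local_rules.xml -->
<group name="openvpn,local,">

  <!-- Base rule: matches any event the custom openvpn_decoder parent claimed,
       so every [ovpn] line gets grouped under it (low level, no noisy alerts). -->
  <rule id="100100" level="3">
    <decoded_as>openvpn_decoder</decoded_as>
    <description>OpenVPN client: $(action) event reported by Windows host</description>
  </rule>

  <!-- Child rule: only fires when the child decoder filled action=Initiated,
       i.e. the "Peer Connection Initiated with [AF_INET]ip:port" line the poster
       wanted to alert on. Decoded fields are expanded into the alert text. -->
  <rule id="100101" level="5">
    <if_sid>100100</if_sid>
    <field name="action">^Initiated$</field>
    <description>OpenVPN client: peer connection initiated with $(dstip):$(dstport) over $(interface)</description>
  </rule>

</group>
```

After restarting the manager, the same wazuh-logtest command shown above should report rule 100101 in Phase 3 for the sample line, while the other OpenVPN lines (no [ovpn] tag) stay with their default decoder.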



Aleksey Subbotin

Apr 14, 2023, 4:08:46 AM
to Juan Carlos Tello, Wazuh mailing list
It worked. 

Tue, Apr 11, 2023 at 17:40, Juan Carlos Tello <juancarl...@wazuh.com>: