Squid URL Exception log


Musakkarul Lambatjing

Jul 28, 2022, 4:22:53 AM
to Wazuh mailing list
Hi Wazuh team,

I'm trying to exclude some Squid URLs, but unfortunately it is not working.
I am only able to exclude one of them. Can you help me with it?
I am now running Wazuh version 4.3.5.

  <rule id="35023" level="0">
    <if_sid>35004, 35005, 35006, 35009</if_sid>
    <url>.jpg|.gif|favicon.ico$|.png$|.swf|.txt$|.zip|.css|.xml|.js|.bmp$|</url>
    <url>windowsupdate/redir/wuredir.cab|</url>
    <url>^http://codecs.microsoft.com/isapi/ocget.dll|</url>
    <url>^http://activex.microsoft.com/objects/ocget.dll|</url>
    <url>^http://webmessenger.msn.com/session/null|</url>
    <url>^http://sqm.msn.com/sqm/wmp/sqmserver.dll|</url>
    <url>^http://config.messenger.msn.com/Config/MsgrConfig.asmx|</url>
    <url>kaspersky-labs.com/|</url>
    <url>^http://liveupdate.symantecliveupdate.com/|</url>
    <url>_vti_bin/owssvr.dll|MSOffice/cltreq.asp|</url>
    <url>google.com/mt?|</url>
    <url>google.com/kh?|</url>
    <url>^http://kh.google.com/flatfile</url>
    <url type="pcre2">^(\w)*trendmicro.com</url>        ---> it worked!

    <!-- Add more extensions to be ignored in here.
    <url>|.html$|.htm</url>
      -->
    <url type="pcre2">^(\w)*.telemetry.mozilla.org</url>  ----> it did not work.
    <description>Squid: Ignored files on a 40x error.</description>
  </rule>

I am still getting alerts for the *.telemetry.mozilla.org URL with it.
Please kindly advise.

Mariano Koremblum

Jul 30, 2022, 1:00:36 PM
to Wazuh mailing list

Hi Musakkarul,

At first sight, the parentheses are not needed. So, it would be like this:

    <url type="pcre2">^\w*.telemetry.mozilla.org</url>

Is the asterisk literal or are you trying to capture anything with that asterisk?

Could you also please share with us the alert that you have mentioned?

Best Regards,

Mariano Koremblum

Musakkarul Lambatjing

Jul 31, 2022, 9:17:54 PM
to Wazuh mailing list
Hi Mariano,

Thanks for replying.
Yes, I need that asterisk, because I actually want to exclude all the alerts for the domain *.telemetry.mozilla.org.
Please refer to the attached alert, one of those I want to exclude.

Regards,
Musakkarul
Screenshot 2022-08-01 081536.png

Mariano Koremblum

Aug 1, 2022, 12:34:58 PM
to Wazuh mailing list

Hi Musakkarul,

I wouldn’t recommend modifying the default ruleset, as if you someday upgrade your manager, all the changes will be lost.

The best way is to create/modify the rules in the local_rules file, which is located at /var/ossec/etc/rules/local_rules.xml. I tested the following and it is working:

<group name="squid,">
  <rule id="135000" level="0">

    <if_sid>35004, 35005, 35006, 35009</if_sid>

    <url type="pcre2">trendmicro\.com|</url>
    <url type="pcre2">telemetry\.mozilla\.org</url>

    <description>Squid: Ignored files on a 40x error.</description>
  </rule>
</group>

And this is the output I get when using the wazuh-logtest tool:

# /var/ossec/bin/wazuh-logtest             
Starting wazuh-logtest v4.3.5
Type one log per line

0 192.168.10.10 TCP_DENIED/403 4140 CONNECT incoming.trendmicro.com:443 - HIER_NONE/- test/html

**Phase 1: Completed pre-decoding.
    full event: '0 192.168.10.10 TCP_DENIED/403 4140 CONNECT incoming.trendmicro.com:443 - HIER_NONE/- test/html'

**Phase 2: Completed decoding.
    name: 'squid-accesslog'
    action: 'TCP_DENIED'
    id: '403'
    srcip: '192.168.10.10'
    url: 'incoming.trendmicro.com:443'

**Phase 3: Completed filtering (rules).
    id: '135000'
    level: '0'
    description: 'Squid: Ignored files on a 40x error.'
    groups: '['test']'
    firedtimes: '1'
    mail: 'False'

0 192.168.10.10 TCP_DENIED/403 4140 CONNECT incoming.telemetry.mozilla.org:443 - HIER_NONE/- test/html

**Phase 1: Completed pre-decoding.
    full event: '0 192.168.10.10 TCP_DENIED/403 4140 CONNECT incoming.telemetry.mozilla.org:443 - HIER_NONE/- test/html'

**Phase 2: Completed decoding.
    name: 'squid-accesslog'
    action: 'TCP_DENIED'
    id: '403'
    srcip: '192.168.10.10'
    url: 'incoming.telemetry.mozilla.org:443'

**Phase 3: Completed filtering (rules).
    id: '135000'
    level: '0'
    description: 'Squid: Ignored files on a 40x error.'
    groups: '['test']'
    firedtimes: '2'
    mail: 'False'

I would strongly recommend that you read the following links to get a better understanding of rule/decoder creation:

Please give it a try and let us know if it is useful for you. PS: remember to reset your manager after applying the changes.

Best Regards,

Mariano Koremblum

Mariano Koremblum

Aug 1, 2022, 12:52:33 PM
to Wazuh mailing list
I am sorry, the rule does not display well. It is the following one:


<group name="squid,">
  <rule id="135000" level="0">
    <if_sid>35004, 35005, 35006, 35009</if_sid>
    <url type="pcre2">trendmicro\.com|</url>
    <url type="pcre2">telemetry\.mozilla\.org</url>
    <description>Squid: Ignored files on a 40x error.</description>
  </rule>
</group>

Regards

Musakkarul Lambatjing

Aug 1, 2022, 9:48:36 PM
to Wazuh mailing list
Hello Mariano,

Thank you, I'll give it a try first.
What if I don't want to use url type "pcre2", just the default "<url></url>"? Could you please help me?
Thank you again.


Regards,
Musakkarul

Musakkarul Lambatjing

Aug 2, 2022, 2:35:24 AM
to Wazuh mailing list
Hello Mariano,

I've tried your rule, but the alert for *.telemetry.mozilla.org is still showing on the event.
Please kindly check my attached capture.


Thanks
wazuh-telemetry mozilla.png

Mariano Koremblum

Aug 2, 2022, 10:37:25 AM
to Wazuh mailing list

Hi Musakkarul,

Could you please share with us the full_log field of one of such events? Remember to obfuscate the sensitive information it may contain.

I will be waiting for your reply,

Mariano Koremblum

Musakkarul Lambatjing

Aug 2, 2022, 9:30:44 PM
to Wazuh mailing list
Hi Mariano,

Here's the full_log of one of the events.



1659425569.305 0 172.16.2.56 TCP_DENIED/403 4140 CONNECT incoming.telemetry.mozilla.org:443 - HIER_NONE/- text/html


Thanks



Mariano Koremblum

Aug 3, 2022, 9:16:50 AM
to Wazuh mailing list

Hi again Musakkarul,

When I test the log with our wazuh-logtest tool, I get the following:

# /var/ossec/bin/wazuh-logtest             
Starting wazuh-logtest v4.3.6
Type one log per line

0 172.16.2.56 TCP_DENIED/403 4140 CONNECT incoming.telemetry.mozilla.org:443 - HIER_NONE/- text/html

**Phase 1: Completed pre-decoding.
    full event: '0 172.16.2.56 TCP_DENIED/403 4140 CONNECT incoming.telemetry.mozilla.org:443 - HIER_NONE/- text/html'

**Phase 2: Completed decoding.
    name: 'squid-accesslog'
    action: 'TCP_DENIED'
    id: '403'
    srcip: '172.16.2.56'
    url: 'incoming.telemetry.mozilla.org:443'

**Phase 3: Completed filtering (rules).
    id: '135000'
    level: '0'
    description: 'Squid: Ignored files on a 40x error.'
    groups: '['test']'
    firedtimes: '1'
    mail: 'False'

Which means that it is working as expected.

Just in case, did you restart your manager after applying the changes?

Best Regards,

Mariano Koremblum

Mariano Koremblum

Aug 3, 2022, 9:19:12 AM
to Wazuh mailing list

Additionally, please check in the event if the field url is being correctly extracted. If not, when passing through our custom rule, the URL labels won’t have any effect.

Regards

Musakkarul Lambatjing

Aug 8, 2022, 9:58:08 PM
to Wazuh mailing list
Hi Mariano,

Sorry, I've only just informed you.
I already solved my problem, but with a different syntax, because the syntax you gave me was not working.
I tried using this syntax to ignore several Squid alerts.

<group name="squid,">
  <rule id="135000" level="0">
    <if_sid>35004, 35005, 35006, 35009</if_sid>
    <url type="pcre2">trendmicro\.com|</url>
    <url>mozilla.org</url>

    <description>Squid: Ignored files on a 40x error.</description>
  </rule>
</group>

But I am a little bit worried; could you please confirm that it means all URLs containing *mozilla.org* will be ignored? Please correct me if I'm wrong.

Thank you.

Regards,

Musakkarul

Mariano Koremblum

Aug 9, 2022, 9:59:53 AM
to Wazuh mailing list

Hi Musakkarul,

If I test your configuration using wazuh-logtest I get the following:

# /var/ossec/bin/wazuh-logtest
Starting wazuh-logtest v4.3.6
Type one log per line

0 192.168.10.10 TCP_DENIED/403 4140 CONNECT incoming.telemetry.mozilla.org:443 - HIER_NONE/- test/html

**Phase 1: Completed pre-decoding.
    full event: '0 192.168.10.10 TCP_DENIED/403 4140 CONNECT incoming.telemetry.mozilla.org:443 - HIER_NONE/- test/html'

**Phase 2: Completed decoding.
    name: 'squid-accesslog'
    action: 'TCP_DENIED'
    id: '403'
    srcip: '192.168.10.10'
    url: 'incoming.telemetry.mozilla.org:443'

**Phase 3: Completed filtering (rules).
    id: '135000'
    level: '0'
    description: 'Squid: Ignored files on a 40x error.'
    groups: '['squid']'
    firedtimes: '1'
    mail: 'False'

0 192.168.10.10 TCP_DENIED/403 4140 CONNECT incoming.trendmicro.com:443 - HIER_NONE/- test/html

**Phase 1: Completed pre-decoding.
    full event: '0 192.168.10.10 TCP_DENIED/403 4140 CONNECT incoming.trendmicro.com:443 - HIER_NONE/- test/html'

**Phase 2: Completed decoding.
    name: 'squid-accesslog'
    action: 'TCP_DENIED'
    id: '403'
    srcip: '192.168.10.10'
    url: 'incoming.trendmicro.com:443'

**Phase 3: Completed filtering (rules).
    id: '35005'
    level: '5'
    description: 'Squid: Forbidden: Attempt to access forbidden file or directory.'
    groups: '['squid']'
    firedtimes: '1'
    gdpr: '['IV_35.7.d']'
    hipaa: '['164.312.b']'
    mail: 'False'
    nist_800_53: '['AU.14', 'AC.7']'
    pci_dss: '['10.2.4']'
    tsc: '['CC6.1', 'CC6.8', 'CC7.2', 'CC7.3']'
**Alert to be generated.

It is not handling the trendmicro URLs correctly. But, if you change the rule to:

<group name="squid,">
  <rule id="135000" level="0">
    <if_sid>35004, 35005, 35006, 35009</if_sid>
    <url type="pcre2">trendmicro\.com|</url>
    <url type="pcre2">mozilla.org</url>
    <description>Squid: Ignored files on a 40x error.</description>
  </rule>
</group>

Then I get the expected output:

# /var/ossec/bin/wazuh-logtest             
Starting wazuh-logtest v4.3.6
Type one log per line

0 192.168.10.10 TCP_DENIED/403 4140 CONNECT incoming.telemetry.mozilla.org:443 - HIER_NONE/- test/html

**Phase 1: Completed pre-decoding.
    full event: '0 192.168.10.10 TCP_DENIED/403 4140 CONNECT incoming.telemetry.mozilla.org:443 - HIER_NONE/- test/html'

**Phase 2: Completed decoding.
    name: 'squid-accesslog'
    action: 'TCP_DENIED'
    id: '403'
    srcip: '192.168.10.10'
    url: 'incoming.telemetry.mozilla.org:443'

**Phase 3: Completed filtering (rules).
    id: '135000'
    level: '0'
    description: 'Squid: Ignored files on a 40x error.'
    groups: '['squid']'
    firedtimes: '1'
    mail: 'False'

0 192.168.10.10 TCP_DENIED/403 4140 CONNECT incoming.trendmicro.com:443 - HIER_NONE/- test/html

**Phase 1: Completed pre-decoding.
    full event: '0 192.168.10.10 TCP_DENIED/403 4140 CONNECT incoming.trendmicro.com:443 - HIER_NONE/- test/html'

**Phase 2: Completed decoding.
    name: 'squid-accesslog'
    action: 'TCP_DENIED'
    id: '403'
    srcip: '192.168.10.10'
    url: 'incoming.trendmicro.com:443'

**Phase 3: Completed filtering (rules).
    id: '135000'
    level: '0'
    description: 'Squid: Ignored files on a 40x error.'
    groups: '['squid']'
    firedtimes: '2'
    mail: 'False'

We do not recommend mixing different regex types.

Coming back to your question, yes, it will omit every URL that contains the string mozilla.org.

Best Regards,

Mariano Koremblum
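As an added illustration, not code from this thread or from the Wazuh project, the Python below emulates what the wazuh-logtest output above shows: a stand-in for the squid-accesslog decoder extracting the url field from a Squid native-format line, and a level-0 rule's <url> alternatives being searched against that field. Python's re module is used in place of PCRE2 for these simple patterns. The sample log lines, the parser regex, and the 4xx status gate that stands in for the <if_sid> parent rules are all constructed assumptions. It runs the thread's working escaped patterns, the poster's final unescaped mozilla.org pattern (which also matches a host such as mozilla-org.example.test, because an unescaped dot matches any character), and a tighter anchored variant that allows for the :port the url field carries on CONNECT requests.

```python
import re

# Constructed sample events in Squid's native access-log format, modelled on the
# full_log line quoted in the thread. Fields: timestamp, elapsed ms, client IP,
# result/status, bytes, method, URL, ident, hierarchy/peer, content type.
SAMPLE_LOG = """\
1659425569.305 0 172.16.2.56 TCP_DENIED/403 4140 CONNECT incoming.telemetry.mozilla.org:443 - HIER_NONE/- text/html
1659425570.112 0 172.16.2.56 TCP_DENIED/403 4140 CONNECT incoming.trendmicro.com:443 - HIER_NONE/- text/html
1659425571.004 0 172.16.2.57 TCP_DENIED/403 4140 CONNECT mozilla-org.example.test:443 - HIER_NONE/- text/html
1659425572.990 0 172.16.2.58 TCP_DENIED/403 4140 GET http://example.test/download.exe - HIER_NONE/- text/html
1659425573.500 12 172.16.2.59 TCP_MISS/200 512 GET http://telemetry.mozilla.org/ping - HIER_DIRECT/192.0.2.10 application/json
"""

# Hypothetical stand-in for the squid-accesslog decoder: it pulls out the four
# fields that the wazuh-logtest output in the thread shows (action, id, srcip, url).
SQUID_NATIVE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<elapsed>\d+)\s+(?P<srcip>\S+)\s+"
    r"(?P<action>[A-Z_]+)/(?P<status>\d{3})\s+(?P<bytes>\d+)\s+"
    r"(?P<method>[A-Z]+)\s+(?P<url>\S+)\s+(?P<ident>\S+)\s+"
    r"(?P<hier>\S+)\s+(?P<ctype>\S+)$"
)


def parse_squid_line(line):
    """Decode one native-format line into the fields the rule looks at, or None."""
    m = SQUID_NATIVE.match(line.strip())
    if not m:
        return None
    return {"action": m["action"], "id": m["status"], "srcip": m["srcip"], "url": m["url"]}


# Patterns from the working rule in the thread (type="pcre2"; dots escaped so
# they match a literal '.').
THREAD_PATTERNS = [r"trendmicro\.com", r"telemetry\.mozilla\.org"]

# The poster's final, looser pattern: an unescaped '.' matches any character,
# so this also ignores hosts such as mozilla-org.example.test.
LOOSE_PATTERNS = [r"trendmicro\.com", r"mozilla.org"]

# Tighter variant (assumed here, not from the thread): the name must end a host
# label sequence, optionally followed by the :port that CONNECT requests carry.
STRICT_PATTERNS = [
    r"(^|\.|/)trendmicro\.com(:\d+)?(/|$)",
    r"(^|\.|/)telemetry\.mozilla\.org(:\d+)?(/|$)",
]

# The poster's original pattern. On its own it does match the decoded url, which
# supports the thread's conclusion that the rule failed for another reason
# (mixing pcre2 and default-type <url> elements in one rule), not the regex itself.
ORIGINAL_PATTERN = r"^(\w)*.telemetry.mozilla.org"


def pattern_matches(pattern, url):
    """Unanchored search, the way an unanchored rule pattern is applied to a field."""
    return re.search(pattern, url) is not None


def url_is_ignored(url, patterns):
    """A level-0 rule with several <url> alternatives fires if any of them matches."""
    return any(pattern_matches(p, url) for p in patterns)


def evaluate(log_text, patterns, min_status=400, max_status=499):
    """Map each decodable 4xx event's url to 'ignored' (level-0 rule matched) or 'alert'.

    The status gate stands in for the <if_sid> parents (35004-35009), which this
    example assumes fire only on 4xx responses; non-4xx lines never reach the rule.
    """
    results = {}
    for line in log_text.splitlines():
        event = parse_squid_line(line)
        if event is None or not (min_status <= int(event["id"]) <= max_status):
            continue
        results[event["url"]] = "ignored" if url_is_ignored(event["url"], patterns) else "alert"
    return results


if __name__ == "__main__":
    for name, pats in (("thread", THREAD_PATTERNS), ("loose", LOOSE_PATTERNS), ("strict", STRICT_PATTERNS)):
        print(f"--- {name} patterns ---")
        for url, verdict in evaluate(SAMPLE_LOG, pats).items():
            print(f"{verdict:8} {url}")
```

Run it directly to print the verdict per URL under each pattern set. Whatever exclusion you settle on, replay a sample of real full_log lines through wazuh-logtest before and after the change: a level-0 rule silently drops alerts for every URL it matches, so a broad pattern such as an unescaped dot suppresses more than the intended domain.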

Musakkarul Lambatjing

Aug 14, 2022, 9:52:08 PM
to Wazuh mailing list
Hi Mariano,


Thanks for your help.
My issue is already fixed. I'm now using the URL type only and not regex; it's simpler than the regex.
Thank you again for your help.

Regards,

Musakkarul