Advice on decoders for Paloalto


M Jones
Apr 14, 2022, 5:19:57 PM
to Wazuh mailing list
Hi,

Just looking for some advice on whether it's possible to extract the srcip and dstip from this log. The decoders currently put them into the data.description field, but I would like each to have its own separate field so I can do GeoIP. Is it best to separate the current decoders for Palo to make this work? Any help would be great before I start, thanks.

Log:

2022-04-14T21:43:30+01:00 Forwarded from 199.99.99.9: 1,2022/04/14 21:43:30,013101003103,SYSTEM,auth,0,2022/04/14 21:43:30,,auth-fail,High-Users,0,0,general,medium,"failed authentication for user 'te...@test.co.uk'. Reason: Invalid username/password. auth profile 'High-Users', vsys 'vsys1', server profile 'LDAP-AUTH', server address '10.999.9.99', From: 174.147.45.4.",8888888158888888777,0x0,0,0,0,0,,Servername

Current decoders attached: palo.JPG


Luis González Romero
Apr 18, 2022, 5:56:16 AM
to Wazuh mailing list

Hello! Hope you are doing great.

You can split the description field into srcip and dstip simply by changing the decoder regex like this:

<decoder name="paloalto_system_fields">
    <parent>paloalto_system</parent>
    <!-- Captures, in order: module, severity, the quoted 'server address' IP,
         the 'From:' IP, then the remaining comma-separated fields of the record.
         Wazuh regex syntax: \. is any character, \d digit, \w word char, \s space, \S non-space. -->
    <regex offset="after_regex">\.*,\.*,(\w*),(\w*),"\.*'(\d+.\d+.\d+.\d+)'\.*:\s(\d+.\d+.\d+.\d+).",(\d*),(\S*),(\d*,\d*,\d*,\d*),(\.*),(\S*)</regex>
    <order>module,severity,srcip,dstip,sequence_number,actionflags,dg_hier_level_1_to_dg_hier_level_4,virtual_system_name,device_name</order>
</decoder>

Here is the log with the new fields:

**Phase 1: Completed pre-decoding.
    full event: '2022-04-14T21:43:30+01:00 Forwarded from 199.99.99.9: 1,2022/04/14 21:43:30,013101003103,SYSTEM,auth,0,2022/04/14 21:43:30,,auth-fail,High-Users,0,0,general,medium,"failed authentication for user 'te...@test.co.uk'. Reason: Invalid username/password. auth profile 'High-Users', vsys 'vsys1', server profile 'LDAP-AUTH', server address '10.999.9.99', From: 174.147.45.4.",8888888158888888777,0x0,0,0,0,0,,Servername'
    timestamp: '2022-04-14T21:43:30+01:00'

**Phase 2: Completed decoding.
    name: 'paloalto_system'
    actionflags: '0x0'
    content_type: 'auth'
    device_name: 'Servername'
    dg_hier_level_1_to_dg_hier_level_4: '0,0,0,0'
    dstip: '174.147.45.4'
    eventid: 'auth-fail'
    module: 'general'
    object: 'High-Users'
    receive_time: '2022/04/14 21:43:30'
    sequence_number: '8888888158888888777'
    serial_number: '013101003103'
    severity: 'medium'
    srcip: '10.999.9.99'
    time_generated: '2022/04/14 21:43:30'
    type: 'SYSTEM'

**Phase 3: Completed filtering (rules).
    id: '64504'
    level: '5'
    description: 'Palo Alto SYSTEM: medium severity log on Servername: '
    groups: '['paloalto']'
    firedtimes: '1'
    gdpr: '['IV_35.7.d']'
    gpg13: '['4.12']'
    hipaa: '['164.312.b']'
    mail: 'False'
    pci_dss: '['1.4', '10.6.1']'
    tsc: '['CC6.1', 'CC6.8', 'CC7.2', 'CC7.3', 'CC6.7', 'CC7.4']'

I suggest you follow this guide to change an existing decoder.

Do not hesitate to ask for help if you have any doubt.

Hope this helps you,
Luis.

M Jones
Apr 23, 2022, 3:27:31 AM
to Wazuh mailing list
Thank you Luis, sorry for asking, but how would you pull the Reason from the description, or just everything before the IP addresses? I've been trying to extract it but it seems like I need to work on my regex skills :)

So the description could be: Reason: Invalid username/password

or 

Failed authentication for user 'te...@test.co.uk'. Reason: Invalid username/password

Thank you for your help so far,

Luis González Romero
Apr 25, 2022, 6:32:53 AM
to Wazuh mailing list

Hello again!

Do not worry. I am going to try to explain how I obtained the regex.

  • First option: reuse the paloalto_system_fields decoder as we did before.

Add the .\s(\w+:\s\.*)\s\.*' sub-regex to the regex (just before the block we added for the IP addresses). With this we ensure that we match the description we want after the user @test.co.uk'. which ends with a literal dot; that's why we're using it.

With this sub-regex, we capture the Reason and, after the colon, any character until it matches the srcip field we worked on before. I tried to add a literal dot so it only catches the desired string, but it did not work. Using this workaround, we obtain everything before the srcip and dstip.

<decoder name="paloalto_system_fields">
    <parent>paloalto_system</parent>
    <!-- Same as the previous decoder, with an extra capture group (description2) for
         "Reason: ..." inserted before the two IP captures. -->
    <regex offset="after_regex">\.*,\.*,(\w*),(\w*),"\.*'.\s(\w+:\s\.*)\s\.*'(\d+.\d+.\d+.\d+)'\.*:\s(\d+.\d+.\d+.\d+).",(\d*),(\S*),(\d*,\d*,\d*,\d*),(\.*),(\S*)</regex>
    <order>module,severity,description2,srcip,dstip,sequence_number,actionflags,dg_hier_level_1_to_dg_hier_level_4,virtual_system_name,device_name</order>
</decoder>
  • Second option: add this new paloalto_system_fields decoder section.
<decoder name="paloalto_system_fields">
    <parent>paloalto_system</parent>
    <!-- Matched against the whole event: skips to the word after "@test.co.uk'." and
         captures from it up to the next literal dot (description3). -->
    <regex>\.*\s(\w+:\s\.*.)\s\.*"\.*</regex>
    <order>description3</order>
</decoder>

Here we skip everything until the user @test.co.uk'. which ends with a space. After that string, we just capture Reason, the colon, a space and everything until the final dot.

root@manager:/home/vagrant# /var/ossec/bin/wazuh-logtest
Starting wazuh-logtest v4.2.5
Type one log per line

2022-04-14T21:43:30+01:00 Forwarded from 199.99.99.9: 1,2022/04/14 21:43:30,013101003103,SYSTEM,auth,0,2022/04/14 21:43:30,,auth-fail,High-Users,0,0,general,medium,"failed authentication for user 'xxxxxxxx@test.co.uk'. Reason: Invalid username/password. auth profile 'High-Users', vsys 'vsys1', server profile 'LDAP-AUTH', server address '10.999.9.99', From: 174.147.45.4.",8888888158888888777,0x0,0,0,0,0,,Servername

**Phase 1: Completed pre-decoding.
    full event: '2022-04-14T21:43:30+01:00 Forwarded from 199.99.99.9: 1,2022/04/14 21:43:30,013101003103,SYSTEM,auth,0,2022/04/14 21:43:30,,auth-fail,High-Users,0,0,general,medium,"failed authentication for user 'xxxx...@test.co.uk'. Reason: Invalid username/password. auth profile 'High-Users', vsys 'vsys1', server profile 'LDAP-AUTH', server address '10.999.9.99', From: 174.147.45.4.",8888888158888888777,0x0,0,0,0,0,,Servername'
    timestamp: '2022-04-14T21:43:30+01:00'

**Phase 2: Completed decoding.
    name: 'paloalto_system'
    actionflags: '0x0'
    content_type: 'auth'
    description2: 'Reason: Invalid username/password. auth profile 'High-Users', vsys 'vsys1', server profile 'LDAP-AUTH','
    description3: 'Reason: Invalid username/password.'
    device_name: 'Servername'
    dg_hier_level_1_to_dg_hier_level_4: '0,0,0,0'
    dstip: '174.147.45.4'
    eventid: 'auth-fail'
    module: 'general'
    object: 'High-Users'
    receive_time: '2022/04/14 21:43:30'
    sequence_number: '8888888158888888777'
    serial_number: '013101003103'
    severity: 'medium'
    srcip: '10.999.9.99'
    time_generated: '2022/04/14 21:43:30'
    type: 'SYSTEM'

**Phase 3: Completed filtering (rules).
    id: '64504'
    level: '5'
    description: 'Palo Alto SYSTEM: medium severity log on Servername: '
    groups: '['paloalto']'
    firedtimes: '1'
    gdpr: '['IV_35.7.d']'
    gpg13: '['4.12']'
    hipaa: '['164.312.b']'
    mail: 'False'
    pci_dss: '['1.4', '10.6.1']'
    tsc: '['CC6.1', 'CC6.8', 'CC7.2', 'CC7.3', 'CC6.7', 'CC7.4']'

If you need help with anything else or have any doubt feel free to ask!

Hope this helps you,
Luis.
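To check this kind of extraction before touching the manager's decoder files, here is an added example that is not code from the thread, from Wazuh or from Palo Alto. It re-implements the field extraction from both answers above (the two addresses from the first answer, the Reason from the second) in Python's `re`, which uses PCRE-style syntax rather than the Wazuh/OSSEC regex dialect the decoders use, so its patterns are for testing the logic offline, not for pasting into a decoder. It splits the PAN-OS SYSTEM record as CSV so the quoted description may contain commas, then pulls the Reason, the `server address` value and the `From:` address out of the description for both description shapes the follow-up question mentions. The sample line, the second description variant, the column names and the function names are all assumptions modelled on the posted event; the last helper shows the check worth running before handing an address to GeoIP.

```python
"""Offline check of the field extraction discussed in this thread.

Added example, not code from the thread, Wazuh or Palo Alto. It uses Python's
`re` (PCRE-style), not the Wazuh/OSSEC regex dialect the decoders use, so the
patterns are for testing the extraction logic, not for pasting into a decoder.
"""
import csv
import ipaddress
import re
from typing import Dict

# Constructed sample in the shape of the thread's log line (assumption: the
# relay prefix and the PAN-OS SYSTEM column layout match the posted event).
SAMPLE_LOG = (
    "2022-04-14T21:43:30+01:00 Forwarded from 199.99.99.9: "
    "1,2022/04/14 21:43:30,013101003103,SYSTEM,auth,0,2022/04/14 21:43:30,,"
    "auth-fail,High-Users,0,0,general,medium,"
    "\"failed authentication for user 'te...@test.co.uk'. Reason: Invalid "
    "username/password. auth profile 'High-Users', vsys 'vsys1', server "
    "profile 'LDAP-AUTH', server address '10.999.9.99', From: 174.147.45.4.\","
    "8888888158888888777,0x0,0,0,0,0,,Servername"
)

# Constructed variant without the "failed authentication for user ..." prefix,
# the second description shape the follow-up question mentions.
SHORT_DESC = ("Reason: Invalid username/password. server address '10.999.9.99', "
              "From: 174.147.45.4.")

# Syslog relay prefix: "<timestamp> Forwarded from <relay>: <PAN-OS CSV record>"
PREFIX_RE = re.compile(r"^(?P<timestamp>\S+) Forwarded from (?P<relay>\S+): (?P<csv>.*)$")

# Column names for the 23 comma-separated fields of the SYSTEM record above
# (assumed from the posted event; Wazuh's decoder names a subset of them).
SYSTEM_COLUMNS = [
    "future_use", "receive_time", "serial_number", "type", "content_type",
    "future_use2", "time_generated", "virtual_system", "eventid", "object",
    "future_use3", "future_use4", "module", "severity", "description",
    "sequence_number", "actionflags", "dg_hier_level_1", "dg_hier_level_2",
    "dg_hier_level_3", "dg_hier_level_4", "virtual_system_name", "device_name",
]

IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"
# "Reason: <text>" up to the first sentence-ending dot (a reason containing a
# dot would be cut short; none of the thread's samples do).
REASON_RE = re.compile(r"Reason:\s(?P<reason>[^.]*)\.")
SERVER_RE = re.compile(rf"server address '(?P<server>{IPV4})'")
FROM_RE = re.compile(rf"From:\s(?P<client>{IPV4})\.?$")


def extract_from_description(desc: str) -> Dict[str, str]:
    """Pull the reason and the two addresses out of the free-text description."""
    out: Dict[str, str] = {}
    if m := REASON_RE.search(desc):
        out["reason"] = m.group("reason")
    if m := SERVER_RE.search(desc):
        out["server_address"] = m.group("server")
    if m := FROM_RE.search(desc):
        out["client_ip"] = m.group("client")
    return out


def parse_system_log(line: str) -> Dict[str, str]:
    """Split the forwarded line into relay prefix + CSV columns, then enrich."""
    m = PREFIX_RE.match(line)
    if not m:
        raise ValueError("not a 'Forwarded from' PAN-OS line")
    # csv handles the quoted description, which itself contains commas.
    fields = next(csv.reader([m.group("csv")]))
    if len(fields) != len(SYSTEM_COLUMNS):
        raise ValueError(f"expected {len(SYSTEM_COLUMNS)} columns, got {len(fields)}")
    event = dict(zip(SYSTEM_COLUMNS, fields))
    event["timestamp"] = m.group("timestamp")
    event["relay"] = m.group("relay")
    event.update(extract_from_description(event["description"]))
    return event


def geoip_candidate(ip: str) -> bool:
    """True only for a syntactically valid, globally routable address; private
    ranges and redacted placeholders such as 10.999.9.99 return False."""
    try:
        return ipaddress.ip_address(ip).is_global
    except ValueError:
        return False


if __name__ == "__main__":
    ev = parse_system_log(SAMPLE_LOG)
    for key in ("module", "severity", "reason", "server_address", "client_ip", "device_name"):
        print(f"{key}: {ev[key]}")
    for key in ("server_address", "client_ip"):
        print(f"geoip {key}: {geoip_candidate(ev[key])}")
    print(extract_from_description(SHORT_DESC))
```

Run it as a script to print the extracted fields; `parse_system_log` raises on a line whose column count differs from the layout above, which is the quickest way to notice that a different PAN-OS log type or software version has shifted the positions the decoder's `<order>` relies on.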
