Help with decoder


Leginho

Sep 28, 2022, 4:15:08 AM
to Wazuh mailing list
Hello! I'm new to Wazuh and I'm trying to write a decoder for this log, but it is hard for me to understand how to do it well. Can someone please help me with the decoder for this log? I tried so many things but nothing seems to work really well.


Sep 25 03:31:02 96.199.212.221 [2022-09-25 05:31:09] EFW: CONN: prio=1 id=00600004 rev=1 even srccountry="" srcusername="" destusername="" conn=open connipproto=TCP connrecvif=WIFI_MNGMT connsrcip=10.0.99.42 connsrcport=46752 conndestif=WAN conndestzone="" conndestdevice="" connonnnewsrcport=50878 connnewdestip=183.12.121.208 connnewdestport=8080

victor....@wazuh.com

Sep 28, 2022, 5:31:29 AM
to Wazuh mailing list

Hello Leginho,

Consider this first decoder approach:

<!-- Parent decoder: matches any line that contains "EFW:" and stores the whole
     pre-decoded message (everything after the syslog header) in the field "testing" -->
<decoder name="decoder_EFW">
    <prematch>\.*EFW:</prematch>
    <regex>(\.*)</regex>
    <order>testing</order>
</decoder>

It prematches on the EFW string, gathering into the testing variable the whole event except the text decoded in the pre-decoding phase. This can be seen easily using the /var/ossec/bin/wazuh-logtest tool:

root@centos5:/home/vagrant# /var/ossec/bin/wazuh-logtest
Starting wazuh-logtest v4.3.8
Type one log per line

Sep 25 03:31:02 96.199.212.221 [2022-09-25 05:31:09] EFW: CONN: prio=1 id=00600004 rev=1 even srccountry="" srcusername="" destusername="" conn=open connipproto=TCP connrecvif=WIFI_MNGMT connsrcip=10.0.99.42 connsrcport=46752 conndestif=WAN conndestzone="" conndestdevice="" connonnnewsrcport=50878 connnewdestip=183.12.121.208 connnewdestport=8080

**Phase 1: Completed pre-decoding.
    full event: 'Sep 25 03:31:02 96.199.212.221 [2022-09-25 05:31:09] EFW: CONN: prio=1 id=00600004 rev=1 even srccountry="" srcusername="" destusername="" conn=open connipproto=TCP connrecvif=WIFI_MNGMT connsrcip=10.0.99.42 connsrcport=46752 conndestif=WAN conndestzone="" conndestdevice="" connonnnewsrcport=50878 connnewdestip=183.12.121.208 connnewdestport=8080'
    timestamp: 'Sep 25 03:31:02'
    hostname: '96.199.212.221'

**Phase 2: Completed decoding.
    name: 'decoder_EFW'
    testing: '[2022-09-25 05:31:09] EFW: CONN: prio=1 id=00600004 rev=1 even srccountry="" srcusername="" destusername="" conn=open connipproto=TCP connrecvif=WIFI_MNGMT connsrcip=10.0.99.42 connsrcport=46752 conndestif=WAN conndestzone="" conndestdevice="" connonnnewsrcport=50878 connnewdestip=183.12.121.208 connnewdestport=8080'

If we check Phase 2 we notice that the event has been decoded using our decoder. Also, testing contains the whole string except for the Sep 25 03:31:02 96.199.212.221 header, decoded as timestamp and hostname in the pre-decoding phase. So, our decoders should work with this string: [2022-09-25 05:31:09] EFW:...connnewdestport=8080

At this point, if we want to gather all the specified fields, it could be a good idea to follow the sibling decoders strategy to make a structured and clean ruleset.

Consider the following decoders:

<!-- Sibling decoders: all share the parent's name, declare decoder_EFW as parent,
     and each one captures a single field with an unanchored regex -->
<decoder name="decoder_EFW">
    <parent>decoder_EFW</parent>
    <regex>prio=(\S+)</regex>
    <order>prio</order>
</decoder>

<decoder name="decoder_EFW">
    <parent>decoder_EFW</parent>
    <regex>id=(\S+)</regex>
    <order>id</order>
</decoder>

<decoder name="decoder_EFW">
    <parent>decoder_EFW</parent>
    <regex>rev=(\S+)</regex>
    <order>rev</order>
</decoder>

<decoder name="decoder_EFW">
    <parent>decoder_EFW</parent>
    <regex>srccountry="(\S+)"</regex>
    <order>srccountry</order>
</decoder>

<decoder name="decoder_EFW">
    <parent>decoder_EFW</parent>
    <regex>srcusername="(\S+)"</regex>
    <order>srcusername</order>
</decoder>

They use the first decoder, decoder_EFW, as their parent and are capable of gathering the fields srcusername, srccountry, rev, id, and prio using the regex/order options.
Using the logtest tool we can see that our ruleset gets all the expected values:

root@centos5:/home/vagrant# /var/ossec/bin/wazuh-logtest
Starting wazuh-logtest v4.3.8
Type one log per line

Sep 25 03:31:02 96.199.212.221 [2022-09-25 05:31:09] EFW: CONN: prio=1 id=00600004 rev=1 even srccountry="" srcusername="user1" destusername="" conn=open connipproto=TCP connrecvif=WIFI_MNGMT connsrcip=10.0.99.42 connsrcport=46752 conndestif=WAN conndestzone="" conndestdevice="" connonnnewsrcport=50878 connnewdestip=183.12.121.208 connnewdestport=8080

**Phase 1: Completed pre-decoding.
    full event: 'Sep 25 03:31:02 96.199.212.221 [2022-09-25 05:31:09] EFW: CONN: prio=1 id=00600004 rev=1 even srccountry="" srcusername="user1" destusername="" conn=open connipproto=TCP connrecvif=WIFI_MNGMT connsrcip=10.0.99.42 connsrcport=46752 conndestif=WAN conndestzone="" conndestdevice="" connonnnewsrcport=50878 connnewdestip=183.12.121.208 connnewdestport=8080'
    timestamp: 'Sep 25 03:31:02'
    hostname: '96.199.212.221'

**Phase 2: Completed decoding.
    name: 'decoder_EFW'
    id: '00600004'
    prio: '1'
    rev: '1'
    srcusername: 'user1'

I suggest following this approach for the rest of the fields you need to decode, using the regular expression syntax documentation.

If you have any doubt do not hesitate to ask.
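As an added illustration that is not part of the thread or of Wazuh itself: the decoding chain described in the answer above, modelled in Python so it can be run without a Wazuh manager. Python's re module stands in for Wazuh's OS_Regex (an assumption; it holds for the unanchored searches and \S+ captures used here). The sample line is the one from the second logtest run (constructed here as a string constant), predecode/decode_with_siblings reproduce the two logtest phases with the thread's own patterns, and decode_all_fields/sibling_decoder_xml are my own helpers that extend the sibling pattern to every key=value field in the line.

```python
"""Model of the Wazuh decoding chain from the thread, applied to the EFW CONN line.

Python's re module stands in for Wazuh's OS_Regex (assumption: for the unanchored
searches and \\S+ captures used in the thread both behave the same).
"""
import re

# Constructed sample: the line from the thread's second logtest run (srcusername="user1").
SAMPLE_LOG = (
    'Sep 25 03:31:02 96.199.212.221 [2022-09-25 05:31:09] EFW: CONN: prio=1 id=00600004 rev=1 even '
    'srccountry="" srcusername="user1" destusername="" conn=open connipproto=TCP '
    'connrecvif=WIFI_MNGMT connsrcip=10.0.99.42 connsrcport=46752 conndestif=WAN conndestzone="" '
    'conndestdevice="" connonnnewsrcport=50878 connnewdestip=183.12.121.208 connnewdestport=8080'
)

# Phase 1 (pre-decoding): the syslog header "Mon DD HH:MM:SS hostname " is split off as
# timestamp and hostname; everything after it is the string the decoders see.
SYSLOG_HEADER = re.compile(
    r'^(?P<timestamp>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) (?P<hostname>\S+) (?P<log>.*)$'
)


def predecode(line):
    m = SYSLOG_HEADER.match(line)
    if m is None:
        return {"timestamp": None, "hostname": None, "log": line}
    return m.groupdict()


# Phase 2 as the thread builds it: a parent decoder that prematches on "EFW:" and sibling
# decoders that each run one unanchored regex and capture one field.  The quoted forms use
# \S+ exactly like the thread's regexes, so an empty value such as srccountry="" is not
# captured; that is why the thread's Phase 2 output lists srcusername but no srccountry.
PREMATCH = re.compile(r'EFW:')
SIBLING_PATTERNS = {
    "prio": r'prio=(\S+)',
    "id": r'id=(\S+)',
    "rev": r'rev=(\S+)',
    "srccountry": r'srccountry="(\S+)"',
    "srcusername": r'srcusername="(\S+)"',
}


def decode_with_siblings(log, patterns=SIBLING_PATTERNS):
    """Return the fields the thread's sibling decoders extract, or None when no prematch."""
    if PREMATCH.search(log) is None:
        return None
    fields = {}
    for name, pattern in patterns.items():
        m = re.search(pattern, log)
        if m is not None:
            fields[name] = m.group(1)
    return fields


# Generalisation for "the rest of the fields" (my helper): one pass over every key=value
# pair, keeping empty quoted values as "" instead of dropping them, plus the message class
# (the token between "EFW:" and the next ":", CONN in the sample).
KV_PAIR = re.compile(r'(\w+)=(?:"([^"]*)"|(\S*))')
MSG_CLASS = re.compile(r'EFW: (\S+):')


def decode_all_fields(log):
    if PREMATCH.search(log) is None:
        return None
    fields = {}
    m = MSG_CLASS.search(log)
    if m is not None:
        fields["efw_class"] = m.group(1)
    for m in KV_PAIR.finditer(log):
        key, quoted, bare = m.group(1), m.group(2), m.group(3)
        fields[key] = quoted if quoted is not None else bare
    return fields


def decode_line(line):
    """Full chain for one raw line: pre-decoding, then the generalised field extraction."""
    pre = predecode(line)
    return {"timestamp": pre["timestamp"], "hostname": pre["hostname"],
            "fields": decode_all_fields(pre["log"])}


def sibling_decoder_xml(field, parent="decoder_EFW", quoted=False):
    """Render one sibling decoder in the shape the thread uses, for any key=value field."""
    regex = f'{field}="(\\S+)"' if quoted else f'{field}=(\\S+)'
    return (
        f'<decoder name="{parent}">\n'
        f'    <parent>{parent}</parent>\n'
        f'    <regex>{regex}</regex>\n'
        f'    <order>{field}</order>\n'
        '</decoder>\n'
    )


if __name__ == "__main__":
    import json
    print(json.dumps(decode_line(SAMPLE_LOG), indent=2))
    print(sibling_decoder_xml("conn"))
    print(sibling_decoder_xml("destusername", quoted=True))
```

Running the block prints the fully decoded sample and two generated sibling decoders; decode_with_siblings on the same line yields exactly the four fields shown in the thread's second Phase 2 output, which makes the effect of \S+ on empty quoted values visible before the decoder is deployed.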
