Rule creation for wordpress security logs


Basim Ibrahim

Nov 14, 2022, 7:08:58 AM11/14/22
to Wazuh mailing list
Hello Team,

Can someone help me with creating a decoder and rule for the log below?

The bolded values are important.

0,brute_force,invalid-login::username-admin,"a:5:{s:7:""details"";a:2:{s:6:""source"";s:12:""wp-login.php"";s:20:""authentication_types"";a:1:{i:0;s:21:""username_and_password"";}}s:4:""user"";O:8:""WP_Error"":3:{s:6:""errors"";a:1:{s:16:""invalid_username"";a:1:{i:0;s:159:""<strong>Error:</strong> The username <strong>admin</strong> is not registered on this site. If you are unsure of your username, try your email address instead."";}}s:10:""error_data"";a:0:{}s:18:""*additional_data"";a:0:{}}s:8:""username"";s:5:""admin"";s:7:""user_id"";i:0;s:6:""SERVER"";a:14:{s:20:""HTTP_ACCEPT_ENCODING"";s:4:""gzip"";s:15:""HTTP_CONNECTION"";s:5:""close"";s:12:""CONTENT_TYPE"";s:33:""application/x-www-form-urlencoded"";s:14:""CONTENT_LENGTH"";s:3:""101"";s:9:""HTTP_HOST"";s:16:""mydomain.com"";s:15:""HTTP_USER_AGENT"";s:110:""Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/57.0.2987.133 Safari/537.36"";s:14:""REQUEST_SCHEME"";s:5:""https"";s:5:""HTTPS"";s:2:""on"";s:18:""HTTP_AUTHORIZATION"";s:0:"""";s:15:""SCRIPT_FILENAME"";s:66:""/home/u491132095/domains/mydomain.com/public_html/wp-login.php"";s:15:""SERVER_PROTOCOL"";s:8:""HTTP/1.1"";s:14:""REQUEST_METHOD"";s:4:""POST"";s:18:""REQUEST_TIME_FLOAT"";d:1668425663.097939;s:12:""REQUEST_TIME"";i:1668425663;}}",notice,"2022-11-14 11:34:23","2022-11-14 11:34:23",11603352,11652512,https://mydomain.com/wp-login.php,1,0,167.172.206.144

Mariano Koremblum

Nov 14, 2022, 7:43:34 AM11/14/22
to Wazuh mailing list
Hi Basim,

Does this log always have the same format? What fields can change? I could provide you with a decoder for the log, but if its structure changes somehow, it won't work anymore.

I will be waiting for your reply,

Mariano Koremblum

Basim Ibrahim

Nov 14, 2022, 7:49:15 AM11/14/22
to Wazuh mailing list
Hi Mariano,

The first numeric value is based on the event; it is always a number.
The second word (brute_force in this case) is the attack.
The third value is the action/comment (invalid-login::username-admin, scan, clean, etc.).
The ending is the site URL along with the attacker's IP, so that's important.

These values and their placement are always the same for all logs.

Mariano Koremblum

Nov 14, 2022, 8:29:09 AM11/14/22
to Wazuh mailing list

Hi again Basim,

Please, try adding the following decoder to your /var/ossec/etc/decoders/local_decoder.xml file:

<decoder name="basim_logs">
  <prematch type="pcre2">\d+,\w+,[^,]+,"\w+:\d+:{</prematch>
</decoder>
<decoder name="basim_logs_child">
  <parent>basim_logs</parent>
  <regex type="pcre2">\d+,\w+,([^,]+),[^;]+;[^;]+;\w+:\d+:""([^"]+)"";.+",\w+,".+",".+",\d+,\d+,[^,]+,\d+,\d+,(.*)</regex>
  <order>first, second, third</order>
</decoder>

Feel free to modify the “first”, “second” and “third” capture group names to fit the field name you want to have, and the decoders' names as well.

Take into account that this will only work if the number of parameters (separated by commas) and their types always remain the same.

This is the output that I get testing your log in our wazuh-logtest tool:

# /var/ossec/bin/wazuh-logtest
Starting wazuh-logtest v4.3.9
Type one log per line

0,brute_force,invalid-login::username-admin,"a:5:{s:7:""details"";a:2:{s:6:""source"";s:12:""wp-login.php"";s:20:""authentication_types"";a:1:{i:0;s:21:""username_and_password"";}}s:4:""user"";O:8:""WP_Error"":3:{s:6:""errors"";a:1:{s:16:""invalid_username"";a:1:{i:0;s:159:""<strong>Error:</strong> The username <strong>admin</strong> is not registered on this site. If you are unsure of your username, try your email address instead."";}}s:10:""error_data"";a:0:{}s:18:""*additional_data"";a:0:{}}s:8:""username"";s:5:""admin"";s:7:""user_id"";i:0;s:6:""SERVER"";a:14:{s:20:""HTTP_ACCEPT_ENCODING"";s:4:""gzip"";s:15:""HTTP_CONNECTION"";s:5:""close"";s:12:""CONTENT_TYPE"";s:33:""application/x-www-form-urlencoded"";s:14:""CONTENT_LENGTH"";s:3:""101"";s:9:""HTTP_HOST"";s:16:""mydomain.com"";s:15:""HTTP_USER_AGENT"";s:110:""Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/57.0.2987.133 Safari/537.36"";s:14:""REQUEST_SCHEME"";s:5:""https"";s:5:""HTTPS"";s:2:""on"";s:18:""HTTP_AUTHORIZATION"";s:0:"""";s:15:""SCRIPT_FILENAME"";s:66:""/home/u491132095/domains/mydomain.com/public_html/wp-login.php"";s:15:""SERVER_PROTOCOL"";s:8:""HTTP/1.1"";s:14:""REQUEST_METHOD"";s:4:""POST"";s:18:""REQUEST_TIME_FLOAT"";d:1668425663.097939;s:12:""REQUEST_TIME"";i:1668425663;}}",notice,"2022-11-14 11:34:23","2022-11-14 11:34:23",11603352,11652512,https://mydomain.com/wp-login.php,1,0,167.172.206.144

**Phase 1: Completed pre-decoding.
    full event: '0,brute_force,invalid-login::username-admin,"a:5:{s:7:""details"";a:2:{s:6:""source"";s:12:""wp-login.php"";s:20:""authentication_types"";a:1:{i:0;s:21:""username_and_password"";}}s:4:""user"";O:8:""WP_Error"":3:{s:6:""errors"";a:1:{s:16:""invalid_username"";a:1:{i:0;s:159:""<strong>Error:</strong> The username <strong>admin</strong> is not registered on this site. If you are unsure of your username, try your email address instead."";}}s:10:""error_data"";a:0:{}s:18:""*additional_data"";a:0:{}}s:8:""username"";s:5:""admin"";s:7:""user_id"";i:0;s:6:""SERVER"";a:14:{s:20:""HTTP_ACCEPT_ENCODING"";s:4:""gzip"";s:15:""HTTP_CONNECTION"";s:5:""close"";s:12:""CONTENT_TYPE"";s:33:""application/x-www-form-urlencoded"";s:14:""CONTENT_LENGTH"";s:3:""101"";s:9:""HTTP_HOST"";s:16:""mydomain.com"";s:15:""HTTP_USER_AGENT"";s:110:""Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/57.0.2987.133 Safari/537.36"";s:14:""REQUEST_SCHEME"";s:5:""https"";s:5:""HTTPS"";s:2:""on"";s:18:""HTTP_AUTHORIZATION"";s:0:"""";s:15:""SCRIPT_FILENAME"";s:66:""/home/u491132095/domains/mydomain.com/public_html/wp-login.php"";s:15:""SERVER_PROTOCOL"";s:8:""HTTP/1.1"";s:14:""REQUEST_METHOD"";s:4:""POST"";s:18:""REQUEST_TIME_FLOAT"";d:1668425663.097939;s:12:""REQUEST_TIME"";i:1668425663;}}",notice,"2022-11-14 11:34:23","2022-11-14 11:34:23",11603352,11652512,https://mydomain.com/wp-login.php,1,0,167.172.206.144'

**Phase 2: Completed decoding.
    name: 'test'
    first: 'invalid-login::username-admin'
    second: 'wp-login.php'
    third: '167.172.206.144'

**Phase 3: Completed filtering (rules).
    id: '1002'
    level: '2'
    description: 'Unknown problem somewhere in the system.'
    groups: '['syslog', 'errors']'
    firedtimes: '1'
    gpg13: '['4.3']'
    mail: 'False'

Please, let us know if it worked :)

Mariano Koremblum


Mariano Koremblum

Nov 14, 2022, 8:33:47 AM11/14/22
to Wazuh mailing list

I am sorry, the decoder got cut, this is the complete one:

<decoder name="basim_logs">
  <prematch type="pcre2">\d+,\w+,[^,]+,"\w+:\d+:{</prematch>
</decoder>
<decoder name="basim_logs_child">
  <parent>basim_logs</parent>
  <regex type="pcre2">\d+,\w+,([^,]+),[^;]+;[^;]+;\w+:\d+:""([^"]+)"";.+",\w+,".+",".+",\d+,\d+,[^,]+,\d+,\d+,(.*)</regex>
  <order>first, second, third</order>
</decoder>

Best regards,

Mariano Koremblum
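An added example (not from the thread or from Wazuh) to exercise the child decoder's regex offline before touching local_decoder.xml, and to check Mariano's caveat that the decoder only holds while the comma-separated field layout stays fixed. It assumes the event is a CSV row with doubled-quote escaping (as the sample suggests) and that the row has 13 fields; the sample below is a constructed, shortened copy of the thread's event.

```python
import csv
import io
import re

# The child decoder's PCRE2 expression from the post, unchanged; Python's
# re engine accepts this subset of PCRE2 syntax, so results match logtest.
DECODER_REGEX = re.compile(
    r'\d+,\w+,([^,]+),[^;]+;[^;]+;\w+:\d+:""([^"]+)"";.+",\w+,".+",".+",'
    r'\d+,\d+,[^,]+,\d+,\d+,(.*)'
)

# Assumption derived from the sample row, not a documented spec of the plugin.
EXPECTED_FIELD_COUNT = 13

# Constructed sample: the thread's event with the serialized PHP blob shortened.
SAMPLE_LOG = (
    '0,brute_force,invalid-login::username-admin,'
    '"a:5:{s:7:""details"";a:2:{s:6:""source"";s:12:""wp-login.php"";'
    's:20:""authentication_types"";a:1:{i:0;s:21:""username_and_password"";}}'
    's:8:""username"";s:5:""admin"";}",notice,"2022-11-14 11:34:23",'
    '"2022-11-14 11:34:23",11603352,11652512,'
    'https://mydomain.com/wp-login.php,1,0,167.172.206.144'
)


def decode_wp_event(line):
    """Apply the decoder regex as wazuh-logtest would; None when it does not match."""
    m = DECODER_REGEX.search(line)
    if m is None:
        return None
    return {"first": m.group(1), "second": m.group(2), "third": m.group(3)}


def csv_fields(line):
    """Split the row as CSV: a doubled quote inside a quoted field is a literal quote."""
    return next(csv.reader(io.StringIO(line)))


def field_count_ok(line):
    """Layout check for the caveat: the decoder is only trustworthy on 13-field rows."""
    return len(csv_fields(line)) == EXPECTED_FIELD_COUNT


if __name__ == "__main__":
    print(decode_wp_event(SAMPLE_LOG))
    print("layout ok:", field_count_ok(SAMPLE_LOG))
```

Note that appending an extra field does not make the regex fail; the trailing `(.*)` silently swallows it into `third`, which is why the field-count check is worth running on a new sample before trusting the captured IP.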
