Matching Rule Issue


David Adonis

Oct 19, 2025, 2:45:48 AM
to Wazuh | Mailing List
Intention:
- I am monitoring network traffic on my OpenWRT firewall. I use the nlbwmon package to monitor and export data, which I then send to a Wazuh server using rsyslog. The problem is that nlbwmon exports data in a JSON format that is not standard for Wazuh, and rsyslog just forwards this data within a standard syslog message. To fix this, I wrote an automated script to standardize the nlbwmon data. This script formats the traffic data and places it directly into the msg section of the syslog message, which rsyslog then forwards. Below is an example:

Screenshot 2025-10-18 203908.png
- Then I configured Wazuh Server to process this data:
1. Write a decoder to parse the traffic data using JSON_Decoder
Screenshot 2025-10-18 204109.png
2. Write a rule with the <decoded_as>syslog_custome</decoded_as> option to match and trigger an alert

Issue:
When I tested the rule, Wazuh didn't match and trigger an alert as I expected. It checked out correctly with logtest, though.
partial_blur (1).jpg
partial_blur (2).jpg
partial_blur (3).jpg
- As you can see, everything seems to work correctly, but there's no alert presented on the Dashboard.

- However, when I replaced the character " with \", it worked:
partial_blur (4).jpg

I hope someone can help me explain and fix this issue soon. Thanks.

Franco Giovanolli

Oct 20, 2025, 8:43:41 AM
to Wazuh | Mailing List
Hi David,

This appears to be related to JSON quote escaping.
Can you share the complete lines from the alert.json in both cases? Both with escaped quotes and without escaping them?

Regards,
Franco.

David Adonis

Oct 20, 2025, 11:00:34 AM
to Wazuh | Mailing List
Alerts.json in case 1 with ":
partial_blur (6).jpg

Alerts.json in case 2 with \":
partial_blur (7).jpg
On Monday, October 20, 2025 at 19:43:41 UTC+7, Franco Giovanolli wrote:

David Adonis

Oct 25, 2025, 1:48:36 PM
to Wazuh | Mailing List
Hello Franco Giovanolli, I've sent two log samples; could you proceed to help me fix my issue?

On Monday, October 20, 2025 at 22:00:34 UTC+7, David Adonis wrote:

Franco Giovanolli

Oct 27, 2025, 6:53:32 AM
to Wazuh | Mailing List
Hi David, sorry for the delay in my response.

Could you copy the text directly? I want to analyze why the error occurred. If you prefer, you can obfuscate the sensitive information by replacing it with random text of the same format.

Regards,
Franco

David Adonis

Oct 31, 2025, 10:51:31 AM
to Wazuh | Mailing List
Hello, this is the log from archives.json.

Log with \":
{"timestamp":"2025-10-27T07:12:39.312-0700","rule":{"level":10,"description":"Test file transfer via web service: ","id":"100009","mitre":{"id":["T1567"],"tactic":["Exfiltration"],"technique":["Exfiltration Over Web Service"]},"firedtimes":18,"mail":false,"groups":["file_transfer"," web_service"]},"agent":{"id":"000","name":"LabtainerVMware"},"manager":{"name":"LabtainerVMware"},"id":"1761574359.2864284","full_log":"Oct 27 14:12:39 OpenWrt network_flows: {\\\"family\\\": 4, \\\"proto\\\": \\\"IGMP\\\", \\\"port\\\": 0, \\\"mac\\\": \\\"00:00:00:00\\\", \\\"ip\\\": \\\"0.0.0.0\\\", \\\"conns\\\": 1, \\\"rx_bytes\\\": 0, \\\"rx_pkts\\\": 0, \\\"tx_bytes\\\": 160, \\\"tx_pkts\\\": 4, \\\"layer7\\\": \\\"IGMP\\\"}","predecoder":{"program_name":"network_flows","timestamp":"Oct 27 14:12:39","hostname":"OpenWrt"},"decoder":{"name":"syslog_custome"},"location":"0.0.0.0"}

Log with ":
{"timestamp":"2025-10-27T07:13:29.750-0700","rule":{"level":10,"description":"Test file transfer via web service: 00:00:00:00","id":"100009","mitre":{"id":["T1567"],"tactic":["Exfiltration"],"technique":["Exfiltration Over Web Service"]},"firedtimes":54,"mail":false,"groups":["file_transfer"," web_service"]},"agent":{"id":"000","name":"LabtainerVMware"},"manager":{"name":"LabtainerVMware"},"id":"1761574409.2885435","full_log":"Oct 27 14:13:29 OpenWrt network_flows: {\"family\": 4, \"proto\": \"IP\", \"port\": 0, \"mac\": \"00:00:00:00\", \"ip\": \"0.0.0.0\", \"conns\": 6, \"rx_bytes\": 0, \"rx_pkts\": 0, \"tx_bytes\": 7866, \"tx_pkts\": 23, \"layer7\": null}","predecoder":{"program_name":"network_flows","timestamp":"Oct 27 14:13:29","hostname":"OpenWrt"},"decoder":{"name":"syslog_custome"},"data":{"family":"4","proto":"IP","port":"0","mac":"00:00:00:00","ip":"0.0.0.0","conns":"6","rx_bytes":"0","rx_pkts":"0","tx_bytes":"7866","tx_pkts":"23","layer7":"null"},"location":"0.0.0.0"}

I've replaced sensitive information with zero values, the mac and ip for example.

On Monday, October 27, 2025 at 17:53:32 UTC+7, Franco Giovanolli wrote:
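An added example, not code from this thread or from Wazuh: a small Python emulation of the two outcomes visible in the archives.json records above. It splits a syslog line into the fields the predecoder fills (timestamp, hostname, program_name, message), tries to parse the message as JSON the way a JSON_Decoder-style plugin must, and checks an alert record for the data block that only appears when the payload actually parsed. The sample lines and records are constructed from the thread's placeholder values; the regex and helper names are my assumptions.

```python
import json
import re

# Constructed sample syslog lines in the shape shown in the thread (placeholder
# values). The first carries plain quotes, the second backslash-escaped quotes.
PLAIN_LINE = ('Oct 27 14:13:29 OpenWrt network_flows: {"family": 4, "proto": "IP", '
              '"mac": "00:00:00:00", "ip": "0.0.0.0", "tx_bytes": 7866, "layer7": null}')
ESCAPED_LINE = ('Oct 27 14:12:39 OpenWrt network_flows: {\\"family\\": 4, \\"proto\\": '
                '\\"IGMP\\", \\"mac\\": \\"00:00:00:00\\", \\"ip\\": \\"0.0.0.0\\", '
                '\\"tx_bytes\\": 160, \\"layer7\\": \\"IGMP\\"}')

# Constructed alert records: one where the decoder filled "data", one where it did not.
RECORD_WITH_DATA = ('{"rule":{"id":"100009"},"decoder":{"name":"syslog_custome"},'
                    '"data":{"mac":"00:00:00:00","tx_bytes":"7866"}}')
RECORD_WITHOUT_DATA = '{"rule":{"id":"100009"},"decoder":{"name":"syslog_custome"}}'

# BSD syslog header as Wazuh's predecoder sees it: "timestamp hostname program_name: msg"
# (assumed regex, written for this example)
SYSLOG_RE = re.compile(
    r'^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) (?P<prog>[^:\s]+): (?P<msg>.*)$')


def split_syslog(line):
    """Return the predecoder fields (ts, host, prog, msg) or None if the header does not match."""
    m = SYSLOG_RE.match(line)
    return m.groupdict() if m else None


def decode_payload(line):
    """Emulate a JSON_Decoder-style plugin: the message body must be a JSON object.
    Returns the parsed dict, or None when the body is not valid JSON (as with \" quoting).
    Note: the real decoder stores values as strings (the records above show "family":"4")."""
    parts = split_syslog(line)
    if parts is None:
        return None
    try:
        obj = json.loads(parts["msg"])
    except json.JSONDecodeError:
        return None
    return obj if isinstance(obj, dict) else None


def unescape_quotes(line):
    """Repair an over-escaped payload by turning \\" back into " before decoding."""
    return line.replace('\\"', '"')


def decoder_filled_data(record_line):
    """True when an alerts.json/archives.json record carries a non-empty 'data' block,
    i.e. the JSON decoder actually parsed the payload, so rules can match its fields."""
    rec = json.loads(record_line)
    data = rec.get("data")
    return isinstance(data, dict) and len(data) > 0
```

Run it against real archives.json lines to see, per record, whether the decoder produced data before looking at the rule itself.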

Franco Giovanolli

Nov 3, 2025, 7:45:00 AM
to Wazuh | Mailing List
Hi David, 

Thanks for the info. Let me check it and I'll get back to you soon.

Regards,
Franco

David Adonis

Nov 3, 2025, 3:50:05 PM
to Wazuh | Mailing List
Thank you a lot. 

On Monday, November 3, 2025 at 19:45:00 UTC+7, Franco Giovanolli wrote:

Franco Giovanolli

Nov 5, 2025, 7:43:49 AM
to Wazuh | Mailing List

Hello David, apologies for the delay.

I've tried to reproduce your case without success. Could you please tell me which version of Wazuh you're using and what installation method (Docker, VM, etc.)?

Regards,
Franco.

David Adonis

Nov 9, 2025, 6:25:13 AM
to Wazuh | Mailing List
I'm using Wazuh server 4.12.0 

On Wednesday, November 5, 2025 at 19:43:49 UTC+7, Franco Giovanolli wrote:

David Adonis

Nov 9, 2025, 6:25:13 AM
to Wazuh | Mailing List
And I installed it on VMware, on Ubuntu OS.

On Wednesday, November 5, 2025 at 19:43:49 UTC+7, Franco Giovanolli wrote: