Decoders and Rules for Trend Micro TippingPoint


KnaT

May 5, 2023, 4:17:49 AM
to Wazuh mailing list
Hi Everyone,

Does anyone have an example of decoders and rules for Trend Micro TippingPoint IPS?
The default log of that device includes "enter" (line breaks), so I don't know how to decode it.

These are the log examples:

BVB-TRENDMICRO-SMS CEF:0|TippingPoint|UnityOne|1.0.0.17|12451|12451: DHCP: Dynamic Host Configuration Protocol|1
 |app=UDP cnt=1 dst=255.255.255.255 dpt=67
act=Block cn1=52 cn1Label=VLAN ID cn2=67438333
cn2Label=Taxonomy cn3=0 cn3Label=Packet Trace cs1=HATANG-OUT
cs1Label=Profile Name cs2=6a51ff13-847e-43d7-b7d6-dd8f11eb8cc9 cs2Label=Policy UUID cs3=00000001-0001-0001-0001-000000012451
cs3Label=Signature UUID cs4=0 cs4Label=DeviceSegment
cs5=BVB-TRENDMICRO-SMS cs5Label=SMS Name dvchost=DC-IPS-TPS2200T-02 cs6=  
cs6Label=Filter Message Parms srcip=10.33.5.86 spt=68
externalId=48509293 rt=1682476530849 cat=Security Policy proto=UDP
deviceInboundInterface=16 c6a2= c6a2Label=Source
IPv6 c6a3= c6a3Label=Destination IPv6 request=
requestMethod= dhost= sourceTranslatedAddress=10.33.5.86
c6a1= c6a1Label=Client IPv6 suser= sntdom=
duser= dntdom=


I have created a decoder for that log like below:


<!-- Parent decoder: every line of the event must carry this literal to be
     handed to the child decoders below. -->
<decoder name="trend_micro_IPS">
    <prematch>BVB-TRENDMICRO-SMS</prematch>
</decoder>

<!-- CEF header: vendor|product|version|signature id|name. In Wazuh regex
     syntax "\." matches any character, so "(\.+)" captures a whole field. -->
<decoder name="trend_micro_IPS_UnityOne">
    <parent>trend_micro_IPS</parent>
    <regex>BVB-TRENDMICRO-SMS CEF:0\|(\.+)\|(\.+)\|(\.+)\|(\d+)\|(\.+)\|</regex>
    <order>application,productname,version,event.id,event.name</order>
</decoder>

<!-- Sibling child decoders (same name, same parent) are each tried and
     extract one CEF extension key. -->
<decoder name="trend_micro_IPS_UnityOne">
    <parent>trend_micro_IPS</parent>
    <regex>dvchost=(\S+)</regex>
    <order>dvcshost</order>
</decoder>
<decoder name="trend_micro_IPS_UnityOne">
    <parent>trend_micro_IPS</parent>
    <regex>act=(\S+)</regex>
    <order>action</order>
</decoder>


And this is the wazuh-logtest result:


**Phase 1: Completed pre-decoding.
    full event: 'BVB-TRENDMICRO-SMS CEF:0|TippingPoint|UnityOne|1.0.0.17|12451|12451: DHCP: Dynamic Host Configuration Protocol|1'

**Phase 2: Completed decoding.
    name: 'trend_micro_IPS'
    application: 'TippingPoint'
    event.id: '12451'
    event.name: '12451: DHCP: Dynamic Host Configuration Protocol'
    productname: 'UnityOne'
    version: '1.0.0.17'

**Phase 3: Completed filtering (rules).
    id: '200807'
    level: '4'
    description: 'Trend Micro IPS Log detected.'
    groups: '["cef_trend_micro","ocse"]'
    firedtimes: '1'
    mail: 'false'
**Alert to be generated.

**Phase 1: Completed pre-decoding.
    full event: ' |app=UDP cnt=1 dst=255.255.255.255 dpt=67'

**Phase 2: Completed decoding.
    No decoder matched.

**Phase 1: Completed pre-decoding.
    full event: 'act=Block cn1=52 cn1Label=VLAN ID cn2=67438333 '

**Phase 2: Completed decoding.
    No decoder matched.

**Phase 1: Completed pre-decoding.
    full event: 'cn2Label=Taxonomy cn3=0 cn3Label=Packet Trace cs1=HATANG-OUT '

**Phase 2: Completed decoding.
    No decoder matched.

**Phase 1: Completed pre-decoding.
    full event: 'cs1Label=Profile Name cs2=6a51ff13-847e-43d7-b7d6-dd8f11eb8cc9 cs2Label=Policy UUID cs3=00000001-0001-0001-0001-000000012451 '

**Phase 2: Completed decoding.
    No decoder matched.

**Phase 1: Completed pre-decoding.
    full event: 'cs3Label=Signature UUID cs4=0 cs4Label=DeviceSegment '

**Phase 2: Completed decoding.
    No decoder matched.

**Phase 1: Completed pre-decoding.
    full event: 'cs5=BVB-TRENDMICRO-SMS cs5Label=SMS Name dvchost=DC-IPS-TPS2200T-02 cs6= '

**Phase 2: Completed decoding.
    name: 'trend_micro_IPS'
    dvcshost: 'DC-IPS-TPS2200T-02'

**Phase 3: Completed filtering (rules).
    id: '200807'
    level: '4'
    description: 'Trend Micro IPS Log detected.'
    groups: '["cef_trend_micro","ocse"]'
    firedtimes: '2'
    mail: 'false'
**Alert to be generated.

**Phase 1: Completed pre-decoding.
    full event: 'cs6Label=Filter Message Parms srcip=10.33.5.86 spt=68 '

**Phase 2: Completed decoding.
    No decoder matched.

**Phase 1: Completed pre-decoding.
    full event: 'externalId=48509293 rt=1682476530849 cat=Security Policy proto=UDP '

**Phase 2: Completed decoding.
    No decoder matched.

**Phase 1: Completed pre-decoding.
    full event: 'deviceInboundInterface=16 c6a2= c6a2Label=Source '

**Phase 2: Completed decoding.
    No decoder matched.

**Phase 1: Completed pre-decoding.
    full event: 'IPv6 c6a3= c6a3Label=Destination IPv6 request= '

**Phase 2: Completed decoding.
    No decoder matched.

**Phase 1: Completed pre-decoding.
    full event: 'requestMethod= dhost= sourceTranslatedAddress=10.33.5.86 '

**Phase 2: Completed decoding.
    No decoder matched.

**Phase 1: Completed pre-decoding.
    full event: 'c6a1= c6a1Label=Client IPv6 suser= sntdom= '

**Phase 2: Completed decoding.
    No decoder matched.

**Phase 1: Completed pre-decoding.
    full event: 'duser= dntdom='

**Phase 2: Completed decoding.
    No decoder matched.


It works for the first row, which begins with the pattern in the regex above, but it cannot decode the rows below it.


Please help me. Thanks!




Gonzalo Membrillo Solbes

May 5, 2023, 10:04:30 AM
to Wazuh mailing list
Hello,

In this case, the problem you are facing is that testing a multi-line log is impossible. You would have to make it into a single line in order to test it. You can still make rules and decoders for them, however. To do this, you need to identify the file that the agent is pulling the logs from. Once you have identified the file, you need to change the log format to multi-line:14. This is because the log you shared has 14 different lines so, if you don't do this, each line gets analyzed as a separate log.
[screenshot: Captura de pantalla 2023-05-05 155937.png]
Once you do this, save the configuration on the agent and see if you start receiving alerts. I used the decoders you shared and obtained the following results:
[screenshot: Captura de pantalla 2023-05-05 160111.png]
If you look at the full_log, you can see that the entire log is decoded as a single event and some fields not present on the first line are being properly obtained.

Keep in mind that this will only work if the logs have a consistent number of lines. If you have a variable number of lines, you will have to use the multi-line-regex option.
For more information regarding this, check out our documentation on the topic: https://documentation.wazuh.com/current/user-manual/reference/ossec-conf/localfile.html#log-format

I hope you find this helpful. Feel free to let us know if you need anything else.

Best regards,
Gonzalo
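The localfile setting described in the reply above, written out as an added example (it is not part of the original reply or of the Wazuh documentation): the first block is the fixed-count form for the 14-line TippingPoint event, the second the multi-line-regex form for a variable number of lines. The path /var/log/tippingpoint/sms.log is assumed; use the file the device actually writes to.

```xml
<!-- ossec.conf fragment on the agent (or manager) that reads the
     TippingPoint log file. Path is an assumption for this example. -->
<ossec_config>

  <!-- Fixed line count: every 14 physical lines are joined into one
       event before decoding, so the decoders from the first post see the
       whole CEF record (header plus extension keys) as a single string. -->
  <localfile>
    <log_format>multi-line:14</log_format>
    <location>/var/log/tippingpoint/sms.log</location>
  </localfile>

  <!-- Variable line count: a new event starts at every line that begins
       with the SMS name and the CEF header; all following lines belong to
       that event until the next such line. replace="wspace" joins the
       lines with a space so "key=value" pairs stay separated. -->
  <localfile>
    <log_format>multi-line-regex</log_format>
    <multiline_regex match="start" replace="wspace">^BVB-TRENDMICRO-SMS CEF:0</multiline_regex>
    <location>/var/log/tippingpoint/sms.log</location>
  </localfile>

</ossec_config>
```

Only one of the two localfile blocks should be active for a given file; after restarting the agent, the full_log of the alert should show the whole record on one line.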

KnaT

May 7, 2023, 11:23:51 PM
to Wazuh mailing list
Hi Gonzalo,
Thanks for supporting me.
The logs above are from a physical device (IPS) and I have configured the device to send logs to the wazuh-manager. For now, all logs are sent to archive.log, so if I change the log format of this log file, it could affect other logs from other agents (also other devices).
How can I redirect the logs to another file like you did above? e.g. /var/ossec/logs/IPS.log

Thanks!

KnaT

May 8, 2023, 10:12:03 PM
to Wazuh mailing list
Hi Gonzalo,
Any update?
Waiting for your response soon.

Best regards,
TA

Gonzalo Membrillo Solbes

May 29, 2023, 1:21:38 AM
to Wazuh mailing list
Hello,

Sorry for the delayed response. To be able to answer that question, I would need to know how the devices are communicating with Wazuh. Is it via Syslog or is it some other way? In most cases, external devices will report to a log file stored within /var/log/<device-name>. External devices cannot send logs directly into the manager since it only accepts messages from registered Wazuh agents. Verify the configuration of your devices and let me know where and how these devices report to.

Regards,
Gonzalo