I have a pfSense router/firewall that I wanted to get alerts for all 'DHCPACK' lines.
I temporarily turned on 'logall' for regular and json events. Checked archives.json, found the relevant entry, and the 'full_log' field contains:
Mar 13 15:19:43 dhcpd[7416]: DHCPACK on 10.10.10.77 to 56:8d:3d:8f:0c:90 via mvneta0.4091
I originally was trying archives.log and was seeing a completely different format:
2023 Mar 13 22:19:43 ubuntusrvwazuhtest1->10.10.10.253 Mar 13 15:19:43 dhcpd[7416]: DHCPACK on 10.10.10.77 to 56:8d:3d:8f:0c:90 via mvneta0.4091
And I was trying to base my decoder off of that, very unsuccessfully. Anyway, once I went by the log in archives.json, that's when I eventually found success.
So a quick side question - should I only always use archives.json? Because I thought that somewhere in the documentation it says to look at archives.log.
Anyway, so following are my current decoder and rules files.
local_decoder.xml:
<decoder name="SGPfsense">
  <prematch>\w\w\w \w\w \d\d\p\d\d\p\d\d</prematch>
</decoder>
<decoder name="SGPfsense">
  <parent>SGPfsense</parent>
  <regex>(DHCP\w+) on (\d+.\d+.\d+.\d+) to (\w\w:\w\w:\w\w:\w\w:\w\w:\w\w)</regex>
  <order>dhcpreqorack,ipassigned,tomacaddress</order>
</decoder>
local_rules.xml:
<rule id="100010" level="3">
  <decoded_as>SGPfsense</decoded_as>
  <field name="dhcpreqorack">DHCPACK</field>
  <description>SG - IP address $(ipassigned) assigned to $(tomacaddress)</description>
</rule>
Well, this works fine, I'm getting actual alerts as expected. And just for reference, here's what I get with wazuh-logtest:
Starting wazuh-logtest v4.3.10
Type one log per line
Mar 29 15:10:56 dhcpd[3246]: DHCPACK on 10.10.10.65 to 84:98:66:ca:f5:e3 (Galaxy-Tab-A) via mvneta0.4091
**Phase 1: Completed pre-decoding.
full event: 'Mar 29 15:10:56 dhcpd[3246]: DHCPACK on 10.10.10.65 to 84:98:66:ca:f5:e3 (Galaxy-Tab-A) via mvneta0.4091'
timestamp: 'Mar 29 15:10:56'
hostname: 'dhcpd[3246]:'
**Phase 2: Completed decoding.
name: 'SGPfsense'
dhcpreqorack: 'DHCPACK'
ipassigned: '10.10.10.65'
tomacaddress: '84:98:66:ca:f5:e3'
**Phase 3: Completed filtering (rules).
id: '100010'
level: '3'
description: 'SG - IP address 10.10.10.65 assigned to 84:98:66:ca:f5:e3'
groups: '['SG']'
firedtimes: '1'
mail: 'False'
**Alert to be generated.
Wonderful.
Now finally to my main point. The reason I'm posting this is that I wanted to drill down and get the regular expression for that log more specific (I recall reading somewhere on the Wazuh documentation that you should be as explicit as possible so that logs and decoders don't get mixed up).
I've tried all the below variations to match the log better:
\w\w\w \w\w \d\d\p\d\d\p\d\d dhcpd
\w\w\w \w\w \d\d\p\d\d\p\d\d dhcpd\p
\w\w\w \w\w \d\d\p\d\d\p\d\d \w+
\w\w\w \w\w \d\d\p\d\d\p\d\d \w+\p
\w\w\w \w\w \d\d\p\d\d\p\d\d \w+\p\d+
\w\w\w \w\w \d\d\p\d\d\p\d\d \w+\p\d+\p
\w\w\w \w\w \d\d\p\d\d\p\d\d \w+\p\d+\p:
\w\w\w \w\w \d\d\p\d\d\p\d\d \w+\p\w+\p:
\w\w\w \w\w \d\d\p\d\d\p\d\d \w+\p\w+\p+
But they all end up giving me the following in wazuh-logtest:
Starting wazuh-logtest v4.3.10
Type one log per line
Mar 29 15:10:56 dhcpd[3246]: DHCPACK on 10.10.10.65 to 84:98:66:ca:f5:e3 (Galaxy-Tab-A) via mvneta0.4091
**Phase 1: Completed pre-decoding.
full event: 'Mar 29 15:10:56 dhcpd[3246]: DHCPACK on 10.10.10.65 to 84:98:66:ca:f5:e3 (Galaxy-Tab-A) via mvneta0.4091'
timestamp: 'Mar 29 15:10:56'
hostname: 'dhcpd[3246]:'
**Phase 2: Completed decoding.
No decoder matched.
I'm very new to regular expressions, but I feel like those should all work, according to:
https://documentation.wazuh.com/current/user-manual/ruleset/ruleset-xml-syntax/regex.html
So, I guess my question is why don't any of the above variations work?
And a kind of side question, but very much related: why doesn't this work:
\w\w\w \d\d
but this does:
\w\w\w \w\w
I thought that \d would match anything between 0 and 9. And from my sample log, you'll notice that what the \d\d represents is 29, which are digits. So why doesn't that match, but \w\w does?
Thank you,
Jamie
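An added illustration (not part of the post, and not Wazuh's own engine): the wazuh-logtest output above shows Phase 1 pulling 'Mar 29 15:10:56' out as the timestamp and 'dhcpd[3246]:' as the hostname. Assuming, as this example does, that decoders are then matched against the remainder of the line rather than the full line, running the post's patterns with an approximate translation of the OSSEC regex classes shows why the 'working' prematch actually hits "ACK on 10.10.10", why every longer variant fails, and why \w\w\w \d\d never sees "Mar 29".

```python
import re

# Constructed from the wazuh-logtest session quoted in the post.
FULL_LOG = ("Mar 29 15:10:56 dhcpd[3246]: DHCPACK on 10.10.10.65 "
            "to 84:98:66:ca:f5:e3 (Galaxy-Tab-A) via mvneta0.4091")
# Rough stand-in for the pre-decoder (assumption): BSD syslog timestamp + one token,
# matching the timestamp/hostname split reported in Phase 1 of the logtest output.
SYSLOG_HEADER = re.compile(r"^\w{3} [ \d]\d \d\d:\d\d:\d\d \S+ ")

# Approximate mapping of OSSEC/Wazuh regex classes to Python re; \p = punctuation.
OSSEC_CLASSES = {
    "w": r"[A-Za-z0-9_]",
    "d": r"[0-9]",
    "s": r" ",
    "p": r"""[()*+,\-.:;<=>?\[\]!"'#$%&@|^_`{}~]""",
}

def ossec_to_python(pattern: str) -> str:
    """Translate the subset of OSSEC regex syntax used in the post into Python re."""
    out, i = [], 0
    while i < len(pattern):
        c = pattern[i]
        if c == "\\" and i + 1 < len(pattern):
            nxt = pattern[i + 1]
            out.append(OSSEC_CLASSES.get(nxt, re.escape(nxt)))  # \. -> literal dot
            i += 2
        else:
            out.append(c if c in ".+*^$()|" else re.escape(c))  # bare . = any char
            i += 1
    return "".join(out)

def strip_syslog_header(log: str) -> str:
    return SYSLOG_HEADER.sub("", log, count=1)

def ossec_search(pattern: str, text: str):
    """Unanchored search, like a prematch without ^; returns the matched text or None."""
    m = re.search(ossec_to_python(pattern), text)
    return m.group(0) if m else None

def results(log: str = FULL_LOG) -> dict:
    """pattern -> (match against the full line, match against the header-stripped message)."""
    patterns = [
        r"\w\w\w \w\w \d\d\p\d\d\p\d\d",           # the prematch that 'works'
        r"\w\w\w \w\w \d\d\p\d\d\p\d\d dhcpd",     # 'No decoder matched'
        r"\w\w\w \w\w \d\d\p\d\d\p\d\d \w+\p\d+\p:",
        r"\w\w\w \d\d",                            # 'No decoder matched'
        r"\w\w\w \w\w",                            # 'works'
        r"^DHCP\w+ on \d+.\d+.\d+.\d+",            # anchored to the message itself
    ]
    msg = strip_syslog_header(log)
    return {p: (ossec_search(p, log), ossec_search(p, msg)) for p in patterns}

if __name__ == "__main__":
    for p, (full, body) in results().items():
        print(f"{p!r:48} full={full!r:34} message={body!r}")
```

Every pattern matches the raw line, which is the intuition in the post; only the header-stripped message reproduces the logtest results, and the last, anchored pattern shows a prematch written against that message instead of the header.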