how to use the tool wazuh-regex?


brandon echenique garcia

May 25, 2023, 11:13:10 AM
to Wazuh mailing list
I have a doubt about the correct use of the wazuh-regex tool;
could you teach me how to use it?

Diego Ariel Balbuena

May 25, 2023, 1:46:19 PM
to Wazuh mailing list
Hi Brandon! Thank you for sharing with the community

Please let me share the documentation for Testing decoders and rules

Wazuh logtest is a tool to test new rules and decoders and verify the current ones. You can use it with any of the following alternatives:
  • Wazuh dashboard
  • Command line tool
  • Wazuh API
With Wazuh logtest, you do the following:
  1. Input event logs.
  2. Check what decoders match them and check what fields these decoders identify.
  3. Check what alerts match the event logs.
Wazuh logtest shares the same rules engine with the Wazuh analysis module. It's based on unique sessions. Each session loads its own set of rules and decoders.

The firedtimes counters keep track of all the matching occurrences of the rules. Wazuh logtest keeps these counters throughout the duration of the session.

I hope this helps!
Diego Ariel Balbuena

brandon echenique garcia

May 25, 2023, 7:21:47 PM
to Wazuh mailing list
Hello Diego, 

I was referring to this tool:

/var/ossec/bin/wazuh-regex '<pattern>'. I want an example of what a pattern is and how to use it with the wazuh-regex tool.

Regards!

Diego Ariel Balbuena

May 26, 2023, 4:06:44 PM
to Wazuh mailing list
Hi Brandon! 

I got it. I am sorry I misunderstood you.

There is not too much information in the wazuh-regex tool documentation: https://documentation.wazuh.com/current/user-manual/reference/tools/wazuh-regex.html

The wazuh-regex tool is used to test regular expressions against log messages.

I tested it in a lab environment.
Example:
[root@wazuh-manager-master-0 /]# /var/ossec/bin/wazuh-regex '^(\d\d\d\d-\d\d-\d\d)'

2023-04-26T15:37:25.115608Z 21 Query SELECT * FROM users where username='' or 123=123 -- ' and password='a'
+OSRegex_Execute: 2023-04-26T15:37:25.115608Z 21 Query SELECT * FROM users where username='' or 123=123 -- ' and password='a'
 -Substring: 2023-04-26
+OS_Regex       : 2023-04-26T15:37:25.115608Z 21 Query SELECT * FROM users where username='' or 123=123 -- ' and password='a'

The tool will output whether the regular expression matches the log message or not.

I hope this helps!
Diego
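To show what the escapes in that pattern mean, here is an added Python emulation (not the Wazuh tool's own code) that translates the documented subset of the wazuh-regex (OS_Regex) syntax into a Python regex and runs it over the sample log line from the session above; the escape table and the helper names are assumptions based on the documented syntax, not the tool's engine.

```python
import re

# Assumed translation of the documented OS_Regex escapes into Python re classes.
# Note the two dialect quirks: '\.' means "any character", while a bare '.' is a
# literal dot; '\w' also covers '@', '-' and '_'. Repetition counts like {4} do
# not exist, which is why the thread's pattern spells out '\d\d\d\d'.
_ESCAPES = {
    "w": r"[A-Za-z0-9@_\-]",
    "W": r"[^A-Za-z0-9@_\-]",
    "d": r"[0-9]",
    "D": r"[^0-9]",
    "s": r" ",
    "S": r"[^ ]",
    "t": r"\t",
    "p": r"[()*+,\-.:;<=>?\[\]]",   # punctuation class
    ".": r".",                      # '\.' matches anything
}


def os_regex_to_python(pattern: str) -> str:
    """Translate a wazuh-regex pattern (documented subset) into a Python regex."""
    out, i = [], 0
    while i < len(pattern):
        ch = pattern[i]
        if ch == "\\" and i + 1 < len(pattern):
            nxt = pattern[i + 1]
            # Known escapes map to classes; '\*', '\+', '\(' etc. become literals.
            out.append(_ESCAPES.get(nxt, re.escape(nxt)))
            i += 2
        else:
            # Anchors, grouping, alternation and repetition keep their meaning;
            # every other character (including '.') is taken literally.
            out.append(ch if ch in "^$()|*+" else re.escape(ch))
            i += 1
    return "".join(out)


def wazuh_regex(pattern: str, log: str):
    """Emulate the tool: None when the pattern does not match, else the captured substrings."""
    m = re.search(os_regex_to_python(pattern), log)
    return None if m is None else list(m.groups())


# Constructed copy of the log line used in the session above.
LOG = ("2023-04-26T15:37:25.115608Z 21 Query SELECT * FROM users "
       "where username='' or 123=123 -- ' and password='a'")

if __name__ == "__main__":
    print(wazuh_regex(r"^(\d\d\d\d-\d\d-\d\d)", LOG))   # ['2023-04-26']
```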