Disable IIS decoders
George Paun
Bony V John
Bony V John
This configuration must be added inside the <ruleset> tag, and you need to specify the exact default decoder file name in <decoder-file-name>.xml.
However, in your case, you are talking about disabling a default decoder file, and it seems you are referring to 0380-windows_decoders.xml. This file contains multiple decoders, not just a single one.
In this situation, I recommend the following approach instead of disabling the entire decoder file directly:
1. Copy the default decoder file to the local decoders directory
2. Edit the copied decoder file (modify only required decoders and don't change the parent decoders names)
vi /var/ossec/etc/decoders/local-windows_decoders.xml
3. Next, change the file permission of the custom decoder file.
chmod 660 /var/ossec/etc/decoders/ local-windows_decoders.xml
chown wazuh:wazuh /var/ossec/etc/decoders/local-windows_decoders.xml
4. After that go to the manager’s ossec.conf
vi /var/ossec/etc/ossec.conf
Under the
<ruleset>
5. Add this line to exclude the default decoder file.
<decoder_exclude>ruleset/decoders/0380-windows_decoders.xml</decoder_exclude>
6. Now restart the Wazuh manager.
systemctl restart wazuh-manager
Check this document to learn more about modifying the existing decoder:
https://documentation.wazuh.com/current/user-manual/ruleset/decoders/custom.html#modify-default-decoders
George Paun
Bony V John
I have already gone through the decoder file you shared, and I provided the updated decoder file in my previous response. In the decoder file you shared, there were newline characters inside the <order> tag, which caused the issue. I have corrected that in the updated decoder and shared it with you.
Additionally, I would like to suggest not replacing the entire default decoder file 0380-windows_decoders.xml with the custom decoder you shared. Replacing the full default decoder file can affect default rule dependencies and may cause the Wazuh manager to fail when those default decoders are excluded.
Instead, I recommend following the steps I shared earlier:
-
Copy the default 0380-windows_decoders.xml file to a custom decoder file.
-
Modify the required decoder or add your new custom decoder in the copied file.
-
If needed, adjust the existing decoder regex in that copied file based on your requirements.
This approach ensures that default rule dependencies remain intact and avoids stability issues on the Wazuh manager.
You can refer to the Wazuh decoder syntax documentation for creating or modifying decoders.
Please let me know if you have any further questions.
George Paun
Bony V John
Hi,
Based on the shared ossec.conf file on the Wazuh agent, the configuration is correct. Also, the log you shared is from the archives log file on the Wazuh Manager, which confirms that the events are being ingested into the Wazuh Manager for analysis.
The reason the alerts are not being triggered based on your rule is that this is a Windows Event Channel log. For Event Channel logs, a custom decoder is not required, because Wazuh already has a default built-in decoder for Windows Event Channel events. So there is no need to create a custom decoder for this.
Also, the event is already being decoded and is matching a default Wazuh rule with rule ID 60009. Because of that rule’s level, it is not being shown on the dashboard, since rules with a level below 3 are not displayed there.
So, I modified your custom rule as a child rule of rule ID 60009, so it can analyze the events correctly and trigger alerts when the conditions are matched.
You can try the updated rule below on your end and check whether it is triggering alerts:
<rule id="140000" level="3">
<if_sid>60009</if_sid>
<description>IIS logging event detected.</description>
<group>iis,web</group>
</rule>
<rule id="140001" level="5">
<if_sid>140000</if_sid>
<field name="win.eventdata.cs-method">GET</field>
<description>IIS GET request detected</description>
<group>iis,web</group>
</rule>
<rule id="140002" level="5">
<if_sid>140000</if_sid>
<field name="win.eventdata.cs-method">POST</field>
<description>IIS POST request detected</description>
<group>iis,web</group>
</rule>
</group>
I replaced the <match> tag with the <field> tag so the field name and value are matched more accurately, which helps avoid unwanted mismatches.
You can refer to the Wazuh rules syntax documentation for more details about custom rule creation.
After applying the rules, restart the Wazuh Manager service:
Then trigger the event again on the endpoint and check whether the alerts are being generated.
Since this is a Windows Event Channel log, you cannot test it directly using the Wazuh logtest tool.
George Paun
George Paun
Bony V John
Hi,
Please do not disable the 0380-windows_decoders.xml decoder, as it may affect the analysis of other events and it is not recommended to disable it.
Instead, it is better to use the default Windows Event Channel decoder, and it appears that the URL is already being decoded by the default Windows Event Channel log decoder in the field win.eventdata.csReferer.
Please try the updated custom rule I shared earlier and check if it works correctly.
Regarding rules 60010 and 60011, these correspond to Windows Event Channel warning and error severity rules. Please ensure that these are the correct parent rule IDs for your requirement by verifying them using the logtest tool.
Please let me know if you need any further assistance, and also share the sample logs with us so we can review them from our end.
George Paun
--
You received this message because you are subscribed to a topic in the Google Groups "Wazuh | Mailing List" group.
To unsubscribe from this topic, visit https://groups.google.com/d/topic/wazuh/YGxAeMRK5KI/unsubscribe.
To unsubscribe from this group and all its topics, send an email to wazuh+un...@googlegroups.com.
To view this discussion visit https://groups.google.com/d/msgid/wazuh/ee539d26-b5c1-4978-889e-03b98a79e5cfn%40googlegroups.com.