Decoders and Rules Switch HPE 3600


wesley staenle

Dec 8, 2021, 6:30:57 AM
to Wazuh mailing list
Dear all, I would like to get the logs generated by an HP 3600 switch, but is there no decoder?


Dec  8 07:58:19 2021 SA-DC-ALL-SSC-01 %%10SHELL/4/LOGIN(t):   Trap 1.3.6.1.4.1.25506.2.2.1.1.3.0.1:supredes login from VTY
Dec  8 07:58:19 2021 SA-DC-ALL-SSC-01 %%10SHELL/5/SHELL_LOGIN(l): supredes logged in from 10.206.104.43.
Dec  8 07:58:24 2021 SA-DC-ALL-SSC-01 %%10SHELL/6/SHELL_CMD(l): -Task=vt0-IPAddr=10.206.104.43-User=supredes; Command is disp version
Dec  8 07:58:53 2021 SA-DC-ALL-SSC-01 %%10SHELL/4/LOGOUT(t):   Trap 1.3.6.1.4.1.25506.2.2.1.1.3.0.2:supredes logout from VTY
Dec  8 07:58:53 2021 SA-DC-ALL-SSC-01 %%10SHELL/6/SHELL_CMD(l): -Task=vt0-IPAddr=10.206.104.43-User=supredes; Command is quit
Dec  8 07:58:53 2021 SA-DC-ALL-SSC-01 %%10SHELL/5/SHELL_LOGOUT(l): supredes logged out from 10.206.104.43.
root@wazuh:/var/ossec/bin# ./wazuh-logtest
Starting wazuh-logtest v4.2.5
Type one log per line

Dec  8 07:58:53 2021 SA-DC-ALL-SSC-01 %%10SHELL/5/SHELL_LOGOUT(l): supredes logged out from 10.206.104.43.

logtest result:

**Phase 1: Completed pre-decoding.
        full event: 'Dec  8 07:58:53 2021 SA-DC-ALL-SSC-01 %%10SHELL/5/SHELL_LOGOUT(l): supredes logged out from 10.206.104.43.'
        timestamp: 'Dec  8 07:58:53'
        hostname: '2021'

**Phase 2: Completed decoding.
        No decoder matched.

Julián Morales

Dec 8, 2021, 2:45:17 PM
to Wazuh mailing list
Hi Wesley,

Currently Wazuh does not have a specific ruleset for the HPE 3600 Switch, but you could create it yourself by knowing the switch's logs.
There is an entry in our blog that will guide you through creating the rules and decoders (here). There is also an entry in our documentation (here) that might help you as well.
On the other hand, as can be seen in wazuh-logtest, the log is not being correctly pre-decoded, because it takes the year of the log as if it were the hostname. This is because the log does not fit the standard syslog format; it is advisable, if possible, to change the log format on the switch device to a standard one.

If you can't change the log format, and all your logs have the following format: "{month} {day} {time} SA-DC-ALL-SSC-01 %%10" you could use a decoder, as a parent decoder, like the following:

<decoder name="Switch_HPE_3600">
    <prematch>^SA-DC-ALL-SSC-01 %%10</prematch>
</decoder>


Regards,
Julian

wesley staenle

Dec 9, 2021, 11:15:41 AM
to Wazuh mailing list
Good afternoon. I changed the format of the log; can you help me create the decoder and the rule?

----

root@wazuh:/var/ossec/bin# ./wazuh-logtest
Starting wazuh-logtest v4.2.5
Type one log per line

Dec  9 13:10:25 SA-DC-ALL-SSC-01 %%10SHELL/5/SHELL_LOGIN(l): supredes logged in from 10.206.104.43.

**Phase 1: Completed pre-decoding.
        full event: 'Dec  9 13:10:25 SA-DC-ALL-SSC-01 %%10SHELL/5/SHELL_LOGIN(l): supredes logged in from 10.206.104.43.'
        timestamp: 'Dec  9 13:10:25'
        hostname: 'SA-DC-ALL-SSC-01'

**Phase 2: Completed decoding.
        name: 'hp_5500'
        action: 'SHELL_LOGIN(l)'
        id: '5'
        srcip: '10.206.104.43'
        url: 'SHELL'

**Phase 3: Completed filtering (rules).
        id: '81706'
        level: '1'
        description: 'HP 5500 EI - Notification event'
        groups: '['hp', 'hp5500', 'hp-notification']'
        firedtimes: '1'
        mail: 'False'



###############################


root@wazuh:/var/ossec/bin# ./wazuh-logtest
Starting wazuh-logtest v4.2.5
Type one log per line

Dec  9 13:10:31 SA-DC-ALL-SSC-01 %%10SHELL/6/SHELL_CMD(l): -Task=vt0-IPAddr=10.206.104.43-User=supredes; Command is disp current-configuration

**Phase 1: Completed pre-decoding.
        full event: 'Dec  9 13:10:31 SA-DC-ALL-SSC-01 %%10SHELL/6/SHELL_CMD(l): -Task=vt0-IPAddr=10.206.104.43-User=supredes; Command is disp current-configuration'
        timestamp: 'Dec  9 13:10:31'
        hostname: 'SA-DC-ALL-SSC-01'

**Phase 2: Completed decoding.
        name: 'hp_5500'
        action: 'SHELL_CMD(l)'
        id: '6'
        url: 'SHELL'

**Phase 3: Completed filtering (rules).
        id: '81707'
        level: '0'
        description: 'HP 5500 EI - Informational event'
        groups: '['hp', 'hp5500', 'hp-informational']'
        firedtimes: '1'
        mail: 'False'
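As a starting point for the decoder and rule Wesley asks for, here is an added Python example (not code from the thread or from Wazuh) that parses the HPE Comware %%10 line format shown above, including the year-bearing variant from the first post that breaks syslog pre-decoding, and builds a per-user command trail; the field names and the SAMPLE list are constructed from the thread's own log lines.

```python
import re

# Header shared by every %%10 line in the thread. The optional year group covers the
# switch's default format, which the syslog pre-decoder misreads as the hostname.
HEADER = re.compile(
    r"^(?P<month>[A-Z][a-z]{2})\s+(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d)"
    r"(?: (?P<year>\d{4}))? (?P<host>\S+) %%10(?P<module>[A-Z]+)/(?P<severity>\d)/"
    r"(?P<mnemonic>[A-Z_]+)\((?P<kind>[lt])\):\s*(?P<msg>.*)$"
)

# Message bodies per mnemonic, written from the samples in the thread (assumed layout).
BODY = {
    "SHELL_CMD": re.compile(r"^-Task=(?P<task>\S+?)-IPAddr=(?P<srcip>\S+?)-User=(?P<user>\S+?); Command is (?P<command>.+)$"),
    "SHELL_LOGIN": re.compile(r"^(?P<user>\S+) logged in from (?P<srcip>\S+?)\.?$"),
    "SHELL_LOGOUT": re.compile(r"^(?P<user>\S+) logged out from (?P<srcip>\S+?)\.?$"),
    "LOGIN": re.compile(r"^Trap (?P<oid>[\d.]+):(?P<user>\S+) login from (?P<line>\S+)$"),
    "LOGOUT": re.compile(r"^Trap (?P<oid>[\d.]+):(?P<user>\S+) logout from (?P<line>\S+)$"),
}

def parse_line(line):
    """Return the extracted fields for one Comware log line, or None if it does not match."""
    m = HEADER.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["severity"] = int(ev["severity"])   # 0 (emergency) .. 7 (debug), as in syslog
    body = BODY.get(ev["mnemonic"])
    b = body.match(ev["msg"]) if body else None
    if b:
        ev.update(b.groupdict())           # add user/srcip/command where the body is known
    return ev

def parse_lines(lines):
    """Parse a list of lines, silently skipping anything that is not a %%10 log."""
    return [ev for ev in map(parse_line, lines) if ev]

def commands_by_user(events):
    """Audit view: the commands each (user, srcip) pair ran, in order.
    This is the kind of field set a custom decoder would hand to a rule."""
    trail = {}
    for ev in events:
        if ev["mnemonic"] == "SHELL_CMD":
            trail.setdefault((ev["user"], ev["srcip"]), []).append(ev["command"])
    return trail

# Constructed from the thread: one year-bearing line and two lines in the changed format.
SAMPLE = [
    "Dec  8 07:58:19 2021 SA-DC-ALL-SSC-01 %%10SHELL/4/LOGIN(t):   Trap 1.3.6.1.4.1.25506.2.2.1.1.3.0.1:supredes login from VTY",
    "Dec  9 13:10:25 SA-DC-ALL-SSC-01 %%10SHELL/5/SHELL_LOGIN(l): supredes logged in from 10.206.104.43.",
    "Dec  9 13:10:31 SA-DC-ALL-SSC-01 %%10SHELL/6/SHELL_CMD(l): -Task=vt0-IPAddr=10.206.104.43-User=supredes; Command is disp current-configuration",
]
```

Feeding the lines from the thread through `parse_lines(SAMPLE)` shows which fields (srcip, user, command, severity) are worth extracting in the decoder before writing rules against them.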
