Decoder and Rule for SEP


chachab

Aug 16, 2022, 9:39:08 AM
to Wazuh mailing list
Hello Team,

I created a syslog forward for SEP and, when I cat the /var/ossec/logs/archives/archives.log file, I am able to see the SEP logs. But I know there is no decoder and rule for SEP, which is why I can't see them on the Dashboard. Could anyone please help me construct the rule and decoder for the logs below?


2022 Aug 16 10:23:10 serverAV->/var/log/syslog Aug 16 10:08:12 serverAV SymantecServer: Workstation-6B-D-06,Event Description: [SID: 31350] Malicious Site: Malicious Domain Request 22 attack blocked. Traffic has been blocked for this application: C:\PROGRAM FILES (X86)\GOOGLE\CHROME\APPLICATION\CHROME.EXE,Event Type: ,Local Host IP: 10.111.26.29,Local Host MAC: 000000000000,Remote Host Name: ,Remote Host IP: 192.243.61.227,Remote Host MAC: 000000000000,Inbound,TCP,,Begin: 2022-08-16 10:06:01,End Time: 2022-08-16 10:06:01,Occurrences: 1,Application: C:/PROGRAM FILES (X86)/GOOGLE/CHROME/APPLICATION/CHROME.EXE,Location: Default,User Name: ally.ally,Domain Name: TEST,Local Port: 50827,Remote Port: 443,CIDS Signature ID: 31350,CIDS Signature string: Malicious Site: Malicious Domain Request 22,CIDS Signature SubID: 68276,Intrusion URL: https://ef9i0f3oev47.com,Intrusion Payload URL: ,SHA-256: C00D3779E15E5EC55CFC256768CEDE0BD4F4D5DD377EDD80956FE53D2F14B5DC,MD-5: ,Intensive Protection Level: N/A,URL Risk: N/A,URL Category: N/A
2022 Aug 16 10:23:10 serverAV->/var/log/syslog Aug 16 10:16:52 serverAV SymantecServer: Workstation-4A-D-05,Event Description: [SID: 31350] Malicious Site: Malicious Domain Request 22 attack blocked. Traffic has been blocked for this application: C:\PROGRAM FILES (X86)\MOZILLA FIREFOX\FIREFOX.EXE,Event Type: ,Local Host IP: 10.111.26.38,Local Host MAC: 000000000000,Remote Host Name: ,Remote Host IP: 139.45.197.251,Remote Host MAC: 000000000000,Inbound,TCP,,Begin: 2022-08-16 10:15:35,End Time: 2022-08-16 10:15:35,Occurrences: 1,Application: C:/PROGRAM FILES (X86)/MOZILLA FIREFOX/FIREFOX.EXE,Location: Default,User Name: betta.betta,Domain Name: TEST,Local Port: 54946,Remote Port: 443,CIDS Signature ID: 31350,CIDS Signature string: Malicious Site: Malicious Domain Request 22,CIDS Signature SubID: 68276,Intrusion URL: https://jouteetu.net,Intrusion Payload URL: ,SHA-256: 4B1A47DAE58300D753488ECF13EBCA28C8FA0D5C9111ED4EC5749E3E8E837526,MD-5: ,Intensive Protection Level: N/A,URL Risk: N/A,URL Category: N/A
2022 Aug 16 10:23:10 serverAV->/var/log/syslog Aug 16 10:16:52 serverAV SymantecServer: Workstation-4A-D-05,Event Description: The client will block traffic from IP address 139.45.197.251 for the next 600 seconds (from 16/08/2022 10:15:48 to 16/08/2022 10:25:48).  ,Event Type: ,Local Host IP: 10.111.26..38,Local Host MAC: 000000000000,Remote Host Name: ,Remote Host IP: 139.45.197.251,Remote Host MAC: 000000000000,Inbound,OTHERS,,Begin: 2022-08-16 10:15:48,End Time: 2022-08-16 10:25:48,Occurrences: 1,Application: ,Location: Default,User Name: renalda.christian,Domain Name: TEST,Local Port: 0,Remote Port: 0,CIDS Signature ID: 0,CIDS Signature string: ,CIDS Signature SubID: 0,Intrusion URL: ,Intrusion Payload URL: ,SHA-256: ,MD-5: ,Intensive Protection Level: N/A,URL Risk: N/A,URL Category: N/A
2022 Aug 16 10:23:10 serverAV->/var/log/syslog Aug 16 10:16:52 serverAV SymantecServer: Workstation-4A-D-05,Event Description: [SID: 31414] Web Attack: Unwanted Browser Notification Website 30 attack blocked. Traffic has been blocked for this application: C:\PROGRAM FILES (X86)\MOZILLA FIREFOX\FIREFOX.EXE,Event Type: ,Local Host IP: 10.111.26.38,Local Host MAC: 000000000000,Remote Host Name: ,Remote Host IP: 139.45.197.250,Remote Host MAC: 000000000000,Inbound,TCP,,Begin: 2022-08-16 10:15:35,End Time: 2022-08-16 10:15:35,Occurrences: 1,Application: C:/PROGRAM FILES (X86)/MOZILLA FIREFOX/FIREFOX.EXE,Location: Default,User Name: mody.mody,Domain Name: TEST,Local Port: 54963,Remote Port: 443,CIDS Signature ID: 31414,CIDS Signature string: Web Attack: Unwanted Browser Notification Website 30,CIDS Signature SubID: 70706,Intrusion URL: https://lolsefti.com,Intrusion Payload URL: ,SHA-256: 4B1A47DAE58300D753488ECF13EBCA28C8FA0D5C9111ED4EC5749E3E8E837526,MD-5: ,Intensive Protection Level: N/A,URL Risk: N/A,URL Category: N/A
2022 Aug 16 10:23:10 serverAV->/var/log/syslog Aug 16 10:16:52 serverAV SymantecServer: Workstation-4A-D-05,Event Description: The client will block traffic from IP address 139.45.197.250 for the next 600 seconds (from 16/08/2022 10:15:49 to 16/08/2022 10:25:49).  ,Event Type: ,Local Host IP: 10.111.26..38,Local Host MAC: 000000000000,Remote Host Name: ,Remote Host IP: 139.45.197.250,Remote Host MAC: 000000000000,Inbound,OTHERS,,Begin: 2022-08-16 10:15:49,End Time: 2022-08-16 10:25:49,Occurrences: 1,Application: ,Location: Default,User Name: renalda.christian,Domain Name: TEST,Local Port: 0,Remote Port: 0,CIDS Signature ID: 0,CIDS Signature string: ,CIDS Signature SubID: 0,Intrusion URL: ,Intrusion Payload URL: ,SHA-256: ,MD-5: ,Intensive Protection Level: N/A,URL Risk: N/A,URL Category: N/A
2022 Aug 16 10:23:10 serverAV->/var/log/syslog Aug 16 10:14:52 serverAV SymantecServer: Workstation-L-12A-16,Event Description: The client will block traffic from IP address 10.200.208.90 for the next 600 seconds (from 8/16/2022 10:14:04 AM to 8/16/2022 10:24:04 AM).  ,Event Type: ,Local Host IP: 10.100.112.26,Local Host MAC: 00E04C360F70,Remote Host Name: ,Remote Host IP: 10.200.208.90,Remote Host MAC: C4B36A7123C8,Inbound,OTHERS,,Begin: 2022-08-16 10:14:04,End Time: 2022-08-16 10:24:04,Occurrences: 1,Application: ,Location: Default,User Name: User,Domain Name: Workstation-L-12A-1,Local Port: 0,Remote Port: 0,CIDS Signature ID: 0,CIDS Signature string: ,CIDS Signature SubID: 0,Intrusion URL: ,Intrusion Payload URL: ,SHA-256: ,MD-5: ,Intensive Protection Level: N/A,URL Risk: N/A,URL Category: N/A

Lucio Donda

Aug 17, 2022, 7:32:50 AM
to Wazuh mailing list
This answer was copied here because the question was a duplicate and was first handled in the Slack channel.

With this Regular Expression
/^(\d{4} \w{3} \d{2} \d{2}:\d{2}:\d{2}) .*serverAV SymantecServer: (\w+-\w*-\w*-\w*),Event Description: (.*),Event Type:.*,Local Host IP: (\d*.\d*.\d*.\d*.),.*,Remote Host IP: (\d*.\d*.\d*.\d*.),.*MAC: \d*,(\w*),(TCP|UDP|OTHERS),.*Intrusion URL:(.*),SHA-256: (\w*)/gm
I managed to match the 6 events, with a couple of doubts:
There are a couple of IPs with the wrong format (Local Host IP: 10.111.26..38); did you change the logs before sharing them?
Is the protocol supposed to have only 3 values (TCP, UDP and OTHER)?

After that I checked the first log with wazuh-logtest, and the response was:
**Phase 1: Completed pre-decoding.    full event: 'Aug 16 10:08:12 serverAV SymantecServer: Workstation-6B-D-06,Event Description: [SID: 31350] Malicious Site: Malicious Domain Request 22 attack blocked. Traffic has been blocked for this application: C:\PROGRAM FILES (X86)\GOOGLE\CHROME\APPLICATION\CHROME.EXE,Event Type: ,Local Host IP: 10.111.26.29,Local Host MAC: 000000000000,Remote Host Name: ,Remote Host IP: 192.243.61.227,Remote Host MAC: 000000000000,Inbound,TCP,,Begin: 2022-08-16 10:06:01,End Time: 2022-08-16 10:06:01,Occurrences: 1,Application: C:/PROGRAM FILES (X86)/GOOGLE/CHROME/APPLICATION/CHROME.EXE,Location: Default,User Name: ally.ally,Domain Name: TEST,Local Port: 50827,Remote Port: 443,CIDS Signature ID: 31350,CIDS Signature string: Malicious Site: Malicious Domain Request 22,CIDS Signature SubID: 68276,Intrusion URL: https://ef9i0f3oev47.com,Intrusion Payload URL: ,SHA-256: C00D3779E15E5EC55CFC256768CEDE0BD4F4D5DD377EDD80956FE53D2F14B5DC,MD-5: ,Intensive Protection Level: N/A,URL Risk: N/A,URL Category: N/A'    
timestamp: 'Aug 16 10:08:12'    
hostname: 'serverAV'    
program_name: 'SymantecServer'
 **Phase 2: Completed decoding.    No decoder matched.
 **Phase 3: Completed filtering (rules).    
id: '1002'    
level: '2'    
description: 'Unknown problem somewhere in the system.'    
groups: '['syslog', 'errors']'    
firedtimes: '1'    
gpg13: '['4.3']'    
mail: 'False'

That means we could inherit from that (1002) rule, and that the timestamp is already a decoded field. Let me dive into that option while I wait for your answer.

From my side, I've been able to decode those logs with this custom decoder:
<decoder name="local_decoder_community">
   <program_name>SymantecServer</program_name>
   <!-- One capture group per name in <order>, in the same sequence. The IP groups accept the
        malformed "26..38" samples, and the MAC before the direction field may be hex (e.g. C4B36A7123C8),
        so it is matched with \w* rather than \d*. -->
   <regex type="pcre2" offset="after_prematch">(\w+-\w*-\w*-\w*),Event Description: (.*),Event Type:.*,Local Host IP: ([\d.]+),.*,Remote Host IP: ([\d.]+),.*MAC: \w*,(\w*),(TCP|UDP|OTHERS),.*Intrusion URL: (.*),Intrusion Payload URL: (.*),SHA-256: (\w*),MD-5</regex>
   <!-- The regex has 9 groups, so <order> needs 9 names; without IntrusionPayloadURL the (usually empty)
        payload URL would be stored as SHA256 and the real hash dropped. -->
   <order>computerName, EventDescription, LocalHostIP, RemoteHostIP, Inbound, Protocol, IntrusionURL, IntrusionPayloadURL, SHA256</order>
</decoder>


With wazuh-logtest:
**Phase 1: Completed pre-decoding.    full event: 'Aug 16 10:08:12 serverAV SymantecServer: Workstation-6B-D-06,Event Description: [SID: 31350] Malicious Site: Malicious Domain Request 22 attack blocked. Traffic has been blocked for this application: C:\PROGRAM FILES (X86)\GOOGLE\CHROME\APPLICATION\CHROME.EXE,Event Type: ,Local Host IP: 10.111.26.29,Local Host MAC: 000000000000,Remote Host Name: ,Remote Host IP: 192.243.61.227,Remote Host MAC: 000000000000,Inbound,TCP,,Begin: 2022-08-16 10:06:01,End Time: 2022-08-16 10:06:01,Occurrences: 1,Application: C:/PROGRAM FILES (X86)/GOOGLE/CHROME/APPLICATION/CHROME.EXE,Location: Default,User Name: ally.ally,Domain Name: TEST,Local Port: 50827,Remote Port: 443,CIDS Signature ID: 31350,CIDS Signature string: Malicious Site: Malicious Domain Request 22,CIDS Signature SubID: 68276,Intrusion URL: https://ef9i0f3oev47.com,Intrusion Payload URL: ,SHA-256: C00D3779E15E5EC55CFC256768CEDE0BD4F4D5DD377EDD80956FE53D2F14B5DC,MD-5: ,Intensive Protection Level: N/A,URL Risk: N/A,URL Category: N/A'    

timestamp: 'Aug 16 10:08:12'    
hostname: 'serverAV'    
program_name: 'SymantecServer' 

 **Phase 2: Completed decoding.    
name: 'local_decoder_community'    
EventDescription: '[SID: 31350] Malicious Site: Malicious Domain Request 22 attack blocked. Traffic has been blocked for this application: C:\PROGRAM FILES (X86)\GOOGLE\CHROME\APPLICATION\CHROME.EXE'    
Inboud: 'Inbound'    
IntrusionURL: 'https://ef9i0f3oev47.com'    
LocalHostIP: '10.111.26.29'    
Protocol: 'TCP'    
RemoteHostIP: '192.243.61.227'    
computerName: 'Workstation-6B-D-06' 

 **Phase 3: Completed filtering (rules).    
id: '1002'    
level: '2'    
description: 'Unknown problem somewhere in the system.'    
groups: '['syslog', 'errors']'    
firedtimes: '1'    
gpg13: '['4.3']'    
mail: 'False'
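
The decoder above extracts the fields, but the logtest output still ends in the generic syslog rule 1002 because no rule claims the decoder. The rules below are an added example, not part of the thread: they assume the decoder is installed under the name local_decoder_community (for instance in /var/ossec/etc/decoders/local_decoder.xml), that the rules go in /var/ossec/etc/rules/local_rules.xml, and that rule IDs 100200-100203 are free in the custom range (those IDs are an arbitrary choice). The level 0 parent with <decoded_as> takes precedence over rule 1002, so every decoded SEP event is routed to the children instead; the $(field) references in the descriptions and <same_field> require Wazuh 4.x.

```xml
<!-- Added example rules for the local_decoder_community decoder (not from the original thread).
     Rule IDs 100200-100203 are assumed free in the custom range 100000-120000. -->
<group name="symantec,sep,">

  <!-- Parent: any event decoded by the SEP decoder lands here first.
       Level 0 means no alert by itself; it only groups the children below. -->
  <rule id="100200" level="0">
    <decoded_as>local_decoder_community</decoded_as>
    <description>Symantec Endpoint Protection event grouped.</description>
  </rule>

  <!-- IPS signature hit, e.g. "[SID: 31350] Malicious Site: ... attack blocked".
       <field> matches against the decoded field, not the raw log. -->
  <rule id="100201" level="8">
    <if_sid>100200</if_sid>
    <field name="EventDescription">attack blocked</field>
    <description>SEP IPS: $(EventDescription) on $(computerName), remote $(RemoteHostIP), URL $(IntrusionURL)</description>
    <group>ids,attack,</group>
  </rule>

  <!-- Auto-block notice the client emits right after a hit
       ("The client will block traffic from IP address ... for the next 600 seconds"). -->
  <rule id="100202" level="5">
    <if_sid>100200</if_sid>
    <field name="EventDescription">^The client will block traffic from IP address</field>
    <description>SEP: $(computerName) is blocking traffic from $(RemoteHostIP) (protocol $(Protocol))</description>
    <group>ids,</group>
  </rule>

  <!-- Correlation: the same remote IP blocked five times within 10 minutes,
       regardless of which workstation reported it. -->
  <rule id="100203" level="10" frequency="5" timeframe="600">
    <if_matched_sid>100201</if_matched_sid>
    <same_field>RemoteHostIP</same_field>
    <description>SEP IPS: repeated blocked attacks from $(RemoteHostIP)</description>
    <group>ids,attack,multiple_attacks,</group>
  </rule>

</group>
```

After restarting wazuh-manager, feed one of the archived lines (the part starting at "Aug 16 10:08:12 serverAV SymantecServer: ...") to /var/ossec/bin/wazuh-logtest on stdin; Phase 3 should now report rule 100201 for the "attack blocked" events and 100202 for the "client will block traffic" events instead of 1002, and the alerts will carry the decoded fields into the Dashboard.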

chachab

Aug 22, 2022, 2:52:14 AM
to Wazuh mailing list
Thanks for the help. It is working fine.