Wazuh Decoder and Rule Creation


bryan lai

Jun 8, 2023, 3:38:13 AM
to Wazuh mailing list
I have encountered a problem that I am unable to resolve on my own.

Based on the log entry below, it appears that my decoder is not functioning as expected:

09:58:07.360 INFO c.i.s.l.ActivityLogEventListener - SYNG_SYSLOG:10.10.17.123:LOGIN:SUPER22

The log indicates a successful login by the user "SUPER22". However, my decoder fails to properly parse and interpret this log entry, preventing me from effectively monitoring and responding to such events.

To address this issue, I have created a decoder named "c.i.s.l.ActivityLogEventListener" with the following code:

<decoder name="c.i.s.l.ActivityLogEventListener">
  <program_name>c.i.s.l.ActivityLogEventListener</program_name>
  <regex>SYNG_SYSLOG:(\d+.\d+.\d+.\d+):LOGIN:(\w+)</regex>
  <order>srcip, user</order>
</decoder>

Despite implementing this decoder, it is not functioning as intended. I have verified that the log entry matches the specified regular expression pattern, but the decoder fails to capture the necessary information, such as the source IP address and the username.

I am seeking your guidance on troubleshooting this decoder code. Could you please review the provided code and let me know if there are any issues or improvements that need to be made? I am eager to understand the problem and find a solution.

Kasim Mustapha

Jun 8, 2023, 8:21:46 AM
to Wazuh mailing list
Hello Bryan,

Thanks for reaching out.

A better way to write this code is as follows:

<!-- Parent decoder: anchors on the whole line, since there is no syslog header for program_name -->
<decoder name="c.i.s.l.ActivityLogEventListener">
    <prematch>^\d+:\d+:\d+\.\d+ \w+ \S+ - SYNG_SYSLOG:\d+\.\d+\.\d+\.\d+:LOGIN:\w+</prematch>
</decoder>

<!-- Child decoder: extracts the source IP and user into srcip and user -->
<!-- \. is a literal dot in Wazuh regex; an unescaped . matches any character -->
<decoder name="ActivityLogEventListener1">
    <parent>c.i.s.l.ActivityLogEventListener</parent>
    <regex>SYNG_SYSLOG:(\d+\.\d+\.\d+\.\d+):LOGIN:(\w+)</regex>
    <order>srcip, user</order>
</decoder>

I've tried and it worked as shown in the image below. I guess the issue is coming from the <program_name> you specified. The pre-decoding phase could not extract the program name from the input logs.

[attached image: Screenshot from 2023-06-08 13-19-22.png]
Let me know if this worked for you or if you have further questions.
Regards,
Kasim Mustapha

bryan lai

Jun 8, 2023, 10:30:02 PM
to Wazuh mailing list
Hello Kasim Mustapha,

Thank you so much, it works for me!

I still have another question. Despite creating a custom decoder and rules specifically for login success information, the count is not increasing as expected.
[attached image: Security_events_dashboard.PNG]

Is there any way to increase the "Authentication Success" count after the login success log is triggered?

Kasim Mustapha

Jun 9, 2023, 6:49:23 PM
to Wazuh mailing list
Hello Bryan,

Apologies for the late response.

You can use the <group> field in your rules to assign them to the authentication_success group.

<rule id="3904" level="3">
    <if_sid>3900</if_sid>
    <match>^LOGIN,</match>
    <description>Courier (imap/pop3) authentication success.</description>
    <mitre>
      <id>T1078</id>
    </mitre>
    <group>authentication_success,</group>
</rule>

I hope this helps. Let me know if you have further questions.
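Putting Kasim's two answers together, here is a complete decoder/rule pair for Bryan's log line. This is an added example written for this thread; it is not code from the thread itself or from the Wazuh ruleset. Wazuh's pre-decoder only fills program_name from a syslog-style header (date, host, program[pid]:), and this line starts with a bare time and a Java logger name, so the parent decoder anchors on the line itself instead of on <program_name>. The child decoder name, the rule id 100100 (inside the 100000+ range Wazuh reserves for custom rules), the group name "activitylog" and the file paths are choices made here, not values from the thread:

```xml
<!-- /var/ossec/etc/decoders/local_decoder.xml -->

<!-- Parent decoder: matches the line layout
     "09:58:07.360 INFO c.i.s.l.ActivityLogEventListener - SYNG_SYSLOG:..."
     \. is a literal dot in Wazuh regex; a bare . would match any character. -->
<decoder name="c.i.s.l.ActivityLogEventListener">
  <prematch>^\d+:\d+:\d+\.\d+ \w+ c\.i\.s\.l\.ActivityLogEventListener - SYNG_SYSLOG:</prematch>
</decoder>

<!-- Child decoder (name chosen for this example): continues right after the
     prematch, so the remainder is "10.10.17.123:LOGIN:SUPER22" -->
<decoder name="ActivityLogEventListener-login">
  <parent>c.i.s.l.ActivityLogEventListener</parent>
  <regex offset="after_prematch">^(\d+\.\d+\.\d+\.\d+):LOGIN:(\w+)</regex>
  <order>srcip, user</order>
</decoder>

<!-- /var/ossec/etc/rules/local_rules.xml -->

<!-- Rules must live inside a <group>; "activitylog" is a name chosen here -->
<group name="activitylog,">
  <!-- 100100 is in the custom-rule id range (100000 and up) -->
  <rule id="100100" level="3">
    <!-- decoded_as refers to the parent decoder's name -->
    <decoded_as>c.i.s.l.ActivityLogEventListener</decoded_as>
    <!-- only fire when the child decoder actually captured a user -->
    <field name="user">\w+</field>
    <description>ActivityLog: successful login for user $(user) from $(srcip).</description>
    <mitre>
      <id>T1078</id>
    </mitre>
    <!-- the group the dashboard's "Authentication success" panel counts on -->
    <group>authentication_success,</group>
  </rule>
</group>
```

After saving both files, restart the manager (systemctl restart wazuh-manager) and paste the original line into /var/ossec/bin/wazuh-logtest: the output should show the parent decoder name, srcip 10.10.17.123, user SUPER22, and rule 100100 with groups activitylog and authentication_success. Only alerts carrying that group feed the "Authentication success" count, which is the point Kasim's answer makes; a rule that decodes the login but omits the <group> line produces an alert that the panel does not count.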