Custom decoder field Padding


Rhys Evans

Feb 5, 2019, 5:55:44 AM
to Wazuh mailing list
Hi

OK, I am looking to add some custom decoders to "enrich" some of the returned logs. These decoders would require an OR within them, due to logging differences. Due to these differences some "padding" may need to be done.


<decoder name="pix-fw14">
  <parent>pix-2</parent>
  <type>firewall</type>
  <prematch offset="after_parent">^3-305006</prematch>
  <regex offset="after_parent">(\S+): </regex>
  <regex>(\w+) translation creation failed for (\w+) src (\S+):(\S+)\s+dst (\S+):(\S+)\s+\(type (\d+), code (\d+)\)|</regex>
  <regex>(\S+): (\w+) translation creation failed for (\w+) src (\S+):(\S+)/(\d+) dst (\S+):(\S+)/(\d+)</regex>
  <order>id, type, protocol, srcint, srcip, srcport, dstint, dstip ,dstport, icmptype, icmpcode</order>
</decoder>

Test Logs

%ASA-3-305006: regular translation creation failed for icmp src VoIP:192.168.5.74 dst outside:1.1.1.1 (type 3, code 3)
%ASA-3-305006: regular translation creation failed for icmp src inside-192.168.5.x:192.168.5.2 dst outside:1.1.1.1  (type 3, code 3)
%ASA-3-305006: portmap translation creation failed for tcp src inside-192.168.5.x:192.168.5.2/342 dst outside:1.1.1.1/443 

Working result, catching the last regex:

%ASA-3-305006: portmap translation creation failed for tcp src inside-192.168.5.x:192.168.5.2/342 dst outside:1.1.1.1/443


**Phase 1: Completed pre-decoding.
       full event: '%ASA-3-305006: portmap translation creation failed for tcp src inside-192.168.5.x:192.168.5.2/342 dst outside:1.1.1.1/443'
       timestamp: '(null)'
       hostname: 'wazuh'
       program_name: '(null)'
       log: '%ASA-3-305006: portmap translation creation failed for tcp src inside-192.168.5.x:192.168.5.2/342 dst outside:1.1.1.1/443'

**Phase 2: Completed decoding.
       decoder: 'pix-2'
       id: '3-305006'
       type: 'portmap'
       protocol: 'tcp'
       srcint: 'inside-192.168.5.x'
       srcip: '192.168.5.2'
       srcport: '342'
       dstint: 'outside'
       dstip: '1.1.1.1'
       dstport: '443'

**Phase 3: Completed filtering (rules).
       Rule id: '4100'
       Level: '0'
       Description: 'Firewall rules grouped.'


Result catching the first regex - fields are in the wrong place:

%ASA-3-305006: regular translation creation failed for icmp src inside-192.168.5.x:192.168.5.2 dst outside:1.1.1.1  (type 3, code 3)


**Phase 1: Completed pre-decoding.
       full event: '%ASA-3-305006: regular translation creation failed for icmp src inside-192.168.5.x:192.168.5.2 dst outside:1.1.1.1  (type 3, code 3)'
       timestamp: '(null)'
       hostname: 'wazuh'
       program_name: '(null)'
       log: '%ASA-3-305006: regular translation creation failed for icmp src inside-192.168.5.x:192.168.5.2 dst outside:1.1.1.1  (type 3, code 3)'

**Phase 2: Completed decoding.
       decoder: 'pix-2'
       id: '3-305006'
       type: 'regular'
       protocol: 'icmp'
       srcint: 'inside-192.168.5.x'
       srcip: '192.168.5.2'
       srcport: 'outside'
       dstint: '1.1.1.1'
       dstip: '3'
       dstport: '3'

**Phase 3: Completed filtering (rules).
       Rule id: '4100'
       Level: '0'
       Description: 'Firewall rules grouped.'



Now the "obvious" (in my opinion) option would be to change the decoder to something like this, with () around the \s+ to try to "shift" the fields by catching the spaces as "values" (so srcport and dstport end up as "spaces"):

<decoder name="pix-fw14">
  <parent>pix-2</parent>
  <type>firewall</type>
  <prematch offset="after_parent">^3-305006</prematch>
  <regex offset="after_parent">(\S+): </regex>
  <regex>(\w+) translation creation failed for (\w+) src (\S+):(\S+)(\s+)dst (\S+):(\S+)(\s+)\(type (\d+), code (\d+)\)|</regex>
  <regex>(\S+): (\w+) translation creation failed for (\w+) src (\S+):(\S+)/(\d+) dst (\S+):(\S+)/(\d+)</regex>
  <order>id, type, protocol, srcint, srcip, srcport, dstint, dstip ,dstport, icmptype, icmpcode</order>
</decoder>

However, the result now ends up like this:


%ASA-3-305006: regular translation creation failed for icmp src inside-192.168.5.x:192.168.5.2 dst outside:1.1.1.1  (type 3, code 3)


**Phase 1: Completed pre-decoding.
       full event: '%ASA-3-305006: regular translation creation failed for icmp src inside-192.168.5.x:192.168.5.2 dst outside:1.1.1.1  (type 3, code 3)'
       timestamp: '(null)'
       hostname: 'wazuh'
       program_name: '(null)'
       log: '%ASA-3-305006: regular translation creation failed for icmp src inside-192.168.5.x:192.168.5.2 dst outside:1.1.1.1  (type 3, code 3)'

**Phase 2: Completed decoding.
       decoder: 'pix-2'

**Phase 3: Completed filtering (rules).
       Rule id: '4100'
       Level: '0'
       Description: 'Firewall rules grouped.'


Any idea on how to achieve this decoding?


Any help is appreciated

Thanks



Victor Fernandez

Feb 8, 2019, 4:26:52 AM
to Rhys Evans, Wazuh mailing list
Hi Rhys,

Only as a suggestion, you may want to use multi-regex decoders so that you can develop one regex per pattern.

Example:
<decoder name="pix-fw14">
  <parent>pix-2</parent>
  <type>firewall</type>
  <regex offset="after_parent">(\S+): (\w+) translation creation failed for (\w+) src (\S+):(\S+)\s+dst (\S+):(\S+)\s+\(type (\d+), code (\d+)\)</regex>
  <order>id, type, protocol, srcint, srcip, srcport, dstint, dstip ,dstport, icmptype, icmpcode</order>
</decoder>

<decoder name="pix-fw14">
  <parent>pix-2</parent>
  <type>firewall</type>
  <regex offset="after_parent">(\S+): </regex>
  <regex>(\S+): (\w+) translation creation failed for (\w+) src (\S+):(\S+)/(\d+) dst (\S+):(\S+)/(\d+)</regex>
  <order>id, type, protocol, srcint, srcip, srcport, dstint, dstip ,dstport, icmptype, icmpcode</order>
</decoder>
There are two conditions: multi-regex decoders must have a parent and must not have a prematch.

I see you have more ordered fields than groups in the regexes, so you may want to remove some of them, I'm not sure how you want to extract them.

For instance, in this log:
%ASA-3-305006: regular translation creation failed for icmp src inside-192.168.5.x:192.168.5.2 dst outside:1.1.1.1  (type 3, code 3)
srcint is extracted as "inside-192.168.5.x", maybe it's interesting to split them with a "-" separator.

Hope this helps you. Let us know if you need further help with this decoder.

Best regards. 

Victor Manuel Fernandez-Castro 
Core Engineering | vic...@wazuh.com



Rhys Evans

Feb 9, 2019, 4:18:38 AM
to Victor Fernandez, Wazuh mailing list
Hi

thanks

I have updated my decoders to look like

```
<decoder name="pix-fw14">
  <parent>pix-2</parent>
  <type>firewall</type>
  <regex offset="after_parent">(\S+): (\w+) translation creation failed for (\w+) src (\S+):(\S+)\s+dst (\S+):(\S+)\s+\(type (\d+), code (\d+)\)</regex>
  <order>id, type, protocol, srcint, srcip, dstint, dstip, icmptype, icmpcode</order>
</decoder>

<decoder name="pix-fw14">
  <parent>pix-2</parent>
  <type>firewall</type>
  <regex offset="after_parent">(\S+): (\w+) translation creation failed for (\w+) src (\S+):(\S+)/(\d+) dst (\S+):(\S+)/(\d+)</regex>
  <order>id, type, protocol, srcint, srcip, srcport, dstint, dstip, dstport</order>
</decoder>
```

and this seems to work as expected.

I will work through a few more, then post my pix decoder file.

I have one question around the decoder name: in this instance, should they be the same or different?


Thanks


Victor Fernandez

Feb 9, 2019, 4:27:32 PM
to Rhys Evans, Wazuh mailing list
Hi Rhys,

You're welcome. Happy to help.

Regarding your question, multi-regex decoders are a facility to extract complex data through simple decoders. They must:
  1. Have the same name.
  2. Be children of the same parent, and,
  3. Not have a pre-match, since all of them will be guessed.
We can call them "sibling decoders". This is not well documented, we will work to explain this in the documentation.

Hope this answers your question.

Best,

Victor Manuel Fernandez-Castro 
Core Engineering | vic...@wazuh.com

Rhys Evans

Feb 11, 2019, 7:14:05 AM
to Victor Fernandez, Wazuh mailing list
OK, I have a question about these decoders, as I am having issues with multiple ones in the config.

Essentially I am getting only the top decoder hit, if I have more than one.

So I have the following logs:

%ASA-4-106023: Deny icmp src textint:10.240.0.0 dst test-10.10.25.x:10.10.25.31 (type 8, code 0) by access-group "global_access" [0x0, 0x0]
%PIX-4-106023: Deny udp src inside:192.168.15.1/60476 dst outside:10.10.25.31/389 by access-group "inside_in" [0x37984de, 0x0]
%ASA-4-106023: Deny tcp src outside:10.10.25.31/49926 dst Z5-192.168.5.x:192.168.5.12/445 by access-group "outside_in" [0x2c1465, 0x0]
%ASA-3-305006: portmap translation creation failed for tcp src inside:192.168.15.11/1470 dst outside:192.168.15.249/53314
%ASA-3-305006: regular translation creation failed for icmp src inside:192.168.5.74 dst outside:1.1.1.1 (type 3, code 3)

and the following decoder setup (subset of the entire file); pix-fw101 is a replacement for the default fw3 one:

```
<decoder name="pix-fw100">
  <parent>pix-2</parent>
  <type>firewall</type>
  <regex offset="after_parent">(\S+): (\w+) translation creation failed for (\w+) src (\S+):(\S+)\s+dst (\S+):(\S+)\s+\(type (\d+), code (\d+)\)</regex>
  <order>id, type, protocol, srcint, srcip, dstint, dstip, icmptype, icmpcode</order>
</decoder>

<decoder name="pix-fw100">
  <parent>pix-2</parent>
  <type>firewall</type>
  <regex offset="after_parent">(\S+): (\w+) translation creation failed for (\w+) src (\S+):(\S+)/(\d+) dst (\S+):(\S+)/(\d+)</regex>
  <order>id, type, protocol, srcint, srcip, srcport, dstint, dstip ,dstport</order>
</decoder>

<decoder name="pix-fw101">
  <parent>pix-2</parent>
  <type>firewall</type>
  <regex offset="after_parent">^(\S+): (\w+) (\w+) src (\S+):(\S+)/(\S+) dst (\S+):(\S+)/(\S+) by access-group "(\S+)"</regex>
  <order>id, action, protocol, srcint, srcip, srcport, dstint, dstip, dstport, acl</order>
</decoder>

<decoder name="pix-fw101">
  <parent>pix-2</parent>
  <type>firewall</type>
  <regex offset="after_parent">^(\S+): (\w+) (\w+) src (\S+):(\S+) dst (\S+):(\S+) \(type (\d+), code (\d+)\) by access-group "(\S+)"</regex>
  <order>id, action, protocol, srcint, srcip, dstint, dstip, icmptype, icmpcode, acl</order>
</decoder>
```

All these are doing is trying to distinguish between a tcp/udp hit and an icmp hit (icmp having type and code information).

Now, with the rules in the order above, I never get any hits on pix-fw101. If I swap them around, I don't get hits on pix-fw100.

So this seems to be acting as a "catch all" rather than an "if it doesn't match, carry on"?

Any help is appreciated

Thanks





Victor Fernandez

Feb 20, 2019, 4:24:58 PM
to Rhys Evans, Wazuh mailing list
Hi Rhys,

Sorry for the late reply. You need a selector: <prematch>, <program_name> or both, for each child.

Selectors drive the decoder choice: Wazuh must select one decoder: "pix-2", "pix-fw100" or "pix-fw101". We use <prematch> or <program_name> to choose the correct one. Once Wazuh selected a decoder, it will execute the regex and extract the items into the fields defined by <order>. If you defined multiple sibling decoder items (with the same name), Wazuh will try to execute all their regexes.

You must use <prematch> or <program_name> in the parent decoder (or you'll get an error). If child decoders are defined, Wazuh will choose the first one that matches <prematch> and <program_name> (if defined), or the first decoder with no <prematch> or <program_name> defined.

This image illustrates this behavior:

[attached image: Untitled Diagram.png]

If none of the child decoders is selected, then Wazuh will execute the regex of the parent decoder (if defined).

Hope it helps,
Best regards,

Victor Manuel Fernandez-Castro 
Core Engineering | vic...@wazuh.com
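
Editor's note: the following is an added example, not code from the thread and not Wazuh's own implementation. It is a small Python model of the selection rules Victor lays out in his two replies above (sibling decoders that share a name and are children of the same parent, and a <prematch>/<program_name> selector per child), run over Rhys's four pix-fw100/pix-fw101 children and the log lines he posted, once without selectors and once with a prematch per child. Assumptions: Python's re stands in for Wazuh's OSRegex (the patterns on this page use only constructs both understand, so results may differ for other patterns); the parent pix-2 is modelled as a prematch that consumes the %ASA-/%PIX-/%FWSM- prefix, which is what the `id: '3-305006'` in the logtest output implies for offset="after_parent"; sibling regexes are tried in file order and the first match fills the fields; the icmp <order> lists name the nine groups their regex actually captures (id, type, protocol, srcint, srcip, dstint, dstip, icmptype, icmpcode); and the names `Decoder`, `children` and `decode` are this example's own.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class Decoder:
    """One <decoder> child of pix-2: its <prematch> selector, <regex> and <order>."""
    name: str
    regex: str
    order: List[str]
    prematch: Optional[str] = None  # None models a child with no <prematch>/<program_name>


# Assumed stand-in for the parent "pix-2" prematch: it has to consume "%ASA-" so that
# offset="after_parent" leaves "3-305006: ..." for the children, as the logtest output shows.
PIX2_PREMATCH = re.compile(r"^%(?:ASA|PIX|FWSM)-")

# Regexes taken from the thread; Python's re stands in for Wazuh's OSRegex here.
XLATE_ICMP = (r"(\S+): (\w+) translation creation failed for (\w+) src (\S+):(\S+)\s+dst "
              r"(\S+):(\S+)\s+\(type (\d+), code (\d+)\)")
XLATE_PORT = (r"(\S+): (\w+) translation creation failed for (\w+) src (\S+):(\S+)/(\d+) dst "
              r"(\S+):(\S+)/(\d+)")
DENY_PORT = (r"^(\S+): (\w+) (\w+) src (\S+):(\S+)/(\S+) dst (\S+):(\S+)/(\S+) "
             r'by access-group "(\S+)"')
DENY_ICMP = (r"^(\S+): (\w+) (\w+) src (\S+):(\S+) dst (\S+):(\S+) \(type (\d+), code (\d+)\) "
             r'by access-group "(\S+)"')
# <order> lists: one field name per capture group (9, 9, 10 and 10 groups respectively).
XLATE_ICMP_ORDER = ["id", "type", "protocol", "srcint", "srcip", "dstint", "dstip", "icmptype", "icmpcode"]
XLATE_PORT_ORDER = ["id", "type", "protocol", "srcint", "srcip", "srcport", "dstint", "dstip", "dstport"]
DENY_PORT_ORDER = ["id", "action", "protocol", "srcint", "srcip", "srcport", "dstint", "dstip", "dstport", "acl"]
DENY_ICMP_ORDER = ["id", "action", "protocol", "srcint", "srcip", "dstint", "dstip", "icmptype", "icmpcode", "acl"]


def children(with_selectors: bool) -> List[Decoder]:
    """The four children from the thread in file order, optionally with a prematch per child
    (modelling <prematch offset="after_parent">^3-305006</prematch> and ^4-106023)."""
    sel100 = r"^3-305006" if with_selectors else None
    sel101 = r"^4-106023" if with_selectors else None
    return [
        Decoder("pix-fw100", XLATE_ICMP, XLATE_ICMP_ORDER, sel100),
        Decoder("pix-fw100", XLATE_PORT, XLATE_PORT_ORDER, sel100),
        Decoder("pix-fw101", DENY_PORT, DENY_PORT_ORDER, sel101),
        Decoder("pix-fw101", DENY_ICMP, DENY_ICMP_ORDER, sel101),
    ]


def decode(log: str, decoders: List[Decoder]) -> Tuple[str, Dict[str, str]]:
    """Selection rules as described in the thread (a model, not Wazuh's implementation):
    1. the parent prematch must match; children see the text after it (offset="after_parent");
    2. the first child whose prematch matches is selected, otherwise the first child without
       any prematch, so with no selectors the first child in the file is a catch-all;
    3. every sibling carrying the selected name has its regex tried in order, and the first
       match fills the fields named in its <order>.
    Returns (selected child name, fields); logtest itself prints the parent's name, "pix-2".
    """
    parent = PIX2_PREMATCH.match(log)
    if parent is None:
        return "", {}
    rest = log[parent.end():]
    selected = next((d for d in decoders if d.prematch is None or re.match(d.prematch, rest)), None)
    if selected is None:
        return "pix-2", {}
    for sibling in (d for d in decoders if d.name == selected.name):
        m = re.match(sibling.regex, rest)
        if m is None:
            continue
        if len(sibling.order) != len(m.groups()):  # the fields-vs-groups mismatch Victor flagged
            raise ValueError(f"{sibling.name}: {len(sibling.order)} fields for {len(m.groups())} groups")
        return sibling.name, dict(zip(sibling.order, m.groups()))
    return selected.name, {}


# Sample lines copied from the ones posted in the thread (constructed test input).
DENY_LINE = ('%PIX-4-106023: Deny udp src inside:192.168.15.1/60476 dst outside:10.10.25.31/389 '
             'by access-group "inside_in" [0x37984de, 0x0]')
ICMP_DENY_LINE = ('%ASA-4-106023: Deny icmp src textint:10.240.0.0 dst test-10.10.25.x:10.10.25.31 '
                  '(type 8, code 0) by access-group "global_access" [0x0, 0x0]')
XLATE_LINE = ('%ASA-3-305006: regular translation creation failed for icmp src inside:192.168.5.74 '
              'dst outside:1.1.1.1 (type 3, code 3)')

if __name__ == "__main__":
    for label, with_sel in (("no selectors", False), ("prematch per child", True)):
        for line in (DENY_LINE, ICMP_DENY_LINE, XLATE_LINE):
            name, fields = decode(line, children(with_sel))
            print(f"{label:20} {name:10} {fields}")
```

Without selectors, rule 2 makes the first pix-fw100 block the catch-all for every pix-2 event, so only the pix-fw100 sibling regexes ever run and a 106023 line comes back with no fields; swapping the blocks in the file swaps which name wins, which is exactly the behaviour Rhys describes. With a prematch per child the 106023 lines reach pix-fw101 and decode. The equivalent XML change is the `<prematch offset="after_parent">^3-305006</prematch>` line that Rhys's first decoder already used, plus `^4-106023` on each pix-fw101 child; the fields-vs-groups check in `decode` is worth keeping in mind because a silent mismatch is how "srcport" ends up holding an interface name, and the real engine should be confirmed with the logtest tool that produced the Phase 1/2/3 output above rather than with this model.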

Rhys Evans

Feb 21, 2019, 3:00:07 AM
to Victor Fernandez, Wazuh mailing list
Hi

no worries and thanks for coming back.

I managed to work around my issue by combining the 100 and 101 decoders into one larger 100 decoder.

I have attached my full custom pix decoder file as it is so far (the rules are unchanged, other than looking for pix-2). It is still a work in progress (and can be done more efficiently, etc.) but seems to be working initially for us in the testing stage.

Thanks

Attachment: 0059-pix-2_decoders.xml