Problem with my decoder
107 views
Skip to first unread message
M G
Oct 10, 2023, 4:15:47 AM10/10/23
to Wazuh | Mailing List
Hello dear Wazuh Team
<prematch>^[**] [\d+:\d+:\d+] </prematch>a
<regex>^[**] [(\d+:\d+:\d+)] \.+ (\S+)\p*\d* -> </regex>
<regex>(\S+)|^[(\d+:\d+:\d+)] \.+ </regex>
<regex>(\S+)\p*\d* -> (\S+)</regex>
<order>id,srcip,dstip,extra_data</order>
<fts>name,id,srcip,dstip,extra_data</fts>
</decoder>
I have problem with edditing a decoder.
I take form from snort decoder and I want to add to this decoder message field
10/10/2023-09:19:37.160090 [**] [1:2200074:2] SURICATA TCPv4 invalid checksum [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 111.222.333.444:5555 -> 444.333.222.111:5555
I want have a bold text as a message (extra_data).
This is decoder
<decoder name="SSSSSSSSSSsnortblebleble">
<type>ids</type><prematch>^[**] [\d+:\d+:\d+] </prematch>a
<regex>^[**] [(\d+:\d+:\d+)] \.+ (\S+)\p*\d* -> </regex>
<regex>(\S+)|^[(\d+:\d+:\d+)] \.+ </regex>
<regex>(\S+)\p*\d* -> (\S+)</regex>
<order>id,srcip,dstip,extra_data</order>
<fts>name,id,srcip,dstip,extra_data</fts>
</decoder>
Can you help me ;)
Regards
Mateusz
M G
Oct 10, 2023, 10:18:08 AM10/10/23
to Wazuh | Mailing List
Hello again
<type>ids</type>
<prematch>^[**] [\d+:\d+:\d+] </prematch>
Now I have
<decoder name="Suricata_testy">
<type>ids</type>
<prematch>^[**] [\d+:\d+:\d+] </prematch>
<regex>^[**] [(\d+:\d+:\d+)]</regex>
<regex>\S+$({\w\w\w})</regex>
<regex>\S+</regex>
<order>id,extra_data,srcip,dstip</order>
<fts>name,id,srcip,dstip,extra_data</fts>
</decoder>
<regex>\S+$({\w\w\w})</regex>
<regex>\S+</regex>
<order>id,extra_data,srcip,dstip</order>
<fts>name,id,srcip,dstip,extra_data</fts>
</decoder>
Now i got extra_data and ID but I don't have informations about srcip and dstip.
Regards
Mateusz
Obinna Uchubilo
Oct 10, 2023, 4:10:56 PM10/10/23
to Wazuh | Mailing List
Hello Mateusz,
Thanks for using Wazuh!
Give me some time to check this out.
Thanks for using Wazuh!
Give me some time to check this out.
Regards
Obinna Uchubilo
Oct 12, 2023, 9:29:35 AM10/12/23
to Wazuh | Mailing List
Hello Mateusz,
Starting wazuh-logtest v4.5.3
Type one log per line
10/10/2023-09:19:37.160090 [**] [1:2200074:2] SURICATA TCPv4 invalid checksum [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 111.222.333.444:5555 -> 444.333.222.111:5555
Apologies for the late response.
Please add this custom decoder local_decoder.xml file
<decoder name="snort2">
<parent>snort</parent>
<regex offset="after_parent">^(\.+) {</regex>
<order>extra_data</order>
</decoder>
Please add this custom decoder local_decoder.xml file
<decoder name="snort2">
<parent>snort</parent>
<regex offset="after_parent">^(\.+) {</regex>
<order>extra_data</order>
</decoder>
Output of logtest
Starting wazuh-logtest v4.5.3
Type one log per line
10/10/2023-09:19:37.160090 [**] [1:2200074:2] SURICATA TCPv4 invalid checksum [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 111.222.333.444:5555 -> 444.333.222.111:5555
**Phase 1: Completed pre-decoding.
full event: '10/10/2023-09:19:37.160090 [**] [1:2200074:2] SURICATA TCPv4 invalid checksum [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 111.222.333.444:5555 -> 444.333.222.111:5555'
timestamp: '10/10/2023-09:19:37.160090'
**Phase 2: Completed decoding.
name: 'snort'
parent: 'snort'
dstip: '444.333.222.111:5555'
extra_data: 'SURICATA TCPv4 invalid checksum [**] [Classification: Generic Protocol Command Decode] [Priority: 3]'
id: '1:2200074:2'
srcip: '111.222.333.444'
**Phase 3: Completed filtering (rules).
id: '20100'
level: '8'
description: 'First time this IDS alert is generated.'
groups: '['ids', 'fts']'
firedtimes: '1'
mail: 'False'
**Alert to be generated.
full event: '10/10/2023-09:19:37.160090 [**] [1:2200074:2] SURICATA TCPv4 invalid checksum [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 111.222.333.444:5555 -> 444.333.222.111:5555'
timestamp: '10/10/2023-09:19:37.160090'
**Phase 2: Completed decoding.
name: 'snort'
parent: 'snort'
dstip: '444.333.222.111:5555'
extra_data: 'SURICATA TCPv4 invalid checksum [**] [Classification: Generic Protocol Command Decode] [Priority: 3]'
id: '1:2200074:2'
srcip: '111.222.333.444'
**Phase 3: Completed filtering (rules).
id: '20100'
level: '8'
description: 'First time this IDS alert is generated.'
groups: '['ids', 'fts']'
firedtimes: '1'
mail: 'False'
**Alert to be generated.
Regards
M G
Oct 19, 2023, 4:40:02 AM10/19/23
to Wazuh | Mailing List
Thank you very much ;)
Regards
Matuesz
Reply all
Reply to author
Forward
0 new messages