JSON decoder not working as expected


Kpex

Mar 3, 2022, 9:39:34 AM
to Wazuh mailing list
Hi Guys,
I'm working with a log in JSON format, something like this:

full event: '{"timestamp":"2022-01-17T17:52:09.749+0100","agent":{"id":"000","name":"vm01"},"manager":{"name":"vm01"},"id":"1642438329.280612553","full_log":"Jan 17 17:52:09 xxxxxx json_host_lockdown -: {\"log_type\": \"host_lockdown\", \"id\": \"TEST\", \"action\": \"TSET\", \"reason\": \"TEST\", \"msg\": \"HOST SCORING\"}","predecoder":{"timestamp":"Jan 17 17:52:09","hostname":"xxxxxxxxxxx"},"decoder":{},"location":"192.168.203.50"}'

----- and this is my rule -----

<group name="vsyslog,">
  <rule id="117000" level="0">
    <decoded_as>json</decoded_as>
    <field name="location">192.168.203.50</field>
    <field name="predecoder.hostname">xxxxxxxxxxx</field>
    <description>v: Messages.</description>
  </rule>
  <rule id="117004" level="5">
    <if_sid>117000</if_sid>
    <field name="log_type">^host_lockdown$</field>
    <description>v: $(name)</description>
  </rule>
</group>

-------------------------------------------------------------------------------

But I cannot get into rule 117004.



2022-03-03 15:14:46,110 wazuh-logtest[INFO] **Phase 1: Completed pre-decoding.
2022-03-03 15:14:46,110 wazuh-logtest[INFO]     full event: '{"timestamp":"2022-01-17T17:52:09.749+0100","agent":{"id":"000","name":"vm01"},"manager":{"name":"vm01"},"id":"1642438329.280612553","full_log":"Jan 17 17:52:09 xxxxxxxxx json_host_lockdown -: {\"log_type\": \"host_lockdown\", \"id\": \"TEST\", \"action\": \"TSET\", \"reason\": \"TEST\", \"msg\": \"HOST SCORING\"}","predecoder":{"timestamp":"Jan 17 17:52:09","hostname":"xxxxxxxxx"},"decoder":{},"location":"192.168.203.50"}'
2022-03-03 15:14:46,110 wazuh-logtest[INFO]
2022-03-03 15:14:46,110 wazuh-logtest[INFO] **Phase 2: Completed decoding.
2022-03-03 15:14:46,110 wazuh-logtest[INFO]     name: 'json'
2022-03-03 15:14:46,111 wazuh-logtest[INFO]     agent.id: '000'
2022-03-03 15:14:46,111 wazuh-logtest[INFO]     agent.name: 'vm01'
2022-03-03 15:14:46,111 wazuh-logtest[INFO]     full_log: 'Jan 17 17:52:09 xxxxxxxxx json_host_lockdown -: {"log_type": "host_lockdown", "id": "TEST", "action": "TSET", "reason": "TEST", "msg": "HOST SCORING"}'
2022-03-03 15:14:46,111 wazuh-logtest[INFO]     id: '1642438329.280612553'
2022-03-03 15:14:46,111 wazuh-logtest[INFO]     location: '192.168.203.50'
2022-03-03 15:14:46,111 wazuh-logtest[INFO]     manager.name: 'vm01'
2022-03-03 15:14:46,111 wazuh-logtest[INFO]     predecoder.hostname: 'xxxxxxxxx'
2022-03-03 15:14:46,111 wazuh-logtest[INFO]     predecoder.timestamp: 'Jan 17 17:52:09'
2022-03-03 15:14:46,111 wazuh-logtest[INFO]     timestamp: '2022-01-17T17:52:09.749+0100'
2022-03-03 15:14:46,111 wazuh-logtest[INFO]
2022-03-03 15:14:46,111 wazuh-logtest[INFO] **Phase 3: Completed filtering (rules).
2022-03-03 15:14:46,111 wazuh-logtest[INFO]     id: '117000'
2022-03-03 15:14:46,111 wazuh-logtest[INFO]     level: '0'
2022-03-03 15:14:46,111 wazuh-logtest[INFO]     description: 'v:Messages.'
2022-03-03 15:14:46,111 wazuh-logtest[INFO]     groups: '['syslog']'
2022-03-03 15:14:46,111 wazuh-logtest[INFO]     firedtimes: '1'
2022-03-03 15:14:46,111 wazuh-logtest[INFO]     mail: 'False'



Could you suggest a solution?

Thanks

Christian Borla

Mar 3, 2022, 1:27:20 PM
to Wazuh mailing list

Hi Kpex
I hope you are doing fine!
Is the example log from the archive.json file? I guess yes, because it includes Wazuh information too, such as the predecoder and decoder fields.
The real log is the full_log section:


Jan 17 17:52:09 xxxxxxxxx json_host_lockdown -: {"log_type": "host_lockdown", "id": "TEST", "action": "TSET", "reason": "TEST", "msg": "HOST SCORING"}

It looks like a syslog-format message with JSON after "-:". I think it will be necessary to create a decoder too, to process the JSON section.

But if you want to make it work with your custom rules on the example log as it is, you can update the rule as follows.

  <rule id="117004" level="5">
    <if_sid>117000</if_sid>
    <match type="pcre2">\\"log_type\\":\s+\\"host_lockdown\\"</match>
    <description>v: $(name)</description>
  </rule>


In the match section the \\ are necessary to escape the quotes.

The log-test result is:

{"timestamp":"2022-01-17T17:52:09.749+0100","agent":{"id":"000","name":"vm01"},"manager":{"name":"vm01"},"id":"1642438329.280612553","full_log":"Jan 17 17:52:09 xxxxxx json_host_lockdown -: {\"log_type\": \"host_lockdown\", \"id\": \"TEST\", \"action\": \"TSET\", \"reason\": \"TEST\", \"msg\": \"HOST SCORING\"}","predecoder":{"timestamp":"Jan 17 17:52:09","hostname":"xxxxxxxxxxx"},"decoder":{},"location":"192.168.203.50"}

**Phase 1: Completed pre-decoding.

        full event: '{"timestamp":"2022-01-17T17:52:09.749+0100","agent":{"id":"000","name":"vm01"},"manager":{"name":"vm01"},"id":"1642438329.280612553","full_log":"Jan 17 17:52:09 xxxxxx json_host_lockdown -: {\"log_type\": \"host_lockdown\", \"id\": \"TEST\", \"action\": \"TSET\", \"reason\": \"TEST\", \"msg\": \"HOST SCORING\"}","predecoder":{"timestamp":"Jan 17 17:52:09","hostname":"xxxxxxxxxxx"},"decoder":{},"location":"192.168.203.50"}'

**Phase 2: Completed decoding.
        name: 'json'
        agent.id: '000'
        agent.name: 'vm01'
        full_log: 'Jan 17 17:52:09 xxxxxx json_host_lockdown -: {"log_type": "host_lockdown", "id": "TEST", "action": "TSET", "reason": "TEST", "msg": "HOST SCORING"}'
        id: '1642438329.280612553'
        location: '192.168.203.50'
        manager.name: 'vm01'
        predecoder.hostname: 'xxxxxxxxxxx'
        predecoder.timestamp: 'Jan 17 17:52:09'
        timestamp: '2022-01-17T17:52:09.749+0100'


**Phase 3: Completed filtering (rules).
        id: '117004'
        level: '5'
        description: 'v: '
        groups: '['local', 'syslog', 'sshd']'
        firedtimes: '1'
        mail: 'False'
**Alert to be generated.

It's working, but as I mentioned at the beginning, maybe it's not the correct example log.
Let me know if this information is useful to you.

Regards.
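To see concretely why rule 117004 never fires, and why the pcre2 match above works in logtest but would not on the live feed, here is an added example in Python (not from the thread and not Wazuh code). It emulates two pieces of the pipeline: the stock json decoder applied to an archives.json line (only top-level keys become fields, so log_type is never decoded), and the `<match>` regex from the reply run against both the archive line and the raw syslog line the host actually emits. The sample lines are constructed from the thread; `flatten`, `wazuh_json_fields`, `decode_embedded_json` and `field_matches` are illustrative helpers, not Wazuh APIs, and `<field>` is emulated with Python's `re` rather than Wazuh's own regex engine.

```python
import json
import re

# Constructed sample input from the thread: the line the host actually emits
# (syslog header, program name, then " -: " and a JSON payload).
RAW_SYSLOG = ('Jan 17 17:52:09 xxxxxxxxx json_host_lockdown -: '
              '{"log_type": "host_lockdown", "id": "TEST", "action": "TSET", '
              '"reason": "TEST", "msg": "HOST SCORING"}')

# The same event as Wazuh writes it to archives.json. full_log is a JSON string
# value, so every quote of the embedded payload is stored as \" on disk.
ARCHIVE_LINE = json.dumps({
    "timestamp": "2022-01-17T17:52:09.749+0100",
    "agent": {"id": "000", "name": "vm01"},
    "manager": {"name": "vm01"},
    "id": "1642438329.280612553",
    "full_log": RAW_SYSLOG,
    "predecoder": {"timestamp": "Jan 17 17:52:09", "hostname": "xxxxxxxxx"},
    "decoder": {},
    "location": "192.168.203.50",
})

# The <match type="pcre2"> from the reply. \\" is a literal backslash followed by
# a quote, so it only matches the escaped form found inside an archives.json line.
MATCH_PATTERN = re.compile(r'\\"log_type\\":\s+\\"host_lockdown\\"')


def match_rule(line: str) -> bool:
    """Emulate <match>: search the raw event text the rule engine sees."""
    return MATCH_PATTERN.search(line) is not None


def flatten(obj: dict, prefix: str = "") -> dict:
    """Flatten nested JSON into the dotted names wazuh-logtest prints (agent.id, ...)."""
    out = {}
    for key, value in obj.items():
        name = prefix + key
        if isinstance(value, dict):
            out.update(flatten(value, name + "."))
        else:
            out[name] = value
    return out


def wazuh_json_fields(line: str) -> dict:
    """What the stock json decoder yields when the whole line is JSON: top-level keys
    only. full_log stays an opaque string, so log_type never becomes a field."""
    return flatten(json.loads(line))


def decode_embedded_json(line: str) -> dict:
    """Split 'prefix -: {json}' and decode the payload, which is where log_type lives.
    This is the job a custom decoder has to do for the real syslog line."""
    prefix, sep, payload = line.partition(" -: ")
    if not sep:
        raise ValueError("no ' -: ' separator, not an embedded-JSON line")
    fields = flatten(json.loads(payload))
    fields["program_name"] = prefix.split()[-1]  # json_host_lockdown
    return fields


def field_matches(fields: dict, name: str, pattern: str) -> bool:
    """Emulate <field name="...">regex</field>: False when the field was never decoded."""
    value = fields.get(name)
    return value is not None and re.search(pattern, str(value)) is not None


if __name__ == "__main__":
    print("match on archive line:", match_rule(ARCHIVE_LINE))   # True
    print("match on raw syslog  :", match_rule(RAW_SYSLOG))     # False
    print("json decoder fields  :", sorted(wazuh_json_fields(ARCHIVE_LINE)))
    print("embedded payload     :", decode_embedded_json(RAW_SYSLOG))
```

The two results together explain the thread: `<field name="log_type">` can only match a field that some decoder produced, and the json decoder never produces it from this input; the `<match>` workaround fires in logtest only because the pasted archive line carries the backslash-escaped quotes, which the appliance's own output does not.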

Kpex

Mar 8, 2022, 6:15:15 AM
to Wazuh mailing list
Hello Christian,
the log I sent you was wrong.

The correct version of what my appliance sends is this:

swappliancename_json_v2 -: {"version": "6.16", "detection_id": 785, "category": "RECONNAISSANCE", "severity": 5.0, "threat": 50, "certainty": 95, "d_type": "rpc_recon_1to1", "d_type_vname": "RPC Targeted Recon", "triaged": false, "headend_addr": " ipappliance  ", "dvchost": " ipappliance  ", "href": "https://ipappliance/detections/785?detail_id=20693", "dd_dst_ip": "192.168.235.110", "dd_dst_port": 445, "dd_dst_dns": "", "dd_bytes_sent": null, "dd_bytes_rcvd": null, "host_name": "IP-192.168.234.250", "host_ip": "192.168.234.250", "dd_proto": "", " swappliancename_timestamp": "1646670737"}

So, in this case, maybe I need to create a decoder before creating a rule, don't I?

Could you help me?
Thanks.


Christian Borla

Mar 8, 2022, 4:33:44 PM
to Wazuh mailing list

Hi Kpex
I hope you are doing fine!

It would be easier if the full log were JSON, but to process the full log as you have it, it will be necessary to create some decoders. Add them to /var/ossec/etc/decoders/local_decoder.xml and restart the manager.

<decoder name="swappliancename_json">
    <prematch>swappliancename_json</prematch>
</decoder>

<decoder name="swappliancename_json">
  <parent>swappliancename_json</parent>
  <regex type="pcre2">(?i)"version":\s+\"([^"]*)\",\s+"detection_id":\s+([^,]*),\s+"category":\s+\"([^"]*)\",\s+"severity":\s+([^,]*),\s+"threat":\s+([^,]*),\s+"certainty":\s+([^,]*),\s+"d_type":\s+\"([^"]*)\",\s+"d_type_vname":\s+\"([^"]*)\",\s+"triaged":\s+false,\s+"headend_addr":\s+\"([^"]*)\",\s+"dvchost":\s+\"([^"]*)\",\s+"href":\s+\"([^"]*)\",\s+"dd_dst_ip":\s+\"([^"]*)\",\s+"dd_dst_port":\s+([^,]*),\s+"dd_dst_dns":\s+\"([^"]*)\",\s+"dd_bytes_sent":\s+null,\s+"dd_bytes_rcvd":\s+null,\s+"host_name":\s+\"([^"]*)\",\s+"host_ip":\s+\"([^"]*)\",\s+"dd_proto":\s+\"([^"]*)\",\s+"\s+swappliancename_timestamp":\s+\"([^"]*)\"</regex>
  <!-- One name per capture group, in regex order. triaged, dd_bytes_sent and
       dd_bytes_rcvd are matched literally (false/null) and never captured, so they
       must not be listed here or every field after them lands one name off. -->
  <order>version, detection_id, category, severity, threat, certainty, d_type, d_type_vname, headend_addr, dvchost, href, dd_dst_ip, dd_dst_port, dd_dst_dns, host_name, host_ip, dd_proto, swappliancename_timestamp</order>
</decoder>

I did a simple rule to trigger an alert.

  <rule id="100000" level="5">
    <decoded_as>swappliancename_json</decoded_as>
    <description>swappliancename_json alert triggered</description>
    <options>no_full_log</options>
  </rule>

log test result:

swappliancename_json_v2 -: {"version": "6.16", "detection_id": 785, "category": "RECONNAISSANCE", "severity": 5.0, "threat": 50, "certainty": 95, "d_type": "rpc_recon_1to1", "d_type_vname": "RPC Targeted Recon", "triaged": false, "headend_addr": " ipappliance  ", "dvchost": " ipappliance  ", "href": "https://ipappliance/detections/785?detail_id=20693", "dd_dst_ip": "192.168.235.110", "dd_dst_port": 445, "dd_dst_dns": "", "dd_bytes_sent": null, "dd_bytes_rcvd": null, "host_name": "IP-192.168.234.250", "host_ip": "192.168.234.250", "dd_proto": "", " swappliancename_timestamp": "1646670737"}

**Phase 1: Completed pre-decoding.

**Phase 2: Completed decoding.
        name: 'swappliancename_json'
        category: 'RECONNAISSANCE'
        certainty: '95'
        d_type: 'rpc_recon_1to1'
        d_type_vname: 'RPC Targeted Recon'
        dd_bytes_sent: '192.168.234.250'
        dd_dst_dns: 'IP-192.168.234.250'
        dd_dst_ip: '445'
        detection_id: '785'
        dvchost: 'https://ipappliance/detections/785?detail_id=20693'
        headend_addr: ' ipappliance  '
        host_name: '1646670737'
        href: '192.168.235.110'
        severity: '5.0'
        threat: '50'
        triaged: ' ipappliance  '
        version: '6.16'


**Phase 3: Completed filtering (rules).
        id: '100000'
        level: '5'
        description: 'swappliancename_json alert triggered'
        groups: '['local', 'syslog', 'sshd']'
        firedtimes: '1'
        mail: 'False'
**Alert to be generated.

Let me know if this information is useful to you.
Regards.
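The Phase 2 output above is a silent failure worth checking for: dd_dst_ip holds the port (445), host_name holds the epoch timestamp, and host_ip is missing altogether. The regex has 18 capture groups, but the order list that produced that output carried 21 names, because triaged, dd_bytes_sent and dd_bytes_rcvd are matched literally (false/null) and never captured; from the first uncaptured name onward every field takes its neighbour's value, so a rule keyed on dd_dst_ip would really be testing the port. The script below is an added example, not part of the thread and not Wazuh code: it loads a decoder element, counts capture groups with Python's `re` (assumed close enough to PCRE2 for these patterns; decoders without `type="pcre2"` are rejected), reproduces the shifted assignment on the sample line from the thread, and verifies the corrected order. The helper names (`load_decoder`, `group_count`, `decode`, `with_order`) are mine.

```python
import re
import xml.etree.ElementTree as ET

# Constructed input: the appliance line from the thread, verbatim (including the
# leading space inside the " swappliancename_timestamp" key).
SAMPLE_LOG = (
    'swappliancename_json_v2 -: {"version": "6.16", "detection_id": 785, '
    '"category": "RECONNAISSANCE", "severity": 5.0, "threat": 50, "certainty": 95, '
    '"d_type": "rpc_recon_1to1", "d_type_vname": "RPC Targeted Recon", "triaged": false, '
    '"headend_addr": " ipappliance  ", "dvchost": " ipappliance  ", '
    '"href": "https://ipappliance/detections/785?detail_id=20693", '
    '"dd_dst_ip": "192.168.235.110", "dd_dst_port": 445, "dd_dst_dns": "", '
    '"dd_bytes_sent": null, "dd_bytes_rcvd": null, "host_name": "IP-192.168.234.250", '
    '"host_ip": "192.168.234.250", "dd_proto": "", " swappliancename_timestamp": "1646670737"}'
)

# The child decoder with the 21-name <order> that produced the shifted logtest output.
POSTED_DECODER = r'''<decoder name="swappliancename_json">
  <parent>swappliancename_json</parent>
  <regex type="pcre2">(?i)"version":\s+\"([^"]*)\",\s+"detection_id":\s+([^,]*),\s+"category":\s+\"([^"]*)\",\s+"severity":\s+([^,]*),\s+"threat":\s+([^,]*),\s+"certainty":\s+([^,]*),\s+"d_type":\s+\"([^"]*)\",\s+"d_type_vname":\s+\"([^"]*)\",\s+"triaged":\s+false,\s+"headend_addr":\s+\"([^"]*)\",\s+"dvchost":\s+\"([^"]*)\",\s+"href":\s+\"([^"]*)\",\s+"dd_dst_ip":\s+\"([^"]*)\",\s+"dd_dst_port":\s+([^,]*),\s+"dd_dst_dns":\s+\"([^"]*)\",\s+"dd_bytes_sent":\s+null,\s+"dd_bytes_rcvd":\s+null,\s+"host_name":\s+\"([^"]*)\",\s+"host_ip":\s+\"([^"]*)\",\s+"dd_proto":\s+\"([^"]*)\",\s+"\s+swappliancename_timestamp":\s+\"([^"]*)\"</regex>
  <order>version, detection_id, category, severity, threat, certainty, d_type, d_type_vname, triaged, headend_addr, dvchost, href, dd_dst_ip, dd_dst_port, dd_dst_dns, dd_bytes_sent, dd_bytes_rcvd, host_name, host_ip, dd_proto, swappliancename_timestamp</order>
</decoder>'''

# Names the regex matches literally (false / null) and therefore never captures.
UNCAPTURED = {"triaged", "dd_bytes_sent", "dd_bytes_rcvd"}


def load_decoder(xml_text):
    """Return (compiled regex, order names) for one <decoder> element. Only
    type="pcre2" is handled; Python's re is used as a stand-in for PCRE2."""
    el = ET.fromstring(xml_text)
    regex = el.find("regex")
    if regex is None or regex.get("type") != "pcre2":
        raise ValueError('this checker only understands <regex type="pcre2">')
    order = [n.strip() for n in (el.findtext("order") or "").split(",") if n.strip()]
    return re.compile(regex.text), order


def group_count(xml_text):
    """(capture groups in <regex>, names in <order>); a sound decoder has them equal."""
    pattern, order = load_decoder(xml_text)
    return pattern.groups, len(order)


def decode(xml_text, log):
    """Assign capture i to order name i, as the decoder does. Names beyond the last
    capture stay unset, and every name after an uncaptured one holds its neighbour's value."""
    pattern, order = load_decoder(xml_text)
    match = pattern.search(log)
    return dict(zip(order, match.groups())) if match else None


def with_order(xml_text, order):
    """Rewrite <order> of a decoder, leaving its regex untouched."""
    el = ET.fromstring(xml_text)
    el.find("order").text = ", ".join(order)
    return ET.tostring(el, encoding="unicode")


# Corrected decoder: same regex, order reduced to the 18 names that are captured.
FIXED_DECODER = with_order(
    POSTED_DECODER, [n for n in load_decoder(POSTED_DECODER)[1] if n not in UNCAPTURED]
)

if __name__ == "__main__":
    for label, xml_text in (("posted", POSTED_DECODER), ("fixed", FIXED_DECODER)):
        groups, names = group_count(xml_text)
        print(f"{label}: {groups} capture groups, {names} order names")
        fields = decode(xml_text, SAMPLE_LOG)
        for name in ("dd_dst_ip", "dd_dst_port", "host_ip", "host_name", "swappliancename_timestamp"):
            print(f"  {name} = {fields.get(name)!r}")
```

Run this against any regex decoder with a long order list before restarting the manager: unequal counts mean shifted fields in every alert, and nothing in logtest flags it. Whether the installed Wazuh version lets `<plugin_decoder>JSON_Decoder</plugin_decoder>` start after a prematch on the `swappliancename_json_v2 -: ` prefix (which would replace the hand-written regex with real JSON parsing and remove this whole class of error) should be checked in the decoder syntax reference for that version; the script above does not depend on it.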