Help with decoder for Aruba Clearpass


Luiz Farah

Mar 7, 2024, 9:03:25 AM
to Wazuh | Mailing List
Hi,
Could you help me create an Aruba Clearpass log decoder? It's my first decoder. Sorry.
I have an example of the log I'm capturing here:
Thanks!!!


10:41:51.105848 IP 10.1.200.205.48015 > 10.1.1.198.514: SYSLOG local0.debug, length: 529
E..-'.@.@.3)
...
...........<135>2024-03-07 10:41:51,99 10.1.200.205 Syslog 2185593 1 0 Common.Username=x...@gmail.com,Common.Service=SVC-WLAN-PORTAL_MAC-AUTH,Common.Roles=RL-VISITANTE, [User Authenticated],RADIUS.Auth-Source=Local:localhost,RADIUS.Auth-Method=MAC-AUTH,Common.System-Posture-Token=UNKNOWN,Common.Enforcement-Profiles=PRF-ACCESS_VISITANTE, PRF-UPDATE_ENDPOINT_USERNAME, PRF-SESSION_TIMEOUT-24Hrs,Common.Host-MAC-Address=1234aae94e6a,Common.NAS-IP-Address=10.10.254.60,Common.Error-Code=0,Common.Request-Timestamp=2024-03-07 10:41:46-03

10:41:51.105851 IP 10.1.200.205.48015 > 10.1.1.198.514: SYSLOG local0.debug, length: 534
E..2'.@.@.3#
...
.........Nm<135>2024-03-07 10:41:51,99 10.1.200.205 Syslog 2185594 1 0 Common.Username=xxxxx...@gmail.com,Common.Service=SVC-WLAN-PORTAL_MAC-AUTH,Common.Roles=RL-VISITANTE, [User Authenticated],RADIUS.Auth-Source=Local:localhost,RADIUS.Auth-Method=MAC-AUTH,Common.System-Posture-Token=UNKNOWN,Common.Enforcement-Profiles=PRF-ACCESS_VISITANTE, PRF-UPDATE_ENDPOINT_USERNAME, PRF-SESSION_TIMEOUT-24Hrs,Common.Host-MAC-Address=432106ff346e,Common.NAS-IP-Address=10.21.254.200,Common.Error-Code=0,Common.Request-Timestamp=2024-03-07 10:40:37-03

10:41:51.105860 IP 10.1.200.205.48015 > 10.1.1.198.514: SYSLOG local0.debug, length: 483
E...'.@.@.3T
...
..........f<135>2024-03-07 10:41:51,99 10.1.200.205 Syslog 2185596 1 0 Common.Username=erick...@xxxx.br,Common.Service=SVC-WIRELESS_DOT1X-CORP,Common.Roles=RL-CORPORATIVO, [User Authenticated],RADIUS.Auth-Source=AD:xxxx.br,RADIUS.Auth-Method=EAP-PEAP,EAP-MSCHAPv2,Common.System-Posture-Token=UNKNOWN,Common.Enforcement-Profiles=PRF-ACCESS_CORPORATIVO,Common.Host-MAC-Address=d288eb2e1234,Common.NAS-IP-Address=10.10.254.60,Common.Error-Code=0,Common.Request-Timestamp=2024-03-07 10:41:43-03

Diego Gustavo Oliva

Mar 7, 2024, 10:53:01 AM
to Wazuh | Mailing List
Hello Luiz,

No need to apologize, we are happy to help you with the decoder.
Please allow me some time to work on it and I will be providing the resulting decoder very soon.


Thanks,
[Wazuh] Diego.-

Diego Gustavo Oliva

Mar 7, 2024, 1:23:14 PM
to Wazuh | Mailing List
Dear Luiz,

I have prepared the below decoder for you. I need to remark that I have processed your log as a single line.
In your sample log, there are different lines, I would need a single-line sample log to make the decoder accurate.
Please make sure you share the log exactly as you receive it in the log file.

In case your log is multi-line we would need to make some adjustments.

You can follow the below steps for one-liner log decoding:

1) I created ArubaClearpass.xml under folder /var/ossec/etc/decoders

[root@wazuh-manager decoders]# vi ArubaClearpass.xml

>>> paste following contents <<<

<!--SAMPLE LOG:
10:41:51.105848 IP 10.1.200.205.48015 > 10.1.1.198.514: SYSLOG local0.debug, length: 529E..-'.@.@.3)..............<135>2024-03-07 10:41:51,99 10.1.200.205 Syslog 2185593 1 0 Common.Username=x...@gmail.com,Common.Service=SVC-WLAN-PORTAL_MAC-AUTH,Common.Roles=RL-VISITANTE, [User Authenticated],RADIUS.Auth-Source=Local:localhost,RADIUS.Auth-Method=MAC-AUTH,Common.System-Posture-Token=UNKNOWN,Common.Enforcement-Profiles=PRF-ACCESS_VISITANTE, PRF-UPDATE_ENDPOINT_USERNAME, PRF-SESSION_TIMEOUT-24Hrs,Common.Host-MAC-Address=1234aae94e6a,Common.NAS-IP-Address=10.10.254.60,Common.Error-Code=0,Common.Request-Timestamp=2024-03-07 10:41:46-03
-->

<decoder name="ArubaClearpass">
  <prematch>^\d+:\d+:\d+.\d+ IP</prematch>
</decoder>

<decoder name="ArubaClearpass_child">
  <parent>ArubaClearpass</parent>
  <regex>^\d+:\d+:\d+.\d+ IP (\d+.\d+.\d+.\d+).\d+ > (\d+.\d+.\d+.\d+).\d+: SYSLOG</regex>
  <order>log.source.ip, log.destination.ip</order>
</decoder>

>>> save and quit <<<

2) Including the sample log in the same decoder file is good practice. That way you can watch the sample log while building the decoder part by part.

3) In the provided decoder we are capturing the fields inside (), which in this case are log.source.ip and log.destination.ip
You can capture more data by adding more () in the "regex" and adding new fields in the "order" section.

4) You can refer to this guide for detailed information on the decoder syntax:
https://documentation.wazuh.com/current/user-manual/ruleset/ruleset-xml-syntax/decoders.html

5) This is how decoding looks when using /var/ossec/bin/wazuh-logtest tool:

[root@wazuh-manager decoders]# /var/ossec/bin/wazuh-logtest
Starting wazuh-logtest v4.7.2
Type one log per line


10:41:51.105848 IP 10.1.200.205.48015 > 10.1.1.198.514: SYSLOG local0.debug, length: 529E..-'.@.@.3)..............<135>2024-03-07 10:41:51,99 10.1.200.205 Syslog 2185593 1 0 Common.Username=x...@gmail.com,Common.Service=SVC-WLAN-PORTAL_MAC-AUTH,Common.Roles=RL-VISITANTE, [User Authenticated],RADIUS.Auth-Source=Local:localhost,RADIUS.Auth-Method=MAC-AUTH,Common.System-Posture-Token=UNKNOWN,Common.Enforcement-Profiles=PRF-ACCESS_VISITANTE, PRF-UPDATE_ENDPOINT_USERNAME, PRF-SESSION_TIMEOUT-24Hrs,Common.Host-MAC-Address=1234aae94e6a,Common.NAS-IP-Address=10.10.254.60,Common.Error-Code=0,Common.Request-Timestamp=2024-03-07 10:41:46-03

**Phase 1: Completed pre-decoding.
        full event: '10:41:51.105848 IP 10.1.200.205.48015 > 10.1.1.198.514: SYSLOG local0.debug, length: 529E..-'.@.@.3)..............<135>2024-03-07 10:41:51,99 10.1.200.205 Syslog 2185593 1 0 Common.Username=x...@gmail.com,Common.Service=SVC-WLAN-PORTAL_MAC-AUTH,Common.Roles=RL-VISITANTE, [User Authenticated],RADIUS.Auth-Source=Local:localhost,RADIUS.Auth-Method=MAC-AUTH,Common.System-Posture-Token=UNKNOWN,Common.Enforcement-Profiles=PRF-ACCESS_VISITANTE, PRF-UPDATE_ENDPOINT_USERNAME, PRF-SESSION_TIMEOUT-24Hrs,Common.Host-MAC-Address=1234aae94e6a,Common.NAS-IP-Address=10.10.254.60,Common.Error-Code=0,Common.Request-Timestamp=2024-03-07 10:41:46-03'

**Phase 2: Completed decoding.
        name: 'ArubaClearpass'
        log.destination.ip: '10.1.1.198'
        log.source.ip: '10.1.200.205'


**Phase 3: Completed filtering (rules).
        id: '1002'
        level: '2'
        description: 'Unknown problem somewhere in the system.'
        groups: '['syslog', 'errors']'
        firedtimes: '1'
        gpg13: '['4.3']'
        mail: 'False'

^C
[root@wazuh-manager decoders]#


I hope you find this useful, do not hesitate to ping us again if extra help is needed... we are always happy to help.


Regards,
[Wazuh] Diego.-

Luiz Farah

Mar 7, 2024, 6:45:47 PM
to Wazuh | Mailing List
Very good! It worked perfectly. I just had to change the file owner and permissions. Thanks!!!
I understand that I capture what is inside () and the name of the parameter is defined in that 'order by', correct?
One question remains: if I also want to capture the value of 'Common.Username' and 'Timestamp', do I have to write the regex all the way up to that parameter's field? Or is there an easier way to capture the values?

Thank you very much Diego!!!

Luiz Farah

Mar 8, 2024, 9:47:34 AM
to Wazuh | Mailing List
Diego, I captured this log with "sudo tcpdump -i ens160 port 514 -nn -A -s1514  > /home/lfarah/aruba2.txt" on the Wazuh server. Is this ideal?

On Thursday, March 7, 2024 at 15:23:14 UTC-3, Diego Gustavo Oliva wrote:

Diego Gustavo Oliva

Mar 8, 2024, 4:20:53 PM
to Wazuh | Mailing List
Hello again Luiz,

You can try adding \.+, which means matching anything after SYSLOG until it reaches the next word you want to extract:
<regex>^\d+:\d+:\d+.\d+ IP (\d+.\d+.\d+.\d+).\d+ > (\d+.\d+.\d+.\d+).\d+: SYSLOG\.+Common.Username=(\.+),Common.Service</regex>
<order>log.source.ip, log.destination.ip, log.username</order>

I would have to test in my lab to provide the definitive answer, this Monday, but you can test it in the meantime if you want.
You are correct Luiz, the things between () are the ones you capture, and they are stored in the <order> section (in the order they are captured).

I will continue working on your request on Monday.


Regards,
Diego.-

Diego Gustavo Oliva

Mar 11, 2024, 8:15:12 AM
to Wazuh | Mailing List
Hi Luiz,

Here is another example of the decoder where I look up to "Common.Username" and capture it, then jump to "Common.Host-MAC-Address" and also capture its value:
<decoder name="ArubaClearpass">
  <prematch>^\d+:\d+:\d+.\d+ IP</prematch>
</decoder>

<decoder name="ArubaClearpass_child">
  <parent>ArubaClearpass</parent>
  <regex>^\d+:\d+:\d+.\d+ IP (\d+.\d+.\d+.\d+).\d+ > (\d+.\d+.\d+.\d+).\d+: SYSLOG\.+Common.Username=(\.+),Common.Service=\.+,Common.Host-MAC-Address=(\w+)</regex>
  <order>log.source.ip, log.dest.ip, log.username, log.mac</order>
</decoder>

We use the option \.+ which means looking for any character one or more times until we reach the string ",Common.Host-MAC-Address="
There are different ways of doing it, you need to experiment with regex variants and test behavior with wazuh-logtest utility (/var/ossec/bin/wazuh-logtest).


Regards,
Diego.-
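Worked example, added to this thread and not code from Wazuh, ClearPass or either poster: a small Python parser for the same ClearPass payload that the two decoders above (the first one capturing the IPs, the Mar 11 one adding Common.Username and the MAC) pull fields from. It shows three things the decoder-by-regex approach does not make visible: the tcpdump "IP a.b.c.d.port > ...: SYSLOG local0.debug" header only exists in the packet capture, so the parser treats it as optional and also accepts the bare "<135>..." message that a syslog listener would receive; PRI 135 is decoded to local0/debug and cross-checked against what tcpdump printed; and the key=value body is split only at commas followed by another Common./RADIUS. key, because Common.Roles, Common.Enforcement-Profiles and RADIUS.Auth-Method carry commas inside their values (EAP-PEAP,EAP-MSCHAPv2 has no space after the comma, which is why anchoring on the next key name, as Diego does with ",Common.Host-MAC-Address=", is safer than splitting on commas). The field names log.source.ip and log.destination.ip follow Diego's <order>; the syslog.*/clearpass.* names, the set of list-valued keys and the MAC normalisation are my own assumptions drawn from the sample lines; the sample strings are the thread's already-redacted lines, joined the way Diego joined them for wazuh-logtest.

```python
"""Parser for Aruba ClearPass 'Common.*'/'RADIUS.*' syslog events (added example)."""
import re
from typing import Dict, List, Optional, Union

Value = Union[str, int, List[str]]

# RFC 3164 names; PRI = facility * 8 + severity, so <135> is local0 (16) + debug (7).
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news", "uucp", "cron",
              "authpriv", "ftp", "ntp", "audit", "alert", "clock", "local0", "local1", "local2",
              "local3", "local4", "local5", "local6", "local7"]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# tcpdump -A framing exactly as posted in the thread. It exists only in the packet
# capture; the message a syslog listener receives starts at "<PRI>".
TCPDUMP_RE = re.compile(
    r"^\d{2}:\d{2}:\d{2}\.\d+ IP (?P<src_ip>\d+\.\d+\.\d+\.\d+)\.\d+ > "
    r"(?P<dst_ip>\d+\.\d+\.\d+\.\d+)\.\d+: SYSLOG "
    r"(?P<cap_facility>[a-z0-9]+)\.(?P<cap_severity>[a-z]+), length: \d+")
# PRI plus the ClearPass header seen in the samples. The two integers after the
# message id are skipped: the thread does not say what they mean.
SYSLOG_RE = re.compile(
    r"<(?P<pri>\d{1,3})>(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d+) (?P<host>\S+) Syslog "
    r"(?P<msg_id>\d+) \d+ \d+ (?P<body>Common\..*)$")
# Field boundary: a comma immediately followed by the next "Common.X=" or "RADIUS.X=".
# A plain split(",") would shred "RL-VISITANTE, [User Authenticated]" and "EAP-PEAP,EAP-MSCHAPv2".
FIELD_SPLIT_RE = re.compile(r",(?=(?:Common|RADIUS)\.[A-Za-z0-9_-]+=)")
# Keys whose values are comma-separated lists in the samples (assumption from those lines).
LIST_KEYS = {"Common.Roles", "Common.Enforcement-Profiles", "RADIUS.Auth-Method"}
INT_KEYS = {"Common.Error-Code"}
MAC_RE = re.compile(r"^[0-9A-Fa-f]{12}$")


def parse_fields(body: str) -> Dict[str, Value]:
    """Turn the key=value body into a dict, keeping list-valued fields intact."""
    fields: Dict[str, Value] = {}
    for chunk in FIELD_SPLIT_RE.split(body):
        key, sep, value = chunk.partition("=")
        if not sep:
            continue  # not a field; does not occur on well-formed input
        if key in LIST_KEYS:
            fields[key] = [v for v in re.split(r",\s*", value) if v]
        elif key in INT_KEYS and value.lstrip("-").isdigit():
            fields[key] = int(value)
        else:
            fields[key] = value
    mac = fields.get("Common.Host-MAC-Address")
    if isinstance(mac, str) and MAC_RE.match(mac):
        # Normalise to aa:bb:cc:dd:ee:ff so it joins with DHCP/ARP data (my convention).
        fields["Common.Host-MAC-Address"] = ":".join(mac[i:i + 2] for i in range(0, 12, 2)).lower()
    return fields


def parse_clearpass_line(line: str) -> Optional[Dict[str, Value]]:
    """Parse one event in either the raw syslog form or the tcpdump -A wrapped form.
    Returns None when no ClearPass header is present, so other traffic can be skipped."""
    m = SYSLOG_RE.search(line)
    if m is None:
        return None
    event: Dict[str, Value] = {}
    cap = TCPDUMP_RE.match(line)
    if cap:  # names follow the <order> used in the thread's decoder
        event["log.source.ip"] = cap["src_ip"]
        event["log.destination.ip"] = cap["dst_ip"]
        event["capture.facility"] = cap["cap_facility"]
        event["capture.severity"] = cap["cap_severity"]
    pri = int(m["pri"])
    facility, severity = divmod(pri, 8)
    event["syslog.pri"] = pri
    event["syslog.facility"] = FACILITIES[facility] if facility < len(FACILITIES) else str(facility)
    event["syslog.severity"] = SEVERITIES[severity]
    event["clearpass.timestamp"] = m["ts"]
    event["clearpass.host"] = m["host"]
    event["clearpass.message_id"] = int(m["msg_id"])
    event.update(parse_fields(m["body"]))
    return event


def pri_matches_capture(event: Dict[str, Value]) -> bool:
    """Sanity check: the facility.severity tcpdump printed must equal what the PRI encodes."""
    if "capture.facility" not in event:
        return True  # raw form: nothing to compare against
    return (event["capture.facility"], event["capture.severity"]) == (
        event["syslog.facility"], event["syslog.severity"])


# Sample input copied from the thread: the first line joined as Diego joined it for
# wazuh-logtest, the second reduced to the bare syslog message a listener would receive.
SAMPLES = [
    "10:41:51.105848 IP 10.1.200.205.48015 > 10.1.1.198.514: SYSLOG local0.debug, length: 529"
    "E..-'.@.@.3)..............<135>2024-03-07 10:41:51,99 10.1.200.205 Syslog 2185593 1 0 "
    "Common.Username=x...@gmail.com,Common.Service=SVC-WLAN-PORTAL_MAC-AUTH,"
    "Common.Roles=RL-VISITANTE, [User Authenticated],RADIUS.Auth-Source=Local:localhost,"
    "RADIUS.Auth-Method=MAC-AUTH,Common.System-Posture-Token=UNKNOWN,"
    "Common.Enforcement-Profiles=PRF-ACCESS_VISITANTE, PRF-UPDATE_ENDPOINT_USERNAME, "
    "PRF-SESSION_TIMEOUT-24Hrs,Common.Host-MAC-Address=1234aae94e6a,"
    "Common.NAS-IP-Address=10.10.254.60,Common.Error-Code=0,"
    "Common.Request-Timestamp=2024-03-07 10:41:46-03",
    "<135>2024-03-07 10:41:51,99 10.1.200.205 Syslog 2185596 1 0 "
    "Common.Username=erick...@xxxx.br,Common.Service=SVC-WIRELESS_DOT1X-CORP,"
    "Common.Roles=RL-CORPORATIVO, [User Authenticated],RADIUS.Auth-Source=AD:xxxx.br,"
    "RADIUS.Auth-Method=EAP-PEAP,EAP-MSCHAPv2,Common.System-Posture-Token=UNKNOWN,"
    "Common.Enforcement-Profiles=PRF-ACCESS_CORPORATIVO,Common.Host-MAC-Address=d288eb2e1234,"
    "Common.NAS-IP-Address=10.10.254.60,Common.Error-Code=0,"
    "Common.Request-Timestamp=2024-03-07 10:41:43-03",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        event = parse_clearpass_line(sample)
        print(event, pri_matches_capture(event) if event else None)
```

The split rule is the part worth carrying back into the Wazuh decoder: capture each value by anchoring on the key name that follows it (",Common.Service=", ",Common.NAS-IP-Address=") rather than on the next comma, and test with wazuh-logtest using the bare "<135>..." form as well as the tcpdump-wrapped one, since only the former arrives on a syslog listener.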

Diego Gustavo Oliva

Mar 11, 2024, 8:58:12 AM
to Wazuh | Mailing List
Luiz,

Regarding the second question about your custom file "/home/lfarah/aruba2.txt", please refer to this guide for help in configuring additional log files in Wazuh:


Best regards,
Diego.-