Decoder


Tomasz Buziak

Nov 27, 2022, 2:16:47 PM
to Wazuh mailing list
Hi,
I have a simple decoder rule for srcip and user, or srcip only, but for the log message with only an IP it does not decode the IP address.

<!--
07/29/2022 14:55:25 iLO 5: SSH login: administrator - 192.168.9.100(DNS name not found).
11/18/2022 22:19:25 iLO 5: SSH login failure from: 192.168.9.137(DNS name not found).
-->

<decoder name="ilo">
    <prematch>iLO \d+: \.*</prematch>
</decoder>

<decoder name="ilo_1">
    <parent>ilo</parent>
    <prematch>iLO \d+: \.*</prematch>
    <regex offset="after_prematch">^\.*: (\w+) - (\d+.\d+.\d+.\d+)</regex>
    <order>user, srcip</order>
</decoder>

<decoder name="ilo_2">
    <parent>ilo</parent>
    <prematch>iLO \d+: \.*</prematch>
    <regex offset="after_prematch">^\.+: (\d+.\d+.\d+.\d+)</regex>
    <order>srcip</order>
</decoder>


**Messages:
    WARNING: (7003): 'e2cc6634' token expires
    INFO: (7202): Session initialized with token '33c56431'

**Phase 1: Completed pre-decoding.
    full event: '07/29/2022 14:55:25 iLO 5: SSH login: administrator - 192.168.9.100(DNS name not found).'

**Phase 2: Completed decoding.
    name: 'ilo'
    parent: 'ilo'
    dstuser: 'administrator'
    srcip: '192.168.9.100'

**Phase 3: Completed filtering (rules).
    id: '121002'
    level: '3'
    description: 'HPE iLO: successful login.'
    groups: '["ilo","authentication_success"]'
    firedtimes: '1'
    gdpr: '["IV_32.2"]'
    gpg13: '["7.1","7.2"]'
    hipaa: '["164.312.b"]'
    mail: 'false'
    mitre.id: '["T1078"]'
    mitre.tactic: '["Defense Evasion","Persistence","Privilege Escalation","Initial Access"]'
    mitre.technique: '["Valid Accounts"]'
    nist_800_53: '["AU.14","AC.7"]'
    pci_dss: '["10.2.5"]'
    tsc: '["CC6.8","CC7.2","CC7.3"]'
**Alert to be generated.

**Phase 1: Completed pre-decoding.
    full event: '11/18/2022 22:19:25 iLO 5: SSH login failure from: 192.168.9.137(DNS name not found).'

**Phase 2: Completed decoding.
    name: 'ilo'
    parent: 'ilo'

**Phase 3: Completed filtering (rules).
    id: '121006'
    level: '11'
    description: 'HPE iLO: problem.'
    groups: '["ilo"]'
    firedtimes: '1'
    gpg13: '["4.3"]'
    mail: 'false'
**Alert to be generated.

Mariano Koremblum

Nov 28, 2022, 12:14:31 AM
to Wazuh mailing list

Hi Buziak,

I fixed your decoders; take into account that sibling decoders must all have the same name (you can use the parent's name as well).

Here are the decoders:

<decoder name="ilo">
    <prematch type="pcre2">iLO \d+: [^:]+:</prematch>
</decoder>

<decoder name="ilo_child">
    <parent>ilo</parent>
    <regex offset="after_parent">(\S+) - (\d+.\d+.\d+.\d+)</regex>
    <order>user, srcip</order>
</decoder>

<decoder name="ilo_child">
    <parent>ilo</parent>
    <regex offset="after_parent">(\d+.\d+.\d+.\d+)</regex>
    <order>srcip</order>
</decoder>

And here is the output after evaluating the decoders with our wazuh-logtest tool:

# /var/ossec/bin/wazuh-logtest
Starting wazuh-logtest v4.3.10
Type one log per line

11/18/2022 22:19:25 iLO 5: SSH login failure from: 192.168.9.137(DNS name not found).

**Phase 1: Completed pre-decoding.
    full event: '11/18/2022 22:19:25 iLO 5: SSH login failure from: 192.168.9.137(DNS name not found).'

**Phase 2: Completed decoding.
    name: 'ilo'
    srcip: '192.168.9.137'

**Phase 3: Completed filtering (rules).
    id: '2501'
    level: '5'
    description: 'syslog: User authentication failure.'
    groups: '['syslog', 'access_control', 'authentication_failed']'
    firedtimes: '1'
    gdpr: '['IV_35.7.d', 'IV_32.2']'
    gpg13: '['7.8']'
    hipaa: '['164.312.b']'
    mail: 'False'
    nist_800_53: '['AU.14', 'AC.7']'
    pci_dss: '['10.2.4', '10.2.5']'
    tsc: '['CC6.1', 'CC6.8', 'CC7.2', 'CC7.3']'
**Alert to be generated.

07/29/2022 14:55:25 iLO 5: SSH login: administrator - 192.168.9.100(DNS name not found).

**Phase 1: Completed pre-decoding.
    full event: '07/29/2022 14:55:25 iLO 5: SSH login: administrator - 192.168.9.100(DNS name not found).'

**Phase 2: Completed decoding.
    name: 'ilo'
    dstuser: 'administrator'
    srcip: '192.168.9.100'

Best regards,

Mariano Koremblum
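The following is an added example, not code from either post or from the Wazuh project: a small Python script that walks the corrected decoder set from the reply above through both sample log lines, so you can see what `offset="after_parent"` hands to the sibling children and why the first child (user + srcip) fails on the "login failure" line while the second (srcip only) matches. Python's `re` stands in for Wazuh's pcre2 engine here, and the assumptions that the first matching sibling wins and that the `user` order field is reported as `dstuser` are taken from the wazuh-logtest output shown in the thread, not from the engine source. The `check_srcip` helper (an addition beyond the thread) validates that what the loose `\d+.\d+.\d+.\d+` pattern captured is actually an IPv4 address before it is trusted as a field.

```python
import ipaddress
import re

# Sample iLO log lines, copied from the messages posted in the thread.
SAMPLE_LOGS = [
    "07/29/2022 14:55:25 iLO 5: SSH login: administrator - 192.168.9.100(DNS name not found).",
    "11/18/2022 22:19:25 iLO 5: SSH login failure from: 192.168.9.137(DNS name not found).",
]

# Parent decoder: the pcre2 prematch from the corrected "ilo" decoder.
PARENT_NAME = "ilo"
PARENT_PREMATCH = re.compile(r"iLO \d+: [^:]+:")

# Sibling child decoders (both named "ilo_child" in the reply), tried in order.
# Each entry: (regex applied at offset after_parent, <order> field list).
CHILD_DECODERS = [
    (re.compile(r"(\S+) - (\d+.\d+.\d+.\d+)"), ["user", "srcip"]),
    (re.compile(r"(\d+.\d+.\d+.\d+)"), ["srcip"]),
]

# Assumption taken from the wazuh-logtest output on the page: the "user"
# order field is reported as "dstuser".
FIELD_ALIASES = {"user": "dstuser"}


def decode(line):
    """Decode one log line. Returns None when the parent prematch fails,
    otherwise a dict of decoded fields (only 'name' if no child matched)."""
    m = PARENT_PREMATCH.search(line)
    if m is None:
        return None
    # offset="after_parent": the children only see the text after the parent match.
    remainder = line[m.end():]
    fields = {"name": PARENT_NAME}
    for regex, order in CHILD_DECODERS:
        cm = regex.search(remainder)
        if cm is None:
            continue  # this sibling does not fit; try the next one
        for field, value in zip(order, cm.groups()):
            fields[FIELD_ALIASES.get(field, field)] = value
        break  # assumption: the first matching sibling wins
    return fields


def check_srcip(fields):
    """Return True if the decoded srcip is a well-formed IPv4 address.
    The unescaped dots in \\d+.\\d+.\\d+.\\d+ match any character, so a
    consumer should validate before pivoting on the value."""
    value = fields.get("srcip") if fields else None
    if value is None:
        return False
    try:
        return ipaddress.ip_address(value).version == 4
    except ValueError:
        return False


def decode_all(lines):
    """Decode a list of log lines in order."""
    return [decode(line) for line in lines]


if __name__ == "__main__":
    for line, result in zip(SAMPLE_LOGS, decode_all(SAMPLE_LOGS)):
        print(line)
        print("  decoded:", result, "| srcip valid:", check_srcip(result))
```

Run it as-is to see the two decodes side by side; swap in your own iLO lines in `SAMPLE_LOGS` to check a new message shape before touching the decoder files, the same way you would with wazuh-logtest.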

Tomasz Buziak

Nov 28, 2022, 3:15:26 AM
to Mariano Koremblum, Wazuh mailing list
thx
