Decoder for Aruba Switch 2530 and similar

Matthias Stukenberg

Apr 19, 2023, 5:08:27 AM4/19/23
to Wazuh mailing list
Dear all,
I am trying to write my first decoder for Aruba Switch 2530 and similar. I have got these log entries (examples):

2023 Apr 19 09:53:41 192.168.150.244->192.168.150.244 Apr 19 09:53:38 192.168.150.244 00076 ports:  port 20 is now on-line
2023 Apr 19 09:54:10 192.168.150.244->192.168.150.244 Apr 19 09:54:06 192.168.150.244 03362 auth:  User 'xxx.yyy' logged in from 172.23.20.213 to SSH session
2023 Apr 19 09:54:12 192.168.150.244->192.168.150.244 Apr 19 09:54:08 192.168.150.244 00179 mgr:  SME SSH from 172.23.20.213 - MANAGER Mode
2023 Apr 19 09:54:20 192.168.150.244->192.168.150.244 Apr 19 09:54:16 192.168.150.244 03363 auth:  User 'xxx.yyy' logged out of SSH session from 172.23.20.213

I am trying to decode the login event, but get no available decoder when I test it. The decoder is not very fancy or readable, but according to my regex tests it should match:

<decoder name="ArubaSwitch">
  <prematch>^\d\d\d\d [A-Z][a-z]{2} [0-3][0-9] [0-2][0-9]:[0-5][0-9]:[0-5][0-9] \d\d\d.\d\d\d.\d\d\d.\d\d\d->\d\d\d.\d\d\d.\d\d\d.\d\d\d [A-Z][a-z]{2} [0-3][0-9] [0-5][0-9]:[0-5][0-9]:[0-5][0-9] </prematch>
</decoder>

<decoder name="ArubaSwitchLogin">
  <parent>ArubaSwitch</parent>
  <regex>\d\d\d\d [A-Z][a-z]{2} [0-3][0-9] [0-2][0-9]:[0-5][0-9]:[0-5][0-9] \d\d\d.\d\d\d.\d\d\d.\d\d\d->\d\d\d.\d\d\d.\d\d\d.\d\d\d [A-Z][a-z]{2} [0-3][0-9] [0-5][0-9]:[0-5][0-9]:[0-5][0-9] \d\d\d.\d\d\d.\d\d\d.\d\d\d \d+ auth: User '(\w+)' logged in from '(\d+.\d+.\d+.\d+)'</regex>
  <order>user, srcip</order>
</decoder>

Can anyone assist me with this and provide a hint?

Isaiah Daboh

Apr 19, 2023, 12:02:39 PM4/19/23
to Wazuh mailing list
Hello,

From your <prematch>, the decoder will not match the events stated.

Note that if the log is Syslog-like, then prematch only analyzes the log after the Syslog-like header.

You can test the decoder as described here.

You can read more about regex in decoders here, and you can follow the example here.

Regards,

Matthias Stukenberg

Apr 20, 2023, 5:06:54 AM4/20/23
to Wazuh mailing list
Thank you, I made a little bit of progress, but I think I have another issue with the ' character enclosing the username xxx.yyy.

What my decoder looks like:

<decoder name="ArubaSwitchLogin">
  <prematch>03362 auth:</prematch>
</decoder>

<decoder name="ArubaSwitchLoginParse">
  <parent>ArubaSwitchLogin</parent>
  <regex>User "[A-Za-z0-9]+(?:\.[A-Za-z0-9]+)*" logged in from "(\d+.\d+.\d+.\d+)" to SSH session</regex>
  <order>user, srcip</order>
</decoder>

My test result of the log line:

**Messages:
	WARNING: (7003): 'c77161a0' token expires
	INFO: (7202): Session initialized with token '7e52b9b3'

**Phase 1: Completed pre-decoding.
	full event: 'Apr 20 09:37:56 192.168.150.244 03362 auth: User 'xxx.yyy' logged in from 172.23.20.213 to SSH session'
	timestamp: 'Apr 20 09:37:56'
	hostname: '192.168.150.244'

**Phase 2: Completed decoding.
	name: 'ArubaSwitchLogin'

**Phase 3: Completed filtering (rules).
	id: '100005'
	level: '5'
	description: 'ArubaSwitch grouping rule'
	groups: '["local","syslog","sshd"]'
	firedtimes: '1'
	mail: 'false'
**Alert to be generated.
As it seems, the fields user and srcip do not get mapped. As soon as I try to escape the ' character, the decoder will not save and gives me an error.
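
A working version of what the reply about the syslog header and the second decoder attempt above are aiming at, as an added example that is not part of the thread and not one of Wazuh's shipped decoders. It decodes the text that is left once Wazuh's syslog pre-decoder has consumed `Apr 20 09:37:56 192.168.150.244 ` (the `full event` / `timestamp` / `hostname` split shown in the logtest output), so every pattern starts at the five-digit event id. Two details explain the earlier failures: a single quote is an ordinary character both in XML element content and in the regex, so `'xxx.yyy'` is matched with a plain `'` (the posted regex used `"`, which never occurs in the log); and the default OS_Regex engine has no `[...]`, `{n}` or `(?:...)`, so those constructs need `type="pcre2"`, which this example assumes is available (Wazuh 4.3 or later). Decoder names, the field names `category` and `extra_data`, and the file path are my choices, not anything the thread specifies.

```xml
<!-- Added example, /var/ossec/etc/decoders/local_decoder.xml (file path assumed).
     After the syslog pre-decoder, the text the decoders see is e.g.
       03362 auth:  User 'xxx.yyy' logged in from 172.23.20.213 to SSH session
     Every pattern uses PCRE2 (type="pcre2", Wazuh 4.3 or later assumed) so that
     [...], {n} and (?:...) mean what the original poster expected. -->

<!-- Parent: five-digit event id, a category word, a colon, one or more spaces. -->
<decoder name="aruba-switch">
  <prematch type="pcre2">^\d{5} \w+:\s+</prematch>
</decoder>

<!-- Login. A bare ' is legal inside XML element content and has no special meaning
     in the regex, so the username is everything between the two quotes. -->
<decoder name="aruba-switch-login">
  <parent>aruba-switch</parent>
  <prematch type="pcre2">^\d{5} auth:\s+User '[^']+' logged in from</prematch>
  <regex type="pcre2">^(\d{5}) auth:\s+User '([^']+)' logged in from (\d{1,3}(?:\.\d{1,3}){3}) to (\w+) session</regex>
  <order>id, user, srcip, protocol</order>
</decoder>

<!-- Logout: same fields, different word order in the message. -->
<decoder name="aruba-switch-logout">
  <parent>aruba-switch</parent>
  <prematch type="pcre2">^\d{5} auth:\s+User '[^']+' logged out of</prematch>
  <regex type="pcre2">^(\d{5}) auth:\s+User '([^']+)' logged out of (\w+) session from (\d{1,3}(?:\.\d{1,3}){3})</regex>
  <order>id, user, protocol, srcip</order>
</decoder>

<!-- Catch-all for every other category (ports, mgr, ...). It has no prematch, so it
     must stay last: siblings are tried in file order and the first match wins. -->
<decoder name="aruba-switch-other">
  <parent>aruba-switch</parent>
  <regex type="pcre2">^(\d{5}) (\w+):\s+(.+)$</regex>
  <order>id, category, extra_data</order>
</decoder>
```

Restart the manager (`systemctl restart wazuh-manager`) and paste one raw line, for example `Apr 20 09:37:56 192.168.150.244 03362 auth:  User 'xxx.yyy' logged in from 172.23.20.213 to SSH session`, into `/var/ossec/bin/wazuh-logtest`; Phase 2 should then report `aruba-switch-login` with `id`, `user`, `srcip` and `protocol` filled, and the `ports:` and `mgr:` lines from the first post should land in `aruba-switch-other`. Keep the catch-all decoder last, because a sibling without a prematch matches before the more specific ones if it comes first.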

Matthias Stukenberg

Apr 24, 2023, 3:54:00 AM4/24/23
to Wazuh mailing list
shameless self bump