Custom Decoder


Kotory

Sep 20, 2022, 8:17:25 AM
to Wazuh mailing list
Hi guys.
First of all - thank you for an outstanding piece of software. I'm really impressed with the sheer amount of functionality it provides.

Now to my topic.
I've built a small virtual environment for testing purpose before implementing any changes into live system.
I'm trying to figure out how to optimally build my custom decoder and rules for my firewall (OPNsense, to be specific).

What I did so far

1 - enabled remote syslog collection and configured the log destination in OPNsense.
  <remote>
    <connection>syslog</connection>
    <port>514</port>
    <protocol>tcp</protocol>
    <allowed-ips>192.168.48.0/24</allowed-ips>
    <local_ip>192.168.48.150</local_ip>
  </remote>

Logs are hitting Wazuh. There are plenty of them in archive.log with <logall> enabled.

2 - tried to configure a custom decoder according to the logs from archive.log.
Log sample:
2022 Sep 20 10:54:09 OPNsense.localdomain->192.168.48.250 Sep 20 10:54:09 OPNsense.localdomain filterlog[46729]: 71,,,fae559338f65e11c53669fc3642c93c2,em0,match,pass,out,4,0x0,,64,0,0,DF,6,tcp,60,192.168.48.250,192.168.48.150,10254,514,0,S,509612760,,65228,,mss;nop;wscale;sackOK;TS

And here comes the problem. As far as I'm aware, the red part of the log is the header from the manager itself, while the green one is the actual log.
It would be convenient to <prematch> against the 'OPNsense.localdomain' part, since it's present in every log, but this part is parsed out during predecoding, which means I can't use it to prematch my own decoder.

**Phase 1: Completed pre-decoding.
    full event: 'Sep 20 10:54:09 OPNsense.localdomain filterlog[46729]: 71,,,fae559338f65e11c53669fc3642c93c2,em0,match,pass,out,4,0x0,,64,0,0,DF,6,tcp,60,192.168.48.250,192.168.48.150,10254,514,0,S,509612760,,65228,,mss;nop;wscale;sackOK;TS'
    timestamp: 'Sep 20 10:54:09'
    hostname: 'OPNsense.localdomain'
    program_name: 'filterlog'


What I'm left with to prematch against is pretty much useless, since this part will be vastly different from log to log:
71,,,fae559338f65e11c53669fc3642c93c2,em0,match,pass,out,4,0x0,,64,0,0,DF,6,tcp,60,192.168.48.250,192.168.48.150,10254,514,0,S,509612760,,65228,,mss;nop;wscale;sackOK;TS

Since I can't match my decoder against the hostname, I've tried to work around it with <program_name>, but there are plenty of different names in this field as well.
I ended up with something like this, with a logical "or" construction, which kind of works but doesn't look pretty at all.

<decoder name="OPNsense-fw">
    <program_name>dhclient|/usr/sbin/cron|filterlog|syslog-ng</program_name>
</decoder>

<rule id="176000" level="4">
    <decoded_as>OPNsense-fw</decoded_as>
    <description>OPNsense-FW [Parent Test Rule]</description>
</rule>

Is there a more convenient way to make it work?
For instance, enrich the log with a custom label to prematch against, or partially disable predecoding so I can prematch against the OPNsense.localdomain string?

Thank you.

Jose Antonio Izquierdo

Sep 20, 2022, 8:28:57 AM
to Wazuh mailing list
Hi Kotory,

Usually the problem is that the expected log we will collect by syslog is not the same as the one you test in wazuh-logtest. So, let's review the archives logs to verify the full log you should use for decoding and/or rules.

Use the ossec.conf in your manager and set the log_all tag to yes as json. 

When done and the manager restarted, verify your remote logs to see how they are decoded (check full_log) and you should find the right log to use for decoding/rules.

Share with us the archives.json (/var/ossec/logs/archives/archives.json) entries if you need further help.
Thanks 
Jose.


Kotory

Sep 20, 2022, 8:49:47 AM
to Wazuh mailing list
Thank you for the quick response.
I assumed my test logs were the right ones, since they are decoded and alerts are generated.
Here is a log sample from archive.json:

{"timestamp":"2022-09-20T12:32:16.417+0000","rule":{"level":4,"description":"OPNsense-FW [Parent Test Rule]","id":"176000","firedtimes":2,"mail":false,"groups":["OPNsense"]},"agent":{"id":"000","name":"wazuh-server"},"manager":{"name":"wazuh-server"},"id":"1663677136.728793","full_log":"Sep 20 12:31:21 OPNsense.localdomain dhclient[21400]: DHCPACK from 192.168.48.254","predecoder":{"program_name":"dhclient","timestamp":"Sep 20 12:31:21","hostname":"OPNsense.localdomain"},"decoder":{"name":"OPNsense-fw"},"data":{"FULL_LOG":"DHCPACK from 192.168.48.254"},"location":"192.168.48.250"}

It is decoded and an alert is generated. But the way I worked around the decoder doesn't look like the right one to me.
Here is my dashboard:
Screenshot 2022-09-20 144851.png

Jose Antonio Izquierdo

Sep 20, 2022, 1:58:28 PM
to Wazuh mailing list
Hi. Sorry for my previous answer. 

The problem is that an OS (OPNsense) sends you standard syslog messages for different services.
We manage those services as independent ones, and I think you should do the same.
Use child decoders for each program_name you need to analyze.

Parent decoder - be sure you capture your OPNsense logs. Using the program_name field looks like the right way per your logs.
|
---- child dhclient decoder - decode fields for dhclient as needed...
|
---- child cron decoder
---- child filterlog decoder

Then you can create/use rules for each service too.

With this approach, you can manage each service log correctly. On the other hand, you will need to create a vast decoder/rule structure. 
Ping me if you want me to help you work this way.

Thanks 
Jose.
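A concrete version of the parent/child layout Jose describes, written against Kotory's filterlog and dhclient samples earlier in the thread. This is an added example, not code from the thread or from the Wazuh ruleset: the decoder names, the field names in <order> (tracker, interface, direction, dhcp_message) and rule ids 176001/176002 are assumptions, and the filterlog child only covers IPv4 TCP/UDP lines (IPv6 and ICMP lines keep the parent decoder alone). The decoder fragment belongs in local_decoder.xml and the rule fragment in local_rules.xml; both can be checked with wazuh-logtest against the sample lines.

```xml
<!-- Decoders (e.g. /var/ossec/etc/decoders/local_decoder.xml) -->
<!-- Parent: accept only the OPNsense programs we care about. The
     anchors stop names such as "dhclient-script" from matching. -->
<decoder name="opnsense">
  <program_name>^filterlog$|^dhclient$</program_name>
</decoder>

<!-- Child: filterlog IPv4 TCP/UDP lines. The body after the syslog
     header is CSV; each field is consumed with \w*, \w+ or \d+ so a
     match can never run across a comma. Field order (from the sample
     in the thread): rule,subrule,anchor,tracker,iface,reason,action,
     dir,ipver,tos,ecn,ttl,id,offset,flags,protoid,proto,length,src,
     dst,srcport,dstport -->
<decoder name="opnsense-filterlog">
  <parent>opnsense</parent>
  <prematch>^\d+,</prematch>
  <regex>^(\d+),\w*,\w*,(\w*),(\w+),\w+,(\w+),(\w+),4,\w*,\w*,\d+,\d+,\d+,\w*,\d+,(\w+),\d+,(\d+.\d+.\d+.\d+),(\d+.\d+.\d+.\d+),(\d+),(\d+),</regex>
  <order>id, tracker, interface, action, direction, protocol, srcip, dstip, srcport, dstport</order>
</decoder>

<!-- Child: dhclient "DHCPACK from x.x.x.x" style lines; other dhclient
     messages are left with the parent decoder only (assumed field name). -->
<decoder name="opnsense-dhclient">
  <parent>opnsense</parent>
  <prematch>^DHCP\w+ from </prematch>
  <regex>^(DHCP\w+) from (\d+.\d+.\d+.\d+)</regex>
  <order>dhcp_message, srcip</order>
</decoder>

<!-- Rules (e.g. /var/ossec/etc/rules/local_rules.xml) -->
<group name="opnsense,">
  <!-- Level 0 grouping rule: every parent-decoded event lands here. -->
  <rule id="176000" level="0">
    <decoded_as>opnsense</decoded_as>
    <description>OPNsense syslog event</description>
  </rule>

  <!-- Only blocked traffic is worth an alert; decoded fields are echoed. -->
  <rule id="176001" level="5">
    <if_sid>176000</if_sid>
    <action>block</action>
    <description>OPNsense firewall blocked $(protocol) $(srcip):$(srcport) -> $(dstip):$(dstport) on $(interface)</description>
  </rule>

  <!-- DHCP lease acknowledgements, kept at a low level for auditing. -->
  <rule id="176002" level="3">
    <if_sid>176000</if_sid>
    <field name="dhcp_message">^DHCPACK$</field>
    <description>OPNsense dhclient: $(dhcp_message) from $(srcip)</description>
  </rule>
</group>
```

Each service gets its own child decoder and rule ids, so a new OPNsense program (cron, syslog-ng) is added by extending the parent's program_name alternation and writing one more child rather than widening a single catch-all regex.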

Vivek Kumar

Sep 6, 2023, 7:01:50 AM
to Wazuh | Mailing List
Hi Kotory,

Did you manage to get logs for OPNsense on Wazuh? Can you possibly share the decoder code?
I am new to Wazuh and have OPNsense in my environment; it would be a great help if you could share the decoder code for OPNsense.

Regards
Vivek
