new local decoder for switch aruba

[Fabio Miotti]

Hello

i need to create local decoder for switch aruba

2021 Aug 31 15:19:46 2021->172.16.0.20 Aug 31 16:19:46 2021 IRF-HP5710-CORE %%10WEB/5/LOGIN: admin logged in from 172.16.15.15.

2021 Aug 31 14:42:44 2021->172.16.0.20 Aug 31 15:42:44 2021 IRF-HP5710-CORE %%10SHELL/5/SHELL_LOGIN: admin logged in from 172.16.15.15.

you can help me please?

it's first time i need to create decoder

Thanks

[Jose Cruz Lopez]

Hello,

Of course, we can help you, the first time facing a decoder can be scary, but do not worry they are not a big deal.

The first time we recommend with decoders is to head to our documentation and check what you need to add a new one.

These references may be helpful:

• https://documentation.wazuh.com/current/user-manual/ruleset/custom.html
• https://documentation.wazuh.com/current/user-manual/ruleset/ruleset-xml-syntax/decoders.html
• https://documentation.wazuh.com/current/user-manual/ruleset/ruleset-xml-syntax/regex.html
• https://documentation.wazuh.com/current/user-manual/ruleset/testing.html

Also, it may be a good idea to check current decoders to have some examples of what we want to achieve: https://github.com/wazuh/wazuh/tree/master/ruleset/decoders

Now is time to get into labour. The first thing I would recommend is to check what return have those logs in the logtest facility is in /var/ossec/bin/wazuh-logtest (if you doesn't have the last 4.2 version, the name will be ossec-logtest), this is a powerful ally when creating rules and decoders, here you can have more information about it: https://documentation.wazuh.com/current/user-manual/capabilities/wazuh-logtest/how-it-works.html

Now, knowing what you need, the following step is to create the custom decoder, the first thing you need is a parent decoder notice that your log structure is: date -> IP date data %% data : admin logged in from IP

To create the necessary regex to make the decoder work properly, we use regex101: https://regex101.com/ 

Here you can test your logs and extract the fields you need.

After every field implementation, we recommend testing it using the logtest facility.

Once you have all the fields you want to be extracted, you completed your first custom decoder!

If you need any additional help along the process or have any further questions, please do not hesitate to ask.

Best regards,

[Fabio Miotti]

Hi Jose

i'm writing you about this new decoder.

i have created 2 different decoders,one for switch hp5710 and one for hp 5406 zl and they are working correctly.

the third decoder for switch aruba 2930,i have this strange problem:

i launch sudo /var/ossec/bin/ossec-logtest   and it reads correctly the decoder . see the log

but in reallty,it doesn't send me never email. in fact in /alerts.log there is not alert but it's present in archives.log .

why?

**Phase 1: Completed pre-decoding.
       full event: '2021 Sep 17 14:15:04 172.16.0.21->172.16.0.21 Sep 17 16:15:03 172.16.0.21 03362 auth:  ST1-CMDR: User 'admin' logged in from 172.16.15.15 to SSH session'
       timestamp: '2021 Sep 17 14:15:04'
       hostname: 'wazuh'
       program_name: '(null)'
       log: '172.16.0.21->172.16.0.21 Sep 17 16:15:03 172.16.0.21 03362 auth:  ST1-CMDR: User 'admin' logged in from 172.16.15.15 to SSH session'

**Phase 2: Completed decoding.
       decoder: 'hp2930'

**Phase 3: Completed filtering (rules).
       Rule id: '100120'
       Level: '7'
       Description: 'Aruba 2930 Sala Server user logged in.'
**Alert to be generated.

[Jose Cruz Lopez]

Hello again,

It seems that the alert trigger correctly and also appears on archives.log.
The alert doesn't trigger if you're using the wazuh-logtest, if it doesn't trigger when it should normally, there may be another kind of problem in your installation.

Also, check the email alerts in our documentation to see if it's configured correctly https://documentation.wazuh.com/current/user-manual/manager/manual-email-report/index.html.

I hope this could help you, if the problem persists, please do not hesitate to ask us again.
Best regards.

[Fabio Miotti]

hello

i don't think the problem is about the conf of oosec.conf because i receive the email from alerts from other local decoders

the problem is only with this decoder:

<decoder name="hp2930">
<prematch>172.16.0.21</prematch>
</decoder>

<decoder name="hp29302">
<parent>hp2930</parent>
<regex> (\w\w\w \d+) (\d\d:\d\d:\d\d) \d+.\d+.\d+.\d+ \d+ \w+:  \w+: \w+ '(\w+)' \w+ \w+ \w+ (\d+.\d+.\d+.\d+) (\.*)</regex>
<order>date, time, srcuser, srcip</order>
</decoder>

if i launch this tool /var/ossec/bin/ossec-logtest:     2021 Sep 17 10:34:06 172.16.0.21->172.16.0.21 Sep 17 12:34:06 172.16.0.21 03362 auth:  ST1-CMDR: User 'admin' logged in from 172.16.15.15 to WEB_UI session

**Phase 1: Completed pre-decoding.
       full event: '2021 Sep 17 10:34:06 172.16.0.21->172.16.0.21 Sep 17 12:34:06 172.16.0.21 03362 auth:  ST1-CMDR: User 'admin' logged in from 172.16.15.15 to WEB_UI session'
       timestamp: '2021 Sep 17 10:34:06'
       hostname: 'wazuh'
       program_name: '(null)'
       log: '172.16.0.21->172.16.0.21 Sep 17 12:34:06 172.16.0.21 03362 auth:  ST1-CMDR: User 'admin' logged in from 172.16.15.15 to WEB_UI session'

**Phase 2: Completed decoding.
       decoder: 'hp2930'

       date: 'Sep 17'
       time: '12:34:06'
       srcuser: 'admin'
       srcip: '172.16.15.15'

**Phase 3: Completed filtering (rules).
       Rule id: '100120'
       Level: '7'
       Description: 'Aruba 2930 Sala Server user logged in.'
**Alert to be generated.

[Jose Cruz Lopez]

Hello again!

I find a few strange things in this decoder:

The first one is that the decoder only triggers when the IP is 172.16.0.21, so if it comes from a different source, it won't trigger.

The second one is that on the regex you capture 5 groups, but in order only to get 4, the last one is missing, but the problem shouldn't come from here.

Also, for those logs to be read as logs, the file where they are stored must appear as a <localfile> block in the ossec.conf file, if not they won't generate alerts.

Also notice, the default alert level to send an email is 12, but if you don't see the alerts in the alerts.json file the problem is before the email alerts.

Please check that all the logs came with the same IP, either way, it won't trigger the decoder.

I hope this could help you, if not please ask us again!

Best regards.

[Jose Cruz Lopez]

Hello again,

Making some research, I found out that in Syslog decoders, the field program_name or type is mandatory. Your decoder is missing this field, the problem could be here too, please check with it and tell if it works, if not please also send your rules in order to make additional research with this specific scenario.

Thank you for your patience!

Best regards.

[Fabio Miotti]

Hello Jose

why do you tell me about 5 fields, i have only 4 declared fields <order>date, time, srcuser, srcip</order>
as i have told you, in archives.log i see the log from 172.16.0.21 but i don't see any alerts in alerts.log

in ossec.conf there  i have put the switch 172.16.0.21

<remote>
  <connection>syslog</connection>
    <port>514</port>
    <protocol>udp</protocol>
    <allowed-ips>172.16.0.21</allowed-ips>
   </remote>

in ossec.conf i have this thresholds:

 <alerts>
    <log_alert_level>3</log_alert_level>
    <email_alert_level>6</email_alert_level>
  </alerts>

[Juan Carlos]

Hello Fabio,

There are a few things that should be clarified here. The logs of the archives.log file include a header with information on when and where the manager received the log from, these should not be included in the regular expressions that match these events.

For the events you've provided so far I highlight the header in red here:

2021 Aug 31 15:19:46 2021->172.16.0.20 Aug 31 16:19:46 2021 IRF-HP5710-CORE %%10WEB/5/LOGIN: admin logged in from 172.16.15.15.
2021 Aug 31 14:42:44 2021->172.16.0.20 Aug 31 15:42:44 2021 IRF-HP5710-CORE %%10SHELL/5/SHELL_LOGIN: admin logged in from 172.16.15.15.

2021 Sep 17 14:15:04 172.16.0.21->172.16.0.21 Sep 17 16:15:03 172.16.0.21 03362 auth:  ST1-CMDR: User 'admin' logged in from 172.16.15.15 to SSH session

2021 Sep 17 10:34:06 172.16.0.21->172.16.0.21 Sep 17 12:34:06 172.16.0.21 03362 auth:  ST1-CMDR: User 'admin' logged in from 172.16.15.15 to WEB_UI session

After this the analysis engine will also consume the parts highlighted in green in its pre-decoding process as an attempt to extract hostname and program name information for logs following the syslog standard.

Your decoders and rules should only use the remaining portion of the log for identifying the type of log.

Given that the last two logs you've provided are almost identical the following decoder may be overly restrictive, but it is best to avoid having an overreaching ruleset that may wrongly identify messages from other devices as its own.

If not all messages from your device follow the pattern then adjust accordingly:

<decoder name="hp2930">
<prematch>^\d+\s+\w+:\s+ST1-CMDR:</prematch>

</decoder>

<decoder name="hp29302">
<parent>hp2930</parent>

<regex>\d+\s+\w+:\s+ST1-CMDR:\s+User\s+'(\w+)'\s+\.+from\s+(\S+)</regex>
<order>srcuser, srcip</order>
</decoder>

Please let us know if there is any other queries we may assist with.

Best Regards,

Juan Carlos Tello

[Fabio Miotti]

Hi Juan

thank you very much for your preciuos help.

you have solved me a big problem and i think for other people to manage famous switch hp