Don't see any data from TMG proxy


Nataliia

Nov 21, 2022, 11:35:04 AM
to Wazuh mailing list
Hi Team,

I am trying to get logs from a TMG proxy. I installed the agent on the TMG proxy server. TMG logs are collected in a folder on the TMG server (D:\Logs\*). To get the logs into Wazuh I configured the localfile option in ossec.conf:

  <localfile>
    <log_format>syslog</log_format>
    <location>D:\Logs\*</location>
    <out_format>TMG-LOG: $(log)</out_format>
  </localfile>

And I configured a local decoder and local rules.

Decoder:
<decoder name="tmg-log">
  <prematch>^TMG-LOG</prematch> <!--SHO-TMG01 instead of ^TMG-LOG -->
</decoder>

<decoder name="tmg-log">
  <parent>tmg-log</parent>
  <regex>(\d+.\d+.\d+.\d+)</regex>
  <order>srcip</order>
</decoder>

<decoder name="tmg-log">
  <parent>tmg-log</parent>
  <regex>SHO-TMG\d+\s+-\s+(\S+)\s+\d+.\d+.\d+.\d+\s+(\d+)\s+\d+\s+\d+\s+\d+\s+(\S+)</regex>
  <order>url,dstport,protocol</order>
</decoder>

<decoder name="tmg-log">
  <parent>tmg-log</parent>
  <regex>Inet\s+(\d+)\s+(\S+\s\S+\s\S+\s\S+)|(\S+\s\S+\s\S+)|(\S+\s\S+)|(\S+)</regex>
  <order>id,rule_name</order>
</decoder>

Rules:
  <rule id="102000" level="0">
    <decoded_as>tmg-log</decoded_as>
    <description>TMG messages grouped.</description>
  </rule>
 
  <rule id="102001" level="5">
    <if_sid>102000</if_sid>
    <id>^12233</id>
    <description>Access denied by rule - Blocked P2P/File Sharing</description>
  </rule>
 
  <rule id="102002" level="5">
    <if_sid>102000</if_sid>
    <id>^200|^0</id>
    <description>Access allowed by rule - Allow Web Access for All Users</description>
  </rule>

Log sample (with the header added by Wazuh):
2022 Nov 21 17:03:54 (sho-tmg01) any->\Logs\ISALOG_20221121_WEB_000.w3c 10.20.4.118     anonymous       Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36 2022-11-21      14:52:25        SHO-TMG01       -       kws2-1.web.telegram.org 149.154.167.99  443     0       2620    18698   SSL-tunnel      -       kws2-1.web.telegram.org:443     -       Inet    0       Allow Web Access for All Users  Req ID: 115251bc        Internal        External        0x0     Allowed -       -       -       -       Allowed Malware Inspection Disabled     Unknown -       0       -       0       -       10.20.29.40     Feature disabled        Web Proxy

In the rule test I see that an alert would be generated, and when I enable the logall option, logs from this server are shown in archives.log.

But I don't see any logs in Discover.
Can you help me solve this issue?

Julian Bustamante Narvaez

Nov 21, 2022, 12:30:13 PM
to Wazuh mailing list
Hi, how are you? I'll be working on your query.

Please:
- Can you send me the ossec.conf file (agent and admin)?
- Can you send me your /var/ossec/logs/alerts/alerts.json file (from admin)?
- Can you send me a screenshot of the Discover logs?

Regards

Nataliia

Nov 22, 2022, 7:43:15 AM
to Wazuh mailing list
Hi Julian,

I changed the localfile in the agent ossec.conf by adding "<out_format>TMG-LOG: $(log)</out_format>":
  <localfile>
    <location>D:\Logs\*</location>
    <log_format>syslog</log_format>
    <out_format>TMG-LOG: $(log)</out_format>
  </localfile>

And then I stopped seeing any logs from this server in Discover. When I deleted this line there were still no logs from this server (earlier I saw eventchannel and security logs).
I restarted the agent but nothing changed. In Wazuh I see that the agent is connected.

There are these lines in the agent logs (I modified the server IP address):
2022/11/22 14:34:26 wazuh-agent: ERROR: (1216): Unable to connect to 'XXX.XXX.XXX.XXX:1514/tcp': 'No connection could be made because the target machine actively refused it.'.
2022/11/22 14:34:36 wazuh-agent: INFO: Trying to connect to server ( XXX.XXX.XXX.XXX  :1514/tcp).
2022/11/22 14:34:37 wazuh-agent: ERROR: (1216): Unable to connect to ' XXX.XXX.XXX.XXX  :1514/tcp': 'No connection could be made because the target machine actively refused it.'.
2022/11/22 14:34:47 wazuh-agent: INFO: Trying to connect to server  XXX.XXX.XXX.XXX  :1514/tcp).
2022/11/22 14:34:47 wazuh-agent: INFO: (4102): Connected to the server ( XXX.XXX.XXX.XXX  :1514/tcp).
2022/11/22 14:34:47 wazuh-agent: INFO: Server responded. Releasing lock.
2022/11/22 14:34:50 wazuh-agent: INFO: Agent is now online. Process unlocked, continuing...

I attached the ossec.conf files as you asked (some sensitive data was modified). When the connection issue with the Wazuh server is solved I will send you the alerts.json file and a screenshot of the Discover logs.
On Monday, November 21, 2022 at 19:30:13 UTC+2 julian.b...@wazuh.com wrote:
ossec(admin).txt
ossec(agent).txt

Nataliia

Nov 22, 2022, 9:38:58 AM
to Wazuh mailing list
After some time, logs from eventchannel and security started coming in as well.
This is a sample of the logs in the alerts.json file:

For this type of log I have not configured rules yet:
{"timestamp":"2022-11-22T15:45:45.154+0200","agent":{"id":"005","name":"sho-tmg01","ip":"***.***.***.***"},"manager":{"name":"wazuh-manager"},"id":"1669124745.59915533","full_log":"SHO-TMG01\t2022-11-22\t13:33:56\tTCP\t ***.***.***.***  :64994\t ***.***.***.***  :8080\t ***.***.***.***  \tInternal\tLocal Host\tTerminate\t0x80074e20\t-\tHTTP Proxy\t347\t347\t3055\t3055\t-\t-\t-\t-\t717343\t24240834\t-\t-\t::\t-\t1048575\t-","decoder":{},"location":"\\Logs\\ISALOG_20221122_FWS_000.w3c"}

{"timestamp":"2022-11-22T15:45:45.199+0200","agent":{"id":"005","name":"sho-tmg01","ip":" ***.***.***.***  "},"manager":{"name":"wazuh-manager"},"id":"1669124745.59915533","full_log":"SHO-TMG01\t2022-11-22\t13:33:56\tTCP\t ***.***.***.***  :58379\t ***.***.***.***  :8080\t ***.***.***.***  \tInternal\tLocal Host\tEstablish\t0x0\t-\tHTTP Proxy\t0\t0\t0\t0\t-\t-\t-\t-\t743827\t24240840\t-\t-\t::\t-\t1048575\t-","decoder":{},"location":"\\Logs\\ISALOG_20221122_FWS_000.w3c"}

{"timestamp":"2022-11-22T15:45:45.217+0200","agent":{"id":"005","name":"sho-tmg01","ip":" ***.***.***.***  "},"manager":{"name":"wazuh-manager"},"id":"1669124745.59915533","full_log":"SHO-TMG01\t2022-11-22\t13:33:56\tTCP\t ***.***.***.***  :61483\t ***.***.***.***  :8080\t ***.***.***.***  \tInternal\tLocal Host\tEstablish\t0x0\t-\tHTTP Proxy\t0\t0\t0\t0\t-\t-\t-\t-\t666156\t24240842\t-\t-\t::\t-\t1048575\t-","decoder":{},"location":"\\Logs\\ISALOG_20221122_FWS_000.w3c"}

{"timestamp":"2022-11-22T15:45:45.221+0200","rule":{"level":2,"description":"Unknown problem somewhere in the system.","id":"1002","firedtimes":1,"mail":false,"groups":["syslog","errors"],"gpg13":["4.3"]},"agent":{"id":"005","name":"sho-tmg01","ip":" ***.***.***.***  "},"manager":{"name":"wazuh-manager"},"id":"1669124745.59915533","full_log":"SHO-TMG01\t2022-11-22\t13:33:56\tTCP\t ***.***.***.***  :61254\t ***.***.***.***  :8080\t ***.***.***.***  \tInternal\tLocal Host\tDenied\t0xc0040017\tNone - see Result Code\tHTTP Proxy\t0\t0\t0\t0\t-\t-\t-\t-\t0\t0\t-\t-\t::\t-\t1048575\t-","decoder":{},"location":"\\Logs\\ISALOG_20221122_FWS_000.w3c"}

And for these types of logs rules are configured:
{"timestamp":"2022-11-22T16:17:06.656+0200","agent":{"id":"005","name":"sho-tmg01","ip":" ***.***.***.**  "},"manager":{"name":"wazuh-manager"},"id":"1669126626.61947789","full_log":" ***.***.***.**  \tanonymous\t-\t2022-11-22\t14:01:34\tSHO-TMG01\t-\tecs.office.com\t ***.***.***.**  \t443\t0\t1918\t46763\tSSL-tunnel\t-\tecs.office.com:443\t-\tInet\t0\tAllow Web Access for All Users\tReq ID: 117a4b1a \tInternal\tExternal\t0x8\tAllowed\t-\t-\t-\t-\tAllowed\tMalware Inspection Disabled\tUnknown\t-\t0\t-\t0\t-\t10.20.29.40\tFeature disabled\tWeb Proxy\tecs.office.com\t50287\t-","decoder":{"name":"cylance_threats"},"data":{"cylance_threats":{"file_name":" ***.***.***.**  \tanonymous\t-\t2022-11-22\t14:01:34\tSHO-TMG01\t-\tecs.office.com\t ***.***.***.**  ","file_status":"443","cylance_score":"0","signature_status":"1918\t46763\tSSL-tunnel\t-\tecs.office.com:443\t-\tInet\t0\tAllow Web Access for All Users\tReq ID: 117a4b1a ","av_industry":"Internal","global_quarantined":"External","safelisted":"0x8","signed":"Allowed"}},"location":"\\Logs\\ISALOG_20221122_WEB_000.w3c"}

{"timestamp":"2022-11-22T15:50:01.402+0200","agent":{"id":"005","name":"sho-tmg01","ip":" ***.***.***.**  "},"manager":{"name":"wazuh-manager"},"id":"1669125001.60061884","full_log":" ***.***.***.**  \tanonymous\tMozilla/5.0\t2022-11-22\t13:37:03\tSHO-TMG01\t-\t149.154.167.151\t149.154.167.151\t80\t172\t501\t321\thttp\tPOST\thttp://149.154.167.151:80/api\tapplication/octet-stream\tInet\t200\tAllow Web Access for All Users\tReq ID: 1178a8fd \tInternal\tExternal\t0x700\tAllowed\t-\t-\t-\t-\tAllowed\tMalware Inspection Disabled\tUnknown\t-\t0\t-\t0\t-\t-\tFeature disabled\tWeb Proxy\t149.154.167.151\t63975\t-","decoder":{"name":"cylance_threats"},"data":{"cylance_threats":{"file_name":" ***.***.***.**  \tanonymous\tMozilla/5.0\t2022-11-22\t13:37:03\tSHO-TMG01\t-\t149.154.167.151\t149.154.167.151","file_status":"80","cylance_score":"172","signature_status":"501\t321\thttp\tPOST\thttp://149.154.167.151:80/api\tapplication/octet-stream\tInet\t200\tAllow Web Access for All Users\tReq ID: 1178a8fd ","av_industry":"Internal","global_quarantined":"External","safelisted":"0x700","signed":"Allowed"}},"location":"\\Logs\\ISALOG_20221122_WEB_000.w3c"}

And here are logs from the archives.log file:
2022 Nov 22 15:57:20 (sho-tmg01) any->\Logs\ISALOG_20221122_WEB_000.w3c  ***.***.***.**       anonymous       Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36 2022-11-22      13:41:21        SHO-TMG01       -       ads.themoneytizer.com   37.19.218.108   443     0       459     5577    SSL-tunnel      -       ads.themoneytizer.com:443       -       Inet    0       Allow Web Access for All Users  Req ID: 1178fa44        Internal        External        0xc     Allowed -       -       -       -       Allowed Malware Inspection Disabled     Unknown -       0       -       0       -        ***.***.***.**       Feature disabled        Web Proxy       ads.themoneytizer.com   64222   -

2022 Nov 22 15:57:20 (sho-tmg01) any->\Logs\ISALOG_20221122_FWS_000.w3c SHO-TMG01       2022-11-22      13:41:22        TCP      ***.***.***.**  :56047        ***.***.***.**  :8080        10.20.5.229     Internal        Local Host      Terminate       0x80074e20      -       HTTP Proxy      5545    5545    8034    8034    62000   62000   -       -       717566  24266280        -       -       ::      -       1048575 -

2022 Nov 22 15:57:20 (sho-tmg01) any->\Logs\ISALOG_20221122_WEB_000.w3c  ***.***.***.**      anonymous       -       2022-11-22      13:41:21        SHO-TMG01       -       ic3.events.data.microsoft.com   40.74.98.192    443     0       2383    5194    SSL-tunnel      -       ic3.events.data.microsoft.com:443       -       Inet    0       Allow Web Access for All Users  Req ID: 1178ceca        Internal        External        0x9     Allowed -       -       -       -       Allowed Malware Inspection Disabled     Unknown -       0       -       0       -        ***.***.***.**       Feature disabled        Web Proxy       ic3.events.data.microsoft.com   49183   -
2022 Nov 22 15:57:20 (sho-tmg01) any->\Logs\ISALOG_20221122_FWS_000.w3c SHO-TMG01       2022-11-22      13:41:22        TCP      ***.***.***.**  :56053        ***.***.***.**  :8080         ***.***.***.**       Internal        Local Host      Terminate       0x80074e20      -       HTTP Proxy      5681    5681    11511   11511   62000   62000   -       -       717566  24266290        -       -       ::      -       1048575 -

2022 Nov 22 15:57:20 (sho-tmg01) any->\Logs\ISALOG_20221122_FWS_000.w3c SHO-TMG01       2022-11-22      13:41:22        TCP      ***.***.***.**  :50627        ***.***.***.**  :8080         ***.***.***.**       Internal        Local Host      Establish       0x0     -       HTTP Proxy      0       0       0       0       -       -       -       -       742423  24270456        -       -       ::      -       1048575 -

2022 Nov 22 15:57:21 (sho-tmg01) any->\Logs\ISALOG_20221122_WEB_000.w3c  ***.***.***.**        anonymous       Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36 2022-11-22      13:41:21        SHO-TMG01       http://cad.buderus.de/pages/catalogs/buderus_deu_de/groups/62913b95ddf40f6a442ad12d7d803505     cad.buderus.de  54.73.26.109    80      25047   580     218     http    GET     http://cad.buderus.de/socket.io/?EIO=4&transport=polling&t=OIVaW3D&sid=RWqumZpna6Nn5f95AAPY     text/plain; charset=UTF-8       Inet    200     Allow Web Access for All Users  Req ID: 1178eab0        Internal        External        0x580   Allowed -       -       -       -       Allowed Malware Inspection Disabled     Unknown -       0       -       0       -       -       Feature disabled        None    cad.buderus.de  60440   -

2022 Nov 22 15:57:21 (sho-tmg01) any->\Logs\ISALOG_20221122_FWS_000.w3c SHO-TMG01       2022-11-22      13:41:22        TCP      ***.***.***.**  :58361         ***.***.***.**  :8080         ***.***.***.**        Internal        Local Host      Terminate       0x80074e21      -       HTTP Proxy      3988    3988    7592    7592    2000    2000    -       -       205992  24270308        -       -       ::      -       1048575 -

2022 Nov 22 15:57:21 (sho-tmg01) any->\Logs\ISALOG_20221122_WEB_000.w3c  ***.***.***.**       anonymous       -       2022-11-22      13:41:21        SHO-TMG01       -       gateway.icloud.com       ***.***.***.**       443     0       0       590     SSL-tunnel      -       gateway.icloud.com:443  -       Inet    407     Blocked P2P/File Sharing        Req ID: 1178fae5        Internal        External        0x0     Allowed -       -       -       -       Allowed Malware Inspection Disabled     Unknown -       0       -       0       -       -       Feature disabled        Web Proxy       gateway.icloud.com      56527   -

2022 Nov 22 15:57:21 (sho-tmg01) any->\Logs\ISALOG_20221122_FWS_000.w3c SHO-TMG01       2022-11-22      13:41:22        TCP      ***.***.***.**  :58360         ***.***.***.**  :8080         ***.***.***.**        Internal        Local Host      Terminate       0x80074e21      -       HTTP Proxy      6805    6805    7728    7728    2000    2000    -       -       205992  24270301        -       -       ::      -       1048575 -

2022 Nov 22 15:57:21 (sho-tmg01) any->\Logs\ISALOG_20221122_WEB_000.w3c  ***.***.***.**       ENT\User.Name  -       2022-11-22      13:41:21        SHO-TMG01       -       gateway.icloud.com       ***.***.***.**       443     0       0       2887    SSL-tunnel      -       gateway.icloud.com:443  -       Inet    12233   Blocked P2P/File Sharing        Req ID: 1178fae6        Internal        External        0x80    Denied  -       -       -       -       Allowed Malware Inspection Disabled     Unknown -       0       -       0       -       -       Feature disabled        None    gateway.icloud.com      56527   -

2022 Nov 22 15:57:21 (sho-tmg01) any->\Logs\ISALOG_20221122_WEB_000.w3c  ***.***.***.**        anonymous       Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36 2022-11-22      13:41:21        SHO-TMG01       http://cad.buderus.de/pages/catalogs/buderus_deu_de/groups/62913b95ddf40f6a442ad12d7d803505     cad.buderus.de  54.73.26.109    80      62      671     203     http    POST    http://cad.buderus.de/socket.io/?EIO=4&transport=polling&t=OIVacAs&sid=RWqumZpna6Nn5f95AAPY     text/html       Inet    200     Allow Web Access for All Users  Req ID: 1178fae3        Internal        External        0x780   Allowed -       -       -       -       Allowed Malware Inspection Disabled     Unknown -       0       -       0       -       -       Feature disabled        None    cad.buderus.de  60440   -

On Tuesday, November 22, 2022 at 14:43:15 UTC+2 Nataliia wrote:
Discovery.JPG

Nataliia

Nov 22, 2022, 3:11:26 PM
to Wazuh mailing list
I noticed these logs (see attachment). Could that be the reason I don't see any other logs from this agent?
On Tuesday, November 22, 2022 at 16:38:58 UTC+2 Nataliia wrote:
tmg.JPG
tmg2.JPG

Julian Bustamante Narvaez

Nov 23, 2022, 12:52:58 AM
to Wazuh mailing list
Hi, I already set up my environment with a dashboard.

I first tried the rule and decoder to see the alert, but I don't see the alert with its full log.
I tried with this full log and it works:

SHO-TMG01 - kws2-1.web.telegram.org 149.154.167.99 443 0 2620 18698 SSL-tunnel - kws2-1.web.telegram.org:443 - Inet 0 Allow Web Access for All Users Req ID: 115251bc Internal External 0x0 Allowed - - - - Allowed Malware Inspection Disabled Unknown - 0 - 0 - 10.20.29.40 Feature disabled Web Proxy

I tested the full log with /var/ossec/bin/wazuh-logtest (see image):

# /var/ossec/bin/wazuh-logtest
SHO-TMG01       -       kws2-1.web.telegram.org 149.154.167.99  443     0       2620    18698   SSL-tunnel      -       kws2-1.web.telegram.org:443     -       Inet    0       Allow Web Access for All Users  Req ID: 115251bc        Internal        External        0x0     Allowed -       -       -       -       Allowed Malware Inspection Disabled     Unknown -       0       -       0       -       10.20.29.40     Feature disabled        Web Proxy

**Phase 1: Completed pre-decoding.
    full event: 'SHO-TMG01       -       kws2-1.web.telegram.org 149.154.167.99  443     0       2620    18698   SSL-tunnel      -       kws2-1.web.telegram.org:443     -       Inet    0       Allow Web Access for All Users  Req ID: 115251bc        Internal        External        0x0     Allowed -       -       -       -       Allowed Malware Inspection Disabled     Unknown -       0       -       0       -       10.20.29.40     Feature disabled        Web Proxy'

**Phase 2: Completed decoding.
    name: 'tmg-log'
    dstport: '443'
    id: ''
    protocol: 'SSL-tunnel'
    srcip: '149.154.167.99'
    url: 'kws2-1.web.telegram.org'

**Phase 3: Completed filtering (rules).
    id: '102000'
    level: '5'
    description: 'TMG messages grouped.'
    groups: '['local', 'syslog', 'sshd']'
    firedtimes: '1'
    mail: 'False'
**Alert to be generated.

-------------------------------------------------------------------------------------------------------------------------------------
First try only with this rule and this decoder.
Put this inside the /var/ossec/etc/rules/local_rules.xml file:
  <rule id="102000" level="5">
    <decoded_as>tmg-log</decoded_as>
    <description>TMG messages grouped.</description>
  </rule>

----------------------------------------------------------------------------------------------------------------------------------------
Put this inside the /var/ossec/etc/decoders/local_decoder.xml file:
<decoder name="tmg-log">
  <prematch>^SHO-TMG01</prematch> <!--SHO-TMG01 instead of ^TMG-LOG -->
</decoder>

<decoder name="tmg-log">
  <parent>tmg-log</parent>
  <regex type="pcre2">(\d+.\d+.\d+.\d+)</regex>
  <order>srcip</order>
</decoder>

<decoder name="tmg-log">
  <parent>tmg-log</parent>
  <regex type="pcre2">SHO-TMG\d+\s+-\s+(\S+)\s+\d+.\d+.\d+.\d+\s+(\d+)\s+\d+\s+\d+\s+\d+\s+(\S+)</regex>
  <order>url,dstport,protocol</order>
</decoder>

<decoder name="tmg-log">
  <parent>tmg-log</parent>
  <regex type="pcre2">Inet\s+(\d+)\s+(\S+\s\S+\s\S+\s\S+)|(\S+\s\S+\s\S+)|(\S+\s\S+)|(\S+)</regex>
  <order>id,rule_name</order>
</decoder>
----------------------------------------------------------------------------------------------------------------------------------------------------
I trigger the alert when I write the full log (and save) inside the file test.txt.
In the agent's ossec.conf you should put:
  <localfile>
    <location>/home/vagrant/test.txt</location>
    <log_format>syslog</log_format>
  </localfile>

You can test this way whether the alert is shown in the Discover panel. You can then try with your custom settings.
I attach screenshots showing that the alert is generated.
Regards
Screenshot from 2022-11-23 00-37-44.png
Screenshot from 2022-11-23 00-35-55.png

Julian Bustamante Narvaez

Nov 23, 2022, 12:54:46 AM
to Wazuh mailing list
dashboardAlert.png

Nataliia

Nov 24, 2022, 2:13:38 PM
to Wazuh mailing list
Hi Julian,

If I change prematch to  ^SHO-TMG01:
<decoder name="tmg-log">
  <prematch>^SHO-TMG01</prematch> <!--SHO-TMG01 instead of ^TMG-LOG -->
</decoder>

Only logs of type FWS are shown in Discover, as on the screenshot "tmg3.JPG", which I attached.
It's because they start with "SHO-TMG01":
2022 Nov 22 15:57:21 (sho-tmg01) any->\Logs\ISALOG_20221122_FWS_000.w3c SHO-TMG01       2022-11-22      13:41:22        TCP      ***.***.***.**  :58361         ***.***.***.**  :8080         ***.***.***.**        Internal        Local Host      Terminate       0x80074e21      -       HTTP Proxy      3988    3988    7592    7592    2000    2000    -       -       205992  24270308        -       -       ::      -       1048575 -

Logs of type WEB start with an IP, so they don't match the decoder prematch you sent:
2022 Nov 22 15:57:21 (sho-tmg01) any->\Logs\ISALOG_20221122_WEB_000.w3c  ***.***.***.**       anonymous       -       2022-11-22      13:41:21        SHO-TMG01       -       gateway.icloud.com       ***.***.***.**       443     0       0       590     SSL-tunnel      -       gateway.icloud.com:443  -       Inet    407     Blocked P2P/File Sharing        Req ID: 1178fae5        Internal        External        0x0     Allowed -       -       -       -       Allowed Malware Inspection Disabled     Unknown -       0       -       0       -       -       Feature disabled        Web Proxy       gateway.icloud.com      56527   -

On Wednesday, November 23, 2022 at 07:54:46 UTC+2 julian.b...@wazuh.com wrote:
tmg3.JPG

Nataliia

Nov 24, 2022, 2:16:54 PM
to Wazuh mailing list
I added a screenshot of the rule test with the WEB type of logs:
10.25.33.143       anonymous       -       2022-11-22      13:41:21        SHO-TMG01       -       gateway.icloud.com       192.63.65.10       443     0       0       590     SSL-tunnel      -       gateway.icloud.com:443  -       Inet    407     Blocked P2P/File Sharing        Req ID: 1178fae5        Internal        External        0x0     Allowed -       -       -       -       Allowed Malware Inspection Disabled     Unknown -       0       -       0       -       -       Feature disabled        Web Proxy       gateway.icloud.com      56527   -

As a result: No decoder matched.

On Thursday, November 24, 2022 at 21:13:38 UTC+2 Nataliia wrote:
tmg-ruletest.JPG

Julian Bustamante Narvaez

Nov 27, 2022, 11:09:12 PM
to Wazuh mailing list

Hi, I hope you are well.

Here I leave a way to handle your request:


  <rule id="102000" level="5">
    <decoded_as>tmg-fws</decoded_as>
    <description>TMG FWS messages grouped.</description>
  </rule>

  <rule id="103000" level="5">
    <decoded_as>tmg-web</decoded_as>
    <description>TMG WEB messages grouped.</description>
  </rule>



<decoder name="tmg-fws">
  <prematch>^SHO-TMG</prematch> <!--SHO-TMG01 instead of ^TMG-LOG -->
</decoder>

<decoder name="tmg-fws">
  <parent>tmg-fws</parent>
  <regex type="pcre2">SHO-TMG\d+\s+\d+-\d+-\d+\s+\d+:\d+:\d+\s+(\S+)\s+((?:\d{1,3}\.){3}\d{1,3})\s+:(\d+)</regex>
  <order>protocol,ipsrc,ipport</order>
</decoder>

<decoder name="tmg-web">
  <prematch>\d+.\d+.\d+.\d+\s+\w+</prematch> <!-- WEB log lines start with the client IP followed by the user name -->
</decoder>

<decoder name="tmg-web">
  <parent>tmg-web</parent>
  <regex type="pcre2">(?:\d{1,3}\.){3}\d{1,3}\s+\w+\s+-\s+\d+-\d+-\d+\s+\d+:\d+:\d+\s+[\w-]+\s+-\s+(\S+)\s+((?:\d{1,3}\.){3}\d{1,3})\s+(\d+)</regex>
  <order>ip1,url,ip2,dstport</order>
</decoder>


Full log for test:

192.168.56.90 anonymous - 2022-11-22 13:41:21 SHO-TMG01 - gateway.icloud.com 10.100.123.123 443 0 0 590 SSL-tunnel - gateway.icloud.com:443  - Inet 407 Blocked P2P/File Sharing Req ID: 1178fae5 Internal External 0x0 Allowed - - - - Allowed Malware Inspection Disabled Unknown - 0 - 0 - - Feature disabled Web Proxy gateway.icloud.com 56527 -


SHO-TMG01 2022-11-22 13:41:22 TCP 192.168.56.103 :58361 192.168.56.103 :8080 192.168.56.103 Internal Local Host Terminate 0x80074e21 - HTTP Proxy 3988 3988 7592 7592 2000 2000 - - 205992 24270308 - - :: - 1048575 -

Let me know if this was helpful.
Regards
Screenshot from 2022-11-27 22-55-16.png
Screenshot from 2022-11-27 22-56-53.png
Screenshot from 2022-11-27 22-56-37.png

Nataliia

Nov 28, 2022, 11:14:40 AM
to Wazuh mailing list
Hi Julian,

Hope you are well.

I added the decoders and rules you wrote and now the logs are alerting. Thank you.

Then I added one more decoder:
<decoder name="tmg-web">
  <parent>tmg-web</parent>
  <regex type="pcre2">Inet\s+(\d+)\s+(\S+\s\S+\s\S+\s\S+)|(\S+\s\S+\s\S+)|(\S+\s\S+)|(\S+)</regex>
  <order>id,rule_name</order>
</decoder>

And rules (for the "messages grouped" rules I set the level to "0"):
  <rule id="103001" level="5">
    <if_sid>103000</if_sid>
    <id>^12202</id>
    <description>Access denied by rule - Block srv subnet inet</description>
  </rule>
 
  <rule id="103002" level="5">
    <if_sid>103000</if_sid>
    <id>^12233</id>
    <description>Access denied by rule - Blocked P2P/File Sharing</description>
  </rule>
 
  <rule id="103003" level="5">
    <if_sid>103000</if_sid>
    <id>^0</id>
    <description>Access allowed by rule - Allow Web Access for All Users</description>
  </rule>

And the rule test for this log was not correct at all:
10.10.3.27     anonymous       -       2022-08-29      08:04:46        SHO-TMG01       -       ocws.officeapps.live.com        52.109.76.74    443     0       5456    7633    SSL-tunnel      -       ocws.officeapps.live.com:443    -       Inet    0       Allow Web Access for All Users  Req ID: 11a62889        Internal        External        0x8     Allowed -       -       -       -       Allowed Malware Inspection Disabled     Unknown -       0       -       0       -       10.30.21.40     Feature disabled        Web Proxy       ocws.officeapps.live.com        57044   -

**Phase 2: Completed decoding.
    name: 'tmg-web'
    id: ''
    ip2: '443'
    url: '52.109.76.74'

**Phase 3: Completed filtering (rules).
    id: '103000'
    level: '0'
    description: 'TMG WEB messages grouped.'
    groups: '["tmg"]'
    firedtimes: '1'
    mail: 'false'

The decoding phase should have shown:
id: '0' ---> (this is number after "Inet")
ip1: '10.10.3.27'
ip2: '52.109.76.74'
port: '443'
rule_name: 'Allow Web Access for All Users'


And as a result the alert wasn't generated.
On Monday, November 28, 2022 at 06:09:12 UTC+2 julian.b...@wazuh.com wrote:

Julian Bustamante Narvaez

Nov 29, 2022, 11:04:45 PM
to Wazuh mailing list

Hi Nataliia, I hope you are well.

I modified the decoder and left the same rules. The alert was generated.

<decoder name="tmg-web">
  <prematch>\d+.\d+.\d+.\d+\s+\w+</prematch> <!-- WEB log lines start with the client IP followed by the user name -->
</decoder>

<decoder name="tmg-web">
  <parent>tmg-web</parent>
  <regex type="pcre2">((?:\d{1,3}\.){3}\d{1,3})\s+\w+\s+-\s+\d+-\d+-\d+\s+\d+:\d+:\d+\s+[\w-]+\s+-\s+(\S+)\s+((?:\d{1,3}\.){3}\d{1,3})\s+(\d+)</regex>
  <order>ip1,url,ip2,port</order>
</decoder>

<decoder name="tmg-web">
  <parent>tmg-web</parent>
  <regex type="pcre2">Inet\s+(\d+)\s+(\S*(?:\s\S*){5}|\S*(?:\s\S*){3}||\S*(?:\s\S*){2}|\S*(?:\s\S*){1})</regex>
  <order>id,rule_name</order>
</decoder>
Full log test:

192.168.56.90       anonymous       -       2022-11-22      13:41:21        SHO-TMG01       -       gateway.icloud.com       10.100.123.123       443     0       0       590     SSL-tunnel      -       gateway.icloud.com:443  -       Inet    122333     Blocked P2P/File Sharing        Req ID: 1178fae5        Internal        External        0x0     Allowed -       -       -       -       Allowed Malware Inspection Disabled     Unknown -       0       -       0       -       -       Feature disabled        Web Proxy       gateway.icloud.com      56527   -


10.10.3.27     anonymous       -       2022-08-29      08:04:46        SHO-TMG01       -       ocws.officeapps.live.com        52.109.76.74    443     0       5456    7633    SSL-tunnel      -       ocws.officeapps.live.com:443    -       Inet    0       Allow Web Access for All Users  Req ID: 11a62889        Internal        External        0x8     Allowed -       -       -       -       Allowed Malware Inspection Disabled     Unknown -       0       -       0       -       10.30.21.40     Feature disabled        Web Proxy       ocws.officeapps.live.com        57044   -
Regards
Screenshot from 2022-11-29 22-56-06.png
Screenshot from 2022-11-29 22-58-57.png
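As an added example (not code from this thread or from Wazuh), the Python script below re-runs the PCRE2 decoder patterns exchanged above against constructed WEB and FWS sample lines and returns the fields each decoder would fill, the way phase 2 of wazuh-logtest reports them; it also reproduces the field shift seen in the Nov 28 rule test when the first IP group was non-capturing, and shows what the token-counting rule_name alternation captures for a three-word rule name next to a capture that stops at "Req ID:". The sample lines, the anchored tmg-web prematch and the "Req ID:" capture are assumptions of this example.

```python
import re

# Constructed sample lines in the WEB and FWS W3C layouts seen in this thread,
# tab-separated like the alerts.json full_log; addresses are documentation ranges.
WEB_LINE = "\t".join([
    "192.0.2.10", "anonymous", "-", "2022-11-22", "13:41:21", "SHO-TMG01", "-",
    "gateway.icloud.com", "198.51.100.5", "443", "0", "0", "590", "SSL-tunnel",
    "-", "gateway.icloud.com:443", "-", "Inet", "12233",
    "Blocked P2P/File Sharing", "Req ID: 1178fae5", "Internal", "External",
    "0x80", "Denied", "-", "-", "-", "-", "Allowed",
    "Malware Inspection Disabled", "Unknown", "-", "0", "-", "0", "-", "-",
    "Feature disabled", "None", "gateway.icloud.com", "56527", "-",
])
FWS_LINE = "\t".join([
    "SHO-TMG01", "2022-11-22", "13:41:22", "TCP", "192.0.2.20 :58361",
    "192.0.2.20 :8080", "192.0.2.20", "Internal", "Local Host", "Terminate",
    "0x80074e21", "-", "HTTP Proxy", "3988", "3988", "7592", "7592", "2000",
    "2000", "-", "-", "205992", "24270308", "-", "-", "::", "-", "1048575", "-",
])

IP = r"((?:\d{1,3}\.){3}\d{1,3})"  # capturing dotted quad, as in the thread

# Decoders in the shape of the XML above: a prematch on the parent, then
# same-named children whose capture groups fill the <order> fields. The tmg-web
# prematch is anchored with ^ here (assumption; the posted one is unanchored).
DECODERS = {
    "tmg-fws": {
        "prematch": r"^SHO-TMG",
        "children": [
            (r"SHO-TMG\d+\s+\d+-\d+-\d+\s+\d+:\d+:\d+\s+(\S+)\s+" + IP + r"\s+:(\d+)",
             ["protocol", "ipsrc", "ipport"]),
        ],
    },
    "tmg-web": {
        "prematch": r"^\d+.\d+.\d+.\d+\s+\w+",
        "children": [
            (IP + r"\s+\w+\s+-\s+\d+-\d+-\d+\s+\d+:\d+:\d+\s+[\w-]+\s+-\s+(\S+)\s+"
             + IP + r"\s+(\d+)",
             ["ip1", "url", "ip2", "port"]),
            # rule_name is whatever sits between the result code and "Req ID:",
            # so the capture does not depend on how many words the name has.
            (r"Inet\s+(\d+)\s+(.+?)\s+Req ID:", ["id", "rule_name"]),
        ],
    },
}

# The rule_name alternation posted on Nov 29: it counts whitespace-separated
# tokens, so a short rule name swallows the following "Req ID: ..." field.
TOKEN_COUNT_RULE_NAME = (r"Inet\s+(\d+)\s+(\S*(?:\s\S*){5}|\S*(?:\s\S*){3}||"
                         r"\S*(?:\s\S*){2}|\S*(?:\s\S*){1})")


def decode(line, decoders=DECODERS):
    """(decoder_name, fields) as phase 2 of wazuh-logtest reports them: first
    decoder whose prematch hits, every same-named child applied, each capture
    group assigned positionally to its <order> entry ('' if it took no part)."""
    for name, spec in decoders.items():
        if not re.search(spec["prematch"], line):
            continue
        fields = {}
        for pattern, order in spec["children"]:
            m = re.search(pattern, line)
            if m is None:
                continue
            for key, value in zip(order, m.groups()):
                fields[key] = value if value is not None else ""
        return name, fields
    return None, {}


def field_shift(line):
    """Mis-assignment reported on Nov 28: with the first IP non-capturing, three
    captures feed a four-name <order>, so every value lands one field left."""
    shifted = (r"(?:\d{1,3}\.){3}\d{1,3}\s+\w+\s+-\s+\d+-\d+-\d+\s+\d+:\d+:\d+\s+"
               r"[\w-]+\s+-\s+(\S+)\s+" + IP + r"\s+(\d+)")
    m = re.search(shifted, line)
    return dict(zip(["ip1", "url", "ip2", "port"], m.groups())) if m else {}


def rule_name_by_token_count(line):
    """rule_name as the token-counting alternation captures it, whitespace normalised."""
    m = re.search(TOKEN_COUNT_RULE_NAME, line)
    return " ".join(m.group(2).split()) if m else ""


if __name__ == "__main__":
    for line in (WEB_LINE, FWS_LINE):
        print(decode(line))
    print(field_shift(WEB_LINE), rule_name_by_token_count(WEB_LINE))
```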

Nataliia

Nov 30, 2022, 11:34:22 AM
to Wazuh mailing list
Hi Julian,

Hope you are well.

I added the decoders you sent and in the rule test I saw that an alert would be generated. Thank you!
But I still don't see any of these logs in Discover. I just see eventchannel and security logs and alerts "Agent buffer: 'flooded'". I disabled client_buffer on the agent and stopped seeing any logs from this agent. Then I enabled client_buffer again and changed queue_size to 10000 and events_per_second to 1000, but still no logs from the agent are shown.
When I returned everything to how it was (client_buffer enabled, queue_size 5000, events_per_second 500) I still don't see any alerts from this agent, even eventchannel and security.

On Wednesday, November 30, 2022 at 06:04:45 UTC+2 julian.b...@wazuh.com wrote:

Julian Bustamante Narvaez

Dec 1, 2022, 1:02:41 PM
to Wazuh mailing list
Hi, how are you?

Since this is a new question, it would be nice if you could ask it in a new thread so that I or another team member can answer it.
This way, traceability remains only for that query.

Regards