Wazuh decoders samba 4


Ricardo

Oct 21, 2022, 1:13:37 PM
to Wazuh mailing list
We are using Samba 4 as an AD DC. So, I am looking for decoders, but I didn't find anything. Does anyone know if there is something available?


Thanks

Tomasz Buziak

Oct 21, 2022, 2:56:58 PM
to Ricardo, Wazuh mailing list
Hi, 
My rules only catch the authentication process.

In smb.conf [global] you must add log parameters:
log level = 1 auth_audit:5
max log size = 100000
log file = /var/log/samba.log

In ossec.conf on samba host, add new logfile:
  <localfile>
    <log_format>syslog</log_format>
    <location>/var/log/samba.log</location>
  </localfile>

Decoder:

<decoder name="samba4">
  <prematch>^  Auth: [\.*] user \.*</prematch>
</decoder>

<decoder name="samba4_1">
  <parent>samba4</parent>
  <regex>^  Auth: [(\.*)] user</regex>
  <order>authtype</order>
</decoder>

<decoder name="samba4_1">
  <parent>samba4</parent>
  <regex>user [(\.+)]\\[(\.+)]</regex>
  <order>domain, user</order>
</decoder>

<decoder name="samba4_1">
  <parent>samba4</parent>
  <regex>remote host [ipv4:(\d+.\d+.\d+.\d+):\d+]</regex>
  <order>srcip</order>
</decoder>

<decoder name="samba4_1">
  <parent>samba4</parent>
  <regex>local host [ipv4:(\d+.\d+.\d+.\d+):\d+]</regex>
  <order>dstip</order>
</decoder>

Rules:

<group name="smbd,">
  <rule id="100002" level="0">
    <decoded_as>samba4</decoded_as>
    <description>Grouping for the Samba4 rules.</description>
  </rule>
 
  <rule id="100003" level="3">
    <if_sid>100002</if_sid>
    <field name="authtype">Kerberos KDC,ENC-TS Pre-authentication</field>
    <match>[NT_STATUS_OK]</match>
    <group>authentication_success,pci_dss_10.2.5,gpg13_7.1,gpg13_7.2,gdpr_IV_32.2,hipaa_164.312.b,nist_800_53_AU.14,nist_800_53_AC.7,tsc_CC6.8,tsc_CC7.2,tsc_CC7.3,</group>
    <description>Samba4: successful login (kerberos).</description>
    <mitre>
      <id>T1078</id>
    </mitre>
  </rule>
 
  <rule id="100004" level="3">
    <if_sid>100002</if_sid>
    <field name="authtype">LDAP,simple bind/TLS</field>
    <match>[NT_STATUS_OK]</match>
    <group>authentication_success,pci_dss_10.2.5,gpg13_7.1,gpg13_7.2,gdpr_IV_32.2,hipaa_164.312.b,nist_800_53_AU.14,nist_800_53_AC.7,tsc_CC6.8,tsc_CC7.2,tsc_CC7.3,</group>
    <description>Samba4: successful login (ldap).</description>
    <mitre>
      <id>T1078</id>
    </mitre>
  </rule>
 
  <rule id="100005" level="5">
    <if_sid>100002</if_sid>
    <match>NT_STATUS_WRONG_PASSWORD</match>
    <description>Samba4: authentication failed.</description>
    <mitre>
      <id>T1110</id>
    </mitre>
    <group>authentication_failed,gdpr_IV_35.7.d,gdpr_IV_32.2,gpg13_7.1,hipaa_164.312.b,nist_800_53_AU.14,nist_800_53_AC.7,pci_dss_10.2.4,pci_dss_10.2.5,tsc_CC6.1,tsc_CC6.8,tsc_CC7.2,tsc_CC7.3,</group>
  </rule>
</group>


Fri, 21 Oct 2022 at 19:13 Ricardo <ric.ge...@gmail.com> wrote:
We are using Samba 4 as an AD DC. So, I am looking for decoders, but I didn't find anything. Does anyone know if there is something available?


Thanks
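To see what Tomasz's decoders and rules actually extract and alert on before loading them into a manager, the script below is an added example (not Tomasz's code and not part of Wazuh) that translates the decoder patterns into Python regexes and applies the same three rule conditions to a handful of constructed auth_audit lines. The log lines, user names, the EXAMPLE domain and the 192.0.2.0/24 addresses are all invented for the example; the line layout follows the Samba auth_audit text format the decoders in the thread are written against. Wazuh's regex dialect is not Python's (there `\.` means any character and `\d+.\d+` uses a literal dot), so the patterns are equivalents rather than the decoder strings themselves, and the rule check uses exact field equality where Wazuh's `<field>` does a pattern match.

```python
import re
from collections import Counter

# Python equivalents of the thread's decoder patterns (translations, not the
# Wazuh regex strings: Wazuh's dialect differs from Python's).
PREMATCH = re.compile(
    r"^\s*Auth: \[(?P<authtype>[^\]]*)\] user "
    r"\[(?P<domain>[^\]]*)\]\\\[(?P<user>[^\]]*)\]"
)
STATUS = re.compile(r"status \[(?P<status>NT_STATUS_[A-Z_]+)\]")
REMOTE = re.compile(r"remote host \[ipv4:(?P<srcip>\d+\.\d+\.\d+\.\d+):\d+\]")
LOCAL = re.compile(r"local host \[ipv4:(?P<dstip>\d+\.\d+\.\d+\.\d+):\d+\]")

# Rule table mirroring rules 100003-100005 from the thread:
# (rule id, level, required authtype or None, required status, description).
RULES = [
    (100003, 3, "Kerberos KDC,ENC-TS Pre-authentication", "NT_STATUS_OK",
     "Samba4: successful login (kerberos)."),
    (100004, 3, "LDAP,simple bind/TLS", "NT_STATUS_OK",
     "Samba4: successful login (ldap)."),
    (100005, 5, None, "NT_STATUS_WRONG_PASSWORD",
     "Samba4: authentication failed."),
]


def decode(line):
    """Extract authtype, domain, user, status, srcip, dstip; None if not an Auth line."""
    m = PREMATCH.match(line)
    if m is None:
        return None
    fields = m.groupdict()
    for rx in (STATUS, REMOTE, LOCAL):
        hit = rx.search(line)
        if hit:
            fields.update(hit.groupdict())
    return fields


def classify(line):
    """Return the first matching rule (id, level, description) plus decoded fields."""
    fields = decode(line)
    if fields is None:
        return None
    for rule_id, level, authtype, status, desc in RULES:
        if authtype is not None and fields.get("authtype") != authtype:
            continue
        if fields.get("status") != status:
            continue
        return {"rule": rule_id, "level": level, "description": desc, **fields}
    # Decoded, but no specific rule fired: only the level-0 grouping rule applies.
    return {"rule": 100002, "level": 0,
            "description": "Grouping for the Samba4 rules.", **fields}


def failed_logins_by_source(lines):
    """Count rule 100005 hits per source IP (the input for a frequency-based alert)."""
    counts = Counter()
    for line in lines:
        hit = classify(line)
        if hit and hit["rule"] == 100005 and "srcip" in hit:
            counts[hit["srcip"]] += 1
    return counts


# Constructed sample lines (invented users, placeholder domain, RFC 5737 addresses)
# in the auth_audit text layout the thread's decoders expect.
SAMPLE_LINES = [
    r"  Auth: [Kerberos KDC,ENC-TS Pre-authentication] user [EXAMPLE]\[alice]"
    r" at [Fri, 21 Oct 2022 13:05:10.123456 UTC] with [aes256-cts-hmac-sha1-96]"
    r" status [NT_STATUS_OK] workstation [(null)] remote host [ipv4:192.0.2.10:49152]"
    r" mapped to [EXAMPLE]\[alice]. local host [ipv4:192.0.2.1:88]",
    r"  Auth: [LDAP,simple bind/TLS] user [EXAMPLE]\[bob]"
    r" at [Fri, 21 Oct 2022 13:06:02.000001 UTC] with [(null)]"
    r" status [NT_STATUS_OK] workstation [(null)] remote host [ipv4:192.0.2.20:51000]"
    r" mapped to [EXAMPLE]\[bob]. local host [ipv4:192.0.2.1:636]",
    r"  Auth: [Kerberos KDC,ENC-TS Pre-authentication] user [EXAMPLE]\[carol]"
    r" at [Fri, 21 Oct 2022 13:07:15.000002 UTC] with [aes256-cts-hmac-sha1-96]"
    r" status [NT_STATUS_WRONG_PASSWORD] workstation [(null)] remote host [ipv4:192.0.2.30:40001]"
    r" mapped to [EXAMPLE]\[carol]. local host [ipv4:192.0.2.1:88]",
    r"  Auth: [Kerberos KDC,ENC-TS Pre-authentication] user [EXAMPLE]\[carol]"
    r" at [Fri, 21 Oct 2022 13:07:16.000003 UTC] with [aes256-cts-hmac-sha1-96]"
    r" status [NT_STATUS_WRONG_PASSWORD] workstation [(null)] remote host [ipv4:192.0.2.30:40002]"
    r" mapped to [EXAMPLE]\[carol]. local host [ipv4:192.0.2.1:88]",
    # Unknown account: neither rule fires, so this stays at level 0.
    r"  Auth: [Kerberos KDC,ENC-TS Pre-authentication] user [EXAMPLE]\[nobody]"
    r" at [Fri, 21 Oct 2022 13:08:00.000004 UTC] with [(null)]"
    r" status [NT_STATUS_NO_SUCH_USER] workstation [(null)] remote host [ipv4:192.0.2.30:40003]"
    r" mapped to [(null)]\[(null)]. local host [ipv4:192.0.2.1:88]",
]

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        hit = classify(line)
        print(hit["rule"], hit["level"], hit.get("user"), hit.get("srcip"), hit.get("status"))
    print("failed logins by source:", dict(failed_logins_by_source(SAMPLE_LINES)))
```

Two things the run makes visible that the rule set alone does not: only NT_STATUS_WRONG_PASSWORD raises an alert, so other failure statuses (the NT_STATUS_NO_SUCH_USER line here) land at level 0, and the per-source failure count is the quantity a Wazuh frequency rule (`<frequency>`, `<timeframe>` and `<same_source_ip>` on a rule with `<if_matched_sid>100005</if_matched_sid>`) would turn into a brute-force alert, which this rule set does not yet include. The decoders and rules themselves can be exercised against real lines with the manager's wazuh-logtest tool.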
