Creating new decoder and rule to detect pfsense login


mauro....@cmcc.it

May 10, 2023, 11:35:35 AM
to Wazuh mailing list
Dear Users,

I'm trying to create a new decoder and a new rule to parse the pfsense logs that I already forwarded to Wazuh v4.4.

I'm following the instructions provided in this case by Mauricio: https://groups.google.com/g/wazuh/c/t2c6Uudi4Fs

So I created a basic decoder and the needed basic rule, but I'm struggling to understand the correct regex.

Could you please help me to solve my issue?
Is there a dedicated online guide to write regex in the decoder config file?

Searching on Google I found a lot of different ways to write a regex, but it seems that not all of them are "compatible" with Wazuh.
Sorry, but I'm a newbie...

Thank you very much in advance,
Mauro

- This is the log line I'm trying to parse:

2023-05-10T09:52:13+02:00 pfsense php-fpm[68044]: /snort/snort_blocked.php: Successful login for user 'admin' from: 192.168.240.3 (Local Database)


- This is the output of wazuh-logtest-legacy:

[root@curiosity decoders]# /var/ossec/bin/wazuh-logtest-legacy
2023/05/10 15:30:44 wazuh-testrule: WARNING: (7613): Rule ID '31101' does not exist but 'overwrite' is set to 'yes'. Still, the rule will be loaded.
2023/05/10 15:30:44 wazuh-testrule: INFO: Started (pid: 2715).

Since Wazuh v4.1.0 this binary is deprecated. Use wazuh-logtest instead

wazuh-testrule: Type one log per line.

2023-05-10T09:52:13+02:00 pfsense php-fpm[68044]: /snort/snort_blocked.php: Successful login for user 'admin' from: 192.168.240.3 (Local Database)


**Phase 1: Completed pre-decoding.
       full event: '2023-05-10T09:52:13+02:00 pfsense php-fpm[68044]: /snort/snort_blocked.php: Successful login for user 'admin' from: 192.168.240.3 (Local Database)'
       timestamp: '2023-05-10T09:52:13+02:00'
       hostname: 'pfsense'
       program_name: 'php-fpm'
       log: '/snort/snort_blocked.php: Successful login for user 'admin' from: 192.168.240.3 (Local Database)'

**Phase 2: Completed decoding.
       No decoder matched.


- This is the content of the local_decoder.xml file:

<decoder name="local_decoder_example">
    <program_name>local_decoder_example</program_name>
</decoder>

<decoder name="pfsense-custom">
    <prematch>php-fpm</prematch>
</decoder>

<decoder name="pfsense-custom">
    <parent>pfsense-custom</parent>
    <regex>\.+: \w+ \w+ \w+ \w+ (\w+) \w+: (\d+.\d+.\d+.\d+) \.+</regex>
    <order>user, srcip</order>
</decoder>


- This is the content of the local_rules.xml file:

<group name="pfsense-custom">
  <rule id="100002" level="5">
    <decoded_as>pfsense-custom</decoded_as>
    <description>PFsense alert: $(description)</description>
  </rule>
</group>

Diego Mendez Sakugawa

May 11, 2023, 8:17:13 AM
to Wazuh mailing list
Hello Mauro,

Could you please try the following configuration and verify if it works for you?

Decoders:
<decoder name="pfsense-custom">
    <program_name>php-fpm</program_name>
</decoder>

<decoder name="pfsense-custom">
    <parent>pfsense-custom</parent>
    <regex offset="after_parent">\w+\p\w+\p \.+ '(\w+)' \.+ (\d+.\d+.\d+.\d+) \.+</regex>
    <order>user,srcip</order>
</decoder>

Rule:
<group name="pfsense-custom">
  <rule id="100002" level="5">
    <decoded_as>pfsense-custom</decoded_as>
    <description>PFsense alert: Login from $(dstuser) - $(srcip)</description>
  </rule>
</group>

Please find here the official documentation for regex in Wazuh: https://documentation.wazuh.com/current/user-manual/ruleset/ruleset-xml-syntax/regex.html

Let me know if you have any remaining questions.
Looking forward to your response! 
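As an added example (not part of Diego's reply or of Wazuh's own code), the decoder above run offline in Python: the syslog header is split into the fields wazuh-logtest prints in Phase 1, the OS_Regex tokens are translated to Python's re syntax as an assumed approximation of the Wazuh matcher, and the `user` order field is stored as dstuser, which is why the rule references $(dstuser). The second and third sample lines are constructed variants showing when the decoder does not fire.

```python
import re

# Constructed sample events: the first is the line from the thread, the other two
# are made-up variants showing where the decoder does and does not apply.
SAMPLE_LOGS = [
    "2023-05-10T09:52:13+02:00 pfsense php-fpm[68044]: /snort/snort_blocked.php: "
    "Successful login for user 'admin' from: 192.168.240.3 (Local Database)",
    "2023-05-10T09:53:01+02:00 pfsense php-fpm[68044]: /index.php: "
    "webConfigurator authentication error for user 'root' from: 192.168.240.77",
    "2023-05-10T09:54:00+02:00 pfsense sshd[1234]: Accepted publickey for admin from 10.0.0.5",
]
# The decoder from the reply above, kept as data so the regex stays in OS_Regex syntax.
DECODER = {
    "program_name": "php-fpm",
    "regex": r"\w+\p\w+\p \.+ '(\w+)' \.+ (\d+.\d+.\d+.\d+) \.+",
    "order": ["user", "srcip"],
}
FIELD_ALIASES = {"user": "dstuser"}  # Wazuh stores the `user` field as dstuser, hence $(dstuser)
# Syslog header split, yielding the same fields wazuh-logtest prints in Phase 1.
PREDECODE = re.compile(
    r"^(?P<timestamp>\S+) (?P<hostname>\S+) (?P<program_name>[^\[: ]+)(?:\[\d+\])?: (?P<log>.*)$"
)
# Assumed OS_Regex -> Python re token map: an approximation for offline checks, not the
# matcher Wazuh itself uses. In OS_Regex '\.' means "anything" while a bare '.' is literal.
OS_TOKENS = {
    r"\w": "[A-Za-z0-9_]", r"\d": "[0-9]", r"\s": " ", r"\t": r"\t", r"\.": ".",
    r"\p": r"""[()*+,\-.:;<=>?\[\]!"'#$%&|{}]""",
    r"\W": "[^A-Za-z0-9_]", r"\D": "[^0-9]", r"\S": "[^ ]",
}

def os_regex_to_python(os_regex: str) -> str:
    out, i = [], 0
    while i < len(os_regex):
        if os_regex[i] == "\\" and i + 1 < len(os_regex):
            tok = os_regex[i:i + 2]  # other escapes such as \( \) \+ \* \$ \^ \| become literals
            out.append(OS_TOKENS.get(tok, re.escape(tok[1])))
            i += 2
        else:
            ch = os_regex[i]
            out.append(ch if ch in "()+*^$" else re.escape(ch))  # keep groups/anchors/quantifiers
            i += 1
    return "".join(out)

def decode(line: str):
    head = PREDECODE.match(line)
    if not head or head["program_name"] != DECODER["program_name"]:
        return None  # parent decoder (program_name) did not match, e.g. the sshd line
    hit = re.search(os_regex_to_python(DECODER["regex"]), head["log"])
    if not hit:
        return None  # e.g. a line ending in the IP: the trailing \.+ needs at least one more character
    return {FIELD_ALIASES.get(k, k): v for k, v in zip(DECODER["order"], hit.groups())}
```

Because the trailing `\.+` requires text after the address, a pfsense line that ends with the IP (as in the constructed second sample) is not decoded; confirm the real behaviour with wazuh-logtest before relying on this approximation.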

Mauro Tridici

May 12, 2023, 6:13:16 AM
to Diego Mendez Sakugawa, Wazuh mailing list
Hello Diego,

thank you very much for your help and support.
It is working now and I’m happy :)

Many thanks again.
Have a great day.
Mauro


