Mikrotik decoder


Unai

Oct 16, 2023, 7:20:43 AM
to Wazuh | Mailing List
Hi all,
I'm new to Wazuh and I still don't use the decoders well.
I'm trying to make a decoder and rule for this log from a Mikrotik router. This log is what I see in archives.log.

2023 Oct 11 07:17:41 infraMonforte->10.10.72.1 Oct 11 09:17:03 infraMonforte Mikrotik: user dude logged in from 192.168.1.193 via winbox

From what I understand, Wazuh uses "Oct 11 09:17:03 infraMonforte Mikrotik: user dude logged in from 192.168.1.193 via winbox". If I try this one I get this:

Oct 11 09:17:03 infraMonforte Mikrotik: user dude logged in from 192.168.1.193 via winbox

**Phase 1: Completed pre-decoding.
        full event: 'Oct 11 09:17:03 infraMonforte Mikrotik: user dude logged in from 192.168.1.193 via winbox'
        timestamp: 'Oct 11 09:17:03'
        hostname: 'infraMonforte'
        program_name: 'Mikrotik'

**Phase 2: Completed decoding.
        No decoder matched

If I add something to "Oct" it works fine:

Ocst 11 09:17:03 infraMonforte Mikrotik: user dude logged in from 192.168.1.193 via winbox

**Phase 1: Completed pre-decoding.
        full event: 'Ocst 11 09:17:03 infraMonforte Mikrotik: user dude logged in from 192.168.1.193 via winbox'

**Phase 2: Completed decoding.
        name: 'mikrotik'
        parent: 'mikrotik'
        action: 'in'
        dstuser: 'dude'
        router: 'infraMonforte'
        srcip: '192.168.1.193'
        via: 'winbox'

**Phase 3: Completed filtering (rules).
        id: '100201'
        level: '5'
        description: 'Login from dude to infraMonforte'
        groups: '['mikrotik']'
        firedtimes: '1'
        mail: 'False'
**Alert to be generated.



These are the decoders and rules I have:

<decoder name="Naturgy_Test3">
  <prematch> AccesNaturgy </prematch>
</decoder>

<decoder name="Naturgy_Test_3">
  <parent>Naturgy_Test3</parent>
  <prematch>\S+ \S+ logged \S+, \S+ \S+ \S+ \S+ \S+ from \S+</prematch>
  <regex>(\S+) (\S+) logged (\S+), (\S+) (\S+) (\S+) (\S+) (\S+) from (\S+)</regex>
  <order>router,user,action,secsconn,bytesin,bytesout,packetsin,packetsout,srcip</order>
</decoder>

<group name="naturgy,">
        <rule id="100100" level="0" noalert="1">
                <decoded_as>Naturgy_Test3</decoded_as>
                <description>Naturgy test</description>
        </rule>
        <rule id="100101" level="5">
                <if_sid>100100</if_sid>
                <regex>\S+ logged \S+, \S+ \S+ \S+ \S+ \S+ from \S+</regex>
                <description>Naturgy acces</description>
        </rule>
</group>

Can someone help me?
Thanks




Unai

Oct 16, 2023, 7:52:08 AM
to Wazuh | Mailing List
Sorry, I put the wrong decoders and rules. These are the good ones:

<decoder name="mikrotik">
  <prematch> Mikrotik: </prematch>
</decoder>

<decoder name="login_mikrotik">
  <parent>mikrotik</parent>
  <prematch>\S+ Mikrotik: user \S+ logged \S+ from \S+ via \S+</prematch>
  <regex>(\S+) Mikrotik: user (\S+) logged (\S+) from (\S+) via (\S+)</regex>
  <order>router,dstuser,action,srcip,via</order>
</decoder>

<group name="mikrotik">
        <rule id="100200" level="4" noalert="1">
                <decoded_as>mikrotik</decoded_as>
                <description>mikrotik</description>
        </rule>
        <rule id="100201" level="5">
                <if_sid>100200</if_sid>
                <regex>\S+ Mikrotik: user \S+ logged \S+ from \S+ via \S+</regex>
                <description>Login from $(dstuser) to $(router)</description>
        </rule>
</group>

Othniel Ebolum

Oct 16, 2023, 4:57:52 PM
to Wazuh | Mailing List
Hi Unai,

Hope you are doing well.
I tried replicating your decoders and rules on my environment and noticed the same thing.

The issue comes from the way the prematch within the parent decoder was established. Using the intended log provided, I created a decoder that works:

<decoder name="mikrotik">
  <program_name>^Mikrotik</program_name>
</decoder>


<decoder name="login_mikrotik">
  <parent>mikrotik</parent>
  <prematch>^user</prematch>
  <regex>(\S+) logged (\S+) from (\S+) via (\S+)</regex>
  <order>dstuser,action,srcip,via</order>
</decoder>

You can take your time and go through the documentation here to learn to play around with creating decoders with acceptable syntax.

Major changes I made were:
1. The parent decoder references the program name.
2. The prematch within the child decoder is specified as "user".
3. The regex was adjusted slightly, and the router was taken off from the order as well.

I also made changes to the rule, as I saw it had an unnecessary additional regex when there is no extra valid reason for it:

<group name="mikrotik">
        <rule id="100200" level="4" noalert="1">
                <decoded_as>mikrotik</decoded_as>
                <description>mikrotik</description>
        </rule>
        <rule id="100201" level="5">
                <if_sid>100200</if_sid>
                <description>Login from $(dstuser) via $(via)</description>
        </rule>
</group>

Hope this gives you a little more insight into how the decoders and rules work. You can go through the documentation provided above and test out different scenarios.
Best Regards, 
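As an added illustration, not code from the thread or from Wazuh, here is a small Python model of phases 1 and 2 that reproduces the behaviour reported above: once the syslog header is recognised, the decoders only see "user dude logged in ...", so a prematch containing "Mikrotik:" can only succeed when pre-decoding fails (the "Ocst" case), while keying on program_name works on the real log. The header regex and the flattened parent+child decoder shape are simplifications assumed for this example.

```python
import re

# Constructed from the thread: the real event, and the "Ocst" variant whose
# mangled month makes the syslog header unrecognisable to pre-decoding.
GOOD_EVENT = ("Oct 11 09:17:03 infraMonforte Mikrotik: "
              "user dude logged in from 192.168.1.193 via winbox")
BROKEN_EVENT = "Ocst" + GOOD_EVENT[3:]

# Simplified syslog header: timestamp, hostname, program_name[pid]: message
SYSLOG_HEADER = re.compile(
    r"^(?P<timestamp>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) (?P<hostname>\S+) "
    r"(?P<program_name>[^:\[ ]+)(\[\d+\])?: (?P<log>.*)$")

def predecode(event):
    """Phase 1: if the syslog header parses, it is consumed and decoders only
    see the remaining message; otherwise the whole event is passed through."""
    m = SYSLOG_HEADER.match(event)
    if not m:
        return {"program_name": None, "log": event}
    return {"program_name": m["program_name"], "log": m["log"]}

def decode(event, decoder):
    """Phase 2: evaluate a flattened parent+child decoder. program_name is
    checked against the pre-decoded field; prematch and regex are searched
    in the remaining message (Python's re stands in for OS_Regex here)."""
    pre = predecode(event)
    prog = decoder.get("program_name")
    if prog and not (pre["program_name"] and re.search(prog, pre["program_name"])):
        return None
    if not re.search(decoder["prematch"], pre["log"]):
        return None
    m = re.search(decoder["regex"], pre["log"])
    return dict(zip(decoder["order"], m.groups())) if m else None

# Unai's decoder expects "Mikrotik:" inside the message it inspects.
ORIGINAL = {
    "prematch": r"\S+ Mikrotik: user \S+ logged \S+ from \S+ via \S+",
    "regex": r"(\S+) Mikrotik: user (\S+) logged (\S+) from (\S+) via (\S+)",
    "order": ["router", "dstuser", "action", "srcip", "via"],
}
# Othniel's fix keys on the pre-decoded program_name and the message body.
FIXED = {
    "program_name": r"^Mikrotik",
    "prematch": r"^user",
    "regex": r"(\S+) logged (\S+) from (\S+) via (\S+)",
    "order": ["dstuser", "action", "srcip", "via"],
}

if __name__ == "__main__":
    for name, dec in (("original", ORIGINAL), ("fixed", FIXED)):
        for label, ev in (("real log", GOOD_EVENT), ("Ocst log", BROKEN_EVENT)):
            print(f"{name:8s} {label}: {decode(ev, dec)}")
```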

Unai

Oct 17, 2023, 2:34:15 AM
to Wazuh | Mailing List
Thank you so much! Now it works. I will check the docs. 