Decoders and Rules for web gateway


KnaT

May 25, 2023, 5:43:49 AM
to Wazuh mailing list
Hi everyone,
I have the logs below and am having trouble writing a decoder and rules for them:

bvbgate3.baovietbank.vn: <Thu, 25 May 2023 09:21:19,ICT> [EVT_URL_BLOCKING|LOG_CRIT] Blocked URL log tk_username=10.33.142.168,tk_date_field=2023-05-25 09:21:19+0700,tk_protocol=https,tk_url=https://accounts.google.com/ListAccounts?gpsia=1&amp;source=ChromiumBrowser&amp;json=standard,tk_malicious_entity=,tk_file_name=ListAccounts,tk_entity_name=,tk_action=,tk_scan_type=user defined,tk_blocked_by=rule,tk_rule_name=@accounts.google.com*,tk_opp_id=0,tk_group_name=None,tk_category=URL Blocking,tk_uid=0003382715-3fa4ad1a022205239b1f,tk_filter_action=1

bvbgate3.baovietbank.vn: <Thu, 25 May 2023 09:21:18,ICT> [EVT_URL_ACCESS_TRACKING|LOG_INFO] Access tracking log tk_username=10.33.142.185,tk_url=https://group-wpa.chat.zalo.me/,tk_size=156,tk_date_field=2023-05-25 09:21:18+0700,tk_protocol=https,tk_mime_content=text/javascript,tk_server=bvbgate3.baovietbank.vn,tk_client_ip=10.33.142.185,tk_server_ip=49.213.78.101,tk_domain=group-wpa.chat.zalo.me,tk_path=/,tk_file_name=,tk_operation=POST,tk_uid=0003382682-eadfb48b41b4b290a11d,tk_category=4,tk_category_type=1

Please help me with that.
Thanks!


Sandra Ocando

May 25, 2023, 9:30:48 AM
to KnaT, Wazuh mailing list

Hello KnaT,


I'm attaching a custom decoder file for your logs using sibling decoders. Check our Sibling decoders documentation to learn more.

Here are the results of testing your logs with the new decoder using wazuh-logtest:

# /var/ossec/bin/wazuh-logtest
Starting wazuh-logtest v4.4.2
Type one log per line

bvbgate3.baovietbank.vn: <Thu, 25 May 2023 09:21:19,ICT> [EVT_URL_BLOCKING|LOG_CRIT] Blocked URL log tk_username=10.33.142.168,tk_date_field=2023-05-25 09:21:19+0700,tk_protocol=https,tk_url=https://accounts.google.com/ListAccounts?gpsia=1&amp;source=ChromiumBrowser&amp;json=standard,tk_malicious_entity=,tk_file_name=ListAccounts,tk_entity_name=,tk_action=,tk_scan_type=user defined,tk_blocked_by=rule,tk_rule_name=@accounts.google.com*,tk_opp_id=0,tk_group_name=None,tk_category=URL Blocking,tk_uid=0003382715-3fa4ad1a022205239b1f,tk_filter_action=1

**Phase 1: Completed pre-decoding.
    full event: 'bvbgate3.baovietbank.vn: <Thu, 25 May 2023 09:21:19,ICT> [EVT_URL_BLOCKING|LOG_CRIT] Blocked URL log tk_username=10.33.142.168,tk_date_field=2023-05-25 09:21:19+0700,tk_protocol=https,tk_url=https://accounts.google.com/ListAccounts?gpsia=1&amp;source=ChromiumBrowser&amp;json=standard,tk_malicious_entity=,tk_file_name=ListAccounts,tk_entity_name=,tk_action=,tk_scan_type=user defined,tk_blocked_by=rule,tk_rule_name=@accounts.google.com*,tk_opp_id=0,tk_group_name=None,tk_category=URL Blocking,tk_uid=0003382715-3fa4ad1a022205239b1f,tk_filter_action=1'

**Phase 2: Completed decoding.
    name: 'bvbgate'
    event_description: 'EVT_URL_BLOCKING'
    severity: 'LOG_CRIT'
    tk_blocked_by: 'rule'
    tk_category: 'URL Blocking'
    tk_date_field: '2023-05-25 09:21:19+0700'
    tk_file_name: 'ListAccounts'
    tk_group_name: 'None'
    tk_opp_id: '0'
    tk_protocol: 'https'
    tk_rule_name: '@accounts.google.com*'
    tk_uid: '0003382715-3fa4ad1a022205239b1f'
    tk_url: 'https://accounts.google.com/ListAccounts?gpsia=1&amp;source=ChromiumBrowser&amp;json=standard'
    tk_username: '10.33.142.168'

bvbgate3.baovietbank.vn: <Thu, 25 May 2023 09:21:18,ICT> [EVT_URL_ACCESS_TRACKING|LOG_INFO] Access tracking log tk_username=10.33.142.185,tk_url=https://group-wpa.chat.zalo.me/,tk_size=156,tk_date_field=2023-05-25 09:21:18+0700,tk_protocol=https,tk_mime_content=text/javascript,tk_server=bvbgate3.baovietbank.vn,tk_client_ip=10.33.142.185,tk_server_ip=49.213.78.101,tk_domain=group-wpa.chat.zalo.me,tk_path=/,tk_file_name=,tk_operation=POST,tk_uid=0003382682-eadfb48b41b4b290a11d,tk_category=4,tk_category_type=1

**Phase 1: Completed pre-decoding.
    full event: 'bvbgate3.baovietbank.vn: <Thu, 25 May 2023 09:21:18,ICT> [EVT_URL_ACCESS_TRACKING|LOG_INFO] Access tracking log tk_username=10.33.142.185,tk_url=https://group-wpa.chat.zalo.me/,tk_size=156,tk_date_field=2023-05-25 09:21:18+0700,tk_protocol=https,tk_mime_content=text/javascript,tk_server=bvbgate3.baovietbank.vn,tk_client_ip=10.33.142.185,tk_server_ip=49.213.78.101,tk_domain=group-wpa.chat.zalo.me,tk_path=/,tk_file_name=,tk_operation=POST,tk_uid=0003382682-eadfb48b41b4b290a11d,tk_category=4,tk_category_type=1'

**Phase 2: Completed decoding.
    name: 'bvbgate'
    event_description: 'EVT_URL_ACCESS_TRACKING'
    severity: 'LOG_INFO'
    tk_category: '4'
    tk_client_ip: '10.33.142.185'
    tk_date_field: '2023-05-25 09:21:18+0700'
    tk_domain: 'group-wpa.chat.zalo.me'
    tk_mime_content: 'text/javascript'
    tk_operation: 'POST'
    tk_path: '/'
    tk_protocol: 'https'
    tk_server: 'bvbgate3.baovietbank.vn'
    tk_server_ip: '49.213.78.101'
    tk_size: '156'
    tk_uid: '0003382682-eadfb48b41b4b290a11d'
    tk_url: 'https://group-wpa.chat.zalo.me/'
    tk_username: '10.33.142.185'

You can add the decoder file under /var/ossec/etc/decoders/ and modify it according to your needs. Make sure that the file has the right ownership and permissions:

chown wazuh:wazuh /var/ossec/etc/decoders/bvbgate.xml
chmod 660 /var/ossec/etc/decoders/bvbgate.xml


Don’t forget to restart the manager after editing decoders and rules so changes can take effect.

To learn more about how to create custom rules and decoders, check the Custom rules and decoders documentation.

Let us know if you have any questions.

Best regards,

Sandra.



Attachment: bvbgate.xml
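As an added reference (not the attached bvbgate.xml and not Wazuh's own code), the Python below parses the two gateway lines quoted in this thread into the same kind of fields the sibling decoders extract: the event name and severity from the bracketed header, then every non-empty tk_ key. It splits the body only at commas that are followed by the next tk_ key, because URL and rule-name values may themselves contain commas; the alert_level mapping is a constructed stand-in for a rule, not one from the thread.

```python
import re

# Constructed from the two gateway lines quoted in the thread.
SAMPLE_LOGS = [
    "bvbgate3.baovietbank.vn: <Thu, 25 May 2023 09:21:19,ICT> [EVT_URL_BLOCKING|LOG_CRIT] "
    "Blocked URL log tk_username=10.33.142.168,tk_date_field=2023-05-25 09:21:19+0700,"
    "tk_protocol=https,tk_url=https://accounts.google.com/ListAccounts?gpsia=1&amp;"
    "source=ChromiumBrowser&amp;json=standard,tk_malicious_entity=,tk_file_name=ListAccounts,"
    "tk_entity_name=,tk_action=,tk_scan_type=user defined,tk_blocked_by=rule,"
    "tk_rule_name=@accounts.google.com*,tk_opp_id=0,tk_group_name=None,"
    "tk_category=URL Blocking,tk_uid=0003382715-3fa4ad1a022205239b1f,tk_filter_action=1",
    "bvbgate3.baovietbank.vn: <Thu, 25 May 2023 09:21:18,ICT> [EVT_URL_ACCESS_TRACKING|LOG_INFO] "
    "Access tracking log tk_username=10.33.142.185,tk_url=https://group-wpa.chat.zalo.me/,"
    "tk_size=156,tk_date_field=2023-05-25 09:21:18+0700,tk_protocol=https,"
    "tk_mime_content=text/javascript,tk_server=bvbgate3.baovietbank.vn,"
    "tk_client_ip=10.33.142.185,tk_server_ip=49.213.78.101,tk_domain=group-wpa.chat.zalo.me,"
    "tk_path=/,tk_file_name=,tk_operation=POST,tk_uid=0003382682-eadfb48b41b4b290a11d,"
    "tk_category=4,tk_category_type=1",
]

# Header: "host: <timestamp> [EVENT|SEVERITY] free text " up to the first tk_ key.
HEADER_RE = re.compile(
    r"^(?P<host>\S+): <(?P<ts>[^>]+)> \[(?P<event>\w+)\|(?P<severity>\w+)\] .*? (?=tk_\w+=)"
)

def decode(line):
    """Return the decoded fields for one gateway line, or None if it is not one.

    Split only at commas followed by another tk_ key, so commas inside values
    survive; empty values (tk_action=) are dropped, as wazuh-logtest shows.
    """
    m = HEADER_RE.match(line)
    if not m:
        return None
    fields = {"host": m["host"], "event_description": m["event"], "severity": m["severity"]}
    for pair in re.split(r",(?=tk_\w+=)", line[m.end():]):
        key, _, value = pair.partition("=")  # first '=' only; URLs contain more
        if value:
            fields[key] = value
    return fields

def alert_level(fields):
    """Constructed stand-in for a rule: only LOG_CRIT blocking events get a level."""
    return 8 if fields["severity"] == "LOG_CRIT" else 0

if __name__ == "__main__":
    for line in SAMPLE_LOGS:
        f = decode(line)
        print(f["event_description"], alert_level(f), f.get("tk_url"))
```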

KnaT

May 28, 2023, 9:34:29 PM
to Wazuh mailing list
Hi Sandra,
It's working for me now. Thanks for your support.
I appreciate that.

Best Regards,
TA 