Hi,
Well, first of all, what I would do would be to test the desired log in the wazuh-logtest tool to see if the log is decoded correctly and matches any rules. You can find the related information here https://documentation.wazuh.com/current/user-manual/capabilities/wazuh-logtest/how-it-works.html#use-cases-test-log-from-wazuh-logtest-tool
If the log is not decoded or has not matched any rule, then it will be necessary to create the necessary decoder and/or rule that fits your use case.
Here are links to help you in the process of creating decoders and rules:
• Creating decoders and rules from scratch: https://wazuh.com/blog/creating-decoders-and-rules-from-scratch/
• Sibling decoders: flexible extraction of information: https://wazuh.com/blog/sibling-decoders-flexible-extraction-of-information/
• Custom rules and decoders: https://documentation.wazuh.com/4.0/user-manual/ruleset/custom.html
• Testing decoders and rules: https://documentation.wazuh.com/4.0/user-manual/ruleset/testing.html
On the other hand, you can also take a look at the wazuh-ruleset repository where you will find the decoders and rules that wazuh comes with by default. https://github.com/wazuh/wazuh-ruleset
https://github.com/wazuh/wazuh-ruleset/blob/master/rules/0260-nginx_rules.xml#L85
Note: The files in that repository will be migrated in future versions to the wazuh/wazuh repository itself: https://github.com/wazuh/wazuh/tree/master/ruleset.
If you need more help, you can share some logs and the alert conditions of your use case, and I can check it.
Best regards.