created decoder


Dmitry Lev Ari

May 17, 2022, 5:17:13 AM
to Wazuh mailing list
Hey guys,

I have been trying to create a decoder for my Meraki firewall and it seems it's not working so well; maybe someone can show me where my mistake is and an example?
e.g. I tried to follow the pfSense and FortiGate decoders without luck.

Here is my log example -
2022 May 17 09:02:00 dmitry-ThinkPad->102.168.1.1 151353523.1324234 IL_TLV_RTR_01 ip_flow_start src=192.168.1.3 dst=1.1.1.1 protocol=udp sport=123 dport=321 translated_dst_ip=192.168.0.1 translated_port=53

What I tried to create:

<decoder name="meraki">
  <program_name>^meraki</program_name>
</decoder>

<decoder name="meraki">
  <parent>meraki</parent>
  <regex>src '(\d+.\d+.\d+.\d+)' dst '(\d+.\d+.\d+.\d+)' protocol '(\S+)' sport '(\S+)' dport '(\S+)' translated_dst_ip '(\d+.\d+.\d+.\d+)' translated_port '(\S+)'</regex>
  <order>timestamp, src, dst, protocol, sport, dport, translated_dst_ip, translated_port</order>
</decoder>

But something is not working.
I never worked with regex before, so I have no leads on the problem.

Thanks for the help,

Julia Magán Rodríguez

May 17, 2022, 6:45:22 AM
to Wazuh mailing list

Hello,

The event you shared seems to come from /var/ossec/logs/archives/archives.log, as it has the header 2022 May 17 09:02:00 dmitry-ThinkPad->102.168.1.1, so the actual event would be:

151353523.1324234 IL_TLV_RTR_01 ip_flow_start src=192.168.1.3 dst=1.1.1.1 protocol=udp sport=123 dport=321 translated_dst_ip=192.168.0.1 translated_port=53

If we test the event with wazuh-logtest we can see:

151353523.1324234 IL_TLV_RTR_01 ip_flow_start src=192.168.1.3 dst=1.1.1.1 protocol=udp sport=123 dport=321 translated_dst_ip=192.168.0.1 translated_port=53

**Phase 1: Completed pre-decoding.
    full event: '151353523.1324234 IL_TLV_RTR_01 ip_flow_start src=192.168.1.3 dst=1.1.1.1 protocol=udp sport=123 dport=321 translated_dst_ip=192.168.0.1 translated_port=53'

**Phase 2: Completed decoding.
    No decoder matched.

151353523.1324234 is a Unix epoch timestamp. Unfortunately, the Wazuh pre-decoder does not yet support Unix epoch timestamps. Also, meraki is not the program_name, so your decoder isn't correct. We could create a decoder for the event with that timestamp, but it could give problems later with Wazuh Indexer and Wazuh Dashboard.

A possible solution would be:

  • Store the logs in a plaintext file. I simulated this step, but you can follow this guide about forwarding syslog events to a file.
  • Monitor that file using a localfile block in your ossec.conf file. You'll need to add <out_format>, so that the event now has the syslog timestamp, MerakiFirewall as hostname, and flows as program_name (you can change MerakiFirewall and flows to whatever you want; it is an extra header that is added to the event with more information):
  <localfile>
    <log_format>syslog</log_format>
    <location>/tmp/test.log</location>
    <out_format>$(timestamp) MerakiFirewall flows: $(log)</out_format>
  </localfile>

Now, the event we get is the following:

2022 May 17 10:23:49 MerakiFirewall->/tmp/test.log May 17 10:23:49 MerakiFirewall flows: 151353523.1324234 IL_TLV_RTR_01 ip_flow_start src=192.168.1.3 dst=1.1.1.1 protocol=udp sport=123 dport=321 translated_dst_ip=192.168.0.1 translated_port=53

And removing the header that is not used by analysisd, the event to test with wazuh-logtest is the following:

May 17 10:23:49 MerakiFirewall flows: 151353523.1324234 IL_TLV_RTR_01 ip_flow_start src=192.168.1.3 dst=1.1.1.1 protocol=udp sport=123 dport=321 translated_dst_ip=192.168.0.1 translated_port=53

If we test it, we get:

[root@localhost vagrant]# /var/ossec/bin/wazuh-logtest
Starting wazuh-logtest v4.3.0
Write one log per line

May 17 10:23:49 MerakiFirewall flows: 151353523.1324234 IL_TLV_RTR_01 ip_flow_start src=192.168.1.3 dst=1.1.1.1 protocol=udp sport=123 dport=321 translated_dst_ip=192.168.0.1 translated_port=53

**Phase 1: Completed pre-decoding.
    full event: 'May 17 10:23:49 MerakiFirewall flows: 151353523.1324234 IL_TLV_RTR_01 ip_flow_start src=192.168.1.3 dst=1.1.1.1 protocol=udp sport=123 dport=321 translated_dst_ip=192.168.0.1 translated_port=53'
    timestamp: 'May 17 10:23:49'
    hostname: 'MerakiFirewall'
    program_name: 'flows'

**Phase 2: Completed decoding.
    No decoder matched.

From here, we can create our decoder:

<decoder name="cisco_meraki_flows">
  <program_name>flows</program_name>
</decoder>

And the result in wazuh-logtest is:

May 17 10:23:49 MerakiFirewall flows: 151353523.1324234 IL_TLV_RTR_01 ip_flow_start src=192.168.1.3 dst=1.1.1.1 protocol=udp sport=123 dport=321 translated_dst_ip=192.168.0.1 translated_port=53

**Phase 1: Completed pre-decoding.
    full event: 'May 17 10:23:49 MerakiFirewall flows: 151353523.1324234 IL_TLV_RTR_01 ip_flow_start src=192.168.1.3 dst=1.1.1.1 protocol=udp sport=123 dport=321 translated_dst_ip=192.168.0.1 translated_port=53'
    timestamp: 'May 17 10:23:49'
    hostname: 'MerakiFirewall'
    program_name: 'flows'

**Phase 2: Completed decoding.
    name: 'cisco_meraki_flows'

Finally, we will create child decoders to obtain the event information. I recommend creating separate decoders for each field, so if one is missing, it won't affect the others:

<decoder name="cisco_meraki_flows_child">
  <parent>cisco_meraki_flows</parent>
  <regex>src=(\S+)</regex>
  <order>srcip</order>
</decoder>

<decoder name="cisco_meraki_flows_child">
  <parent>cisco_meraki_flows</parent>
  <regex>dst=(\S+)</regex>
  <order>dstip</order>
</decoder>

Let’s test the log again:

May 17 10:23:49 MerakiFirewall flows: 151353523.1324234 IL_TLV_RTR_01 ip_flow_start src=192.168.1.3 dst=1.1.1.1 protocol=udp sport=123 dport=321 translated_dst_ip=192.168.0.1 translated_port=53

**Phase 1: Completed pre-decoding.
    full event: 'May 17 10:23:49 MerakiFirewall flows: 151353523.1324234 IL_TLV_RTR_01 ip_flow_start src=192.168.1.3 dst=1.1.1.1 protocol=udp sport=123 dport=321 translated_dst_ip=192.168.0.1 translated_port=53'
    timestamp: 'May 17 10:23:49'
    hostname: 'MerakiFirewall'
    program_name: 'flows'

**Phase 2: Completed decoding.
    name: 'cisco_meraki_flows'
    dstip: '1.1.1.1'
    srcip: '192.168.1.3'

As you can see, we have obtained srcip and dstip.

You can see more information about decoders here and about wazuh-logtest here.
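As an added illustration (not code from this thread or from Wazuh itself), the Python script below models the two phases that wazuh-logtest prints: a pre-decoder that only accepts a syslog header, and per-field child decoders that are each applied on their own, the way the same-named sibling decoders in the reply behave. It also carries a single all-or-nothing regex in the style of the first post, to show why that approach returns nothing as soon as one field (here the translated_* pair) is absent. The epoch-first line, the line wrapped by <out_format>, and a constructed ip_flow_end line without NAT fields are sample input embedded in the script; srcip, dstip, srcport, dstport, protocol and action follow Wazuh's standard field names, while translated_dst_ip and translated_port are assumed dynamic field names.

```python
import re

# Header that the pre-decoder expects once <out_format> has wrapped the line as
# "$(timestamp) MerakiFirewall flows: $(log)". This is a model written for the
# example, not Wazuh's own pre-decoder.
SYSLOG_HEADER = re.compile(
    r"^(?P<timestamp>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<hostname>\S+) "
    r"(?P<program_name>[^\s:\[]+)(?:\[\d+\])?: "
    r"(?P<log>.*)$"
)

# One regex per field, mirroring the same-named sibling child decoders in the
# reply: each runs independently, so a missing field only loses that value.
# translated_dst_ip / translated_port are assumed dynamic field names.
FIELD_DECODERS = [
    (re.compile(r"\b(ip_flow_start|ip_flow_end)\b"), "action"),
    (re.compile(r"\bsrc=(\S+)"), "srcip"),
    (re.compile(r"\bdst=(\S+)"), "dstip"),
    (re.compile(r"\bprotocol=(\S+)"), "protocol"),
    (re.compile(r"\bsport=(\S+)"), "srcport"),
    (re.compile(r"\bdport=(\S+)"), "dstport"),
    (re.compile(r"\btranslated_dst_ip=(\S+)"), "translated_dst_ip"),
    (re.compile(r"\btranslated_port=(\S+)"), "translated_port"),
]

# The first post's approach, generalised: every field must be present, in order.
MONOLITHIC = re.compile(
    r"src=(\S+) dst=(\S+) protocol=(\S+) sport=(\S+) dport=(\S+) "
    r"translated_dst_ip=(\S+) translated_port=(\S+)"
)
MONOLITHIC_ORDER = ["srcip", "dstip", "protocol", "srcport", "dstport",
                    "translated_dst_ip", "translated_port"]

# Sample input (constructed for this example; the first two follow the thread).
RAW = ("151353523.1324234 IL_TLV_RTR_01 ip_flow_start src=192.168.1.3 dst=1.1.1.1 "
       "protocol=udp sport=123 dport=321 translated_dst_ip=192.168.0.1 translated_port=53")
WRAPPED = "May 17 10:23:49 MerakiFirewall flows: " + RAW
# Constructed: a flow-end record with no NAT fields at all.
WRAPPED_NO_NAT = ("May 17 10:23:49 MerakiFirewall flows: 151353523.1324234 IL_TLV_RTR_01 "
                  "ip_flow_end src=192.168.1.3 dst=1.1.1.1 protocol=udp sport=123 dport=321")


def predecode(line):
    """Phase 1: split off the syslog header; None when there is no header
    (an epoch-first line like the raw Meraki export)."""
    m = SYSLOG_HEADER.match(line)
    return m.groupdict() if m else None


def decode_per_field(line, program_name="flows"):
    """Phase 2 with sibling child decoders: the parent matches on program_name,
    then every field regex is tried against the message independently."""
    header = predecode(line)
    if header is None or header["program_name"] != program_name:
        return {}
    fields = {"decoder": "cisco_meraki_flows"}
    for regex, name in FIELD_DECODERS:
        m = regex.search(header["log"])
        if m:
            fields[name] = m.group(1)
    return fields


def decode_monolithic(line, program_name="flows"):
    """Phase 2 with one all-or-nothing regex: a single absent field means
    no field is extracted at all."""
    header = predecode(line)
    if header is None or header["program_name"] != program_name:
        return {}
    fields = {"decoder": "cisco_meraki_flows"}
    m = MONOLITHIC.search(header["log"])
    if m:
        fields.update(zip(MONOLITHIC_ORDER, m.groups()))
    return fields


if __name__ == "__main__":
    print("raw line, phase 1:", predecode(RAW))
    print("wrapped, per-field:", decode_per_field(WRAPPED))
    print("no NAT, per-field:", decode_per_field(WRAPPED_NO_NAT))
    print("no NAT, monolithic:", decode_monolithic(WRAPPED_NO_NAT))
```

The per-field functions keep srcip, dstip, sport, dport and action from the flow-end line even though translated_dst_ip and translated_port are absent, whereas the monolithic pattern yields only the decoder name; that is the robustness argument for one small child decoder per field.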
