Re: Need help to create Decoder and Rule URGENT
416 views
Skip to first unread message
Message has been deleted
Abdullah Al Noman
Jun 1, 2023, 4:57:42 AM6/1/23
to Wazuh mailing list
Hello Valton,
Thank you for using Wazuh.
Let me go through your query. I will get back to you as early as possible.
Regards,
Thank you for using Wazuh.
Let me go through your query. I will get back to you as early as possible.
Regards,
On Thursday, June 1, 2023 at 11:37:58 AM UTC+3 Valton T. wrote:
Hi Everyone Hope u doing fine.I 'm really wanting help to create decoder and rule for this nginx custom errorlog but the problem is that it only gets it as an nginx errorlog but I'm wanting to trigger an different rule with other description and ip address not the srcip that is as a default:the log : 2023/06/01 10:33:56 [error] 262918#262918: *532931 [lua] main.lua:303: Event: Challenged IP, Address: 45.76.202.163, User Hash: NDUuNzYuMjAyLjE2M3w0NS43Ni4yMDIuMTYzfHlvdXJfc2VjcmV0X3Bhc3NwaHJhc2VfaGVyZQ==, client: 172.68.118.140, server: xx.com, request: "GET /category/sporti/ HTTP/1.1", host: "www.removed.com"I maanger to create but it is still only triggering the errorlog default rule but i do not want that since this is an custom WAFPlease consider as urgent
Abdullah Al Noman
Jun 1, 2023, 6:04:57 AM6/1/23
to Wazuh mailing list
Hello Valton,
Perform the steps below to add a custom decoder and rule to your Wazuh server for the log you provided.
Step 1: Open the existing nginx decoder file /var/ossec/ruleset/decoders/0170-nginx_decoders.xml and comment the decoder nginx-errorlog-ip as this will allow our custom decoder work. See attached image for reference.
Step 2: Add the following decoder at the end of the same file /var/ossec/ruleset/decoders/0170-nginx_decoders.xml contents:
<decoder name="nginx-custom">
<parent>nginx-errorlog</parent>
<regex type="pcre2">(\S+ \S+) \[(\w+)] (\S+) .? \[(\w+)] (\S+) Event: (.?), Address: (\S+), User Hash: (\S+), client: (\S+), server: (\S+), request: (.*?), host: "(\S+)"</regex>
<order>logtimestamp, log_level, message_id, origin, location, event, ip_address, user_hash, client_ip, server, request, host</order>
</decoder>
Step 3: Save and exit the 0170-nginx_decoders.xml file.
Step 4: Add the following custom rule to the /var/ossec/etc/rules/local_rules.xml file and save it.
<group name="nginx_custom_alert">
<rule id="112000" level="8">
<if_sid>31301</if_sid>
<description>A client with IP $(client_ip) made a request to $(host)</description>
</rule>
</group>
Step 5: Restart your Wazuh manager using systemctl restart wazuh-manager to apply the changes.
Step 6: Run the Wazuh logtest tool /var/ossec/bin/wazuh-logtest and paste your log. You should see the custom decoder has decoded your log and triggered an alert.
See attached image for reference.
To know more about custom decoders and rules, follow the guides below:
Hope this resolves your query. Let me know if you require further help.
Regards,
Perform the steps below to add a custom decoder and rule to your Wazuh server for the log you provided.
Step 1: Open the existing nginx decoder file /var/ossec/ruleset/decoders/0170-nginx_decoders.xml and comment the decoder nginx-errorlog-ip as this will allow our custom decoder work. See attached image for reference.
Step 2: Add the following decoder at the end of the same file /var/ossec/ruleset/decoders/0170-nginx_decoders.xml contents:
<decoder name="nginx-custom">
<parent>nginx-errorlog</parent>
<regex type="pcre2">(\S+ \S+) \[(\w+)] (\S+) .? \[(\w+)] (\S+) Event: (.?), Address: (\S+), User Hash: (\S+), client: (\S+), server: (\S+), request: (.*?), host: "(\S+)"</regex>
<order>logtimestamp, log_level, message_id, origin, location, event, ip_address, user_hash, client_ip, server, request, host</order>
</decoder>
Step 3: Save and exit the 0170-nginx_decoders.xml file.
Step 4: Add the following custom rule to the /var/ossec/etc/rules/local_rules.xml file and save it.
<group name="nginx_custom_alert">
<rule id="112000" level="8">
<if_sid>31301</if_sid>
<description>A client with IP $(client_ip) made a request to $(host)</description>
</rule>
</group>
Step 5: Restart your Wazuh manager using systemctl restart wazuh-manager to apply the changes.
Step 6: Run the Wazuh logtest tool /var/ossec/bin/wazuh-logtest and paste your log. You should see the custom decoder has decoded your log and triggered an alert.
See attached image for reference.
To know more about custom decoders and rules, follow the guides below:
Hope this resolves your query. Let me know if you require further help.
Regards,
Message has been deleted
Abdullah Al Noman
Jun 1, 2023, 9:41:10 AM6/1/23
to Wazuh mailing list
Hello Valton,
I have provided you the decoder and rules for the log you provided. But the second log you provided seems to have different fields. You can decode them by simply modifying the existing or writing another decoder.
If you want to decode logs only with main.lua keyword, you can simply use <prematch> tag in your decoder. Hope the previously shared guides help you to write your desired decoder and rule.
With regards to ignore alerts, you can write a custom rule with level="0" that should ignore all the alerts you don't want to see from the Wazuh dashboard. Follow this Rules classification guide to know more about Wazuh alert levels.
Let me know if you require further clarification.
Regards,
I have provided you the decoder and rules for the log you provided. But the second log you provided seems to have different fields. You can decode them by simply modifying the existing or writing another decoder.
If you want to decode logs only with main.lua keyword, you can simply use <prematch> tag in your decoder. Hope the previously shared guides help you to write your desired decoder and rule.
With regards to ignore alerts, you can write a custom rule with level="0" that should ignore all the alerts you don't want to see from the Wazuh dashboard. Follow this Rules classification guide to know more about Wazuh alert levels.
Let me know if you require further clarification.
Regards,
On Thursday, June 1, 2023 at 3:31:38 PM UTC+3 Valton T. wrote:
A client with IP made a request to2023/06/01 14:03:47 [error] 332#332: *6708100 FastCGI sent in stderr: "PHP message: PHP Notice: Undefined index: path in /var/www/html/wp-content/themes/info24/class/Gutenberg.php on line 353PHP message: PHP Notice: Undefined index: path in /var/www/html/wp-content/themes/info24/class/Gutenberg.php on line 353" while reading response header from upstream, client: 162.158.190.7, server: xxx.com request: "POST //xmlrpc.php HTTP/2.0", upstream: "fastcgi://unix:/var/run/php/php7.4-fpm.sock:", host: "info24al.com"Hi this is how the alert is being showed i do not want to get anything from defualt nginx error message i do not want to even alert them i only need that specified nginx error.log that has included main.lua 2023/06/01 10:33:56 [error] 262918#262918: *532931 [lua] main.lua:303: for example in nginx decoder but this is including also the other nginx error in error.logi hope for understanding
Message has been deleted
Message has been deleted
Abdullah Al Noman
Jun 7, 2023, 5:07:47 AM6/7/23
to Wazuh mailing list
Hello Valton,
Perform the steps below on your Wazuh server to accomplish your goal:
<order>logtimestamp, log_level, message_id, origin, location, event, ip_address, user_hash, client_ip, server, request, host</order>
</decoder>
Once you ingest new logs, you should be able to see the alerts generated the way you want. Find the attached image of a Wazuh logtest result for your reference.
Note: keep this thread for others to get benefited.
Regards,
Perform the steps below on your Wazuh server to accomplish your goal:
Step 1: Add the following decoder to the /var/ossec/ruleset/decoders/0170-nginx_decoders.xml file.
<decoder name="nginx-custom">
<parent>nginx-errorlog</parent>
<parent>nginx-errorlog</parent>
<regex type="pcre2">(\S+ \S+) \[(\w+)] (.*?) .*? \[(\w+)] (.*?) Event: (.*?), Address: (.*?), User Hash: (.*?), client: (.*?), server: (.*?), request: (.*?), host: "(.*?)"</regex>
<order>logtimestamp, log_level, message_id, origin, location, event, ip_address, user_hash, client_ip, server, request, host</order>
</decoder>
Step 2: Add the following content to the /var/ossec/etc/rules/local_rules.xml file.
<group name="ddos">
<rule id="112001" level="13">
<if_sid>31301</if_sid>
<match>Challenged</match>
<description>ANTIDDOS: Challenged this Address $(ip_address)</description>
<mitre>
<id>T1110</id>
</mitre>
</rule>
</group>
Step 3: Restart your Wazuh manager using systemctl restart wazuh-manager.
<rule id="112001" level="13">
<if_sid>31301</if_sid>
<match>Challenged</match>
<description>ANTIDDOS: Challenged this Address $(ip_address)</description>
<mitre>
<id>T1110</id>
</mitre>
</rule>
</group>
Step 3: Restart your Wazuh manager using systemctl restart wazuh-manager.
Once you ingest new logs, you should be able to see the alerts generated the way you want. Find the attached image of a Wazuh logtest result for your reference.
Note: keep this thread for others to get benefited.
Regards,
On Tuesday, June 6, 2023 at 11:02:09 AM UTC+3 Valton T. wrote:
Hi?any updates regarding thisOn Monday, June 5, 2023 at 10:03:05 AM UTC+2 Valton T. wrote:Hi abdullah.I manager to create an different rule but using <match> but now i have this problem the $Address nor the client IP wont show in rule description and i have no Idea why .for example i need to get the ip from Address : 2023/06/01 10:33:56 [error] 262918#262918: *532931 [lua] main.lua:303: Event: Challenged IP, Address: 45.76.202.163, User Hash: NDUuNzYuMjAyLjE2M3w0NS43Ni4yMDIuMTYzfHlvdXJfc2VjcmV0X3Bhc3NwaHJhc2VfaGVyZQ==, client: 172.68.118.140, server: xx.com, request: "GET /category/sporti/ HTTP/1.1", host: ""i also did try with client_ip but stilll sameThanks after we fix this issue maybe u can delete this thread.thanks with respect
Reply all
Reply to author
Forward
Message has been deleted
0 new messages