Custom decoder and rules for kea-dhcp4 logs from pfSense (logs forwarded through wazuh-agent v4.10.1)


TWINKAL SIKRI

Mar 14, 2025, 6:51:22 AM
to Wazuh | Mailing List
kea-dhcp sent log example:
{"timestamp":"2025-03-13T22:36:29.506+0100","agent":{"id":"005","name":"FW-SIEM","ip":"192.168.100.1"},                 "manager":{"name":"tesitwi-SIEM"},"id":"1741901789.3725755",                                                            "full_log":"<134>1 2025-03-13T22:36:29.388035+01:00 fw-siem.unicam.it kea-dhcp4 97357 - -                               INFO  [kea-dhcp4.dhcpsrv.0x2172614fd800] EVAL_RESULT Expression pool_lan_0 evaluated to 1",                             "decoder":{"name":"kea-dhcp"},"location":"/var/log/dhcpd.log"}
{"timestamp":"2025-03-13T22:36:29.507+0100","agent":{"id":"005","name":"FW-SIEM","ip":"192.168.100.1"},                 "manager":{"name":"tesitwi-SIEM"},"id":"1741901789.3725755",                                                            "full_log":"<134>1 2025-03-13T22:36:29.388545+01:00 fw-siem.unicam.it kea-dhcp4 97357 - -                               INFO  [kea-dhcp4.leases.0x2172614fd800] DHCP4_INIT_REBOOT [hwtype=1 bc:24:11:d1:f0:0a],                                 cid=[ff:3c:fb:60:65:00:02:00:00:ab:11:87:b9:57:35:01:fe:32:e5],                                                         tid=0x6be555a9: client is in INIT-REBOOT state and requests address 192.168.100.100",                                   "decoder":{"parent":"kea-dhcp","name":"kea-dhcp"},"location":"/var/log/dhcpd.log"}
{"timestamp":"2025-03-13T22:36:29.510+0100","agent":{"id":"005","name":"FW-SIEM","ip":"192.168.100.1"},                 "manager":{"name":"tesitwi-SIEM"},"id":"1741901789.3725755",                                                            "full_log":"<134>1 2025-03-13T22:36:29.389265+01:00 fw-siem.unicam.it kea-dhcp4 97357 - -                               INFO  [kea-dhcp4.leases.0x2172614fd800] DHCP4_LEASE_ALLOC [hwtype=1 bc:24:11:d1:f0:0a],                                 cid=[ff:3c:fb:60:65:00:02:00:00:ab:11:87:b9:57:35:01:fe:32:e5],                                                         tid=0x6be555a9: lease 192.168.100.100 has been allocated for 7200 seconds",                                             "decoder":{"parent":"kea-dhcp","name":"kea-dhcp"},"location":"/var/log/dhcpd.log"}

Current decoder: 

<decoder name="kea-dhcp">
    <prematch>kea-dhcp4</prematch>
</decoder>

<decoder name="kea-dhcp-lease-alloc">
    <parent>kea-dhcp</parent>
    <prematch>DHCP4_LEASE_ALLOC</prematch>
    <regex type="pcre2">
        DHCP4_LEASE_ALLOC.*hwtype=(\d+)\s+([\da-fA-F:]+),\s+cid=\[([^\]]+)\],\s+tid=([^:]+):\s+lease\s+([\d\.]+)\s+has\s+been\s+allocated\s+for\s+(\d+)\s+seconds
    </regex>
    <order>hwtype,client_mac,client_id,transaction_id,allocated_ip,lease_second</order>
</decoder>

<decoder name="kea-dhcp-init-reboot">
    <parent>kea-dhcp</parent>
    <prematch>DHCP4_INIT_REBOOT</prematch>
    <regex type="pcre2">
        DHCP4_INIT_REBOOT.*hwtype=(\d+)\s+([\da-fA-F:]+),\s+cid=\[([^\]]+)\],\s+tid=([^:]+):\s+client\s+is\s+in\s+INIT-REBOOT\s+state\s+and\s+requests\s+address\s+([\d\.]+)
    </regex>
    <order>hwtype,client_mac,client_id,transaction_id,requested_ip</order>
</decoder>

Current rules for alerts:
<group name="kea-dhcp">
  <rule id="90000" level="3">
    <decoded_as>kea-dhcp-lease-alloc</decoded_as>
    <description>Kea DHCP Lease Allocation: client MAC $(client_mac) ha ricevuto l'IP $(allocated_ip) per $(lease_second) secondi.</description>
    <group>kea-dhcp,allocation</group>
  </rule>

  <rule id="90001" level="3">
    <decoded_as>kea-dhcp-init-reboot</decoded_as>
    <description>Kea DHCP INIT-REBOOT: client MAC $(client_mac) ha richiesto l'IP $(requested_ip).</description>
    <group>kea-dhcp,init-reboot</group>
  </rule>
</group>

With this configuration, when the logs reach the Wazuh manager, no alerts are triggered.
In this configuration I receive no errors when saving the XML files, but I don't get the XML syntax error that I get when I try to change something. I consulted the documentation, but I'm still confused.

P.S. pfSense ce-2-7-2, the wazuh manager is the latest version.

I don't know what I am doing wrong, hope you can help me.
Kind regards,
Twinkal


Hossam El Amraoui

Mar 14, 2025, 7:14:39 AM
to Wazuh | Mailing List
Let me replicate this and I will get back to you as soon as possible.

Hossam El Amraoui

Mar 14, 2025, 7:56:10 AM
to Wazuh | Mailing List
If you want to create a custom decoder (https://documentation.wazuh.com/current/user-manual/ruleset/decoders/custom.html) and a custom rule (https://documentation.wazuh.com/current/user-manual/ruleset/rules/custom.html) for these logs, you can take a look at our regex syntax section (https://documentation.wazuh.com/current/user-manual/ruleset/ruleset-xml-syntax/regex.html), decoder syntax (https://documentation.wazuh.com/current/user-manual/ruleset/ruleset-xml-syntax/decoders.html), and rule syntax (https://documentation.wazuh.com/current/user-manual/ruleset/ruleset-xml-syntax/rules.html).

To test regex patterns and check that they work correctly, you can use pages such as [regex101.com](http://regex101.com/) (you have to take into account that this page, for example, uses the pcre2 regex format). To test the rules you can use the `wazuh-logtest` tool (https://documentation.wazuh.com/current/user-manual/reference/tools/wazuh-logtest.html).

In your case, despite no XML syntax error, the regex did not match the log. I have modified the decoder to:

```
<decoder name="kea-dhcp-lease-alloc">
    <prematch>DHCP4_LEASE_ALLOC</prematch>
    <regex type="pcre2">DHCP4_LEASE_ALLOC \[hwtype=(\d+)\s+([\da-fA-F:]+)\],\s+cid=\[([^\]]+)\],\s+tid=([^:]+):\s+lease\s+([\d\.]+)\s+has\s+been\s+allocated\s+for\s+(\d+)\s+seconds</regex>

    <order>hwtype,client_mac,client_id,transaction_id,allocated_ip,lease_second</order>
</decoder>

<decoder name="kea-dhcp-init-reboot">
    <prematch>DHCP4_INIT_REBOOT</prematch>
    <regex type="pcre2">DHCP4_INIT_REBOOT \[hwtype=(\d+)\s+([\da-fA-F:]+)\],\s+cid=\[([^\]]+)\],\s+tid=([^:]+):\s+client\s+is\s+in\s+INIT-REBOOT\s+state\s+and\s+requests\s+address\s+([\d\.]+)</regex>
    <order>hwtype,client_mac,client_id,transaction_id,requested_ip</order>
</decoder>
```

The rules have not been modified.

`wazuh-logtest` output:

```
root@ubuntu22:/home/vagrant# /var/ossec/bin/wazuh-logtest
Starting wazuh-logtest v4.10.1
Type one log per line


<134>1 2025-03-13T22:36:29.389265+01:00 fw-siem.unicam.it kea-dhcp4 97357 - -                               INFO  [kea-dhcp4.leases.0x2172614fd800] DHCP4_LEASE_ALLOC [hwtype=1 bc:24:11:d1:f0:0a],                                 cid=[ff:3c:fb:60:65:00:02:00:00:ab:11:87:b9:57:35:01:fe:32:e5],                                                         tid=0x6be555a9: lease 192.168.100.100 has been allocated for 7200 seconds

**Phase 1: Completed pre-decoding.
        full event: '<134>1 2025-03-13T22:36:29.389265+01:00 fw-siem.unicam.it kea-dhcp4 97357 - -                               INFO  [kea-dhcp4.leases.0x2172614fd800] DHCP4_LEASE_ALLOC [hwtype=1 bc:24:11:d1:f0:0a],                                 cid=[ff:3c:fb:60:65:00:02:00:00:ab:11:87:b9:57:35:01:fe:32:e5],                                                         tid=0x6be555a9: lease 192.168.100.100 has been allocated for 7200 seconds'

**Phase 2: Completed decoding.
        name: 'kea-dhcp-lease-alloc'
        allocated_ip: '192.168.100.100'
        client_id: 'ff:3c:fb:60:65:00:02:00:00:ab:11:87:b9:57:35:01:fe:32:e5'
        client_mac: 'bc:24:11:d1:f0:0a'
        hwtype: '1'
        lease_second: '7200'
        transaction_id: '0x6be555a9'

**Phase 3: Completed filtering (rules).
        id: '90000'
        level: '3'
        description: 'Kea DHCP Lease Allocation: client MAC bc:24:11:d1:f0:0a ha ricevuto l'IP 192.168.100.100 per 7200 secondi.'
        groups: '['kea-dhcpkea-dhcp', 'allocation']'
        firedtimes: '1'
        mail: 'False'
**Alert to be generated.


<134>1 2025-03-13T22:36:29.388545+01:00 fw-siem.unicam.it kea-dhcp4 97357 - -                               INFO  [kea-dhcp4.leases.0x2172614fd800] DHCP4_INIT_REBOOT [hwtype=1 bc:24:11:d1:f0:0a],                                 cid=[ff:3c:fb:60:65:00:02:00:00:ab:11:87:b9:57:35:01:fe:32:e5],                                                         tid=0x6be555a9: client is in INIT-REBOOT state and requests address 192.168.100.100

**Phase 1: Completed pre-decoding.
        full event: '<134>1 2025-03-13T22:36:29.388545+01:00 fw-siem.unicam.it kea-dhcp4 97357 - -                               INFO  [kea-dhcp4.leases.0x2172614fd800] DHCP4_INIT_REBOOT [hwtype=1 bc:24:11:d1:f0:0a],                                 cid=[ff:3c:fb:60:65:00:02:00:00:ab:11:87:b9:57:35:01:fe:32:e5],                                                         tid=0x6be555a9: client is in INIT-REBOOT state and requests address 192.168.100.100'

**Phase 2: Completed decoding.
        name: 'kea-dhcp-init-reboot'
        client_id: 'ff:3c:fb:60:65:00:02:00:00:ab:11:87:b9:57:35:01:fe:32:e5'
        client_mac: 'bc:24:11:d1:f0:0a'
        hwtype: '1'
        requested_ip: '192.168.100.100'
        transaction_id: '0x6be555a9'

**Phase 3: Completed filtering (rules).
        id: '90001'
        level: '3'
        description: 'Kea DHCP INIT-REBOOT: client MAC bc:24:11:d1:f0:0a ha richiesto l'IP 192.168.100.100.'
        groups: '['kea-dhcpkea-dhcp', 'init-reboot']'
        firedtimes: '1'
        mail: 'False'
**Alert to be generated.
```
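Why the first decoder never matched can be reproduced outside Wazuh. The script below is an added example, not code from the thread or from Wazuh: it runs the original `<regex>` element content (including the newline and indentation the element carried, on the assumption that Wazuh uses the element text verbatim without trimming) and the corrected pattern from the reply against the DHCP4_LEASE_ALLOC line quoted above, copied with its padding runs collapsed to single spaces. Python's `re` module stands in for PCRE2; none of the constructs used differ between the two. It shows the two separate defects: the surrounding whitespace, and the pattern expecting a comma directly after the MAC address where the log actually has `],`.

```python
import re

# Constructed copy of the DHCP4_LEASE_ALLOC message quoted in the thread, with
# the long padding runs collapsed to single spaces (field values unchanged).
SAMPLE = (
    "<134>1 2025-03-13T22:36:29.389265+01:00 fw-siem.unicam.it kea-dhcp4 97357 - - "
    "INFO  [kea-dhcp4.leases.0x2172614fd800] DHCP4_LEASE_ALLOC [hwtype=1 bc:24:11:d1:f0:0a], "
    "cid=[ff:3c:fb:60:65:00:02:00:00:ab:11:87:b9:57:35:01:fe:32:e5], "
    "tid=0x6be555a9: lease 192.168.100.100 has been allocated for 7200 seconds"
)

# Field names from the decoder's <order> element, in capture-group order.
ORDER = ["hwtype", "client_mac", "client_id", "transaction_id",
         "allocated_ip", "lease_second"]

# The first post's <regex> element as the XML parser hands it over: the pattern
# text starts with a newline plus indentation and ends with another newline.
# (Assumption: Wazuh uses the element content verbatim, without trimming.)
ORIGINAL_PATTERN = (
    "\n        "
    + r"DHCP4_LEASE_ALLOC.*hwtype=(\d+)\s+([\da-fA-F:]+),\s+cid=\[([^\]]+)\],"
    + r"\s+tid=([^:]+):\s+lease\s+([\d\.]+)\s+has\s+been\s+allocated\s+for\s+(\d+)\s+seconds"
    + "\n    "
)

# The same pattern with the surrounding whitespace removed, to isolate the
# second defect: the log reads "bc:24:11:d1:f0:0a]," but the pattern expects a
# comma straight after the MAC address, so the "]" is never consumed.
STRIPPED_ORIGINAL = ORIGINAL_PATTERN.strip()

# The corrected pattern from the reply: a literal "[" before hwtype and a
# literal "]" after the MAC address.
FIXED_PATTERN = (
    r"DHCP4_LEASE_ALLOC \[hwtype=(\d+)\s+([\da-fA-F:]+)\],\s+cid=\[([^\]]+)\],"
    r"\s+tid=([^:]+):\s+lease\s+([\d\.]+)\s+has\s+been\s+allocated\s+for\s+(\d+)\s+seconds"
)


def decode(pattern, line, order=ORDER):
    """Apply a decoder regex the way a pcre2 <regex> is applied (unanchored
    search) and map the capture groups onto the <order> field names.
    Returns None when the pattern does not match, i.e. nothing is decoded."""
    match = re.search(pattern, line)
    if match is None:
        return None
    return dict(zip(order, match.groups()))


def compare_patterns(line=SAMPLE):
    """Run all three patterns against one line for a side-by-side check."""
    return {
        "original_as_written": decode(ORIGINAL_PATTERN, line),
        "original_whitespace_stripped": decode(STRIPPED_ORIGINAL, line),
        "fixed": decode(FIXED_PATTERN, line),
    }


if __name__ == "__main__":
    for name, fields in compare_patterns().items():
        print(f"{name}: {'no match' if fields is None else fields}")
```

Running it prints "no match" for both variants of the original pattern and the six decoded fields for the corrected one, which is the same field set `wazuh-logtest` reports in its Phase 2 output.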


TWINKAL SIKRI

Mar 14, 2025, 9:17:50 PM
to Wazuh | Mailing List
Sorry for bothering you again, I'm having a new issue.
I've noticed that pfSense was storing logs in the syslog format (RFC 5424 with RFC 3339 microsecond-precision timestamp) and then the logcollector of the wazuh agent was taking these logs.

So, the issue I'm having is that, in this configuration, the only logs that could get decoded were the kea-dhcp4 logs (just because wazuh was using the decoder you helped make) while the other logs in RFC 5424 format (e.g. filter logs or snort logs etc.) couldn't get parsed, because in the provided decoders there are only the ones for the BSD format log (RFC 3164).
If I wanted to get the other logs besides the kea-dhcp4 ones, I had to switch the format in which pfSense stored the logs (syslog -> BSD).
I've been trying to change the kea-dhcp4 decoder to parse logs in BSD format but I keep getting XML syntax errors. 

BSD format kea-dhcp4 log:
2025 Mar 14 23:59:24 (FW-SIEM) any->/var/log/dhcpd.log Mar 14 23:59:23 fw-siem kea-dhcp4[73078]: INFO  [kea-dhcp4.dhcpsrv.0x18a33e4fca00] EVAL_RESULT Expression pool_lan_0 evaluated to 1
2025 Mar 14 23:59:24 (FW-SIEM) any->/var/log/dhcpd.log Mar 14 23:59:23 fw-siem kea-dhcp4[73078]: INFO  [kea-dhcp4.leases.0x18a33e4fca00] DHCP4_INIT_REBOOT [hwtype=1 bc:24:11:d1:f0:0a], cid=[ff:3c:fb:60:65:00:02:00:00:ab:11:87:b9:57:35:01:fe:32:e5], tid=0xa96ab7f4: client is in INIT-REBOOT state and requests address 192.168.100.100
2025 Mar 14 23:59:24 (FW-SIEM) any->/var/log/dhcpd.log Mar 14 23:59:23 fw-siem kea-dhcp4[73078]: INFO  [kea-dhcp4.leases.0x18a33e4fca00] DHCP4_LEASE_ALLOC [hwtype=1 bc:24:11:d1:f0:0a], cid=[ff:3c:fb:60:65:00:02:00:00:ab:11:87:b9:57:35:01:fe:32:e5], tid=0xa96ab7f4: lease 192.168.100.100 has been allocated for 7200 seconds
2025 Mar 14 23:59:36 (FW-SIEM) any->/var/log/dhcpd.log Mar 14 23:59:35 fw-siem dhcp6c[23053]: Sending Solicit

Decoder:
<decoder name="kea-dhcp4">
  <program_name>kea-dhcp4</program_name>
</decoder>

<!-- Decoder for LEASE_ALLOC messages -->
<decoder name="kea-dhcp4-lease-alloc">
  <parent>kea-dhcp4</parent>
  <prematch>INFO\s+\[[^\]]+\]\s+DHCP4_LEASE_ALLOC</prematch>
  <regex type="pcre2">INFO\s+\[[^\]]+\]\s+DHCP4_LEASE_ALLOC\s+\[hwtype=(\d+)\s+([\da-fA-F:]+)\],\s+cid=\[([^\]]+)\],\s+tid=([^:]+):\s+lease\s+([\d\.]+)\s+has\s+been\s+allocated\s+for\s+(\d+)\s+seconds</regex>
  <order>hwtype,client_mac,client_id,transaction_id,allocated_ip,lease_second</order>
</decoder>

<!-- Decoder for INIT_REBOOT messages -->
<decoder name="kea-dhcp4-init-reboot">
  <parent>kea-dhcp4</parent>
  <prematch>INFO\s+\[[^\]]+\]\s+DHCP4_INIT_REBOOT</prematch>
  <regex type="pcre2">INFO\s+\[[^\]]+\]\s+DHCP4_INIT_REBOOT\s+\[hwtype=(\d+)\s+([\da-fA-F:]+)\],\s+cid=\[([^\]]+)\],\s+tid=([^:]+):\s+client\s+is\s+in\s+INIT-REBOOT\s+state\s+and\s+requests\s+address\s+([\d\.]+)</regex>
  <order>hwtype,client_mac,client_id,transaction_id,requested_ip</order>
</decoder>

<!-- Decoder for EVAL_RESULT messages -->
<decoder name="kea-dhcp4-eval-result">
  <parent>kea-dhcp4</parent>
  <prematch>INFO\s+\[[^\]]+\]\s+EVAL_RESULT</prematch>
  <regex type="pcre2">INFO\s+\[[^\]]+\]\s+EVAL_RESULT\s+Expression\s+(\S+)\s+evaluated\s+to\s+(\d+)</regex>
  <order>expression,result</order>
</decoder>

Kind regards,

Twinkal

TWINKAL SIKRI

Mar 15, 2025, 12:58:43 PM
to Wazuh | Mailing List
FYI I managed to resolve the issue, I just wanted to share the decoder and the rules:

BSD FORMAT KEA-DHCP4 LOGS DECODER:
<decoder name="kea-dhcp4">
    <program_name>^kea-dhcp4</program_name>
</decoder>


<decoder name="kea-dhcp4-lease-alloc">
    <parent>kea-dhcp4</parent>
    <prematch>DHCP4_LEASE_ALLOC</prematch>
    <regex type="pcre2">DHCP4_LEASE_ALLOC \[hwtype=(\d+)\s+([\da-fA-F:]+)\],\s+cid=\[([^\]]+)\],\s+tid=([^:]+):\s+lease\s+([\d\.]+)\s+has\s+been\s+allocated\s+for\s+(\d+)\s+seconds</regex>
    <order>hwtype,client_mac,client_id,transaction_id,allocated_ip,lease_second</order>
</decoder>

<decoder name="kea-dhcp4-init-reboot">
    <parent>kea-dhcp4</parent>
    <prematch>DHCP4_INIT_REBOOT</prematch>
    <regex type="pcre2">DHCP4_INIT_REBOOT \[hwtype=(\d+)\s+([\da-fA-F:]+)\],\s+cid=\[([^\]]+)\],\s+tid=([^:]+):\s+client\s+is\s+in\s+INIT-REBOOT\s+state\s+and\s+requests\s+address\s+([\d\.]+)</regex>
    <order>hwtype,client_mac,client_id,transaction_id,requested_ip</order>
</decoder>

<decoder name="kea-dhcp4-eval">
    <parent>kea-dhcp4</parent>
    <prematch>EVAL_RESULT</prematch>
    <regex type="pcre2">EVAL_RESULT Expression (\S+) evaluated to (\d+)</regex>
    <order>expression,result</order>
</decoder>

RULES:
<group name="dhcp,kea,">
  <!-- Rule IDs: 100500 to 100599 (adjust to your needs) -->
 
  <rule id="100500" level="0">
    <decoded_as>kea-dhcp4</decoded_as>
    <description>kea-dhcp4 message detected.</description>
  </rule>
 
  <rule id="100510" level="2">
    <if_sid>100500</if_sid>
    <field name="expression">\.+</field>
    <description>DHCP4 evaluation: Expression $(expression) evaluated to $(result)</description>
  </rule>
 
  <rule id="100520" level="3">
    <if_sid>100500</if_sid>
    <field name="requested_ip">\.+</field>
    <description>DHCP4 init-reboot: Device MAC $(client_mac) requested IP $(requested_ip)</description>
  </rule>
 
  <rule id="100530" level="3">
    <if_sid>100500</if_sid>
    <field name="allocated_ip">\.+</field>
    <description>DHCP4 lease allocated: MAC $(client_mac) assigned IP $(allocated_ip) for $(lease_second) seconds</description>
  </rule>
 
  <!-- DoS -->
  <rule id="100540" level="10" frequency="8" timeframe="60">
    <if_matched_sid>100520</if_matched_sid>
    <same_field>client_mac</same_field>
    <description>DHCP4 possible DoS attack: Multiple requests from MAC $(client_mac) in short timeframe</description>
    <mitre>
      <id>T1498</id> <!-- Network Denial of Service -->
    </mitre>
  </rule>
 
  <!-- Suspicious -->
  <rule id="100550" level="8">
    <if_sid>100520</if_sid>
    <field name="client_mac">^00:00:00|^ff:ff:ff</field>
    <description>DHCP4 suspicious MAC address $(client_mac) detected</description>
    <mitre>
      <id>T1040</id> <!-- Network Sniffing -->
    </mitre>
  </rule>
 
  <!-- Alert for IP spoofing -->
  <rule id="100560" level="7">
    <if_sid>100520</if_sid>
    <field name="requested_ip">^127\.|^10\.|^172\.16\.|^192\.168\.</field>
    <field name="requested_ip" negate="yes">^192\.168\.100\.</field>
    <description>DHCP4 possible IP spoofing: MAC $(client_mac) requested suspicious IP $(requested_ip)</description>
    <mitre>
      <id>T1557</id> <!-- Man-in-the-Middle -->
    </mitre>
  </rule>
</group>

Thank you for this amazing device.
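As an added example (not part of the post above and not Wazuh's own code), the script below replays the final `kea-dhcp4-init-reboot` decoder and the correlation rules over constructed BSD-format lines shaped like the ones pfSense writes after the syslog-to-BSD switch, so the thresholds can be checked before the rules go live. It models the `if_sid` children of rule 100520 as "most specific rule wins", and rule 100540's `frequency`/`timeframe` as eight rule-100520 alerts from the same `client_mac` within 60 seconds; both are simplifications of Wazuh's own evaluation. The archive-log prefix (`2025 Mar 14 23:59:24 (FW-SIEM) any->/var/log/dhcpd.log`) is left off the constructed lines, and the OS_Regex field patterns of rules 100550 and 100560 are transcribed to Python `re` equivalents.

```python
import re
from collections import deque
from datetime import datetime

# Final kea-dhcp4-init-reboot <regex> from the thread and its <order> names.
INIT_REBOOT = re.compile(
    r"DHCP4_INIT_REBOOT \[hwtype=(\d+)\s+([\da-fA-F:]+)\],\s+cid=\[([^\]]+)\],"
    r"\s+tid=([^:]+):\s+client\s+is\s+in\s+INIT-REBOOT\s+state\s+and\s+requests\s+address\s+([\d\.]+)"
)
ORDER = ["hwtype", "client_mac", "client_id", "transaction_id", "requested_ip"]

# BSD (RFC 3164) header as pfSense writes it: "Mar 14 23:59:23 fw-siem kea-dhcp4[73078]: msg".
# Group 3 is what Wazuh exposes as program_name; the parent decoder matches on it.
BSD_HEADER = re.compile(r"^(\w{3} +\d+ \d\d:\d\d:\d\d) (\S+) ([^\[]+)\[\d+\]: (.*)$")

# Field patterns of rules 100550 and 100560, transcribed from OS_Regex to re.
SUSPICIOUS_MAC = re.compile(r"^00:00:00|^ff:ff:ff")
PRIVATE_IP = re.compile(r"^127\.|^10\.|^172\.16\.|^192\.168\.")
OWN_SUBNET = re.compile(r"^192\.168\.100\.")
FREQUENCY, TIMEFRAME = 8, 60  # rule 100540 (simplified counting, see lead-in)


def decode(line):
    """Return the decoded fields plus a 'ts' datetime, or None if the line is
    not a kea-dhcp4 INIT-REBOOT message (program_name + child decoder)."""
    header = BSD_HEADER.match(line)
    if header is None or header.group(3) != "kea-dhcp4":
        return None
    match = INIT_REBOOT.search(header.group(4))
    if match is None:
        return None
    fields = dict(zip(ORDER, match.groups()))
    # Year-less BSD timestamp; only deltas are used, so the default year is fine.
    fields["ts"] = datetime.strptime(header.group(1), "%b %d %H:%M:%S")
    return fields


def most_specific_rule(fields):
    """Rules 100550/100560 are if_sid children of 100520: a matching child
    replaces the parent alert, otherwise the parent 100520 fires."""
    if SUSPICIOUS_MAC.search(fields["client_mac"]):
        return 100550
    ip = fields["requested_ip"]
    if PRIVATE_IP.search(ip) and not OWN_SUBNET.search(ip):
        return 100560
    return 100520


def evaluate(lines):
    """Return (rule_id, client_mac) for every alert the ruleset would raise."""
    alerts = []
    recent = {}  # client_mac -> timestamps of recent 100520 alerts (same_field)
    for line in lines:
        fields = decode(line)
        if fields is None:
            continue
        rule = most_specific_rule(fields)
        mac = fields["client_mac"]
        alerts.append((rule, mac))
        if rule != 100520:
            continue
        window = recent.setdefault(mac, deque())
        window.append(fields["ts"])
        while (window[-1] - window[0]).total_seconds() > TIMEFRAME:
            window.popleft()
        if len(window) >= FREQUENCY:  # 100540: if_matched_sid 100520, same client_mac
            alerts.append((100540, mac))
            window.clear()
    return alerts


def make_line(ts, mac, ip, tid):
    """Build a constructed kea-dhcp4 INIT-REBOOT line in pfSense's BSD format."""
    return (f"{ts} fw-siem kea-dhcp4[73078]: INFO  [kea-dhcp4.leases.0x18a33e4fca00] "
            f"DHCP4_INIT_REBOOT [hwtype=1 {mac}], "
            f"cid=[ff:3c:fb:60:65:00:02:00:00:ab:11:87:b9:57:35:01:fe:32:e5], "
            f"tid={tid}: client is in INIT-REBOOT state and requests address {ip}")


# Constructed input: one normal request, eight rapid requests from one client,
# a null-prefixed MAC, an off-subnet RFC 1918 request, a public address, and a
# dhcp6c line that the parent decoder must ignore.
SAMPLE_LINES = (
    [make_line("Mar 14 23:59:23", "bc:24:11:d1:f0:0a", "192.168.100.100", "0xa96ab7f4")]
    + [make_line(f"Mar 15 00:00:{s:02d}", "aa:bb:cc:00:00:01", "192.168.100.50", f"0x{s:08x}")
       for s in range(0, 16, 2)]
    + [make_line("Mar 15 00:01:00", "00:00:00:11:22:33", "192.168.100.60", "0x00000099"),
       make_line("Mar 15 00:01:05", "bc:24:11:d1:f0:0b", "10.0.0.5", "0x0000009a"),
       make_line("Mar 15 00:01:10", "bc:24:11:d1:f0:0c", "8.8.8.8", "0x0000009b"),
       "Mar 15 00:01:11 fw-siem dhcp6c[23053]: Sending Solicit"]
)

if __name__ == "__main__":
    for rule, mac in evaluate(SAMPLE_LINES):
        print(rule, mac)
```

One detail worth keeping from the final ruleset when adapting it: the trailing comma in `<group name="dhcp,kea,">`. Wazuh concatenates the group attribute with each rule's own `<group>` list, which is why the earlier `wazuh-logtest` output showed the group `kea-dhcpkea-dhcp` for `<group name="kea-dhcp">` without the comma.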