additional decoder for F5


Fawwas Hamdi

Nov 7, 2024, 4:48:34 AM
to Wazuh | Mailing List
I hope someone could help me, guys. I'm trying to extract data from another data field in the F5 decoder that falls under cs3. It looks like this:

[attachment: Screenshot 2024-11-07 164250.png]

I'm trying to extract Host, Origin and Referer from this data set.

I already tried to create a decoder that looks like this:

<!-- Parent decoder for HTTP request -->
<decoder name="http_request_parent">
  <type>syslog</type>
  <!-- Matches request lines starting with GET/POST and ending in HTTP/1.x -->
  <prematch type="pcre2">^(POST|GET)\s/.*\sHTTP/1\.\d</prematch>
</decoder>

<!-- Sibling decoders for Host, Origin, and Referer -->
<decoder name="http_request_host">
  <parent>http_request_parent</parent>
  <regex type="pcre2">Host:\s([^\r\n]+)</regex> <!-- Captures Host -->
  <order>Host</order>
</decoder>

<decoder name="http_request_origin">
  <parent>http_request_parent</parent>
  <regex type="pcre2">Origin:\s([^\r\n]+)</regex> <!-- Captures Origin -->
  <order>Origin</order>
</decoder>

I already tested this, but only the Host is being decoded, and after putting it inside the F5 decoder it doesn't extract the Host field.

I hope someone could help me with this issue, as I'm trying to enrich the data coming from F5.

Juan Antonio Garcia Ruiz

Nov 7, 2024, 10:41:50 AM
to Wazuh | Mailing List

Good morning, Fawwas Hamdi, it's a pleasure to assist you.

I have tried to replicate your issue, and I would like to ask for your OS version and Wazuh installation version.

I am also attaching the official Wazuh documentation for decoder syntax.

https://documentation.wazuh.com/current/user-manual/ruleset/ruleset-xml-syntax/decoders.html

Fawwas Hamdi

Nov 7, 2024, 9:16:41 PM
to Wazuh | Mailing List
Currently deployed Wazuh on RHEL 9.4 and Wazuh version

As you can see, it is already decoded but not shown in the dashboard.
[attachment: Screenshot 2024-11-07 164250.png]

Fawwas Hamdi

Nov 7, 2024, 9:18:17 PM
to Wazuh | Mailing List
Wazuh version 4.8.2

Juan Antonio Garcia Ruiz

Nov 8, 2024, 4:16:58 AM
to Wazuh | Mailing List
Good morning Fawwas Hamdi, could you share the log you’re using to test the decoders? Thank you very much.

Fawwas Hamdi

Nov 8, 2024, 4:26:34 AM
to Wazuh | Mailing List
It seems like my replies are not getting through.

Fawwas Hamdi

Nov 8, 2024, 4:31:50 AM
to Wazuh | Mailing List

POST /logout HTTP/1.1\r\nHost: test.com\r\nConnection: keep-alive\r\nContent-Length: 368\r\nsec-ch-ua-platform: "Windows"\r\nUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/130.0.0.0 Safari/537.36\r\nAccept: application/json, text/plain, */*\r\nsec-ch-ua: "Chromium";v\="130", "Google Chrome";v\="130", "Not?A_Brand";v\="99"\r\nContent-Type: application/json\r\nsec-ch-ua-mobile: ?0\r\nOrigin: https://test.com\r\nSec-Fetch-Site: same-site\r\nSec-Fetch-Mode: cors\r\nSec-Fetch-Dest: empty\r\nReferer: https://test.com/\r\nAccept-Encoding: gzip, deflate, br, zstd\r\nAccept-Language: en-US,en;q\=0.9,id;q\=0.8\r\nX-Forwarded-For: 1.1.1.1\r\n\r\n{"_":"FAuth\=12345; FDigest\=12345

Fawwas Hamdi

Nov 11, 2024, 1:10:32 AM
to Wazuh | Mailing List
Is there any update on this?

Juan Antonio Garcia Ruiz

Nov 11, 2024, 3:56:21 AM
to Wazuh | Mailing List
Good morning, I apologize for the delay in responding.

I haven't been able to replicate the error. After creating the decoders, the application prompts for a restart to activate them. It’s possible that this step was not completed.

[attachment: Sin título.png]

If that’s not the case, please let me know, and I’ll escalate the issue to the team responsible for this section of the application.

Fawwas Hamdi

Nov 11, 2024, 3:59:32 AM
to Wazuh | Mailing List
<!-- Parent decoder for HTTP request -->
<decoder name="http_request_parent">
  <type>web-log</type>
  <!-- Matches request lines starting with an HTTP method and ending in HTTP/1.x -->
  <prematch type="pcre2">^(POST|GET|PUT|DELETE|HEAD)\s/.*\sHTTP/1\.\d</prematch>
</decoder>

<!-- Sibling decoders for Host, Origin, and Referer -->
<decoder name="http_request_host">
  <parent>http_request_parent</parent>
  <regex type="pcre2">(?s)Host:\s*([a-zA-Z0-9.-]+)</regex> <!-- Captures Host -->
  <order>Host</order>
</decoder>

<decoder name="http_request_origin">
  <parent>http_request_parent</parent>
  <regex type="pcre2" flags="s">Origin:\s(https?://[a-zA-Z0-9.-]+)</regex> <!-- Captures Origin -->
  <order>Origin</order>
</decoder>

<decoder name="http_request_origin">
  <parent>http_request_parent</parent>
  <regex type="pcre2" flags="s">Referer:\s(https?://[a-zA-Z0-9.-]+)</regex> <!-- Captures Referer -->
  <order>Referer</order>
</decoder>

Can you use web-log instead?

Fawwas Hamdi

Nov 11, 2024, 4:01:18 AM
to Wazuh | Mailing List
[attachment: Screenshot 2024-11-11 155951.png]
As you can see, I managed to extract the Host but not the rest.

Fawwas Hamdi

Nov 11, 2024, 4:05:17 AM
to Wazuh | Mailing List
POST /logout HTTP/1.1\r\nHost: test.com\r\nConnection: keep-alive\r\nContent-Length: 368\r\nsec-ch-ua-platform: "Windows"\r\nUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/130.0.0.0 Safari/537.36\r\nAccept: application/json, text/plain, */*\r\nsec-ch-ua: "Chromium";v\="130", "Google Chrome";v\="130", "Not?A_Brand";v\="99"\r\nContent-Type: application/json\r\nsec-ch-ua-mobile: ?0\r\nOrigin: https://test.com\r\nSec-Fetch-Site: same-site\r\nSec-Fetch-Mode: cors\r\nSec-Fetch-Dest: empty\r\nReferer: https://test.com/\r\nAccept-Encoding: gzip, deflate, br, zstd\r\nAccept-Language: en-US,en;q\=0.9,id;q\=0.8\r\nX-Forwarded-For: 1.1.1.1\r\n\r\n{"_":"FAuth\=12345; FDigest\=12345

**Phase 1: Completed pre-decoding.
        full event: 'POST /logout HTTP/1.1\r\nHost: test.com\r\nConnection: keep-alive\r\nContent-Length: 368\r\nsec-ch-ua-platform: "Windows"\r\nUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/130.0.0.0 Safari/537.36\r\nAccept: application/json, text/plain, */*\r\nsec-ch-ua: "Chromium";v\="130", "Google Chrome";v\="130", "Not?A_Brand";v\="99"\r\nContent-Type: application/json\r\nsec-ch-ua-mobile: ?0\r\nOrigin: https://test.com\r\nSec-Fetch-Site: same-site\r\nSec-Fetch-Mode: cors\r\nSec-Fetch-Dest: empty\r\nReferer: https://test.com/\r\nAccept-Encoding: gzip, deflate, br, zstd\r\nAccept-Language: en-US,en;q\=0.9,id;q\=0.8\r\nX-Forwarded-For: 1.1.1.1\r\n\r\n{"_":"FAuth\=12345; FDigest\=12345'

**Phase 2: Completed decoding.
        name: 'http_request_parent'
        Host: 'test.com'

When I change it to syslog, the result is like this.

Fawwas Hamdi

Nov 11, 2024, 4:07:37 AM
to Wazuh | Mailing List
And I already put this decoder within the F5 decoder, but nothing happened so far, and there is no error from the script either.

Juan Antonio Garcia Ruiz

Nov 11, 2024, 5:00:54 AM
to Wazuh | Mailing List

I’ve got it, sorry for the delay in providing a more precise response. My colleagues have mentioned that the error lies in the name of the sibling decoders, as they must have the same name.

Here I’m attaching a screenshot of the tests and a link to the documentation about sibling decoders. Thank you very much for your time and for using Wazuh.

Siblings Decoders Documentation

**Phase 1: Completed pre-decoding.
        full event: 'POST /logout HTTP/1.1\r\nHost: test.com\r\nConnection: keep-alive\r\nContent-Length: 368\r\nsec-ch-ua-platform: "Windows"\r\nUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/130.0.0.0 Safari/537.36\r\nAccept: application/json, text/plain, */*\r\nsec-ch-ua: "Chromium";v\="130", "Google Chrome";v\="130", "Not?A_Brand";v\="99"\r\nContent-Type: application/json\r\nsec-ch-ua-mobile: ?0\r\nOrigin: https://test.com\r\nSec-Fetch-Site: same-site\r\nSec-Fetch-Mode: cors\r\nSec-Fetch-Dest: empty\r\nReferer: https://test.com/\r\nAccept-Encoding: gzip, deflate, br, zstd\r\nAccept-Language: en-US,en;q\=0.9,id;q\=0.8\r\nX-Forwarded-For: 1.1.1.1\r\n\r\n{"_":"FAuth\=12345; FDigest\=12345'

**Phase 2: Completed decoding.
        name: 'http_request_parent'
        Host: 'test.com'
        Origin: 'https://test.com'
        Referer: 'https://test.com'

**Phase 3: Completed filtering (rules).
        id: '31100'
        level: '0'
        description: 'Access log messages grouped.'
        groups: '["web","accesslog"]'
        firedtimes: '1'
        mail: 'false'

<!-- Parent decoder for HTTP request -->
<decoder name="http_request_parent">
  <type>web-log</type>
  <!-- Matches request lines starting with an HTTP method and ending in HTTP/1.x -->
  <prematch type="pcre2">^(POST|GET|PUT|DELETE|HEAD)\s/.*\sHTTP/1\.\d</prematch>
</decoder>

<!-- Sibling decoders for Host, Origin, and Referer: all three share one name -->
<decoder name="http_request_origin">
  <parent>http_request_parent</parent>
  <regex type="pcre2">(?s)Host:\s*([a-zA-Z0-9.-]+)</regex> <!-- Captures Host -->
  <order>Host</order>
</decoder>

<decoder name="http_request_origin">
  <parent>http_request_parent</parent>
  <regex type="pcre2" flags="s">Origin:\s(https?://[a-zA-Z0-9.-]+)</regex> <!-- Captures Origin -->
  <order>Origin</order>
</decoder>

<decoder name="http_request_origin">
  <parent>http_request_parent</parent>
  <regex type="pcre2" flags="s">Referer:\s(https?://[a-zA-Z0-9.-]+)</regex> <!-- Captures Referer -->
  <order>Referer</order>
</decoder>
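An added Python script (not from the thread, and not Wazuh's own code) that loads a decoder file, flags the sibling-name mismatch Juan's colleagues pointed out, and approximates the decoding of the sample event. It assumes Python's re handles these pcre2 patterns the same way, and that once a child decoder matches, only siblings with the same name are still tried, as the thread describes; the event and decoders below are constructed from the ones posted above.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample event from the thread; \r\n stays literal text as in the F5 log.
EVENT = (r'POST /logout HTTP/1.1\r\nHost: test.com\r\nConnection: keep-alive\r\n'
         r'Origin: https://test.com\r\nReferer: https://test.com/\r\n\r\n')

# Constructed decoders mirroring the thread's first attempt (Host child named differently).
DECODERS_XML = r"""
<decoder name="http_request_parent">
  <prematch type="pcre2">^(POST|GET|PUT|DELETE|HEAD)\s/.*\sHTTP/1\.\d</prematch>
</decoder>
<decoder name="http_request_host"><parent>http_request_parent</parent>
  <regex type="pcre2">(?s)Host:\s*([a-zA-Z0-9.-]+)</regex><order>Host</order>
</decoder>
<decoder name="http_request_origin"><parent>http_request_parent</parent>
  <regex type="pcre2">(?s)Origin:\s(https?://[a-zA-Z0-9.-]+)</regex><order>Origin</order>
</decoder>
<decoder name="http_request_origin"><parent>http_request_parent</parent>
  <regex type="pcre2">(?s)Referer:\s(https?://[a-zA-Z0-9.-]+)</regex><order>Referer</order>
</decoder>
"""

def load_decoders(xml_text):
    # A decoder file holds several top-level <decoder> elements, so wrap them first.
    root = ET.fromstring("<root>" + xml_text + "</root>")
    return [dict(name=d.get("name"), **{k: d.findtext(k) for k in ("parent", "prematch", "regex", "order")})
            for d in root.findall("decoder")]

def decode(decoders, event):
    """Parent prematch, then children in file order; after a match only same-named siblings are tried."""
    fields = {}
    for parent in [d for d in decoders if d["parent"] is None]:
        if not re.search(parent["prematch"], event):
            continue
        chain = None  # name of the first child that matched (assumed Wazuh behaviour)
        for child in [d for d in decoders if d["parent"] == parent["name"]]:
            if chain and child["name"] != chain:
                break
            m = re.search(child["regex"], event)
            if m:
                chain = chain or child["name"]
                fields[child["order"]] = m.group(1)
    return fields

def sibling_name_issues(decoders):
    """Map each parent to the set of child names when its children do not all share one."""
    names = {}
    for d in decoders:
        if d["parent"]:
            names.setdefault(d["parent"], set()).add(d["name"])
    return {p: n for p, n in names.items() if len(n) > 1}
```

Run the lint before loading a decoder file with wazuh-logtest: an empty result from sibling_name_issues means every child of a parent shares one name.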

Fawwas Hamdi

Nov 12, 2024, 1:45:25 AM
to Wazuh | Mailing List
I already tested this decoder and it is working. My other question is: if I put this decoder within the F5 decoder, will it work right away, or do I need to make adjustments in the rule as well? My main goal is just to present these 3 fields within the F5 log results, as I want to use these 3 fields for filtering and reporting.

[attachment: Screenshot 2024-11-07 164250.png]

Fawwas Hamdi

Nov 12, 2024, 2:25:53 AM
to Wazuh | Mailing List
<group name="custom-http-rules">
  <rule id="1090" level="5">
    <decoded_as>http_request_parent</decoded_as>
    <description>Custom rule for HTTP requests capturing Host, Origin, and Referer fields</description>
    <group>web</group>
    <options>no_full_log</options>
    <!-- Add any additional rule configurations as needed -->
  </rule>
</group>

**Phase 1: Completed pre-decoding.


**Phase 2: Completed decoding.
        name: 'http_request_parent'
        Host: 'test.com'
        Origin: 'https://test.com'
        Referer: 'https://test.com'

**Phase 3: Completed filtering (rules).
        id: '1090'
        level: '5'
        description: 'Custom rule for HTTP requests capturing Host, Origin, and Referer fields'
        groups: '['custom-http-rulesweb']'
        firedtimes: '1'
        mail: 'False'
**Alert to be generated.

I already made rules for this and it's working. The next step is: how do I show this data in the Wazuh dashboard?

Juan Antonio Garcia Ruiz

Nov 12, 2024, 5:04:55 AM
to Wazuh | Mailing List
As mentioned in the guide: "The Wazuh ruleset, combined with any custom rules, analyzes incoming events. It generates alerts when all specified conditions within a rule are met" (Documentation)

This can be found in the dashboard under the events tabs. You need to add a filter with the rule ID.
[attachment: Sin título.png]