Custom decoder for Kaspersky


Dmitriy Sharov

Jul 25, 2023, 8:49:23 AM
to Wazuh mailing list

Hello Dear Team,

This is the archived Kaspersky log for which I want to create a custom decoder:

2023-07-05T08:54:53.000Z aaa-b-name.do-main.corp 1093|1.0.0.0 - KLSRV_HOST_STATUS_WARNING [event@23668 p1="Статус устройства 'PC-NAME' изменился на 'Предупреждение': Статус шифрования данных не соответствует заданному." et="KLSRV_HOST_STATUS_WARNING" etdn="Статус устройства \"Предупреждение\"." hdn=" AAA-B-NAME  " hip="127.0.0.1" gn="Win_servers" kscfqdn="aaa-b-name.do-main.corp"] Статус устройства 'PC-NAME' изменился на 'Предупреждение': Статус шифрования данных не соответствует заданному.

(I've hidden some of the values for privacy reasons)

I created this custom decoder for this log:

<decoder name="kaspersky_test">
  <prematch type="pcre2">^\d+-\d+-\d+T\d+:\d+:\d+.\d+\w \S+ \d+\|\d.\d.\d.\d - \S+ \[</prematch>
</decoder>

<decoder name="kaspersky_test">
  <parent>kaspersky_test</parent>
  <regex type="pcre2">^(\d+-\d+-\d+T\d+:\d+:\d+.\d+\w) (\S+) (\d+\|\d.\d.\d.\d) - (\S+) \[</regex>
  <order>timestamp,hostname,ProductVersion, stutus</order>
</decoder>

<decoder name="kaspersky_test">
  <parent>kaspersky_test</parent>
  <regex type="pcre2">(\w+@\d+) </regex>
  <order>eventid</order>
</decoder>

<decoder name="kaspersky_test">
  <parent>kaspersky_test</parent>
  <regex type="pcre2"> p1="(\W+\S+\W+)" </regex>
  <order>p1</order>
</decoder>

<decoder name="kaspersky_test">
  <parent>kaspersky_test</parent>
  <regex type="pcre2">et="(\S+)" </regex>
  <order>et</order>
</decoder>

<decoder name="kaspersky_test">
  <parent>kaspersky_test</parent>
  <regex type="pcre2">etdn="(\W+)" </regex>
  <order>etdn</order>
</decoder>

<decoder name="kaspersky_test">
  <parent>kaspersky_test</parent>
  <regex type="pcre2">hdn="(\S+)" </regex>
  <order>hdn</order>
</decoder>

<decoder name="kaspersky_test">
  <parent>kaspersky_test</parent>
  <regex type="pcre2">hip="(\d+.\d.\d.\d)" </regex>
  <order>hip</order>
</decoder>

<decoder name="kaspersky_test">
  <parent>kaspersky_test</parent>
  <regex type="pcre2">gn="(\S+)" </regex>
  <order>gn</order>
</decoder>

<decoder name="kaspersky_test">
  <parent>kaspersky_test</parent>
  <regex type="pcre2">kscfqdn="(\S+)"\] </regex>
  <order>kscfqdn</order>
</decoder>

<decoder name="kaspersky_test">
  <parent>kaspersky_test</parent>
  <regex type="pcre2">(\W+'\S+'\W+) </regex>
  <order>status</order>
</decoder>

_____________________________________________________

On regex101.com I have a complete match (Screen_1).

But when I run logtest, my decoder doesn't match (Screen_2).

I tried to split the log (through comments) and run it step by step, but it doesn't work. I have no idea what I'm doing wrong.

Can you please help me?

Thank you.

Screen_2.jpg
Screen_1.jpg

Damian Nicastro

Jul 26, 2023, 5:05:03 PM
to Wazuh mailing list
Hello Dmitriy:

I hope you are fine.
Please, give me some time. I will be back with the decoders and some rules for you.
Thanks for your patience

Damian Nicastro

Jul 27, 2023, 9:21:47 AM
to Wazuh mailing list
Hello Dmitriy:

Thanks for your patience.
I have been investigating, and the decoders don't match because Cyrillic characters are not supported in Wazuh.
You can see more details in the open issue for that:
I am sorry for the inconvenience.
I hope this helps.
Thanks

Dmitriy Sharov

Jul 27, 2023, 9:44:46 AM
to Wazuh mailing list
Hello @Damian,

Thanks for your reply!
I've been thinking about that, too, but the key fields of Kaspersky logs are in English.
Besides, we can get Windows events with Cyrillic characters in Wazuh (Screen_1). Or am I wrong, and is that not the same thing?
Thank you.
Thursday, 27 July 2023 at 16:21:47 UTC+3, Damian Nicastro:
Screen_1.jpg

Damian Nicastro

Jul 27, 2023, 11:27:57 AM
to Wazuh mailing list
Hello Dmitriy
The problem is the Cyrillic text, not the key fields.
Regarding the log you are showing: it is just a log received, it cannot be parsed by Wazuh decoders.
I hope this helps.
Thanks


Dmitriy Sharov

Jul 28, 2023, 3:25:17 AM
to Wazuh mailing list
Hello Damian

OK, I got it. Thank you!

Thursday, 27 July 2023 at 18:27:57 UTC+3, Damian Nicastro:

Dmitriy Sharov

Jul 28, 2023, 11:04:15 AM
to Wazuh mailing list
Hello Damian

Can you please help me to create a custom decoder for this Kaspersky log:

2023-07-28T13:58:57.000Z desktop-qkcmf7f KES|11.0.0.0 - 000000d4 [event@23668 et="000000d4" tdn="Exploit Prevention" etdn="Task cannot be performed" hdn="DESKTOP-QKCMF7F" hip="192.168.50.39" gn="test" kscfqdn="win-2fthi5tu4nq"] Event type: Task cannot be performed\r\nName: avp.exe\r\nApplication path: C:\Program Files (x86)\Kaspersky Lab\KES.12.1.0\r\nUser: DESKTOP-QKCMF7F\Admin (Active user)\r\nComponent: Exploit Prevention\r\nResult description: Task cannot be started\r\nObject type: Subsystem\r\nObject name: Exploit Prevention\r\nReason: eERROR\r\nError: License is missing

Thanks.

Friday, 28 July 2023 at 10:25:17 UTC+3, Dmitriy Sharov:

Damian Nicastro

Jul 28, 2023, 1:53:46 PM
to Wazuh mailing list
Hello Dmitriy:

I hope you are fine.
Let me work on it. I will be back to you as soon as possible.
Thanks

Damian Nicastro

Aug 1, 2023, 1:52:02 PM
to Wazuh mailing list
Hello Dmitriy:

I hope you are fine.
Since this log is not pre-decoded correctly in the wazuh-manager, you will need to add an <out_format> tag in the corresponding <localfile> section in order to change the format of the log:
# vi /var/ossec/etc/ossec.conf
...
<localfile>
    <location>/var/log/kasp.log</location>
    <log_format>syslog</log_format>
    <out_format>kaspersky - $(log)</out_format>
</localfile>


With this formatting, the log will arrive at the wazuh-manager like this:
Kaspersky - 2023-07-28T13:58:57.000Z desktop-qkcmf7f KES|11.0.0.0 - 000000d4 [event@23668 et="000000d4" tdn="Exploit Prevention" etdn="Task cannot be performed" hdn="DESKTOP-QKCMF7F" hip="192.168.50.39" gn="test" kscfqdn="win-2fthi5tu4nq"] Event type: Task cannot be performed\r\nName: avp.exe\r\nApplication path: C:\Program Files (x86)\Kaspersky Lab\KES.12.1.0\r\nUser: DESKTOP-QKCMF7F\Admin (Active user)\r\nComponent: Exploit Prevention\r\nResult description: Task cannot be started\r\nObject type: Subsystem\r\nObject name: Exploit Prevention\r\nReason: eERROR\r\nError: License is missing'

And the decoder will be:
# vi /var/ossec/etc/decoders/kaspersky_custom_decoders.xml
<!--
Kaspersky - 2023-07-28T13:58:57.000Z desktop-qkcmf7f KES|11.0.0.0 - 000000d4 [event@23668 et="000000d4" tdn="Exploit Prevention" etdn="Task cannot be performed" hdn="DESKTOP-QKCMF7F" hip="192.168.50.39" gn="test" kscfqdn="win-2fthi5tu4nq"] Event type: Task cannot be performed\r\nName: avp.exe\r\nApplication path: C:\Program Files (x86)\Kaspersky Lab\KES.12.1.0\r\nUser: DESKTOP-QKCMF7F\Admin (Active user)\r\nComponent: Exploit Prevention\r\nResult description: Task cannot be started\r\nObject type: Subsystem\r\nObject name: Exploit Prevention\r\nReason: eERROR\r\nError: License is missing
-->

<decoder name="Kaspersky">
  <prematch>kaspersky</prematch>
</decoder>

<decoder name="Kaspersky-child">
  <parent>Kaspersky</parent>
  <regex offset="after_parent">(\d+-\d+-\d+)T(\d+:\d+:\d+.\d+)Z (\.+) KES\|(\.+) - </regex>
  <order>date,time,hostname,kes_version</order>
</decoder>

<decoder name="Kaspersky-child">
  <parent>Kaspersky</parent>
  <regex offset="after_regex">(\.+) </regex>
  <order>event</order>
</decoder>

<decoder name="Kaspersky-child">
  <parent>Kaspersky</parent>
  <regex offset="after_regex">[(\.+) et="(\.+)" </regex>
  <order>event2,et</order>
</decoder>


<decoder name="Kaspersky-child">
  <parent>Kaspersky</parent>
  <regex offset="after_regex">tdn="(\.+)" etdn="(\.+)" hdn="(\.+)" hip="(\d+.\d+.\d+.\d+)" gn="(\.+)" kscfqdn="(\.+)"] </regex>
  <order>tdn,etdn,hdn,hip,gn,kscfqdn</order>
</decoder>


<decoder name="Kaspersky-child">
  <parent>Kaspersky</parent>
  <regex offset="after_regex">Event type: (\.+)\\r\\n</regex>
  <order>event_type</order>
</decoder>

<decoder name="Kaspersky-child">
  <parent>Kaspersky</parent>
  <regex offset="after_regex">Name: (\.+)\\r\\n</regex>
  <order>name</order>
</decoder>

<decoder name="Kaspersky-child">
  <parent>Kaspersky</parent>
  <regex offset="after_regex">Application path: (\.+)\\r\\n</regex>
  <order>application_path</order>
</decoder>

<decoder name="Kaspersky-child">
  <parent>Kaspersky</parent>
  <regex offset="after_regex">User: (\.+)\\r\\n</regex>
  <order>user</order>
</decoder>

<decoder name="Kaspersky-child">
  <parent>Kaspersky</parent>
  <regex offset="after_regex">Component: (\.+)\\r\\n</regex>
  <order>component</order>
</decoder>


<decoder name="Kaspersky-child">
  <parent>Kaspersky</parent>
  <regex offset="after_regex">Result description: (\.+)</regex>
  <order>result_description</order>
</decoder>


You can also make some basic rules like:
# vi /var/ossec/etc/rules/kaspersky_custom_rules.xml
<group name="kaspersky_custom,">
    <rule id="170000" level="0">
        <decoded_as>Kaspersky</decoded_as>
        <description>Kaspersky messages</description>
    </rule>
    <rule id="170001" level="3">
        <if_sid>170000</if_sid>
        <field name="component">Exploit Prevention</field>
        <description>Kaspersky: $(component)</description>
    </rule>
</group>


Finally, the result will be:
[root@wazuh-server ~]# /var/ossec/bin/wazuh-logtest
Starting wazuh-logtest v4.4.3
Type one log per line

Kaspersky - 2023-07-28T13:58:57.000Z desktop-qkcmf7f KES|11.0.0.0 - 000000d4 [event@23668 et="000000d4" tdn="Exploit Prevention" etdn="Task cannot be performed" hdn="DESKTOP-QKCMF7F" hip="192.168.50.39" gn="test" kscfqdn="win-2fthi5tu4nq"] Event type: Task cannot be performed\r\nName: avp.exe\r\nApplication path: C:\Program Files (x86)\Kaspersky Lab\KES.12.1.0\r\nUser: DESKTOP-QKCMF7F\Admin (Active user)\r\nComponent: Exploit Prevention\r\nResult description: Task cannot be started\r\nObject type: Subsystem\r\nObject name: Exploit Prevention\r\nReason: eERROR\r\nError: License is missing'

**Phase 1: Completed pre-decoding.
        full event: 'Kaspersky - 2023-07-28T13:58:57.000Z desktop-qkcmf7f KES|11.0.0.0 - 000000d4 [event@23668 et="000000d4" tdn="Exploit Prevention" etdn="Task cannot be performed" hdn="DESKTOP-QKCMF7F" hip="192.168.50.39" gn="test" kscfqdn="win-2fthi5tu4nq"] Event type: Task cannot be performed\r\nName: avp.exe\r\nApplication path: C:\Program Files (x86)\Kaspersky Lab\KES.12.1.0\r\nUser: DESKTOP-QKCMF7F\Admin (Active user)\r\nComponent: Exploit Prevention\r\nResult description: Task cannot be started\r\nObject type: Subsystem\r\nObject name: Exploit Prevention\r\nReason: eERROR\r\nError: License is missing''

**Phase 2: Completed decoding.
        name: 'Kaspersky'
        application_path: 'C:\Program Files (x86)\Kaspersky Lab\KES.12.1.0'
        component: 'Exploit Prevention'
        date: '2023-07-28'
        dstuser: 'DESKTOP-QKCMF7F\Admin (Active user)'
        et: '000000d4'
        etdn: 'Task cannot be performed'
        event: '000000d4'
        event2: 'event@23668'
        event_type: 'Task cannot be performed'
        gn: 'test'
        hdn: 'DESKTOP-QKCMF7F'
        hip: '192.168.50.39'
        hostname: 'desktop-qkcmf7f'
        kes_version: '11.0.0.0'
        kscfqdn: 'win-2fthi5tu4nq'
        name: 'avp.exe'
        result_description: 'Task cannot be started\r\nObject type: Subsystem\r\nObject name: Exploit Prevention\r\nReason: eERROR\r\nError: License is missing''
        tdn: 'Exploit Prevention'
        time: '13:58:57.000'

**Phase 3: Completed filtering (rules).
        id: '170001'
        level: '3'
        description: 'Kaspersky: Exploit Prevention'
        groups: '['kaspersky_custom']'
        firedtimes: '1'
        mail: 'False'
**Alert to be generated.


For more information about custom rules and decoders:

For information about <localfile> configuration:

I hope this helps.
Thanks
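
Below is an added stand-alone parser for the two Kaspersky log lines in this thread (example code written for this page; it is not Wazuh's decoder engine and not code from either participant). It splits the syslog header, the `[event@23668 ...]` parameters and the `\r\n`-separated message body into the same flat field names the decoder above produces, and goes a step further by also splitting the Object type, Object name, Reason and Error lines that the decoder leaves inside result_description. The non_ascii_fields helper lists which fields carry non-ASCII text, which is useful when deciding which fields a Wazuh decoder and rule can key on given the Cyrillic limitation discussed earlier. The two sample lines are constructed from the logs posted in the thread; field names such as sd_id, product and version are the example's own.

```python
"""Stand-alone parser for the Kaspersky Security Center syslog lines shown in
this thread. Added example for checking field extraction offline; it is not
Wazuh code and does not reproduce the wazuh-analysisd decoder engine."""
import re
from typing import Dict, List

# Constructed samples: the Cyrillic KSC line from the first post and the English
# KES line from the follow-up question. Raw strings keep the literal "\r\n"
# sequences and the escaped quotes exactly as they appear in the log.
RU_LOG = r'''2023-07-05T08:54:53.000Z aaa-b-name.do-main.corp 1093|1.0.0.0 - KLSRV_HOST_STATUS_WARNING [event@23668 p1="Статус устройства 'PC-NAME' изменился на 'Предупреждение': Статус шифрования данных не соответствует заданному." et="KLSRV_HOST_STATUS_WARNING" etdn="Статус устройства \"Предупреждение\"." hdn=" AAA-B-NAME  " hip="127.0.0.1" gn="Win_servers" kscfqdn="aaa-b-name.do-main.corp"] Статус устройства 'PC-NAME' изменился на 'Предупреждение': Статус шифрования данных не соответствует заданному.'''
EN_LOG = r'''2023-07-28T13:58:57.000Z desktop-qkcmf7f KES|11.0.0.0 - 000000d4 [event@23668 et="000000d4" tdn="Exploit Prevention" etdn="Task cannot be performed" hdn="DESKTOP-QKCMF7F" hip="192.168.50.39" gn="test" kscfqdn="win-2fthi5tu4nq"] Event type: Task cannot be performed\r\nName: avp.exe\r\nApplication path: C:\Program Files (x86)\Kaspersky Lab\KES.12.1.0\r\nUser: DESKTOP-QKCMF7F\Admin (Active user)\r\nComponent: Exploit Prevention\r\nResult description: Task cannot be started\r\nObject type: Subsystem\r\nObject name: Exploit Prevention\r\nReason: eERROR\r\nError: License is missing'''

# Header layout: <date>T<time>Z <host> <product>|<version> - <event> [<sd-id> k="v" ...] <message>
_HEADER = re.compile(
    r'^(?P<date>\d{4}-\d{2}-\d{2})T(?P<time>\d{2}:\d{2}:\d{2}(?:\.\d+)?)Z\s+'
    r'(?P<hostname>\S+)\s+'
    r'(?P<product>[^|\s]+)\|(?P<version>\S+)\s+-\s+'
    r'(?P<event>\S+)\s+'
    r'\[(?P<sd_id>[^\s\]]+)(?P<params>[^\]]*)\]\s*'
    r'(?P<message>.*)$',
    re.DOTALL,
)
# One key="value" parameter; the value may contain backslash-escaped quotes.
_PARAM = re.compile(r'(\w+)="((?:[^"\\]|\\.)*)"')
# The message body uses the literal four characters \r\n as a line separator.
_LINE_SEP = re.compile(r'\\r\\n|\r?\n')
# "Key name: value" segments in the body (ASCII keys, as KES emits them).
_KV = re.compile(r'^([A-Za-z][A-Za-z ]{0,40}): (.*)$', re.DOTALL)


def parse_kaspersky(line: str) -> Dict[str, str]:
    """Return a flat dict of header fields, [event@...] parameters and body fields."""
    m = _HEADER.match(line.strip())
    if not m:
        raise ValueError("line does not match the Kaspersky syslog layout")
    fields = {k: v for k, v in m.groupdict().items() if k not in ("params", "message")}
    for key, value in _PARAM.findall(m.group("params")):
        # Undo the \" escaping and trim padding such as hdn=" AAA-B-NAME  ".
        fields[key] = value.replace('\\"', '"').strip()
    body = m.group("message").strip()
    fields["message"] = body
    for segment in _LINE_SEP.split(body):
        kv = _KV.match(segment.strip())
        if kv:
            # "Application path" -> application_path, matching the thread's field names.
            fields[kv.group(1).lower().replace(" ", "_")] = kv.group(2).strip()
    return fields


def non_ascii_fields(fields: Dict[str, str]) -> List[str]:
    """Names of fields whose value contains characters outside 7-bit ASCII."""
    return [k for k, v in fields.items() if any(ord(ch) > 127 for ch in v)]


if __name__ == "__main__":
    for sample in (RU_LOG, EN_LOG):
        parsed = parse_kaspersky(sample)
        for key, value in parsed.items():
            print(f"{key}: {value!r}")
        print("non-ASCII fields:", non_ascii_fields(parsed))
        print()
```

Running it shows that for the first post's log only p1, etdn and the trailing message carry Cyrillic text, while et, hdn, hip, gn and kscfqdn are plain ASCII; for the KES log every field is ASCII and the body splits cleanly into ten key/value pairs.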


