Hi!
I am using Wazuh 4.8.0 via Docker. I integrated the scripts and rules for MISP and in general, everything seems to work - at least as far as MISP returns some information, only Wazuh isn't able to interpret the incoming alert aka log line. So I tried to manually analyze what is happening.
What I did: I installed a fresh wazuh-docker setup with only the defaults and integrated the three MISP rules (100620-100622). Then I sent the following line (which is identical to the returned information from MISP on a successful search) via the Ruleset Test page to see what happens:
1:[001] (machine) 10.90.206.32->misp:{"misp": {"event_id": "179", "category": "Network activity", "value": "zu4f.top", "type": "domain"}}
The result is as follows:
If I change the log line to:
{"misp": {"event_id": "179", "category": "Network activity", "value": "zu4f.top", "type": "domain"}}
the result is like this:
I wonder if there is any kind of MISP-related decoder missing here, but every single tutorial and video I found did not mention any special decoders at all.
So, what is happening here or what am I missing? It would be really nice, if someone has an idea...
Regards, Holger
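The two test lines from the post, run through a small emulation of a Wazuh-style JSON decoder (added example, not part of the post and not Wazuh's own code). It assumes, as Wazuh's built-in JSON decoder does, that decoding only happens when the log itself starts with a JSON object, and that nested keys are flattened into dotted field names such as `misp.category`; the queue-header regex is a constructed approximation of the `1:[001] (machine) ip->location:` prefix shown above.

```python
import json
import re

# analysisd queue header the poster pasted in front of the JSON (assumed shape):
# "<queue>:[<agent id>] (<agent name>) <ip>-><location>:<log>"
QUEUE_HEADER = re.compile(
    r"^(\d+):\[(\d+)\] \(([^)]*)\) (\S+)->([^:]+):(.*)$", re.S)

# Constructed inputs: the two lines from the post, verbatim.
WITH_HEADER = ('1:[001] (machine) 10.90.206.32->misp:'
               '{"misp": {"event_id": "179", "category": "Network activity", '
               '"value": "zu4f.top", "type": "domain"}}')
BARE_JSON = WITH_HEADER.split("->misp:", 1)[1]


def split_header(line):
    """Return (header or None, log). A line pasted into the Ruleset Test or
    read from a log file is treated as the log in full, header included."""
    m = QUEUE_HEADER.match(line)
    if not m:
        return None, line
    queue, agent_id, name, ip, location, log = m.groups()
    return {"queue": queue, "id": agent_id, "name": name,
            "ip": ip, "location": location}, log


def flatten(obj, prefix=""):
    """Flatten nested JSON into dotted field names (misp.event_id, ...)."""
    out = {}
    for key, val in obj.items():
        if isinstance(val, dict):
            out.update(flatten(val, f"{prefix}{key}."))
        else:
            out[f"{prefix}{key}"] = val
    return out


def json_decode(log):
    """Emulated JSON decoder: matches only when the log itself starts with a
    JSON object. Returns the dotted field map, or None when it would not match."""
    if not re.match(r'^\{\s*"', log):
        return None
    try:
        return flatten(json.loads(log))
    except json.JSONDecodeError:
        return None


if __name__ == "__main__":
    for label, line in (("with header", WITH_HEADER), ("bare JSON", BARE_JSON)):
        print(f"{label:12s} -> {json_decode(line)}")
```

Only the bare object yields fields a rule can test with `<field name="misp.category">`; the prefixed line is not a JSON document from the decoder's point of view.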