socfortress / Wazuh-Rules

Advanced Wazuh Rules for more accurate threat detection. Feel free to implement within your own Wazuh environment, contribute, or fork!
https://www.socfortress.co

custom-misp.py - Returned raw log line from MISP cannot be decoded #29

Open pandel opened 4 months ago

pandel commented 4 months ago

Hi!

I am using Wazuh 4.8.0 via Docker. I integrated the scripts and rules for MISP and in general, everything seems to work - at least MISP returns some information, but Wazuh isn't able to interpret the incoming alert, aka the log line. So I tried to manually analyze what is happening.

What I did: I installed a fresh wazuh-docker setup with only the defaults and integrated the three MISP rules (100620-100622). Then I sent the following line (which is identical to the returned information from MISP on a successful search) via the Ruleset Test page to see what happens:

1:[001] (machine) 10.90.206.32->misp:{"misp": {"event_id": "179", "category": "Network activity", "value": "zu4f.top", "type": "domain"}}

The result is as follows:

**Phase 1: Completed pre-decoding.
    full event: '1:[001] (machine) 10.90.206.32->misp:{"misp": {"event_id": "179", "category": "Network activity", "value": "zu4f.top", "type": "domain"}}'

**Phase 2: Completed decoding.
    No decoder matched.

If I change the log line to:

{"misp": {"event_id": "179", "category": "Network activity", "value": "zu4f.top", "type": "domain"}}

the result is like this:

**Phase 1: Completed pre-decoding.

**Phase 2: Completed decoding.
    name: 'json'
    misp.category: 'Network activity'
    misp.event_id: '179'
    misp.type: 'domain'
    misp.value: 'zu4f.top'

**Phase 3: Completed filtering (rules).
    id: '100622'
    level: '12'
    description: 'MISP - IoC found in Threat Intel - Category: Network activity, Attribute: zu4f.top'
    groups: '["misp","misp_alert"]'
    firedtimes: '2'
    mail: 'true'
**Alert to be generated.

I wonder if there is any kind of MISP-related decoder missing here, but every single tutorial and video I found did not mention any special decoders at all.

So, what is happening here, or what am I missing? It would be really nice if someone has an idea...

Regards, Holger
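The two test runs in the report differ only in whether the `1:[001] (machine) 10.90.206.32->misp:` prefix is part of the text handed to the decoders. The script below is an added illustration, not code from this repository or from the reporter: it assumes the prefix is socket framing of the form `<queue_id>:<location>:<log>` (the `[agent_id] (agent_name) ip->source` location shape seen in the report, IPv4 only), imitates the gate a JSON decoder applies (only a payload that parses as a JSON object yields fields), flattens the object into the dotted names the Ruleset Test page prints, and rebuilds the description rule 100622 produced. The framing regex, the `decode` and `describe` helpers and the constructed inputs are all assumptions of this example, not Wazuh's implementation.

```python
import json
import re

# Constructed copies of the two inputs quoted in the issue report.
RAW_EVENT = ('1:[001] (machine) 10.90.206.32->misp:'
             '{"misp": {"event_id": "179", "category": "Network activity", '
             '"value": "zu4f.top", "type": "domain"}}')
BARE_JSON = RAW_EVENT.split('->misp:', 1)[1]

# Assumed framing of a message written to the analysisd queue socket:
#   <queue_id>:<location>:<log>
# <location> may carry the "[agent_id] (agent_name) ip->source" form seen in
# the report. An IPv6 address in <location> would defeat this naive split on
# ':' and is deliberately not handled.
FRAME_RE = re.compile(r'^(?P<queue>\d):(?P<location>[^:]*):(?P<log>.*)$', re.S)


def split_frame(line):
    """Return (queue, location, log) for a framed line, or None when the line
    has no such prefix and is therefore the log itself."""
    m = FRAME_RE.match(line)
    if not m:
        return None
    return m.group('queue'), m.group('location'), m.group('log')


def try_json(log):
    """Imitate the JSON decoder's gate: only a payload that parses as a JSON
    object is decoded; anything else produces no fields."""
    stripped = log.lstrip()
    if not stripped.startswith('{'):
        return None
    try:
        obj = json.loads(stripped)
    except json.JSONDecodeError:
        return None
    return obj if isinstance(obj, dict) else None


def flatten(obj, prefix=''):
    """Flatten nested JSON into the dotted field names the Ruleset Test page
    shows (misp.category, misp.event_id, ...)."""
    out = {}
    for key, value in obj.items():
        name = f'{prefix}{key}'
        if isinstance(value, dict):
            out.update(flatten(value, name + '.'))
        else:
            out[name] = str(value)
    return out


def decode(line):
    """Decode a line the way the test page output suggests: the whole line is
    the log, so a framed line yields nothing while its payload alone decodes."""
    obj = try_json(line)
    return flatten(obj) if obj is not None else {}


def describe(fields):
    """Rebuild the description rule 100622 produced in the report from the
    decoded fields; None when the MISP fields are absent (rule cannot fire)."""
    if 'misp.category' not in fields or 'misp.value' not in fields:
        return None
    return ('MISP - IoC found in Threat Intel - Category: '
            f"{fields['misp.category']}, Attribute: {fields['misp.value']}")


if __name__ == '__main__':
    for label, line in (('framed line', RAW_EVENT), ('payload only', BARE_JSON)):
        fields = decode(line)
        print(f'{label}: {fields or "no decoder matched"}')
        print(f'  rule description: {describe(fields)}')
    # Stripping the assumed framing first makes the framed line decode as well.
    _queue, _location, log = split_frame(RAW_EVENT)
    print('framed line after stripping the frame:', describe(decode(log)))
```

Running it prints no fields and no description for the framed line and the full `misp.*` field set plus the rule 100622 description for the bare JSON, matching the two Ruleset Test runs in the report; the last line shows that the same framed input decodes once the assumed `queue:location:` prefix is removed.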