Open vncloudsco opened 4 years ago
Hello @vncloudsco.
First of all sorry for the late reply. The following decoders and rule should fit your use case. Feel free to rename any field that has a different header name.
Rule (place it in /var/ossec/etc/rules/local_rules.xml):

```xml
<!-- Rules in local_rules.xml must be enclosed in a <group> element; the wrapper was missing in the snippet as posted. -->
<group name="local,modsecurity,">
  <rule id="100005" level="3">
    <decoded_as>custom-decoder2</decoded_as>
    <description>ModSecurity grouping rule</description>
  </rule>
</group>
```
Decoders (place them in /var/ossec/etc/decoders/0100-local.xml; you should create the 0100-local.xml file, as it is not a default file):

```xml
<!-- Parent decoder: matches the nginx error-log prefix "YYYY/MM/DD HH:MM:SS [level]" -->
<decoder name="custom-decoder2">
  <prematch>\d\d\d\d/\d\d/\d\d \d\d:\d\d:\d\d [\S+]</prematch>
</decoder>

<decoder name="custom-decoder-2">
  <parent>custom-decoder2</parent>
  <regex>(\d\d\d\d/\d\d/\d\d \d\d:\d\d:\d\d) [(\S+)]</regex>
  <order>datetime, log_level</order>
</decoder>

<!-- The client IP now sits in a capture group; without it the "client" field listed in <order> was never populated. -->
<decoder name="custom-decoder-2">
  <parent>custom-decoder2</parent>
  <regex offset="after_regex">(\d+#\d+): [client (\d+.\d+.\d+.\d+)]</regex>
  <order>log_id, client</order>
</decoder>

<decoder name="custom-decoder-2">
  <parent>custom-decoder2</parent>
  <regex>] ModSecurity: (\.+) [</regex>
  <order>modsecurity_msg</order>
</decoder>

<decoder name="custom-decoder-2">
  <parent>custom-decoder2</parent>
  <regex>[file "(\.+)"]</regex>
  <order>file</order>
</decoder>

<decoder name="custom-decoder-2">
  <parent>custom-decoder2</parent>
  <regex>[line "(\.+)"]</regex>
  <order>line</order>
</decoder>

<decoder name="custom-decoder-2">
  <parent>custom-decoder2</parent>
  <regex>[id "(\.+)"]</regex>
  <order>id</order>
</decoder>

<decoder name="custom-decoder-2">
  <parent>custom-decoder2</parent>
  <regex>[msg "(\.+)"]</regex>
  <order>msg</order>
</decoder>

<decoder name="custom-decoder-2">
  <parent>custom-decoder2</parent>
  <regex>[data "(\.+)"]</regex>
  <order>data</order>
</decoder>

<decoder name="custom-decoder-2">
  <parent>custom-decoder2</parent>
  <regex>[severity "(\.+)"]</regex>
  <order>severity</order>
</decoder>

<decoder name="custom-decoder-2">
  <parent>custom-decoder2</parent>
  <regex>[ver "(\.+)"]</regex>
  <order>ver</order>
</decoder>

<!-- Tags: the first [tag "..."] is matched from the start of the log, each following one from the end of the previous match.
     Only ten slots (tag0..tag9) are defined, so any tags beyond the tenth are not decoded. -->
<decoder name="custom-decoder-2">
  <parent>custom-decoder2</parent>
  <regex>[tag "(\.+)"]</regex>
  <order>tag0</order>
</decoder>

<decoder name="custom-decoder-2">
  <parent>custom-decoder2</parent>
  <regex offset="after_regex">[tag "(\.+)"]</regex>
  <order>tag1</order>
</decoder>

<decoder name="custom-decoder-2">
  <parent>custom-decoder2</parent>
  <regex offset="after_regex">[tag "(\.+)"]</regex>
  <order>tag2</order>
</decoder>

<decoder name="custom-decoder-2">
  <parent>custom-decoder2</parent>
  <regex offset="after_regex">[tag "(\.+)"]</regex>
  <order>tag3</order>
</decoder>

<decoder name="custom-decoder-2">
  <parent>custom-decoder2</parent>
  <regex offset="after_regex">[tag "(\.+)"]</regex>
  <order>tag4</order>
</decoder>

<decoder name="custom-decoder-2">
  <parent>custom-decoder2</parent>
  <regex offset="after_regex">[tag "(\.+)"]</regex>
  <order>tag5</order>
</decoder>

<decoder name="custom-decoder-2">
  <parent>custom-decoder2</parent>
  <regex offset="after_regex">[tag "(\.+)"]</regex>
  <order>tag6</order>
</decoder>

<decoder name="custom-decoder-2">
  <parent>custom-decoder2</parent>
  <regex offset="after_regex">[tag "(\.+)"]</regex>
  <order>tag7</order>
</decoder>

<decoder name="custom-decoder-2">
  <parent>custom-decoder2</parent>
  <regex offset="after_regex">[tag "(\.+)"]</regex>
  <order>tag8</order>
</decoder>

<decoder name="custom-decoder-2">
  <parent>custom-decoder2</parent>
  <regex offset="after_regex">[tag "(\.+)"]</regex>
  <order>tag9</order>
</decoder>

<!-- \S+ requires at least one non-space character, so an empty [hostname ""] yields no hostname field. -->
<decoder name="custom-decoder-2">
  <parent>custom-decoder2</parent>
  <regex>[hostname "(\S+)"]</regex>
  <order>hostname</order>
</decoder>

<decoder name="custom-decoder-2">
  <parent>custom-decoder2</parent>
  <regex>[uri "(\.+)"]</regex>
  <order>uri</order>
</decoder>

<decoder name="custom-decoder-2">
  <parent>custom-decoder2</parent>
  <regex>[unique_id "(\.+)"]</regex>
  <order>unique_id</order>
</decoder>
```
Example alert using the ossec-logtest binary:

```
**Phase 1: Completed pre-decoding.
full event: '2020/10/08 02:30:27 [error] 13233#0: [client 118.70.131.228] ModSecurity: Warning. detected XSS using libinjection. [file "/usr/local/nginx/conf/owasp-modsecurity-crs/rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf"] [line "60"] [id "941100"] [msg "XSS Attack Detected via libinjection"] [data "Matched Data: XSS data found within ARGS:vouuuuuuu: \x22><script>alert(1);</script>?param=\x22><script>alert(1);</script>"] [severity "CRITICAL"] [ver "OWASP_CRS/3.2.0"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-xss"] [tag "paranoia-level/1"] [tag "OWASP_CRS"] [tag "OWASP_CRS/WEB_ATTACK/XSS"] [tag "WASCTC/WASC-8"] [tag "WASCTC/WASC-22"] [tag "OWASP_TOP_10/A3"] [tag "OWASP_AppSensor/IE1"] [tag "CAPEC-242"] [hostname ""] [uri "/"] [unique_id "WcAsAcAzAcAcHcAcAcAcAPXc"]'
timestamp: '(null)'
hostname: 'puppet'
program_name: '(null)'
log: '2020/10/08 02:30:27 [error] 13233#0: [client 118.70.131.228] ModSecurity: Warning. detected XSS using libinjection. [file "/usr/local/nginx/conf/owasp-modsecurity-crs/rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf"] [line "60"] [id "941100"] [msg "XSS Attack Detected via libinjection"] [data "Matched Data: XSS data found within ARGS:vouuuuuuu: \x22><script>alert(1);</script>?param=\x22><script>alert(1);</script>"] [severity "CRITICAL"] [ver "OWASP_CRS/3.2.0"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-xss"] [tag "paranoia-level/1"] [tag "OWASP_CRS"] [tag "OWASP_CRS/WEB_ATTACK/XSS"] [tag "WASCTC/WASC-8"] [tag "WASCTC/WASC-22"] [tag "OWASP_TOP_10/A3"] [tag "OWASP_AppSensor/IE1"] [tag "CAPEC-242"] [hostname ""] [uri "/"] [unique_id "WcAsAcAzAcAcHcAcAcAcAPXc"]'

**Phase 2: Completed decoding.
decoder: 'custom-decoder2'
datetime: '2020/10/08 02:30:27'
log_level: 'error'
log_id: '13233#0'
modsecurity_msg: 'Warning. detected XSS using libinjection.'
file: '/usr/local/nginx/conf/owasp-modsecurity-crs/rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf'
line: '60'
id: '941100'
msg: 'XSS Attack Detected via libinjection'
data: 'Matched Data: XSS data found within ARGS:vouuuuuuu: \x22><script>alert(1);</script>?param=\x22><script>alert(1);</script>'
severity: 'CRITICAL'
ver: 'OWASP_CRS/3.2.0'
tag0: 'application-multi'
tag1: 'language-multi'
tag2: 'platform-multi'
tag3: 'attack-xss'
tag4: 'paranoia-level/1'
tag5: 'OWASP_CRS'
tag6: 'OWASP_CRS/WEB_ATTACK/XSS'
tag7: 'WASCTC/WASC-8'
tag8: 'WASCTC/WASC-22'
tag9: 'OWASP_TOP_10/A3'
uri: '/'
unique_id: 'WcAsAcAzAcAcHcAcAcAcAPXc'

**Phase 3: Completed filtering (rules).
Rule id: '100005'
Level: '3'
Description: 'ModSecurity grouping rule'
**Alert to be generated.
```
Let me know how it goes. Greetings,
JP
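The following is an added example, not part of the thread above or of Wazuh itself. It parses the same nginx/ModSecurity error-log line from the logtest output with Python's `re` module, so the field values the decoders are expected to produce can be checked offline before touching the manager. It also shows two things the logtest output makes visible: the posted `client` decoder lists a `client` field but has no capture group, so no client IP appears in Phase 2, and the fixed `tag0`..`tag9` slots silently drop the eleventh and twelfth tags (`OWASP_AppSensor/IE1`, `CAPEC-242`). The sample line, the function names and the ten-slot limit in `flatten_tags` are this example's own assumptions.

```python
import re

# Constructed for this example: the ModSecurity line from the logtest output above,
# as nginx writes it to its error log ("\x22" is a literal backslash-x-2-2 escape sequence).
SAMPLE_LINE = (
    "2020/10/08 02:30:27 [error] 13233#0: [client 118.70.131.228] ModSecurity: "
    "Warning. detected XSS using libinjection. "
    '[file "/usr/local/nginx/conf/owasp-modsecurity-crs/rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf"] '
    '[line "60"] [id "941100"] [msg "XSS Attack Detected via libinjection"] '
    '[data "Matched Data: XSS data found within ARGS:vouuuuuuu: \\x22><script>alert(1);</script>'
    '?param=\\x22><script>alert(1);</script>"] '
    '[severity "CRITICAL"] [ver "OWASP_CRS/3.2.0"] [tag "application-multi"] [tag "language-multi"] '
    '[tag "platform-multi"] [tag "attack-xss"] [tag "paranoia-level/1"] [tag "OWASP_CRS"] '
    '[tag "OWASP_CRS/WEB_ATTACK/XSS"] [tag "WASCTC/WASC-8"] [tag "WASCTC/WASC-22"] '
    '[tag "OWASP_TOP_10/A3"] [tag "OWASP_AppSensor/IE1"] [tag "CAPEC-242"] '
    '[hostname ""] [uri "/"] [unique_id "WcAsAcAzAcAcHcAcAcAcAPXc"]'
)

# Fixed prefix: timestamp, nginx log level, worker id, client IP (captured, unlike the posted
# decoder) and the free-text ModSecurity message up to the first [key "value"] section.
HEADER_RE = re.compile(
    r"^(?P<datetime>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) "
    r"\[(?P<log_level>\w+)\] "
    r"(?P<log_id>\d+#\d+): "
    r"\[client (?P<client>\d{1,3}(?:\.\d{1,3}){3})\] "
    r'ModSecurity: (?P<modsecurity_msg>.*?) (?=\[\w+ ")'
)

# Every remaining [key "value"] section; ModSecurity escapes embedded quotes (e.g. \x22),
# so a value never contains a raw double quote.
KV_RE = re.compile(r'\[(?P<key>\w+) "(?P<value>[^"]*)"\]')


def parse_modsecurity_line(line):
    """Return the decoded fields of one ModSecurity error-log line, or None if it does not match."""
    m = HEADER_RE.match(line)
    if not m:
        return None
    fields = m.groupdict()
    tags = []
    for kv in KV_RE.finditer(line, m.end()):
        key, value = kv.group("key"), kv.group("value")
        if key == "tag":
            tags.append(value)          # repeated key: keep every occurrence, in order
        elif value:                     # skip empty values such as [hostname ""], as the \S+ decoder does
            fields[key] = value
    fields["tags"] = tags
    return fields


def flatten_tags(tags, max_slots=10):
    """Mirror the decoder's fixed tag0..tagN fields; tags beyond max_slots are dropped."""
    return {f"tag{i}": tag for i, tag in enumerate(tags[:max_slots])}


if __name__ == "__main__":
    decoded = parse_modsecurity_line(SAMPLE_LINE)
    for name, value in decoded.items():
        print(f"{name}: {value!r}")
    print("tags lost to the ten-slot limit:", decoded["tags"][10:])
```

Running the block prints all decoded fields plus the two tags that the ten `tagN` decoders cannot hold; add more `tagN` decoders if those tags matter for your rules.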
@Zenidd thank you so much. I have done it; however, I think there should be specific instructions when configuring.
I have read and configured the log according to the instructions here: https://github.com/wazuh/wazuh-documentation/issues/1341
However, I noticed that my logs are not fully displayed. Such ingredients I get on the Wazuh manager.
Log structures like the following do not show in Wazuh.
Why is Matched Data not shown in the Wazuh manager?