wazuh / wazuh

Wazuh - The Open Source Security Platform. Unified XDR and SIEM protection for endpoints and cloud workloads.
https://wazuh.com/

Microsoft dhcp-ipv4 decoder: regex for srcip extracts too much data from log #25285

Open VJakoby opened 2 months ago

VJakoby commented 2 months ago
Wazuh version: 4.7.4
Component: Decoders
Action type: Improve

Description

The default decoder for Microsoft DHCP, "ms-dhcp-ipv4", extracts too much data into the srcip field. It does not stop at the end of the IP address and extracts the rest of the log. When evaluating the regex in a regex tester, group 3 can be seen to contain more information than only the IP.

Service/Product/Module

Decoder: ms-dhcp-ipv4
https://github.com/wazuh/wazuh-ruleset/blob/master/decoders/0380-windows_decoders.xml
Regex: ^(\d\d),\d+/\d+/\d\d\d*,\d+:\d+:\d+,(\w+),(\S+)

Errors/Improvements

Current results

data.srcip: 192.168.10.205,6ftya91701.domain.local,000B97A0B41D, (example)

Expected results

data.srcip: 192.168.10.205

Resources

Log source / integration

Microsoft DHCP

Log reference

Log examples

15,3/10/2009,8:49:10,NACK,192.168.10.205,,000B97A0B41D,
10,3/10/2009,8:49:10,Assign,192.168.10.205,6ftya91701.domain.local,000B97A0B41D,
12,3/10/2009,15:52:38,Release,192.168.10.205,6ftya91701.domain.local.,000B97A0B41D,

Threats and compliance

VJakoby commented 2 months ago

[screenshot] This is how it looks in Wazuh. (Masked IP and MAC due to privacy reasons.)

sakib789 commented 2 months ago

As a workaround for now, you can also modify the default decoder

https://documentation.wazuh.com/current/user-manual/ruleset/decoders/custom.html#modify-default-decoders

<decoder name="ms-dhcp-ipv4">
  <prematch>^\d\d,\d+/\d+/\d\d\d\d,\d+:\d+:\d+,|</prematch>
  <prematch>^\d\d,\d+/\d+/\d\d,\d+:\d+:\d+,</prematch>
  <!-- Group 3 is bounded to a dotted quad instead of (\S+), so the capture stops at the IP
       and no longer swallows the hostname and MAC that follow it on the same line. -->
  <regex type="pcre2">^(\d\d),\d+/\d+/\d\d\d*,\d+:\d+:\d+,(\w+),(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})\.*</regex>
  <order>id,extra_data,srcip</order>
</decoder>
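
The following is an added example, not part of the issue or of the Wazuh ruleset: it runs the default decoder's capture pattern and the workaround pattern from the comment above over the three log lines quoted in the issue, so the over-capture in srcip and its fix can be checked side by side. Python's `re` engine stands in for Wazuh's regex engine here (an assumption; behaviour of these particular patterns is the same), and the octet-range check is an extra sanity test that the decoder itself does not perform.

```python
import re

# Constructed copies of the three Microsoft DHCP audit-log lines quoted in the issue
# (fields: ID,Date,Time,Description,IP Address,Host Name,MAC Address,...).
DHCP_LOG_LINES = [
    "15,3/10/2009,8:49:10,NACK,192.168.10.205,,000B97A0B41D,",
    "10,3/10/2009,8:49:10,Assign,192.168.10.205,6ftya91701.domain.local,000B97A0B41D,",
    "12,3/10/2009,15:52:38,Release,192.168.10.205,6ftya91701.domain.local.,000B97A0B41D,",
]

# Capture pattern of the default ms-dhcp-ipv4 decoder. Group 3 is (\S+) with no
# terminator, and the record contains no whitespace, so it runs to end of line.
DEFAULT_REGEX = re.compile(r"^(\d\d),\d+/\d+/\d\d\d*,\d+:\d+:\d+,(\w+),(\S+)")

# Workaround pattern from the thread: group 3 is bounded to a dotted quad.
FIXED_REGEX = re.compile(
    r"^(\d\d),\d+/\d+/\d\d\d*,\d+:\d+:\d+,(\w+),(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})"
)

FIELDS = ("id", "extra_data", "srcip")  # mirrors the decoder's <order> element


def decode(line, regex):
    """Map the regex groups onto the decoder's field names; None if no match."""
    m = regex.match(line)
    if m is None:
        return None
    return dict(zip(FIELDS, m.groups()))


def is_ipv4(value):
    """True only for a single dotted quad whose octets are all in 0..255 (a check the
    \\d{1,3} pattern alone does not enforce)."""
    parts = value.split(".")
    return len(parts) == 4 and all(p.isdigit() and 0 <= int(p) <= 255 for p in parts)


def compare(lines):
    """Per line: srcip as seen by both decoders and whether each is a clean IPv4."""
    report = []
    for line in lines:
        before = decode(line, DEFAULT_REGEX)["srcip"]
        after = decode(line, FIXED_REGEX)["srcip"]
        report.append({"before": before, "after": after,
                       "before_ok": is_ipv4(before), "after_ok": is_ipv4(after)})
    return report


if __name__ == "__main__":
    for row in compare(DHCP_LOG_LINES):
        print(row)
```

Any rule that matches on srcip (for example an IP reputation list or a CDB lookup) silently fails against the default decoder's output, because the field value is the whole tail of the record rather than an address.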
VJakoby commented 2 months ago

Absolutely. Will work great. The problem will reoccur if we do an upgrade and the issue is not fixed by default. So I wanted to let you know so it's fixed on your end instead of manually needing to change it after each update.