Understanding Wazuh Decoders

Intro

Building The Decoder

Medium: SOCFortress is an awesome company, check them out at https://www.socfortress.co
/var/ossec/bin/wazuh-logtest

Parent Decoder

<decoder name="medium">
  <prematch>^Medium:</prematch>
</decoder>
nano /var/ossec/etc/decoders/local_decoder.xml

Child Decoder

<decoder name="medium_child">
  <parent>medium</parent>
  <regex offset="after_parent">^\s(\.+) is an awesome company, check them out at (https://\.+)</regex>
  <order>company,website</order>
</decoder>
nano /var/ossec/etc/decoders/local_decoder.xml
Medium: OpenSecure is an awesome company, check them out at https://www.opensecure.co

Creating Rules

nano /var/ossec/etc/rules/local_rules.xml
<group name="medium,socfortress">
  <rule id="100021" level="5">
    <decoded_as>medium</decoded_as>
    <field name="company">SOCFortress</field>
    <description>Go check out $(company) at $(website)!</description>
  </rule>
</group>
nano /var/ossec/etc/rules/local_rules.xml
<group name="medium,socfortress">
  <rule id="100022" level="5">
    <decoded_as>medium</decoded_as>
    <field name="company">OpenSecure</field>
    <description>Go check out $(company) at $(website)!</description>
  </rule>
</group>
Medium: OpenSecure is an awesome company, check them out at https://www.opensecure.co

pfSense Firewall

1 2022-04-22T13:46:00.769161-05:00 router.localdomain filterlog 48244 - - 107,,,1000005911,mvneta0,match,pass,out,4,0x0,,64,62124,0,none,17,udp,78,104.181.152.45,205.251.194.94,13998,53,58

Parent Decoder

<decoder name="pfsense">
  <prematch>^\d \d\d\d\d-\d\d-\d\dT\d\d:\d\d:\d\d.\d\d\d\d\d\d-\d\d:\d\d</prematch>
</decoder>

Child Decoder

<decoder name="pfsense_router">
  <parent>pfsense</parent>
  <regex offset="after_parent">^(\.+) filterlog \d\d\d\d\d - - \d\d\d,,,\d\d\d\d\d\d\d\d\d\d,\w\w\w\w\w\w\d,\w\w\w\w\w,(\w\w\w\w),(\.+),\d,\dx\d,,\d\d,\d\d\d\d\d,\d,\w\w\w\w,\d\d,(\.+),\d\d,(\.+),(\.+),</regex>
  <order>router,firewallaction,direction,protocol,srcip,dstip</order>
</decoder>

Rule

nano /var/ossec/etc/rules/local_rules.xml
<group name="pfsense,syslog">
  <rule id="100023" level="5">
    <decoded_as>pfsense</decoded_as>
    <field name="firewallaction">pass</field>
    <description>Traffic from $(srcip) to $(dstip) passed.</description>
  </rule>
</group>
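As an added example, not code from the post or from Wazuh, here is a small Python emulation of the parent-prematch, child-regex and rule flow shown above, so the pfSense and Medium patterns can be sanity-checked offline before they go into local_decoder.xml and local_rules.xml (wazuh-logtest stays the authoritative check). It assumes OS_Regex repetition is non-greedy and that its \w covers [A-Za-z0-9@_-]; the function names are mine.

```python
import re

# Sample event copied from the post (the pfSense line the post feeds to wazuh-logtest).
PFSENSE_LOG = ("1 2022-04-22T13:46:00.769161-05:00 router.localdomain filterlog 48244 - - "
               "107,,,1000005911,mvneta0,match,pass,out,4,0x0,,64,62124,0,none,17,udp,78,"
               "104.181.152.45,205.251.194.94,13998,53,58")
PFSENSE_PREMATCH = r"^\d \d\d\d\d-\d\d-\d\dT\d\d:\d\d:\d\d.\d\d\d\d\d\d-\d\d:\d\d"
PFSENSE_REGEX = (r"^(\.+) filterlog \d\d\d\d\d - - \d\d\d,,,\d\d\d\d\d\d\d\d\d\d,\w\w\w\w\w\w\d,"
                 r"\w\w\w\w\w,(\w\w\w\w),(\.+),\d,\dx\d,,\d\d,\d\d\d\d\d,\d,\w\w\w\w,\d\d,(\.+),"
                 r"\d\d,(\.+),(\.+),")
PFSENSE_ORDER = "router,firewallaction,direction,protocol,srcip,dstip"

def wazuh_to_python(pattern):
    """Translate the Wazuh (OS_Regex) dialect: \\. = any char, bare . = literal dot,
    \\s = space, \\w = [A-Za-z0-9@_-]. Assumption: OS_Regex repetition is non-greedy,
    so + and * become +?/*? unless they end the pattern (a trailing \\.+ eats the rest)."""
    table = {".": ".", "d": r"\d", "w": r"[A-Za-z0-9@_-]", "s": " "}
    out, i = [], 0
    while i < len(pattern):
        c = pattern[i]
        if c == "\\":                          # escaped token from the Wazuh table
            out.append(table.get(pattern[i + 1], re.escape(pattern[i + 1])))
            i += 2
            continue
        if c == ".":                           # literal dot in Wazuh syntax
            out.append(r"\.")
        elif c in "+*" and pattern[i + 1:].rstrip(")"):
            out.append(c + "?")                # non-greedy unless nothing follows
        else:
            out.append(c)
        i += 1
    return "".join(out)

def decode(log, prematch, child_regex, order):
    """Parent <prematch>, then child <regex offset="after_parent"> on the leftover text."""
    parent = re.match(wazuh_to_python(prematch), log)
    if not parent:
        return None                            # parent decoder did not claim the event
    child = re.match(wazuh_to_python(child_regex), log[parent.end():])
    if not child:
        return None                            # child regex failed: no fields extracted
    return dict(zip(order.split(","), child.groups()))

def evaluate_rule(fields, field_name, field_pattern, description):
    """<field name="..."> (its value is a Wazuh regex) plus $(name) expansion in <description>."""
    if not fields or not re.search(wazuh_to_python(field_pattern), fields.get(field_name, "")):
        return None
    return re.sub(r"\$\((\w+)\)", lambda m: fields.get(m.group(1), m.group(0)), description)
```

Note that with the post's pfsense prematch stopping before the space, the emulated router field keeps that leading space; extending the prematch by one space, or starting the child regex with `^\s`, would trim it.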

Conclusion

Need Help?

SOCFortress is a SaaS company that unifies Observability, Security Monitoring, Threat Intelligence and Security Orchestration, Automation, and Response (SOAR).