
Decoders: add mandatory fields when using firewall type

Open jnasselle opened this issue 4 years ago • 3 comments

Hi team!

Currently there is no specification that decoders using <type>firewall</type> must obtain, via regex and order, the following fields:

  • action
  • srcip
  • dstip
  • srcport
  • dstport
  • protocol

If any of these fields is not obtained from the log, the event will be dropped almost immediately (not shown even in archives.log).

Regards, Nico

jnasselle avatar Dec 15 '20 04:12 jnasselle

I had this same situation testing the logs of an user in the thread https://wazuh.slack.com/archives/C0A933R8E/p1671839257363949.

Basically, an example log like this one

Dec 27 11:24:04 audit kernel: lcb-iptables drop IN= OUT=eno5 SRC=192.168.10.5 DST=224.0.0.22 LEN=40 TOS=0x00 PREC=0xC0 TTL=1 ID=0 DF PROTO=2 MARK=0xd4

is silently dropped and not printed in archives.log because it is missing some fields. But if we add the destination and source ports, the log is processed properly:

Dec 27 11:24:04 audit kernel: lcb-iptables drop IN= OUT=eno5 SRC=192.168.10.5 DST=224.0.0.22 LEN=40 TOS=0x00 PREC=0xC0 TTL=1 ID=0 DF PROTO=2 SPT=46388 DPT=37628 MARK=0xd4

This might be happening here:

https://github.com/wazuh/wazuh/blob/0824af89e8a448866197751e867c8b3ad980dd0b/src/analysisd/analysisd.c#L1953-L1965

pereyra-m avatar Jan 03 '23 21:01 pereyra-m
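A way to check candidate log lines against the field requirement described in the original post, and to reproduce the difference between the two iptables lines quoted above, as an added example that is not part of this thread or of the Wazuh code base: the regex below is an assumption written for the kernel/iptables format shown in the thread (a real Wazuh decoder is XML with `<regex>` and `<order>` elements), and the drop rule it applies models the behaviour the thread describes rather than calling analysisd. The three sample lines are the ones quoted in the thread.

```python
from __future__ import annotations

import re

# Fields the thread says a <type>firewall</type> decoder must supply; an
# event missing any of them is dropped before it reaches archives.log.
FIREWALL_REQUIRED_FIELDS = ("action", "srcip", "dstip", "srcport", "dstport", "protocol")

# Regex approximating a decoder for the iptables kernel lines in the thread
# (an assumption for this example, not a Wazuh decoder). The leading space
# before SRC=/PROTO=/SPT=/DPT= keeps MACSRC= and MACPROTO= from matching.
# The equivalent decoder <order> would be: action, srcip, dstip, protocol,
# srcport, dstport.
IPTABLES_RE = re.compile(
    r"kernel: (?:\S+ )?(?P<action>DROP|ACCEPT|REJECT)\b.*?"
    r" SRC=(?P<srcip>\S+) DST=(?P<dstip>\S+)"
    r".*? PROTO=(?P<protocol>\S+)"
    r"(?:.*? SPT=(?P<srcport>\d+) DPT=(?P<dstport>\d+))?",
    re.IGNORECASE,
)

# Sample lines taken from the thread above.
LINE_NO_PORTS = (
    "Dec 27 11:24:04 audit kernel: lcb-iptables drop IN= OUT=eno5 SRC=192.168.10.5 "
    "DST=224.0.0.22 LEN=40 TOS=0x00 PREC=0xC0 TTL=1 ID=0 DF PROTO=2 MARK=0xd4"
)
LINE_WITH_PORTS = (
    "Dec 27 11:24:04 audit kernel: lcb-iptables drop IN= OUT=eno5 SRC=192.168.10.5 "
    "DST=224.0.0.22 LEN=40 TOS=0x00 PREC=0xC0 TTL=1 ID=0 DF PROTO=2 "
    "SPT=46388 DPT=37628 MARK=0xd4"
)
LINE_TCP_DROP = (
    "2024 Jan 10 19:55:59 wazusrv->192.168.2.1 Jan 10 16:55:59 kernel: DROP IN=vlan2 "
    "OUT= MACSRC=00:a7:42:2b:7a:b4 MACDST=98:fc:11:f8:0d:fc MACPROTO=0800 "
    "SRC=80.66.83.84 DST=186.19.254.153 LEN=40 TOS=0x00 PREC=0x00 TTL=241 ID=34951 "
    "PROTO=TCP SPT=57714 DPT=20379 SEQ=1439250821 ACK=0 WINDOW=1024 RES=0x00 SYN URGP=0"
)


def decode(line: str) -> dict[str, str] | None:
    """Extract the firewall fields from one line; None if the prematch fails."""
    m = IPTABLES_RE.search(line)
    if m is None:
        return None
    # Drop groups that did not participate (e.g. SPT/DPT on an IGMP line).
    return {name: value for name, value in m.groupdict().items() if value is not None}


def missing_firewall_fields(fields: dict[str, str]) -> list[str]:
    """Return the required fields that the decoded event does not carry."""
    return [f for f in FIREWALL_REQUIRED_FIELDS if f not in fields]


def would_be_dropped(line: str) -> tuple[bool, list[str]]:
    """Apply the drop rule described in the thread: any missing field drops the event.

    Returns (dropped, missing_fields).
    """
    fields = decode(line)
    if fields is None:
        return True, list(FIREWALL_REQUIRED_FIELDS)
    missing = missing_firewall_fields(fields)
    return bool(missing), missing


if __name__ == "__main__":
    for label, line in (
        ("IGMP without ports", LINE_NO_PORTS),
        ("IGMP with ports", LINE_WITH_PORTS),
        ("TCP DROP", LINE_TCP_DROP),
    ):
        dropped, missing = would_be_dropped(line)
        state = "DROPPED" if dropped else "kept"
        print(f"{label:20s} -> {state}  missing={missing}  fields={decode(line)}")
```

Running it shows the first line dropped with `srcport` and `dstport` missing, while the other two lines survive; the same check can be run over a file of candidate lines before a custom decoder is loaded, so that events which will never reach archives.log are identified up front.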

Hi, how did you finally resolve this issue? I have the same problem using local_decoder and local_rules, trying to alert on this log:

2024 Jan 10 19:55:59 wazusrv->192.168.2.1 Jan 10 16:55:59 kernel: DROP IN=vlan2 OUT= MACSRC=00:a7:42:2b:7a:b4 MACDST=98:fc:11:f8:0d:fc MACPROTO=0800 SRC=80.66.83.84 DST=186.19.254.153 LEN=40 TOS=0x00 PREC=0x00 TTL=241 ID=34951 PROTO=TCP SPT=57714 DPT=20379 SEQ=1439250821 ACK=0 WINDOW=1024 RES=0x00 SYN URGP=0

Rodasa avatar Jan 11 '24 16:01 Rodasa

Hi @Rodasa !

The whole rules engine is being refactored here: https://github.com/wazuh/wazuh/issues/11334. This shouldn't happen after the new development, but in the meantime I suggest you create an issue in the right repository (this is the documentation one) to properly request a workaround:

https://github.com/wazuh/wazuh/issues/new?assignees=&labels=&projects=&template=default.md&title=

pereyra-m avatar Jan 15 '24 21:01 pereyra-m