
Convert IPv4-dependent regexps to work with IPv6 addresses.

Open aquerubin opened this issue 6 years ago • 5 comments

This updates multiple decoders and rules that have \d+.\d+.\d+.\d+ regexp to use the more general \S+.

aquerubin avatar May 06 '19 12:05 aquerubin

Adding |) to the regexp doesn't really extract the IP in the broken syntax case.

Antonio Querubin e-mail: [email protected]

aquerubin avatar Jun 03 '19 12:06 aquerubin

Looks like there is a general issue with json based decoders where the srcip isn't correctly shown / extracted, so the issue I'm trying to point out seems to be hidden.

**Phase 1: Completed pre-decoding.
       full event: '{"reqId":"wlioIFa6pOvt6DIAoeHE","remoteAddr":"127.0.0.1","app":"core","message":"Login failed: 'admin' (Remote IP: '127.0.0.1')","level":2,"time":"2016-04-12T22:28:20+02:00","method":"POST","url":"\/","user":"--","@source":"ownCloud"}'
       timestamp: '(null)'
       hostname: 'test'
       program_name: '(null)'
       log: '{"reqId":"wlioIFa6pOvt6DIAoeHE","remoteAddr":"127.0.0.1","app":"core","message":"Login failed: 'admin' (Remote IP: '127.0.0.1')","level":2,"time":"2016-04-12T22:28:20+02:00","method":"POST","url":"\/","user":"--","@source":"ownCloud"}'

**Phase 2: Completed decoding.
       decoder: 'json'
       reqId: 'wlioIFa6pOvt6DIAoeHE'
       remoteAddr: '127.0.0.1'
       app: 'core'
       message: 'Login failed: 'admin' (Remote IP: '127.0.0.1')'
       level: '2'
       time: '2016-04-12T22:28:20+02:00'
       method: 'POST'
       url: '/'
       user: '--'
       @source: 'ownCloud'

**Phase 3: Completed filtering (rules).
       Rule id: '87301'
       Level: '6'
       Description: 'ownCloud authentication failed.'

-> No srcip at all in the decoder

where something similar with e.g. the sshd decoder (using an example log from there) is showing the srcip correctly:

**Phase 1: Completed pre-decoding.
       full event: 'Apr 14 19:28:21 gorilla sshd[31274]: Connection closed by 192.168.1.33'
       timestamp: 'Apr 14 19:28:21'
       hostname: 'gorilla'
       program_name: 'sshd'
       log: 'Connection closed by 192.168.1.33'

**Phase 2: Completed decoding.
       decoder: 'sshd'
       srcip: '192.168.1.33'

**Phase 3: Completed filtering (rules).
       Rule id: '5722'
       Level: '0'
       Description: 'sshd: ssh connection closed.'

It looks like this is known and currently discussed in https://github.com/wazuh/wazuh/issues/2084, but it makes the whole active response topic, where the srcip is required, completely useless if a json decoder like the one for ownCloud is used.

iasdeoupxe avatar Jun 03 '19 14:06 iasdeoupxe

Nevertheless, from the above, probably the following needs to be used?

<regex offset="after_prematch">^'(\w+)' \(Remote IP: '(\S+)'|^'(\w+)' \(Remote IP: '(\S+)\)</regex>

iasdeoupxe avatar Jun 03 '19 18:06 iasdeoupxe

Hello @aquerubin,

First of all, thank you so much for your contribution to the Ruleset project. It's interesting that you prefer to use \S+ instead of \d+.\d+.\d+.\d+. Could you send me a log example that doesn't match our rules and does with your PR rules?

Kind regards, Eva

Lopuiz avatar Jun 18 '19 11:06 Lopuiz

@Lopuiz \d+.\d+.\d+.\d+ regex is IPv4 specific while \S+ works for both IPv4 and IPv6.

kravietz avatar Aug 07 '19 13:08 kravietz
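The point made in the last two comments, worked through on the ownCloud event quoted earlier in the thread, as an added example that is not part of the PR or of this discussion. It compares three extraction patterns over the JSON `message` field: the older four-digit-run shape, the broader `\S+` shape terminated by the closing quote, and an unterminated `\S+` (the "broken syntax case" from the second comment), for both an IPv4 and a constructed IPv6 address. The patterns are written in Python's `re` syntax as an approximation of the OSSEC/Wazuh regex dialect (both treat `\(` as a literal parenthesis and an unescaped `.` as any character); the `extract_srcip`, `compare` and `make_event` helpers and the IPv6 sample value are assumptions of this example, not decoder code.

```python
import ipaddress
import json
import re

# Three candidate extraction patterns for the ownCloud "message" field.
# 1. Older decoder shape: four digit runs separated by any character (the
#    unescaped '.' matches any character, as it does in the OSSEC dialect).
IPV4_ONLY = re.compile(r"Remote IP: '(\d+.\d+.\d+.\d+)'")
# 2. PR's broader shape: any non-whitespace run, closed by the quote+paren
#    that ownCloud writes after the address.
ANY_ADDR = re.compile(r"Remote IP: '(\S+)'\)")
# 3. Unterminated variant: no closing delimiter after the capture, so \S+
#    runs on past the address and swallows the trailing "')" characters.
UNTERMINATED = re.compile(r"Remote IP: '(\S+)")


def extract_srcip(event_json, pattern):
    """Decode the JSON event, run `pattern` over its message field and return
    the captured address, or None when the pattern does not match."""
    event = json.loads(event_json)
    match = pattern.search(event.get("message", ""))
    return match.group(1) if match else None


def is_valid_ip(value):
    """True when the captured string parses as an IPv4 or IPv6 address."""
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False


def make_event(remote_ip):
    """Constructed event in the shape of the ownCloud log quoted in the thread
    (only the fields that matter for extraction are kept)."""
    return json.dumps({
        "reqId": "constructed",
        "remoteAddr": remote_ip,
        "app": "core",
        "message": f"Login failed: 'admin' (Remote IP: '{remote_ip}')",
        "level": 2,
        "@source": "ownCloud",
    })


def compare(remote_ip):
    """Run all three patterns over one event.
    Returns {pattern_name: (captured_value_or_None, is_valid_address)}."""
    event = make_event(remote_ip)
    results = {}
    for name, pattern in (("ipv4_only", IPV4_ONLY),
                          ("any_addr", ANY_ADDR),
                          ("unterminated", UNTERMINATED)):
        captured = extract_srcip(event, pattern)
        results[name] = (captured, captured is not None and is_valid_ip(captured))
    return results


if __name__ == "__main__":
    # 127.0.0.1 is the address from the thread; the IPv6 value is constructed.
    for ip in ("127.0.0.1", "2001:db8::1"):
        print(ip)
        for name, (captured, ok) in compare(ip).items():
            print(f"  {name:13s} -> {captured!r} valid={ok}")
```

The IPv4-only pattern returns nothing for the IPv6 event, so a rule keyed on `srcip` (and any active response built on it) never fires; `\S+` captures both addresses, but only because the pattern also consumes the `')` that follows the address. Leaving that terminator off yields `127.0.0.1')`, which `ipaddress` rejects, which is the situation the "Adding |)" comment describes. Validating the captured value before handing it to an active-response script is a cheap check against exactly that kind of over-capture.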