In Wazuh custom decoders, the regular expression also has to be of the pcre2 type
The IPS log format is:
Mar 10 17:12:34 XX-Internet-IPS1-XX03-XXU IPS: SerialNum=23139121 GenTime="2023-03-10 17:12:34" SrcIP=10.32.56.214 SrcIP6= SrcIPVer=4 DstIP=120.26.160.74 DstIP6= DstIPVer=4 Protocol=TCP SrcPort=65443 DstPort=443 InInterface=xge1/1 OutInterface=xge1/2 SMAC=f0:a3:68:4d:93:07 DMAC=00:1c:54:ff:08:2e FwPolicyID=1 EventName=TCP_远程控制软件_向日葵_V9_建立控制连接 EventID=152328230 EventLevel=2 EventsetName=new_all SecurityType=安全审计 SecurityID=11 ProtocolType=HTTPS ProtocolID=51 Action=PASS Vsysid=0 Content="数据长度=1350;TCP数据内容=5e;TCP目的端口=65443;" CapToken= EvtCount=1
Decoder:
While writing the decoder for the IPS logs, I found that the default regex type handles very little; it could not even parse the double quotes around the GenTime value. Setting type="pcre2" on the regex finally made the line parse:
<decoder name="ips_log">
  <program_name>^IPS</program_name>
</decoder>

<!-- child decoder: the dots in the two IP patterns are escaped so "." matches a literal dot, not any character -->
<decoder name="ips_log">
  <parent>ips_log</parent>
  <regex type="pcre2">SerialNum=(\d+) GenTime="(.+?)" SrcIP=(\d+\.\d+\.\d+\.\d+) SrcIP6= SrcIPVer=4 DstIP=(\d+\.\d+\.\d+\.\d+) DstIP6= DstIPVer=4 Protocol=(\w+) SrcPort=(\d+) DstPort=(\d+) InInterface=([a-zA-Z0-9/]+) OutInterface=([a-zA-Z0-9/]+) SMAC=(\w+:\w+:\w+:\w+:\w+:\w+) DMAC=(\w+:\w+:\w+:\w+:\w+:\w+) FwPolicyID=(\d+) EventName=([^\s]*) EventID=(\d+) EventLevel=(\d+) EventsetName=([^\s]*) SecurityType=([^\s]*) SecurityID=(\d+) ProtocolType=(\w+) ProtocolID=(\d+) Action=(\w+) Vsysid=(\d+) Content="(.+?)" CapToken= EvtCount=(\d+)</regex>
  <order>SerialNum,GenTime,SrcIP,DstIP,Protocol,SrcPort,DstPort,InInterface,OutInterface,SMAC,DMAC,FwPolicyID,EventName,EventID,EventLevel,EventsetName,SecurityType,SecurityID,ProtocolType,ProtocolID,Action,Vsysid,Content,EvtCount</order>
</decoder>
RULE:
Testing showed that it does not seem possible to put multiple conditions in the same rule; each one has to be filtered in its own rule, step by step:
<!-- Check IPS events whose action result is PASS -->
<group name="IPS">
  <rule id="100101" level="5">
    <decoded_as>ips_log</decoded_as>
    <description>All_IPS__Events</description>
    <options>no_full_log</options>
  </rule>

  <!-- <field name="..."> tests a field extracted by the decoder; <match> would test the whole log line -->
  <rule id="100102" level="5">
    <if_sid>100101</if_sid>
    <decoded_as>ips_log</decoded_as>
    <description>全部PASS状态事件</description>
    <field name="Action">PASS</field>
    <options>no_full_log</options>
  </rule>

  <rule id="100103" level="6">
    <if_sid>100102</if_sid>
    <decoded_as>ips_log</decoded_as>
    <description>IPS异常告警事件</description>
    <field name="EventName" type="pcre2">^(?!.*(?:向日葵|天擎)).*$</field>
    <options>no_full_log</options>
  </rule>
</group>
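To check the decoder regex and the rule chain before loading them on a manager, here is an added Python example (not code from the page or from the Wazuh project). It applies the same patterns with Python's re module, which supports every construct used here (\d, \w, \s, lazy quantifiers, negative lookahead), maps the capture groups through the decoder's order list, and then walks the three chained rules. The syslog-header regex and the evaluate_rules function are a simplified stand-in for what analysisd does, not its real logic; the log lines other than the first are constructed variants of the sample above. The authoritative test remains wazuh-logtest on the manager.

```python
import re

# Constructed sample lines: the first is the IPS line shown on the page, the
# others are variants built from it by substitution (constructed test data).
SAMPLE_LOG = (
    'Mar 10 17:12:34 XX-Internet-IPS1-XX03-XXU IPS: SerialNum=23139121 '
    'GenTime="2023-03-10 17:12:34" SrcIP=10.32.56.214 SrcIP6= SrcIPVer=4 '
    'DstIP=120.26.160.74 DstIP6= DstIPVer=4 Protocol=TCP SrcPort=65443 DstPort=443 '
    'InInterface=xge1/1 OutInterface=xge1/2 SMAC=f0:a3:68:4d:93:07 '
    'DMAC=00:1c:54:ff:08:2e FwPolicyID=1 EventName=TCP_远程控制软件_向日葵_V9_建立控制连接 '
    'EventID=152328230 EventLevel=2 EventsetName=new_all SecurityType=安全审计 '
    'SecurityID=11 ProtocolType=HTTPS ProtocolID=51 Action=PASS Vsysid=0 '
    'Content="数据长度=1350;TCP数据内容=5e;TCP目的端口=65443;" CapToken= EvtCount=1'
)
OTHER_EVENT_LOG = SAMPLE_LOG.replace(
    "EventName=TCP_远程控制软件_向日葵_V9_建立控制连接", "EventName=Constructed_Test_Event")
DROPPED_LOG = SAMPLE_LOG.replace("Action=PASS", "Action=DROP")

# Simplified stand-in for Wazuh's syslog header parsing: "Mon DD HH:MM:SS host program: rest"
SYSLOG_HEADER = re.compile(r"^\w{3}\s+\d{1,2} \d\d:\d\d:\d\d \S+ ([^:\s]+): (.*)$")
# <program_name>^IPS</program_name> from the parent decoder
PROGRAM_NAME = re.compile(r"^IPS")

# The child decoder's <regex type="pcre2"> pattern, with the dots in the IP
# fields escaped so "." matches a literal dot rather than any character.
DECODER_REGEX = re.compile(
    r'SerialNum=(\d+) GenTime="(.+?)" SrcIP=(\d+\.\d+\.\d+\.\d+) SrcIP6= SrcIPVer=4 '
    r'DstIP=(\d+\.\d+\.\d+\.\d+) DstIP6= DstIPVer=4 Protocol=(\w+) SrcPort=(\d+) DstPort=(\d+) '
    r'InInterface=([a-zA-Z0-9/]+) OutInterface=([a-zA-Z0-9/]+) '
    r'SMAC=(\w+:\w+:\w+:\w+:\w+:\w+) DMAC=(\w+:\w+:\w+:\w+:\w+:\w+) FwPolicyID=(\d+) '
    r'EventName=([^\s]*) EventID=(\d+) EventLevel=(\d+) EventsetName=([^\s]*) '
    r'SecurityType=([^\s]*) SecurityID=(\d+) ProtocolType=(\w+) ProtocolID=(\d+) '
    r'Action=(\w+) Vsysid=(\d+) Content="(.+?)" CapToken= EvtCount=(\d+)'
)
# The decoder's <order> list: capture group i is stored under ORDER[i]
ORDER = [
    "SerialNum", "GenTime", "SrcIP", "DstIP", "Protocol", "SrcPort", "DstPort",
    "InInterface", "OutInterface", "SMAC", "DMAC", "FwPolicyID", "EventName",
    "EventID", "EventLevel", "EventsetName", "SecurityType", "SecurityID",
    "ProtocolType", "ProtocolID", "Action", "Vsysid", "Content", "EvtCount",
]
assert len(ORDER) == DECODER_REGEX.groups, "order list must have one name per capture group"

# Rule 100103's <field name="EventName" type="pcre2"> pattern: matches only
# event names that contain neither of the two allow-listed strings.
EVENTNAME_FILTER = re.compile(r"^(?!.*(?:向日葵|天擎)).*$")


def decode(line):
    """Return the decoded fields as a dict, or None if the ips_log decoder does not apply."""
    header = SYSLOG_HEADER.match(line)
    if header is None or PROGRAM_NAME.search(header.group(1)) is None:
        return None
    m = DECODER_REGEX.search(header.group(2))
    if m is None:
        return None
    return dict(zip(ORDER, m.groups()))


def evaluate_rules(fields):
    """Return the ids of the chained rules 100101 -> 100102 -> 100103 that fire."""
    fired = []
    if fields is None:  # not decoded as ips_log: nothing in the group applies
        return fired
    fired.append(100101)  # <decoded_as>ips_log</decoded_as>
    if re.search("PASS", fields["Action"]) is None:  # <field name="Action">PASS</field>
        return fired
    fired.append(100102)
    if EVENTNAME_FILTER.search(fields["EventName"]):  # <field name="EventName" type="pcre2">
        fired.append(100103)
    return fired


if __name__ == "__main__":
    for line in (SAMPLE_LOG, OTHER_EVENT_LOG, DROPPED_LOG):
        fields = decode(line)
        print(fields["EventName"], fields["Action"], "->", evaluate_rules(fields))
```

For the sample line the chain stops at 100102, because the event name contains the allow-listed string 向日葵; the constructed event name reaches 100103, and the DROP variant stops at 100101. Keeping the module-level assertion on the group count catches the most common decoder mistake, an order list that drifts out of step with the capture groups.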