Wazuh custom decoder examples
Sample logs:
IPS:
Mar 10 17:12:34 XX-Internet-IPS1-R03-25U IPS: SerialNum=23139121998 GenTime="2023-03-10 17:12:34" SrcIP=23.10.156.214 SrcIP6= SrcIPVer=4 DstIP=120.26.160.74 DstIP6= DstIPVer=4 Protocol=TCP SrcPort=65443 DstPort=443 InInterface=xge1/1 OutInterface=xge1/2 SMAC=f0:a2:b8:8c:93:07 DMAC=00:1c:54:ff:08:2e FwPolicyID=1 EventName=TCP_远程控制软件_hello_V9_建立控制连接 EventID=152328230 EventLevel=2 EventsetName=new_all SecurityType=安全审计 SecurityID=11 ProtocolType=HTTPS ProtocolID=51 Action=PASS Vsysid=0 Content="数据长度=1350;TCP数据内容=5e;TCP目的端口=65443;" CapToken= EvtCount=1
Mar 16 15:46:51 XX-Internet-IPS1-R03-25U IPS: SerialNum=2311998 GenTime="2023-03-16 15:46:51" SrcIP=23.10.156.66 SrcIP6= SrcIPVer=4 DstIP=10.38.48.254 DstIP6= DstIPVer=4 Protocol=FTP SrcPort=53767 DstPort=21 InInterface=xge1/1 OutInterface=xge1/2 SMAC=f0:a2:b8:8c:93:07 DMAC=00:1c:54:ff:08:2e FwPolicyID=1 EventName=FTP_口令弱 EventID=169225718 EventLevel=2 EventsetName=new_all SecurityType=脆弱口令 SecurityID=24 ProtocolType=FTP ProtocolID=12 Action=PASS Content="username=anonymous;password=******" EvtCount=1
Anti-virus gateway:
<156>utm_event: devid=4 date="2023/06/12 11:21:38" dname=HZH-AV-M logtype=7 pri=4 ver=0.3.0 user="" mod=av eventtype=AV eventname="僵尸网络 [疑似]僵尸网络" severity=高 dsp_msg="[疑似]僵尸网络" protocol=TCP srcaddr=23.34.60.8 srcport=46568 destaddr=59.82.120.227 destport=443 srcregion="HOST" destregion="CN-中国" app=TCP:443 repeated=1 eventdetails="" action=通过 if="" fwlog=0
WAF:
<902>Jun 12 10:49:23 LJ_DMZ_WAF_R06_34U WAG: SerialNum=2213342106039998 GenTime="2023-06-12 10:49:23" Module=HTTP_认证请求 SrcIP=23.231.117.94 DstIP=10.32.64.28 SrcPort=10665 DstPort=80 In=ge0/1 Out=ge0/2 Action=pass URL="vjoin.landspace.com:48880/seeyonjoin/main/login" Content="用户名称=;URL=/seeyonjoin/main/login;HOST=vjoin.landspace.com:48880;Body_Data=login_username=13810487986&login_password=v12345678&login.code=129835;" EvtCount=1 Evt_level=10 Evt_type=网页爬虫 Evt_log_level=6 Host=vjoin.landspace.com:48880 Evt_response=0 BeforeNat= Method=POST
Internet access control (AC):
<6>Jun 12 11:24:06 LJ-JX-ACM-M;550101300120120901622684;ipv4;3; statistic_traffic: user_name=23.33.63.178;ugname=anonymous;umac=F4:1D:6B:98:09:C7;uip=23.33.63.178;appname=飞书_视频语音;appgname=办公软件;up=1327920;down=272960;create_time=1686540240;end_time=1686540300
Huawei FW:
<190>Jun 12 2023 11:20:51 LJ-YanFa-FW2-R04-14U %%01POLICY/6/POLICYDENY(l):vsys=public, protocol=17, source-ip=23.8.27.252, source-port=57975, destination-ip=192.203.230.10, destination-port=53, time=Jun 12 2023 11:20:51, source-zone=trust, destination-zone=untrust, application-name=, rule-name=default.
Wazuh decoders:
<!-- IPS log decoder: parent matches on the syslog program name, child extracts the fields -->
<decoder name="ips_log">
  <program_name>^IPS</program_name>
</decoder>
<decoder name="LJ_IPS_log">
  <parent>ips_log</parent>
  <regex type="pcre2">SerialNum=(\d+) GenTime="(.+?)" SrcIP=(\d+\.\d+\.\d+\.\d+) SrcIP6= SrcIPVer=4 DstIP=(\d+\.\d+\.\d+\.\d+) DstIP6= DstIPVer=4 Protocol=(\w+) SrcPort=(\d+) DstPort=(\d+) InInterface=([a-zA-Z0-9/]+) OutInterface=([a-zA-Z0-9/]+) SMAC=(\w+:\w+:\w+:\w+:\w+:\w+) DMAC=(\w+:\w+:\w+:\w+:\w+:\w+) FwPolicyID=(\d+) EventName=([^\s]*) EventID=(\d+) EventLevel=(\d+) EventsetName=([^\s]*) SecurityType=([^\s]*) SecurityID=(\d+) ProtocolType=(\w+) ProtocolID=(\d+) Action=(\w+)</regex>
  <order>SerialNum,GenTime,SrcIP,DstIP,Protocol,SrcPort,DstPort,InInterface,OutInterface,SMAC,DMAC,FwPolicyID,EventName,EventID,EventLevel,EventsetName,SecurityType,SecurityID,ProtocolType,ProtocolID,Action</order>
</decoder>
<!-- WAF log decoder -->
<decoder name="WAF_log">
  <program_name>^WAG</program_name>
</decoder>
<decoder name="LJ_WAF_log">
  <parent>WAF_log</parent>
  <regex type="pcre2">SerialNum=(\d+) GenTime="(.+?)" Module=([^\s]*) SrcIP=(\d+\.\d+\.\d+\.\d+) DstIP=(\d+\.\d+\.\d+\.\d+) SrcPort=(\d+) DstPort=(\d+) In=([a-zA-Z0-9/]+) Out=([a-zA-Z0-9/]+) Action=(\w+) URL="([^\s]*)" Content="([^\s]*)" EvtCount=(\d+) Evt_level=(\d+) Evt_type=([^\s]*) Evt_log_level=(\d+) Host=([^\s]*) Evt_response=([^\s]*) BeforeNat=([^\s]*) Method=(\w+)</regex>
  <order>SerialNum,GenTime,Module,SrcIP,DstIP,SrcPort,DstPort,InInterface,OutInterface,Action,URL,Content,EvtCount,Evt_level,Evt_type,Evt_log_level,Host,Evt_response,BeforeNat,Method</order>
</decoder>
<!-- Anti-virus gateway log decoder -->
<decoder name="LJ_AVFW_log">
  <prematch>^utm_event: </prematch>
  <regex type="pcre2">devid=(\d+) date="(.+?)" dname=(.+?) logtype=(\d+) pri=(\d+) ver=([^\s]*) user=\"\" mod=(\w+) eventtype=(\w+) eventname="(.+?)" severity=([^\s]*) dsp_msg="([^\s]*)" protocol=(\w+) srcaddr=(\d+\.\d+\.\d+\.\d+) srcport=(\d+) destaddr=(\d+\.\d+\.\d+\.\d+) destport=(\d+) srcregion="([^\s]*)" destregion="([^\s]*)" app=([^\s]*) repeated=(\d+) eventdetails="" action=([^\s]*)</regex>
  <order>AV_devid,AV_date,AV_dname,AV_logtype,AV_pri,AV_ver,AV_mod,AV_event_type,AV_event_name,AV_severity,AV_dsp_msg,AV_protocol,AV_srcaddr,AV_srcport,AV_destaddr,AV_destport,AV_srcregion,AV_destregion,AV_app,AV_repeated,AV_action</order>
</decoder>
<!-- Internet access control (AC) log decoder -->
<decoder name="LJ_AC_log">
  <prematch>^LJ-JX-ACM-M</prematch>
  <regex type="pcre2">user_name=(\d+\.\d+\.\d+\.\d+);ugname=(\w+);umac=(\w+:\w+:\w+:\w+:\w+:\w+);uip=(\d+\.\d+\.\d+\.\d+);appname=([^\s]*);appgname=([^\s]*);up=(\d+);down=(\d+);create_time=(\d+);end_time=(\d+)</regex>
  <order>AC_user_name,AC_ugname,AC_umac,AC_uip,AC_appname,AC_appgname,AC_up,AC_down,AC_create_time,AC_end_time</order>
</decoder>
<!-- Huawei firewall log decoder: the prematch pins the "%%01POLICY/6/POLICYDENY(l):" header, the child extracts the fields -->
<decoder name="HW_FW">
  <prematch>^\w+\s+\d+\s+\d+\s+\d+:\d+:\d+\s+LJ-\S+-FW\S+\s+%%\d\d\S+/\d/\S+\(\w\):</prematch>
</decoder>
<decoder name="LJ_HW_FW">
  <parent>HW_FW</parent>
  <regex type="pcre2">vsys=(\w+), protocol=(\d+), source-ip=(\d+\.\d+\.\d+\.\d+), source-port=(\d+), destination-ip=(\d+\.\d+\.\d+\.\d+), destination-port=(\d+), time=(\w+\s+\d+\s+\d+\s+\d+:\d+:\d+), source-zone=(\w+), destination-zone=(\w+), application-name=, rule-name=(\w+)</regex>
  <order>FW_vsys,FW_protocol,FW_SRC_IP,FW_SRC_port,FW_DST_IP,FW_DST_port,FW_time,FW_SRC_Zone,FW_DST_Zone,FW_rule_name</order>
</decoder>
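A quick offline check that a decoder's capture groups line up with its <order> list and that the sample lines really match is worth doing before loading the XML into Wazuh. The harness below is an added example, not part of the original post or of Wazuh: it replays the LJ_IPS_log and LJ_HW_FW regexes above with Python's re module standing in for pcre2 (the dots in the IP patterns are escaped here), against the two sample message bodies with their syslog headers removed.

```python
import re
# Regex/<order> pairs copied from two decoders on this page (LJ_IPS_log, LJ_HW_FW).
# Python's re stands in for Wazuh's pcre2; the patterns use only constructs both share.
DECODERS = {
    "LJ_IPS_log": (
        r'SerialNum=(\d+) GenTime="(.+?)" SrcIP=(\d+\.\d+\.\d+\.\d+) SrcIP6= SrcIPVer=4 '
        r'DstIP=(\d+\.\d+\.\d+\.\d+) DstIP6= DstIPVer=4 Protocol=(\w+) SrcPort=(\d+) '
        r'DstPort=(\d+) InInterface=([a-zA-Z0-9/]+) OutInterface=([a-zA-Z0-9/]+) '
        r'SMAC=(\w+:\w+:\w+:\w+:\w+:\w+) DMAC=(\w+:\w+:\w+:\w+:\w+:\w+) FwPolicyID=(\d+) '
        r'EventName=([^\s]*) EventID=(\d+) EventLevel=(\d+) EventsetName=([^\s]*) '
        r'SecurityType=([^\s]*) SecurityID=(\d+) ProtocolType=(\w+) ProtocolID=(\d+) '
        r'Action=(\w+)',
        "SerialNum,GenTime,SrcIP,DstIP,Protocol,SrcPort,DstPort,InInterface,OutInterface,"
        "SMAC,DMAC,FwPolicyID,EventName,EventID,EventLevel,EventsetName,SecurityType,"
        "SecurityID,ProtocolType,ProtocolID,Action",
    ),
    "LJ_HW_FW": (
        r'vsys=(\w+), protocol=(\d+), source-ip=(\d+\.\d+\.\d+\.\d+), source-port=(\d+), '
        r'destination-ip=(\d+\.\d+\.\d+\.\d+), destination-port=(\d+), '
        r'time=(\w+\s+\d+\s+\d+\s+\d+:\d+:\d+), source-zone=(\w+), destination-zone=(\w+), '
        r'application-name=, rule-name=(\w+)',
        "FW_vsys,FW_protocol,FW_SRC_IP,FW_SRC_port,FW_DST_IP,FW_DST_port,FW_time,"
        "FW_SRC_Zone,FW_DST_Zone,FW_rule_name",
    ),
}
# Constructed input: message bodies of two sample lines from this page, with the
# syslog header (date, host, program name) stripped as Wazuh's pre-decoder does.
SAMPLE_IPS = (
    'SerialNum=2311998 GenTime="2023-03-16 15:46:51" SrcIP=23.10.156.66 SrcIP6= SrcIPVer=4 '
    'DstIP=10.38.48.254 DstIP6= DstIPVer=4 Protocol=FTP SrcPort=53767 DstPort=21 '
    'InInterface=xge1/1 OutInterface=xge1/2 SMAC=f0:a2:b8:8c:93:07 DMAC=00:1c:54:ff:08:2e '
    'FwPolicyID=1 EventName=FTP_口令弱 EventID=169225718 EventLevel=2 EventsetName=new_all '
    'SecurityType=脆弱口令 SecurityID=24 ProtocolType=FTP ProtocolID=12 Action=PASS '
    'Content="username=anonymous;password=******" EvtCount=1'
)
SAMPLE_FW = (
    'vsys=public, protocol=17, source-ip=23.8.27.252, source-port=57975, '
    'destination-ip=192.203.230.10, destination-port=53, time=Jun 12 2023 11:20:51, '
    'source-zone=trust, destination-zone=untrust, application-name=, rule-name=default.'
)

def check_decoder(name):
    """Return (capture groups, <order> fields): Wazuh needs the two counts to agree."""
    regex, order = DECODERS[name]
    return re.compile(regex).groups, len(order.split(","))

def decode(name, message):
    """Run one decoder over a message body; None when its regex does not match."""
    regex, order = DECODERS[name]
    m = re.search(regex, message)
    return None if m is None else dict(zip(order.split(","), m.groups()))
```

Run `wazuh-logtest` against the full lines afterwards, since this harness does not reproduce the pre-decoder, `program_name` or `prematch` handling.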