
OSSEC: adding fields from the decoder to the rule description

How to solve: OSSEC adding fields from the decoder to the rule description

I am using OSSEC as a HIDS.

I created a custom decoder and extracted fields such as srcip, dstip and protocol from the log.

Here is the log line used for testing with ./ossec-logtest:

Sep  2 14:39:23 rana-HP-Notebook kernel: [21261.042146] [UFW BLOCK] IN=wlp19s0 OUT= MAC=cc:b0:da:66:20:c3:00:23:15:d4:dd:70:08:00 SRC=192.153.41.125 DST=192.153.41.12 LEN=40 TOS=0x00 PREC=0x00 TTL=64 ID=28858 PROTO=TCP SPT=2662 DPT=0 WINDOW=512 RES=0x00 URGP=0

The decoder written for this log is:

<decoder name="iptables-blockedip">
   <parent>iptables</parent>
   <prematch offset="after_parent">^\S+ [UFW BLOCK] IN=\S+ OUT= MAC=\S+ </prematch>
   <regex offset="after_prematch">^SRC=(\S+) DST=(\S+) LEN=\S+ TOS=\S+ PREC=\S+ TTL=\S+ ID=\S+ PROTO=(\S+) SPT=(\S+) DPT=(\S+) WINDOW=\S+ RES=\S+ URGP=\S+$</regex>
   <order>srcip,dstip,protocol,srcport,dstport</order>
</decoder>

The rule is:

<rule id="100002" level="8">
    <decoded_as>iptables</decoded_as>
    <description>An ip was blocked by the firewall</description>
</rule>

This is the output of ossec-logtest:

**Phase 1: Completed pre-decoding.
       full event: 'Sep  2 14:39:23 rana-HP-Notebook kernel: [21261.042146] [UFW BLOCK] IN=wlp19s0 OUT= MAC=cc:b0:da:66:20:c3:00:23:15:d4:dd:70:08:00 SRC=192.153.41.125 DST=192.153.41.12 LEN=40 TOS=0x00 PREC=0x00 TTL=64 ID=28858 PROTO=TCP SPT=2662 DPT=0 WINDOW=512 RES=0x00 URGP=0'
       hostname: 'rana-HP-Notebook'
       program_name: 'kernel'
       log: '[21261.042146] [UFW BLOCK] IN=wlp19s0 OUT= MAC=cc:b0:da:66:20:c3:00:23:15:d4:dd:70:08:00 SRC=192.153.41.125 DST=192.153.41.12 LEN=40 TOS=0x00 PREC=0x00 TTL=64 ID=28858 PROTO=TCP SPT=2662 DPT=0 WINDOW=512 RES=0x00 URGP=0'

**Phase 2: Completed decoding.
       decoder: 'iptables'
       srcip: '192.153.41.125'
       dstip: '192.153.41.12'
       proto: 'TCP'
       srcport: '2662'
       dstport: '0'

**Phase 3: Completed filtering (rules).
       Rule id: '100002'
       Level: '8'
       Description: 'An ip was blocked by the firewall'

Now the main question is:

Can the fields extracted by the decoder be added to the rule description, so that they appear in the description when the alert is raised?

The result I expect from phase 3 of ossec-logtest is:

**Phase 3: Completed filtering (rules).
       Rule id: '100002'
       Level: '8'
       Description: 'An ip 192.153.41.125 was blocked by the firewall'

Solution

You can use the following syntax in the description: $(field_name)

Your rule would look like this:

<rule id="100002" level="8">
    <decoded_as>iptables</decoded_as>
    <description>An ip $(srcip) was blocked by the firewall</description>
</rule>

You can find more information about this in the Wazuh documentation: https://documentation.wazuh.com/3.13/user-manual/ruleset/ruleset-xml-syntax/rules.html#description
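To make the decoder-to-description flow concrete, here is an added Python simulation of what the decoder in the question and the answer's $(srcip) rule do together. It is example code written for this page, not OSSEC's or Wazuh's own engine: the two regexes are hand-translated from the question's OSSEC decoder into Python's re dialect, the syslog header stripping and the decoded_as check are simplified, and the choice to leave an unresolved $(name) placeholder untouched is this simulation's convention, not a statement about how OSSEC renders unknown fields.

```python
import re

# Constructed sample log line, same shape as the one tested in the question.
SAMPLE_LOG = (
    "Sep  2 14:39:23 rana-HP-Notebook kernel: [21261.042146] [UFW BLOCK] "
    "IN=wlp19s0 OUT= MAC=cc:b0:da:66:20:c3:00:23:15:d4:dd:70:08:00 "
    "SRC=192.153.41.125 DST=192.153.41.12 LEN=40 TOS=0x00 PREC=0x00 TTL=64 "
    "ID=28858 PROTO=TCP SPT=2662 DPT=0 WINDOW=512 RES=0x00 URGP=0"
)

# Python re equivalents of the <prematch> and <regex> from the question's
# decoder (hand-translated for this example; OSSEC's own regex dialect differs).
PREMATCH = re.compile(r"^\S+ \[UFW BLOCK\] IN=\S+ OUT= MAC=\S+ ")
FIELDS_RE = re.compile(
    r"^SRC=(\S+) DST=(\S+) LEN=\S+ TOS=\S+ PREC=\S+ TTL=\S+ ID=\S+ "
    r"PROTO=(\S+) SPT=(\S+) DPT=(\S+) WINDOW=\S+ RES=\S+ URGP=\S+$"
)
# The decoder's <order>: capture group i is stored under ORDER[i].
ORDER = ["srcip", "dstip", "protocol", "srcport", "dstport"]

# The rule from the answer, reduced to the attributes this simulation uses.
RULE = {
    "id": "100002",
    "level": 8,
    "decoded_as": "iptables",
    "description": "An ip $(srcip) was blocked by the firewall",
}


def strip_syslog_header(line):
    """Simplified stand-in for OSSEC's pre-decoding: drop 'Mon DD HH:MM:SS host prog:'
    and return the remaining log text, or None if the line is not syslog-shaped."""
    m = re.match(r"^\w{3}\s+\d+ \d\d:\d\d:\d\d \S+ \S+: (.*)$", line)
    return m.group(1) if m else None


def decode(line):
    """Run the child decoder: prematch first, then the field regex on the text
    after the prematch (offset="after_prematch"). Returns a field dict or None."""
    log = strip_syslog_header(line)
    if log is None:
        return None
    pm = PREMATCH.match(log)
    if pm is None:
        return None
    m = FIELDS_RE.match(log[pm.end():])
    if m is None:
        return None
    return dict(zip(ORDER, m.groups()))


def render_description(template, fields):
    """Replace every $(name) in the description with the decoded value.
    Unresolved placeholders are kept verbatim (this simulation's choice)."""
    def substitute(match):
        return fields.get(match.group(1), match.group(0))
    return re.sub(r"\$\(([A-Za-z_][A-Za-z0-9_]*)\)", substitute, template)


def evaluate(line, rule=RULE):
    """Decode the line and, if the decoder fired, produce the alert fields
    the way phase 3 of ossec-logtest would print them."""
    fields = decode(line)
    if fields is None:
        return None
    return {
        "rule_id": rule["id"],
        "level": rule["level"],
        "description": render_description(rule["description"], fields),
    }


if __name__ == "__main__":
    alert = evaluate(SAMPLE_LOG)
    for key, value in alert.items():
        print(f"{key}: '{value}'")
```

Running the script prints the rule id, level and the rendered description for the sample line; a line that does not pass the prematch (for example a kernel message that is not a UFW BLOCK entry) yields no alert at all, which is the behaviour to check when a decoder silently stops matching after a log format change.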
