
3.3 fix windows decoder #154

Merged
merged 6 commits into 3.10 from 3.3-fix-windows-decoder
Aug 27, 2019

Conversation

MiguelCasaresRobles
Member

@MiguelCasaresRobles MiguelCasaresRobles commented Jul 3, 2018

Hi team,

I have fixed decoder 0380-windows_decoder.xml for IIS logs and extracted new useful fields. With this modification, logs like these will be seen with these new fields:

2015-07-28 15:07:26 1.2.3.4 GET /QOsa/Browser/Default.aspx UISessionId=SN1234123&DeviceId=SN12312232SHARP+MX-4111N 80 - 31.3.3.7 OpenSystems/1.0;+product-family="85";+product-version="123ER123" 302 0 0 624

**Phase 1: Completed pre-decoding.
       full event: '2015-07-28 15:07:26 1.2.3.4 GET /QOsa/Browser/Default.aspx UISessionId=SN1234123&DeviceId=SN12312232SHARP+MX-4111N 80 - 31.3.3.7 OpenSystems/1.0;+product-family="85";+product-version="123ER123" 302 0 0 624'
       timestamp: '(null)'
       hostname: 'miguel-VirtualBox'
       program_name: '(null)'
       log: '2015-07-28 15:07:26 1.2.3.4 GET /QOsa/Browser/Default.aspx UISessionId=SN1234123&DeviceId=SN12312232SHARP+MX-4111N 80 - 31.3.3.7 OpenSystems/1.0;+product-family="85";+product-version="123ER123" 302 0 0 624'

**Phase 2: Completed decoding.
       decoder: 'windows-date-format'
       action: 'GET'
       url: '/QOsa/Browser/Default.aspx UISessionId=SN1234123&DeviceId=SN12312232SHARP+MX-4111N'
       srcport: '80'
       srcip: '31.3.3.7'
       user_agent: 'OpenSystems/1.0;+product-family="85";+product-version="123ER123"'
       id: '302'

**Phase 3: Completed filtering (rules).
       Rule id: '31108'
       Level: '0'
       Description: 'Ignored URLs (simple queries).

Regards,

Miguel Casares

@migruiz4 migruiz4 changed the base branch from 3.7 to master October 17, 2018 14:04
@albertomn86 albertomn86 requested a review from Lopuiz March 26, 2019 09:39
Contributor

@Lopuiz Lopuiz left a comment


Decoder web-accesslog-iis-default doesn't match:

2015-03-11 21:59:09 1.2.3.4 GET /console/faces/com_sun_web_ui/jsp/version/version_30.jsp - 80 - 31.3.3.7 Sun+Web+Console+Fingerprinter/7.15 - 404 0 2 0


**Phase 1: Completed pre-decoding.
       full event: '2015-03-11 21:59:09 1.2.3.4 GET /console/faces/com_sun_web_ui/jsp/version/version_30.jsp - 80 - 31.3.3.7 Sun+Web+Console+Fingerprinter/7.15 - 404 0 2 0'
       timestamp: '(null)'
       hostname: 'lopezziur-S551LN'
       program_name: '(null)'
       log: '2015-03-11 21:59:09 1.2.3.4 GET /console/faces/com_sun_web_ui/jsp/version/version_30.jsp - 80 - 31.3.3.7 Sun+Web+Console+Fingerprinter/7.15 - 404 0 2 0'

**Phase 2: Completed decoding.
       decoder: 'windows-date-format'
       url: '/console/faces/com_sun_web_ui/jsp/version/version_30.jsp -'
       srcip: '-'
       id: '404'

**Phase 3: Completed filtering (rules).
       Rule id: '31101'
       Level: '5'
       Description: 'Web server 400 error code.'
**Alert to be generated.

And this PR solves this problem:

2015-03-11 20:28:21 1.2.3.4 GET /certsrv/Default.asp - 80 - 31.3.3.7 Mozilla/5.0+(compatible;+MSIE+9.0;+Windows+NT+6.1;+WOW64;+Trident/7.0) - 401 2 5 0


**Phase 1: Completed pre-decoding.
       full event: '2015-03-11 20:28:21 1.2.3.4 GET /certsrv/Default.asp - 80 - 31.3.3.7 Mozilla/5.0+(compatible;+MSIE+9.0;+Windows+NT+6.1;+WOW64;+Trident/7.0) - 401 2 5 0'
       timestamp: '(null)'
       hostname: 'lopezziur-S551LN'
       program_name: '(null)'
       log: '2015-03-11 20:28:21 1.2.3.4 GET /certsrv/Default.asp - 80 - 31.3.3.7 Mozilla/5.0+(compatible;+MSIE+9.0;+Windows+NT+6.1;+WOW64;+Trident/7.0) - 401 2 5 0'

**Phase 2: Completed decoding.
       decoder: 'windows-date-format'
       action: 'GET'
       url: '/certsrv/Default.asp -'
       srcport: '80'
       srcip: '31.3.3.7'
       user_agent: 'Mozilla/5.0+(compatible;+MSIE+9.0;+Windows+NT+6.1;+WOW64;+Trident/7.0)'
       id: '401'

**Phase 3: Completed filtering (rules).
       Rule id: '31101'
       Level: '5'
       Description: 'Web server 400 error code.'
**Alert to be generated.

We have to merge this branch as soon as possible.

@Lopuiz Lopuiz self-assigned this Mar 26, 2019

@jsanchez91 jsanchez91 left a comment


Hi!
I come here from a community question. A user asked about this; I tried this change in Wazuh v3.9.2:

2015-03-11 22:01:58 1.2.3.4 GET /IISADMPWD/aexp.htr - 80 - 31.3.3.7 - - 404 0 2 0


**Phase 1: Completed pre-decoding.
       full event: '2015-03-11 22:01:58 1.2.3.4 GET /IISADMPWD/aexp.htr - 80 - 31.3.3.7 - - 404 0 2 0'
       timestamp: '(null)'
       hostname: 'master'
       program_name: '(null)'
       log: '2015-03-11 22:01:58 1.2.3.4 GET /IISADMPWD/aexp.htr - 80 - 31.3.3.7 - - 404 0 2 0'

**Phase 2: Completed decoding.
       decoder: 'windows-date-format'
       action: 'GET'
       url: '/IISADMPWD/aexp.htr -'
       srcport: '80'
       srcip: '31.3.3.7'
       user_agent: '-'
       id: '404'

**Phase 3: Completed filtering (rules).
       Rule id: '31101'
       Level: '5'
       Description: 'Web server 400 error code.'
**Alert to be generated.
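The three logtest runs above all parse IIS W3C extended log lines, and the reviewer's first run shows the failure mode a decoder for this format has to handle: the `-` placeholder that IIS writes for an empty column (here `cs-uri-query`, `cs-username` and `cs(Referer)`) was swallowed into `url` and `srcip`. The following is an added example, not code from this PR or from the wazuh-ruleset project: a header-driven parser in Python that reads the column order from a constructed `#Fields:` directive, maps `-` to "absent", decodes the `+` that IIS uses for spaces in the user-agent and referer columns, and names the output fields the way the logtest output in this thread does (`action`, `url`, `srcport`, `srcip`, `user_agent`, `id`). The headers, `IISLogError`, `DECODED_NAMES` and `web_error_alert` (a simplified stand-in for the condition behind rule 31101, which fires on the 401 and 404 lines above) are all assumptions made for the example; the sample lines are the ones quoted in this thread.

```python
"""Header-driven parser for IIS W3C extended log lines (added example, not wazuh-ruleset code)."""
from typing import Dict, List, Optional

# Constructed #Fields: directives. IIS writes this line at the top of each log
# file and it fixes the column order; the field set is configurable, which is
# why a positional decoder that assumes one layout breaks on another.
# This 15-column header is assumed for the three reviewer/community lines below.
FIELDS_HEADER = ("#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query "
                 "s-port cs-username c-ip cs(User-Agent) cs(Referer) "
                 "sc-status sc-substatus sc-win32-status time-taken")
# The line from the first comment has 14 columns (no cs(Referer)); assumed header for it.
FIELDS_HEADER_NO_REFERER = FIELDS_HEADER.replace(" cs(Referer)", "")

# Sample lines quoted in this thread.
SAMPLE_LINES = [
    "2015-03-11 21:59:09 1.2.3.4 GET /console/faces/com_sun_web_ui/jsp/version/version_30.jsp - 80 - 31.3.3.7 Sun+Web+Console+Fingerprinter/7.15 - 404 0 2 0",
    "2015-03-11 20:28:21 1.2.3.4 GET /certsrv/Default.asp - 80 - 31.3.3.7 Mozilla/5.0+(compatible;+MSIE+9.0;+Windows+NT+6.1;+WOW64;+Trident/7.0) - 401 2 5 0",
    "2015-03-11 22:01:58 1.2.3.4 GET /IISADMPWD/aexp.htr - 80 - 31.3.3.7 - - 404 0 2 0",
]
FIRST_COMMENT_LINE = ('2015-07-28 15:07:26 1.2.3.4 GET /QOsa/Browser/Default.aspx '
                      'UISessionId=SN1234123&DeviceId=SN12312232SHARP+MX-4111N 80 - 31.3.3.7 '
                      'OpenSystems/1.0;+product-family="85";+product-version="123ER123" 302 0 0 624')

# W3C column name -> field name used in the logtest output of this thread (assumed mapping).
DECODED_NAMES = {
    "cs-method": "action",
    "s-port": "srcport",
    "c-ip": "srcip",
    "cs(User-Agent)": "user_agent",
    "sc-status": "id",
}
TEXT_COLUMNS = ("cs(User-Agent)", "cs(Referer)")


class IISLogError(ValueError):
    """Raised when a line does not fit the declared column layout."""


def parse_fields_header(header: str) -> List[str]:
    """Return the column names declared by a '#Fields:' directive."""
    if not header.startswith("#Fields:"):
        raise IISLogError("expected a #Fields: directive")
    return header[len("#Fields:"):].split()


def _value(token: str, name: str) -> Optional[str]:
    """IIS writes '-' for an empty column and '+' for spaces in text columns."""
    if token == "-":
        return None
    if name in TEXT_COLUMNS:
        return token.replace("+", " ")
    return token


def parse_line(columns: List[str], line: str) -> Dict[str, Optional[str]]:
    """Split one log line by the declared columns; reject a column-count mismatch
    instead of silently shifting values into the wrong fields."""
    tokens = line.split(" ")
    if len(tokens) != len(columns):
        raise IISLogError(f"expected {len(columns)} columns, got {len(tokens)}")
    return {name: _value(tok, name) for name, tok in zip(columns, tokens)}


def decode(columns: List[str], line: str) -> Dict[str, Optional[str]]:
    """Produce the field set shown in the thread's logtest output."""
    rec = parse_line(columns, line)
    out = {DECODED_NAMES[k]: v for k, v in rec.items() if k in DECODED_NAMES}
    # url = stem plus query; an absent query (the '-' placeholder) must not leak
    # into the url, which is the defect visible in the reviewer's first run.
    stem, query = rec.get("cs-uri-stem"), rec.get("cs-uri-query")
    out["url"] = stem if query is None else f"{stem}?{query}"
    return out


def web_error_alert(decoded: Dict[str, Optional[str]]) -> Optional[str]:
    """Simplified stand-in for rule 31101: any 4xx status yields its description."""
    status = decoded.get("id")
    if status and len(status) == 3 and status.startswith("4"):
        return "Web server 400 error code."
    return None


if __name__ == "__main__":
    cols = parse_fields_header(FIELDS_HEADER)
    for sample in SAMPLE_LINES:
        d = decode(cols, sample)
        print(d, "->", web_error_alert(d))
    # The first comment's line uses a different column set: the count check catches it.
    try:
        decode(cols, FIRST_COMMENT_LINE)
    except IISLogError as exc:
        print("rejected:", exc)
    print(decode(parse_fields_header(FIELDS_HEADER_NO_REFERER), FIRST_COMMENT_LINE))
```

The stem and query are joined with `?` here, where the thread's decoder output shows them separated by a space; either is fine as long as the empty-query placeholder is dropped. The `+` decoding is applied only to the text columns, because a `+` inside `cs-uri-query` (as in the first comment's `SHARP+MX-4111N`) is part of the encoded query and not a logging artefact.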

@Lopuiz Lopuiz changed the base branch from master to 3.10 July 16, 2019 13:47
@Lopuiz Lopuiz self-requested a review August 14, 2019 08:26
Contributor

@Lopuiz Lopuiz left a comment


Hi team!

It should be noted what this user reports about it.

Regards, Eva

@Lopuiz Lopuiz self-requested a review August 14, 2019 08:38
@snaow snaow merged commit 62ce834 into 3.10 Aug 27, 2019
@snaow snaow deleted the 3.3-fix-windows-decoder branch August 27, 2019 06:43