wazuh的自定义decoder中，正则表达式也要用pcre2类型哟

IPS的日志格式为：

Mar 10 17:12:34 XX-Internet-IPS1-XX03-XXU IPS: SerialNum=23139121 GenTime="2023-03-10 17:12:34" SrcIP=10.32.56.214 SrcIP6= SrcIPVer=4 DstIP=120.26.160.74 DstIP6= DstIPVer=4 Protocol=TCP SrcPort=65443 DstPort=443 InInterface=xge1/1 OutInterface=xge1/2 SMAC=f0:a3:68:4d:93:07 DMAC=00:1c:54:ff:08:2e FwPolicyID=1 EventName=TCP_远程控制软件_向日葵_V9_建立控制连接 EventID=152328230 EventLevel=2 EventsetName=new_all SecurityType=安全审计 SecurityID=11 ProtocolType=HTTPS ProtocolID=51 Action=PASS Vsysid=0 Content="数据长度=1350;TCP数据内容=5e;TCP目的端口=65443;" CapToken= EvtCount=1

 

Decoder:

在写IPS的日志解码器时，发现默认的正则类型处理类型很有限，GenTime的“”都无法解析，最后在正则表达式上设置了type="pcre2"就可以解析出来了：

<decoder name="ips_log">
<program_name>^IPS</program_name>
</decoder>

<decoder name="ips_log">
<parent>ips_log</parent>
<regex type="pcre2">SerialNum=(\d+) GenTime="(.+?)" SrcIP=(\d+.\d+.\d+.\d+) SrcIP6= SrcIPVer=4 DstIP=(\d+.\d+.\d+.\d+) DstIP6= DstIPVer=4 Protocol=(\w+) SrcPort=(\d+) DstPort=(\d+) InInterface=([a-zA-Z0-9/]+) OutInterface=([a-zA-Z0-9/]+) SMAC=(\w+:\w+:\w+:\w+:\w+:\w+) DMAC=(\w+:\w+:\w+:\w+:\w+:\w+) FwPolicyID=(\d+) EventName=([^\s]*) EventID=(\d+) EventLevel=(\d+) EventsetName=([^\s]*) SecurityType=([^\s]*) SecurityID=(\d+) ProtocolType=(\w+) ProtocolID=(\d+) Action=(\w+) Vsysid=(\d+) Content="(.+?)" CapToken= EvtCount=(\d+)</regex>
<order>SerialNum,GenTime,SrcIP,DstIP,Protocol,SrcPort,DstPort,InInterface,OutInterface,SMAC,DMAC,FwPolicyID,EventName,EventID,EventLevel,EventsetName,SecurityType,SecurityID,ProtocolType,ProtocolID,Action,Vsysid,Content,EvtCount</order>
</decoder>

 

RULE:

测试发现好像没法在同一个规则中，写多个规则，需要一个个的筛选判断：

<!-- 检查IPS执行结果为PASS的事件 -->
<group name="IPS">
  <rule id="100101" level="5">
     <decoded_as>ips_log</decoded_as>
     <description>All_IPS__Events</description>
     <options>no_full_log</options>
 </rule>

 <rule id="100102" level="5">
     <if_sid>100101</if_sid>
     <decoded_as>ips_log</decoded_as>
     <description>全部PASS状态事件</description>
     <match name="Action">PASS</match> 
     <options>no_full_log</options>
 </rule>

 <rule id="100103" level="6">
    <if_sid>100102</if_sid>
    <decoded_as>ips_log</decoded_as>
    <description>IPS异常告警事件</description>
    <match name="EventName" type="pcre2">^(?!.*(?:向日葵|天擎)).*$</match> 
    <options>no_full_log</options>
 </rule>

</group>