I would vote for something that's a mix of the two like: <prematch type="pcre2">^[0-9A-Z]{12},\d+,\d+</prematch>. That way it's looking for more than just a MAC address followed by a comma.
The current symantec-av decoder appears to be too generic.
We have multiple clients who have UniFi devices that send non-standard syslog in a format that matches the Symantec-AV decoder. In order to write custom decoders/rules for these devices, we have to exclude the stock Symantec decoders and rules. This could present a problem when a customer uses both UniFi devices and Symantec-AV or Web Security.
Here are a couple of sample UniFi logs:
Aug 17 10:51:57 some-unifi-AP-dns-name 74acb9bc33f5,UAP-AC-Lite-5.43.36+12724: kernel: [1359238.979852] [wifi1] FWLOG: [49676369] WAL_DBGID_TX_BA_SETUP ( 0x4365a4, 0x0, 0x0, 0x10040, 0xfe4271fd )
Aug 17 10:51:12 some-unifi-switch-dns-name e063dacde998,US-16-150W-5.64.8+13083: switch: DOT1S: inst(0) has elected a new STP root: FF:AA:BB:DD:DD:0D:32:1C
Here is the output of wazuh-logtest:
/var/ossec/bin/wazuh-logtest
Starting wazuh-logtest v4.1.5
Type one log per line
Aug 17 10:51:57 some-unifi-AP-dns-name 74acb9bc33f5,UAP-AC-Lite-5.43.36+12724: kernel: [1359238.979852] [wifi1] FWLOG: [49676369] WAL_DBGID_TX_BA_SETUP ( 0x4365a4, 0x0, 0x0, 0x10040, 0xfe4271fd )
**Phase 1: Completed pre-decoding.
full event: 'Aug 17 10:51:57 some-unifi-AP-dns-name 74acb9bc33f5,UAP-AC-Lite-5.43.36+12724: kernel: [1359238.979852] [wifi1] FWLOG: [49676369] WAL_DBGID_TX_BA_SETUP ( 0x4365a4, 0x0, 0x0, 0x10040, 0xfe4271fd )'
timestamp: 'Aug 17 10:51:57'
hostname: 'some-unifi-AP-dns-name'
**Phase 2: Completed decoding.
name: 'symantec-av'
**Phase 3: Completed filtering (rules).
id: '7300'
level: '0'
description: 'Grouping of Symantec AV rules.'
groups: '['symantec']'
firedtimes: '1'
mail: 'False'
It would be helpful if the symantec-av decoder contained more specific criteria instead of simply
<prematch>^\w\w\w\w\w\w\w\w\w\w\w\w,</prematch>
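As an added illustration (not part of the issue or of Wazuh's own code), the script below replays the stock prematch and the tighter PCRE2 prematch proposed in the comment against the two UniFi lines from this issue, plus two constructed lines: one UniFi-style line with an uppercase MAC and one stand-in shaped like a Symantec event (12-character uppercase id followed by numeric comma-separated fields). OSSEC-style `\w` is approximated as ASCII alphanumerics, which is sufficient for these samples.

```python
import re

# Stock prematch from the issue: twelve \w characters then a comma. OSSEC-style \w is
# approximated here as ASCII alphanumerics, which is enough for the samples below.
CURRENT_PREMATCH = re.compile(r"^[A-Za-z0-9]{12},")
# Tighter PCRE2 prematch proposed in the discussion.
PROPOSED_PREMATCH = re.compile(r"^[0-9A-Z]{12},\d+,\d+")

# Phase 1 (pre-decoding) strips "Mon DD HH:MM:SS hostname " before decoders see the event,
# so prematch patterns are tested against the remainder of the line.
SYSLOG_HEADER = re.compile(r"^[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2} \S+ ")

# The two UniFi lines quoted in the issue.
UNIFI_LINES = [
    "Aug 17 10:51:57 some-unifi-AP-dns-name 74acb9bc33f5,UAP-AC-Lite-5.43.36+12724: kernel: "
    "[1359238.979852] [wifi1] FWLOG: [49676369] WAL_DBGID_TX_BA_SETUP ( 0x4365a4, 0x0, 0x0, 0x10040, 0xfe4271fd )",
    "Aug 17 10:51:12 some-unifi-switch-dns-name e063dacde998,US-16-150W-5.64.8+13083: switch: "
    "DOT1S: inst(0) has elected a new STP root: FF:AA:BB:DD:DD:0D:32:1C",
]
# Constructed (not from the issue): a UniFi-style line whose MAC happens to be uppercase,
# to show that the ",\d+,\d+" suffix still rejects it.
UPPERCASE_MAC_LINE = (
    "Aug 17 10:52:01 some-unifi-AP-dns-name 74ACB9BC33F5,UAP-AC-Lite-5.43.36+12724: kernel: "
    "[1359240.000000] [wifi1] FWLOG: [49676370] WAL_DBGID_TX_BA_SETUP ( 0x4365a4, 0x0 )"
)
# Constructed stand-in shaped like the events the proposed prematch is meant to keep matching:
# a 12-character uppercase id followed by comma-separated numeric fields.
SYMANTEC_STYLE_LINE = "Aug 17 10:53:10 sep-manager 200A0B0C0D0E,7,2,1,example-host,Scan Complete"


def decoder_input(line: str) -> str:
    """Return the part of a syslog line that decoder prematch patterns are tested against."""
    return SYSLOG_HEADER.sub("", line, count=1)


def prematch_hits(pattern: re.Pattern, line: str) -> bool:
    """True if the given prematch would claim this event."""
    return pattern.search(decoder_input(line)) is not None


def compare(line: str) -> dict:
    """Report whether the stock and the proposed prematch each claim the event."""
    return {
        "current": prematch_hits(CURRENT_PREMATCH, line),
        "proposed": prematch_hits(PROPOSED_PREMATCH, line),
    }


if __name__ == "__main__":
    for sample in UNIFI_LINES + [UPPERCASE_MAC_LINE, SYMANTEC_STYLE_LINE]:
        print(compare(sample), decoder_input(sample)[:40])
```

The stock prematch claims all four lines, while the proposed one rejects the three UniFi-style lines and keeps the Symantec-shaped one.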