Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

3.13 api rules #675

Open
wants to merge 5 commits into
base: master
Choose a base branch
from
Open

3.13 api rules #675

Changes from 1 commit
Commits
Show all changes
5 commits
Select commit Hold shift + click to select a range
15327dc
Create 0685-wazuh-api_rules.xml
eliasgrana Apr 7, 2020
256db81
Create 0495-wazuh-api_decoders.xml
eliasgrana Apr 7, 2020
85fda12
Create api.ini
eliasgrana Apr 7, 2020
c84e62c
changed the group for api rules; change the id for rules; change the …
odintree May 22, 2020
90bc303
Update CHANGELOG.md
odintree May 22, 2020
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Jump to
Jump to file
Failed to load files.
Diff view
Diff view
Prev Previous commit
Next Next commit
Create 0495-wazuh-api_decoders.xml
  • Loading branch information
@eliasgrana @odintree
eliasgrana authored and odintree committed May 22, 2020
commit 256db814c1d00b8a104150500779c22133b55cf6
68 changes: 68 additions & 0 deletions decoders/0495-wazuh-api_decoders.xml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,68 @@
<!--
- WazuhAPI decoders
- Author: Daniel Moreno
- Updated by Wazuh, Inc.
- Copyright (C) 2015-2019, Wazuh Inc.
- This program is a free software; you can redistribute it and/or modify it under the terms of GPLv2.
-->

<decoder name="wazuhapi">
<prematch>WazuhAPI </prematch>
</decoder>

<!-- WazuhAPI 2019-02-27 15:23:17 user: [::ffff:11.0.0.19] GET /version? - 200 - error: '0'. -->

<decoder name="wazuhapi_requests">
<parent>wazuhapi</parent>
<prematch>\d+-\d+-\d+ \d+:\d+:\d+ \S+: [\S+] \w+ \S+ - \d+</prematch>
<regex offset="after_parent">(\d+-\d+-\d+ \d+:\d+:\d+) (\S+): [(\S+)] (\w+) (\S+) - \d+ - error: '(\d+)'</regex>
<order>timestamp,apiuser,remoteaddress,method,request,errorcode</order>
</decoder>

<!-- WazuhAPI 2019-03-19 13:46:48 foo: Agent does not exist: 500 --> <!-- exceptions -->
<!-- This is a generic exception log, the decoder should work for every exception -->
<decoder name="wazuhapi_exceptions">
<parent>wazuhapi</parent>
<prematch></prematch>
<regex offset="after_parent">(\d+-\d+-\d+ \d+:\d+:\d+) (\S+): (\.+): \d+</regex>
<order>timestamp,apiuser,exception_message</order>
</decoder>

<!-- WazuhAPI 2019-02-27 15:22:22 : Listening on: http://:::55000 -->

<decoder name="wazuhapi_listening">
<parent>wazuhapi</parent>
<prematch>Listening on</prematch>
<regex offset="after_parent">(\d+-\d+-\d+ \d+:\d+:\d+) : Listening on: (\.+)</regex>
<order>timestamp,apiurl</order>
</decoder>


<!-- WazuhAPI 2019-03-18 16:08:13 user: [::1] User: "user" - Authentication failed. -->

<decoder name="wazuhapi_authfail">
<parent>wazuhapi</parent>
<prematch>Authentication failed</prematch>
<regex offset="after_parent">(\d+-\d+-\d+ \d+:\d+:\d+) (\S+):\.+ Authentication failed</regex>
<order>timestamp,apiuser</order>
</decoder>



<!-- WazuhAPI 2019-03-18 16:08:13 Error: Address in use (port "550"): Close the program using that port or change the port. -->

<decoder name="wazuhapi_porterror">
<parent>wazuhapi</parent>
<prematch>Address in use</prematch>
<regex offset="after_parent">(\d+-\d+-\d+ \d+:\d+:\d+) Error: Address in use \(port "(\d+)"\)</regex>
<order>timestamp,port</order>
</decoder>

<!-- WazuhAPI 2019-03-18 16:08:13 : [::1] Authentication error: 15 - Error message -->

<decoder name="wazuhapi_autherror">
<parent>wazuhapi</parent>
<prematch>Authentication error</prematch>
<regex offset="after_parent">(\d+-\d+-\d+ \d+:\d+:\d+) : [\.+] Authentication error: (\d+) - (\.+)</regex>
<order>timestamp,auth_error,error_message</order>
</decoder>