Domů Procházet Nápověda
Přihlásit se
tum
/
soc
Sledovat 1
Oblíbit 0
Rozštěpit 0
Zdrojový kód Úkoly 0 Požadavky na natažení 0 Revize 35 Vydání 0 Wiki

Bez popisu

Strom: 395c5c7e78
Větve Značky
soc
/
wazuh-docker
/
single-node
/
config
/
wazuh_cluster
/
local_decode...

local_decoder.xml 2.0KB
Historie Surový

12345678910111213141516171819202122232425262728293031323334353637383940414243444546 
  1. <!--
    2. 

  2.   SOC custom decoders (production-focused baseline)
    3. 

  3.   - Decodes real correlation payloads produced by SOC Integrator
    4. 

  4.   - Decodes real DNS IOC payloads
    5. 

  5.   - Decodes modern ESXi 7/8 syslog format (groups: vmware)
    6. 

  6. -->
    7. 

  7. 

  8. <!--
    9. 

  9.   Modern VMware ESXi / vCenter syslog decoder
    10. 

  10.   Matches ESXi 7.x and 8.x syslog output (built-in vmware decoder only handles old ESX 4.x format).
    11. 

  11. 

  12.   How if_group=vmware works: rule 19100 (decoded_as vmware) fires first and places the event in
    13. 

  13.   the vmware group. Our B1 rules then match via if_group=vmware.
    14. 

  14.   To hook into this chain, our decoder must also be NAMED "vmware" (Wazuh allows multiple
    15. 

  15.   decoders with the same name — they are evaluated in order).
    16. 

  16. 

  17.   ESXi 7.x format:  <ISO-TS> <HOSTNAME> <PROCESS>: <SEV> <proc[pid]> [<meta>] <msg>
    18. 

  18.   ESXi 8.x format:  <ISO-TS> <HOSTNAME> <process[pid]>: [<sev>] <msg>
    19. 

  19. 

  20.   Known process names seen from FPVM70-H1/H2 (ESXi 7) and ESXi 8.0:
    21. 

  21.     Hostd, Vpxa, Rhttpproxy, vmkernel, vmkwarning, healthd, healthdPlugins,
    22. 

  22.     hostd-probe, net-cdp, vdtc, envoy-access, fdm, kmxa, sandboxd, crond
    23. 

  23. -->
    24. 

  24. <decoder name="vmware">
    25. 

  25.   <program_name type="pcre2">(?i)^(Hostd|Vpxa|Rhttpproxy|vmkernel|vmkwarning|vmkdump|healthd|healthdPlugins|hostd-probe|net-cdp|vdtc|envoy-access|fdm|kmxa|sandboxd|vpxd|dcui|crond|ImageConfigManager|sysboot|sfcb|vsanmgmtd)$</program_name>
    26. 

  26. </decoder>
    27. 

  27. 

  28. <decoder name="vmware-esxi-severity">
    29. 

  29.   <parent>vmware</parent>
    30. 

  30.   <prematch type="pcre2">^(?:verbose|info|warning|error|critical|debug) </prematch>
    31. 

  31.   <regex type="pcre2">^(verbose|info|warning|error|critical|debug)</regex>
    32. 

  32.   <order>status</order>
    33. 

  33. </decoder>
    34. 

  34. 

  35. <decoder name="soc-prod-dns">
    36. 

  36.   <prematch>soc_event=dns_ioc</prematch>
    37. 

  37.   <regex type="pcre2">event_type=(\S+)(?:.*?src_ip=([\d.]+))?</regex>
    38. 

  38.   <order>status, srcip</order>
    39. 

  39. </decoder>
    40. 

  40. 

  41. <decoder name="soc-prod-integrator">
    42. 

  42.   <prematch>soc_event=correlation</prematch>
    43. 

  43.   <regex type="pcre2">event_type=(\S+)(?:.*?user="([^"]+)")?(?:.*?src_ip=([\d.]+))?</regex>
    44. 

  44.   <order>status, srcuser, srcip</order>
    45. 

  45. </decoder>
    46. 

  46.