McAfee decoders and rules integration #467

Merged
merged 3 commits into from Oct 14, 2019

Conversation

joselopezrio

New decoders and rules to integrate McAfee EPO in our ruleset.

This is the log example used:

Syslog Output RAW.txt

The decoders are made to extract every field one by one following this structure:

<!-- Parent decoder. In Wazuh/OSSEC regex, \p matches one punctuation
     character, so \pEPOEvent\p hits the <EPOEvent> tag that opens the
     ePO XML event. -->
<decoder name="mcafee-epo2">
    <prematch>\pEPOEvent\p</prematch>
</decoder>

<!-- Child decoders: each captures one XML element (\.+ = one or more of any
     character) starting after the parent match, and names the capture
     in <order>. -->
<decoder name="mcafee-epo2-fields">
    <parent>mcafee-epo2</parent>
    <regex offset="after_parent">\pMachineName\p(\.+)\p/MachineName\p</regex>
    <order>machine_name</order>
</decoder>

<decoder name="mcafee-epo2-fields">
    <parent>mcafee-epo2</parent>
    <regex offset="after_parent">\pAgentGUID\p(\.+)\p/AgentGUID\p</regex>
    <order>agent_guid</order>
</decoder>

<decoder name="mcafee-epo2-fields">
    <parent>mcafee-epo2</parent>
    <regex offset="after_parent">\pIPAddress\p(\.+)\p/IPAddress\p</regex>
    <order>ip.address</order>
</decoder>
Rules provide information about the type of threat using the decoded field ThreatName. These are the rules:

<group name="mcafee_epo,">

    <!-- Level 0 grouping rule: fires on every event the mcafee-epo2 decoder
         matched, but never produces an alert on its own. -->
    <rule id="65500" level="0">
        <decoded_as>mcafee-epo2</decoded_as>
        <description>Mcafee EPO2</description>
    </rule>
    <!-- Child rule: the description is expanded from the decoded
         ThreatName field with the $(field) syntax. -->
    <rule id="65501" level="3">
        <if_sid>65500</if_sid>
        <description>$(ThreatName)</description>
    </rule>

</group>
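
As an added example that is not part of this pull request or of Wazuh itself, the following Python script models the decoder chain and the two rules described above end to end: a parent prematch on the EPOEvent tag, per-field child decoders that search only after the parent match (the `offset="after_parent"` behaviour), and rule 65501 building its description from the decoded ThreatName. Assumptions: the log line is a constructed ePO event fragment, not the attached "Syslog Output RAW.txt"; a ThreatName child decoder is assumed to exist alongside the three shown, since the rule references that field; and the OSSEC `\pName\p(\.+)\p/Name\p` pattern is approximated with a non-greedy Python capture between the literal tags, which differs in detail from the real regex engine.

```python
"""Toy model of the McAfee ePO decoder chain and rules from this pull request.

Added example, not code from the PR or from Wazuh. SAMPLE_LOG is a constructed
EPOEvent fragment, not the attached "Syslog Output RAW.txt". The Wazuh pattern
\\pName\\p(\\.+)\\p/Name\\p is approximated here with a non-greedy Python capture
between the literal XML tags (assumption: the real OSSEC engine differs in detail).
"""
import re

# Constructed sample event: the XML ePO forwards over syslog, flattened to one line.
SAMPLE_LOG = (
    '<?xml version="1.0" encoding="UTF-8"?><EPOEvent><MachineInfo>'
    '<MachineName>WIN-TEST01</MachineName>'
    '<AgentGUID>{11111111-2222-3333-4444-555555555555}</AgentGUID>'
    '<IPAddress>10.0.0.5</IPAddress></MachineInfo>'
    '<SoftwareInfo ProductName="McAfee Endpoint Security"><Event>'
    '<ThreatName>EICAR test file</ThreatName><ThreatType>test</ThreatType>'
    '</Event></SoftwareInfo></EPOEvent>'
)

# Parent prematch: the PR's \pEPOEvent\p, i.e. the literal <EPOEvent> tag.
PREMATCH = re.compile(r"<EPOEvent>")

# (decoded field name, XML tag) pairs mirroring the child decoders in the PR,
# plus ThreatName, which rule 65501 needs (assumed to be extracted the same way).
FIELDS = [
    ("machine_name", "MachineName"),
    ("agent_guid", "AgentGUID"),
    ("ip.address", "IPAddress"),
    ("ThreatName", "ThreatName"),
]


def decode(log: str) -> dict:
    """Return the decoded fields, or {} when the parent prematch does not hit."""
    m = PREMATCH.search(log)
    if not m:
        return {}
    rest = log[m.end():]  # offset="after_parent": children search after the match
    decoded = {"decoder": "mcafee-epo2"}
    for field, tag in FIELDS:
        # <Tag>(...)</Tag>; non-greedy so a later closing tag is not swallowed
        fm = re.search(rf"<{tag}>(.+?)</{tag}>", rest)
        if fm:
            decoded[field] = fm.group(1)
    return decoded


def evaluate_rules(decoded: dict) -> list:
    """Fire 65500 (level 0) on a decoder match, then 65501 (level 3).

    Returns (rule_id, level, description) tuples in firing order.
    """
    alerts = []
    if decoded.get("decoder") != "mcafee-epo2":
        return alerts
    alerts.append((65500, 0, "Mcafee EPO2"))
    # Expand $(field) in the child rule's description from the decoded event;
    # a field missing from the event is left unexpanded in this model.
    description = re.sub(
        r"\$\((\w+)\)",
        lambda mm: decoded.get(mm.group(1), mm.group(0)),
        "$(ThreatName)",
    )
    alerts.append((65501, 3, description))
    return alerts


if __name__ == "__main__":
    event = decode(SAMPLE_LOG)
    for rule_id, level, desc in evaluate_rules(event):
        print(rule_id, level, desc)
```

Running the script prints the two firings, `65500 0 Mcafee EPO2` followed by `65501 3 EICAR test file`; a line that does not contain the EPOEvent tag decodes to nothing and fires no rule, which is the behaviour the level-0 parent rule is there to enforce.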

Jose Manuel Lopez added 3 commits July 31, 2019 19:29
Decoders for McAfee EPO
Rules for McAfee EPO
test file for McAfee EPO rules and decoders
@joselopezrio joselopezrio added rules Rules related issues decoders Decoders related issues labels Jul 31, 2019
@joselopezrio joselopezrio self-assigned this Jul 31, 2019
@joselopezrio joselopezrio changed the title 3.10 McAfee decoders and rules integration McAfee decoders and rules integration Aug 14, 2019
@havidarou havidarou added this to In progress in Wazuh 3.10.0 via automation Aug 25, 2019
@havidarou havidarou removed this from In progress in Wazuh 3.10.0 Aug 26, 2019
@chemamartinez chemamartinez changed the base branch from 3.10 to 3.11 October 14, 2019 17:14
@chemamartinez chemamartinez added this to In progress in Wazuh 3.11.0 via automation Oct 14, 2019
@chemamartinez chemamartinez merged commit 458430a into 3.11 Oct 14, 2019
Wazuh 3.11.0 automation moved this from In progress to Done Oct 14, 2019
@chemamartinez chemamartinez deleted the 3.10-mcafee-decoders-rules branch October 14, 2019 17:25