Incorrect handling of the ‘< and >‘ characters

[hitman28594]

Wazuh version	Component	Install type	Install method	Platform
X.Y.Z-rev	Wazuh component	Manager/Agent	Packages/Sources	OS version

Hi Team,

The OS_regex option to match on “< or >“ is that the character should be escaped “>”

However this doesn’t work and errors when loading the rule.

I think this is an issue with the xml parser and might not be specific to rules.

The following issue/bug from 2020 has similar symptoms and implies that the xml isnt accurately parsed for certain corner cases. There is also issues with nested xml comments, which wazuh doesn’t currently support.

#4542

[juliancnn]

Hi @hitman28594

It is only necessary to escape the opening character, for example, suppose you want to extract the number field between <> from the following log:

Dec 25 20:45:02 MyHost example_angle[12345]: fieldx=asd <123> field1=asd field2=asd

Therefore, the decoder should be:

<decoder name="example_angle_brackets">
    <program_name>example_angle</program_name>
    <regex>\<(\d+)></regex>
    <order>num</order>
</decoder>

Finally the test in Wazuh-Logtest:

Command:

 echo 'Dec 25 20:45:02 MyHost example_angle[12345]: fieldx=asd <123> field1=asd field2=asd' | /var/ossec/bin/wazuh-logtest

Output

Starting wazuh-logtest v4.3.5
Type one log per line


**Phase 1: Completed pre-decoding.
        full event: 'Dec 25 20:45:02 MyHost example_angle[12345]: fieldx=asd <123> field1=asd field2=asd'
        timestamp: 'Dec 25 20:45:02'
        hostname: 'MyHost'
        program_name: 'example_angle'

**Phase 2: Completed decoding.
        name: 'example_angle_brackets'
        num: '123'

I hope this is useful for you