
Cisco-IOS decoder for EMWEB-3-LOGIN_FAILED events #14739

Open
maumrsms opened this issue Aug 25, 2022 · 0 comments
Labels
feed/decoders Decoders related issues level/task reporter/operations team/threatintel Threat Intelligence team type/enhancement New feature or request

Comments

@maumrsms
Member

Wazuh version: 4.3.6
Component: Rules/Decoders
Action type: New

Description

Hello team! I recently needed to work on decoding the user in the following event from Cisco-IOS:
%EMWEB-3-LOGIN_FAILED: ews_auth.c:1234 Login failed for the user:USERNAME_HERE. Service-Type is not present or it doesn't allow READ/WRITE permission..

So I created the following decoder to do so:

<!-- Child of the stock cisco-ios decoder: prematch selects the LOGIN_FAILED line,
     regex captures facility, severity, mnemonic and the user name in that order -->
<decoder name="cisco-ios-login-failed">
  <parent>cisco-ios</parent>
  <prematch>%EMWEB-3-LOGIN_FAILED: \S+ Login failed for the user:\S+.</prematch>
  <regex>%(\w+)-(\d)-(\w+): \S+ Login failed for the user:(\S+).</regex>
  <order>cisco.facility, cisco.severity, cisco.mnemonic, srcuser</order>
</decoder>

The only thing to consider is that I needed to add it right before the last decoder in /var/ossec/ruleset/decoders/0065-cisco-ios_decoders.xml for it to work.
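As an added illustration (not code from this issue or from the Wazuh project), the following Python script models what the decoder above does: run the prematch, then the capture regex, then map the captured groups onto the order list. It uses Python's re module, whose syntax and backtracking differ from Wazuh's OS_Regex engine, so it is a model for checking field extraction on sample lines, not a reproduction of the engine; the log lines, usernames and the check_expected helper are constructed for this example. It also covers two cases the issue does not show: a username containing a dot, and a line where the username is empty, for which the model yields no srcuser rather than a bogus one. Confirm the real behaviour of the decoder with wazuh-logtest before relying on it.

```python
import re

# Constructed sample events. The first mirrors the format reported in the issue;
# the others are made up to exercise edge cases.
SAMPLE_LOGS = [
    "%EMWEB-3-LOGIN_FAILED: ews_auth.c:1234 Login failed for the user:alice. "
    "Service-Type is not present or it doesn't allow READ/WRITE permission..",
    # username containing a dot: greedy \S+ followed by \. keeps the dot inside the name
    "%EMWEB-3-LOGIN_FAILED: ews_auth.c:1234 Login failed for the user:john.doe. "
    "Service-Type is not present or it doesn't allow READ/WRITE permission..",
    # empty username: \S+ needs at least one character before the final dot
    "%EMWEB-3-LOGIN_FAILED: ews_auth.c:1234 Login failed for the user:. "
    "Service-Type is not present or it doesn't allow READ/WRITE permission..",
    # unrelated Cisco IOS message: prematch must not fire
    "%SYS-5-CONFIG_I: Configured from console by admin on vty0",
]

# Python approximation of the decoder's <prematch> and <regex>. The trailing "."
# in the decoder is a literal period here; in OS_Regex "." matches any character.
PREMATCH = re.compile(r"%EMWEB-3-LOGIN_FAILED: \S+ Login failed for the user:\S+\.")
REGEX = re.compile(r"%(\w+)-(\d)-(\w+): \S+ Login failed for the user:(\S+)\.")
# Same field names as the decoder's <order>
ORDER = ["cisco.facility", "cisco.severity", "cisco.mnemonic", "srcuser"]


def decode(line: str) -> dict:
    """Return the fields the decoder would add for one log line.

    An empty dict means the prematch or the regex did not fire, so the
    line would stay with the parent cisco-ios decoder only.
    """
    if not PREMATCH.search(line):
        return {}
    match = REGEX.search(line)
    if not match:
        return {}
    return dict(zip(ORDER, match.groups()))


def decode_all(lines) -> list:
    """Decode a batch of lines, keeping positions so results align with input."""
    return [decode(line) for line in lines]


def check_expected(line: str, expected_user: str) -> bool:
    """Hypothetical helper mirroring the issue's 'Expected results': the decoded
    event must carry the facility/severity/mnemonic triple and the given srcuser."""
    fields = decode(line)
    return (
        fields.get("cisco.facility") == "EMWEB"
        and fields.get("cisco.severity") == "3"
        and fields.get("cisco.mnemonic") == "LOGIN_FAILED"
        and fields.get("srcuser") == expected_user
    )


if __name__ == "__main__":
    for line, fields in zip(SAMPLE_LOGS, decode_all(SAMPLE_LOGS)):
        print(line[:60], "->", fields or "(not decoded by cisco-ios-login-failed)")
```

The empty-username line is the one to watch: the model refuses to decode it, which is the safer outcome, since a rule keyed on srcuser should not fire on an event that names no user. Whether the real OS_Regex pattern behaves the same way is exactly what a wazuh-logtest run against that line would tell you.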

Service/Product/Module

cisco-ios.

Errors/Improvements

Current results

**Phase 2: Completed decoding.
       decoder: 'cisco-ios'
       cisco.facility: 'EMWEB'
       cisco.severity: '3'
       cisco.mnemonic: 'LOGIN_FAILED'

**Phase 3: Completed filtering (rules).
       Rule id: '4713'
       Level: '4'
       Description: 'Cisco IOS error message - LOGIN_FAILED'
**Alert to be generated.

Expected results

**Phase 2: Completed decoding.
       decoder: 'cisco-ios'
       cisco.facility: 'EMWEB'
       cisco.severity: '3'
       cisco.mnemonic: 'LOGIN_FAILED'
       srcuser: 'pdelaquintana'

**Phase 3: Completed filtering (rules).
       Rule id: '4713'
       Level: '4'
       Description: 'Cisco IOS error message - LOGIN_FAILED'
**Alert to be generated.

Resources

Log source / integration

cisco-ios via syslog

Log reference

Log examples

%EMWEB-3-LOGIN_FAILED: ews_auth.c:1234 Login failed for the user:USERNAME_HERE. Service-Type is not present or it doesn't allow READ/WRITE permission..

@maumrsms maumrsms added type/enhancement New feature or request reporter/operations feed/decoders Decoders related issues labels Aug 25, 2022
@72nomada 72nomada added the team/threatintel Threat Intelligence team label Aug 29, 2022
@snaow snaow added this to the Release 4.5.0 milestone Nov 16, 2022
@havidarou havidarou removed this from the Release 4.5.0 milestone Dec 13, 2022
Development

No branches or pull requests

4 participants