wazuh · davidjiglesias · Jan 14, 2022 · Dec 9, 2021 · Jan 3, 2022 · Jan 13, 2022
diff --git a/ruleset/decoders/0560-oracledb_decoders.xml b/ruleset/decoders/0560-oracledb_decoders.xml
@@ -1,74 +1,113 @@
 <!--
-  -  OracleDB 12C decoder
-  -  Created by Wazuh, Inc.
-  -  Copyright (C) 2015-2021, Wazuh Inc.
-  -  This program is a free software; you can redistribute it and/or modify it under the terms of GPLv2.
+  Copyright (C) 2015-2021, Wazuh Inc.
 -->
 
 <!--
-  localfile implementation example:
-  <localfile>
-    <log_format>multi-line-regex</log_format>
-    <location>/tmp/oracle/*.aud</$
-    <multiline_regex match="all">(?m)\n\n</multiline_regex>
-    <out_format>$(timestamp) $(hostname) oracledb: $(log)</out_format>
-  </localfile>
--->
-<!--
-Log example:
-  Fri Jul 09 11:11:00 2021 +05:32
-  LENGTH : '563'
-  ACTION :[412] 'select /*+  no_parallel(t) no_parallel_index(t) dbms_stats cursor_sharing_exact use_weak_name_resl dynamic_sampling(0) no_monitoring xmlindex_sel_idx_tbl no_substrb_pad  */ substrb(dump("INSTANCE_NUMBER",16,0,64),1,240) val, 
-                        rowidtochar(rowid) rwid from "SYS"."WRH$_SEG_STAT" t where rowid in (chartorowid('AAAAAAAAAAAAAAAAAA'),chartorowid('AAAAAAAAAAAAAAAAAA')) order by "INSTANCE_NUMBER"'
-  DATABASE USER:[3] 'SYS'
-  PRIVILEGE :[4] 'NONE'
-  CLIENT USER:[0] ''
-  CLIENT TERMINAL:[7] 'UNKNOWN'
-  STATUS:[1] '0'
-  DBID:[10] '3320902093'
+  Decoders for:
+    OracleDB 12c.
+
+  Configuration:
+  The below needs to be added to the manager's ossec.conf localfile implementation to read Oracle's .aud logs:
+    <localfile>
+      <log_format>multi-line-regex</log_format>
+      <location>/tmp/oracle/*.aud</$
+      <multiline_regex match="all">\n\n</multiline_regex>
+      <out_format>$(timestamp) $(hostname) oracledb: $(log)</out_format>
+    </localfile>
+
+  Log example:
+    Fri Jul 09 11:11:00 2021 +05:32
+    LENGTH : '563'
+    ACTION :[412] 'select /*+  no_parallel(t) no_parallel_index(t) dbms_stats cursor_sharing_exact use_weak_name_resl dynamic_sampling(0) no_monitoring xmlindex_sel_idx_tbl no_substrb_pad  */ substrb(dump("INSTANCE_NUMBER",16,0,64),1,240) val, 
+                          rowidtochar(rowid) rwid from "SYS"."WRH$_SEG_STAT" t where rowid in (chartorowid('AAAAAAAAAAAAAAAAAA'),chartorowid('AAAAAAAAAAAAAAAAAA')) order by "INSTANCE_NUMBER"'
+    DATABASE USER:[3] 'SYS'
+    PRIVILEGE :[4] 'NONE'
+    CLIENT USER:[0] ''
+    CLIENT TERMINAL:[7] 'UNKNOWN'
+    STATUS:[1] '0'
+    DBID:[10] '3320902093'
+
+  Alert examples:
+    {"timestamp":"2021-07-14T11:21:33.363-0700","rule":{"level":3,"description":"OracleDB transaction","id":"89100","firedtimes":1,"mail":false,"groups":["oracle","oracledb"],"pci_dss":["10.6.2"],"hipaa":["164.312.b"]},"agent":{"id":"000","name":"localhost.localdomain"},"manager":{"name":"localhost.localdomain"},"id":"1626286893.177547","full_log":"Jul 14 11:21:33 localhost.localdomain oracledb: \nFri Jul 09 11:11:00 2021 +05:32\nLENGTH : '563'\nACTION :[412] 'select /*+  no_parallel(t) no_parallel_index(t) dbms_stats cursor_sharing_exact use_weak_name_resl dynamic_sampling(0) no_monitoring xmlindex_sel_idx_tbl no_substrb_pad  */ substrb(dump(\"INSTANCE_NUMBER\",16,0,64),1,240) val, \n                      rowidtochar(rowid) rwid from \"SYS\".\"WWW$_SEC_THAT\" t where rowid in (chartorowid('AAAAO0AADAAASALAAA'),chartorowid('AAAAO0AADAAAAAJAAA')) order by \"INSTANCE_NUMBER\"'\nDATABASE USER:[3] 'SYS'\nPRIVILEGE :[4] 'NONE'\nCLIENT USER:[0] ''\nCLIENT TERMINAL:[7] 'UNKNOWN'\nSTATUS:[1] '0'\nDBID:[10] '1120301032'","predecoder":{"program_name":"oracledb","timestamp":"Jul 14 11:21:33","hostname":"localhost.localdomain"},"decoder":{"name":"oracledb-log"},"data":{"action":"select /*+  no_parallel(t) no_parallel_index(t) dbms_stats cursor_sharing_exact use_weak_name_resl dynamic_sampling(0) no_monitoring xmlindex_sel_idx_tbl no_substrb_pad  */ substrb(dump(\"INSTANCE_NUMBER\",16,0,64),1,240) val, \n                      rowidtochar(rowid) rwid from \"SYS\".\"WWW$_SEC_THAT\" t where rowid in (chartorowid('AAAAO0AADAAASALAAA'),chartorowid('AAAAO0AADAAAAAJAAA')) order by \"INSTANCE_NUMBER\"","status":"0","length":"563","database_user":"SYS","privilege_level":"NONE","client_terminal":"UNKNOWN","database_id":"1120301032"},"location":"/tmp/oracle/CDBTST000_j000_11111_20212020231542600818143795.aud"}
 -->
 
-<decoder name="oracledb_log">
-    <program_name>^oracledb$</program_name>
+<decoder name="oracledb-log">
+  <program_name>^oracledb$</program_name>
+</decoder>
+
+<decoder name="oracledb-transaction-fields">
+  <parent>oracledb-log</parent>
+  <regex type="pcre2">(?m)^LENGTH : '(\d+)'\n</regex>
+  <order>length</order>
 </decoder>
 
-<decoder name="oracledb_transaction_fields">
-    <parent>oracledb_log</parent>
-    <regex>(?Ums)^LENGTH : '(\d+)'\n</regex>
-    <regex>^ACTION :\[\d+] '(.+)'\n</regex>
-    <regex>^DATABASE USER:\[\d+] '(.+)'\n</regex>
-    <regex>^PRIVILEGE :\[\d+] '(.+)'\n</regex>
-    <regex>^CLIENT USER:\[\d+] '(.*)'\n</regex>
-    <regex>^CLIENT TERMINAL:\[\d+] '(.*)'\n</regex>
-    <regex>^STATUS:\[\d+] '(.*)'\n</regex>
-    <regex type="pcre2">^DBID:\[\d+] '(.*)'</regex>
-    <order>length, action, database_user, privilege_level, client_user, client_terminal, status, database_id</order>
+<decoder name="oracledb-transaction-fields">
+  <parent>oracledb-log</parent>
+  <regex type="pcre2">(?mUs)ACTION :(.*)(?:^[A-Z\s]+:)</regex>
+  <order>action</order>
 </decoder>
 
+<decoder name="oracledb-transaction-fields">
+  <parent>oracledb-log</parent>
+  <regex type="pcre2">(?m)^DATABASE USER:\[\d+] '(.+)'\n</regex>
+  <order>database_user</order>
+</decoder>
+
+<decoder name="oracledb-transaction-fields">
+  <parent>oracledb-log</parent>
+  <regex type="pcre2">(?m)^PRIVILEGE :\[\d+] '(.+)'\n</regex>
+  <order>privilege_level</order>
+</decoder>
+
+<decoder name="oracledb-transaction-fields">
+  <parent>oracledb-log</parent>
+  <regex type="pcre2">(?m)^CLIENT USER:\[\d+] '(.*)'\n</regex>
+  <order>client_user</order>
+</decoder>
+
+<decoder name="oracledb-transaction-fields">
+  <parent>oracledb-log</parent>
+  <regex type="pcre2">(?m)^CLIENT TERMINAL:\[\d+] '(.*)'\n</regex>
+  <order>client_terminal</order>
+</decoder>
+
+<decoder name="oracledb-transaction-fields">
+  <parent>oracledb-log</parent>
+  <regex type="pcre2">(?m)^STATUS:\[\d+] '(.*)'\n</regex>
+  <order>status</order>
+</decoder>
+
+<decoder name="oracledb-transaction-fields">
+  <parent>oracledb-log</parent>
+  <regex type="pcre2">(?m)^DBID:\[\d+] '(.*)'</regex>
+  <order>database_id</order>
+</decoder>
 
 <!--
-  localfile implementation example:
+  Configuration:
+  The below needs to be added to the manager's ossec.conf localfile implementation to read Oracle's .log logs:
   <localfile>
     <log_format>multi-line-regex</log_format>
     <location>/tmp/oracle/alert_CDBTST931.log</location>
-    <multiline_regex match="start">(?m)\w{3}\s\w{3}\s\d{2}\s\d{2}:\d{2}:\d{2}\s\d{4}</multiline_regex>
+    <multiline_regex match="start">\w{3}\s\w{3}\s\d{2}\s\d{2}:\d{2}:\d{2}\s\d{4}</multiline_regex>
     <out_format>$(timestamp) $(hostname) oracledb_alerts: $(log)</out_format>
   </localfile>
+
+  Log example:
+    Tue Feb 23 11:53:46 2021
+    anyword: mtype: 61 process 70621 failed because of a resource problem in the OS. The OS has most likely run out of buffers (rval: 4)
+    Errors in file /tmp/oracle/traces/CDBTST111_m000_00001.trc  (incident=346445):
+    ORA-00603: ORACLE server session terminated by fatal error
+    ORA-27504: IPC error creating OSD context
+    ORA-27300: OS system dependent operation:sendmsg failed with status: 105
+    ORA-27301: OS failure message: No buffer space available
+    ORA-27302: failure occurred at: anyword
+    opidrv aborting process M000 ospid (70621) as a result of ORA-603
+    Process m000 died, see its trace file
+  Alert examples:
+    {"timestamp":"2021-07-14T11:20:43.107-0700","rule":{"level":7,"description":"Oracle DB alerts","id":"89101","firedtimes":1,"mail":false,"groups":["oracle","oracledb"],"pci_dss":["10.6.1"],"hipaa":["164.312.b"]},"agent":{"id":"000","name":"localhost.localdomain"},"manager":{"name":"localhost.localdomain"},"id":"1626286843.176665","full_log":"Jul 14 11:20:43 localhost.localdomain oracledb_alerts: Tue Feb 23 11:53:46 2021\anyword: mtype: 61 process 70621 failed because of a resource problem in the OS. The OS has most likely run out of buffers (rval: 4)\nErrors in file /opt/oracle/app/oracle/diag/rdbms/cdbtst00/CDBTST000/trace/CDBTST000_m000_10111.trc  (incident=346445):\nORA-00603: ORACLE server session terminated by fatal error\nORA-27504: IPC error creating OSD context\nORA-27300: OS system dependent operation:sendmsg failed with status: 105\nORA-27301: OS failure message: No buffer space available\nORA-27302: failure occurred at: anyword\nopidrv aborting process M000 ospid (70621) as a result of ORA-603\nProcess m000 died, see its trace file","predecoder":{"program_name":"oracledb_alerts","timestamp":"Jul 14 11:20:43","hostname":"localhost.localdomain"},"decoder":{"name":"oracledb-alerts"},"location":"/tmp/oracle/alert_CDBTST931.log"}
 -->
-<!--
-Log example:
-  Tue Feb 23 11:53:46 2021
-  anyword: mtype: 61 process 70621 failed because of a resource problem in the OS. The OS has most likely run out of buffers (rval: 4)
-  Errors in file /tmp/oracle/traces/CDBTST111_m000_00001.trc  (incident=346445):
-  ORA-00603: ORACLE server session terminated by fatal error
-  ORA-27504: IPC error creating OSD context
-  ORA-27300: OS system dependent operation:sendmsg failed with status: 105
-  ORA-27301: OS failure message: No buffer space available
-  ORA-27302: failure occurred at: anyword
-  opidrv aborting process M000 ospid (70621) as a result of ORA-603
-  Process m000 died, see its trace file
--->
-<decoder name="oracledb_alerts">
-    <program_name>^oracledb_alerts$</program_name>
-    <prematch type="pcre2">ORA\-</prematch>
+<decoder name="oracledb-alerts">
+  <program_name>^oracledb-alerts$</program_name>
+  <prematch type="pcre2">ORA\-</prematch>
 </decoder>
diff --git a/ruleset/rules/0920-oracledb_rules.xml b/ruleset/rules/0920-oracledb_rules.xml
@@ -1,31 +1,24 @@
 <!--
-  - OracleDB rules
-  - Created by Wazuh, Inc.
-  - Copyright (C) 2015-2021, Wazuh Inc.
-  - This program is a free software; you can redistribute it and/or modify it under the terms of GPLv2.
+  Copyright (C) 2015-2021, Wazuh Inc.
 -->
 
-<group name="oracle,oracledb,">
+<!-- 
+  Rules for:
+    OracleDB 12c ID: 89100 - 89199
+-->
 
-    <!-- RULE ID RANGE: 89100 - 89199 -->
+<group name="oracle,oracledb,">
 
-    <!--
-      Alert example:
-      {"timestamp":"2021-07-14T11:21:33.363-0700","rule":{"level":3,"description":"OracleDB transaction","id":"89100","firedtimes":1,"mail":false,"groups":["oracle","oracledb"],"pci_dss":["10.6.2"],"hipaa":["164.312.b"]},"agent":{"id":"000","name":"localhost.localdomain"},"manager":{"name":"localhost.localdomain"},"id":"1626286893.177547","full_log":"Jul 14 11:21:33 localhost.localdomain oracledb: \nFri Jul 09 11:11:00 2021 +05:32\nLENGTH : '563'\nACTION :[412] 'select /*+  no_parallel(t) no_parallel_index(t) dbms_stats cursor_sharing_exact use_weak_name_resl dynamic_sampling(0) no_monitoring xmlindex_sel_idx_tbl no_substrb_pad  */ substrb(dump(\"INSTANCE_NUMBER\",16,0,64),1,240) val, \n                      rowidtochar(rowid) rwid from \"SYS\".\"WWW$_SEC_THAT\" t where rowid in (chartorowid('AAAAO0AADAAASALAAA'),chartorowid('AAAAO0AADAAAAAJAAA')) order by \"INSTANCE_NUMBER\"'\nDATABASE USER:[3] 'SYS'\nPRIVILEGE :[4] 'NONE'\nCLIENT USER:[0] ''\nCLIENT TERMINAL:[7] 'UNKNOWN'\nSTATUS:[1] '0'\nDBID:[10] '1120301032'","predecoder":{"program_name":"oracledb","timestamp":"Jul 14 11:21:33","hostname":"localhost.localdomain"},"decoder":{"name":"oracledb_log"},"data":{"action":"select /*+  no_parallel(t) no_parallel_index(t) dbms_stats cursor_sharing_exact use_weak_name_resl dynamic_sampling(0) no_monitoring xmlindex_sel_idx_tbl no_substrb_pad  */ substrb(dump(\"INSTANCE_NUMBER\",16,0,64),1,240) val, \n                      rowidtochar(rowid) rwid from \"SYS\".\"WWW$_SEC_THAT\" t where rowid in (chartorowid('AAAAO0AADAAASALAAA'),chartorowid('AAAAO0AADAAAAAJAAA')) order by \"INSTANCE_NUMBER\"","status":"0","length":"563","database_user":"SYS","privilege_level":"NONE","client_terminal":"UNKNOWN","database_id":"1120301032"},"location":"/tmp/oracle/CDBTST000_j000_11111_20212020231542600818143795.aud"}
-    -->
-    <rule id="89100" level="3">
-        <decoded_as>oracledb_log</decoded_as>
-        <description>OracleDB transaction</description>
-        <group>pci_dss_10.6.2,hipaa_164.312.b</group>
-    </rule>
+  <rule id="89100" level="3">
+    <decoded_as>oracledb-log</decoded_as>
+    <description>OracleDB transaction.</description>
+    <group>hipaa_164.312.b,pci_dss_10.6.2,</group>
+  </rule>
 
-    <!--
-      Alert example:
-      {"timestamp":"2021-07-14T11:20:43.107-0700","rule":{"level":7,"description":"Oracle DB alerts","id":"89101","firedtimes":1,"mail":false,"groups":["oracle","oracledb"],"pci_dss":["10.6.1"],"hipaa":["164.312.b"]},"agent":{"id":"000","name":"localhost.localdomain"},"manager":{"name":"localhost.localdomain"},"id":"1626286843.176665","full_log":"Jul 14 11:20:43 localhost.localdomain oracledb_alerts: Tue Feb 23 11:53:46 2021\anyword: mtype: 61 process 70621 failed because of a resource problem in the OS. The OS has most likely run out of buffers (rval: 4)\nErrors in file /opt/oracle/app/oracle/diag/rdbms/cdbtst00/CDBTST000/trace/CDBTST000_m000_10111.trc  (incident=346445):\nORA-00603: ORACLE server session terminated by fatal error\nORA-27504: IPC error creating OSD context\nORA-27300: OS system dependent operation:sendmsg failed with status: 105\nORA-27301: OS failure message: No buffer space available\nORA-27302: failure occurred at: anyword\nopidrv aborting process M000 ospid (70621) as a result of ORA-603\nProcess m000 died, see its trace file","predecoder":{"program_name":"oracledb_alerts","timestamp":"Jul 14 11:20:43","hostname":"localhost.localdomain"},"decoder":{"name":"oracledb_alerts"},"location":"/tmp/oracle/alert_CDBTST931.log"}    
-    -->
-    <rule id="89101" level="7">
-      <decoded_as>oracledb_alerts</decoded_as>
-      <description>Oracle DB alerts</description>
-      <group>pci_dss_10.6.1,hipaa_164.312.b</group>
+  <rule id="89101" level="7">
+    <decoded_as>oracledb-alerts</decoded_as>
+    <description>Oracle DB alerts.</description>
+    <group>hipaa_164.312.b,pci_dss_10.6.1,</group>
   </rule>
+
 </group>