
OSSEC adding allowed fields from decoders to rules description

I am using OSSEC for HIDS.

I have created a custom decoder and extracted fields from the log like srcip, dstip and protocol.

Here is the log tested with ./ossec-logtest:

Sep  2 14:39:23 rana-HP-Notebook kernel: [21261.042146] [UFW BLOCK] IN=wlp19s0 OUT= MAC=cc:b0:da:66:20:c3:00:23:15:d4:dd:70:08:00 SRC=192.153.41.125 DST=192.153.41.12 LEN=40 TOS=0x00 PREC=0x00 TTL=64 ID=28858 PROTO=TCP SPT=2662 DPT=0 WINDOW=512 RES=0x00 URGP=0

Decoder written for the log is:

<decoder name="iptables-blockedip">
   <parent>iptables</parent>
   <prematch offset="after_parent">^\S+ [UFW BLOCK] IN=\S+ OUT= MAC=\S+ </prematch>
   <regex offset="after_prematch">^SRC=(\S+) DST=(\S+) LEN=\S+ TOS=\S+ PREC=\S+ TTL=\S+ ID=\S+ PROTO=(\S+) SPT=(\S+) DPT=(\S+) WINDOW=\S+ RES=\S+ URGP=\S+$</regex>
   <order>srcip,dstip,protocol,srcport,dstport</order>
</decoder>

The rule for it is:

<rule id="100002" level="8">
    <decoded_as>iptables</decoded_as>
    <description>An ip was blocked by the firewall</description>
</rule>

This is the result of ossec-logtest:

**Phase 1: Completed pre-decoding.
       full event: 'Sep  2 14:39:23 rana-HP-Notebook kernel: [21261.042146] [UFW BLOCK] IN=wlp19s0 OUT= MAC=cc:b0:da:66:20:c3:00:23:15:d4:dd:70:08:00 SRC=192.153.41.125 DST=192.153.41.12 LEN=40 TOS=0x00 PREC=0x00 TTL=64 ID=28858 PROTO=TCP SPT=2662 DPT=0 WINDOW=512 RES=0x00 URGP=0'
       hostname: 'rana-HP-Notebook'
       program_name: 'kernel'
       log: '[21261.042146] [UFW BLOCK] IN=wlp19s0 OUT= MAC=cc:b0:da:66:20:c3:00:23:15:d4:dd:70:08:00 SRC=192.153.41.125 DST=192.153.41.12 LEN=40 TOS=0x00 PREC=0x00 TTL=64 ID=28858 PROTO=TCP SPT=2662 DPT=0 WINDOW=512 RES=0x00 URGP=0'

**Phase 2: Completed decoding.
       decoder: 'iptables'
       srcip: '192.153.41.125'
       dstip: '192.153.41.12'
       proto: 'TCP'
       srcport: '2662'
       dstport: '0'

**Phase 3: Completed filtering (rules).
       Rule id: '100002'
       Level: '8'
       Description: 'An ip was blocked by the firewall'

Now the main question is:

Is it possible to add the srcip from the decoder to the rule description, so that it is shown in the description when the alert is raised?

My expected result for phase 3 of ossec-logtest is:

**Phase 3: Completed filtering (rules).
       Rule id: '100002'
       Level: '8'
       Description: 'An ip 192.153.41.125 was blocked by the firewall'

You can use the following syntax in the description: $(field_name).

Your rule would look like this:

<rule id="100002" level="8">
    <decoded_as>iptables</decoded_as>
    <description>An ip $(srcip) was blocked by the firewall</description>
</rule>

You have more information on this in the Wazuh documentation: https://documentation.wazuh.com/3.13/user-manual/ruleset/ruleset-xml-syntax/rules.html#description
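As an added example (not code from the question or the answer, and not OSSEC's or Wazuh's own code): a small Python model of the three ossec-logtest phases. It runs the question's decoder, translated into Python's re dialect (OSSEC treats [ and ] literally, so they are escaped here), over constructed sample lines and then expands $(field) placeholders in the rule description the way the answer describes. The page does not say how OSSEC treats a placeholder for a field the decoder did not produce; this script leaves such a placeholder literal, which is an assumption of the example only. The second sample line is a constructed UDP block in the form nf_log uses for UDP (no WINDOW/RES/URGP fields): it shows that the question's regex, which ends in WINDOW=\S+ RES=\S+ URGP=\S+$, only matches TCP packets, so the UDP line is never decoded and the rule does not fire.

```python
import re

# Constructed sample syslog lines (not captured from a real host).
# [0] is the TCP line from the question; [1] is a UDP block, which the
# kernel logs without WINDOW/RES/URGP, so the question's decoder misses it.
SAMPLE_LOGS = [
    "Sep  2 14:39:23 rana-HP-Notebook kernel: [21261.042146] [UFW BLOCK] "
    "IN=wlp19s0 OUT= MAC=cc:b0:da:66:20:c3:00:23:15:d4:dd:70:08:00 "
    "SRC=192.153.41.125 DST=192.153.41.12 LEN=40 TOS=0x00 PREC=0x00 TTL=64 "
    "ID=28858 PROTO=TCP SPT=2662 DPT=0 WINDOW=512 RES=0x00 URGP=0",
    "Sep  2 14:40:01 rana-HP-Notebook kernel: [21299.000001] [UFW BLOCK] "
    "IN=wlp19s0 OUT= MAC=cc:b0:da:66:20:c3:00:23:15:d4:dd:70:08:00 "
    "SRC=10.0.0.7 DST=192.153.41.12 LEN=48 TOS=0x00 PREC=0x00 TTL=64 "
    "ID=1 PROTO=UDP SPT=5353 DPT=5353 LEN=28",
]

# Phase 1: syslog pre-decoding into hostname, program_name and log.
SYSLOG_HEADER = re.compile(r"^\w{3} +\d+ \d\d:\d\d:\d\d (\S+) (\S+?): (.*)$")

# Phase 2: the question's decoder, translated to Python regex syntax.
# OSSEC's own dialect takes '[' and ']' literally; Python needs them escaped.
PREMATCH = re.compile(r"^\S+ \[UFW BLOCK\] IN=\S+ OUT= MAC=\S+ ")
REGEX = re.compile(
    r"^SRC=(\S+) DST=(\S+) LEN=\S+ TOS=\S+ PREC=\S+ TTL=\S+ ID=\S+ "
    r"PROTO=(\S+) SPT=(\S+) DPT=(\S+) WINDOW=\S+ RES=\S+ URGP=\S+$"
)
ORDER = ["srcip", "dstip", "protocol", "srcport", "dstport"]  # <order> element

# Phase 3: $(field) placeholders in a rule description.
PLACEHOLDER = re.compile(r"\$\(([A-Za-z_][A-Za-z0-9_]*)\)")

# Descriptions from the answer (as posted) and a richer variant using all
# five decoded fields; the richer one is this example's own choice.
ANSWER_DESCRIPTION = "An ip $(srcip) was blocked by the firewall"
RICH_DESCRIPTION = ("Firewall blocked $(protocol) $(srcip):$(srcport) "
                    "-> $(dstip):$(dstport)")


def predecode(line):
    """Phase 1: return hostname/program_name/log, or None if not syslog."""
    m = SYSLOG_HEADER.match(line)
    if not m:
        return None
    return {"hostname": m.group(1), "program_name": m.group(2), "log": m.group(3)}


def decode(log):
    """Phase 2: prematch, then regex at offset=after_prematch; fields by <order>."""
    pm = PREMATCH.match(log)
    if not pm:
        return None
    m = REGEX.match(log[pm.end():])
    if not m:
        return None
    return dict(zip(ORDER, m.groups()))


def render_description(template, fields):
    """Expand $(field) from the decoded fields.

    Assumption of this example (not documented on the page): a placeholder
    whose field was not decoded is left as the literal text.
    """
    return PLACEHOLDER.sub(lambda m: fields.get(m.group(1), m.group(0)), template)


def process(line, template=ANSWER_DESCRIPTION, rule_id=100002, level=8):
    """Run all three phases; return the alert, or None when the line is not decoded."""
    pre = predecode(line)
    if pre is None or pre["program_name"] != "kernel":
        return None
    fields = decode(pre["log"])
    if fields is None:
        return None
    return {"rule_id": rule_id, "level": level, "fields": fields,
            "description": render_description(template, fields)}


if __name__ == "__main__":
    for line in SAMPLE_LOGS:
        alert = process(line, RICH_DESCRIPTION)
        if alert is None:
            print("not decoded (decoder regex is TCP-only):", line.split("PROTO=")[1][:3])
        else:
            print("Rule id: %(rule_id)r  Level: %(level)r" % alert)
            print("Description:", alert["description"])
```

Running it prints the TCP alert with every field substituted and reports the UDP line as not decoded. If UDP blocks also need alerting, the decoder needs a second regex (or a sibling decoder) whose tail matches LEN=\S+$ instead of WINDOW=\S+ RES=\S+ URGP=\S+$.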
