Writing Maltrail decoder and rules

When writing rules and decoders from scratch, have a look at the folder /var/ossec/ruleset, where the onboard (stock) rules and decoders live.

For Maltrail I tried to add decoders and rules here:

https://github.com/wazuh/wazuh/pull/7031

Have a look at the files added there and try it yourself in /var/ossec/etc/rules and /var/ossec/etc/decoders. Note that custom rules and decoders now go under etc/ rather than the root ruleset folder, because etc/ is where the editable configuration lives.

First we have our log:

Dec 23 14:55:34 OPNsense.localdomain CEF: 0|Maltrail|sensor|0.26.1|2020-12-23|long domain (suspicious)|0|src=172.24.68.133 spt=55989 dst=8.8.8.8 dpt=53 trail=(q6pmisvlqpgxptq1s6psghvyoqali.uribl).rspamd.com ref=(heuristic)


For this we need a decoder to detect it:

<decoder name="CEF">
    <program_name>^CEF</program_name>
</decoder>

<decoder name="CEF">
    <parent>CEF</parent>
    <regex>(\w+)\|(\w+)\|(\w+)\|(\.+)\|(\d+-\d+-\d+)\|(\.+)\|(\d+)\|src=(\d+.\d+.\d+.\d+) spt=(\.+) dst=(\d+.\d+.\d+.\d+) dpt=(\.+) trail=(\.+) ref=(\.+)</regex>
    <order>code, application, type, version, date, category, severity, srcip, srcport, dstip, dstport, trail, ref</order>
</decoder>
And now we can add rules to detect the decoded logs:

<group name="Maltrail,connection_attempt,">
    <rule id="64520" level="0">
        <decoded_as>CEF</decoded_as>
        <description>Maltrail messages grouped.</description>
    </rule>

    <!-- The severity field is matched with a regex, so it is anchored (^0$) to avoid
         a bare "0" or "1" also matching values such as "10". -->
    <rule id="64521" level="3">
        <if_sid>64520</if_sid>
        <field name="severity">^0$</field>
        <description>Low critical Maltrail event triggered</description>
    </rule>

    <rule id="64522" level="7">
        <if_sid>64520</if_sid>
        <field name="severity">^1$</field>
        <description>Medium critical Maltrail event triggered</description>
    </rule>

    <rule id="64523" level="10">
        <if_sid>64520</if_sid>
        <field name="severity">^2$</field>
        <description>High critical Maltrail event triggered</description>
    </rule>

</group>
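As an added offline check (not part of the post or of the Wazuh PR), the following Python re-implements the decoder's field extraction and the severity-to-level mapping of rules 64521-64523, so you can confirm what the decoder should produce for a Maltrail CEF line before running it through wazuh-logtest. The regex is a PCRE translation of the OSSEC one (in OSSEC regex `\.` means "any character", so `(\.+)` becomes `(.+?)` here), and severity is treated as an exact match.

```python
import re

# Constructed sample line, same format as the Maltrail CEF log shown above.
SAMPLE_LOG = ("Dec 23 14:55:34 OPNsense.localdomain CEF: 0|Maltrail|sensor|0.26.1|2020-12-23|"
              "long domain (suspicious)|0|src=172.24.68.133 spt=55989 dst=8.8.8.8 dpt=53 "
              "trail=(q6pmisvlqpgxptq1s6psghvyoqali.uribl).rspamd.com ref=(heuristic)")

# The 13 field names, in the same order as the decoder's <order> element.
FIELDS = ["code", "application", "type", "version", "date", "category", "severity",
          "srcip", "srcport", "dstip", "dstport", "trail", "ref"]

# Syslog header, program name "CEF:", then the same 13 capture groups as the decoder.
CEF_RE = re.compile(
    r"^\w{3} +\d+ \d\d:\d\d:\d\d \S+ CEF: "
    r"(\w+)\|(\w+)\|(\w+)\|(.+?)\|(\d+-\d+-\d+)\|(.+?)\|(\d+)\|"
    r"src=(\d+\.\d+\.\d+\.\d+) spt=(\d+) dst=(\d+\.\d+\.\d+\.\d+) dpt=(\d+) "
    r"trail=(\S+) ref=(.+)$"
)

# Mirrors rules 64521-64523: Maltrail severity value -> (rule id, alert level).
SEVERITY_RULES = {"0": (64521, 3), "1": (64522, 7), "2": (64523, 10)}


def decode(line):
    """Return the decoded fields as a dict, or None if the line is not a Maltrail CEF event."""
    m = CEF_RE.match(line)
    if not m:
        return None
    return dict(zip(FIELDS, m.groups()))


def match_rule(fields):
    """Return (rule id, level) the way the rule chain would fire.

    Unknown severities only hit the grouping rule 64520 at level 0 (no alert).
    """
    if fields is None:
        return None
    return SEVERITY_RULES.get(fields["severity"], (64520, 0))


if __name__ == "__main__":
    decoded = decode(SAMPLE_LOG)
    for name in FIELDS:
        print(f"{name:12} {decoded[name]}")
    print("rule/level:", match_rule(decoded))
```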