Rules/decoders for ownCloud

[ghost]

My first dive into this topic, feedback is very welcome.

Cross-Ref: ossec/ossec-hids#1246

[jesuslinares]

Hi @kdslkdsaldsal,

it is a great job!.

Keep on mind that Wazuh 3.0 is able to decode JSON events automatically, so you don't need to create the decoders. Example: https://github.com/wazuh/wazuh-ruleset/blob/master/rules/0475-suricata_rules.xml

Also, this decoder is capturing several events, not only ownCloud:

<decoder name="owncloud">
  <prematch>^{"\S+":"\S+","\S+":"\S+</prematch>
</decoder>

Please, change the parent decoder to something more specific or adapt them to Wazuh 3.0.

Thanks a lot.

[ghost]

@jesuslinares
Hey, thanks for your review. I thought this might be too unspecific but wasn't sure. Unfortunately the logformat of ownCloud is quite messy and unstable as you can see from the examples 😞

What about matching for:

^{"reqId":"\S+","\S+":"\S+|^{"app":"\S+","\S+":"\S+

at the beginning? Or is this still to unspecific?

But i will have another look tomorrow, maybe i can use a <regex> instead of the <prematch> which gives me a little more freedom in the initial decoder match.

[ghost]

@jesuslinares Updated the prematch (got a "No 'prematch' found in decoder: 'owncloud'." when trying to use only a regex). Hope this makes the decoder more specific.

[ghost]

Seems they have changed the log order / syntax once more in ownCloud 10: owncloud/core#27562

Just updated this PR to catch those logs as well.

Cross-Ref: ossec/ossec-hids#1260

[jesuslinares]

Good job!. Thanks for your contribution.