From c12cdbe8f026596432642e89a385abeeab938325 Mon Sep 17 00:00:00 2001
From: eliasgrana <43425223+eliasgrana@users.noreply.github.com>
Date: Tue, 7 Apr 2020 17:12:14 +0200
Subject: [PATCH 1/7] Create 0495-wazuh-api_decoders.xml

---
 decoders/0495-wazuh-api_decoders.xml | 68 ++++++++++++++++++++++++++++
 1 file changed, 68 insertions(+)
 create mode 100644 decoders/0495-wazuh-api_decoders.xml

diff --git a/decoders/0495-wazuh-api_decoders.xml b/decoders/0495-wazuh-api_decoders.xml
new file mode 100644
index 000000000..d10c0ad4a
--- /dev/null
+++ b/decoders/0495-wazuh-api_decoders.xml
@@ -0,0 +1,68 @@
+<!--
+  -  WazuhAPI decoders
+  -  Author: Daniel Moreno
+  -  Updated by Wazuh, Inc.
+  -  Copyright (C) 2015-2019, Wazuh Inc.
+  -  This program is a free software; you can redistribute it and/or modify it under the terms of GPLv2.
+-->
+
+<decoder name="wazuhapi">
+  <prematch>WazuhAPI </prematch>
+</decoder>
+
+<!-- WazuhAPI 2019-02-27 15:23:17 user: [::ffff:11.0.0.19] GET /version? - 200 - error: '0'. -->
+
+  <decoder name="wazuhapi_requests">
+    <parent>wazuhapi</parent>
+    <prematch>\d+-\d+-\d+ \d+:\d+:\d+ \S+: [\S+] \w+ \S+ - \d+</prematch>
+    <regex offset="after_parent">(\d+-\d+-\d+ \d+:\d+:\d+) (\S+): [(\S+)] (\w+) (\S+) - \d+ - error: '(\d+)'</regex>
+    <order>timestamp,apiuser,remoteaddress,method,request,errorcode</order>
+  </decoder>
+
+<!-- WazuhAPI 2019-03-19 13:46:48 foo: Agent does not exist: 500 --> <!-- exceptions -->
+  <!-- This is a generic exception log, the decoder should work for every exception -->
+  <decoder name="wazuhapi_exceptions">
+    <parent>wazuhapi</parent>
+    <prematch></prematch>
+    <regex offset="after_parent">(\d+-\d+-\d+ \d+:\d+:\d+) (\S+): (\.+): \d+</regex>
+    <order>timestamp,apiuser,exception_message</order>
+  </decoder>
+
+<!-- WazuhAPI 2019-02-27 15:22:22 : Listening on: http://:::55000 -->
+
+  <decoder name="wazuhapi_listening">
+    <parent>wazuhapi</parent>
+    <prematch>Listening on</prematch>
+    <regex offset="after_parent">(\d+-\d+-\d+ \d+:\d+:\d+) : Listening on: (\.+)</regex>
+    <order>timestamp,apiurl</order>
+  </decoder>
+
+
+<!-- WazuhAPI 2019-03-18 16:08:13 user: [::1] User: "user" - Authentication failed. -->
+
+  <decoder name="wazuhapi_authfail">
+    <parent>wazuhapi</parent>
+    <prematch>Authentication failed</prematch>
+    <regex offset="after_parent">(\d+-\d+-\d+ \d+:\d+:\d+) (\S+):\.+ Authentication failed</regex>
+    <order>timestamp,apiuser</order>
+  </decoder>
+
+
+
+<!-- WazuhAPI 2019-03-18 16:08:13 Error: Address in use (port "550"): Close the program using that port or change the port. -->
+
+  <decoder name="wazuhapi_porterror">
+    <parent>wazuhapi</parent>
+    <prematch>Address in use</prematch>
+    <regex offset="after_parent">(\d+-\d+-\d+ \d+:\d+:\d+) Error: Address in use \(port "(\d+)"\)</regex>
+    <order>timestamp,port</order>
+  </decoder>
+
+<!-- WazuhAPI 2019-03-18 16:08:13 : [::1] Authentication error: 15 - Error message -->
+
+  <decoder name="wazuhapi_autherror">
+    <parent>wazuhapi</parent>
+    <prematch>Authentication error</prematch>
+    <regex offset="after_parent">(\d+-\d+-\d+ \d+:\d+:\d+) : [\.+] Authentication error: (\d+) - (\.+)</regex>
+    <order>timestamp,auth_error,error_message</order>
+  </decoder>

From 10ebccae8268b44a8038f5501133ca81835177a3 Mon Sep 17 00:00:00 2001
From: eliasgrana <43425223+eliasgrana@users.noreply.github.com>
Date: Tue, 7 Apr 2020 17:14:00 +0200
Subject: [PATCH 2/7] Create 0685-wazuh-api_rules.xml

---
 rules/0685-wazuh-api_rules.xml | 165 +++++++++++++++++++++++++++++++++
 1 file changed, 165 insertions(+)
 create mode 100644 rules/0685-wazuh-api_rules.xml

diff --git a/rules/0685-wazuh-api_rules.xml b/rules/0685-wazuh-api_rules.xml
new file mode 100644
index 000000000..6c9d8a089
--- /dev/null
+++ b/rules/0685-wazuh-api_rules.xml
@@ -0,0 +1,165 @@
+<!--
+  -  WazuhAPI rules
+  -  Author: Daniel Moreno
+  -  Updated by Wazuh, Inc.
+  -  Copyright (C) 2015-2020, Wazuh Inc.
+  -  This program is a free software; you can redistribute it and/or modify it under the terms of GPLv2.
+-->
+
+<group name="wazuhapi">
+
+  <rule id="30000" level="0">
+    <decoded_as>wazuhapi</decoded_as>
+    <description></description>
+  </rule>
+
+<!-- WazuhAPI 2019-02-27 15:23:17 user: [::ffff:11.0.0.19] GET /version? - 200 - error: '0'. -->
+  <rule id="30001" level="3">
+    <if_sid>30000</if_sid>
+    <regex>^WazuhAPI \d+-\d+-\d+ \d+:\d+:\d+ \S+: [(\S+)] \w+ \S+ - \d+</regex>
+    <description>Wazuh API request received.</description>
+  </rule>
+
+  <!-- Childs -->
+
+    <rule id="30002" level="3">
+      <if_sid>30001</if_sid>
+      <match>GET</match>
+      <description>Wazuh API GET request received.</description>
+    </rule>
+
+      <rule id="30003" level="8">
+        <if_sid>30002</if_sid>
+        <description>Wazuh API request $(method) $(request) with error code $(errorcode)</description>
+      </rule>
+
+      <rule id="30004" level="3">
+        <if_sid>30003</if_sid>
+        <field name="errorcode">0</field>
+        <description>Wazuh API request $(method) $(request)</description>
+      </rule>
+
+    <rule id="30005" level="7">
+      <if_sid>30001</if_sid>
+      <match>POST</match>
+      <description>Wazuh API request POST received.</description>
+    </rule>
+
+      <rule id="30006" level="7">
+        <if_sid>30005</if_sid>
+        <description>Wazuh API request $(method) $(request) with error code $(errorcode)</description>
+      </rule>
+
+      <rule id="30007" level="7">
+        <if_sid>30005</if_sid>
+        <field name="errorcode">0</field>
+        <description>Wazuh API request $(method) $(request)</description>
+      </rule>
+
+    <rule id="30008" level="10">
+      <if_sid>30001</if_sid>
+      <match>DELETE</match>
+      <description>Wazuh API request DELETE received.</description>
+    </rule>
+
+      <rule id="30009" level="3">
+        <if_sid>30008</if_sid>
+        <description>Wazuh API request $(method) $(request) got the error $(errorcode)</description>
+      </rule>
+
+      <rule id="30010" level="3">
+        <if_sid>30008</if_sid>
+        <field name="errorcode">0</field>
+        <description>Wazuh API request $(method) $(request)</description>
+      </rule>
+
+    <rule id="30011" level="7">
+      <if_sid>30001</if_sid>
+      <match>PUT</match>
+      <description>Wazuh API request PUT received.</description>
+    </rule>
+
+    <rule id="30012" level="3">
+        <if_sid>30011</if_sid>
+        <description>Wazuh API request $(method) $(request) got the error $(errorcode)</description>
+      </rule>
+
+    <rule id="30013" level="3">
+      <if_sid>30011</if_sid>
+      <field name="errorcode">0</field>
+      <description>Wazuh API request $(method) $(request)</description>
+    </rule>
+
+
+<!-- WazuhAPI 2019-03-19 13:46:48 foo: Agent does not exist: 500 --> <!-- exceptions -->
+  <!-- This is a generic exception log, the rule should work for every exception -->
+  <rule id="30014" level="12">
+    <if_sid>30000</if_sid>
+    <regex>^WazuhAPI \d+-\d+-\d+ \d+:\d+:\d+ \S+: \.+: \d+</regex>
+    <description>An exception was given, the message is: $(exception_message)</description>
+  </rule>
+
+<!-- app.js logs -->
+  <!-- WazuhAPI 2019-03-18 16:08:13 user: [::1] User: "user" - Authentication failed. -->
+    <rule id="30015" level="9">
+      <if_sid>30000</if_sid>
+      <match>Authentication failed</match>
+      <description>Authentication with api from user $(apiuser) failed.</description>
+    </rule>
+
+  <!-- WazuhAPI 2019-03-18 16:08:13 : [::1] Authentication error: 15 - Error message -->
+    <rule id="30016" level="9">
+      <if_sid>30000</if_sid>
+      <match>Authentication error</match>
+      <description>Authentication with api failed with the error $(auth_error) and the message: $(error_message).</description>
+    </rule>
+
+  <!-- WazuhAPI 2019-03-18 16:08:13 user: Internal Error -->
+    <rule id="30017" level="12">
+      <if_sid>30000</if_sid>
+      <match>Internal Error</match>
+      <description>Internal error detected in the API.</description>
+    </rule>
+
+    <!-- WazuhAPI 2019-03-18 16:08:13 user: Internal Error: uncaughtException -->
+      <rule id="30018" level="12">
+        <if_sid>30017</if_sid>
+        <match>Internal Error: uncaughtException</match>
+        <description>Internal error detected in the API, an uncaught exception was thrown.</description>
+      </rule>
+
+  <!-- WazuhAPI 2019-03-18 16:08:13 user: Exiting... -->
+    <rule id="30019" level="10">
+      <if_sid>30000</if_sid>
+      <match>Exiting...</match>
+      <description>The API has just exited.</description>
+    </rule>
+
+    <!-- Childs -->
+
+      <rule id="30020" level="10">
+        <if_sid>30019</if_sid>
+        <match>Exiting... (SIGTERM)</match>
+        <description>The API has just exited. (SIGTERM)</description>
+      </rule>
+
+      <rule id="30021" level="10">
+        <if_sid>30019</if_sid>
+        <match>Exiting... (SIGINT)</match>
+        <description>The API has just exited. (SIGINT)</description>
+      </rule>
+  <!-- WazuhAPI 2019-02-27 15:22:22 : Listening on: http://:::55000 -->
+    <rule id="30022" level="3">
+      <if_sid>30000</if_sid>
+      <match>Listening on</match>
+      <description>Api is hearing at $(apiurl)</description>
+    </rule> 
+
+  <!-- WazuhAPI 2019-03-18 16:08:13 Error: Address in use (port "550"): Close the program using that port or change the port. -->
+    <rule id="30023" level="10">
+      <if_sid>30000</if_sid>
+      <match>Address in use</match>
+      <description>Another instance is using the port $(port)</description>
+    </rule>
+
+</group>

From e252b7dcab8d88a3f938453fa70f7009ca35aecd Mon Sep 17 00:00:00 2001
From: eliasgrana <43425223+eliasgrana@users.noreply.github.com>
Date: Tue, 7 Apr 2020 17:14:47 +0200
Subject: [PATCH 3/7] Update copyright

---
 decoders/0495-wazuh-api_decoders.xml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/decoders/0495-wazuh-api_decoders.xml b/decoders/0495-wazuh-api_decoders.xml
index d10c0ad4a..593299fee 100644
--- a/decoders/0495-wazuh-api_decoders.xml
+++ b/decoders/0495-wazuh-api_decoders.xml
@@ -2,7 +2,7 @@
   -  WazuhAPI decoders
   -  Author: Daniel Moreno
   -  Updated by Wazuh, Inc.
-  -  Copyright (C) 2015-2019, Wazuh Inc.
+  -  Copyright (C) 2015-2020, Wazuh Inc.
   -  This program is a free software; you can redistribute it and/or modify it under the terms of GPLv2.
 -->
 

From 0d858020ab8e74126e6446d19acb1c4d9ab0072e Mon Sep 17 00:00:00 2001
From: eliasgrana <43425223+eliasgrana@users.noreply.github.com>
Date: Tue, 7 Apr 2020 17:16:06 +0200
Subject: [PATCH 4/7] Create api.ini

---
 tools/rules-testing/tests/api.ini | 53 +++++++++++++++++++++++++++++++
 1 file changed, 53 insertions(+)
 create mode 100644 tools/rules-testing/tests/api.ini

diff --git a/tools/rules-testing/tests/api.ini b/tools/rules-testing/tests/api.ini
new file mode 100644
index 000000000..cd4f9817f
--- /dev/null
+++ b/tools/rules-testing/tests/api.ini
@@ -0,0 +1,53 @@
+[Request to the api with errorcode 0]
+log 1 pass = WazuhAPI 2019-02-27 15:23:17 user: [::ffff:11.0.0.19] GET /version? - 200 - error: '0'.
+rule = 30004
+alert = 3
+decoder = wazuhapi
+
+[Generic exception message when the API is set in error mode]
+log 1 pass = WazuhAPI 2019-03-19 13:46:48 foo: Agent does not exist: 500 --> <!-- exceptions
+rule = 30014
+alert = 12
+decoder = wazuhapi
+
+[Incorrect login because of username]
+log 1 pass = WazuhAPI 2019-03-18 16:08:13 user: [::1] User: "user" - Authentication failed.
+rule = 30015
+alert = 9
+decoder = wazuhapi
+
+[Incorrect login because of error]
+log 1 pass = WazuhAPI 2019-03-18 16:08:13 : [::1] Authentication error: 15 - Error message
+rule = 30016
+alert = 9
+decoder=wazuhapi
+
+[Internal error from the API]
+log 1 pass = WazuhAPI 2019-03-18 16:08:13 user: Internal Error
+rule = 30017
+alert = 12
+decoder=wazuhapi
+
+[The API is exiting]
+log 1 pass = WazuhAPI 2019-03-18 16:08:13 user: Exiting...
+rule = 30019
+alert = 10
+decoder=wazuhapi
+
+[The API is now hearing]
+log 1 pass = WazuhAPI 2019-02-27 15:22:22 : Listening on: http://:::55000
+rule = 30022
+alert = 3
+decoder = wazuhapi
+
+[Error in the API because of the port]
+log 1 pass = WazuhAPI 2019-03-18 16:08:13 Error: Address in use (port "550"): Close the program using that port or change the port.
+rule = 30023
+alert = 10
+decoder = wazuhapi
+
+[Internal error in the API uncaught]
+log 1 pass = WazuhAPI 2019-03-18 16:08:13 user: Internal Error: uncaughtException
+rule = 30018
+alert = 12
+decoder=wazuhapi

From 997432c1c95a79a9155eb22bceb4c3d7662c2f92 Mon Sep 17 00:00:00 2001
From: eliasgrana <43425223+eliasgrana@users.noreply.github.com>
Date: Tue, 7 Apr 2020 17:35:08 +0200
Subject: [PATCH 5/7] Rename 0495-wazuh-api_decoders.xml to 0500-...

---
 .../{0495-wazuh-api_decoders.xml => 0500-wazuh-api_decoders.xml}  | 0
 1 file changed, 0 insertions(+), 0 deletions(-)
 rename decoders/{0495-wazuh-api_decoders.xml => 0500-wazuh-api_decoders.xml} (100%)

diff --git a/decoders/0495-wazuh-api_decoders.xml b/decoders/0500-wazuh-api_decoders.xml
similarity index 100%
rename from decoders/0495-wazuh-api_decoders.xml
rename to decoders/0500-wazuh-api_decoders.xml

From af54ddbc725964b095faaff6fafd6e5d52743ba8 Mon Sep 17 00:00:00 2001
From: eliasgrana <43425223+eliasgrana@users.noreply.github.com>
Date: Tue, 7 Apr 2020 17:35:57 +0200
Subject: [PATCH 6/7] Rename 0685-wazuh-api_rules.xml to 0690-...

---
 rules/{0685-wazuh-api_rules.xml => 0690-wazuh-api_rules.xml} | 0
 1 file changed, 0 insertions(+), 0 deletions(-)
 rename rules/{0685-wazuh-api_rules.xml => 0690-wazuh-api_rules.xml} (100%)

diff --git a/rules/0685-wazuh-api_rules.xml b/rules/0690-wazuh-api_rules.xml
similarity index 100%
rename from rules/0685-wazuh-api_rules.xml
rename to rules/0690-wazuh-api_rules.xml

From 9a19ecc6492b4705b60425826b3f1b475d00bd0f Mon Sep 17 00:00:00 2001
From: eliasgrana <43425223+eliasgrana@users.noreply.github.com>
Date: Wed, 8 Apr 2020 16:57:32 +0200
Subject: [PATCH 7/7] Add description to rule id = 30000

---
 rules/0690-wazuh-api_rules.xml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/rules/0690-wazuh-api_rules.xml b/rules/0690-wazuh-api_rules.xml
index 6c9d8a089..aa0221625 100644
--- a/rules/0690-wazuh-api_rules.xml
+++ b/rules/0690-wazuh-api_rules.xml
@@ -10,7 +10,7 @@
 
   <rule id="30000" level="0">
     <decoded_as>wazuhapi</decoded_as>
-    <description></description>
+    <description>Wazuh API messages grouped.</description>
   </rule>
 
 <!-- WazuhAPI 2019-02-27 15:23:17 user: [::ffff:11.0.0.19] GET /version? - 200 - error: '0'. -->