Can not generate alerts from events


Zamolxis

Jun 9, 2020, 7:48:42 PM
to ossec-list
Greetings,


I would appreciate some help with what seems to be a configuration issue of some sort because I am unable to generate the alerts.


The basic idea is that I want to process Avast events, triage them according to some rules and generate alerts.


I have modified ossec.conf on the host (the events are stored in FileSystemShield.txt)

<localfile>
<location>C:\ProgramData\Avast Software\Avast\report\FileSystemShield.txt</location>
<log_format>syslog</log_format>
</localfile>


On the server, I have the following modification:
etc/ossec.conf
<logall>yes</logall>

I can cause an event to happen on the Windows host and I can see that the event makes its way to the server
[root@WazuhDev] grep eicar /var/ossec/logs/archives/archives.log
2020 Jun 09 18:18:32 (DummyPA) 1.1.1.1->\ProgramData\Avast Software\Avast\report\FileSystemShield.txt 6/9/2020 2:18:32 PM C:\Users\Administrator\eicar.bat [L] EICAR Test-NOT virus!!! (0)
2020 Jun 09 18:39:19 (DummyPA) 1.1.1.1->\ProgramData\Avast Software\Avast\report\FileSystemShield.txt 6/9/2020 2:39:18 PM C:\Users\Administrator\eicar.bat [L] EICAR Test-NOT virus!!! (0)
 
Decoder
/var/ossec/etc/decoders/avast_decoder.xml

<decoder name="avast">
  <prematch>FileSystemShield.txt </prematch>
  <!--type>syslog</type-->
</decoder>

<decoder name="avast-shield">
  <parent>avast</parent>
  <prematch offset="after_parent">(\d+/\d+/\d+\s\d+:\d+:\d+\s\.M)</prematch>
  <regex offset="after_parent">(\d+/\d+/\d+\s\d+:\d+:\d+\s\.M)\t(\S:\\\S+)\s([\w])\s(\.*)\s(\(\d+\))$</regex>
  <order>av_tstamp,av_object_name,av_threat_severity,av_threat_description,av_error</order>
</decoder>

Rules
/var/ossec/etc/rules/avast_rules.xml

<group name="avast,windows,syslog,">
  <rule id="100100" level="0">
    <!--decoded_as>avast-shield</decoded_as / Causes alerts not to fire -->
    <if_sid>01</if_sid>
    <description>Avast Log Processing</description>
  </rule>

  <rule id="100101" level="8">
    <if_sid>100100</if_sid>
    <field name="av_threat_severity">[L]</field>
    <description>Threats have been detected</description>
    <group>virus,pci_dss_5.1,pci_dss_5.2,pci_dss_10.6.1,pci_dss_11.4,gpg13_4.2,gdpr_IV_35.7.d,hipaa_164.312.b,nist_800_53_SI.3,nist_800_53_AU.6,nist_800_53_SI.4,</group>
  </rule>

  <rule id="100102" level="0">
    <if_sid>100100</if_sid>
    <field name="av_threat_severity">[E]</field>
    <field name="av_error">\(42019\)</field>
    <description>Skipped due to Avast configuration exclusion</description>
    <group>virus,pci_dss_5.1,pci_dss_5.2,pci_dss_10.6.1,pci_dss_11.4,gpg13_4.2,gdpr_IV_35.7.d,hipaa_164.312.b,nist_800_53_SI.3,nist_800_53_AU.6,nist_800_53_SI.4,</group>
  </rule>

  <rule id="100103" level="0">
    <if_sid>100100</if_sid>
    <field name="av_threat_severity">[E]</field>
    <field name="av_error">\(5\)</field>
    <description>Access is denied</description>
    <group>virus,pci_dss_5.1,pci_dss_5.2,pci_dss_10.6.1,pci_dss_11.4,gpg13_4.2,gdpr_IV_35.7.d,hipaa_164.312.b,nist_800_53_SI.3,nist_800_53_AU.6,nist_800_53_SI.4,</group>
  </rule>

  <rule id="100104" level="7">
    <if_sid>100100</if_sid>
    <field name="av_threat_severity">[E]</field>
    <description>Error has been detected</description>
    <group>virus,pci_dss_5.1,pci_dss_5.2,pci_dss_10.6.1,pci_dss_11.4,gpg13_4.2,gdpr_IV_35.7.d,hipaa_164.312.b,nist_800_53_SI.3,nist_800_53_AU.6,nist_800_53_SI.4,</group>
  </rule>
</group>


Testing
I have stored a number of event variations in the file below
[root@WazuhDev] cat /tmp/input.txt
\ProgramData\Avast Software\Avast\report\FileSystemShield.txt 6/4/2020 3:35:33 PM       C:\Users\Administrator\Desktop\eicar6.bat [L] EICAR Test-NOT virus!!! (0)
\ProgramData\Avast Software\Avast\report\FileSystemShield.txt 6/4/2020 3:35:33 PM       D:\My_App\jakarta-tomcat-public\webapps\ROOT\WEB-INF\logs\srspublic.log.8 [E] Skipped due to exclusions settings. (42019)
\ProgramData\Avast Software\Avast\report\FileSystemShield.txt 6/4/2020 3:35:33 PM       C:\$Extend\$RmMetadata\$TxfLog\$Tops [E] Access is denied (5)
\ProgramData\Avast Software\Avast\report\FileSystemShield.txt 6/4/2020 3:35:33 PM       D:\My_App\jakarta-tomcat-publxxxxic\wes\srspublic.log.8 [E] Some weird error. (7742019)
\ProgramData\Avast Software\Avast\report\FileSystemShield.txt 6/8/2020 8:29:23 PM       C:\Users\Administrator\Desktop\zamolxis.bat [L] EICAR Test-NOT virus!!! (0)
Note: There is a tab between PM and the beginning of the file path.

Running ossec-logtest
[root@WazuhDev] cat /tmp/input.txt | /var/ossec/bin/ossec-logtest
2020/06/09 20:29:18 ossec-testrule: INFO: Started (pid: 1017).
ossec-testrule: Type one log per line.



**Phase 1: Completed pre-decoding.
       full event: '\ProgramData\Avast Software\Avast\report\FileSystemShield.txt 6/4/2020 3:35:33 PM   C:\Users\Administrator\Desktop\eicar6.bat [L] EICAR Test-NOT virus!!! (0)'
       timestamp: '(null)'
       hostname: 'WazuhDev'
       program_name: '(null)'
       log: '\ProgramData\Avast Software\Avast\report\FileSystemShield.txt 6/4/2020 3:35:33 PM  C:\Users\Administrator\Desktop\eicar6.bat [L] EICAR Test-NOT virus!!! (0)'

**Phase 2: Completed decoding.
       decoder: 'avast'
       av_tstamp: '6/4/2020 3:35:33 PM'
       av_object_name: 'C:\Users\Administrator\Desktop\eicar6.bat'
       av_threat_severity: '[L]'
       av_threat_description: 'EICAR Test-NOT virus!!!'
       av_error: '(0)'

**Phase 3: Completed filtering (rules).
       Rule id: '100101'
       Level: '8'
       Description: 'Threats have been detected'
**Alert to be generated.




**Phase 1: Completed pre-decoding.
       full event: '\ProgramData\Avast Software\Avast\report\FileSystemShield.txt 6/4/2020 3:35:33 PM   D:\My_App\jakarta-tomcat-public\webapps\ROOT\WEB-INF\logs\srspublic.log.8 [E] Skipped due to exclusions settings. (42019)'
       timestamp: '(null)'
       hostname: 'WazuhDev'
       program_name: '(null)'
       log: '\ProgramData\Avast Software\Avast\report\FileSystemShield.txt 6/4/2020 3:35:33 PM  D:\My_App\jakarta-tomcat-public\webapps\ROOT\WEB-INF\logs\srspublic.log.8 [E] Skipped due to exclusions settings. (42019)'

**Phase 2: Completed decoding.
       decoder: 'avast'
       av_tstamp: '6/4/2020 3:35:33 PM'
       av_object_name: 'D:\My_App\jakarta-tomcat-public\webapps\ROOT\WEB-INF\logs\srspublic.log.8'
       av_threat_severity: '[E]'
       av_threat_description: 'Skipped due to exclusions settings.'
       av_error: '(42019)'

**Phase 3: Completed filtering (rules).
       Rule id: '100102'
       Level: '0'
       Description: 'Skipped due to Avast configuration exclusion'


**Phase 1: Completed pre-decoding.
       full event: '\ProgramData\Avast Software\Avast\report\FileSystemShield.txt 6/4/2020 3:35:33 PM   C:\$Extend\$RmMetadata\$TxfLog\$Tops [E] Access is denied (5)'
       timestamp: '(null)'
       hostname: 'WazuhDev'
       program_name: '(null)'
       log: '\ProgramData\Avast Software\Avast\report\FileSystemShield.txt 6/4/2020 3:35:33 PM  C:\$Extend\$RmMetadata\$TxfLog\$Tops [E] Access is denied (5)'

**Phase 2: Completed decoding.
       decoder: 'avast'
       av_tstamp: '6/4/2020 3:35:33 PM'
       av_object_name: 'C:\$Extend\$RmMetadata\$TxfLog\$Tops'
       av_threat_severity: '[E]'
       av_threat_description: 'Access is denied'
       av_error: '(5)'

**Phase 3: Completed filtering (rules).
       Rule id: '100103'
       Level: '0'
       Description: 'Access is denied'


**Phase 1: Completed pre-decoding.
       full event: '\ProgramData\Avast Software\Avast\report\FileSystemShield.txt 6/4/2020 3:35:33 PM   D:\My_App\jakarta-tomcat-publxxxxic\wes\srspublic.log.8 [E] Some weird error. (7742019)'
       timestamp: '(null)'
       hostname: 'WazuhDev'
       program_name: '(null)'
       log: '\ProgramData\Avast Software\Avast\report\FileSystemShield.txt 6/4/2020 3:35:33 PM  D:\My_App\jakarta-tomcat-publxxxxic\wes\srspublic.log.8 [E] Some weird error. (7742019)'

**Phase 2: Completed decoding.
       decoder: 'avast'
       av_tstamp: '6/4/2020 3:35:33 PM'
       av_object_name: 'D:\My_App\jakarta-tomcat-publxxxxic\wes\srspublic.log.8'
       av_threat_severity: '[E]'
       av_threat_description: 'Some weird error.'
       av_error: '(7742019)'

**Phase 3: Completed filtering (rules).
       Rule id: '100104'
       Level: '7'
       Description: 'Error has been detected'
**Alert to be generated.




**Phase 1: Completed pre-decoding.
       full event: '\ProgramData\Avast Software\Avast\report\FileSystemShield.txt 6/8/2020 8:29:23 PM   C:\Users\Administrator\Desktop\zamolxis.bat [L] EICAR Test-NOT virus!!! (0)'
       timestamp: '(null)'
       hostname: 'WazuhDev'
       program_name: '(null)'
       log: '\ProgramData\Avast Software\Avast\report\FileSystemShield.txt 6/8/2020 8:29:23 PM  C:\Users\Administrator\Desktop\zamolxis.bat [L] EICAR Test-NOT virus!!! (0)'

**Phase 2: Completed decoding.
       decoder: 'avast'
       av_tstamp: '6/8/2020 8:29:23 PM'
       av_object_name: 'C:\Users\Administrator\Desktop\zamolxis.bat'
       av_threat_severity: '[L]'
       av_threat_description: 'EICAR Test-NOT virus!!!'
       av_error: '(0)'

**Phase 3: Completed filtering (rules).
       Rule id: '100101'
       Level: '8'
       Description: 'Threats have been detected'
**Alert to be generated.


Running ossec-logtest with verbose enabled (last event only)
**Phase 1: Completed pre-decoding.
       full event: '\ProgramData\Avast Software\Avast\report\FileSystemShield.txt 6/8/2020 8:29:23 PM   C:\Users\Administrator\Desktop\zamolxis.bat [L] EICAR Test-NOT virus!!! (0)'
       timestamp: '(null)'
       hostname: 'WazuhDev'
       program_name: '(null)'
       log: '\ProgramData\Avast Software\Avast\report\FileSystemShield.txt 6/8/2020 8:29:23 PM  C:\Users\Administrator\Desktop\zamolxis.bat [L] EICAR Test-NOT virus!!! (0)'

**Phase 2: Completed decoding.
       decoder: 'avast'
       av_tstamp: '6/8/2020 8:29:23 PM'
       av_object_name: 'C:\Users\Administrator\Desktop\zamolxis.bat'
       av_threat_severity: '[L]'
       av_threat_description: 'EICAR Test-NOT virus!!!'
       av_error: '(0)'

**Rule debugging:
    Trying rule: 1 - Generic template for all syslog rules.
       *Rule 1 matched.
       *Trying child rules.
    Trying rule: 600 - Active Response Messages Grouped
    <snip>
    Trying rule: 64220 - Checkpoint events.
    Trying rule: 100100 - Avast Log Processing
       *Rule 100100 matched.
       *Trying child rules.
    Trying rule: 100102 - Skipped due to Avast configuration exclusion
    Trying rule: 100103 - Access is denied
    Trying rule: 100101 - Threats have been detected
       *Rule 100101 matched.

**Phase 3: Completed filtering (rules).
       Rule id: '100101'
       Level: '8'
       Description: 'Threats have been detected'
**Alert to be generated.




Everything works properly when running ossec-logtest, however when I check for alerts in /var/ossec/logs/alerts/alerts.log or /var/ossec/logs/alerts/alerts.json there are no alerts being generated/logged. I have also visually inspected alerts.log/json and there is no alert being generated.

Any help much appreciated. Thank you.

Zamolxis

Jun 10, 2020, 8:40:47 PM
to ossec-list
Found the problem.

archives/archives.log has the following entry
2020 Jun 09 18:18:32 (DummyPA) 1.1.1.1->\ProgramData\Avast Software\Avast\report\FileSystemShield.txt 6/9/2020 2:18:32 PM C:\Users\Administrator\eicar.bat [L] EICAR Test-NOT virus!!! (0)

I thought the event was
\ProgramData\Avast Software\Avast\report\FileSystemShield.txt 6/9/2020 2:18:32 PM C:\Users\Administrator\eicar.bat [L] EICAR Test-NOT virus!!! (0)

But in fact it was
6/9/2020 2:18:32 PM C:\Users\Administrator\eicar.bat [L] EICAR Test-NOT virus!!! (0)

Which causes the prematch I had in the decoder to skip that event.

I prepended 'Avast: ' to the message in the following way
<localfile>
  <log_format>syslog</log_format>
  <location>C:\ProgramData\Avast Software\Avast\report\FileSystemShield.txt</location>
  <out_format>Avast: $(log)</out_format>
</localfile>

And in the decoder I have changed 'FileSystemShield.txt ' with 'Avast: '.

Everything is working fine, the alerts are generated. 
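The two posts above can be reproduced outside OSSEC. The following is an added example, not code from the original thread or from the OSSEC/Wazuh project: it re-implements the avast-shield decoder regex and rules 100101-100104 from the first post in Python, emulates the agent's <out_format>, and runs both the original prematch ('FileSystemShield.txt ') and the fixed one ('Avast: ') over constructed sample payloads modelled on the lines in the post. The sample lines, the LOGTEST_LINE constant and the apply_out_format helper are assumptions made for the example; the decoder and rule logic mirror what the post shows.

```python
import re

# Constructed sample payloads, modelled on the lines in the post. This is what the
# agent actually ships for FileSystemShield.txt: the timestamp onward, with a tab
# between "PM" and the path, and no log-file path inside the message itself.
SAMPLE_LOGS = [
    "6/9/2020 2:18:32 PM\tC:\\Users\\Administrator\\eicar.bat [L] EICAR Test-NOT virus!!! (0)",
    "6/4/2020 3:35:33 PM\tD:\\My_App\\jakarta-tomcat-public\\webapps\\ROOT\\WEB-INF\\logs\\srspublic.log.8 [E] Skipped due to exclusions settings. (42019)",
    "6/4/2020 3:35:33 PM\tC:\\$Extend\\$RmMetadata\\$TxfLog\\$Tops [E] Access is denied (5)",
    "6/4/2020 3:35:33 PM\tD:\\My_App\\jakarta-tomcat-publxxxxic\\wes\\srspublic.log.8 [E] Some weird error. (7742019)",
]

# Constructed copy of what was fed to ossec-logtest in the first post: the same
# event, but with the log-file path pasted in front of it.
LOGTEST_LINE = ("\\ProgramData\\Avast Software\\Avast\\report\\FileSystemShield.txt "
                "6/4/2020 3:35:33 PM\tC:\\Users\\Administrator\\Desktop\\eicar6.bat [L] EICAR Test-NOT virus!!! (0)")

# The post's avast-shield regex translated from OSSEC syntax to Python:
# OSSEC "\." is any character, "\S" is non-space, and "[\w]" is a literal '[',
# one word character and a literal ']' (which is why logtest shows '[L]').
EVENT_RE = re.compile(
    r"(\d+/\d+/\d+\s\d+:\d+:\d+\s.M)\t(\S:\\\S+)\s(\[\w\])\s(.*)\s(\(\d+\))$"
)
FIELDS = ("av_tstamp", "av_object_name", "av_threat_severity",
          "av_threat_description", "av_error")


def apply_out_format(out_format, log):
    """Emulate the agent's <out_format>; only the $(log) placeholder is expanded here."""
    return out_format.replace("$(log)", log)


def decode(message, prematch):
    """Parent decoder: the prematch string must occur. Child decoder: the regex runs
    after the prematch and fills the five fields. Returns None when the parent never
    matches, which is the failure mode in the post (no fields, so 100101 cannot fire)."""
    at = message.find(prematch)
    if at < 0:
        return None
    m = EVENT_RE.search(message[at + len(prematch):])
    if m is None:
        return {}  # parent matched but the child regex did not
    return dict(zip(FIELDS, m.groups()))


def triage(fields):
    """Rules 100101-100104 from the post. Level-0 rules are tried before the
    level-8/7 ones, matching the order logtest printed (100102, 100103, 100101)."""
    sev = fields.get("av_threat_severity")
    err = fields.get("av_error")
    if sev == "[E]" and err == "(42019)":
        return (100102, 0, "Skipped due to Avast configuration exclusion")
    if sev == "[E]" and err == "(5)":
        return (100103, 0, "Access is denied")
    if sev == "[L]":
        return (100101, 8, "Threats have been detected")
    if sev == "[E]":
        return (100104, 7, "Error has been detected")
    return (100100, 0, "Avast Log Processing")


def alert_for(log, out_format, prematch):
    """End to end: agent out_format -> parent/child decoder -> rules.
    Returns (rule_id, level, description) when a level > 0 rule matches, else None."""
    fields = decode(apply_out_format(out_format, log), prematch)
    if not fields:
        return None
    rule_id, level, desc = triage(fields)
    return (rule_id, level, desc) if level > 0 else None


if __name__ == "__main__":
    # "$(log)" alone models an agent with no <out_format> set.
    for log in SAMPLE_LOGS:
        before = alert_for(log, "$(log)", "FileSystemShield.txt ")
        after = alert_for(log, "Avast: $(log)", "Avast: ")
        print(f"original prematch: {before}  fixed prematch: {after}")
    print("logtest paste decodes:", decode(LOGTEST_LINE, "FileSystemShield.txt "))
```

Running it shows the discrepancy the second post found: the pasted logtest line still decodes under the original prematch because the file path was typed into the event by hand, while the real agent payload never contains 'FileSystemShield.txt ' and decodes to nothing, so only rule 1 can match and no alert is written. With the out_format prefix and the 'Avast: ' prematch, the EICAR line hits 100101 (level 8), the exclusion and access-denied lines are swallowed by the level-0 rules, and the unknown error reaches 100104 (level 7).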
