Problem with rules based on time options


serano...@gmail.com

Nov 2, 2022, 11:49:16 AM11/2/22
to Wazuh mailing list
Hi All.

I've configured into my manager 4.2.7 this rule to be triggered anytime someone accesses my Fortigate firewalls between 8 PM and 7:30 AM

    <rule id="222044" level="12">
        <if_sid>222026</if_sid>
        <time>8 pm - 7:30 am</time>
        <description>Night Activity - Fortigate: User successfully logged into firewall interface.</description>
        <group>night_activity,fgt_login_success,</group>
    </rule>

But I see that this rule is triggered if someone accesses the firewall even after 7:30 AM and until 9:30 AM

It looks like a timezone problem, but I've already checked the Wazuh Manager machine and it is set correctly (Europe/Italy), and even the firewall timezone is correct.

Is there another configuration I'm missing?

Have a nice day guys.

Fabricio Brunetti

Nov 2, 2022, 12:28:42 PM11/2/22
to Wazuh mailing list
Hi Stefano,

The time tag can be a little tricky.
One thing to keep in mind is that the time evaluated is not the log timestamp but the time when the log is decoded by the manager. Are you sure
Could you share a sample log to test your rule? Please do check that the local time in your Wazuh manager is correct.

Regards,
Fabricio

Stefano Serano

Nov 3, 2022, 3:59:05 AM11/3/22
to Wazuh mailing list
Hi Fabricio.
Thanks for your support, here is the log:

date=2022-11-02 time=07:26:25 devname="FGT80E-Master" devid="FGT801111111" eventtime=1667373984821812261 tz="+0100" logid="0100032001" type="event" subtype="system" level="information" vd="root" logdesc="Admin login successful" sn="1667373984" user="admin" ui="https(2.2.2.2)" method="https" srcip=1.1.1.1 dstip=2.2.2.2 action="login" status="success" reason="none" profile="super_admin" msg="Administrator admin logged in successfully from https(1.1.1.1)"

I've noticed one thing: if in Kibana I switch to the JSON format of the log in Discover, I see that the timestamp just below the full log is correct:

[screenshot: image.png]

but back in table format:

[screenshot: image.png]

Let me know, have a nice day.



Fabricio Brunetti

Nov 6, 2022, 6:20:37 PM11/6/22
to Wazuh mailing list
Hi Stefano, sorry about the delay in my answer.
I did test your decoders and rules and they are working as intended.
I will check with the team what might be happening with the changing timestamp between the JSON log and the table format.
I am guessing that the system time in your manager may be late by one hour.

Regards,
Fabricio

Stefano Serano

Nov 9, 2022, 2:32:49 AM11/9/22
to Fabricio Brunetti, Wazuh mailing list
Hi Fabricio
Thanks, let me know about it.

Stefano Serano

Nov 16, 2022, 11:15:45 AM11/16/22
to Fabricio Brunetti, Wazuh mailing list
Hi Fabricio
Problem fixed by searching the group:

mv /var/ossec/etc/localtime  /var/ossec/etc/localtime.BACKUP
cp /etc/localtime  /var/ossec/etc/localtime
chown root:wazuh  /var/ossec/etc/localtime
service wazuh-manager restart


Have a nice day.
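As an added illustration of the two points made in this thread (the time tag is checked against the manager's wall clock at decode time, not against the log's own timestamp, and the clock the manager sees is the one inside its /var/ossec chroot), here is a small Python model of how a window such as "8 pm - 7:30 am" is matched and how a wrong chroot timezone shifts the boundary. This is example code written for this page, not Wazuh's own implementation; the parsing and the inclusive, minute-resolution comparison are assumptions of the model, and the fixed +01:00 offset stands in for the poster's Europe/Italy setting in November (a real check would use zoneinfo.ZoneInfo("Europe/Rome")).

```python
"""Model of a Wazuh-style <time> window check (added example, not Wazuh code).

Assumptions of this model:
  * clock values look like '8 pm', '7:30 am' or '23:15';
  * the window is inclusive at both ends and compared at minute resolution;
  * a window whose end is earlier than its start wraps past midnight.
"""
import re
from datetime import date, datetime, time, timedelta, timezone

_CLOCK = re.compile(r"^\s*(\d{1,2})(?::(\d{2}))?\s*(am|pm)?\s*$", re.IGNORECASE)

# Constructed stand-ins for the poster's setup: CET in November is UTC+1
# (the sample log carries tz="+0100"); UTC is what a missing or stale
# /var/ossec/etc/localtime effectively gives a chrooted daemon.
CET = timezone(timedelta(hours=1), "CET")
UTC = timezone.utc


def parse_clock(text: str) -> time:
    """Turn '8 pm', '7:30 am' or '23:15' into a datetime.time."""
    m = _CLOCK.match(text)
    if not m:
        raise ValueError(f"bad clock value: {text!r}")
    hour, minute, ampm = int(m.group(1)), int(m.group(2) or 0), m.group(3)
    if ampm:
        if not 1 <= hour <= 12:
            raise ValueError(f"12-hour clock out of range: {text!r}")
        hour = hour % 12 + (12 if ampm.lower() == "pm" else 0)
    if not (0 <= hour <= 23 and 0 <= minute <= 59):
        raise ValueError(f"clock out of range: {text!r}")
    return time(hour, minute)


def parse_time_tag(tag: str) -> tuple[time, time]:
    """Split '8 pm - 7:30 am' into (start, end) times."""
    start, end = tag.split("-", 1)
    return parse_clock(start), parse_clock(end)


def in_window(clock: time, window: tuple[time, time]) -> bool:
    """True when clock lies inside the window; wraps past midnight if needed."""
    start, end = window
    if start <= end:
        return start <= clock <= end
    return clock >= start or clock <= end


def rule_matches(decoded_at_utc: datetime, tag: str, manager_tz) -> bool:
    """Evaluate the tag the way the thread describes: on the manager's local
    wall clock at the moment the event is decoded, in the zone the manager
    process actually resolves (manager_tz), not on the log's own timestamp."""
    local = decoded_at_utc.astimezone(manager_tz)
    clock = local.time().replace(second=0, microsecond=0)
    return in_window(clock, parse_time_tag(tag))


def effective_window_in(tag: str, manager_tz, shown_in_tz, on_date: date) -> tuple[time, time]:
    """Translate the window the manager enforces (in manager_tz) into the zone
    the administrator thinks in (shown_in_tz). DST changes inside the window
    are ignored; pick on_date accordingly."""
    start, end = parse_time_tag(tag)

    def convert(t: time) -> time:
        return datetime.combine(on_date, t, tzinfo=manager_tz).astimezone(shown_in_tz).time()

    return convert(start), convert(end)


if __name__ == "__main__":
    tag = "8 pm - 7:30 am"
    # The poster's sample login: 07:26:25 local (+0100) == 06:26:25 UTC.
    sample = datetime(2022, 11, 2, 6, 26, 25, tzinfo=UTC)
    print("07:26 CET, manager on CET ->", rule_matches(sample, tag, CET))   # True
    # A login at 08:15 local should be outside the window, but a manager
    # whose chroot resolves to UTC sees 07:15 and still fires.
    later = datetime(2022, 11, 2, 7, 15, 0, tzinfo=UTC)
    print("08:15 CET, manager on CET ->", rule_matches(later, tag, CET))    # False
    print("08:15 CET, manager on UTC ->", rule_matches(later, tag, UTC))    # True
    # The boundary the administrator actually gets when the chroot is on UTC:
    print("window on UTC, seen in CET ->", effective_window_in(tag, UTC, CET, date(2022, 11, 2)))
```

Under this model a manager that resolves its chroot clock to UTC enforces 21:00 to 08:30 local time instead of 20:00 to 07:30, which is the kind of late-morning firing the poster saw; the exact offset on a given system depends on what /var/ossec/etc/localtime resolves to, which is why the fix in the thread copies /etc/localtime into the chroot and restarts the manager.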