Suricata for windows agent


istecenter staj

Aug 29, 2022, 11:10:17 AM
to Wazuh mailing list
Hi,
I'm using the Windows 10 agent and the latest Wazuh version.
I want to monitor my network traffic with Suricata, but the Wazuh documentation only has pages for the Linux agent. I tried to install Suricata for my agent, but I can't see any logs on the Wazuh dashboard. Could you help me with this?

Christian Borla

Aug 29, 2022, 6:30:20 PM
to Wazuh mailing list
Hi!
I hope you are doing fine!
Yes, the Linux documentation is link.

Do you have any Suricata files from which to collect the event logs?
The idea is to collect events from files, as the Linux setup does with
  /var/log/suricata/fast.log
  /var/log/suricata/eve.json | jq .

On your agent side, add the localfile configuration to the ossec.conf file, with the path to your Suricata log file:

  <localfile>
    <log_format>json</log_format>
    <location>WINDOWS_PATH/eve.json</location>
  </localfile>

Restart the agent, and events should be collected and sent to the Wazuh manager.
Events should arrive in the archives.json file on the manager side.

To enable the archives.json file, edit /var/ossec/etc/ossec.conf on the manager side and add <logall_json>yes</logall_json>:

  <ossec_config>
    <global>
        <alerts_log>yes</alerts_log>
        <logall>yes</logall>
        <logall_json>yes</logall_json>
    </global>
  </ossec_config>

If you find some Suricata events in the archives.json file but don't have any Suricata alert, it means that the events arrive at the manager but the decoders and rules can't process them. Send me some Suricata logs from the archives.json file and we can check how to make them trigger an alert.
Regards.

istecenter staj

Aug 30, 2022, 4:12:08 AM
to Christian Borla, Wazuh mailing list
Hi,
I don't have any archives.json file, and when I write

 <global>
        <alerts_log>yes</alerts_log>
        <logall>yes</logall>
        <logall_json>yes</logall_json>
 </global>

into my ossec.conf file, it gives me this error:
[attached screenshot: image.png]
and I can't start it. What should I do?


istecenter staj

Aug 30, 2022, 4:29:39 AM
to Christian Borla, Wazuh mailing list
Hi,
I'm sorry, I didn't realize it was on the manager side. I've noticed it now and edited /var/ossec/etc/ossec.conf on the manager side to add

 <global>
        <alerts_log>yes</alerts_log>
        <logall>yes</logall>
        <logall_json>yes</logall_json>
 </global>

but I couldn't find the archives.json file. Where is it, and how can I find it?

Christian Borla

Aug 30, 2022, 8:51:45 AM
to Wazuh mailing list
Hi!
I hope you are doing fine!
Sorry, the archives.json file should be in /var/ossec/logs/archives/archives.json.
Could you share your localfile configuration from the agent-side ossec.conf?
Regards.

istecenter staj

Aug 30, 2022, 9:07:32 AM
to Christian Borla, Wazuh mailing list
Hi,
I'm using Linode for the Wazuh server.
I found the archives.json file, and when I ran "cat archives.json", the file started being written to the screen by itself. I saw some text but could not read all of it while it was being written. Then I wanted to read the whole file myself, but I don't know if it's because I'm using Linode, I can only see the last parts.
I am sharing the ossec.conf file with you as an attachment.

[attachment: ossec.conf]

Christian Borla

Aug 30, 2022, 12:12:33 PM
to Wazuh mailing list

Hi!
Ok, the localfile configuration looks good:

   <localfile>
    <log_format>json</log_format>
    <location>C:/Suricata/log/eve.json</location>
   </localfile>

You can look for some Suricata events on the agent side, in C:/Suricata/log/eve.json, and use those events to look for the same events in the archives.json file on the manager side.
The following command will be useful to filter Suricata events in archives.json:

cat /var/ossec/logs/archives/archives.json | grep "any suricata key word"

Also, we can use any log line from C:/Suricata/log/eve.json to start testing the decoding process. Could you share an event log?
Regards.
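The check suggested in the last two replies (look for Suricata events in the manager's archives.json and filter them out of the other agent traffic) as a small script. This is an added example, not part of the thread or of Wazuh itself: the archives.json lines below are constructed sample data, and their shape follows the alerts.json record posted later in this thread (one JSON object per line, the original Suricata fields under "data", the json decoder named in "decoder"). The agent name, ids and addresses are made up.

```python
import json
from collections import Counter

# Constructed sample of /var/ossec/logs/archives/archives.json lines (not
# captured from a real manager). Wazuh writes one JSON object per line; an
# event that went through the json decoder keeps its original fields under
# "data". Includes one non-Suricata Windows event, an empty line and a line
# cut off mid-write, as "tail -f" can show while the manager is still writing.
SAMPLE_ARCHIVES = "\n".join([
    json.dumps({
        "timestamp": "2022-08-30T10:00:01.000+0000",
        "agent": {"id": "001", "name": "win10-agent"},
        "manager": {"name": "wazuh-manager"},
        "id": "1661853601.1001",
        "decoder": {"name": "json"},
        "data": {"timestamp": "2022-08-30T13:00:00.000000+0300",
                 "event_type": "dns", "src_ip": "192.0.2.10",
                 "dns": {"type": "query", "rrname": "example.com"}},
        "location": "C:/Suricata/log/eve.json",
    }),
    json.dumps({
        "timestamp": "2022-08-30T10:00:09.000+0000",
        "agent": {"id": "001", "name": "win10-agent"},
        "manager": {"name": "wazuh-manager"},
        "id": "1661853609.1002",
        "decoder": {"name": "json"},
        "data": {"timestamp": "2022-08-30T13:00:08.000000+0300",
                 "event_type": "stats", "stats": {"uptime": "8"}},
        "location": "C:/Suricata/log/eve.json",
    }),
    json.dumps({  # a Windows event from the same agent, decoded differently
        "timestamp": "2022-08-30T10:00:10.000+0000",
        "agent": {"id": "001", "name": "win10-agent"},
        "manager": {"name": "wazuh-manager"},
        "id": "1661853610.1003",
        "decoder": {"name": "windows_eventchannel"},
        "data": {"win": {"system": {"eventID": "4624"}}},
        "location": "EventChannel",
    }),
    "",
    '{"truncated": "line cut off mid-wr',
])


def parse_archives(text):
    """Return every archives.json line that parses as a JSON object.

    Blank lines and lines that are not (yet) complete JSON are skipped rather
    than aborting the whole pass, so the script is safe to run on a live file.
    """
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            obj = json.loads(line)
        except json.JSONDecodeError:
            continue
        if isinstance(obj, dict):
            records.append(obj)
    return records


def is_suricata_event(record):
    """Suricata eve.json records arrive through the json decoder and always
    carry an event_type field; that pair is enough to tell them apart."""
    return (record.get("decoder", {}).get("name") == "json"
            and "event_type" in record.get("data", {}))


def suricata_events(records, location_hint="eve.json"):
    """Suricata records only, optionally narrowed to a given source file."""
    return [r for r in records
            if is_suricata_event(r) and location_hint in r.get("location", "")]


def count_by_event_type(records):
    """How many Suricata events of each type reached the manager."""
    return Counter(r["data"]["event_type"] for r in suricata_events(records))


def grep_lines(text, keyword):
    """The grep from the thread done in Python: raw lines containing keyword."""
    return [line for line in text.splitlines() if keyword in line]


if __name__ == "__main__":
    # For a real manager: parse_archives(open("/var/ossec/logs/archives/archives.json").read())
    records = parse_archives(SAMPLE_ARCHIVES)
    print("parsed", len(records), "records")
    print("Suricata events by type:", dict(count_by_event_type(records)))
    for line in grep_lines(SAMPLE_ARCHIVES, "Suricata"):
        print(line)
```

If the counts come back empty while the agent's eve.json clearly has new lines, the problem is between the agent and the manager (localfile path, agent restart, connectivity); if they are non-empty but nothing appears in alerts.json, the events are arriving and it is the rules that are not firing, which is the case the reply above asks to debug next.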

istecenter staj

Aug 31, 2022, 5:50:32 PM
to Christian Borla, Wazuh mailing list
Hi,
I am attaching some logs from C:/Suricata/log/eve.json as a file to this e-mail.
Also, I want to ask another question about my ossec.log file. I've started getting logs like these:

2022/09/01 00:21:39 wazuh-agent[2912] create_db.c:1194 at fim_check_ignore(): DEBUG: (6204): Ignoring 'file' 'c:\users\e\appdata\local\microsoft\edge\user data\default\service worker\cachestorage\3cedfb74d44f2e84198d23075aef16c34a668ceb\8a8da64e-8a94-4ec9-9368-ea0b86c63a3d\3c51ee5ce489651c_1' due to 'c:\users\e\appdata'
2022/09/01 00:21:39 wazuh-agent[2912] create_db.c:1194 at fim_check_ignore(): DEBUG: (6204): Ignoring 'file' 'c:\users\e\appdata\local\microsoft\edge\user data\default\service worker\cachestorage\3cedfb74d44f2e84198d23075aef16c34a668ceb\8a8da64e-8a94-4ec9-9368-ea0b86c63a3d\3cd866e73a37de35_0' due to 'c:\users\e\appdata'
2022/09/01 00:21:39 wazuh-agent[2912] create_db.c:1194 at fim_check_ignore(): DEBUG: (6204): Ignoring 'file' 'c:\users\e\appdata\local\microsoft\edge\user data\default\service worker\cachestorage\3cedfb74d44f2e84198d23075aef16c34a668ceb\8a8da64e-8a94-4ec9-9368-ea0b86c63a3d\3cd866e73a37de35_1' due to 'c:\users\e\appdata'
2022/09/01 00:21:39 wazuh-agent[2912] create_db.c:1194 at fim_check_ignore(): DEBUG: (6204): Ignoring 'file' 'c:\users\e\appdata\local\microsoft\edge\user data\default\service worker\cachestorage\3cedfb74d44f2e84198d23075aef16c34a668ceb\8a8da64e-8a94-4ec9-9368-ea0b86c63a3d\3ced48221a3caf50_0' due to 'c:\users\e\appdata'
2022/09/01 00:21:39 wazuh-agent[2912] create_db.c:1194 at fim_check_ignore(): DEBUG: (6204): Ignoring 'file' 'c:\users\e\appdata\local\microsoft\edge\user data\default\service worker\cachestorage\3cedfb74d44f2e84198d23075aef16c34a668ceb\8a8da64e-8a94-4ec9-9368-ea0b86c63a3d\3ced48221a3caf50_1' due to 'c:\users\e\appdata'
2022/09/01 00:21:39 wazuh-agent[2912] create_db.c:1194 at fim_check_ignore(): DEBUG: (6204): Ignoring 'file' 'c:\users\e\appdata\local\microsoft\edge\user data\default\service worker\cachestorage\3cedfb74d44f2e84198d23075aef16c34a668ceb\8a8da64e-8a94-4ec9-9368-ea0b86c63a3d\3d60f42542ed79ce_0' due to 'c:\users\e\appdata'
2022/09/01 00:21:39 wazuh-agent[2912] create_db.c:1194 at fim_check_ignore(): DEBUG: (6204): Ignoring 'file' 'c:\users\e\appdata\local\microsoft\edge\user data\default\service worker\cachestorage\3cedfb74d44f2e84198d23075aef16c34a668ceb\8a8da64e-8a94-4ec9-9368-ea0b86c63a3d\3d60f42542ed79ce_1' due to 'c:\users\e\appdata'
2022/09/01 00:21:39 wazuh-agent[2912] create_db.c:1194 at fim_check_ignore(): DEBUG: (6204): Ignoring 'file' 'c:\users\e\appdata\local\microsoft\edge\user data\default\service worker\cachestorage\3cedfb74d44f2e84198d23075aef16c34a668ceb\8a8da64e-8a94-4ec9-9368-ea0b86c63a3d\3ed0c431ee3ababe_0' due to 'c:\users\e\appdata'
2022/09/01 00:21:39 wazuh-agent[2912] create_db.c:1194 at fim_check_ignore(): DEBUG: (6204): Ignoring 'file' 'c:\users\e\appdata\local\microsoft\edge\user data\default\service worker\cachestorage\3cedfb74d44f2e84198d23075aef16c34a668ceb\8a8da64e-8a94-4ec9-9368-ea0b86c63a3d\3ed0c431ee3ababe_1' due to 'c:\users\e\appdata'
2022/09/01 00:21:39 wazuh-agent[2912] create_db.c:1194 at fim_check_ignore(): DEBUG: (6204): Ignoring 'file' 'c:\users\e\appdata\local\microsoft\edge\user data\default\service worker\cachestorage\3cedfb74d44f2e84198d23075aef16c34a668ceb\8a8da64e-8a94-4ec9-9368-ea0b86c63a3d\3faba575ceeb6200_0' due to 'c:\users\e\appdata'
2022/09/01 00:21:39 wazuh-agent[2912] create_db.c:1194 at fim_check_ignore(): DEBUG: (6204): Ignoring 'file' 'c:\users\e\appdata\local\microsoft\edge\user data\default\service worker\cachestorage\3cedfb74d44f2e84198d23075aef16c34a668ceb\8a8da64e-8a94-4ec9-9368-ea0b86c63a3d\3faba575ceeb6200_1' due to 'c:\users\e\appdata'

[attached screenshot: image.png]

[attached screenshot: image.png]

I have a lot of messages like these.

Because of our project, we use Chrome with the command: chrome.exe --user-data-dir="C://Chrome dev session" --disable-web-security.
So I'm wondering if these messages are important. By the way, I've got these messages too:

Could you help me with these errors too?
Regards.

[attachment: eve.txt]

Christian Borla

Sep 1, 2022, 5:28:07 PM
to Wazuh mailing list
Hi!
Sorry for the delay! I hope you are doing fine!
Regarding the new question, it would be better to create a new thread for it, so it stays easier to search for this kind of problem. And really, I can't see any known issue in the error. Please post a new thread for that.
On the other hand, I have been analyzing the Suricata events, and they include 2 example event types, STATS and DNS events. At the moment Wazuh supports the DNS event, but it doesn't fire an alert, because the rule has level 0.

Suricata default rules file:
/var/ossec/ruleset/rules/0475-suricata_rules.xml  (be careful, any change to this file will be reverted by a Wazuh upgrade)

DNS rule (if you want this kind of Suricata event to fire an alert, change the level to 3 or higher):

    <rule id="86603" level="0">
        <if_sid>86600</if_sid>
        <field name="event_type">^dns$</field>
        <description>Suricata: DNS.</description>
        <options>no_full_log</options>
    </rule>

Also, I created a new rule to process STATS:

    <rule id="86605" level="3">
        <if_sid>86600</if_sid>
        <field name="event_type">^stats$</field>
        <description>Suricata: STATS.</description>
        <options>no_full_log</options>
    </rule>

This new rule can be added to /var/ossec/etc/rules/local_rules.xml.
Remember to restart the manager after changing any rule.

After updating these rules, I pointed the Wazuh logcollector at a file similar to yours (localfile config), then pasted your Suricata example event into the file, and the following alert was fired.

STATS alert example (file /var/ossec/logs/alerts/alerts.json):
{"timestamp":"2022-09-01T18:06:57.613-0300","rule":{"level":3,"description":"Suricata: STATS.","id":"86605","firedtimes":1,"mail":false,"groups":["syscheck"]},"agent":{"id":"000","name":"VBox"},"manager":{"name":"VBox"},"id":"1662066417.4963461","decoder":{"name":"json"},"data":{"timestamp":"2022-08-29T13:28:12.179164+0300","event_type":"stats","stats":{"uptime":"73","capture":{"kernel_packets":"5416","kernel_drops":"0","kernel_ifdrops":"0"},"decoder":{"pkts":"5652","bytes":"5780995","invalid":"0","ipv4":"5652","ipv6":"0","ethernet":"5652","chdlc":"0","raw":"0","null":"0","sll":"0","tcp":"134","udp":"5517","sctp":"0","icmpv4":"1","icmpv6":"0","ppp":"0","pppoe":"0","geneve":"0","gre":"0","vlan":"0","vlan_qinq":"0","vxlan":"0","vntag":"0","ieee8021ah":"0","teredo":"0","ipv4_in_ipv6":"0","ipv6_in_ipv6":"0","mpls":"0","avg_pkt_size":"1022","max_pkt_size":"1514","max_mac_addrs_src":"0","max_mac_addrs_dst":"0","erspan":"0","event":{"ipv4":{"pkt_too_small":"0","hlen_too_small":"0","iplen_smaller_than_hlen":"0","trunc_pkt":"0","opt_invalid":"0","opt_invalid_len":"0","opt_malformed":"0","opt_pad_required":"0","opt_eol_required":"0","opt_duplicate":"0","opt_unknown":"0","wrong_ip_version":"0","icmpv6":"0","frag_pkt_too_large":"0","frag_overlap":"0","frag_ignored":"0"},"icmpv4":{"pkt_too_small":"0","unknown_type":"0","unknown_code":"0","ipv4_trunc_pkt":"0","ipv4_unknown_ver":"0"},"icmpv6":{"unknown_type":"0","unknown_code":"0","pkt_too_small":"0","ipv6_unknown_version":"0","ipv6_trunc_pkt":"0","mld_message_with_invalid_hl":"0","unassigned_type":"0","experimentation_type":"0"},"ipv6":{"pkt_too_small":"0","trunc_pkt":"0","trunc_exthdr":"0","exthdr_dupl_fh":"0","exthdr_useless_fh":"0","exthdr_dupl_rh":"0","exthdr_dupl_hh":"0","exthdr_dupl_dh":"0","exthdr_dupl_ah":"0","exthdr_dupl_eh":"0","exthdr_invalid_optlen":"0","wrong_ip_version":"0","exthdr_ah_res_not_null":"0","hopopts_unknown_opt":"0","hopopts_only_padding":"0","dstopts_unknown_opt":"0","dstopts_only_padding":"0","rh_type_0":"0","zero_len_padn":"0","fh_non_zero_reserved_field":"0","data_after_none_header":"0","unknown_next_header":"0","icmpv4":"0","frag_pkt_too_large":"0","frag_overlap":"0","frag_invalid_length":"0","frag_ignored":"0","ipv4_in_ipv6_too_small":"0","ipv4_in_ipv6_wrong_version":"0","ipv6_in_ipv6_too_small":"0","ipv6_in_ipv6_wrong_version":"0"},"tcp":{"pkt_too_small":"0","hlen_too_small":"0","invalid_optlen":"0","opt_invalid_len":"0","opt_duplicate":"0"},"udp":{"pkt_too_small":"0","hlen_too_small":"0","hlen_invalid":"0"},"sll":{"pkt_too_small":"0"},"ethernet":{"pkt_too_small":"0"},"ppp":{"pkt_too_small":"0","vju_pkt_too_small":"0","ip4_pkt_too_small":"0","ip6_pkt_too_small":"0","wrong_type":"0","unsup_proto":"0"},"pppoe":{"pkt_too_small":"0","wrong_code":"0","malformed_tags":"0"},"gre":{"pkt_too_small":"0","wrong_version":"0","version0_recur":"0","version0_flags":"0","version0_hdr_too_big":"0","version0_malformed_sre_hdr":"0","version1_chksum":"0","version1_route":"0","version1_ssr":"0","version1_recur":"0","version1_flags":"0","version1_no_key":"0","version1_wrong_protocol":"0","version1_malformed_sre_hdr":"0","version1_hdr_too_big":"0"},"vlan":{"header_too_small":"0","unknown_type":"0","too_many_layers":"0"},"ieee8021ah":{"header_too_small":"0"},"vntag":{"header_too_small":"0","unknown_type":"0"},"ipraw":{"invalid_ip_version":"0"},"ltnull":{"pkt_too_small":"0","unsupported_type":"0"},"sctp":{"pkt_too_small":"0"},"mpls":{"header_too_small":"0","pkt_too_small":"0","bad_label_router_alert":"0","bad_label_implicit_null":"0","bad_label_reserved":"0","unknown_payload_type":"0"},"vxlan":{"unknown_payload_type":"0"},"geneve":{"unknown_payload_type":"0"},"erspan":{"header_too_small":"0","unsupported_version":"0","too_many_vlan_layers":"0"},"dce":{"pkt_too_small":"0"},"chdlc":{"pkt_too_small":"0"}},"too_many_layers":"0"},"flow":{"memcap":"0","tcp":"12","udp":"27","icmpv4":"0","icmpv6":"0","tcp_reuse":"0","get_used":"0","get_used_eval":"0","get_used_eval_reject":"0","get_used_eval_busy":"0","get_used_failed":"0","wrk":{"spare_sync_avg":"100","spare_sync":"3","spare_sync_incomplete":"0","spare_sync_empty":"0","flows_evicted_needs_work":"0","flows_evicted_pkt_inject":"0","flows_evicted":"0","flows_injected":"0"},"mgr":{"full_hash_pass":"1","closed_pruned":"0","new_pruned":"0","est_pruned":"0","bypassed_pruned":"0","rows_maxlen":"1","flows_checked":"4","flows_notimeout":"4","flows_timeout":"0","flows_timeout_inuse":"0","flows_evicted":"0","flows_evicted_needs_work":"0"},"spare":"9700","emerg_mode_entered":"0","emerg_mode_over":"0","memuse":"6834304"},"defrag":{"ipv4":{"fragments":"0","reassembled":"0","timeouts":"0"},"ipv6":{"fragments":"0","reassembled":"0","timeouts":"0"},"max_frag_hits":"0"},"flow_bypassed":{"local_pkts":"0","local_bytes":"0","local_capture_pkts":"0","local_capture_bytes":"0","closed":"0","pkts":"0","bytes":"0"},"tcp":{"sessions":"5","ssn_memcap_drop":"0","pseudo":"0","pseudo_failed":"0","invalid_checksum":"0","no_flow":"0","syn":"5","synack":"5","rst":"5","midstream_pickups":"0","pkt_on_wrong_thread":"0","segment_memcap_drop":"0","stream_depth_reached":"0","reassembly_gap":"0","overlap":"0","overlap_diff_data":"0","insert_data_normal_fail":"0","insert_data_overlap_fail":"0","insert_list_fail":"0","memuse":"1818624","reassembly_memuse":"299008"},"detect":{"engines":[{"id":0,"last_reload":"2022-08-29T13:28:12.179164+0300","rules_loaded":0,"rules_failed":0}],"alert":"0","alert_queue_overflow":"0","alerts_suppressed":"0"},"app_layer":{"flow":{"imap":"0","dns_tcp":"0","sip":"0","rfb":"0","mqtt":"0","rdp":"0","http2":"0","failed_tcp":"3","dns_udp":"13","failed_udp":"14"},"tx":{"imap":"0","dns_tcp":"0","sip":"0","rfb":"0","mqtt":"0","rdp":"0","http2":"0","dns_udp":"29"},"expectations":"0"},"http":{"memuse":"0","memcap":"0"},"ftp":{"memuse":"0","memcap":"0"},"file_store":{"open_files":"0"}}},"location":"/home/workspace/eve.json"}

Let me know if this works for you.
Regards!
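Why the DNS events decode fine yet never appear in alerts.json, while the STATS rule fires, comes down to the rule level. The following is an added example, not part of this thread and not Wazuh's own rule engine: it is a simplified model of the rule tree for the three rules under discussion. The body of parent rule 86600 is not shown on the page, so it is assumed here to accept any json-decoded event carrying an event_type field; Python's re stands in for Wazuh's OS_Regex (the ^ and $ anchors in the two child rules behave the same); and the alert threshold is Wazuh's default log_alert_level of 3. The sample events are constructed.

```python
import re

# Simplified model of the Wazuh rule tree for the Suricata rules in this
# thread. Rule 86600 is the parent the two child rules hang off via <if_sid>;
# its body is not on the page, so it is ASSUMED here to match any json-decoded
# event that carries an event_type field.
RULES = [
    {"id": "86600", "level": 0, "if_sid": None,
     "fields": {"event_type": r".+"}, "description": "Suricata messages."},
    {"id": "86603", "level": 0, "if_sid": "86600",
     "fields": {"event_type": r"^dns$"}, "description": "Suricata: DNS."},
    {"id": "86605", "level": 3, "if_sid": "86600",
     "fields": {"event_type": r"^stats$"}, "description": "Suricata: STATS."},
]

# Wazuh's default <log_alert_level> is 3: a matched rule below this level is
# not written to alerts.json, so a level-0 rule never shows on the dashboard.
LOG_ALERT_LEVEL = 3


def fields_match(rule, data):
    """Every <field name=...> pattern of the rule must match the decoded
    field. Python re stands in for Wazuh's OS_Regex here."""
    return all(re.search(pattern, str(data.get(name, "")))
               for name, pattern in rule["fields"].items())


def evaluate(rules, data):
    """Walk the rules in file order, descending the if_sid tree the way the
    manager does; the last rule reached is the one that gets reported.
    Simplification: once a top-level rule matched, no other top-level rule
    is tried."""
    matched = None
    for rule in rules:
        if rule["if_sid"] is None:
            parent_ok = matched is None
        else:
            parent_ok = matched is not None and matched["id"] == rule["if_sid"]
        if parent_ok and fields_match(rule, data):
            matched = rule
    return matched


def would_alert(rule, threshold=LOG_ALERT_LEVEL):
    """True when the matched rule is high enough to land in alerts.json."""
    return rule is not None and rule["level"] >= threshold


def with_level(rules, rule_id, level):
    """Copy of the rule set with one rule's level changed: the edit suggested
    for 86603. In a real deployment the copy with the new level belongs in
    /var/ossec/etc/rules/local_rules.xml (with overwrite="yes"), not in the
    stock 0475-suricata_rules.xml, which an upgrade reverts."""
    return [dict(r, level=level) if r["id"] == rule_id else r for r in rules]


def explain(rules, data):
    """One-line verdict for an event: which rule it reached and whether it alerts."""
    rule = evaluate(rules, data)
    if rule is None:
        return "no rule matched"
    verdict = "alert" if would_alert(rule) else "silent (below log_alert_level)"
    return f'rule {rule["id"]} level {rule["level"]} "{rule["description"]}": {verdict}'


# Constructed decoded events: the "data" part the json decoder produces for a
# Suricata dns record, a stats record, and something that is not Suricata.
SAMPLE_EVENTS = [
    {"timestamp": "2022-08-29T13:28:12.179164+0300", "event_type": "dns",
     "dns": {"type": "query", "rrname": "example.com"}},
    {"timestamp": "2022-08-29T13:28:12.179164+0300", "event_type": "stats",
     "stats": {"uptime": "73"}},
    {"message": "not a Suricata record"},
]

if __name__ == "__main__":
    for event in SAMPLE_EVENTS:
        print(explain(RULES, event))
    print("after raising 86603 to level 3:",
          explain(with_level(RULES, "86603", 3), SAMPLE_EVENTS[0]))
```

Run as is, the dns event reaches rule 86603 and stays silent, the stats event reaches 86605 and alerts, and the third event matches nothing; raising 86603 to level 3 turns the dns verdict into an alert, which is exactly the change proposed above.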

istecenter staj

Sep 5, 2022, 7:21:41 AM
to Christian Borla, Wazuh mailing list
Hi,
Sorry for my late reply.
Sorry, but I didn't try your rule for Suricata yet. But I realized that my eve.json file has not been updated for a few days, even though I didn't change anything in Suricata.
How can I fix this?
Regards

Christian Borla

Sep 5, 2022, 9:33:51 AM
to Wazuh mailing list
Hi!
The localfile feature collects new log lines from the eve.json file; each line should be a new event.
I think your agent ossec.conf configuration is right:

  <localfile>
    <log_format>json</log_format>
    <location>WINDOWS_PATH/eve.json</location>
  </localfile>

Also, you can manually open eve.json, paste a new log line, and you will find it in /var/ossec/logs/archives/archives.json.

Regarding the Suricata problem, I have been looking through some Suricata documentation to find out why it doesn't update the eve.json file. I'm not sure about Suricata, but maybe you can check this link.
Let me know if this is useful to you.
Regards.