OSSEC Sysmon Rule - High Rate of False Positives


Alessandro Di Giuseppe

May 12, 2016, 6:26:16 PM
to Wazuh mailing list
Hi all,

I've installed Sysinternals Sysmon 3.21 on Windows Server 2012 R2 ("Log network connections" enabled), and enabled the OSSEC agent (v2.8/Wazuh 1.1.1) to monitor the "Microsoft-Windows-Sysmon/Operational" event logs by adding this bit of configuration in the agent.conf file:

<agent_config os="Windows">
  <localfile>
     <location>Microsoft-Windows-Sysmon/Operational</location>
     <log_format>eventchannel</log_format>
  </localfile>
</agent_config>

Sysmon events are now being received by the OSSEC manager; however, the number of false positive alerts is staggering - one to two thousand per hour.

Example below:

Rule: Sysmon - Suspicious Process - svchost.exe
User: NT AUTHORITY\LOCAL SERVICE
2016 May 12 17:59:24 WinEvtLog: Microsoft-Windows-Sysmon/Operational: INFORMATION(3): Microsoft-Windows-Sysmon: SYSTEM: NT AUTHORITY: dc1.anonymous.local: Network connection detected: UtcTime: 2016-05-12 21:59:21.980 ProcessGuid: {4F69E393-C8F7-5733-0000-0010B4290100} ProcessId: 412 Image: C:\Windows\System32\svchost.exe User: NT AUTHORITY\LOCAL SERVICE Protocol: udp Initiated: true SourceIsIpv6: false SourceIp: 10.10.10.10 SourceHostname: dc1.anonymous.local SourcePort: 123 SourcePortName: ntp DestinationIsIpv6: false DestinationIp: 199.182.221.110 DestinationHostname: zero.gotroot.ca DestinationPort: 123 DestinationPortName: ntp

The above is simply the Windows time service synchronizing time with a public NTP server; hundreds of other normal/benign Windows processes are being alerted in a similar fashion. Surprisingly, when I launch a browser and connect to a bunch of random web sites, this is not flagged by the sysmon rule, despite being logged locally as a sysmon event.

Anyone else have any experience with the Sysmon decoder/rules who can offer some guidance?

Thanks,

Alessandro

Santiago Bassett

May 12, 2016, 7:29:32 PM
to Alessandro Di Giuseppe, Wazuh mailing list
This is the decoder for the sysmon event:


And this is the rule triggering the alert:


It seems that every event containing the string "svchost.exe" in the "Image" field will trigger this alert. I think that is too generic, and that is why you get so many alerts. The decoder is also capturing many other fields like "DestinationPort". You should be able to modify the rule not to alert if it is "123". Try doing an overwrite in local_rules.xml.

On the other hand, if this happens for a lot of different services I would recommend overwriting the rule with level 0, so it doesn't alert anymore.

I hope it helps,

Santiago.


Alessandro Di Giuseppe

May 13, 2016, 7:18:19 AM
to Wazuh mailing list
Thanks, Santiago.

Makes sense... am just surprised no one else has raised this concern. I guess not a popular decoder yet, and those that do use it have already done this tuning themselves.

I'll experiment with tuning the rule for myself. What's the best way to contribute my tweaked rules to the community?

Alessandro

Josh Brower

May 13, 2016, 5:07:58 PM
to Wazuh mailing list
This rule is tied to rule 184667 - basically it states that if the parent image of svchost.exe is not \services.exe, then fire an alert. (This would be a legitimate process anomaly)

Originally I wrote this rule for Sysmon EventID 1 - Process Creation, which includes the Parent Image information... Since EventID 3 - Network Connection does not include the Parent Image, that would be why you are seeing the FP.

In short, it is a valid rule, but only for Sysmon EventID 1 logs.

-Josh

Jesus Linares

May 16, 2016, 3:13:22 AM
to Wazuh mailing list
You are right Josh, when I added the new decoders I didn't realise that they could launch these FPs. The sysmon rules were created for Sysmon EventID 1 logs, so I have added a new rule that only launches sysmon alerts for that event. It is necessary to create rules for the new events, but at least the decoders are already created.

New sysmon rules: sysmon_rules.xml. See changes.


Regards.
Jesus Linares.
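For readers who want to apply the tuning discussed in this thread locally rather than wait for the updated ruleset, here is an added local_rules.xml fragment (an illustration written for this page, not from the Wazuh ruleset or any of the posters). It assumes: SVCHOST_RULE_ID is a placeholder for the id of the "Sysmon - Suspicious Process - svchost.exe" rule, which the thread does not give; rule ids 100100/100101 are made up; sysmon.destinationPort is an assumed name for the DestinationPort field the decoder extracts; and the event id (the "3" in "INFORMATION(3)") is the id field decoded by the stock windows decoder.

```xml
<group name="local,sysmon,">

  <!-- Both rules are children of the noisy svchost.exe rule. OSSEC/Wazuh
       evaluates children after the parent matches and a matching child
       replaces the parent's level, so a level-0 child silences the alert
       for the case it describes without editing the shipped ruleset.
       SVCHOST_RULE_ID: placeholder, replace with the real rule id. -->

  <!-- 1. Santiago's suggestion: keep the rule, but do not alert on the
          Windows time service talking NTP (destination port 123).
          sysmon.destinationPort is an assumed decoder field name. -->
  <rule id="100100" level="0">
    <if_sid>SVCHOST_RULE_ID</if_sid>
    <field name="sysmon.destinationPort">^123$</field>
    <description>Sysmon - svchost.exe NTP sync, expected traffic</description>
  </rule>

  <!-- 2. Josh's and Jesus's point: the parent-image check only makes
          sense for EventID 1 (Process Create). EventID 3 (Network
          connection) never carries ParentImage, so silence it there. -->
  <rule id="100101" level="0">
    <if_sid>SVCHOST_RULE_ID</if_sid>
    <id>^3$</id>
    <description>Sysmon - svchost.exe rule not applicable to EventID 3</description>
  </rule>

</group>
```

After restarting the manager, paste the network-connection event from the first post into ossec-logtest and confirm that the level-0 rule is the final match before trusting the change.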