Howto mail/alert for specific package/service


valombre.d Delanhuyi

May 25, 2023, 5:27:58 AM
to Wazuh mailing list
Hi,
I would like to have a simple way to generate an alert (or report) mail for specific services, not a specific CVE, as I don't know them before they are published.
For example, I want to be alerted for all Apache and SSH related vulnerabilities for my agents.

I already use the daily report with level 12+ alerts, but I would like to receive those specific Apache and SSH vulnerabilities by mail.

Thanks for a detailed method/procedure to achieve this.

Regards.

Anthony Faruna

May 25, 2023, 7:47:49 AM
to valombre.d Delanhuyi, Wazuh mailing list
Hello Valombre

Thank you for using Wazuh.

You can create custom rules to trigger specific alerts based on your requirements.

You can check our documentation on how to define custom rules and decoders.

Also, the blog post on Detecting Apache Text4shell (CVE-2022-42889) with Wazuh gives a detailed explanation of how to create rules to detect specific vulnerabilities.

Based on the custom rules created, you can follow this documentation to send email alerts to you.

For example, if you define a custom rule with rule ID 100301, you can define the email alert like this:
<email_alerts>
  <email_to>y...@example.com</email_to>
  <rule_id>100301</rule_id>
  <do_not_delay />
</email_alerts>
Best Regards

--
You received this message because you are subscribed to the Google Groups "Wazuh mailing list" group.
To unsubscribe from this group and stop receiving emails from it, send an email to wazuh+un...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/wazuh/b4f40e3c-e8bf-41dd-8c64-25af993c3a94n%40googlegroups.com.

valombre.d Delanhuyi

May 25, 2023, 8:24:57 AM
to Wazuh mailing list
Hello Anthony,
Thanks for your answer. I understand the concept, but the problem is the creation of the rule to obtain the list of agents with CVEs whose numbers I don't know.
In fact I need to use a kind of regular expression or wildcard concerning Apache and SSH in general, based on the package name, like: apache* and ssh*
I tried to understand how to do part of this using a visualisation and data.vulnerability.package.name = apache*, but it doesn't work at all; wildcards are not allowed.
Maybe you have a solution to create a rule to achieve this?

Thanks in advance,
Regards

Anthony Faruna

May 25, 2023, 8:55:02 AM
to valombre.d Delanhuyi, Wazuh mailing list
Hello Valombre

Please can you share two sample Apache vulnerability alerts you have received?

Best regards

valombre.d Delanhuyi

May 25, 2023, 10:55:53 AM
to Wazuh mailing list
Anthony,
I have CVE-2023-27522 and CVE-2022-37436, for example, but I don't want to be mailed/alerted on those existing CVE numbers because they exist now; I want to be alerted when new CVEs related to Apache/SSH are imported/active in Wazuh for my agents.
The goal is to be sure that, in case of a CVE alert on these packages/services (Apache and SSH globally) concerning my agents, I get an alert mail from Wazuh (not a daily/weekly global report with a lot of different alerts in it).
I'm registered on an external service (https://www.opencve.io/) to be notified in case of new CVEs related to apache/apache2 and ssh/openssh, but I would prefer to have a real alert from Wazuh for those specific services if a new CVE appears/is active for my machines/agents.
For my tests => screenshot of the visualization for apache; apache* is not possible.
Regards,

(attached screenshot: wazuh-data-vulnerability-package-name-apache.png)

Anthony Faruna

May 25, 2023, 1:49:59 PM
to valombre.d Delanhuyi, Wazuh mailing list
Hello Valombre

It's actually not possible based on your current requirements, except, as I stated before, if you create a custom rule based on a regular expression to match generic Apache fields.

Then, based on those rules, you can use the rule IDs within the email alerts.

Please let me know if you have further queries.

Best Regards

valombre.d Delanhuyi

May 26, 2023, 5:59:10 AM
to Wazuh mailing list
Hello Anthony,
"you create a custom rule based on a regular expression to match generic apache fields"
It's exactly my problem: I need help creating a working rule. I don't know what field/value/component to use to achieve that, and the syntax is still kind of obscure for me.
A syntax/example, or better the rule itself, would be nice.
From that I will test it and add other regular expressions, etc.
Thanks for your help.

Regards.

Anthony Faruna

May 26, 2023, 7:09:08 AM
to valombre.d Delanhuyi, Wazuh mailing list
Hello Valombre

Please provide a sample Apache vulnerability JSON log so I can assist you with creating the rule.

I will be expecting your feedback.

valombre.d Delanhuyi

May 26, 2023, 8:29:40 AM
to Wazuh mailing list
And I don't understand what kind of information you're talking about; we were talking about a regex based on the package name in your database, data.vulnerability.package.name, with possible values apache*, ssh*, openssh*, for example.
If that's not what you need, could you explain where I could find/extract from Wazuh "a sample Apache vulnerability JSON log" corresponding to the regex?
Regards


valombre.d Delanhuyi

May 26, 2023, 9:19:01 AM
to Wazuh mailing list
Maybe it's from /var/ossec/logs/alerts/; I found and extracted that from a recent (March 2023) Apache CVE detected on one of my servers/agents => CVE-2023-2752. Maybe it's what you need?
Regards
(attached: ossec-alerts-07_CVE-2023-2752_agent_serveur01.json)

Anthony Faruna

May 26, 2023, 10:13:12 AM
to valombre.d Delanhuyi, Wazuh mailing list
Hello Valombre

My sincere apologies for the delay in response.

Yes, exactly, you can share the log from /var/ossec/logs/alerts/ for the one you saw in March.

Best Regards


valombre.d Delanhuyi

Jun 2, 2023, 10:06:22 AM
to Wazuh mailing list
Hi Anthony,
I just wanted to check whether the log I gave you is enough, or whether you need other logs/traces/etc.?
Regards

Anthony Faruna

Jun 2, 2023, 10:52:00 AM
to valombre.d Delanhuyi, Wazuh mailing list
Hello @valombre.d Delanhuyi

My sincere apologies, as I did not notice you attached the JSON log in your email and was expecting your reply after my last email.

Based on the log you shared with me, you can create a sample custom rule like this:

<rule id="100222" level="9">
  <if_sid>23504</if_sid>
  <options>no_full_log</options>
  <field name="vulnerability.package.name">apache</field>
  <description>$(vulnerability.cve) affects $(vulnerability.package.name)</description>
</rule>

Note that this rule will trigger on vulnerabilities with a medium severity level. You might need to create similar rules for 23503, 23505, and 23506 for low, high, and critical, respectively.

Best Regards
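The two replies above give one granular email_alerts block (rule 100301) and one rule that matches the literal value apache under the medium-severity parent rule 23504. The following is an added example, not code from the thread or from Wazuh's own ruleset, that covers the regex-by-package-name requirement from the original question in a single rule for all four severities and wires it to mail. The parent rule IDs 23503-23506 and the field name vulnerability.package.name come from the thread; the file paths, the rule IDs 100300 and 100301, the levels, the regex, the vulnerability.severity field match and the address soc@example.com are assumptions.

```xml
<!-- Added example, not from the thread or from Wazuh's ruleset.
     File 1 (assumed path): /var/ossec/etc/rules/local_rules.xml
     Parent rule IDs come from the thread: 23503 low, 23504 medium,
     23505 high, 23506 critical. Rule IDs 100300/100301, levels and
     the regex are assumptions. -->
<group name="vulnerability-detector,local,">

  <!-- One rule for any severity: the package name begins with apache,
       httpd, ssh or openssh (case-insensitive), so apache2,
       openssh-server and httpd-tools are all covered without knowing
       the CVE number in advance. type="pcre2" is needed because the
       default osregex syntax does not support (?i) or (?:...). -->
  <rule id="100300" level="10">
    <if_sid>23503,23504,23505,23506</if_sid>
    <field name="vulnerability.package.name" type="pcre2">(?i)^(?:apache|httpd|openssh|ssh)</field>
    <options>no_full_log</options>
    <description>$(vulnerability.cve) affects $(vulnerability.package.name) ($(vulnerability.severity))</description>
  </rule>

  <!-- Child rule: raise the level for High/Critical findings so they
       also reach the existing level 12+ daily report. The severity
       values are assumed to match the vulnerability.severity field
       of the alert JSON. -->
  <rule id="100301" level="12">
    <if_sid>100300</if_sid>
    <field name="vulnerability.severity" type="pcre2">^(?:High|Critical)$</field>
    <description>$(vulnerability.cve) is $(vulnerability.severity) for $(vulnerability.package.name)</description>
  </rule>
</group>

<!-- File 2: /var/ossec/etc/ossec.conf, inside the top-level
     <ossec_config>. One granular email block per rule ID, in the
     same shape as the earlier reply in this thread. -->
<email_alerts>
  <email_to>soc@example.com</email_to>
  <rule_id>100300</rule_id>
  <do_not_delay />
</email_alerts>
<email_alerts>
  <email_to>soc@example.com</email_to>
  <rule_id>100301</rule_id>
  <do_not_delay />
</email_alerts>
```

Before restarting the manager, feed the attached alert's JSON line to /var/ossec/bin/wazuh-logtest and check that rule 100300 (and 100301 for a High or Critical entry) is the one that fires; a non-matching package name such as bash should stop at the built-in 2350x rule. Email notification must be enabled globally, and the rule level should not be below the <email_alert_level> under <alerts>, which maild checks before the granular blocks; the email_to address is a placeholder.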

valombre.d Delanhuyi

Jun 2, 2023, 10:55:18 AM
to Wazuh mailing list
Thanks for your help Anthony, I'll check/test that and tell you about the results.
Regards
