Windows Firewall


andrzej oto

Oct 14, 2022, 6:52:12 AM
to Wazuh mailing list
Hi,
I am trying to monitor the firewall status in Windows 10. I get an alert when rules are added and deleted;

however, enabling/disabling the firewall does not generate a notification.

<localfile>
  <location>Microsoft-Windows-Windows Firewall With Advanced Security/Firewall</location>
  <log_format>eventchannel</log_format>
</localfile>
is configured in ossec.conf on the workstation.

Wazuh server v4.3.8
Wazuh agent v4.3.8

Why did the firewall state change not generate an alert?


Octavio Valle López

Oct 17, 2022, 1:14:40 AM
to Wazuh mailing list
Hi, I hope you are well!

Could you tell me how you see the alerts when you add or delete rules?

Do you have rules 67004 and 67005 active?

How are you disabling and re-enabling the firewall?

Why did you remove the "query" tag from your config?

Can you see the "2003" ID events in the event viewer?

I just tried it and with this and the default rules configuration it works for me:
<ossec_config>
  <localfile>
    <location>Microsoft-Windows-Windows Firewall With Advanced Security/Firewall</location>
    <log_format>eventchannel</log_format>
    <query>Event/System[EventID \>= 2003 and EventID \<= 2006]</query>
  </localfile>
</ossec_config>

andrzej oto

Oct 17, 2022, 3:36:29 AM
to Wazuh mailing list
Hi,

1. Wazuh rule IDs 67006 and 67007.
2. Yes, this is the default rule.
3. Control Panel\All Control Panel Items\Windows Defender Firewall
4. I've tried different configurations.
5. Yes, I see Event ID 2003.

My first attempts were with <query>Event/System[EventID \>= 2003 and EventID \<= 2006]</query>;
I also did not receive any information about enabling and disabling the firewall.

Octavio Valle López

Oct 24, 2022, 2:35:08 AM
to Wazuh mailing list
Hi, I hope you are well!

I see that the source language of your data is Polish (based on the keyword "nie" in your event log), but when I analyze how the rule works, the value is identified through a regex looking for "Yes" or "No", which is English.

Please modify or add some custom rules for your language to be able to identify the value based on its localization.

Note that you will need to adapt this for each of the different languages you receive information from.

These are the rules on which it should be based, or what you need to modify:

https://github.com/wazuh/wazuh-ruleset/blob/b26f7f5b75aab78ff54fc797e745c8bdb6c23017/rules/0602-win-wfirewall_rules.xml#L43
https://github.com/wazuh/wazuh-ruleset/blob/b26f7f5b75aab78ff54fc797e745c8bdb6c23017/rules/0602-win-wfirewall_rules.xml#L55
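As an added illustration of the localized custom rules suggested above (this is not from the thread or from the Wazuh ruleset), here is what a local_rules.xml override for Polish-language agents could look like. It assumes that rule 60000 is the base rule for windows_eventchannel events, that the decoded field is win.eventdata.settingValueString, and that the Polish UI writes "Tak"/"Nie" where English writes "Yes"/"No"; check all three against the linked ruleset file and your own Event Viewer output before deploying.

```xml
<!-- Added example: Polish-locale overrides for the Windows Firewall
     state rules. Put this in /var/ossec/etc/rules/local_rules.xml on the
     manager and restart wazuh-manager.
     ASSUMPTIONS (verify before use):
       - rule 60000 is the base rule matched by windows_eventchannel events
       - Event 2003 carries the new value in win.eventdata.settingValueString
       - the Polish event text uses "Tak" / "Nie" (casing as in Event Viewer) -->
<group name="windows,windows_firewall,local,">

  <!-- Firewall enabled: value is "Tak" instead of "Yes".
       Rule ids 100200+ are in the range reserved for custom rules. -->
  <rule id="100200" level="5">
    <if_sid>60000</if_sid>
    <field name="win.system.providerName">^Microsoft-Windows-Windows Firewall With Advanced Security$</field>
    <field name="win.system.eventID">^2003$</field>
    <field name="win.eventdata.settingValueString">^Tak$|^tak$</field>
    <description>Windows Firewall enabled (Polish locale)</description>
  </rule>

  <!-- Firewall disabled: value is "Nie" instead of "No". Higher level,
       since a firewall being switched off is the case worth escalating. -->
  <rule id="100201" level="8">
    <if_sid>60000</if_sid>
    <field name="win.system.providerName">^Microsoft-Windows-Windows Firewall With Advanced Security$</field>
    <field name="win.system.eventID">^2003$</field>
    <field name="win.eventdata.settingValueString">^Nie$|^nie$</field>
    <description>Windows Firewall disabled (Polish locale)</description>
    <mitre>
      <id>T1562.004</id>
    </mitre>
  </rule>

</group>
```

Both casings are listed because Wazuh field regexes are case-sensitive by default; add one such pair per locale you receive events from.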

andrzej oto

Oct 25, 2022, 4:18:42 AM
to Octavio Valle López, Wazuh mailing list
Hi,

Thanks for your help, everything works.
I found a similar situation in the SCA rules;
are there good practices for non-English versions of systems?

