Problems with a custom rule


Jeremy Utley

Nov 6, 2024, 12:48:00 PM
to Wazuh | Mailing List
We are currently trying to use Wazuh to analyze web logs coming from Cloudflare.

Cloudflare writes the logs to a S3 bucket, which Wazuh then reads using the "subscriber bucket" feature, and parses using the JSONLines parser. This is currently working well, and we have set up a few custom events corresponding to different types of traffic blocked by them:


Rule: 100322 - Cloudflare WAF block
Rule: 100327 - Zone Lockdown block
Rule: 100328 - Rate Limiting block
Rule: 100329 - Browser Integrity Check block


These are also working quite well, we can see the events in the Discover pane of the Wazuh Dashboard.


Now, we are trying to create a new rule so that repeated blocks from the same IP address over a period of time generate a different, higher-level event. We have set the rule as follows:


<rule id="100332" level="10" frequency="200" timeframe="3600" ignore="3600">
    <if_matched_sid>100322,100327,100328,100329</if_matched_sid>
    <description>Cloudflare source IP address blocked 200 times in last hour.</description>
    <same_field>aws.ClientIP</same_field>
    <group>cloudflare,</group>
</rule>


By my understanding of the rules syntax, this should mean that if we get 200 events matching any of those 4 rules within 1 hour (3600 sec), and the field "aws.ClientIP" is identical (same origin IP), it should generate a Level 10 event and ignore further triggers for that IP for 1 hour before generating another event.


However, this rule is not working as expected. I tested this by triggering the 100327 rule 500 times in a very short period of time (5 minutes). I can see all 500 events of the 100327 rule, but can never see an event for 100332.


For reference, below is the full log JSON data for the 100327 event, just to show the JSON syntax of the log:

{"integration": "aws", "aws": {"log_info": {"log_file": "trustcharge.net/20241106/20241106T160944Z_20241106T161046Z_f5c58577.jsonl.gz", "s3bucket": "trustcharge-cloudflare-logs"}, "ClientIP": "138.197.135.83", "ClientRequestHost": "reports.trustcharge.net", "ClientRequestMethod": "GET", "ClientRequestURI": "/", "EdgeEndTimestamp": 1730909325, "EdgeResponseBytes": 503, "EdgeResponseStatus": 403, "EdgeStartTimestamp": 1730909325, "RayID": "8de6581419a8a1f0", "CacheCacheStatus": "unknown", "CacheResponseBytes": 0, "CacheResponseStatus": 0, "CacheTieredFill": false, "ClientASN": 14061, "ClientCountry": "ca", "ClientDeviceType": "desktop", "ClientIPClass": "noRecord", "ClientRequestBytes": 2557, "ClientRequestPath": "/", "ClientRequestProtocol": "HTTP/1.1", "ClientRequestReferer": "", "ClientRequestUserAgent": "curl/7.29.0", "ClientSSLCipher": "ECDHE-ECDSA-AES128-GCM-SHA256", "ClientSSLProtocol": "TLSv1.2", "ClientSrcPort": 48922, "EdgeColoCode": "YYZ", "EdgeColoID": 29, "EdgePathingOp": "ban", "EdgePathingSrc": "user", "EdgePathingStatus": "zl", "EdgeRateLimitAction": "", "EdgeRateLimitID": 0, "EdgeRequestHost": "", "EdgeResponseCompressionRatio": 1, "EdgeResponseContentType": "text/plain; charset=UTF-8", "EdgeServerIP": "", "FirewallMatchesActions": ["block"], "FirewallMatchesRuleIDs": ["98638a893f524df6b9f772ac729845cc"], "FirewallMatchesSources": ["zoneLockdown"], "OriginIP": "", "OriginResponseBytes": 0, "OriginResponseHTTPExpires": "", "OriginResponseHTTPLastModified": "", "OriginResponseStatus": 0, "OriginResponseTime": 0, "OriginSSLProtocol": "unknown", "ParentRayID": "00", "SecurityLevel": "unk", "WAFAction": "unknown", "WAFFlags": "0", "WAFMatchedVar": "", "WAFProfile": "unknown", "WAFRuleID": "", "WAFRuleMessage": "", "WorkerCPUTime": 0, "WorkerStatus": "unknown", "WorkerSubrequest": false, "WorkerSubrequestCount": 0, "ZoneID": 102112315}}


Hope someone can help, as I can't figure out what I have wrong here!


Jeremy

Gastón Palomeque

Nov 7, 2024, 7:48:15 AM
to Wazuh | Mailing List
Hello Jeremy,
 
Your understanding is correct. The only issue I see is that the field if_matched_sid only takes one ID and not a list like if_sid. Could you perform the same test but specifying just the 100327 ID to see if it works?

To work around this limitation and trigger the rule on any of the other rules instead of just one, you could try using if_matched_group and id to replace if_matched_sid:

<if_matched_group>cloudflare</if_matched_group>
<id>100322|100327|100328|100329</id>


Regards,

Gastón Palomeque

Jeremy Utley

Nov 7, 2024, 10:59:23 AM
to Wazuh | Mailing List
That did it, thank you Gaston! I changed your workaround idea a little bit: for the 4 rules in question, I added a separate group designation (cloudflare_block), and then for my time-based rule, I simply did an if_matched_group against that group name.

Again, many thanks for the fast help!

Jeremy Utley
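The arrangement Jeremy describes, written out as one complete local_rules.xml fragment. This is an added example, not the rules from the thread or from the Wazuh ruleset: the match conditions inside the four per-event rules are assumptions for illustration (only the zone lockdown log is shown above, so the FirewallMatchesSources values for the other three and the parent rule 80200 should be checked against your own ruleset and logs). What it demonstrates is the part the thread settled on: every per-event rule carries an extra group, and the correlation rule chains on that group with if_matched_group instead of listing IDs in if_matched_sid, which accepts a single ID.

```xml
<!-- /var/ossec/etc/rules/local_rules.xml (added example, not from the thread) -->
<group name="cloudflare,">

  <!-- Per-event block rules. Each one adds the group cloudflare_block so a
       single if_matched_group can count all four. The <field> values are
       matched as regexes against the decoded log; the zoneLockdown value is
       taken from the sample log above, the other three are ASSUMED names
       that must be confirmed against real Cloudflare events. The parent
       rule 80200 is ASSUMED to be the stock "AWS alert" rule. -->
  <rule id="100322" level="5">
    <if_sid>80200</if_sid>
    <field name="aws.FirewallMatchesSources">waf</field>
    <description>Cloudflare WAF block</description>
    <group>cloudflare_block,</group>
  </rule>

  <rule id="100327" level="5">
    <if_sid>80200</if_sid>
    <field name="aws.FirewallMatchesSources">zoneLockdown</field>
    <description>Zone Lockdown block</description>
    <group>cloudflare_block,</group>
  </rule>

  <rule id="100328" level="5">
    <if_sid>80200</if_sid>
    <field name="aws.FirewallMatchesSources">rateLimit</field>
    <description>Rate Limiting block</description>
    <group>cloudflare_block,</group>
  </rule>

  <rule id="100329" level="5">
    <if_sid>80200</if_sid>
    <field name="aws.FirewallMatchesSources">bic</field>
    <description>Browser Integrity Check block</description>
    <group>cloudflare_block,</group>
  </rule>

  <!-- Correlation rule. Fires once when 200 alerts carrying the
       cloudflare_block group share the same aws.ClientIP inside 3600 s,
       then stays quiet for that IP for another 3600 s (ignore).
       It deliberately does NOT carry the cloudflare_block group itself,
       so only the four per-event rules feed the counter. -->
  <rule id="100332" level="10" frequency="200" timeframe="3600" ignore="3600">
    <if_matched_group>cloudflare_block</if_matched_group>
    <same_field>aws.ClientIP</same_field>
    <description>Cloudflare source IP address blocked 200 times in last hour.</description>
    <group>cloudflare_repeat_block,</group>
  </rule>

</group>
```

After editing the file, restart the manager so the ruleset is reloaded, then replay a burst of block events from one client IP and confirm that the level 5 alerts appear individually while a single level 10 alert for rule 100332 appears once the threshold is reached and does not repeat for that IP within the ignore window.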

Gastón Palomeque

Nov 7, 2024, 11:07:13 AM
to Jeremy Utley, Wazuh | Mailing List
That's a good way of solving the issue. I'm glad I could help you!

Have a great end of the week,

Gastón Palomeque



--
Gastón Palomeque
Software Engineer
Wazuh