Find rule ID 11 Wazuh 4.2


Zaho

Oct 28, 2021, 7:16:35 AM10/28/21
to Wazuh mailing list
Hello,
I have got rule ID 11 in my Wazuh. So, I would like to modify it in the Wazuh rules
(same as picture).
rule ID 11.JPG

But I don't find it in the rule list https://github.com/wazuh/wazuh-ruleset/tree/master/rules
Where can I find this rule to modify it?

Christian Borla

Oct 28, 2021, 11:32:00 AM10/28/21
to Wazuh mailing list

Hello Zaho
I hope you are doing fine!

I was looking for the same rule id and I can't find it. The rules that contain id 11 and level 4, as the sample picture shows, are the following:

/rules/0175-proftpd_rules.xml:

   <rule id="11208" level="4">
     <match>unable to find open port in PassivePorts range</match>

   <rule id="11211" level="4">
     <if_sid>11200</if_sid>
     <match>host name/name mismatch|host name/address mismatch</match>

   <rule id="11220" level="4">
     <if_sid>11200</if_sid>
     <match>listen() failed in</match>

   <rule id="11222" level="4">
     <if_sid>11200</if_sid>
     <match>unable to open incoming connection</match>

/rules/0190-ms_ftpd_rules.xml:

   <rule id="11504" level="4">
     <if_sid>11500</if_sid>
     <id>^5</id>

But they are different from yours.
Could you look into the /var/ossec/etc/rules/local_rules.xml file? Maybe it's a custom rule.

Also, you can enable the logall option to search for the alert in /var/ossec/logs/alerts/alerts.json. To enable archive.json logs, configure /var/ossec/etc/ossec.conf on the manager side.

<ossec_config>
  <global>
     <alerts_log>yes</alerts_log>
     <!-- logall writes every received event to the plain-text archives file -->
     <logall>yes</logall>
     <!-- logall_json writes the same events as JSON; set to yes to get the JSON archives file -->
     <logall_json>yes</logall_json>
  </global>
</ossec_config>

Let me know if you find it.
Regards.

Eric Martinez

Nov 5, 2021, 9:28:17 AM11/5/21
to Wazuh mailing list
Hi,
I have the same problem as Zaho. I couldn't find where this rule is located, to be able to modify it.

Pedro Nicolás Gomez

Nov 5, 2021, 1:00:46 PM11/5/21
to Wazuh mailing list

Hi emartinez73,

I agree with you, I did not find a rule with id "11".

I would need more information to try to reproduce this situation.

emartinez73, do you see the same alert as Zaho (id=11 and level=4)?

What version of wazuh manager are you using?

Could you share with me the full_log of the event that produces the alert? (Be careful to hide private information.)

Could you run wazuh-logtest, paste the full log of the event, and share the output with me? If it matches a custom decoder, could you share it with me?

Victor Diaz

Feb 25, 2022, 12:49:37 PM2/25/22
to Wazuh mailing list
Hello Pedro, nice to meet you.

I share with you the evidence about this event. The rule cannot be edited because it does not exist. I ran "wazuh-logtest" but I don't receive any information.

full_log   The average number of logs between 14:00 and 15:00 is 207557. We reached 518894.


Result of wazuh-logtest

Starting wazuh-logtest v4.1.5
Type one log per line

The average number of logs between 14:00 and 15:00 is 207557. We reached 518894.

**Phase 1: Completed pre-decoding.
        full event: 'The average number of logs between 14:00 and 15:00 is 207557. We reached 518894.'

**Phase 2: Completed decoding.
        No decoder matched.

Captura de pantalla 2022-02-25 134706.png

Rafael Nepomuceno

Aug 18, 2022, 11:14:05 AM8/18/22
to Wazuh mailing list
Has anyone come up with a resolution to this case? I'm having the same problem in the latest version of Wazuh when receiving logs from Cisco Umbrella.

Rafael Nepomuceno

Aug 18, 2022, 11:16:50 AM8/18/22
to Wazuh mailing list
Captura de tela 2022-08-18 121638.png

Mohamed ZAGHOUANI

Aug 31, 2022, 7:25:25 AM8/31/22
to Wazuh mailing list
Hello,

I also found the same rule ID in my environment using v4.3.4. It appears for different types of logs, it doesn't have a description (which is impossible in rule syntax), and finally it doesn't belong to the predefined ruleset nor to custom rules.

Do you please have any clarification about this strange behaviour?

Regards,

Mohamed Zaghouani

Juan Carlos Tello

Sep 8, 2022, 6:14:48 AM9/8/22
to Mohamed ZAGHOUANI, Wazuh mailing list
Hi,
This message is produced by the Check_Hour() function, which can be found here:
https://github.com/wazuh/wazuh/blob/v4.3.7/src/analysisd/stats.c#L229-L257
This part of the code has been there since the very beginning of OSSEC (17 years ago, long before being forked by Wazuh), as can be seen here: https://github.com/ossec/ossec-hids/blob/OSSEC_HIDS_0_3/src/analysisd/stats.c#L165

This function is called by w_process_event_thread ( https://github.com/wazuh/wazuh/blob/v4.3.7/src/analysisd/analysisd.c#L1964 ) and it verifies the average amount of events observed over the last 3 days at the same hour of the day. It will alert whenever the amount of events exceeds that average by 2.5 times.

This was a basic method to detect anomalies from the beginning of OSSEC, and it does not go through the analysis engine as other events do, which is why it triggers the non-existent level 4 rule ID 11, has no description (which has caused issues in the past: https://github.com/wazuh/wazuh/issues/4418 ), and all fields except for full_log are taken from the most recent event.

This alert by itself is not indicative of a larger issue with log collection or analysis, so if you're unable to receive other expected logs, it would be best to temporarily enable <logall_json> to verify whether the logs are correctly reaching the manager and whether they're triggering any rule below the alert threshold.

I hope this helps,
Best Regards,
Juan C. Tello
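The hourly-volume check Juan describes, together with a way to recognise the resulting alert when reading alerts.json, as an added example. This is not code from the thread and not Wazuh's analysisd source: the function names (hourly_average, check_hour, triage_alert), the integer averaging, the alerts.json field layout assumed by triage_alert and all sample data are assumptions; only the 2.5x factor, the 3-day window and the full_log wording come from the messages above.

```python
"""Added example, not code from this thread or from Wazuh's analysisd.

Models the hourly-volume check described above and shows how to recognise the
resulting alert in alerts.json. The helper names (check_hour, triage_alert), the
integer averaging and the constructed sample data are assumptions; only the
2.5x factor, the 3-day window and the full_log wording come from the thread.
"""
from __future__ import annotations

import json
import re
from typing import Optional

ANOMALY_FACTOR = 2.5  # "exceeds that average by 2.5 times" (from the thread)
HISTORY_DAYS = 3      # "the last 3 days at the same hour of the day" (from the thread)


def hourly_average(history: dict[int, list[int]], hour: int) -> int:
    """Integer average of event counts for `hour` over the last HISTORY_DAYS days.

    `history` maps hour-of-day -> list of daily counts, oldest first. Integer
    division is an assumption chosen to match the whole number in the quoted
    full_log; the real C code may round differently.
    """
    counts = history.get(hour, [])[-HISTORY_DAYS:]
    if not counts:
        return 0
    return sum(counts) // len(counts)


def check_hour(history: dict[int, list[int]], hour: int, current_count: int,
               factor: float = ANOMALY_FACTOR) -> Optional[str]:
    """Return the alert text when current_count exceeds factor * average, else None.

    The wording mirrors the full_log quoted by Victor. With no baseline yet
    (first days of operation) nothing can be compared, so no alert is produced.
    """
    avg = hourly_average(history, hour)
    if avg <= 0:
        return None
    if current_count > avg * factor:
        return (f"The average number of logs between {hour:02d}:00 and "
                f"{(hour + 1) % 24:02d}:00 is {avg}. We reached {current_count}.")
    return None


# Pattern for the message the stats check writes into full_log.
FULL_LOG_RE = re.compile(
    r"The average number of logs between (\d{2}):00 and (\d{2}):00 "
    r"is (\d+)\. We reached (\d+)\."
)


def triage_alert(alert_line: str) -> Optional[dict]:
    """Parse one alerts.json line; return details if it is the rule-11 volume alert.

    Assumes the alerts.json layout with a "rule" object carrying "id" and a
    top-level "full_log". Returns None for any other alert.
    """
    alert = json.loads(alert_line)
    if str(alert.get("rule", {}).get("id")) != "11":
        return None
    match = FULL_LOG_RE.search(alert.get("full_log", ""))
    if not match:
        return None
    start, _end, avg, reached = match.groups()
    avg_i, reached_i = int(avg), int(reached)
    return {
        "hour": int(start),
        "average": avg_i,
        "reached": reached_i,
        "ratio": round(reached_i / avg_i, 4),
        # Per the thread, every field other than full_log is copied from the
        # most recent event, so agent/location in this record do not identify
        # the source of the volume spike.
        "other_fields_reliable": False,
    }


# Constructed sample history: three previous days of counts for the 14:00 hour.
SAMPLE_HISTORY = {14: [200000, 210000, 212671]}  # integer mean: 207557

# Constructed alerts.json record mimicking the alert discussed in the thread.
SAMPLE_ALERT = json.dumps({
    "timestamp": "2022-02-25T14:37:06.000+0000",
    "rule": {"level": 4, "id": "11", "firedtimes": 1, "description": ""},
    "agent": {"id": "000", "name": "example-manager"},
    "full_log": "The average number of logs between 14:00 and 15:00 is 207557. "
                "We reached 518894.",
    "location": "/var/log/example.log",
})

if __name__ == "__main__":
    print(check_hour(SAMPLE_HISTORY, 14, 518894))
    print(triage_alert(SAMPLE_ALERT))
```

With the numbers quoted by Victor the threshold is 207557 x 2.5 = 518892.5, so 518894 is just over it, which is why that hour produced the message. The triage helper is the defender's side of the same logic: because the record never passes through the rule engine, the only field worth trusting is full_log, and the ratio it yields tells you how far the hour was over its baseline before you go looking at the archives for what actually spiked.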
