Network connection decoders for Sysmon rules


Blason R
Aug 11, 2019, 11:30:10 PM
to Wazuh mailing list
Hi Team,

It seems the existing Sysmon decoders do not have parsers for the network connections Sysmon is capturing, do they?

TIA,
Blason R

Juan Pablo Saez
Aug 12, 2019, 3:47:51 AM
to Wazuh mailing list
Hi and nice to talk to you again Blason.

How are you collecting the Sysmon events? I recommend using Eventchannel for this. You can read the How to collect Windows events with Wazuh document by my mate Cristina for a full explanation.

It seems the existing Sysmon decoders do not have parsers for the network connections Sysmon is capturing, do they?

Eventchannel's internal decoder should be enough to parse these Sysmon network connection events in the right way. In the current ruleset version, rule 61605 triggers on network connection events:
<rule id="61605" level="0">
  <if_sid>61600</if_sid>
  <field name="win.system.eventID">^3$</field>
  <description>Sysmon - Event 3: Network connection by $(win.eventdata.sourceImage)</description>
  <options>no_full_log</options>
  <group>sysmon_event3,</group>
</rule>


If you're referring to Sysmon 10's new features, such as DNS query logging, we are currently working on new rules to cover them. You can track our progress here. Anyway, our current Eventchannel decoder should be able to parse the Sysmon 10 logs too, so, in case you want to test these new rules before they are officially released, you can add them to your ruleset and test them in your lab environment.


If you provide some sample logs, we can help you tune your Wazuh manager to process them correctly. Throughout my entire reply I have spoken about Eventchannel. If you are collecting the logs through Eventlog or otherwise, please point it out and I will help you with the method you have chosen.


Best regards, Juan Pablo Sáez 

Blason R
Aug 12, 2019, 4:49:25 AM
to Juan Pablo Saez, Wazuh mailing list
Hello,

I am collecting through eventchannel only; however, what I see from your conversation is that I should not use Sysmon 10, as this might be causing an issue with the current decoders.

<localfile>
  <location>Microsoft-Windows-Sysmon/Operational</location>
  <log_format>eventchannel</log_format>
</localfile>

By the way, thanks again for the extensive answer and for offering help.

--
You received this message because you are subscribed to the Google Groups "Wazuh mailing list" group.
To unsubscribe from this group and stop receiving emails from it, send an email to wazuh+un...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/wazuh/34c49060-123f-43bc-853d-95bfc845449b%40googlegroups.com.

Juan Pablo Saez
Aug 12, 2019, 5:39:50 AM
to Wazuh mailing list
Hi again Blason,

It's great that you use Eventchannel as it's the best solution for collecting Windows logs. On the other hand, if it is not strictly necessary for you to use Sysmon 10, it may be a good idea to use an older version. 

Now that I know you collect and receive the logs correctly, are you interested in generating alerts for some events and, when these events occur, you find no related alerts? If so, please, could you paste here some example events so we can give you a solution?


Best regards, Juan Pablo Sáez



Blason R
Aug 12, 2019, 9:17:30 AM
to Juan Pablo Saez, Wazuh mailing list
Hello,

Nah, everything is working fine; however, somehow, even though my Sysmon network flag is ON and network logs are being generated, they are not being forwarded to the Wazuh manager, even though all the event levels are configured as 3.


Miki Alkalay
Aug 12, 2019, 9:21:06 AM
to Blason R, Juan Pablo Saez, Wazuh mailing list
Hi,
Today I installed Sysmon 10 and it seems that it's working perfectly with Eventchannel; also, I'm able to use event ID 22 for DNS queries.
The JSON decoder is doing the job for this event channel.


Miki



--

Best Regards

Miki Alkalay
Mobile: 972-54-6496293

Blason R
Aug 12, 2019, 9:27:56 AM
to Miki Alkalay, Juan Pablo Saez, Wazuh mailing list
Hi Miki,

Any specific Sysmon config you have used? Perhaps let me try with that. Or any specific changes you have made?

Juan Pablo Saez
Aug 13, 2019, 2:24:55 AM
to Wazuh mailing list
Hi Miki,

Thank you very much for sharing your experience on our Sysmon v10 ruleset update. If possible, please, tell us a bit more about your use case.

On the other hand, Blason, if you need our help configuring Sysmon v10 or adding its new rules to your current ruleset, count on us!


Big greetings, Juan Pablo Sáez


Blason R
Aug 13, 2019, 3:28:07 AM
to Juan Pablo Saez, Wazuh mailing list
Thanks, man, for offering a hand. However, my query and concern is: is it possible to have basic correlated events out of Wazuh logs? Like 5 logon failures within 2 mins, alert on it, etc...


Juan Pablo Saez
Aug 13, 2019, 5:10:21 AM
to Wazuh mailing list
Hi Blason,


Is it possible to have basic correlated events out of Wazuh logs? Like 5 logon failures within 2 mins, alert on it, etc...

Absolutely! Significant correlations can be established, let me show you an example:


The following sample event...
2019 Jun 10 17:11:22 WinEvtLog: Security: AUDIT_FAILURE(4625): Microsoft-Windows-Security-Auditing: (no user): no domain: MYDOMAIN: An account failed to log on. Subject:  Security ID:  S-1-0-0  Account Name:  -  Account Domain:  -  Logon ID:  0x0  Logon Type:   3  Account For Which Logon Failed:  Security ID:  S-1-0-0  Account Name:  AMMINISTRATORE  Account Domain:    Failure Information:  Failure Reason:  %%2313  Status:   0xc000006d  Sub Status:  0xc0000064  Process Information:  Caller Process ID: 0x0  Caller Process Name: -  Network Information:  Workstation Name: -  Source Network Address: -  Source Port:  -  Detailed Authentication Information:  Logon Process:  NtLmSsp   Authentication Package: NTLM  Transited Services: -  Package Name (NTLM only): -  Key Length:  0  This event is generated when a logon request fails. It is generated on the computer where access was attempted.



...triggers a logon failure rule:
**Phase 3: Completed filtering (rules).
       Rule id: '18130'
       Level: '5'
       Description: 'Windows: Logon Failure - Unknown user or bad password.'
       Info - Link: 'https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4625'
**Alert to be generated.



 
We can create a rule that triggers after 5 failed logon attempts for the same user within 5 minutes:
<rule id="100002" level="7" frequency="5" timeframe="300">
  <if_matched_sid>18130</if_matched_sid>
  <same_user/>
  <description>5 failed logon attempts on the same user in 5 minutes.</description>
</rule>


And after 5 failed logon attempts for the same user within 5 minutes, the rule above will trigger, giving an alert as output:
**Phase 3: Completed filtering (rules).
       Rule id: '100002'
       Level: '7'
       Description: '5 failed logon attempts on the same user in 5 minutes.'
**Alert to be generated.


You can try it yourself by including the rule above in the /var/ossec/etc/rules/local_rules.xml file and using the /var/ossec/bin/ossec-logtest binary with the example event as input 5 times within a 5-minute lapse.


If you need more information do not hesitate to contact us! 
Best regards, Juan Pablo Sáez
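The sliding-window correlation described in this reply (frequency="5", timeframe="300", <same_user/>), modelled in code as an added example written for this thread; it is not Wazuh's own rule engine. The 4625 text and the timestamps are constructed, and the counting is a simplified model: the rule fires on the fifth match inside the window for one user and then resets, whereas Wazuh's internal state handling may differ in detail.

```python
import re
from collections import defaultdict, deque

# Pulls the account name out of the "Account For Which Logon Failed" block of a
# Windows 4625 event, the same block seen in the sample event in this reply.
ACCOUNT_RE = re.compile(r"Account For Which Logon Failed:.*?Account Name:\s+(\S+)")


def extract_failed_user(event_text):
    """Return the account that failed to log on, or None if this is not a 4625 event."""
    if "AUDIT_FAILURE(4625)" not in event_text:
        return None
    m = ACCOUNT_RE.search(event_text)
    return m.group(1) if m else None


class FrequencyRule:
    """Simplified model of <rule frequency="N" timeframe="T"> with <same_user/>.

    A sliding window of match timestamps is kept per correlation key (the user).
    The rule fires when N matches fall inside T seconds; the window is then
    cleared so the next burst needs N fresh matches.
    """

    def __init__(self, rule_id, frequency, timeframe, same_user=True):
        self.rule_id = rule_id
        self.frequency = frequency
        self.timeframe = timeframe
        self.same_user = same_user
        self._hits = defaultdict(deque)  # key -> timestamps of recent matches

    def feed(self, ts, user):
        key = user if self.same_user else "*"
        window = self._hits[key]
        window.append(ts)
        while window and ts - window[0] > self.timeframe:
            window.popleft()  # drop matches older than the timeframe
        if len(window) >= self.frequency:
            window.clear()
            return self.rule_id
        return None


# Constructed 4625 line (not a real capture); {user} is filled in per event.
SAMPLE_4625 = (
    "2019 Jun 10 17:11:22 WinEvtLog: Security: AUDIT_FAILURE(4625): "
    "Microsoft-Windows-Security-Auditing: (no user): no domain: MYDOMAIN: "
    "An account failed to log on. Subject:  Security ID:  S-1-0-0  Account Name:  -  "
    "Account For Which Logon Failed:  Security ID:  S-1-0-0  Account Name:  {user}  "
    "Account Domain:    Failure Information:  Status:   0xc000006d"
)


def make_event(ts, user):
    return (ts, SAMPLE_4625.format(user=user))


def constructed_events():
    """Three constructed bursts: one that should alert and two that should not."""
    events = []
    events += [make_event(t, "AMMINISTRATORE") for t in (0, 60, 120, 180, 240)]  # 5 in 240 s
    events += [make_event(t, "BOB") for t in (10, 20, 30)]                         # only 3
    events += [make_event(t, "CAROL") for t in (1000, 1100, 1200, 1300, 1400)]     # 5 spread over 400 s
    events.sort(key=lambda e: e[0])
    return events


def run_correlation(events, frequency=5, timeframe=300):
    """Feed (timestamp, text) pairs through the rule and return the alerts it raises."""
    rule = FrequencyRule(100002, frequency, timeframe)
    alerts = []
    for ts, text in events:
        user = extract_failed_user(text)
        if user is None:
            continue  # not a 4625 event, so the base rule 18130 would not match either
        if rule.feed(ts, user) is not None:
            alerts.append((ts, user))
    return alerts


if __name__ == "__main__":
    for ts, user in run_correlation(constructed_events()):
        print(f"t={ts}s: rule 100002 fired for user {user}")
```

Only the AMMINISTRATORE burst alerts: BOB has too few failures and CAROL's five failures span 400 seconds, so the oldest one has left the 300-second window by the time the fifth arrives. Widening the timeframe to 500 seconds makes CAROL alert as well, which is the knob to reason about when tuning the rule for a real estate.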

Miki Alkalay
Aug 13, 2019, 6:18:50 AM
to Blason R, Juan Pablo Saez, Wazuh mailing list
Hi Blason,
I'm working on a case where I can have a CDB with all malicious IPs and URLs, while getting alerts on queries going to those sites.
I have MISP (Malware Information Sharing Platform), from which I'm downloading the rootchecks, and now I'm on to getting sites that hold the URL and IP IoCs.
By that I can get an alert on any malicious activity through the agent.

Miki

Blason R
Aug 13, 2019, 7:12:40 AM
to Miki Alkalay, Juan Pablo Saez, Wazuh mailing list
Is it like the dictionary rules from Logstash? If so, then yes, that is an excellent use case; any idea how to configure such rules? Since I also have MISP data, how do I start with such rules?

Juan Pablo Saez
Aug 30, 2019, 6:27:22 AM
to Wazuh mailing list
Hi again Blason,

On this MISP you can find a lot of malicious URL and IP feeds to include in your CDB lists. The most interesting are those in freetext format; they require little or no modification to be used as a CDB list, e.g. this IP list or this URL list. You can do the same with your usual MISPs.

Then you can design some rules to check events against your MISP-based blacklists, e.g.:
<rule id="100100" level="10">
  <if_sid>XXXXXX</if_sid>
  <list field="srcip" lookup="address_match_key">etc/lists/blacklist1</list>
  <description>IP in black list.</description>
</rule>

<rule id="100101" level="10">
  <if_sid>XXXXXX</if_sid>
  <!-- placeholders: use the decoded field that carries the URL/domain and a list built from the URL feed -->
  <list field="url" lookup="match_key">etc/lists/blacklist2</list>
  <description>URL in black list.</description>
</rule>

And finally, block the attacks with a <command> block plus an <active-response> block:
<command>
    <name>netsh</name>
    <executable>netsh.cmd</executable>
    <expect>srcip</expect>
    <timeout_allowed>yes</timeout_allowed>
</command>

<active-response>
    <command>netsh</command>
    <location>local</location>
    <rules_id>100100</rules_id>
    <timeout>1800</timeout>
</active-response>


Please, let me know if it helps!

Best regards, Juan Pablo Sáez
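How the two CDB lookups in the rules above behave, as an added example written for this thread rather than Wazuh's own list code. The IP and URL lists are constructed, in the "key:value" line format Wazuh CDB text files use (value optional), and feed_to_cdb shows the "little or no modification" step from a freetext feed to such a file. The address_match_key model accepts single addresses and CIDR prefixes; the url field name is a placeholder, since the thread does not say which decoded field carries the URL.

```python
import ipaddress

# Constructed CDB-style list text (one "key:value" per line, value optional),
# standing in for etc/lists/blacklist1 and etc/lists/blacklist2. Not real feeds;
# TEST-NET ranges are used as placeholders.
BLACKLIST_IPS = """\
# IPs and netblocks
198.51.100.7:
203.0.113.0/24:
"""

BLACKLIST_URLS = """\
evil.example.net:misp-event-1
malware.example.org:
"""


def feed_to_cdb(feed_lines):
    """Turn a freetext feed (one indicator per line) into CDB 'key:' lines."""
    out = []
    for line in feed_lines:
        line = line.strip()
        if line and not line.startswith("#"):
            out.append(f"{line}:")
    return "\n".join(out)


def parse_cdb_text(text):
    """Parse CDB text into {key: value}, skipping blank lines and '#' comments."""
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        # Split on the last colon so an IPv6 key such as "2001:db8::1:" survives.
        key, _, value = line.rpartition(":")
        entries[key.strip()] = value.strip()
    return entries


def address_match_key(ip, entries):
    """Model of lookup="address_match_key": return the matching key or None."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return None  # field missing or not an IP address
    for key in entries:
        try:
            net = ipaddress.ip_network(key, strict=False)  # single IP becomes /32 or /128
        except ValueError:
            continue  # non-IP key, ignored by this lookup type
        if addr in net:
            return key
    return None


def match_key(value, entries):
    """Model of lookup="match_key": exact key lookup."""
    return value in entries


def evaluate(event, ip_list, url_list):
    """Mimic rules 100100 (IP) and 100101 (URL) over a decoded event dict.

    Returns the rule ids that would fire, in rule order.
    """
    fired = []
    if address_match_key(event.get("srcip", ""), ip_list):
        fired.append(100100)
    if match_key(event.get("url", ""), url_list):  # 'url' is a placeholder field name
        fired.append(100101)
    return fired


if __name__ == "__main__":
    ips = parse_cdb_text(BLACKLIST_IPS)
    urls = parse_cdb_text(BLACKLIST_URLS)
    for ev in ({"srcip": "203.0.113.44"}, {"srcip": "192.0.2.1", "url": "evil.example.net"}):
        print(ev, "->", evaluate(ev, ips, urls))
```

The value column is free for metadata such as the MISP event that sourced the indicator, which is handy when the alert needs to point an analyst back to its origin. Keep the blocking rule (100100) attached only to lookups you trust as precise: a netblock entry such as 203.0.113.0/24 will also trigger the netsh active response for every address in that range.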


Walid Bzeouich
Oct 19, 2023, 7:19:21 AM
to Wazuh | Mailing List
Hi,
I want to parse logs received from Sysmon installed on Windows 7.
The purpose is to generate an alert when a user pings a domain, so I want Wazuh to notify me and show me which domain, so I can then verify whether this domain is an IoC (Wazuh integration with MISP). I followed this blog: https://opensecure.medium.com/wazuh-and-misp-integration-242dfa2f2e19
