Problem With Redis for reading Xbits


sss sss

May 28, 2020, 2:27:02 AM5/28/20
to sagan-users
Hi,

Debug msg 1:
[D] [xbit-redis.c, line 87] Xbit 'WINDOWS_AUTHUseraccountdelete' set in Redis for 192.168.1.24 for 86400 seconds

Debug msg 2:
[D] [xbit-redis.c, line 226] Xbit 'WINDOWS_AUTHUseraccountdelete' was not found IP address 192.168.1.24 for isset. Returning false.

at the same time, Redis data:
1) "sagan:X:WINDOWS_SECURITYAsecurity_ena:192.168.1.24"
2) "sagan:X:WINDOWS_AUTHUseraccountdelete:192.168.1.24"
3) "sagan:X:WINDOWS_AUTHUseraccountcreate:192.168.1.24"


Redis version:
Redis server v=5.0.8 sha=00000000:0 malloc=jemalloc-5.1.0 bits=64 build=18ca9d7ea1c3e9cc

Sagan version:
1.2.2 

OS:
On both sides: CentOS 7 with kernel 5.2.11-1.el7.elrepo.x86_64


Where is the problem? what should I do?

Da Beave

May 28, 2020, 12:30:21 PM5/28/20
to sagan-users
Hmmmm.... What is your "sensor-name" and "cluster-name" set to? Also, can you try 2.0.0 in Github (https://github.com/beave/sagan)?


sss sss

May 30, 2020, 1:16:06 AM5/30/20
to sagan-users
I have 3 nodes: XSIEM_Correlator1, 2, 3 (sensor names) and "X_SIEM" (cluster name). I'll try 2.0.0 ASAP.

sss sss

May 31, 2020, 6:23:35 AM5/31/20
to sagan-users

[attachment: sagan.png]


Rules :

alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[Strategy] Test - Stage A"; after: track by_src, count 2, seconds 300; sid: 10444675; rev: 12; reference: x; classtype: successful-user; xbits: set, WINDOWS_AUTHUseraccountcreateA, track ip_src, expire 86400; program: *Security*; pcre: "/  4720: | 624: /";)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[Strategy] Test - Stage B"; after: track by_src, count 2, seconds 300; sid: 44825366; rev: 6; classtype: successful-user; reference: x; xbits: isset, WINDOWS_AUTHUseraccountcreateA, track ip_src; xbits: set, WINDOWS_AUTHUseraccountdeleteB, track ip_src, expire 86400; program: *Security*; pcre: "/  4726: | 630: /";)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[Strategy] Test - Stage C"; after: track by_src, count 3, seconds 300; sid: 42509443; rev: 4; content: !"$ Account Domain|3a|"; program: *Security*; reference: ANP Default Rule; xbits: isset, WINDOWS_AUTHUseraccountdeleteB, track ip_src; xbits: set, WINDOWS_SECURITYAsecurity_ena, track ip_src, expire 86400; reference: x; classtype: system-event; pcre: "/  4735: | 639: /";)

Problem still exists on 2.0.0.
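
Added example (not code from this thread or from the Sagan project): a small Python model of the three-stage xbits chain the rules above express. Redis is replaced by an in-memory store that mimics SET with EX and EXISTS (an assumption for the demo) and uses the sagan:X:<xbit>:<ip> key layout visible in the KEYS listing earlier in the thread. The rules' after: thresholds are left out, the pcre patterns are simplified to the event IDs, and the log lines are constructed, not real events. It shows why Stage B's isset passes only for a source IP that has already fired Stage A, and that the bit is gone once the 86400-second expire has elapsed.

```python
import re
import time
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

XBIT_PREFIX = "sagan:X"   # key layout 'sagan:X:<xbit>:<ip>' as seen in the thread's KEYS output


class FakeRedis:
    """Stand-in for Redis (demo assumption): SET key EX ttl and EXISTS,
    with lazy expiry on access so the clock can be advanced in tests."""

    def __init__(self, clock=time.time):
        self._clock = clock
        self._data: Dict[str, float] = {}   # key -> absolute expiry time

    def set_ex(self, key: str, ttl: int) -> None:
        self._data[key] = self._clock() + ttl

    def exists(self, key: str) -> bool:
        expiry = self._data.get(key)
        if expiry is None:
            return False
        if expiry <= self._clock():
            del self._data[key]            # expired: behave as if Redis reaped it
            return False
        return True

    def keys(self) -> List[str]:
        return sorted(k for k in list(self._data) if self.exists(k))


def xbit_key(name: str, ip: str) -> str:
    return f"{XBIT_PREFIX}:{name}:{ip}"


@dataclass
class Rule:
    sid: int
    msg: str
    pcre: re.Pattern
    isset: Optional[str] = None   # xbit that must already be set for the source IP
    set_: Optional[str] = None    # xbit to set when the rule fires
    expire: int = 86400


@dataclass
class Event:
    src_ip: str
    program: str
    message: str


# The chain from the posted rules, with the 'after:' thresholds omitted.
RULES = [
    Rule(10444675, "[Strategy] Test - Stage A", re.compile(r"\b(4720|624):"),
         set_="WINDOWS_AUTHUseraccountcreateA"),
    Rule(44825366, "[Strategy] Test - Stage B", re.compile(r"\b(4726|630):"),
         isset="WINDOWS_AUTHUseraccountcreateA", set_="WINDOWS_AUTHUseraccountdeleteB"),
    Rule(42509443, "[Strategy] Test - Stage C", re.compile(r"\b(4735|639):"),
         isset="WINDOWS_AUTHUseraccountdeleteB", set_="WINDOWS_SECURITYAsecurity_ena"),
]


def evaluate(rule: Rule, ev: Event, store: FakeRedis) -> bool:
    """True when the rule fires for this event; on fire, set its xbit (track ip_src)."""
    if ev.program != "Security" or not rule.pcre.search(ev.message):
        return False
    if rule.isset and not store.exists(xbit_key(rule.isset, ev.src_ip)):
        return False   # 'xbits: isset' fails: the earlier stage never fired for this IP
    if rule.set_:
        store.set_ex(xbit_key(rule.set_, ev.src_ip), rule.expire)
    return True


def run_chain(events: List[Event], store: FakeRedis) -> List[Tuple[int, str]]:
    return [(r.sid, e.src_ip) for e in events for r in RULES if evaluate(r, e, store)]


def demo() -> dict:
    now = [1_590_000_000.0]                # controllable clock so expiry can be tested
    store = FakeRedis(clock=lambda: now[0])
    # Constructed Windows Security log messages (not real events).
    events = [
        Event("192.168.1.24", "Security", "4720: A user account was created."),
        Event("192.168.1.24", "Security", "4726: A user account was deleted."),
        Event("10.0.0.9", "Security", "4726: A user account was deleted."),   # no Stage A for this IP
        Event("192.168.1.24", "Security", "4735: A security-enabled local group was changed."),
    ]
    fired = run_chain(events, store)
    keys_while_set = store.keys()
    now[0] += 86401                        # step past the 86400-second expire
    still_set = store.exists(xbit_key("WINDOWS_AUTHUseraccountdeleteB", "192.168.1.24"))
    return {"fired": fired, "keys": keys_while_set, "isset_after_expiry": still_set}


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The 10.0.0.9 event is the point of the model: its 4726 matches Stage B's pattern, but no Stage A bit exists for that source, so isset fails and nothing is set. In the thread's case the key for 192.168.1.24 was present in Redis and isset still returned false, which is why the maintainer looked for a bug in the lookup path rather than in the rules.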

Da Beave

May 31, 2020, 3:04:01 PM5/31/20
to sagan-users
Perfect and thank you for the information. I'll look at this ASAP (today/tomorrow).

Da Beave

Jun 1, 2020, 1:00:07 PM6/1/20
to sagan-users

Hello,  

There was a bug due to "debug" code that caused an incomplete condition. This has been corrected. Can you get the latest code from Github and test again? I was able to fire your rules as expected. Let me know the results and thank you!

sss sss

Jun 2, 2020, 2:44:58 AM6/2/20
to sagan-users
Thanks for your quick reaction! I'll check the new version and will share my experience ASAP.