Wazuh Rules Creation


M.Ali
Oct 5, 2019, 7:38:52 AM
to Wazuh mailing list
Hi everyone,

I am new to open source SIEM and Wazuh is my first deployment. I deployed Wazuh on Ubuntu, and I have Windows and Ubuntu agents, and all agents forward logs to the server.

Now I want to implement rules on the logs, but it is not clear from the documentation whether the GitHub rules repository is already in Wazuh or I have to add it. I already updated the rules with # /var/ossec/bin/update_ruleset.

Can anyone guide me through the step-by-step process of rules implementation? Can we use Kibana to upload .XML rule files?

Jose Miguel Mallorquin
Oct 7, 2019, 2:45:16 AM
to Wazuh mailing list
Hello M.Ali,

we are glad you started to use Wazuh.

Let me introduce some details regarding the Rules:

The Ruleset, included in the Wazuh Manager installation by default, is a set of XML files called Decoders and Rules. The Decoders are used by the Analysis Daemon to extract the required fields and values from the incoming events or log messages. Then, the Rules are used to generate an alert based on the fields extracted by the corresponding Decoder. The alerts then follow the data flow and are finally displayed in the Kibana web UI.

As you properly mentioned, there is a wazuh-ruleset repository in GitHub where we can find all of the Decoders and Rules that are currently available in the corresponding version of Wazuh.

The /var/ossec/bin/update_ruleset script is used to update the current ruleset on your system in case it is out of date.

Finally, regarding the rules creation process you asked about, please take a look at Custom rules and decoders. It is used when we have a specific log message or event with a format that the current Ruleset is not ready to handle. In those cases, we first create a custom Decoder to extract the fields we need and their values. Then, we create the corresponding custom Rule to generate the alert according to our requirements. It is recommended to place the custom XML files in /var/ossec/etc/decoders/ and /var/ossec/etc/rules/ instead of /var/ossec/ruleset, as the latter is overwritten when we upgrade the wazuh-manager installation.

The XML files can be created/edited directly from the CLI with any text editor, or you can do it on your local system and then upload them to the wazuh-manager server. They can also be created/edited from the Kibana Wazuh App:


Every change requires restarting the wazuh-manager service to apply the changes.

Also, you can use /var/ossec/bin/ossec-logtest to test the logs you want to parse.

I hope this helps you.

Don't hesitate to ask us for further information.

Best regards,
Jose M.
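As an added example (not code from this thread or from the Wazuh project), here is the procedure from the reply above carried out end to end: a custom decoder and a small rule family for a made-up application whose syslog lines look like `Oct 28 02:43:02 app01 myapp: login failed from 203.0.113.7 user=alice` (a constructed format), written into the etc/decoders and etc/rules directories so an upgrade does not overwrite them, then a syntax check, a restart and a one-line logtest. WAZUH_DIR, the "myapp" format, the file names and the rule ids (chosen inside the 100000-119999 range reserved for custom rules) are this example's assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread or from the Wazuh project.
# Installs a custom decoder and rules for a made-up application whose
# syslog lines look like (constructed sample):
#   Oct 28 02:43:02 app01 myapp: login failed from 203.0.113.7 user=alice
# Files go under etc/decoders and etc/rules, as the reply recommends, so
# that a wazuh-manager upgrade does not overwrite them. WAZUH_DIR, the
# "myapp" log format and the file names are this example's assumptions.
WAZUH_DIR="${WAZUH_DIR:-/var/ossec}"

write_myapp_decoders() {
  mkdir -p "$WAZUH_DIR/etc/decoders"
  cat > "$WAZUH_DIR/etc/decoders/myapp_decoders.xml" <<'EOF'
<!-- Parent: matches on the program name taken from the syslog header
     during pre-decoding (Phase 1), so the child only sees the message. -->
<decoder name="myapp">
  <program_name>^myapp$</program_name>
</decoder>

<!-- Child: extracts the fields the rules below test. -->
<decoder name="myapp-login">
  <parent>myapp</parent>
  <regex>^login (\w+) from (\S+) user=(\S+)$</regex>
  <order>status, srcip, user</order>
</decoder>
EOF
}

write_myapp_rules() {
  mkdir -p "$WAZUH_DIR/etc/rules"
  # Custom rule ids must stay in the 100000-119999 range reserved for them.
  cat > "$WAZUH_DIR/etc/rules/myapp_rules.xml" <<'EOF'
<group name="myapp,">
  <rule id="100100" level="3">
    <decoded_as>myapp</decoded_as>
    <description>myapp event.</description>
  </rule>

  <rule id="100101" level="5">
    <if_sid>100100</if_sid>
    <status>failed</status>
    <description>myapp: failed login.</description>
    <group>authentication_failed,</group>
  </rule>

  <!-- Correlation: 5 failed logins from one source IP within 120 s. -->
  <rule id="100102" level="10" frequency="5" timeframe="120">
    <if_matched_sid>100101</if_matched_sid>
    <same_source_ip />
    <description>myapp: multiple failed logins from the same source IP.</description>
    <group>authentication_failures,</group>
  </rule>
</group>
EOF
}

check_ruleset() {
  # -t loads every decoder and rule file and reports syntax errors
  # without touching the running service.
  "$WAZUH_DIR/bin/ossec-logtest" -t
}

restart_manager() {
  systemctl restart wazuh-manager
}

test_log() {
  # One-line form of the interactive ossec-logtest session.
  printf '%s\n' "$1" | "$WAZUH_DIR/bin/ossec-logtest"
}

# Usage on the manager (as root):
#   write_myapp_decoders && write_myapp_rules && check_ruleset && restart_manager
#   test_log 'Oct 28 02:43:02 app01 myapp: login failed from 203.0.113.7 user=alice'
```

With the sample line, Phase 1 of the ossec-logtest output should show program_name 'myapp', Phase 2 the decoder 'myapp' with status, srcip and user extracted, and Phase 3 rule 100101. Running check_ruleset before restart_manager matters: a rule file that does not parse stops the analysis daemon from loading the ruleset, so restarting without the check can take the manager down.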


M.Ali
Oct 8, 2019, 11:04:29 AM
to Wazuh mailing list
Thanks a lot for this help.
Sorry, I know that my questions are really basic, but I need help.
Do I need to add a new decoder for Windows security logs, or are the following existing 827 decoders enough for the alerts?

(attachment: decoders.PNG)


Similarly, there are almost 126 rule files with 2,856 rules; how can I enable all these rules?



(attachment: rules files.PNG)

 

Jose Miguel Mallorquin
Oct 9, 2019, 2:31:59 AM
to Wazuh mailing list
Hello M.Ali,

don't worry, it is a pleasure for us to help our Community.

As you properly mentioned, there are a lot of prebuilt Decoders and Rules included in the Wazuh ruleset when Wazuh Manager is installed. They are all enabled by default.
Regarding Windows logs, the Wazuh Agent collects the events from the main Windows channels: System, Application and Security. Then, it sends those events to the Manager, whose ruleset is ready to handle them and generate alerts thanks to the Decoders and Rules.

I hope this helps.

Best regards,
Jose M.

M.Ali
Oct 9, 2019, 5:07:40 AM
to Wazuh mailing list
Sir,
Thanks a lot for the help.

Just one more thing: how can I disable unnecessary rules?

Jose Miguel Mallorquin
Oct 9, 2019, 5:30:28 AM
to Wazuh mailing list
Hi,

in order to avoid generating alerts for a particular Rule, you can decrease its level value to 0 so that it is ignored:

Please, visit Changing an existing rule to know how to proceed.

In essence, you need to copy the desired Rule from the corresponding file (located at /var/ossec/ruleset/rules/) and paste it into a file for custom Rules (located at /var/ossec/etc/rules/). Then, edit the value of level and add overwrite="yes" to indicate that this rule overwrites an already defined rule.

Finally, restart the wazuh-manager service to update the changes.
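The copy-and-overwrite procedure from the reply above, scripted as an added example (not code from this thread or from the Wazuh project): the script pulls the `<rule>` block with the requested id out of the stock ruleset, rewrites its level to 0 with overwrite="yes", and saves it under etc/rules/ where an upgrade will not touch it. WAZUH_DIR and the one-file-per-rule naming (disable_<id>.xml, wrapped in a group of this example's choosing) are assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread or from the Wazuh project.
# Silences a stock rule the way the reply describes: copy the <rule> block
# out of ruleset/rules/, set level="0" and add overwrite="yes", and save the
# copy under etc/rules/ so it survives upgrades. WAZUH_DIR and the
# one-file-per-rule naming (disable_<id>.xml) are this example's choices.
WAZUH_DIR="${WAZUH_DIR:-/var/ossec}"

# Print the <rule id="$1" ...> ... </rule> block from the stock ruleset.
extract_rule() {
  awk -v id="$1" '
    $0 ~ ("<rule id=\"" id "\"") { p = 1 }
    p { print }
    p && /<\/rule>/ { exit }
  ' "$WAZUH_DIR"/ruleset/rules/*.xml
}

# Write etc/rules/disable_<id>.xml containing the overriding, level-0 copy
# and print its path. Returns 1 if the id is not in the stock ruleset.
disable_rule() {
  id="$1"
  out="$WAZUH_DIR/etc/rules/disable_${id}.xml"
  body=$(extract_rule "$id")
  if [ -z "$body" ]; then
    echo "rule $id not found under $WAZUH_DIR/ruleset/rules" >&2
    return 1
  fi
  mkdir -p "$WAZUH_DIR/etc/rules"
  {
    echo '<group name="local,">'
    # The attributes sit on the first line of the block: force level 0 and
    # mark the copy as an overwrite of the stock definition rather than a
    # second rule with the same id.
    printf '%s\n' "$body" | sed '1s/ level="[0-9]*"/ level="0" overwrite="yes"/'
    echo '</group>'
  } > "$out"
  echo "$out"
}

# Usage on the manager (as root):
#   disable_rule 5710 && "$WAZUH_DIR/bin/ossec-logtest" -t && systemctl restart wazuh-manager
```

Two practitioner notes. Level 0 suppresses the alert but the rule still matches, so any rules that hang off it with `<if_sid>` keep evaluating and can still alert; silencing a whole family means overriding each child too. And always run `ossec-logtest -t` before the restart: an unbalanced tag in the new file is enough to stop the ruleset from loading.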

M.Ali
Oct 19, 2019, 6:12:46 AM
to Wazuh mailing list
hi,

I added all the nodes and Wazuh is receiving logs from the agents.

But my Sophos firewall traffic logs are not appearing; only Sophos system logs and its domain activity logs are available.

I forward all types of logs from Sophos to the Wazuh server IP, but Sophos traffic logs, like source IP connected to a destination IP on port xxxx, are missing. Where can I get these types of logs in Wazuh and how can I monitor firewall traffic in Wazuh?


Jose Miguel Mallorquin
Oct 23, 2019, 3:33:17 AM
to Wazuh mailing list
Hi M.Ali,

my apologies for this late response.

At the moment, the Wazuh ruleset is ready to parse Sophos Antivirus logs thanks to the corresponding Decoders and Rules files.

Regarding Sophos Firewall, could you please provide some log samples? You can omit sensitive information (hostname, IP addresses, etc.).

That way, we can use the /var/ossec/bin/ossec-logtest tool to check whether those specific logs are properly decoded and an alert is triggered. Otherwise, it will be necessary to create custom Decoders and Rules.


Best regards,
Jose M.

M.Ali
Oct 25, 2019, 10:33:21 AM
to Wazuh mailing list
Sorry for the late reply.

The rule test command "/var/ossec/bin/ossec-logtest" is not executing on my Wazuh server. Whenever I try to execute it, no result appears on screen. For a test I left it for 24 hours, but no luck.

Rick Gutierrez
Oct 25, 2019, 10:40:36 AM
to M.Ali, Wazuh mailing list
On Fri, Oct 25, 2019 at 8:33 AM, M.Ali <hotatti...@gmail.com> wrote:
> Sorry for the late reply.
>
> The rule test command "/var/ossec/bin/ossec-logtest" is not executing on my Wazuh server. Whenever I try to execute it, no result appears on screen. For a test I left it for 24 hours, but no luck.

Hi, I had the same thing: I ran the test for a new rule, but it hangs.

Jose Miguel Mallorquin
Oct 28, 2019, 3:03:42 AM
to Wazuh mailing list
Hello,

to use the ossec-logtest tool, please execute the command, then paste or type the log you want to parse and press Enter:



In the example above, I used the following log sample from my test environment: Oct 28 02:43:02 wazuh-manager-3-10-2-ip9 postfix/master[1545]: daemon started -- version 2.10.1, configuration /etc/postfix

The correct execution of the test would provide the 3 Phases of the process:
- Phase 1: Completed pre-decoding.
- Phase 2: Completed decoding.
- Phase 3: Completed filtering (rules).


We can also run the test in just one line, like below:
# echo 'Oct 28 02:43:02 wazuh-manager-3-10-2-ip9 postfix/master[1545]: daemon started -- version 2.10.1, configuration /etc/postfix' | /var/ossec/bin/ossec-logtest

The output is the same.

M.Ali
Oct 28, 2019, 11:47:37 AM
to Wazuh mailing list
Hello,

Is this command just for one type of rule or for all implemented rules?

How can I check all decoders and rules at once?

Please answer as soon as possible.

Thanks

Juan Carlos
Oct 28, 2019, 11:53:54 AM
to Wazuh mailing list
Hi,

This command will show how the event log you provide will be analyzed and the resulting action to be taken by Wazuh's analysis daemon, taking into consideration all of the decoders and rules in its ruleset.

You may test it with as many event logs as you want.

Best Regards,
Juan Carlos Tello

M.Ali
Oct 29, 2019, 4:54:05 AM
to Wazuh mailing list
If I have to check my decoders and rules for a firewall or an Apache server, then what change do I have to make in the above command?

Jose Miguel Mallorquin
Oct 29, 2019, 6:25:49 AM
to Wazuh mailing list
Hello,

the ossec-logtest tool offers several options. Please use -h or --help to check them:
# /var/ossec/bin/ossec-logtest -h

Wazuh v3.10.2 - Wazuh Inc. (info@wazuh.com)
http://www.wazuh.com
  ossec-testrule: -[Vhdtva] [-c config] [-D dir] [-U rule:alert:decoder]
    -V          Version and license message
    -h          This help message
    -d          Execute in debug mode. This parameter
                can be specified multiple times
                to increase the debug level.
    -t          Test configuration
    -a          Alerts output
    -v          Verbose (full) output/rule debugging
    -c <config> Configuration file to use (default: /var/ossec/etc/ossec.conf)
    -D <dir>    Directory to chroot into (default: /var/ossec)
    -U <rule:alert:decoder>  Unit test. Refer to contrib/ossec-testing/runtests.py

For example, we can use -t to test all of the Decoders and Rules XML files in order to know whether they contain any syntax error:
# /var/ossec/bin/ossec-logtest -t
2019/10/29 06:21:26 ossec-testrule: ERROR: (1226): Error reading XML file 'etc/rules/local_rules.xml': XMLERR: End of file and some elements were not closed. (line 79).
2019/10/29 06:21:26 ossec-testrule: CRITICAL: (1220): Error loading the rules: 'etc/rules/local_rules.xml'

We can also use -v to add verbose output. It expects to receive one log per line (type or paste it). See the example below (I have simply used "test" as my input log); we will see the Rule debugging:
# /var/ossec/bin/ossec-logtest -v
2019/10/29 06:17:02 ossec-testrule: INFO: Started (pid: 4531).
ossec-testrule: Type one log per line.

test


**Phase 1: Completed pre-decoding.
       full event: 'test'
       timestamp: '(null)'
       hostname: 'wazuh-manager-3-10-2-ip9'
       program_name: '(null)'
       log: 'test'

**Phase 2: Completed decoding.
       No decoder matched.

**Rule debugging:
    Trying rule: 1 - Generic template for all syslog rules.
       *Rule 1 matched.
       *Trying child rules.
    Trying rule: 600 - Active Response Messages Grouped
    Trying rule: 200 - Grouping of wazuh rules.
    ...
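Two helpers around ossec-logtest, added here as an example (not code from this thread or from the Wazuh project) to cover both the -t check shown in the reply above and Juan Carlos's point that every log fed to the tool is evaluated against the whole loaded ruleset: a syntax gate that only restarts the manager when -t passes, and a batch runner that pushes every line of a sample-log file through ossec-logtest one at a time and reduces each run to the decoder, rule id and level it hit, which is the practical way to check all decoders and rules at once. WAZUH_DIR, the helper names and the summary format are this example's choices; the sample file is whatever you pass in.

```shell
#!/bin/sh
# Added example, not code from the thread or from the Wazuh project.
# Two helpers around ossec-logtest: a syntax gate before restarting (the
# -t check shown above) and a batch run that pushes every line of a sample
# file through the full ruleset, which is how to regression-test all
# decoders and rules at once. WAZUH_DIR and the summary format are this
# example's choices.
WAZUH_DIR="${WAZUH_DIR:-/var/ossec}"

validate_then_restart() {
  # A rule file that fails to parse keeps the analysis daemon from loading
  # the ruleset, so only restart when -t loads everything cleanly.
  if "$WAZUH_DIR/bin/ossec-logtest" -t; then
    systemctl restart wazuh-manager
  else
    echo "ruleset check failed; wazuh-manager not restarted" >&2
    return 1
  fi
}

# Reduce one ossec-logtest run (read from stdin) to
# "decoder=<name> rule=<id> level=<n>". Values that never appear in the
# output (no decoder matched, no rule matched) are printed as "-".
summarize_logtest_output() {
  awk -F"'" '
    /^ *decoder:/ { d = $2 }
    /^ *Rule id:/ { r = $2 }
    /^ *Level:/   { l = $2 }
    END {
      if (d == "") d = "-"; if (r == "") r = "-"; if (l == "") l = "-"
      printf "decoder=%s rule=%s level=%s\n", d, r, l
    }'
}

# Run every non-empty line of a sample file through ossec-logtest, one log
# per run, and print the summary next to the log line. Each run evaluates
# the whole loaded ruleset, so a line that comes back "decoder=-" needs a
# custom decoder and one with an unexpected rule id needs a rule change.
logtest_batch() {
  while IFS= read -r line || [ -n "$line" ]; do
    [ -z "$line" ] && continue
    summary=$(printf '%s\n' "$line" | "$WAZUH_DIR/bin/ossec-logtest" 2>&1 | summarize_logtest_output)
    printf '%s | %s\n' "$summary" "$line"
  done < "$1"
}

# Usage on the manager (as root):
#   validate_then_restart
#   logtest_batch /root/sample_logs.txt
```

Keep the sample file under version control next to the custom XML: re-running logtest_batch after every ruleset change turns the interactive "type one log per line" session into a repeatable regression test, and a changed rule id or level on a line that used to pass shows up immediately.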
