Snyk Integration - Wazuh


Vera

Apr 24, 2024, 3:16:44 AM
to Wazuh | Mailing List
Good morning,
I am trying to add Snyk to Wazuh. I use a regular expression to get a specific field, but it only detects the first match, not all the existing ones in the log. Any help with this?

Rafael Bailon Robles

Apr 24, 2024, 4:29:20 AM
to Wazuh | Mailing List
Hello! To add Snyk to Wazuh, I recommend taking a look at this guide: Container Vulnerability Scanning with Wazuh and Snyk. From what I understand, you have problems with the rules for Snyk, so you can go directly to Snyk Rules Configuration, where there are examples that you can use as a base.

If you need more specific help, I need an example of the rule you created and an example of the log you use to test the rule.

I hope you find it useful.

Vera

Apr 24, 2024, 4:32:15 AM
to Wazuh | Mailing List
Hello Rafael,

Thank you for the information. The rules and decoders are fine (the alert appears in the dashboard with the information), but I would like to add the flag ‘global’ to the regular expression (type PCRE2). Any advice?

Rafael Bailon Robles

Apr 24, 2024, 5:46:48 AM
to Wazuh | Mailing List
I'm not sure I understand what the problem is. If what you want is to add one more parameter to the regular expression, you can do it directly. This is the documentation about the regex. You can also use sibling decoders; this way, you can manage logs with different structures.

If you have different logs that you want to manage at the same time, I suggest using sibling decoders. If it is adding just one parameter to the regex, you can do it directly in the decoder you already have.

I hope it helps. If you need more help, I will need an example so I can reproduce it locally and provide you with better help.

Rafael Bailon Robles

Apr 24, 2024, 7:22:48 AM
to Wazuh | Mailing List
From the logs that you have sent me privately, I think they are multiline logs. If so, take a look at the documentation: Log-Format. The "log_format" should be "multi-line".

Here you have the regex that Wazuh uses, in case you didn't have it and it helps you: Regex.

If this doesn't solve it, let me know. I'm trying to reproduce it locally to help you better.

Shaikh Krunal

Jun 27, 2024, 9:32:16 AM
to Wazuh | Mailing List
Hello Vera,
I am trying to take the logs, or I could say the scan output, of the Snyk CLI into Wazuh with the help of a Wazuh decoder and custom rules, but I am getting an error in my decoders.
This is my decoder:
<decoder name="snyk">
  <prematch>^\h*&#10007;\h+\[</prematch>
</decoder>

<decoder name="snyk-issue">
  <parent>snyk</parent>
  <regex>^&#10007;\h+\[(\w+)\]\h+(.*)$</regex>
  <order>severity,issue</order>
</decoder>

<decoder name="snyk-path">
  <parent>snyk-issue</parent>
  <regex>Path:\h+(.+?),\h+line\h+(\d+)$</regex>
  <order>path,line</order>
</decoder>

<decoder name="snyk-info">
  <parent>snyk-issue</parent>
  <regex>Info:\h+(.+)$</regex>
  <order>info</order>
</decoder>

<decoder name="snyk-summary">
  <parent>snyk</parent>
  <regex>^(\d+)\h+Code issues found$</regex>
  <order>total_issues</order>
</decoder>
And this is the scan output:

 ✗ [Low] Sensitive Cookie in HTTPS Session Without 'Secure' Attribute 
   Path: pygoat/introduction/views.py, line 194 
   Info: The cookie's Secure flag is set to False. Set it to true to protect the cookie from man-in-the-middle attacks.

 ✗ [Low] Sensitive Cookie in HTTPS Session Without 'Secure' Attribute 
   Path: pygoat/introduction/views.py, line 208 
   Info: The cookie's Secure flag is set to False. Set it to true to protect the cookie from man-in-the-middle attacks.

 ✗ [Low] Sensitive Cookie in HTTPS Session Without 'Secure' Attribute 
   Path: pygoat/introduction/views.py, line 222 
   Info: The cookie's Secure flag is set to False. Set it to true to protect the cookie from man-in-the-middle attacks.

 ✗ [Low] Sensitive Cookie in HTTPS Session Without 'Secure' Attribute 
   Path: pygoat/introduction/views.py, line 119 
   Info: Cookie's Secure flag is set to False by default. Set it to true to protect the cookie from man-in-the-middle attacks.

 ✗ [Low] Sensitive Cookie in HTTPS Session Without 'Secure' Attribute 
   Path: pygoat/introduction/views.py, line 255 
   Info: Cookie's Secure flag is set to False by default. Set it to true to protect the cookie from man-in-the-middle attacks.

 ✗ [Low] Sensitive Cookie in HTTPS Session Without 'Secure' Attribute 
   Path: pygoat/introduction/views.py, line 259 
   Info: Cookie's Secure flag is set to False by default. Set it to true to protect the cookie from man-in-the-middle attacks.

 ✗ [Low] Sensitive Cookie in HTTPS Session Without 'Secure' Attribute 
   Path: pygoat/introduction/views.py, line 349 
   Info: Cookie's Secure flag is set to False by default. Set it to true to protect the cookie from man-in-the-middle attacks.

 ✗ [Low] Sensitive Cookie in HTTPS Session Without 'Secure' Attribute 
   Path: pygoat/introduction/views.py, line 355 
   Info: Cookie's Secure flag is set to False by default. Set it to true to protect the cookie from man-in-the-middle attacks.

 ✗ [Low] Sensitive Cookie Without 'HttpOnly' Flag 
   Path: pygoat/introduction/views.py, line 119 
   Info: Cookie's HttpOnly flag is set to False by default. Set it to true to protect the cookie from possible malicious code on client side.

 ✗ [Low] Sensitive Cookie Without 'HttpOnly' Flag 
   Path: pygoat/introduction/views.py, line 194 
   Info: Cookie's HttpOnly flag is set to False by default. Set it to true to protect the cookie from possible malicious code on client side.

 ✗ [Low] Sensitive Cookie Without 'HttpOnly' Flag 
   Path: pygoat/introduction/views.py, line 208 
   Info: Cookie's HttpOnly flag is set to False by default. Set it to true to protect the cookie from possible malicious code on client side.

 ✗ [Low] Sensitive Cookie Without 'HttpOnly' Flag 
   Path: pygoat/introduction/views.py, line 222 
   Info: Cookie's HttpOnly flag is set to False by default. Set it to true to protect the cookie from possible malicious code on client side.

 ✗ [Low] Sensitive Cookie Without 'HttpOnly' Flag 
   Path: pygoat/introduction/views.py, line 255 
   Info: Cookie's HttpOnly flag is set to False by default. Set it to true to protect the cookie from possible malicious code on client side.

 ✗ [Low] Sensitive Cookie Without 'HttpOnly' Flag 
   Path: pygoat/introduction/views.py, line 259 
   Info: Cookie's HttpOnly flag is set to False by default. Set it to true to protect the cookie from possible malicious code on client side.

 ✗ [Low] Sensitive Cookie Without 'HttpOnly' Flag 
   Path: pygoat/introduction/views.py, line 349 
   Info: Cookie's HttpOnly flag is set to False by default. Set it to true to protect the cookie from possible malicious code on client side.

 ✗ [Low] Sensitive Cookie Without 'HttpOnly' Flag 
   Path: pygoat/introduction/views.py, line 355 
   Info: Cookie's HttpOnly flag is set to False by default. Set it to true to protect the cookie from possible malicious code on client side.

 ✗ [Medium] Insecure Xml Parser 
   Path: pygoat/introduction/views.py, line 161 
   Info: xml.sax.make_parser is considered insecure. Use an analog from the defusedxml package.

 ✗ [Medium] Insecure Xml Parser 
   Path: pygoat/introduction/views.py, line 163 
   Info: xml.dom.pulldom.parseString is considered insecure. Use an analog from the defusedxml package.

 ✗ [Medium] Cross-Site Request Forgery (CSRF) 
   Path: pygoat/introduction/views.py, line 148 
   Info: CSRF protection is disabled by django.views.decorators.csrf.csrf_exempt. This allows the attackers to execute requests on a user's behalf.

 ✗ [Medium] Cross-Site Request Forgery (CSRF) 
   Path: pygoat/introduction/views.py, line 159 
   Info: CSRF protection is disabled by django.views.decorators.csrf.csrf_exempt. This allows the attackers to execute requests on a user's behalf.

 ✗ [Medium] Cross-Site Request Forgery (CSRF) 
   Path: pygoat/introduction/views.py, line 238 
   Info: CSRF protection is disabled by django.views.decorators.csrf.csrf_exempt. This allows the attackers to execute requests on a user's behalf.

 ✗ [Medium] Cross-Site Request Forgery (CSRF) 
   Path: pygoat/introduction/views.py, line 244 
   Info: CSRF protection is disabled by django.views.decorators.csrf.csrf_exempt. This allows the attackers to execute requests on a user's behalf.

 ✗ [Medium] Cross-Site Request Forgery (CSRF) 
   Path: pygoat/introduction/views.py, line 300 
   Info: CSRF protection is disabled by django.views.decorators.csrf.csrf_exempt. This allows the attackers to execute requests on a user's behalf.

 ✗ [Medium] Cross-Site Request Forgery (CSRF) 
   Path: pygoat/introduction/views.py, line 341 
   Info: CSRF protection is disabled by django.views.decorators.csrf.csrf_exempt. This allows the attackers to execute requests on a user's behalf.

 ✗ [Medium] Cross-Site Request Forgery (CSRF) 
   Path: pygoat/introduction/views.py, line 398 
   Info: CSRF protection is disabled by django.views.decorators.csrf.csrf_exempt. This allows the attackers to execute requests on a user's behalf.

 ✗ [High] Command Injection 
   Path: pygoat/introduction/views.py, line 312 
   Info: Unsanitized input from an HTTP parameter flows into subprocess.check_output, where it is used as a shell command. This may result in a Command Injection vulnerability.

 ✗ [High] Cross-site Scripting (XSS) 
   Path: pygoat/introduction/views.py, line 363 
   Info: Unsanitized input from cookies flows into django.http.HttpResponse, where it is used to render an HTML page returned to the user. This may result in a Cross-Site Scripting attack (XSS).

 ✗ [High] Deserialization of Untrusted Data 
   Path: pygoat/introduction/views.py, line 122 
   Info: Unsanitized input from cookies flows into pickle.loads, where it is used to deserialize an object. This may result in an Unsafe Deserialization vulnerability.

 ✗ [High] Deserialization of Untrusted Data 
   Path: pygoat/introduction/views.py, line 407 
   Info: Unsanitized input from an uploaded file flows into yaml.load, where it is used to deserialize an object. This may result in an Unsafe Deserialization vulnerability.

 ✗ [High] Hardcoded Secret 
   Path: pygoat/pygoat/settings.py, line 25 
   Info: Avoid hardcoding values that are meant to be secret. Found a hardcoded string used in here.

 ✗ [High] SQL Injection 
   Path: pygoat/introduction/views.py, line 86 
   Info: Unsanitized input from an HTTP parameter flows into pygoat.introduction.models.login.objects.raw, where it is used in an SQL query. This may result in an SQL Injection vulnerability.


✔ Test completed

Organization:      krunalshaikh786
Test type:         Static code analysis
Project path:      pygoat

Summary:

  31 Code issues found
6 [High]   9 [Medium]   16 [Low]
  • I am getting a syntax error because of &#10007;

  • So, the scenario is: on my Wazuh agent's machine I installed the Snyk CLI, attached it to my Snyk account, cloned my project onto that machine, ran the Snyk code test on it, and got the scan output.
            My main goal is to take all the logs of Snyk into Wazuh.
How can I fix this problem? Can you please help me?
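The thread's two problems (a decoder regex that stops after its first match, and multi-line `snyk code test` output) can be side-stepped by splitting the report into one event per finding before it reaches the agent. The script below is an added example, not code from the thread or from Wazuh: it parses the text format shown above with a global (finditer) regex and emits one JSON document per finding; the sample report is constructed, and shipping the output as a JSON-lines file that the agent reads with `log_format json` is an assumption.

```python
import json
import re

# Constructed sample of `snyk code test` output, modelled on the format
# posted in the thread (two findings instead of 31; not a real scan result).
SAMPLE = """\
 ✗ [Low] Sensitive Cookie Without 'HttpOnly' Flag
   Path: app/views.py, line 119
   Info: Cookie's HttpOnly flag is set to False by default.

 ✗ [High] SQL Injection
   Path: app/views.py, line 86
   Info: Unsanitized input flows into a raw SQL query.

✔ Test completed

  2 Code issues found
1 [High]   0 [Medium]   1 [Low]
"""

# One finding spans three lines: the "✗ [Severity] Title" header, the Path
# line and the Info line. re.MULTILINE makes ^ and $ work per line, and
# finditer() walks every block (the "global" behaviour asked about above).
ISSUE_RE = re.compile(
    r"^\s*\u2717\s+\[(?P<severity>\w+)\]\s+(?P<issue>.+?)\s*$\n"
    r"^\s*Path:\s+(?P<path>.+?),\s+line\s+(?P<line>\d+)\s*$\n"
    r"^\s*Info:\s+(?P<info>.+?)\s*$",
    re.MULTILINE,
)
SUMMARY_RE = re.compile(r"^\s*(\d+)\s+Code issues found\s*$", re.MULTILINE)

def parse_snyk_output(text):
    """Return (findings, total): one dict per finding and the reported count."""
    findings = [{**m.groupdict(), "line": int(m.group("line"))}
                for m in ISSUE_RE.finditer(text)]
    summary = SUMMARY_RE.search(text)
    return findings, int(summary.group(1)) if summary else None

def to_json_lines(text):
    """One single-line JSON document per finding. Assumption: these lines are
    appended to a file the agent reads with log_format json, so each finding
    becomes its own event and no multi-line regex is needed on the manager."""
    findings, total = parse_snyk_output(text)
    return [json.dumps({"tool": "snyk-code", "reported_total": total, **f},
                       ensure_ascii=False) for f in findings]

if __name__ == "__main__":
    print("\n".join(to_json_lines(SAMPLE)))
```

Comparing `len(findings)` with the reported total is a cheap check that the regex did not silently skip a block whose layout differs from the three-line pattern.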
