Help with alerts filter


Leginho

Oct 31, 2022, 5:03:14 AM10/31/22
to Wazuh mailing list
Hi!

Can someone help me to do a better ruleset filter for these alerts?
It's always showing me the same thing because there is just one alert filter for all the alerts that are coming, so I would be thankful if you can help me to do better filters. I would like to have only the alerts with the label "Blacklist" after the EFW:

The original filter is this:
<group name="clavister">
  <rule id="100700" level="3">
    <decoded_as>decoder_EFW</decoded_as>
    <description>Clavister alert</description>
  </rule>
</group>

And these are some alerts that are coming:

Oct 31 06:35:12  82.218.161.11  [2022-10-31 06:35:19] EFW: BLACKLIST: prio=2 id=04600004 rev=4 event=host_unblacklisted proto=all srcnet=82.218.161.11 dstnet=0.0.0.0/0 port=all
Oct 31 06:35:12  82.218.161.11  [2022-10-31 06:35:19] EFW: BLACKLIST: prio=2 id=04600004 rev=4 event=host_unblacklisted proto=all srcnet=12.132.21.43 dstnet=0.0.0.0/0 port=all
Oct 31 06:35:12  82.218.161.11  [2022-10-31 06:35:15] EFW: BLACKLIST: prio=2 id=04600004 rev=4 event=host_unblacklisted proto=all srcnet= 12.132.21.43 dstnet=0.0.0.0/0 port=all

Julia Magán Rodríguez

Oct 31, 2022, 5:52:10 AM10/31/22
to Wazuh mailing list

Hello,

To achieve this, there are two options:

  1. Extract the label with a decoder and check it on a rule:

For this option, the first thing we are going to do is to create a child decoder like the following:

<decoder name="decoder_EFW_child">
  <parent>decoder_EFW</parent>
  <regex>EFW: (\S+):</regex>
  <order>label</order>
</decoder>

You can learn more about regex and order here.

We can test that it works correctly using wazuh-logtest:

[root@localhost vagrant]# /var/ossec/bin/wazuh-logtest
Starting wazuh-logtest v4.3.9
Type one log per line

Oct 31 06:35:12  82.218.161.11  [2022-10-31 06:35:19] EFW: BLACKLIST: prio=2 id=04600004 rev=4 event=host_unblacklisted proto=all srcnet=82.218.161.11 dstnet=0.0.0.0/0 port=all

**Phase 1: Completed pre-decoding.
    full event: 'Oct 31 06:35:12  82.218.161.11  [2022-10-31 06:35:19] EFW: BLACKLIST: prio=2 id=04600004 rev=4 event=host_unblacklisted proto=all srcnet=82.218.161.11 dstnet=0.0.0.0/0 port=all'
    timestamp: 'Oct 31 06:35:12'

**Phase 2: Completed decoding.
    name: 'decoder_EFW'
    label: 'BLACKLIST'

**Phase 3: Completed filtering (rules).
    id: '100700'
    level: '3'
    description: 'Clavister alert'
    groups: '['clavister']'
    firedtimes: '1'
    mail: 'False'
**Alert to be generated.

The next step will be to create a rule that checks that the value of label is BLACKLIST:

  <rule id="100701" level="3">
    <if_sid>100700</if_sid>
    <field name="label">BLACKLIST</field>
    <description>BLACKLIST rules</description>
  </rule>

If we retest the event with wazuh-logtest we see that we get the new rule:

[root@localhost vagrant]# /var/ossec/bin/wazuh-logtest
Starting wazuh-logtest v4.3.9
Type one log per line

Oct 31 06:35:12  82.218.161.11  [2022-10-31 06:35:19] EFW: BLACKLIST: prio=2 id=04600004 rev=4 event=host_unblacklisted proto=all srcnet=82.218.161.11 dstnet=0.0.0.0/0 port=all

**Phase 1: Completed pre-decoding.
    full event: 'Oct 31 06:35:12  82.218.161.11  [2022-10-31 06:35:19] EFW: BLACKLIST: prio=2 id=04600004 rev=4 event=host_unblacklisted proto=all srcnet=82.218.161.11 dstnet=0.0.0.0/0 port=all'
    timestamp: 'Oct 31 06:35:12'

**Phase 2: Completed decoding.
    name: 'decoder_EFW'
    label: 'BLACKLIST'

**Phase 3: Completed filtering (rules).
    id: '100701'
    level: '3'
    description: 'BLACKLIST rules'
    groups: '['clavister']'
    firedtimes: '1'
    mail: 'False'
**Alert to be generated.

The advantage of this option is that it allows us to create different rules for different extracted labels.

  2. Search for BLACKLIST directly in the rule:

For this option we simply need to create a rule like the following, that looks for BLACKLIST to appear in the log:

  <rule id="100701" level="3">
    <if_sid>100700</if_sid>
    <match>BLACKLIST</match>
    <description>BLACKLIST rules</description>
  </rule>

If we check with wazuh-logtest, we see that this option also works:

[root@localhost vagrant]# /var/ossec/bin/wazuh-logtest
Starting wazuh-logtest v4.3.9
Type one log per line

Oct 31 06:35:12  82.218.161.11  [2022-10-31 06:35:19] EFW: BLACKLIST: prio=2 id=04600004 rev=4 event=host_unblacklisted proto=all srcnet=82.218.161.11 dstnet=0.0.0.0/0 port=all

**Phase 1: Completed pre-decoding.
    full event: 'Oct 31 06:35:12  82.218.161.11  [2022-10-31 06:35:19] EFW: BLACKLIST: prio=2 id=04600004 rev=4 event=host_unblacklisted proto=all srcnet=82.218.161.11 dstnet=0.0.0.0/0 port=all'
    timestamp: 'Oct 31 06:35:12'

**Phase 2: Completed decoding.
    name: 'decoder_EFW'

**Phase 3: Completed filtering (rules).
    id: '100701'
    level: '3'
    description: 'BLACKLIST rules'
    groups: '['clavister']'
    firedtimes: '1'
    mail: 'False'
**Alert to be generated.
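An added example, not code from the thread or from Wazuh itself: a small Python emulation of the two options above, run over one log line from the thread plus two constructed EFW events (the CONN and RULE labels and their field values are hypothetical), to show where the decoded-field check and the substring match give different results.

```python
import re

# Decoder regex posted in the thread: <regex>EFW: (\S+):</regex> with <order>label</order>.
# Python's \S+ matches the same run of non-whitespace as the Wazuh regex does here.
LABEL_RE = re.compile(r"EFW: (\S+):")


def decode(log):
    """Emulate decoder_EFW_child: return the fields it would add (only 'label')."""
    m = LABEL_RE.search(log)
    return {"label": m.group(1)} if m else {}


def rule_option1(log):
    """Option 1: rule 100701 fires only when the decoded field label is exactly
    BLACKLIST; otherwise the parent rule 100700 (Clavister alert) is the one that fires."""
    return "100701" if decode(log).get("label") == "BLACKLIST" else "100700"


def rule_option2(log):
    """Option 2: rule 100701 fires when the string BLACKLIST appears anywhere in the log."""
    return "100701" if "BLACKLIST" in log else "100700"


# Sample events: the first line is taken from the thread; the other two are constructed
# for this example (hypothetical EFW labels and ids, not from a real Clavister device).
LOGS = [
    "Oct 31 06:35:12  82.218.161.11  [2022-10-31 06:35:19] EFW: BLACKLIST: prio=2 id=04600004 rev=4 event=host_unblacklisted proto=all srcnet=82.218.161.11 dstnet=0.0.0.0/0 port=all",
    "Oct 31 06:36:02  82.218.161.11  [2022-10-31 06:36:09] EFW: CONN: prio=6 id=00000001 event=conn_open proto=tcp srcnet=10.0.0.5 dstnet=10.0.0.9 port=443",
    "Oct 31 06:36:05  82.218.161.11  [2022-10-31 06:36:12] EFW: RULE: prio=4 id=00000002 event=ruleset_fwd_blocked rule=BLACKLIST_DROP proto=tcp srcnet=10.0.0.7 dstnet=10.0.0.9 port=22",
]


def compare(logs=LOGS):
    """Return (label, rule fired under option 1, rule fired under option 2) per log."""
    return [(decode(l).get("label"), rule_option1(l), rule_option2(l)) for l in logs]


if __name__ == "__main__":
    for label, r1, r2 in compare():
        print(f"label={label:<10} option1 -> {r1}  option2 -> {r2}")
```

The third line shows the difference: its label is RULE, so option 1 leaves it on rule 100700, while option 2 promotes it to 100701 because the word BLACKLIST occurs later in the message.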

Leginho

Oct 31, 2022, 8:43:23 AM10/31/22
to Wazuh mailing list
Okay, thank you so much!