Trying to create a custom ruleset for fail2ban, but alerts won't get triggered.


werner gold

Apr 22, 2024, 6:57:13 AM
to Wazuh | Mailing List
I asked the same question on Reddit, but the formatting of my post there went ugly; Reddit seems to have formatting issues with Chrome. But I would really appreciate some help with that problem.
I want to create a custom Wazuh alert for fail2ban. I am stuck, and the AIs are unable to give me any more helpful suggestions.
On my agents I collect the fail2ban logs.
I created a decoder:
[root@mo2 alerts]# cat ../../ruleset/decoders/0800-wgold-fail2ban_decoders.xml
<!--
  - Fail2Ban Decoder
  - Author: Werner Gold 240419
  - Example log line:
  - 2024 Apr 19 16:28:41 (wfe08.app.schimmel) any->/var/log/fail2ban.log 2024-04-19 16:28:40,763 fail2ban.actions        [331438]: NOTICE  [apache-dos-attack] Ban 199.89.55.190
-->
<decoder name="fail2ban-wgold">
<prematch>fail2ban.actions</prematch>
</decoder>
<decoder name="fail2ban-action-wgold">
<parent>fail2ban-wgold</parent>
<regex type="pcre2">actions +\[\S+\]: (\w+) +\[(\S+)\] (\w+) (\S+)</regex>
<order>severity,cause,actiontaken,srcip</order>
</decoder>
and I created a rule:
[root@mo2 alerts]# cat ../../ruleset/rules/1100-wgold-fail2ban_rules.xml
<!--
  - Fail2ban Rules
  - Author: wgold 240419
-->
<group name="fail2ban-wgold">
<rule id="100010" level="3">
<decoded_as>fail2ban-wgold</decoded_as>
<description>Fail2ban Logs</description>
</rule>
<rule id="100011" level="10">
<if_sid>100010</if_sid>
<field name="actiontaken">Unban</field>
<description>Fail2ban Unban action taken</description>
</rule>
<rule id="100012" level="12">
<if_sid>100010</if_sid>
<field name="actiontaken">Ban</field>
<description>Fail2ban Ban action taken</description>
</rule>
</group>
My ossec.conf has these global configurations:
 <global>
    <jsonout_output>yes</jsonout_output>
    <alerts_log>yes</alerts_log>
    <logall>yes</logall>
    <logall_json>no</logall_json>
    <email_notification>yes</email_notification>
    <smtp_server>localhost</smtp_server>
    [mailaddresses deleted]
    <email_maxperhour>12</email_maxperhour>
    <email_log_source>alerts.log</email_log_source>
    <agents_disconnection_time>10m</agents_disconnection_time>
    <agents_disconnection_alert_time>0</agents_disconnection_alert_time>
  </global>
  <alerts>
    <log_alert_level>3</log_alert_level>
    <email_alert_level>12</email_alert_level>
  </alerts>
I manually banned 10.10.10.10 on one of the servers, and it is shown in the archive.log:
2024 Apr 20 12:12:11 (wfe11.app.schimmel) any->/var/log/fail2ban.log 2024-04-20 12:12:11,149 fail2ban.actions        [26307]: NOTICE  [ip-blacklist] Ban 10.10.10.10
Processing the entry on wazuh logtest leads to:
[root@mo2 alerts]# wazuh-logtest
Starting wazuh-logtest v4.7.3
Type one log per line

2024 Apr 20 12:12:11 (wfe11.app.schimmel) any->/var/log/fail2ban.log 2024-04-20 12:12:11,149 fail2ban.actions        [26307]: NOTICE  [ip-blacklist] Ban 10.10.10.10

**Phase 1: Completed pre-decoding.
full event: '2024 Apr 20 12:12:11 (wfe11.app.schimmel) any->/var/log/fail2ban.log 2024-04-20 12:12:11,149 fail2ban.actions        [26307]: NOTICE  [ip-blacklist] Ban 10.10.10.10'
timestamp: '2024 Apr 20 12:12:11'

**Phase 2: Completed decoding.
name: 'fail2ban-wgold'
actiontaken: 'Ban'
cause: 'ip-blacklist'
severity: 'NOTICE'
srcip: '10.10.10.10'

**Phase 3: Completed filtering (rules).
id: '100012'
level: '12'
description: 'Fail2ban Ban action taken'
groups: '['fail2ban-wgold']'
firedtimes: '1'
mail: 'True'
**Alert to be generated
So the alert should be processed according to wazuh-logtest, and the event shows up in the archive. But
[root@mo2 alerts]# grep 100012 alerts.*
gives an empty result.
What did I miss?
Best Regards
Werner

Juan Nicolás Asselle (Nico Asselle)

Apr 22, 2024, 7:35:43 AM
to Wazuh | Mailing List
Hi Werner,

The problem is that you are evaluating/developing custom decoders using a Wazuh archive entry as if it were the fail2ban log, but this is not accurate, since Wazuh adds some extra information to the log itself when it is dumped into archives.log.
Example:
- Fail2ban generates: 2024-04-20 12:12:11,149 fail2ban.actions        [26307]: NOTICE  [ip-blacklist] Ban 10.10.10.10
- Wazuh output for the log: 2024 Apr 20 12:12:11 (wfe11.app.schimmel) any->/var/log/fail2ban.log 2024-04-20 12:12:11,149 fail2ban.actions        [26307]: NOTICE  [ip-blacklist] Ban 10.10.10.10

As you can see, Wazuh added the following header: 2024 Apr 20 12:12:11 (wfe11.app.schimmel) any->/var/log/fail2ban.log

To solve this, you just need to develop and test your custom decoders/rules using the raw fail2ban log.

Hope this helps

Werner Gold

May 3, 2024, 2:32:18 AM
to wa...@googlegroups.com
Thanks Juan,

I found out that Wazuh has a problem with fail2ban's file format, which
is not 100% syslog.

I described the solution/workaround on reddit:

https://www.reddit.com/r/Wazuh/comments/1c8nfbz/comment/l0ql9al/?context=3

On the agent, I set:

<localfile>
<log_format>syslog</log_format>
<location>/var/log/fail2ban.log</location>
<out_format>$(timestamp) fail2ban: $(log)</out_format>
</localfile>

This still allows me to write into a file. I now have redundant
timestamps in the entry, but so what...

With this decoder, I can then check for the Ban and Unban action. The
line is now close enough to a syslog entry, so I can filter with
"program_name".

<decoder name="fail2ban-wgold">
<program_name>fail2ban</program_name>
</decoder>
<decoder name="fail2ban-action-wgold">
<parent>fail2ban-wgold</parent>
<prematch>fail2ban.actions\s+\S+\s+</prematch>
<regex type="pcre2" option="after_prematch">(\S+) +\[(\S+)\] (\w+) (\S+)</regex>
<order>fbseverity,cause,actiontaken,srcip</order>
</decoder>

Best
Werner


On 22.04.24 at 13:35, 'Juan Nicolás Asselle (Nico Asselle)' via
Wazuh | Mailing List wrote:
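As an added illustration (not code from this thread, from Wazuh, or from fail2ban), the following Python models the two points the replies above make: the header the manager prepends to every archives.log entry, which must be stripped before a decoder is tested against the raw line, and the syslog-style pre-decoding that the out_format workaround makes possible. The archive line is constructed in the thread's format, the pre-decoder is a deliberately simplified model rather than Wazuh's real one, and the assumption that $(timestamp) emits "YYYY-MM-DD HH:MM:SS" is mine, not something the thread states.

```python
import re

# Constructed sample in the thread's archives.log format (not a real captured line).
ARCHIVE_LINE = ("2024 Apr 20 12:12:11 (wfe11.app.schimmel) any->/var/log/fail2ban.log "
                "2024-04-20 12:12:11,149 fail2ban.actions        [26307]: NOTICE  [ip-blacklist] Ban 10.10.10.10")

# Header the manager prepends when writing an event to archives.log:
# "<manager timestamp> (<agent name>) <agent ip>-><location> <raw log>"
ARCHIVE_HEADER = re.compile(r"^(\d{4} \w{3} \d{2} \d{2}:\d{2}:\d{2}) \(([^)]+)\) (\S+)->(\S+) (.*)$")

# Field extraction from the thread's decoder (pcre2-compatible, so Python's re accepts it).
FAIL2BAN_ACTION = re.compile(r"fail2ban\.actions +\[\S+\]: (\w+) +\[(\S+)\] (\w+) (\S+)")

# Simplified model of syslog pre-decoding ("<timestamp> [host] <program>[pid]: <msg>"), not Wazuh's
# real one. Accepts "Mon DD HH:MM:SS" and the "YYYY-MM-DD HH:MM:SS" that $(timestamp) is assumed
# to emit; fail2ban's own "HH:MM:SS,mmm" timestamp does not fit, so no program_name is found.
SYSLOG_HEAD = re.compile(
    r"^(?:\w{3} +\d{1,2}|\d{4}-\d{2}-\d{2}) \d{2}:\d{2}:\d{2} (?:\S+ )?([\w.-]+?)(?:\[\d+\])?: (.*)$")

def strip_archive_header(line):
    """Split an archives.log line into (header dict, raw log); header is None if absent."""
    m = ARCHIVE_HEADER.match(line)
    if not m:
        return None, line
    ts, agent, ip, location, raw = m.groups()
    return {"timestamp": ts, "agent": agent, "ip": ip, "location": location}, raw

def decode_fail2ban(raw):
    """Return the decoder's fields for a fail2ban.actions line, or None if it does not match."""
    m = FAIL2BAN_ACTION.search(raw)
    return dict(zip(("severity", "cause", "actiontaken", "srcip"), m.groups())) if m else None

def rule_level(fields):
    """Mirror the thread's rules: Ban -> 100012/12, Unban -> 100011/10, anything else -> 100010/3."""
    if fields is None:
        return None
    return {"Ban": (100012, 12), "Unban": (100011, 10)}.get(fields["actiontaken"], (100010, 3))

def apply_out_format(raw, timestamp):
    """Emulate the agent-side out_format '$(timestamp) fail2ban: $(log)'."""
    return f"{timestamp} fail2ban: {raw}"

def program_name(line):
    """program_name as the simplified pre-decoder would extract it, or None."""
    m = SYSLOG_HEAD.match(line)
    return m.group(1) if m else None

if __name__ == "__main__":
    header, raw = strip_archive_header(ARCHIVE_LINE)
    print(decode_fail2ban(raw), rule_level(decode_fail2ban(raw)), program_name(raw),
          program_name(apply_out_format(raw, "2024-04-20 12:12:11")))
```

Running it shows that the ban line decodes identically with or without the archive header, but only the out_format-wrapped line yields a program_name for a <program_name> decoder to match on.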