paloalto authentication failed

952 views

Nauris Metlans

Jun 23, 2022, 8:48:18 AM
to Wazuh mailing list
Hello,

I want to make a rule which will match if the following is found in the log text:
SAML SSO authentication failed for user

The rules look like this:
<rule id="64500" level="3">
  <decoded_as>paloalto_system</decoded_as>
  <description>SYSTEM Palo Alto logs type</description>
</rule>
<rule id="64515" level="3">
  <if_sid>64500</if_sid>
  <match>SAML SSO authentication failed</match>
  <description>Palo Alto System: User $(srcusr) failed to login from $(srcip).</description>
  <group>access_control,authentication_failed</group>
</rule>

But every time I test it with logtest, it is caught by the syslog rule:

**Phase 3: Completed filtering (rules).
        id: '2501'
        level: '5'
        description: 'syslog: User authentication failure.'
        groups: '['syslog', 'access_control', 'authentication_failed']'
        firedtimes: '1'
        gdpr: '['IV_35.7.d', 'IV_32.2']'
        gpg13: '['7.8']'
        hipaa: '['164.312.b']'
        mail: 'False'
        nist_800_53: '['AU.14', 'AC.7']'
        pci_dss: '['10.2.4', '10.2.5']'
        tsc: '['CC6.1', 'CC6.8', 'CC7.2', 'CC7.3']'

The decoder decodes the log as paloalto_system:
**Phase 2: Completed decoding.
        name: 'paloalto_system'
        parent: 'paloalto_system'
        actionflags: '0x0'
        content_type: 'auth'

How can I override this syslog rule?


Nauris Metlans

Jun 23, 2022, 8:53:09 AM
to Wazuh mailing list
Here is the decoder:
<decoder name="paloalto_system_fail_sso">
  <parent>paloalto_system</parent>
  <prematch>\.*SAML SSO authentication failed for\.*</prematch>
  <regex>(\d*/\d*/\d* \d*:\d*:\d*),(\d*),(\w*),(\w*),\.*,(\.*),(\.*),(\S*),(\.*),\.*,\.*,(\w*),\w*,"SAML SSO authentication failed for user '(\S+)'.  \.*,\.*,\.*,\.*, From: (\d+.\d+.\d+.\d+).",(\d*),(\S*),(\d*,\d*,\d*,\d*),(\.*),(\S*)</regex>
  <order>receive_time,serial_number,type,content_type,time_generated,virtual_system,eventid,object,module,srcusr,srcip,sequence_number,actionflags,dg_hier_level_1_to_dg_hier_level_4,virtual_system_name,device_name</order>
</decoder>

And also the full log entry:

Jun 22 14:17:39 firewall_01 1,2022/06/22 14:17:39,007254000215990,SYSTEM,auth,2561,2022/06/22 14:17:39,,auth-fail,SSO-Provider Prod,0,0,general,informational,"SAML SSO authentication failed for user 'test...@testemail.com'.   auth profile 'SSO-Provider', vsys 'vsys1', server profile 'SSO-provider', IdP entityID 'http://www.sso-prov.com/exk6n31jk12kl1k1l', From: 192.168.0.1.",7083838222996490650,0x0,0,0,0,0,,firewall_01,0,0,2022-06-22T14:17:39.887+00:0

Luis Daniel Avendaño Larios

Jun 23, 2022, 11:55:43 AM
to Wazuh mailing list
Hello!

Thanks for using Wazuh!

Could you provide us with log samples about this event for which you want to create the rule?

I remain attentive to your response.
Regards,

Luis Avendaño.

Nauris Metlans

Jun 23, 2022, 12:44:42 PM
to Wazuh mailing list
Yes, here is the sample:

Jun 22 14:17:39 firewall_01 1,2022/06/22 14:17:39,007254000215990,SYSTEM,auth,2561,2022/06/22 14:17:39,,auth-fail,SSO-Provider Prod,0,0,general,informational,"SAML SSO authentication failed for user 'test...@testemail.com'.   auth profile 'SSO-Provider', vsys 'vsys1', server profile 'SSO-provider', IdP entityID 'http://www.sso-prov.com/exk6n31jk12kl1k1l', From: 192.168.0.1.",7083838222996490650,0x0,0,0,0,0,,firewall_01,0,0,2022-06-22T14:17:39.887+00:0


Nauris Metlans

Jun 24, 2022, 8:36:47 AM
to Wazuh mailing list
Also, if I make rules like this:

<rule id="64500" level="3">
  <decoded_as>paloalto_system</decoded_as>
  <description>SYSTEM Palo Alto logs type</description>
</rule>
<rule id="64512" level="3">
  <if_sid>64500</if_sid>
  <field name="eventid">auth-fail</field>
  <description>Palo Alto System: User $(srcusr) failed to login from $(srcip).</description>
  <group>access_control,authentication_failed</group>
</rule>

And decoders:
<decoder name="paloalto_system_fail_auth">
  <parent>paloalto_system</parent>
  <prematch>\.*failed authentication for user\.*</prematch>
  <regex>(\d*/\d*/\d* \d*:\d*:\d*),(\d*),(\w*),(\w*),\.*,(\.*),(\.*),(\S*),(\.*),\.*,\.*,(\w*),\w*,"failed authentication for user '(\S+)'.\.*. From: (\d+.\d+.\d+.\d+).",(\d*),(\S*),(\d*,\d*,\d*,\d*),(\.*),(\S*)</regex>
  <order>receive_time,serial_number,type,content_type,time_generated,virtual_system,eventid,object,module,srcusr,srcip,sequence_number,actionflags,dg_hier_level_1_to_dg_hier_level_4,virtual_system_name,device_name</order>
</decoder>

<decoder name="paloalto_system_fail_sso">
  <parent>paloalto_system</parent>
  <prematch>\.*SAML SSO authentication failed for\.*</prematch>
  <regex>(\d*/\d*/\d* \d*:\d*:\d*),(\d*),(\w*),(\w*),\.*,(\.*),(\.*),(\S*),(\.*),\.*,\.*,(\w*),\w*,"SAML SSO authentication failed for user '(\S+)'.  \.*,\.*,\.*,\.*, From: (\d+.\d+.\d+.\d+).",(\d*),(\S*),(\d*,\d*,\d*,\d*),(\.*),(\S*)</regex>
  <order>receive_time,serial_number,type,content_type,time_generated,virtual_system,eventid,object,module,srcusr,srcip,sequence_number,actionflags,dg_hier_level_1_to_dg_hier_level_4,virtual_system_name,device_name</order>
</decoder>

Both of these log examples are decoded and have the field eventid: auth-fail, but the rule only works for the first log entry, not for the second:

Jun 22 09:42:34 firewall_01 1,2022/06/22 09:42:33,007254000215990,SYSTEM,auth,2561,2022/06/22 09:42:33,,auth-fail,,0,0,general,medium,"failed authentication for user 'fake.user.login.admin'.  Reason: Authentication profile not found for the user. From: 10.10.10.2.",7083838222996489638,0x0,0,0,0,0,,firewall_01,0,0,2022-06-22T09:42:34.062+00:00


Jun 22 14:17:39 firewall_01 1,2022/06/22 14:17:39,007254000215990,SYSTEM,auth,2561,2022/06/22 14:17:39,,auth-fail,SSO-Provider Prod,0,0,general,informational,"SAML SSO authentication failed for user 'test...@testemail.com'.   auth profile 'SSO-Provider', vsys 'vsys1', server profile 'SSO-provider', IdP entityID 'http://www.sso-prov.com/exk6n31jk12kl1k1l', From: 192.168.0.1.",7083838222996490650,0x0,0,0,0,0,,firewall_01,0,0,2022-06-22T14:17:39.887+00:0

For the first, the logtest result is:
**Phase 3: Completed filtering (rules).
        id: '64512'
        level: '3'
        description: 'Palo Alto System: User fake.user.login failed to login from 10.10.10.2.'
        groups: '['paloalto', 'access_control', 'authentication_failed']'
        firedtimes: '1'
        mail: 'False'

For the second, the logtest result is:
**Phase 3: Completed filtering (rules).
        id: '2501'
        level: '5'
        description: 'syslog: User authentication failure.'
        groups: '['syslog', 'access_control', 'authentication_failed']'
        firedtimes: '2'
        gdpr: '['IV_35.7.d', 'IV_32.2']'
        gpg13: '['7.8']'
        hipaa: '['164.312.b']'
        mail: 'False'
        nist_800_53: '['AU.14', 'AC.7']'
        pci_dss: '['10.2.4', '10.2.5']'
        tsc: '['CC6.1', 'CC6.8', 'CC7.2', 'CC7.3']'

I can't understand where the problem is; I tried other rules with <match> and <regex>, and nothing works.

Luis Daniel Avendaño Larios

Jun 27, 2022, 8:46:30 AM
to Wazuh mailing list
Hello,

These two events should be decoded by default and trigger rules 64501 and 64504. Could you tell me which version of Wazuh you currently have in your environment?

At the moment, are you modifying these default Wazuh rules and adding this new rule 64512? Are you also modifying the default Wazuh decoders?

I remain attentive to your response.
Regards, 
Luis Avendaño.

Nauris Metlans

Jun 27, 2022, 9:11:25 AM
to Wazuh mailing list
Hello,

The Wazuh version is 4.3.1.
Yes, I am modifying the default Wazuh rules, because I need to decode the username and the source IP address from which the user is logging in.
As I said in previous posts, the newly added decoders are working; for example, the log entry:

Jun 22 14:17:39 firewall_01 1,2022/06/22 14:17:39,007254000215990,SYSTEM,auth,2561,2022/06/22 14:17:39,,auth-fail,SSO-Provider Prod,0,0,general,informational,"SAML SSO authentication failed for user 'test...@testemail.com'.   auth profile 'SSO-Provider', vsys 'vsys1', server profile 'SSO-provider', IdP entityID 'http://www.sso-prov.com/exk6n31jk12kl1k1l', From: 192.168.0.1.",7083838222996490650,0x0,0,0,0,0,,firewall_01,0,0,2022-06-22T14:17:39.887+00:0

is decoded as:
**Phase 1: Completed pre-decoding.
        full event: 'Jun 22 14:17:39 firewall_01 1,2022/06/22 14:17:39,007254000215990,SYSTEM,auth,2561,2022/06/22 14:17:39,,auth-fail,SSO-Provider Prod,0,0,general,informational,"SAML SSO authentication failed for user 'test...@testemail.com'.   auth profile 'SSO-Provider', vsys 'vsys1', server profile 'SSO-provider', IdP entityID 'http://www.sso-prov.com/exk6n31jk12kl1k1l', From: 192.168.0.1.",7083838222996490650,0x0,0,0,0,0,,firewall_01,0,0,2022-06-22T14:17:39.887+00:0'
        timestamp: 'Jun 22 14:17:39'
        hostname: 'firewall_01'


**Phase 2: Completed decoding.
        name: 'paloalto_system'
        parent: 'paloalto_system'
        actionflags: '0x0'
        content_type: 'auth'
        device_name: 'firewall_01,0,0,2022-06-22T14:17:39.887+00:0'
        dg_hier_level_1_to_dg_hier_level_4: '0,0,0,0'
        eventid: 'auth-fail'
        module: 'general'
        object: 'SSO-Provider Prod'
        receive_time: '2022/06/22 14:17:39'
        sequence_number: '7083838222996490650'
        serial_number: '007254000215990'
        srcip: '192.168.0.1'
        srcusr: 'test...@testemail.com'
        time_generated: '2022/06/22 14:17:39'
        type: 'SYSTEM'


**Phase 3: Completed filtering (rules).
        id: '2501'
        level: '5'
        description: 'syslog: User authentication failure.'
        groups: '['syslog', 'access_control', 'authentication_failed']'
        firedtimes: '1'
        gdpr: '['IV_35.7.d', 'IV_32.2']'
        gpg13: '['7.8']'
        hipaa: '['164.312.b']'
        mail: 'False'
        nist_800_53: '['AU.14', 'AC.7']'
        pci_dss: '['10.2.4', '10.2.5']'
        tsc: '['CC6.1', 'CC6.8', 'CC7.2', 'CC7.3']'

But it is not triggering this rule:

<rule id="64512" level="3">
  <if_sid>64500</if_sid>
  <field name="eventid">auth-fail</field>
  <description>Palo Alto System: User $(srcusr) failed to login from $(srcip).</description>
  <group>access_control,authentication_failed</group>
</rule>


Nauris Metlans

Jun 29, 2022, 2:54:32 AM
to Wazuh mailing list
Hello,

Any luck with this?

Regards,
Nauris

Luis Daniel Avendaño Larios

Jun 29, 2022, 12:17:13 PM
to Wazuh mailing list
Hello,

First of all, when editing the default decoders you can lose the changes you applied in an update, so it is recommended to override the default decoder with a custom decoder.

To override a default decoder you shouldn't update the original file, since any changes in the /var/ossec/ruleset/decoders folder will be lost in the update process. The override procedure is:

1. Copy the decoder file from the default folder to the user folder /var/ossec/etc/decoders in order to keep the changes.

2. Exclude the original decoder file from the OSSEC loading list. To do this, use the tag <decoder_exclude> in the ossec.conf file. Thus, the specified decoder will not be loaded from the default decoder folder, and the decoder file saved in the user folder will be loaded instead.

3. Perform the changes in the file you copied in /var/ossec/etc/decoders.

Bear in mind that, if updates to the public Wazuh Ruleset include changes to the decoder you override, they will not apply to you since you are no longer loading that decoder file from the standard location that gets updates. Here's the documentation section about overriding a decoder:

https://documentation.wazuh.com/current/user-manual/ruleset/custom.html#changing-an-existing-decoder

Now, in order to extract the user field from this decoder, it is as simple as adding this child decoder to the end of the file:

<decoder name="paloalto_system_fields">
  <parent>paloalto_system</parent>
  <regex>for user '(\S+)'</regex>
  <order>pa_user</order>
</decoder>

Now we will have to add a custom rule to create the rule you want, since, just like with the default decoders, you can lose your changes in an update if you edit the default rules. For custom rules we will use rule ids greater than 10000.

1. We will create a new custom rules file as "paloalto_custom_rules.xml" in the path /var/ossec/etc/rules.

2. We will add the following content to this file:
<group name="paloalto_auth,">
  <rule id="164515" level="3">
    <if_sid>64501</if_sid>
    <match>SAML SSO authentication failed</match>
    <description>Palo Alto System: User $(pa_user) failed to login from $(srcip).</description>
    <group>access_control,authentication_failed</group>
  </rule>
</group>

Once these steps have been carried out, we will obtain the output shown in the attached image.

I hope this response was helpful! If you have any follow-up questions, please do not hesitate to ask.

Regards,

Luis Avendaño.
Attachment: pa.png
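The two decoders posted earlier in the thread and the single child decoder in the reply above both solve the same problem: pulling the user and the "From:" address out of the quoted description column of a PAN-OS SYSTEM line. The following is an added example (not code from the thread, and not part of Wazuh) that does the same extraction in plain Python so the logic can be checked offline against the two lines quoted in the thread. It splits the line with a CSV reader, so the commas inside the double-quoted description do not shift the columns, and it applies the same condition rule 64512 expresses with `<field name="eventid">auth-fail</field>`. The column names follow the `<order>` used by the decoders in the thread; `severity` (for the "informational"/"medium" column) and the `future_use_*` placeholders are assumed names for the columns those decoders skipped.

```python
import csv
import re
from io import StringIO

# Column names for a PAN-OS SYSTEM log, following the <order> used by the
# decoders in this thread. "severity" and the "future_use_*" names are
# assumed labels for the columns those decoders skip over.
FIELDS = [
    "future_use_1", "receive_time", "serial_number", "type", "content_type",
    "future_use_2", "time_generated", "virtual_system", "eventid", "object",
    "future_use_3", "future_use_4", "module", "severity", "description",
    "sequence_number", "actionflags", "dg_hier_level_1", "dg_hier_level_2",
    "dg_hier_level_3", "dg_hier_level_4", "virtual_system_name", "device_name",
]

# Syslog header ("Jun 22 14:17:39 firewall_01 ") followed by the CSV body.
HEADER_RE = re.compile(
    r"^(?P<timestamp>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<hostname>\S+) (?P<body>.+)$"
)
# Both failure messages in the thread name the user as "for user '<name>'"
# and end with "From: <ip>.", so one pair of patterns covers both variants.
USER_RE = re.compile(r"for user '(?P<srcusr>[^']+)'")
SRCIP_RE = re.compile(r"From: (?P<srcip>\d{1,3}(?:\.\d{1,3}){3})")


def parse_panos_system(line):
    """Decode one syslog line into a dict of fields; None if it is not a PAN-OS SYSTEM line."""
    m = HEADER_RE.match(line)
    if not m:
        return None
    # The description column is double-quoted and contains commas, so split
    # with a CSV reader rather than a position-sensitive regex.
    row = next(csv.reader(StringIO(m.group("body"))))
    if len(row) < len(FIELDS) or row[3] != "SYSTEM":
        return None
    event = dict(zip(FIELDS, row))
    event["timestamp"] = m.group("timestamp")
    event["hostname"] = m.group("hostname")
    desc = event["description"]
    um, im = USER_RE.search(desc), SRCIP_RE.search(desc)
    if um:
        event["srcusr"] = um.group("srcusr")
    if im:
        event["srcip"] = im.group("srcip")
    return event


def is_auth_failure(event):
    """The condition rule 64512 expresses with <field name="eventid">auth-fail</field>."""
    return (
        event is not None
        and event["type"] == "SYSTEM"
        and event["content_type"] == "auth"
        and event["eventid"] == "auth-fail"
    )


def describe(event):
    """Render the rule description the way $(srcusr) and $(srcip) would expand."""
    return "Palo Alto System: User {} failed to login from {}.".format(
        event.get("srcusr", "?"), event.get("srcip", "?")
    )


# The two lines posted in the thread, reproduced verbatim (including the
# truncated trailing timestamp of the second one).
SAMPLES = [
    "Jun 22 09:42:34 firewall_01 1,2022/06/22 09:42:33,007254000215990,SYSTEM,auth,2561,2022/06/22 09:42:33,,auth-fail,,0,0,general,medium,\"failed authentication for user 'fake.user.login.admin'.  Reason: Authentication profile not found for the user. From: 10.10.10.2.\",7083838222996489638,0x0,0,0,0,0,,firewall_01,0,0,2022-06-22T09:42:34.062+00:00",
    "Jun 22 14:17:39 firewall_01 1,2022/06/22 14:17:39,007254000215990,SYSTEM,auth,2561,2022/06/22 14:17:39,,auth-fail,SSO-Provider Prod,0,0,general,informational,\"SAML SSO authentication failed for user 'test...@testemail.com'.   auth profile 'SSO-Provider', vsys 'vsys1', server profile 'SSO-provider', IdP entityID 'http://www.sso-prov.com/exk6n31jk12kl1k1l', From: 192.168.0.1.\",7083838222996490650,0x0,0,0,0,0,,firewall_01,0,0,2022-06-22T14:17:39.887+00:0",
]

if __name__ == "__main__":
    for line in SAMPLES:
        ev = parse_panos_system(line)
        print(is_auth_failure(ev), ev["eventid"], ev["object"] or "-", describe(ev))
```

Both sample lines satisfy the `auth-fail` condition and yield a user and a source address, which is the behaviour the custom rule in the thread is after. Note that `device_name` comes out as `firewall_01` here, whereas the `(\S*)` at the end of the posted decoder regex swallows the rest of the line (as the logtest output in the thread shows); in the classic decoder syntax the equivalent is to stop at the next comma, as the other `(\.*),` groups in that regex do.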