Change level to rule id only for agent id


Daniel Hinojo

Nov 3, 2023, 5:52:43 PM11/3/23
to Wazuh | Mailing List
Good evening dear,

I currently have version 4.5 of Wazuh and I would like to know if the configurations as an exception to a rule described in the following POST are maintained :  Change level to rule id only for agent id (google.com) 

  I currently have a false positive of an alert number 10 on a particular hostname and I would like to exclude it so that it does not reach me that alert or change the level.


Thanks




Julio Gasco

Nov 5, 2023, 10:09:06 AM11/5/23
to Wazuh | Mailing List
Hi Daniel,
You can use the location tag to filter by agent if that information has the agent name in it.
If you can send me a log sample I can run some tests to help you with the solution. 

 <location>Agent_name1</location>

But for some logs the agent name is not in the location data field, so you would need to filter by another value that identifies the agent (it can be the hostname, for example).

Please share with me the logs and I will take a look to see how they are decoded.

Also below is our rule syntax with the fields you can filter by to get the desired result:
The data fields that do not have a tag for them, can be filtered using the <field name="field_name"> tag.

I will be waiting for your input on this.
Regards!

Daniel Hinojo

Nov 6, 2023, 6:10:19 PM11/6/23
to Wazuh | Mailing List
Good afternoon Dear,

I am sending the rule that I found, which is generating too many alerts for an agent. I have detected that it is a false positive, which is why it needs to be excluded so that this type of alert does not arrive, or its level changed.


   <rule id="31533" level="10" timeframe="20" frequency="8">
     <if_matched_sid>31530</if_matched_sid>
     <same_source_ip />
     <description>High amount of POST requests in a small period of time (likely bot).</description>
     <group>pci_dss_6.5,pci_dss_11.4,gdpr_IV_35.7.d,nist_800_53_SA.11,nist_800_53_SI.4,tsc_CC6.6,tsc_CC7.1,tsc_CC8.1,tsc_CC6.1,tsc_CC6.8,tsc_CC7.2,tsc_CC7.3,</group>
     <mitre>
       <id>T1498</id>
     </mitre>
   </rule>

Julio Gasco

Nov 13, 2023, 2:49:33 PM11/13/23
to Wazuh | Mailing List
Hi Daniel,
So if the location does have the agent_name, a rule to silence it would be the following:

   <rule id="100200" level="0" timeframe="20" frequency="8">
     <if_sid>31533</if_sid>
     <location>AGENT_NAME</location>
     <description>Silence 31533 Alert for AGENT_NAME</description>
   </rule>


So if rule 31533 is triggered and the location is the agent it will be an alert 0 which will not be visible.
What I wanted you to share is the log event that is triggering the alert, to check whether location has the agent name value (it can be the event that triggers rule 31530), so we can confirm this is correct.

I will be waiting for your input on this.
Regards!

Daniel Hinojo

Nov 13, 2023, 4:51:32 PM11/13/23
to Wazuh | Mailing List
Thank you for your response. Where, or in what part, should I put all that? I understand it goes in the rules?

Daniel Hinojo

Nov 16, 2023, 3:07:43 PM11/16/23
to Wazuh | Mailing List
Good afternoon,

I applied the exception that I recommended but it still detects it as level 10. Below I detail how I have configured the exception, how I am receiving the alert and the rule that is triggering it.

Configured exception rule

<rule id="100002" level="3" timeframe="20" frequency="8">
    <if_matched_sid>31530</if_matched_sid>
    <location>10-NAME_NAME</location>
    <same_source_ip/>
    <description>Silence 31533 for 10-NAME_NAME - High amount of POST requests in a small period of time (likely bot).</description>
    <group>pci_dss_6.5,pci_dss_11.4,gdpr_IV_35.7.d,nist_800_53_SA.11,nist_800_53_SI.4,tsc_CC6.6,tsc_CC7.1,tsc_CC8.1,tsc_CC6.1,tsc_CC6.8,tsc_CC7.2,tsc_CC7.3,</group>

    <mitre>
    <id>T1498</id>
    </mitre>
  </rule>

Rule that triggers the alert

<rule id="31533" level="10" timeframe="20" frequency="8">
    <if_matched_sid>31530</if_matched_sid>
    <same_source_ip />
    <description>High amount of POST requests in a small period of time (likely bot).</description>
   <group>pci_dss_6.5,pci_dss_11.4,gdpr_IV_35.7.d,nist_800_53_SA.11,nist_800_53_SI.4,tsc_CC6.6,tsc_CC7.1,tsc_CC8.1,tsc_CC6.1,tsc_CC6.8,tsc_CC7.2,tsc_CC7.3,</group>

    <mitre>
      <id>T1498</id>
    </mitre>
   </rule>

Alert received in JSON format

{
  "agent": {
    "ip": "XX.XX.XX.XX",
    "name": "10-NAME_NAME",
    "id": "016"
  },
  "previous_output": "XX.XX.XX.XX - - [16/Nov/2023:14:58:24 -0500] \"POST /zabbix/jsrpc.php?output=json-rpc HTTP/1.1\" 200 776 \"https://XX.XX.XX.XX/zabbix/history.php?action=showgraph&itemids%5B%5D=121670\" \"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36\"\nXX.XX.XX.XX - - [16/Nov/2023:14:58:20 -0500] \"POST /zabbix/zabbix.php?action=widget.problemsbysv.view HTTP/1.1\" 200 328045 \"https://XX.XX.XX.XX/zabbix/zabbix.php?action=dashboard.view&page=2\" \"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36\"\nXX.XX.XX.XX - - [16/Nov/2023:14:58:20 -0500] \"POST /zabbix/zabbix.php?action=widget.tophosts.view HTTP/1.1\" 200 10997 \"https://XX.XX.XX.XX/zabbix/zabbix.php?action=dashboard.view&page=2\" \"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36\"\nXX.XX.XX.XX - - [16/Nov/2023:14:58:20 -0500] \"POST /zabbix/zabbix.php?action=widget.problems.view HTTP/1.1\" 200 73565 \"https://XX.XX.XX.XX/zabbix/zabbix.php?action=dashboard.view&page=2\" \"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36\"\nXX.XX.XX.XX - - [16/Nov/2023:14:58:20 -0500] \"POST /zabbix/zabbix.php?action=notifications.get&output=ajax HTTP/1.1\" 200 1957 \"https://XX.XX.XX.XX/zabbix/history.php?action=showgraph&itemids%5B%5D=121670\" \"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36\"\nXX.XX.XX.XX - - [16/Nov/2023:14:58:20 -0500] \"POST /zabbix/zabbix.php?action=notifications.get&output=ajax HTTP/1.1\" 200 1957 \"https://XX.XX.XX.XX/zabbix/zabbix.php?action=dashboard.view\" \"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36\"\nXX.XX.XX.XX - - [16/Nov/2023:14:58:20 -0500] \"POST /zabbix/zabbix.php?action=notifications.get&output=ajax 
HTTP/1.1\" 200 4356 \"https://XX.XX.XX.XX/zabbix/zabbix.php?action=dashboard.view&dashboardid=293\" \"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36\"",
  "manager": {
    "name": "2048-pelim-08"
  },
  "data": {
    "protocol": "POST",
    "srcip": "XX.XX.XX.XX",
    "id": "200",
    "url": "/zabbix/jsrpc.php?output=json-rpc"
  },
  "rule": {
    "firedtimes": 5,
    "mail": true,
    "level": 10,
    "pci_dss": [
      "6.5",
      "11.4"
    ],
    "tsc": [
      "CC6.6",
      "CC7.1",
      "CC8.1",
      "CC6.1",
      "CC6.8",
      "CC7.2",
      "CC7.3"
    ],
    "description": "High amount of POST requests in a small period of time (likely bot).",
    "groups": [
      "web",
      "appsec",
      "attack"
    ],
    "mitre": {
      "technique": [
        "Network Denial of Service"
      ],
      "id": [
        "T1498"
      ],
      "tactic": [
        "Impact"
      ]
    },
    "id": "31533",
    "nist_800_53": [
      "SA.11",
      "SI.4"
    ],
    "frequency": 8,
    "gdpr": [
      "IV_35.7.d"
    ]
  },
  "decoder": {
    "name": "web-accesslog"
  },
  "full_log": "XX.XX.XX.XX - - [16/Nov/2023:14:58:25 -0500] \"POST /zabbix/jsrpc.php?output=json-rpc HTTP/1.1\" 200 776 \"https://XX.XX.XX.XX/zabbix/zabbix.php?action=dashboard.view&dashboardid=293\" \"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36\"",
  "input": {
    "type": "log"
  },
  "@timestamp": "2023-11-16T19:58:25.729Z",
  "location": "/var/log/apache2/access.log",
  "id": "1700164705.144396198",
  "timestamp": "2023-11-16T14:58:25.729-0500",
  "_id": "eue22YsB66a147urouU5"
}

Julio Gasco

Nov 27, 2023, 11:29:58 AM11/27/23
to Wazuh | Mailing List
Hi Daniel,
Sorry for the delay.
The problem with the rule I provided is that location does not contain the agent name, so the filter won't work.

Is the srcip the same as the agent IP? In that case the following rule may help you:

   <rule id="100200" level="0" timeframe="20" frequency="8">
      <if_sid>31533</if_sid>
      <srcip>XX.XX.XX.XX</srcip>
      <description>Silence 31533 Alert for AGENT_NAME</description>
   </rule>


Instead of using the Agent name we could use the IP for this alert instead.
Please let me know how it goes.
Regards!
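As an added illustration (not code from the thread or from Wazuh), the check below replays the two candidate silence rules against an alert shaped like the one Daniel posted, with placeholder IPs: the location-based child rule never matches because location is the file path, while the srcip-based rule does, provided srcip really is the agent's own IP. The matching is a simplified approximation of Wazuh's child-rule semantics (regex for location, exact compare for srcip), assumed here for the demonstration.

```python
import json
import re

# Constructed alert, modelled on the thread's JSON with placeholder IPs.
ALERT_JSON = """
{
  "agent": {"ip": "192.0.2.10", "name": "10-NAME_NAME", "id": "016"},
  "data": {"protocol": "POST", "srcip": "192.0.2.10", "id": "200",
           "url": "/zabbix/jsrpc.php?output=json-rpc"},
  "rule": {"level": 10, "id": "31533",
           "description": "High amount of POST requests in a small period of time (likely bot)."},
  "decoder": {"name": "web-accesslog"},
  "location": "/var/log/apache2/access.log"
}
"""

def srcip_is_agent_ip(alert):
    """Precondition for the srcip-based rule: the request source must be the
    agent itself, otherwise the rule would also silence real external bots."""
    return alert["data"].get("srcip") == alert["agent"].get("ip")

def child_rule_fires(alert, parent_sid, location=None, srcip=None):
    """Approximation of Wazuh child-rule matching (assumed, not the engine):
    <if_sid> must equal the parent rule id, <location> is a regex tested
    against the alert's location string, <srcip> is an exact compare."""
    if alert["rule"]["id"] != parent_sid:
        return False
    if location is not None and not re.search(location, alert["location"]):
        return False
    if srcip is not None and alert["data"].get("srcip") != srcip:
        return False
    return True

def effective_level(alert, candidates):
    """Level the alert ends up with: the first matching child rule replaces
    the parent's level, otherwise the parent level stands."""
    for rule in candidates:
        if child_rule_fires(alert, rule["if_sid"], rule.get("location"), rule.get("srcip")):
            return rule["level"]
    return alert["rule"]["level"]

alert = json.loads(ALERT_JSON)
# The two candidate rules from the thread, expressed as dicts.
LOCATION_RULE = {"if_sid": "31533", "location": "10-NAME_NAME", "level": 0}
SRCIP_RULE = {"if_sid": "31533", "srcip": "192.0.2.10", "level": 0}
```

Run `effective_level(alert, [LOCATION_RULE])` and `effective_level(alert, [SRCIP_RULE])` to see the level stay at 10 for the first and drop to 0 for the second.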