I followed the steps for Detecting Netcat activity in Linux systems but neither a rule nor an alert is fired.


Yolanda Prieto

Jan 29, 2018, 8:07:25 PM
to Wazuh mailing list
Hi Team
I followed the steps for netcat detection based on this video:
https://www.youtube.com/watch?v=Cx2rIpGA3V8

I configured the agent by adding this configuration to ossec.conf:


<localfile>
 <log_format>command</log_format>
 <command>ps aux</command>
 <frequency>5</frequency>
</localfile>


In the manager I put the custom rules in local_rules.xml

<group name="ossec,">
<rule id="100050" level="0">
  <match>^ossec: output: 'ps aux'</match>
  <description>List of running process.</description>
  <group>process_monitor,</group>
</rule>

<rule id="100051" level="7">
  <if_sid>100050</if_sid>
  <match>nc -l</match>
  <description>Netcat listening for incoming connections.</description>
  <group>process_monitor,</group>
</rule>
</group>


I can see the output of the command ps aux in archive/archive.log on the manager, but it looks truncated; I cannot see all the output.

And the part of the output that should match (nc -l) is not there.

Maybe for this reason I cannot see the rule triggered in Kibana, nor the alert.
What am I missing?

Under which circumstances is rule 530 fired?

I have been researching before asking here, but I cannot find the answer.
Any help will be highly appreciated.
Regards
 Yolanda

Santiago Bassett

Jan 29, 2018, 11:44:34 PM
to Yolanda Prieto, Wazuh mailing list
Hi Yolanda,

most likely the output of your 'ps' command is bigger than the message size limit (6KB). In the future we are planning to increase this limit to 64KB, to avoid situations like this one.

In the meantime, try using this configuration instead (in your agent configuration file, ossec.conf):

  <localfile>
    <log_format>full_command</log_format>
    <alias>process list</alias>
    <command>ps -e -o pid,uname,command</command>
    <frequency>30</frequency>
  </localfile>


And here are the rules I used for the video (/var/ossec/etc/rules/local_rules.xml):


<group name="ossec,">
  <rule id="100050" level="0">
    <if_sid>530</if_sid>
    <match>^ossec: output: 'process list'</match>
    <description>List of running processes.</description>
    <group>process_monitor,</group>
  </rule>

  <rule id="100051" level="7" ignore="900">
    <if_sid>100050</if_sid>
    <match>nc -l</match>
    <description>Netcat listening for incoming connections.</description>
    <group>process_monitor,</group>
  </rule>
</group>


Rule 530 is included by default; you don't need to add it to your local_rules.xml file. It matches everything that uses 'command' or 'full_command' in the <log_format> configuration section. It does so by looking for the string 'ossec: output: ' at the beginning of the event coming from the agent. Here is the rule (it belongs to the file /var/ossec/ruleset/rules/0015-ossec_rules.xml):


  <rule id="530" level="0">
    <if_sid>500</if_sid>
    <match>^ossec: output: </match>
    <description>OSSEC process monitoring rules.</description>
    <group>process_monitor,</group>
  </rule>


Best regards,

Santiago.



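As an added illustration (not code from this thread or from Wazuh), the Python script below emulates the truncation diagnosis given in the reply above: it formats a constructed `ps -e -o pid,uname,command` listing as a full_command event, hard-cuts it at an assumed 6 KB limit, and walks the 530 -> 100050 -> 100051 chain with Python `re` standing in for the OSSEC match syntax. The event format, the exact byte limit and the filler process names are assumptions; the point it shows is that a listener near the end of a long process list never reaches rule 100051.

```python
import re

# Message size limit the thread cites (6 KB); assumed here as 6 * 1024 bytes.
MSG_LIMIT = 6 * 1024

# Stand-ins for the thread's rules: (rule id, parent id, level, pattern).
# Python `re` replaces the OSSEC match syntax, so this is an emulation only.
RULES = [
    (530,    500,    0, r"^ossec: output: "),
    (100050, 530,    0, r"^ossec: output: 'process list'"),
    (100051, 100050, 7, r"nc -l"),
]

def build_event(alias, output, limit=MSG_LIMIT):
    """Format a full_command event (assumed "ossec: output: '<alias>': <output>")
    and hard-truncate it at the message size limit."""
    msg = f"ossec: output: '{alias}': {output}"
    return msg.encode()[:limit].decode(errors="ignore")

def over_limit(output, limit=MSG_LIMIT):
    """True when the raw command output alone already exceeds the limit."""
    return len(output.encode()) > limit

def evaluate(event):
    """Walk the rule chain: a child may fire only if its parent fired.
    Returns (rule id, level) of the last rule that matched, or None."""
    fired = {500}  # rule 500 is assumed to match every event from the agent
    result = None
    for rid, parent, level, pattern in RULES:
        if parent in fired and re.search(pattern, event):
            fired.add(rid)
            result = (rid, level)
    return result

def constructed_ps_output(n_filler):
    """Constructed ps -e -o pid,uname,command listing: n_filler benign
    processes followed by a single 'nc -l' listener as the last line."""
    lines = ["  PID USER     COMMAND"]
    for i in range(n_filler):
        lines.append(f"{1000 + i:5d} root     /usr/sbin/filler-daemon --instance {i}")
    lines.append(" 9999 user     nc -l")
    return "\n".join(lines)

if __name__ == "__main__":
    for n in (10, 200):  # short listing fires 100051; long one loses 'nc -l'
        out = constructed_ps_output(n)
        fired = evaluate(build_event("process list", out))
        print(f"{n} processes, {len(out.encode())} bytes, "
              f"over limit: {over_limit(out)}, fired: {fired}")
```

Running it shows the short listing ending in rule 100051 (level 7) and the long one stopping at rule 100050 (level 0), which is exactly the symptom of a process list truncated before the netcat line.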

Yolanda Prieto

Jan 31, 2018, 4:16:12 PM
to Wazuh mailing list
Hi Santiago,

Thanks for your answer. I really appreciate the good support that the Wazuh team provides to all of us.

Yesterday I was trying to apply the solution you advised me. But the rules do not get fired.


I configured the log file in agent.conf:

  <localfile>
    <log_format>full_command</log_format>
    <alias>process list</alias>
    <command>ps -e -o pid,uname,command</command>
    <frequency>30</frequency>
  </localfile>


and I configured these rules in the manager:

<group name="ossec,">
  <rule id="100050" level="0">
    <if_sid>530</if_sid>
    <match>^ossec: output: 'process list'</match>
    <description>List of running processes.</description>
    <group>process_monitor,</group>
  </rule>

  <rule id="100051" level="7" ignore="900">
    <if_sid>100050</if_sid>
    <match>nc -l</match>
    <description>Netcat listening for incoming connections.</description>
    <group>process_monitor,</group>
  </rule>
</group>


I looked in archive.log, and in the command output I still cannot see the pattern I am looking for: the occurrence of the netcat command, nc -l.

I was trying different ways to get the command output, but the output still doesn't contain the pattern I am looking for: nc -l.
It looks like the output of the command is still too long for Wazuh.

One question:

In the agent, could I append a command like this:


<localfile>
    <log_format>full_command</log_format>
    <alias>process list</alias>
    <command>'ps aux|grep "nc -l"'</command>
    <frequency>10</frequency>
</localfile>


'ps aux|grep nc' ???? I was trying it to reduce the output, but it looks like it doesn't work.



What am I missing?

Any other idea to reduce the command output and catch the pattern I am looking for?

Any idea will be highly appreciated.
Regards
 Yolanda

Yolanda Prieto

Feb 9, 2018, 5:22:00 PM
to Wazuh mailing list
Hi Team

Has somebody had the occasion to look into this question?


Any help would be highly appreciated.
Regards
 Yolanda Prieto.

Santiago Bassett

Feb 14, 2018, 5:15:10 AM
to Yolanda Prieto, Wazuh mailing list
Hi Yolanda,

I am not sure what the cause of the problem may be, but most likely we do not parse the double quotes in the command correctly (I've never tried that myself).

What OS are you running? When you run ps -e -o pid,uname,command, do you see the output including the netcat process (nc -l)?

Regards



Santiago Bassett

Feb 15, 2018, 5:23:31 AM
to yol...@saitechnology.com, Yolanda Prieto, Wazuh mailing list
I still think that the output is being truncated; is it larger than 6KB? We are working on supporting up to 128KB messages in the next release.

Best regards,

Santiago.

On Wed, Feb 14, 2018 at 10:30 AM, <yol...@saitechnology.com> wrote:
Hi Santiago
Thanks very much for your response.
 
I am running the Wazuh agent on an Ubuntu 16.04 server and
the Wazuh manager is on CentOS 7.
 
When I run ps -e -o -pid, uname command I was not able to see the total (all) log, and I was not
able to see the nc -l.
 
The goal is to detect if a netcat process is running, but because the list of processes gets truncated, I cannot detect it.
 
Any other idea?
 
Thanks and Regards
 Yolanda Prieto
 
 


yol...@saitechnology.com

Feb 19, 2018, 12:54:54 PM
to Santiago Bassett, Yolanda Prieto, Wazuh mailing list
Hi Santiago
Thanks very much for your response.
 
I am running the Wazuh agent on an Ubuntu 16.04 server and
the Wazuh manager is on CentOS 7.
 
When I run ps -e -o -pid, uname command I was not able to see the total (all) log, and I was not
able to see the nc -l.
 
The goal is to detect if a netcat process is running, but because the list of processes gets truncated, I cannot detect it.
 
Any other idea?
 
Thanks and Regards
 Yolanda Prieto
 
 

