Sonicwall logs being received, but no alert generated (even though ossec-ruletest


DaveK

Oct 15, 2019, 11:38:15 AM
to Wazuh mailing list
Hi,

We are trying to monitor our SonicWall in Wazuh.  So far the syslog has been set up, and we know we are receiving messages because they are in our ossec archive log.  Example entry:


[root@wazuhmanager archives]# grep "Administrator login denied" archives.log
2019 Oct 15 14:39:51 wazuhmanager->192.168.xx.xxx   id=SonicWall sn=XXXXXXXXXX time="2019-10-15 14:39:51 UTC" fw=XXX.XXX.XXX.XXX pri=1 c=32 m=30 msg="Administrator login denied due to bad credentials" sess="Web" dur=0 n=21 usr="admin" src=192.168.xx.xxx:56733:X0 dst=192.168.xx.xxx:80:X0 proto=tcp/http note=" - authentication failed: admin"


I run the ossec-testrule and it shows a level 8 alert will be generated, so it should show up in my security alerts, but it does not.  I search by decoder.name: sonicwall and nothing.  I search by time and agent name, nothing.  We looked in the alert log and do not see it there either (there were no sonicwall alerts).


Here is an example of the ossec-testrule output:

ossec-testrule: Type one log per line.

id=SonicWall sn=XXXXXXXXXXXX time="2019-10-14 17:12:49 UTC" fw=XXX.XXX.XXX.XXX pri=1 c=32 m=30 msg="Administrator login denied due to bad credentials" sess="Web" dur=0 n=17 usr="admin" src=192.168.xx.xxx:58989:X0 dst=192.168.xx.xxx:80:X0 proto=tcp/http note=" - authentication failed: admin"


**Phase 1: Completed pre-decoding.
       full event: 'id=SonicWall sn=XXXXXXXXXXXX time="2019-10-14 17:12:49 UTC" fw=XXX.XXX.XXX.XXX pri=1 c=32 m=30 msg="Administrator login denied due to bad credentials" sess="Web" dur=0 n=17 usr="admin" src=192.168.xx.xxx:58989:X0 dst=192.168.XX.XXX:80:X0 proto=tcp/http note=" - authentication failed: admin"'
       timestamp: '(null)'
       hostname: 'wazuhmanager'
       program_name: '(null)'
       log: 'id=SonicWall sn=XXXXXXXXXXXX time="2019-10-14 17:12:49 UTC" fw=XXX.XXX.XXX.XXX pri=1 c=32 m=30 msg="Administrator login denied due to bad credentials" sess="Web" dur=0 n=17 usr="admin" src=192.168.xx.xxx:58989:X0 dst=192.168.xx.xxx:80:X0 proto=tcp/http note=" - authentication failed: admin"'

**Phase 2: Completed decoding.
       decoder: 'sonicwall'
       status: '1'
       action: 'Administrator login denied due to bad credentials'
       srcip: '192.168.xx.xxx'
       srcport: '58989'
       dstip: '192.168.xx.xxx'
       dstport: '80'

**Phase 3: Completed filtering (rules).
       Rule id: '4801'
       Level: '8'
       Description: 'SonicWall critical message.'
**Alert to be generated.


Any help would be greatly appreciated.  

Thanks,
Dave

Miguel Keane

Oct 15, 2019, 1:25:26 PM
to Wazuh mailing list
Hello Dave, 

I have tested it in my environment and I was able to receive the security alert. 
First we are going to check a few things to find out where the problem might be.

If you could try these commands and send me their results, it would be very helpful.

[root@master vagrant]# lsof /var/ossec/logs/alerts/alerts.json 
COMMAND    PID  USER   FD   TYPE DEVICE SIZE/OFF   NODE NAME
ossec-ana 6979 ossec    9w   REG    8,1   241838 411896 /var/ossec/logs/alerts/alerts.json
filebeat  7621  root    3r   REG    8,1   241838 411896 /var/ossec/logs/alerts/alerts.json


And try: 

ps aux | grep ossec

And make sure that ossec-analysisd is present, as in the following image (Screenshot from 2019-10-15 19-18-25.png):

If your results are similar to the ones I've sent you, please make sure that your configuration in /var/ossec/etc/ossec.conf is correct (as it should be by default), and that alerts_log is set to yes.


I hope we can soon solve this issue for you, I will wait for your response and see how we can solve it as soon as possible, 

Best regards, 
Miguel Keane

Miguel Keane

Oct 15, 2019, 1:28:58 PM
to Wazuh mailing list
Hi, sorry, it seems one of the images I sent was not properly attached.

When executing: 
ps aux | grep ossec

You should be getting something similar to this: 


Best regards, 
Miguel Keane

DaveK

Oct 15, 2019, 2:36:18 PM
to Wazuh mailing list
Hi Miguel,

First thank you for looking into this.

Here are the results of lsof:

[root@wazuhmanager dave]# lsof /var/ossec/logs/alerts/alerts.json
COMMAND    PID  USER   FD   TYPE DEVICE SIZE/OFF     NODE NAME
filebeat   790  root    3r   REG  253,1 25160051 34706627 /var/ossec/logs/alerts/alerts.json
ossec-ana 9244 ossec    9w   REG  253,1 25161164 34706627 /var/ossec/logs/alerts/alerts.json


and the other results:

[root@wazuhmanager dave]# ps aux | grep ossec
ossec      789  0.0  0.8 929916 33236 ?        Ssl  Oct07   1:38 /bin/node /var/ossec/api/app.js
root      9210  0.0  0.0 243520  3508 ?        Sl   09:15   0:00 /var/ossec/bin/ossec-authd
ossec     9216  0.6  1.4 638556 55136 ?        Sl   09:15   0:51 /var/ossec/bin/wazuh-db
root      9233  0.0  0.0  30372  1368 ?        Sl   09:15   0:00 /var/ossec/bin/ossec-execd
ossec     9244  4.7  1.7 909396 66120 ?        Sl   09:15   6:21 /var/ossec/bin/ossec-analysisd
root      9250  0.0  0.0  38776  1352 ?        Sl   09:15   0:00 /var/ossec/bin/ossec-syscheckd
ossecr    9259  5.1  0.1 703760  5752 ?        Sl   09:15   6:56 /var/ossec/bin/ossec-remoted
ossecr    9260  0.1  0.0  22316  1368 ?        S    09:15   0:11 /var/ossec/bin/ossec-remoted
ossecr    9261  0.0  0.0  22316  1372 ?        S    09:15   0:00 /var/ossec/bin/ossec-remoted
root      9266  0.1  0.0  63156  1412 ?        Sl   09:15   0:12 /var/ossec/bin/ossec-logcollector
ossec     9272  0.0  0.0  30556  2648 ?        Sl   09:15   0:00 /var/ossec/bin/ossec-monitord
root      9278  0.7  0.1 491244  5064 ?        Sl   09:15   1:03 /var/ossec/bin/wazuh-modulesd
root     15504  0.0  0.0  22044  2508 pts/0    S+   11:01   0:00 /var/ossec/bin/manage_agents
root     16986  0.0  0.0 112716   932 pts/3    S+   11:30   0:00 grep --color=auto ossec

Thanks again,
Dave

DaveK

Oct 15, 2019, 2:39:16 PM
to Wazuh mailing list

Almost forgot, the config file looks OK:

<ossec_config>
  <global>
    <jsonout_output>yes</jsonout_output>
    <alerts_log>yes</alerts_log>
    <logall>yes</logall>
    <logall_json>no</logall_json>


Thanks,
Dave

Miguel Keane

Oct 15, 2019, 2:55:13 PM
to Wazuh mailing list
Hello Dave, 

The issue is that SonicWall will sometimes introduce additional whitespace characters, which were not considered when this decoder was first created. This is why it works when pasted into the ossec-ruletest utility: the additional whitespace was removed in the paste.
This has been reported here: https://github.com/wazuh/wazuh/issues/2757 and will be fixed in a future version.
In the meantime, the solution is to modify the decoder to make it compatible with such messages:

<decoder name="sonicwall">
   <prematch>\s*^id=\w+\s+sn=\w+\s+time="\.+"\s+fw=\S+ </prematch>
   <plugin_decoder>SonicWall_Decoder</plugin_decoder>
</decoder>


Now, for this to work we have two options.
  • One is to change the decoder in /var/ossec/ruleset/decoders/0295-sonicwall_decoders.xml


The problem with this solution is that whenever you upgrade Wazuh the changes in the decoder will be overwritten.

Alternatively, you may make the change persistent through Wazuh upgrades, but then you must take into account that you will not be updating SonicWall's decoder unless you manually undo this action.

For this, you need to copy the original decoder into the custom decoders folder:
cp /var/ossec/ruleset/decoders/0295-sonicwall_decoders.xml /var/ossec/etc/decoders/ --preserve=all
And edit that file with the solution mentioned previously.

Then you have to add an exclusion in /var/ossec/etc/ossec.conf with <rule_exclude>. Here you can see an example of how it would look:

<ruleset>
    <!-- Default ruleset -->
    <decoder_dir>ruleset/decoders</decoder_dir>
    <rule_dir>ruleset/rules</rule_dir>
    <rule_exclude>0295-sonicwall_decoders.xml</rule_exclude>
    <list>etc/lists/audit-keys</list>
    <list>etc/lists/amazon/aws-eventnames</list>
    <list>etc/lists/security-eventchannel</list>

    <!-- User-defined ruleset -->
    <decoder_dir>etc/decoders</decoder_dir>
    <rule_dir>etc/rules</rule_dir>
  </ruleset>


This way, if you upgrade Wazuh you would still be using the one you have created. And whenever this problem is fixed (feel free to ask us in the future), you can just undo these changes and it should work properly. 

Best regards, 
Miguel Keane

DaveK

Oct 15, 2019, 7:58:38 PM
to Wazuh mailing list
Hi Miguel

Thank you for your help!

I had to adjust the regex a bit but got it working (Capture.JPG).

Final decoder is this, and I am now getting the alerts.

<decoder name="sonicwall">
   <prematch>\s*id=\w+\s+sn=\w+\s+time="\S*\s*\S*\s*\S*\s*fw=\S*</prematch>
   <plugin_decoder>SonicWall_Decoder</plugin_decoder>
</decoder>


Thank you so much, your suggestions were very helpful and I appreciate your effort!

Dave
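
To see why the pasted line matched in ossec-testrule while the live message did not, here is an added Python check (not part of this thread and not Wazuh's own code) that translates the subset of Wazuh's os_regex syntax used by the two prematch patterns above (the original one from Miguel's snippet and Dave's final one) into Python regexes, then runs both against a constructed message with and without leading whitespace. The translation is an approximation of os_regex semantics, and the sample message is constructed from the masked line in the thread.

```python
import re

# Subset of Wazuh/OSSEC regex (os_regex) escapes used by the sonicwall prematch,
# mapped to Python re syntax. Approximation: in os_regex \w also matches '@'
# and '-', and \. means "any character".
OSSEC_ESCAPES = {
    "w": "[A-Za-z0-9_@-]",
    "d": "[0-9]",
    "s": r"\s",
    "S": r"\S",
    ".": ".",
}

def ossec_to_python(pattern: str) -> str:
    out, i = [], 0
    while i < len(pattern):
        ch = pattern[i]
        if ch == "\\" and i + 1 < len(pattern):
            out.append(OSSEC_ESCAPES.get(pattern[i + 1], re.escape(pattern[i + 1])))
            i += 2
            continue
        # ^ $ + * keep their meaning; every other character is a literal
        out.append(ch if ch in "^$+*" else re.escape(ch))
        i += 1
    return "".join(out)

def prematch(ossec_pattern: str, log: str) -> bool:
    # A prematch is a search, so only a leading ^ pins it to the line start
    return re.search(ossec_to_python(ossec_pattern), log) is not None

# Original prematch (note the trailing space after \S+) and Dave's final version
ORIGINAL_PREMATCH = r'^id=\w+\s+sn=\w+\s+time="\.+"\s+fw=\S+ '
FIXED_PREMATCH = r'\s*id=\w+\s+sn=\w+\s+time="\S*\s*\S*\s*\S*\s*fw=\S*'

# Constructed SonicWall message modelled on the thread (serial and IPs masked)
PASTED = ('id=SonicWall sn=XXXXXXXXXX time="2019-10-15 14:39:51 UTC" '
          'fw=XXX.XXX.XXX.XXX pri=1 c=32 m=30 '
          'msg="Administrator login denied due to bad credentials" usr="admin"')
# Same content with the leading whitespace the archives.log line hints at
ON_THE_WIRE = "  " + PASTED

def compare() -> dict:
    return {
        "original_pasted": prematch(ORIGINAL_PREMATCH, PASTED),
        "original_wire": prematch(ORIGINAL_PREMATCH, ON_THE_WIRE),
        "fixed_pasted": prematch(FIXED_PREMATCH, PASTED),
        "fixed_wire": prematch(FIXED_PREMATCH, ON_THE_WIRE),
    }

if __name__ == "__main__":
    for name, ok in compare().items():
        print(f"{name:16s} {'match' if ok else 'NO MATCH'}")
```

The anchored original pattern is the only one that fails on the whitespace-prefixed message, which is the gap between ossec-testrule's verdict and the empty alerts log.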


Miguel Keane

Oct 16, 2019, 8:35:00 AM
to Wazuh mailing list
I am glad we could be of help. Do not hesitate to contact us further if you ever need help in the future.

Regards,
Miguel Keane Cañizares