Rule precedence between 2 decoders?


Gaël Marziou

Jun 13, 2018, 2:03:44 PM
to Wazuh mailing list
Hello all,

I have configured a program (Vault) to log its audit trail in JSON to syslog and I have configured a decoder using json.

In ossec-logtest, I can see my json decoder is called but my custom rule is not triggered, only the default rule 1002 of syslog is triggered because event matches "error" word.

It's not clear to me how the analysis decides between 2 rules that match same event with 2 different decoders.

Regards,
Gael


<decoder name="vault">
  <program_name>^vault$</program_name>
  <plugin_decoder>JSON_Decoder</plugin_decoder>
</decoder>

<group name="actoll,ossec,syslog,vault,">
  <rule id="100105" level="7">
    <decoded_as>vault</decoded_as>
    <field name="request.path">^auth/auth/ldap/login/</field>
    <description>Vault audit response errors for authentication</description>
    <group>vault_error,authentication_failed,pci_dss_10.2.4,pci_dss_10.6.1,</group>
  </rule>
</group>



ossec-logtest:

Jun 13 17:48:21 ps-vault1 vault[3881]: {"time":"2018-06-13T15:48:21.697524573Z","type":"request","auth":{"client_token":"","accessor":"","display_name":"","policies":null,"metadata":null,"entity_id":""},"request":{"id":"0db6af6c-65ed-4bbe-71b3-45f759cc5c6f","operation":"update","client_token":"","client_token_accessor":"","path":"auth/ldap/login/marziou","data":{"password":"hmac-sha256:1509bd55629fb62baf8dce9bd3055b53a9204dde7b0dcb79ae126a8c758b03b7"},"policy_override":false,"remote_address":"192.168.89.10","wrap_ttl":0,"headers":{}},"error":""}


**Phase 1: Completed pre-decoding.
       full event: 'Jun 13 17:48:21 ps-vault1 vault[3881]: {"time":"2018-06-13T15:48:21.697524573Z","type":"request","auth":{"client_token":"","accessor":"","display_name":"","policies":null,"metadata":null,"entity_id":""},"request":{"id":"0db6af6c-65ed-4bbe-71b3-45f759cc5c6f","operation":"update","client_token":"","client_token_accessor":"","path":"auth/ldap/login/marziou","data":{"password":"hmac-sha256:1509bd55629fb62baf8dce9bd3055b53a9204dde7b0dcb79ae126a8c758b03b7"},"policy_override":false,"remote_address":"192.168.89.10","wrap_ttl":0,"headers":{}},"error":""}'
       timestamp: 'Jun 13 17:48:21'
       hostname: 'ps-vault1'
       program_name: 'vault'
       log: '{"time":"2018-06-13T15:48:21.697524573Z","type":"request","auth":{"client_token":"","accessor":"","display_name":"","policies":null,"metadata":null,"entity_id":""},"request":{"id":"0db6af6c-65ed-4bbe-71b3-45f759cc5c6f","operation":"update","client_token":"","client_token_accessor":"","path":"auth/ldap/login/marziou","data":{"password":"hmac-sha256:1509bd55629fb62baf8dce9bd3055b53a9204dde7b0dcb79ae126a8c758b03b7"},"policy_override":false,"remote_address":"192.168.89.10","wrap_ttl":0,"headers":{}},"error":""}'

**Phase 2: Completed decoding.
       decoder: 'vault'
       time: '2018-06-13T15:48:21.697524573Z'
       type: 'request'
       auth.client_token: ''
       auth.accessor: ''
       auth.display_name: ''
       auth.policies: 'null'
       auth.metadata: 'null'
       auth.entity_id: ''
       request.id: '0db6af6c-65ed-4bbe-71b3-45f759cc5c6f'
       request.operation: 'update'
       request.client_token: ''
       request.client_token_accessor: ''
       request.path: 'auth/ldap/login/marziou'
       request.data.password: 'hmac-sha256:1509bd55629fb62baf8dce9bd3055b53a9204dde7b0dcb79ae126a8c758b03b7'
       request.policy_override: 'false'
       request.remote_address: '192.168.89.10'
       request.wrap_ttl: '0'
       error: ''

**Phase 3: Completed filtering (rules).
       Rule id: '1002'
       Level: '2'
       Description: 'Unknown problem somewhere in the system.'
**Alert to be generated.

Jesus Linares

Jun 13, 2018, 2:21:30 PM
to Wazuh mailing list
Hi,

It looks like you added an extra "auth":

request.path: 'auth/ldap/login/marziou'

<field name="request.path">^auth/auth/ldap/login/</field>


Regards,
Jesus Linares.

Gaël Marziou

Jun 14, 2018, 5:52:07 AM
to Wazuh mailing list
Thanks Jesus, shame on me :)

I fixed the regex and it works now but I don't understand why only my rule is triggered and not the default one syslog 1002.

Jesus Linares

Jun 14, 2018, 6:27:56 AM
to Wazuh mailing list
Your rule is level 7, and syslog 1002 rule is level 2. So, your rule is triggered.

I'm glad that it is working!

Regards,
Jesus Linares
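The following is an added example, not code from the thread or from Wazuh itself. It models the three ossec-logtest phases shown in the first post (syslog pre-decoding, flattening the Vault JSON into dotted dynamic fields, and rule matching) so you can see why the rule with `^auth/auth/ldap/login/` never fires while the corrected regex does, and it implements the selection rule described in the reply above as "the highest-level matching rule wins". Assumptions: OSSEC regex syntax is approximated with Python's `re` module, the `BAD_WORDS` list behind stock rule 1002 is reproduced from memory of syslog_rules.xml and is only an approximation, and the real engine walks a level-sorted rule tree rather than scoring every rule, so this is a simplification that gives the same answer for the two top-level rules in this thread.

```python
"""Toy model of the Vault event flowing through pre-decoding, the JSON decoder
and rule selection.  Added example, not Wazuh's own code."""
import json
import re

# Constructed copy of the syslog line posted in the thread.
SAMPLE_LINE = (
    'Jun 13 17:48:21 ps-vault1 vault[3881]: '
    '{"time":"2018-06-13T15:48:21.697524573Z","type":"request",'
    '"auth":{"client_token":"","accessor":"","display_name":"","policies":null,'
    '"metadata":null,"entity_id":""},'
    '"request":{"id":"0db6af6c-65ed-4bbe-71b3-45f759cc5c6f","operation":"update",'
    '"client_token":"","client_token_accessor":"","path":"auth/ldap/login/marziou",'
    '"data":{"password":"hmac-sha256:1509bd55629fb62baf8dce9bd3055b53a9204dde7b0dcb79ae126a8c758b03b7"},'
    '"policy_override":false,"remote_address":"192.168.89.10","wrap_ttl":0,"headers":{}},'
    '"error":""}'
)

# Phase 1: split a BSD-syslog line into the fields ossec-logtest prints.
SYSLOG_RE = re.compile(
    r'^(?P<timestamp>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) '
    r'(?P<hostname>\S+) (?P<program_name>[^\[:\s]+)(?:\[\d+\])?: (?P<log>.*)$'
)


def predecode(line):
    m = SYSLOG_RE.match(line)
    if not m:
        raise ValueError("not a syslog line: %r" % line)
    return m.groupdict()


# Phase 2: flatten nested JSON into the dotted dynamic fields shown in the
# logtest output (null -> 'null', booleans lowercased, empty objects dropped).
def flatten(obj, prefix=""):
    out = {}
    for key, value in obj.items():
        name = prefix + key
        if isinstance(value, dict):
            out.update(flatten(value, name + "."))
        elif value is None:
            out[name] = "null"
        elif isinstance(value, bool):
            out[name] = "true" if value else "false"
        else:
            out[name] = str(value)
    return out


# Stock syslog rule 1002 is <match>$BAD_WORDS</match>; this word list is an
# approximation reproduced from memory, not copied from syslog_rules.xml.
BAD_WORDS = r"core_dumped|failure|error|attack| bad |illegal |denied|refused|unauthorized|fatal|failed"

RULE_1002 = {"id": 1002, "level": 2, "match": BAD_WORDS,
             "description": "Unknown problem somewhere in the system."}


def vault_rule(path_regex):
    """The original post's rule 100105 with a configurable <field> regex."""
    return {"id": 100105, "level": 7, "decoded_as": "vault",
            "field": ("request.path", path_regex),
            "description": "Vault audit response errors for authentication"}


def rule_matches(rule, decoder, fields, log):
    if "decoded_as" in rule and rule["decoded_as"] != decoder:
        return False
    if "match" in rule and not re.search(rule["match"], log, re.IGNORECASE):
        return False
    if "field" in rule:
        name, regex = rule["field"]
        if name not in fields or not re.match(regex, fields[name]):
            return False
    return True


# Phase 3 (simplified): every matching rule is a candidate and the one with the
# highest level is the alert that fires.  Returns (dynamic fields, winning rule).
def analyse(line, rules):
    pre = predecode(line)
    decoder = "vault" if pre["program_name"] == "vault" else None
    fields = flatten(json.loads(pre["log"])) if decoder == "vault" else {}
    hits = [r for r in rules if rule_matches(r, decoder, fields, pre["log"])]
    best = max(hits, key=lambda r: r["level"], default=None)
    return fields, best


if __name__ == "__main__":
    for regex in (r"^auth/auth/ldap/login/", r"^auth/ldap/login/"):
        fields, best = analyse(SAMPLE_LINE, [RULE_1002, vault_rule(regex)])
        print(regex, "->", best["id"], "level", best["level"])
```

With the typo'd regex only rule 1002 matches (the raw log contains the substring `error` in `"error":""`), so the level-2 alert is the one you see; once the field regex matches `request.path`, both rules match and the level-7 rule wins. Note that the `"error":""` key is present in every Vault audit line, so 1002 will match each of them; a dedicated level-0 catch-all rule with `<decoded_as>vault</decoded_as>` is the usual way to keep those from alerting.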

Gaël Marziou

Jun 14, 2018, 8:31:42 AM
to Wazuh mailing list
Thanks it makes sense.

Is there a documentation where this behavior is described?

Jesus Linares

Jun 21, 2018, 5:31:33 AM
to Wazuh mailing list
Hi,

We don't have documentation about the mechanism to process decoders and rules. We will add it.

You can check online resources, like the book OSSEC HIDS Host-Based Intrusion Detection Guide. It covers most of the rule engine, but obviously the improvements developed by Wazuh are missing (JSON decoders, dynamic fields, dynamic rule descriptions, etc.).

We are working hard to improve our public content (web, documentation, etc). Please, feel free to open an issue with recommendations in the public repository: https://github.com/wazuh/wazuh-documentation.

Thanks,
Jesus Linares.