Log4j exploit rule is not detected

[Iman Mikhael]

Hello, 

I have added the rule to detect Log4j exlpoits in the /var/ossec/etc/rules/local_rules.xml as in https://wazuh.com/blog/detecting-log4shell-with-wazuh/ . As the system is running in a docker container, I have also configured the wazuh server to pull logs from docker container in the /var/ossec/etc/ossec.conf.

However, whenever I run a Log4j POC as in https://github.com/taise-hub/log4j-poc , no logs appeared. Any idea or thoughts on what I did wrong?

[Mariano Koremblum]

Hi Iman,

Did you reset your manager after adding the rule to such a file? Do you get to see any errors/warnings related to rules loading on the /var/ossec/logs/ossec.log?

I will be waiting for your reply,

Mariano Koremblum

​

[Iman Mikhael]

Hello Mariano, 

I have added the rule to detect Log4j exlpoits in the /var/ossec/etc/rules/local_rules.xml as in https://wazuh.com/blog/detecting-log4shell-with-wazuh/ . As the system is running in a docker container, I have also configured the wazuh server to pull logs from docker container in the /var/ossec/etc/ossec.conf.

However, whenever I run a Log4j POC as in https://github.com/taise-hub/log4j-poc , no logs appeared. Any idea or thoughts on what I did wrong?

[Mariano Koremblum]

Hi again Iman,

What version of the manager and agents are you using?

[Iman Mikhael]

Hey there, 

I am currently using version 4.3.10

[Iman Mikhael]

Plus, I am using the OVA version

[Mariano Koremblum]

Could you please try following the steps again, but in this case, when you change the permissions, change them to wazuh:wazuh instead of ossec:ossec as follows:

chown wazuh:wazuh /var/ossec/etc/shared/default/log4j_check.yml

Please, let us know if it worked

​

[Iman Mikhael]

Hi Mariano,

I did as you told but it still did not work.

--
You received this message because you are subscribed to a topic in the Google Groups "Wazuh mailing list" group.
To unsubscribe from this topic, visit https://groups.google.com/d/topic/wazuh/E3G4pGTiKHs/unsubscribe.
To unsubscribe from this group and all its topics, send an email to wazuh+un...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/wazuh/8334f865-69c3-4525-b85c-59ad66b7a5fdn%40googlegroups.com.

[Mariano Koremblum]

Hi Iman,

Could you please show us how did you configure, on the ossec.conf file, the docker’s log collection that you have added?

Regards

​

[Iman Mikhael]

Hi Mariano, 

This is my ossec.conf file on the agent kali linux. I do want to ask do I need to do the same on the wazuh-manager? because I did it on both and could that be the cause of this issue?

Thank you,

You received this message because you are subscribed to the Google Groups "Wazuh mailing list" group.
To unsubscribe from this group and stop receiving emails from it, send an email to wazuh+un...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/wazuh/7515a6b2-9e27-43c8-bf0f-c0524acec614n%40googlegroups.com.

[Mariano Koremblum]

Hi Iman,

Please let us get this clear, I have a few questions:

• Do you have a Wazuh agent installed inside your docker container?

• Are you running the log4j POC inside the docker?

• Could you please show us the contents of the /var/log/docker/ directory?

• Could you please share with us some file’s content that you are trying to monitor?

I will be waiting for your reply,

Mariano Koremblum

​

On Thursday, December 8, 2022 at 11:31:28 AM UTC-5 imanmik...@gmail.com wrote:

Hello Mariano, 

All of a sudden a new issue has arise. When I started with Wazuh I configured my wazuh to use a static IP from this https://groups.google.com/g/wazuh/c/GWqq1yyzZBo/m/0mL1MdvWEwAJ#fromHistory . Just now, I can no longer open my wazuh dashboard. I figure this has something to do with the API. I'm thinking of restarting everything (reset everything and restart from 0). Your thoughts on this?

[Iman Mikhael]

Hi Mariano,

Regarding your questions,

• Do you have a Wazuh agent installed inside your docker container?

No, only an agent installed inside the Kali Linux hosting the docker container.

• Are you running the log4j POC inside the docker?

Yes, the target/victim tomcat server is running inside the docker. 

• Could you please show us the contents of the /var/log/docker/ directory?

• Could you please share with us some file’s content that you are trying to monitor?

I don't really get this question. Is it the content of the log file?

[Mariano Koremblum]

Hi Iman,

I mean if you can share any of the log files you are trying to collect, to see what it has inside.

On the other hand, the guide was made to detect log4j vulnerabilities on the very same OS, it does not work if the threat is inside a docker container as the commands are run on the same OS as the Wazuh agent, so you wouldn’t be able to detect if the vulnerability is inside the container.

But still, you have to be able to collect logs from /var/log/docker/, please inspect the /var/ossec/logs/ossec.log file from your agent and grep it to check if it is collecting such logs, you have to see something like “2022/12/15 08:13:08 wazuh-logcollector: INFO: (1950): Analyzing file: '/var/log/docker/docker.log“ among others.

Regards

​