Log4j exploit rule is not detected


Iman Mikhael

Dec 3, 2022, 12:50:39 PM
to Wazuh mailing list
Hello, 

I have added the rule to detect Log4j exploits in /var/ossec/etc/rules/local_rules.xml as in https://wazuh.com/blog/detecting-log4shell-with-wazuh/ . As the system is running in a docker container, I have also configured the Wazuh server to pull logs from the docker container in /var/ossec/etc/ossec.conf.

However, whenever I run a Log4j POC as in https://github.com/taise-hub/log4j-poc , no logs appeared. Any idea or thoughts on what I did wrong?

Mariano Koremblum

Dec 5, 2022, 12:25:01 AM
to Wazuh mailing list

Hi Iman,

Did you reset your manager after adding the rule to that file? Do you see any errors/warnings related to rule loading in /var/ossec/logs/ossec.log?

I will be waiting for your reply,

Mariano Koremblum

Iman Mikhael

Dec 5, 2022, 9:57:42 AM
to Wazuh mailing list
Hello Mariano, 

I have added the rule to detect Log4j exploits in /var/ossec/etc/rules/local_rules.xml as in https://wazuh.com/blog/detecting-log4shell-with-wazuh/ . As the system is running in a docker container, I have also configured the Wazuh server to pull logs from the docker container in /var/ossec/etc/ossec.conf.

However, whenever I run a Log4j POC as in https://github.com/taise-hub/log4j-poc , no logs appeared. Any idea or thoughts on what I did wrong?


Mariano Koremblum

Dec 5, 2022, 10:32:14 AM
to Wazuh mailing list
Hi again Iman,

What version of the manager and agents are you using?

Iman Mikhael

Dec 6, 2022, 3:53:49 AM
to Wazuh mailing list
Hey there, 

I am currently using version 4.3.10

Iman Mikhael

Dec 6, 2022, 3:55:49 AM
to Wazuh mailing list
Plus, I am using the OVA version

Mariano Koremblum

Dec 6, 2022, 8:49:38 AM
to Wazuh mailing list

Could you please try following the steps again, but in this case, when you change the permissions, change them to wazuh:wazuh instead of ossec:ossec as follows:

chown wazuh:wazuh /var/ossec/etc/shared/default/log4j_check.yml

Please, let us know if it worked

Iman Mikhael

Dec 6, 2022, 11:04:55 AM
to Mariano Koremblum, Wazuh mailing list
Hi Mariano,

I did as you told but it still did not work.


Mariano Koremblum

Dec 7, 2022, 10:30:18 AM
to Wazuh mailing list

Hi Iman,

Could you please show us how you configured the docker log collection that you added in the ossec.conf file?

Regards

Iman Mikhael

Dec 8, 2022, 1:47:28 AM
to Mariano Koremblum, Wazuh mailing list
Hi Mariano, 

This is my ossec.conf file on the Kali Linux agent. I do want to ask: do I need to do the same on the wazuh-manager? I did it on both, and could that be the cause of this issue?

Thank you,





Mariano Koremblum

Dec 14, 2022, 1:00:46 PM
to Wazuh mailing list

Hi Iman,

Please let us get this clear, I have a few questions:

  • Do you have a Wazuh agent installed inside your docker container?

  • Are you running the log4j POC inside the docker?

  • Could you please show us the contents of the /var/log/docker/ directory?

  • Could you please share with us some file’s content that you are trying to monitor?

I will be waiting for your reply,

Mariano Koremblum

On Thursday, December 8, 2022 at 11:31:28 AM UTC-5 imanmik...@gmail.com wrote:
Hello Mariano, 

All of a sudden a new issue has arisen. When I started with Wazuh I configured my Wazuh to use a static IP from this https://groups.google.com/g/wazuh/c/GWqq1yyzZBo/m/0mL1MdvWEwAJ#fromHistory . Just now, I can no longer open my Wazuh dashboard. I figure this has something to do with the API. I'm thinking of restarting everything (reset everything and restart from 0). Your thoughts on this?

Iman Mikhael

Dec 14, 2022, 1:21:47 PM
to Wazuh mailing list
Hi Mariano,

Regarding your questions,
  • Do you have a Wazuh agent installed inside your docker container?

No, only an agent installed inside the Kali Linux hosting the docker container.
  • Are you running the log4j POC inside the docker?

Yes, the target/victim tomcat server is running inside the docker. 
  • Could you please show us the contents of the /var/log/docker/ directory?

  • Could you please share with us some file’s content that you are trying to monitor?

I don't really get this question. Is it the content of the log file?

Mariano Koremblum

Dec 15, 2022, 3:15:50 AM
to Wazuh mailing list

Hi Iman,

I mean if you can share any of the log files you are trying to collect, to see what it has inside.

On the other hand, the guide was made to detect log4j vulnerabilities on the very same OS; it does not work if the threat is inside a docker container, as the commands are run on the same OS as the Wazuh agent, so you wouldn't be able to detect the vulnerability if it is inside the container.

But still, you have to be able to collect logs from /var/log/docker/. Please inspect the /var/ossec/logs/ossec.log file from your agent and grep it to check whether it is collecting such logs; you have to see something like "2022/12/15 08:13:08 wazuh-logcollector: INFO: (1950): Analyzing file: '/var/log/docker/docker.log'" among others.

Regards
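As an added example (not part of the thread or of Wazuh itself), here is a small POSIX shell check that implements the verification Mariano describes above: it scans an ossec.log for the logcollector's "(1950): Analyzing file" lines and confirms that /var/log/docker/docker.log is among the monitored paths. The ossec.log lines in the sample are constructed; only the "(1950)" message format follows the one quoted in the thread.

```shell
#!/bin/sh
# Added example: check whether the Wazuh agent's logcollector reports
# that it is analyzing a given file, by scanning ossec.log for the
# "wazuh-logcollector: INFO: (1950): Analyzing file: '<path>'" lines.

# Print every path the logcollector says it is analyzing, one per line.
logcollector_files() {
    # $1 = path to an ossec.log
    sed -n "s/^.*wazuh-logcollector: INFO: (1950): Analyzing file: '\([^']*\)'.*$/\1/p" "$1"
}

# Exit 0 if the logcollector reports analyzing exactly the path in $2, else 1.
logcollector_monitors() {
    # $1 = path to an ossec.log, $2 = file path expected to be monitored
    logcollector_files "$1" | grep -Fxq -- "$2"
}

# Constructed sample ossec.log so the script runs stand-alone (not a real log).
SAMPLE_LOG="${TMPDIR:-/tmp}/ossec.log.sample.$$"
cat > "$SAMPLE_LOG" <<'EOF'
2022/12/15 08:13:08 wazuh-logcollector: INFO: (1950): Analyzing file: '/var/log/syslog'.
2022/12/15 08:13:08 wazuh-logcollector: INFO: (1950): Analyzing file: '/var/log/docker/docker.log'.
2022/12/15 08:13:09 wazuh-logcollector: INFO: (1950): Analyzing file: '/var/log/auth.log'.
EOF

# Report whether the docker log is being collected; on a real agent point
# SAMPLE_LOG at /var/ossec/logs/ossec.log instead.
if logcollector_monitors "$SAMPLE_LOG" /var/log/docker/docker.log; then
    echo "logcollector is analyzing /var/log/docker/docker.log"
else
    echo "no 'Analyzing file' entry for /var/log/docker/docker.log: check the <localfile> block in ossec.conf and restart the agent"
fi
```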
