creation of my first rule


Felipe Andres Concha Sepúlveda

Sep 27, 2018, 3:57:14 AM
to Wazuh mailing list
Hello everyone, I am creating my first rule in Wazuh and I have some problems: I do not see it in Kibana.

I created the rule in /var/ossec/etc/rules/local_rules.xml
The rule searches a file for an IP list



The decoder was already created in /var/ossec/ruleset/decoders/0006-json_decoders.xml

In my agent I created a file /var/log/testfelipelog, and inside that file I copied a sample of a JSON log:

{"timestamp": 1537350772472, "host": "www.google.com", "method": "GET", "path": "/searchdomaincheck?format=domain&type=chrome", "headers": {":authority": "www.google.com", "user-agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3497.100 Safari/537.36", "accept-encoding": "gzip, deflate, br", "accept-language": "es-ES,es;q=0.9", "cookie": "CONSENT=YES+ES.es+V11; NID=139=Qhx72haErNSZ_TEdpepW7Zx-8EV2HXolENhX0BMT0uwQ3xq1LxsNTALYxgaY3y2C7XrTTMzrxXe1SHFFVmiK_lEVwKmIi7_-fzoC8sDtgJvOA7qBgnmn_MxLRMYvb2vc; 1P_JAR=2018-9-18-16"}, "query": {"format": "domain", "type": "chrome"}, "content": {}, "address": "10.80.70.73"}
{"timestamp": 1537350774414, "host": "sec-tws-prod-vip.webex.com", "method": "POST", "path": "/metric/v1", "headers": {"Host": "sec-tws-prod-vip.webex.com", "Connection": "keep-alive", "Content-Length": "301", "Origin": "chrome-extension://jlhmfgmfgeifomenelglieieghnjghma", "confId": "00000000", "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3497.100 Safari/537.36", "Content-Type": "text/plain", "siteId": "000000", "timeStamp": "1537350768398", "metricsTicket": "YzJWakxYUjNjeTF3Y205a0xYWnBjQzUzWldKbGVDNWpiMjA9", "appName": "Cisco-WebEx-Extension", "appId": "65014E32-67C8-4698-9D92-9528BE74F65A", "ver": "2.0", "Accept": "*/*", "Accept-Encoding": "gzip, deflate, br", "Accept-Language": "es-ES,es;q=0.9"}, "query": {}, "content": "{\"telemetrics\":[{\"t\":\"PageView\",\"ts\":\"2018-09-19T11:52:48.403+0200\",\"tid\":\"0acd5e1c-5e96-9576-eff9-2a73567af579\",\"cid\":\"ef3ece12-d51f-c43c-2860-dab5333b570d\",\"pd\":\"unknown\",\"ver\":\"2.0\",\"v\":{\"title\":\"\",\"location\":\"chrome-extension://jlhmfgmfgeifomenelglieieghnjghma/_generated_background_page.html\"}}]}", "address": "10.80.70.73"}
{"timestamp": 1537350815661, "host": "www.google.es", "method": "GET", "path": "/complete/search?client=chrome-omni&gs_ri=chrome-ext-ansg&xssi=t&q=&oit=0&gs_rn=42&sugkey=AIzaSyBOti4mM-6x9WDnZIjIeyEU21OpBXqWBgw", "headers": {":authority": "www.google.es", "x-client-data": "CI+2yQEIo7bJAQjBtskBCKmdygEI2J3KAQjancoBCKijygEYmpjKARj5pcoB", "user-agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3497.100 Safari/537.36", "accept-encoding": "gzip, deflate, br", "accept-language": "es-ES,es;q=0.9", "cookie": "CGIC=IlV0ZXh0L2h0bWwsYXBwbGljYXRpb24veGh0bWwreG1sLGFwcGxpY2F0aW9uL3htbDtxPTAuOSxpbWFnZS93ZWJwLGltYWdlL2FwbmcsKi8qO3E9MC44; CONSENT=YES+ES.es+V11; OGPC=19008104-1:; _gcl_au=1.1.2043446817.1537287892; NID=139=OnRwm056lILnLnJKCRvx1wgbEJ57Adm19HE37y1m-4Ilw2yIxbHk5OvSlb95RdSTM8LGcj66iIANlYktUHKhiKWxtUtTHhP3W1691mBL8bKlvyNc4y6jqeX_y6keJCpi1gwNtuCmyQuiJH6F4KZQWOHTGlYX2_XkZg; 1P_JAR=2018-9-19-9"}, "query": {"client": "chrome-omni", "gs_ri": "chrome-ext-ansg", "xssi": "t", "q": "", "oit": "0", "gs_rn": "42", "sugkey": "AIzaSyBOti4mM-6x9WDnZIjIeyEU21OpBXqWBgw"}, "content": {}, "address": "10.80.70.73"}
{"timestamp": 1537350816687, "host": "www.google.es", "method": "GET", "path": "/complete/search?client=chrome-omni&gs_ri=chrome-ext-ansg&xssi=t&q=&oit=0&gs_rn=42&sugkey=AIzaSyBOti4mM-6x9WDnZIjIeyEU21OpBXqWBgw", "headers": {":authority": "www.google.es", "x-client-data": "CI+2yQEIo7bJAQjBtskBCKmdygEI2J3KAQjancoBCKijygEYmpjKARj5pcoB", "user-agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3497.100 Safari/537.36", "accept-encoding": "gzip, deflate, br", "accept-language": "es-ES,es;q=0.9", "cookie": "CGIC=IlV0ZXh0L2h0bWwsYXBwbGljYXRpb24veGh0bWwreG1sLGFwcGxpY2F0aW9uL3htbDtxPTAuOSxpbWFnZS93ZWJwLGltYWdlL2FwbmcsKi8qO3E9MC44; CONSENT=YES+ES.es+V11; OGPC=19008104-1:; _gcl_au=1.1.2043446817.1537287892; NID=139=OnRwm056lILnLnJKCRvx1wgbEJ57Adm19HE37y1m-4Ilw2yIxbHk5OvSlb95RdSTM8LGcj66iIANlYktUHKhiKWxtUtTHhP3W1691mBL8bKlvyNc4y6jqeX_y6keJCpi1gwNtuCmyQuiJH6F4KZQWOHTGlYX2_XkZg; 1P_JAR=2018-9-19-9"}, "query": {"client": "chrome-omni", "gs_ri": "chrome-ext-ansg", "xssi": "t", "q": "", "oit": "0", "gs_rn": "42", "sugkey": "AIzaSyBOti4mM-6x9WDnZIjIeyEU21OpBXqWBgw"}, "content": {}, "address": "10.80.70.73"}


In my agent I edited the ossec.conf file to read that file

In my Wazuh manager the test of the rule looks good. But when I add a line to the agent's log, I do not see any alerts in Kibana.

Jesus Linares

Sep 27, 2018, 6:44:49 AM
to Wazuh mailing list
Hi Felipe,

Usually, you need to link the rule with the decoder. In your case, I would use decoded_as json and some specific field. Here is a similar example:

<rule id="80200" level="0">
    <decoded_as>json</decoded_as>
    <field name="aws.eventSource">\.+</field>
    <description>Amazon $(aws.source) alerts.</description>
</rule>

On the other hand, review if you compiled the CDB list: /var/ossec/bin/ossec-makelists (https://documentation.wazuh.com/current/user-manual/ruleset/cdb-list.html). Then, restart the manager in order to load the new decoders/rules/lists.

Let me know if that works.

Thanks,
Jesus Linares.
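As an added example (not code from the thread or from the Wazuh ruleset), here is how the two pieces Jesus mentions, the decoded_as link and the CDB list, fit together in local_rules.xml for a JSON log shaped like Felipe's, where the client IP is in the top-level "address" field. The rule ids, the group names and the list path etc/lists/blocked-ips are assumptions.

```xml
<!-- Added example for local_rules.xml: a JSON-decoded parent rule plus a
     child rule that checks the "address" field against a CDB list.
     Rule ids 100100/100101, the group names and the list path are
     hypothetical; only the "address"/"host"/"path" fields come from the
     sample log lines in the thread. -->
<group name="local,json_proxy,">

  <!-- Parent rule: the "link" to the JSON decoder. Level 0 never produces
       an alert by itself, so a level-0 rule alone shows nothing in
       alerts.json or Kibana; a child rule with level >= 3 is required. -->
  <rule id="100100" level="0">
    <decoded_as>json</decoded_as>
    <field name="address">\.+</field>
    <description>JSON proxy log with a client address.</description>
  </rule>

  <!-- Child rule: fires only when the decoded "address" value is a key in
       the compiled CDB list. address_match_key treats keys as IPs/CIDR
       ranges, so "10.80.70.0/24:" in the list would also match. -->
  <rule id="100101" level="10">
    <if_sid>100100</if_sid>
    <list field="address" lookup="address_match_key">etc/lists/blocked-ips</list>
    <description>Request from listed IP $(address) to $(host)$(path)</description>
    <group>ip_blocklist,</group>
  </rule>

</group>
```

The list source etc/lists/blocked-ips holds one "ip:" line per entry (for example "10.80.70.73:"), must be declared as <list>etc/lists/blocked-ips</list> under <ruleset> in the manager's ossec.conf, and is compiled with /var/ossec/bin/ossec-makelists before the manager restart. Pasting one of the sample log lines into /var/ossec/bin/ossec-logtest should then show the chain 100100 -> 100101 with the decoded "address" field, which is the quickest way to confirm the link before looking in Kibana.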

Felipe Andres Concha Sepúlveda

Sep 28, 2018, 7:54:31 AM
to Jesus Linares, Wazuh mailing list
Thank you Jesus, I added the decoder and now I am seeing the alerts!!!
I also had a problem with the versions and I was not receiving any alerts; now everything is fine!

Thank you!!!


Jesus Linares

Sep 28, 2018, 12:55:04 PM
to Wazuh mailing list
I'm glad that it is working. Remember that every rule needs a "link": decoded_as, if_sid, if_group, if_matched_sid, etc. Otherwise, the behavior can be hard to predict.

Regards,
Jesus Linares.