Wondering if this is possible...


Jamie Navarro

May 1, 2023, 8:11:46 AM
to Wazuh mailing list

I have the latest Wazuh, v4.4.0. I'm collecting logs from my router via remote syslog, particularly the DHCP logs. I've got decoders and rules working, with a lot of help from you guys (Wazuh support).

Here's the pertinent rule:

<rule id="100010" level="3">
    <decoded_as>SGPfsense</decoded_as>
    <field name="dhcpreqorack">DHCPACK</field>
    <description>SG - IP address $(ipassigned) assigned to $(tomacaddress)</description>
</rule>

Again, this is working great, thank you.

Now for my actual question. I was wondering if it's possible to do something like this - have a text file (maybe a .csv file, or .txt file, or some other type of text file) somewhere on the Wazuh server that contains a list of known MAC addresses that connect to my network. So something like this:

knownmacaddressesonmynetwork.txt

59:09:aa:dd:58:8c
a9:b8:6c:04:05:77
b9:7b:34:7b:95:96
9c:f8:2e:f9:e6:ae
58:4c:94:a6:2d:9b

With that file in place, I would like the following to happen:

Every time my rule #100010 fires, compare the $(tomacaddress) to the list of MAC addresses in my 'knownmacaddressesonmynetwork.txt' file. If it's not in the list, then alert me with another alert and/or email. And then possibly automatically add the new MAC address to the end of the file (I'm still deciding if I want to do that or not, but leaning toward I would like to do that).

I have a feeling that, Wazuh being so awesome, this is possible, but being a Wazuh newbie, I have no idea where to even start. I'm guessing it would involve some sort of Python script, which I'm totally fine with - I know some basic Python scripting, but I just don't know what has to happen on the Wazuh side of things.

I'm not trying to ask anyone to do this for me or spell out every single step in every single detail. I was just hoping for some basic guidance or a general outline of the things I would need to do. Or at the very least, where the heck do I start?


Thank you,

Jamie

Antonio Kim

May 2, 2023, 12:35:36 PM
to Wazuh mailing list
Hi Jamie,

Thanks for using Wazuh.
As you mentioned before, I suggest the following:

1. Write a Python script that reads the list of known MAC addresses from the file 'knownmacaddressesonmynetwork.txt' and stores them in a data structure such as a list or a set.
2. Use the Wazuh ElasticSearch API to query the alerts generated by your rule #100010.
3. For each alert returned by the API, extract the MAC address from the $(tomacaddress) field.
4. Check if the MAC address is in the list of known MAC addresses you read from the file in step 1. If it's not, generate a new alert or send an email to alert you about the new device on the network.

This last step could be handled by adding a line to an event log that can be detected by a different alert rule, which then sends an email.

In relation to the API and the alert information:

Since the Wazuh alerts are indexed, I’m afraid you will have to use the ElasticSearch API instead of the Wazuh one. This should not be any harder though.

Taking a look at the ElasticSearch API documentation, there’s the Search API, which returns hits that match the query in the request from an index. To build the request, you will need the following:

  • Wazuh indexer IP
  • Wazuh alerts index: wazuh-alerts*
  • Elastic admin user credentials: The credentials you use to access the Wazuh dashboard.

Now, the basic request to retrieve all your alerts would be:

curl -k -u <USER>:<PASSWORD> -X GET "https://<WAZUH_INDEXER_IP>:9200/wazuh-alerts-4.x-*/_search"


Keep in mind that this API can receive several parameters to filter results. For instance, if you want to retrieve all the alerts from a certain day, taking a look at the index format from a hit in the general request (response.hits.hits[0]):

{
  "_index" : "wazuh-alerts-4.x-2022.07.04",
  "_type" : "_doc",
  "_id" : "H-v8x4EB0YHjKc-sy-p-",
  "_score" : 0.41501677,
  "_source" : {
    "syscheck" : {
      "uname_after" : "root",
      "mtime_after" : "2022-07-04T06:53:57",
      "size_after" : "0",
      "gid_after" : "0",
      "mode" : "realtime",
      "path" : "/test/testing_file",
      "sha1_after" : "da39a3ee5e6b4b0d3255bfef95601890afd80709",
      "gname_after" : "root",
      "uid_after" : "0",
      "perm_after" : "rw-r--r--",
      "event" : "added",
      "md5_after" : "d41d8cd98f00b204e9800998ecf8427e",
      "sha256_after" : "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
      "inode_after" : 29017
    },
    "agent" : { "name" : "wazuh.manager", "id" : "000" },
    "manager" : { "name" : "wazuh.manager" },
    (...)
Hope this information will be useful for you.

If you have some questions, do not hesitate to contact me.

Antonio
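The four steps above, worked through as an added example (this is not code from the thread, from Wazuh, or from Antonio): read the known-MAC file, build a time-bounded `_search` query for rule 100010, pull `tomacaddress` out of each hit, and emit a JSON line for any MAC not on the list. It assumes the decoded field is indexed as `data.tomacaddress` (Wazuh stores decoder fields under `data`), that alerts carry a `timestamp` field, and that the index pattern is `wazuh-alerts-4.x-*`; the sample response and known-MAC text are constructed, and the live `search_alerts` call is only reached from `__main__`.

```python
"""Added example, not code from the thread or from Wazuh: the four steps
Antonio outlines, done against the indexer's _search API.
Assumptions: the decoded field is stored as data.tomacaddress (Wazuh puts
decoder fields under 'data'), alerts carry a 'timestamp' field, and the
index pattern is wazuh-alerts-4.x-*."""
import json
import re
import ssl
import urllib.request
from base64 import b64encode

MAC_RE = re.compile(r"^[0-9a-f]{2}(?::[0-9a-f]{2}){5}$")


def load_known_macs(text):
    """Parse the contents of knownmacaddressesonmynetwork.txt into a set.
    Lowercases, skips blank lines and '#' comments, drops malformed entries."""
    known = set()
    for line in text.splitlines():
        line = line.strip().lower()
        if line and not line.startswith("#") and MAC_RE.match(line):
            known.add(line)
    return known


def build_query(rule_id="100010", since="now-5m", size=100):
    """Search body for alerts of one rule newer than 'since' (ES date math).
    Filtering by time, not by 'last N alerts', is what keeps a cron run from
    re-reading alerts it already saw: run every 5 minutes, ask for now-5m."""
    return {
        "size": size,
        "sort": [{"timestamp": {"order": "desc"}}],
        "query": {"bool": {"filter": [
            {"term": {"rule.id": rule_id}},
            {"range": {"timestamp": {"gt": since}}},
        ]}},
    }


def search_alerts(indexer_url, user, password, body, cafile=None):
    """POST body to <indexer>/wazuh-alerts-4.x-*/_search and return the JSON.
    Pass the indexer's CA file instead of disabling verification (curl -k)."""
    ctx = ssl.create_default_context(cafile=cafile)
    token = b64encode(f"{user}:{password}".encode()).decode()
    req = urllib.request.Request(
        f"{indexer_url}/wazuh-alerts-4.x-*/_search",
        data=json.dumps(body).encode(),
        headers={"Content-Type": "application/json",
                 "Authorization": f"Basic {token}"},
        method="POST",
    )
    with urllib.request.urlopen(req, context=ctx, timeout=30) as resp:
        return json.load(resp)


def unknown_macs(search_response, known):
    """Walk hits.hits, read data.tomacaddress, return the MACs not in 'known'
    as (mac, ip, timestamp) tuples, newest first (the query sorts desc)."""
    found = []
    for hit in search_response.get("hits", {}).get("hits", []):
        src = hit.get("_source", {})
        data = src.get("data", {})
        mac = str(data.get("tomacaddress", "")).strip().lower()
        if MAC_RE.match(mac) and mac not in known:
            found.append((mac, data.get("ipassigned"), src.get("timestamp")))
    return found


def format_event(mac, ip, timestamp):
    """One JSON line to append to a file Wazuh monitors; a second custom rule
    matching program=check-known-mac can then raise the alert or the email."""
    return json.dumps({"program": "check-known-mac", "event": "unknown_mac",
                       "mac": mac, "ip": ip, "first_seen": timestamp})


# Constructed sample data (not real network data), shaped like a _search reply.
SAMPLE_KNOWN = "59:09:aa:dd:58:8c\na9:b8:6c:04:05:77\n# printer\nb9:7b:34:7b:95:96\n"
SAMPLE_RESPONSE = {"hits": {"hits": [
    {"_source": {"timestamp": "2023-05-01T08:10:02.000+0000", "rule": {"id": "100010"},
                 "data": {"dhcpreqorack": "DHCPACK", "ipassigned": "192.168.1.20",
                          "tomacaddress": "A9:B8:6C:04:05:77"}}},
    {"_source": {"timestamp": "2023-05-01T08:09:40.000+0000", "rule": {"id": "100010"},
                 "data": {"dhcpreqorack": "DHCPACK", "ipassigned": "192.168.1.77",
                          "tomacaddress": "de:ad:be:ef:00:01"}}},
]}}


def demo():
    """Offline run over the sample data; returns the unknown MACs found."""
    return unknown_macs(SAMPLE_RESPONSE, load_known_macs(SAMPLE_KNOWN))


if __name__ == "__main__":
    for mac, ip, ts in demo():
        print(format_event(mac, ip, ts))
    # Live run (needs the indexer): search_alerts("https://<WAZUH_INDEXER_IP>:9200",
    #     "<USER>", "<PASSWORD>", build_query(), cafile="/path/to/root-ca.pem")
```

Run from cron every 5 minutes with `since="now-5m"` and the time filter, not a fixed alert count, decides which alerts are new; MACs are lowercased on both sides so case differences in the router's logging never produce a false "unknown".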

Jamie Navarro

May 2, 2023, 5:46:55 PM
to Wazuh mailing list
Hi Antonio,

Thank you for the explanation!

But, now that brings up a couple more questions:

1. Would a Python script be the best/easiest way to query the Elasticsearch API, or is there a better way?

2. Assuming I do go with a Python script, how would I determine when/how to run the script? Is there a way that Wazuh could execute the Python script every time my rule #100010 is triggered? If Wazuh does not do this, then would I just use cron to execute the Python script every 5 minutes or something like that? And how would I keep track of what alerts I've already queried? Would I choose an arbitrary number of past alerts to query like 50? (So for example: every 5 minutes, query the past 50 alerts for my rule #100010?)
If Wazuh could trigger the Python script every time an alert for rule #100010 is created, then I could just simply query that alert, and that alert only, so I'm hoping that that's possible. ;)

OK, I think that's it...for now. ;)

Thank you again Antonio,
Jamie

Antonio Kim

May 3, 2023, 4:17:13 AM
to Wazuh mailing list
Hi Jamie!

Thanks for using Wazuh.
You can handle your Python script without a cron execution. There is a custom Active Response that you can find in this documentation.

Hope this information will be useful for you.

Antonio
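What the active-response route looks like, as an added example (not code from the thread, from Wazuh, or from Antonio): a custom active-response script that the manager runs only when rule 100010 fires, so there is no polling and no bookkeeping of which alerts were already seen. Wazuh 4.x hands the triggering alert to the script as a single JSON message on stdin, with the alert under `parameters.alert` and `command` set to `add`; the script checks `data.tomacaddress` against the known-MAC file, appends one JSON line for a follow-up rule to match, and can append the new MAC to the file. The file paths, the `check-known-mac` command name, and the `ossec.conf` wiring shown in the comment are assumptions for this example; the sample message is constructed.

```python
"""Added example, not from the thread or from Wazuh: custom active-response
script for rule 100010. Assumed wiring in the manager's ossec.conf:
  <command>
    <name>check-known-mac</name>
    <executable>check-known-mac.py</executable>
    <timeout_allowed>no</timeout_allowed>
  </command>
  <active-response>
    <command>check-known-mac</command>
    <location>server</location>   <!-- router logs arrive at the manager -->
    <rules_id>100010</rules_id>
  </active-response>
The script lives in /var/ossec/active-response/bin/ (assumed path)."""
import json
import sys
from datetime import datetime, timezone

KNOWN_FILE = "/var/ossec/etc/lists/knownmacaddressesonmynetwork.txt"  # assumed
LOG_FILE = "/var/ossec/logs/active-responses.log"                     # assumed
AUTO_ADD = False  # Jamie is still deciding; keep appending opt-in


def load_known(text):
    """Known-MAC file contents -> lowercase set, ignoring blanks and '#' lines."""
    lines = (line.strip().lower() for line in text.splitlines())
    return {line for line in lines if line and not line.startswith("#")}


def process_alert(message, known, auto_add=False):
    """Classify the MAC in one active-response message.
    Returns None for messages that are not 'add' (Wazuh sends 'delete' to
    undo a timed response), otherwise a dict that becomes the log line.
    With auto_add the MAC is added to the in-memory set; main() persists it."""
    if message.get("command") != "add":
        return None
    alert = message.get("parameters", {}).get("alert", {})
    data = alert.get("data", {})
    mac = str(data.get("tomacaddress", "")).strip().lower()
    if not mac:
        return {"status": "no_mac", "rule": alert.get("rule", {}).get("id")}
    new = mac not in known
    if new and auto_add:
        known.add(mac)
    return {
        "status": "unknown_mac" if new else "known_mac",
        "mac": mac,
        "ip": data.get("ipassigned"),
        "agent": alert.get("agent", {}).get("name"),
        "added": bool(new and auto_add),
    }


def format_log_line(result):
    """JSON line with a fixed program name, so a custom rule can match
    program=check-known-mac and status=unknown_mac and send the email."""
    record = {"timestamp": datetime.now(timezone.utc).isoformat(),
              "program": "check-known-mac", **result}
    return json.dumps(record)


# Constructed sample message in the shape wazuh-execd writes to stdin.
SAMPLE_MESSAGE = {
    "version": 1,
    "origin": {"name": "wazuh.manager", "module": "wazuh-analysisd"},
    "command": "add",
    "parameters": {"extra_args": [], "program": "check-known-mac.py", "alert": {
        "timestamp": "2023-05-01T08:11:46.000+0000",
        "rule": {"id": "100010", "level": 3},
        "agent": {"id": "000", "name": "wazuh.manager"},
        "data": {"dhcpreqorack": "DHCPACK", "ipassigned": "192.168.1.77",
                 "tomacaddress": "DE:AD:BE:EF:00:01"},
    }},
}


def main():
    message = json.loads(sys.stdin.read())  # whole message, one JSON document
    try:
        with open(KNOWN_FILE) as f:
            known = load_known(f.read())
    except FileNotFoundError:
        known = set()  # missing list: every MAC is reported as unknown
    result = process_alert(message, known, AUTO_ADD)
    if result is None:
        return
    with open(LOG_FILE, "a") as log:
        log.write(format_log_line(result) + "\n")
    if result.get("added"):
        with open(KNOWN_FILE, "a") as f:
            f.write(result["mac"] + "\n")


if __name__ == "__main__":
    main()
```

Because the script only ever sees the one alert that triggered it, the "which alerts have I already queried" problem from the earlier question disappears; the trade-off is that the script runs with the manager's privileges and appends to the known-MAC file, so keep that file writable only by the Wazuh user and let the follow-up rule, not the script, decide about the email.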