Rule match issue


Sandeep Renjith

Apr 3, 2023, 6:10:22 AM
to Wazuh mailing list
Hey Team, 

I have a rule that doesn't seem to want to match. 

Below is the rule. 

  <rule id="125720" level="3">
          <if_sid>125714</if_sid>
          <match>Trinity.txt.bak</match>
          <description>nmap scan detected</description>
  </rule>


This was tried using the <field> tag and the <url> tag as well, with the same result.

Parent Rule:
  <rule id="125714" level="3">
    <if_sid>125387</if_sid>
    <url>.swp$|.bak$|/.htaccess|/server-status|/.ssh|/.history|/wallet.dat</url>
    <description>Suspicious URL access.</description>
    <mitre>
      <id>T1055</id>
    </mitre>
   <group>pci_dss_6.5,pci_dss_11.4,gdpr_IV_35.7.d,nist_800_53_SA.11,nist_800_53_SI.4,tsc_CC6.6,tsc_CC7.1,tsc_CC8.1,tsc_CC6.1,tsc_CC6.8,tsc_CC7.2,tsc_CC7.3,</group>
   </rule>

Grandparent Rule:

  <rule id="125387" level="0">
    <category>web-log</category>
    <description>Access log messages grouped.</description>
  </rule>


Below is the sample log. 

{"TenantId": "REDACTED", "TimeGenerated": "2023-03-31T02:07:33Z", "ResourceId": "/SUBSCRIPTIONS/REDACTED/RESOURCEGROUPS/REDACTED-PRODENV-WORKLOADS-RG-DR/PROVIDERS/MICROSOFT.NETWORK/APPLICATIONGATEWAYS/REDACTED-APPGW-WAF-PROD-DR", "Category": "ApplicationGatewayAccessLog", "ResourceGroup": "REDACTED-PRODENV-WORKLOADS-RG-DR", "SubscriptionId": "REDACTED", "ResourceProvider": "MICROSOFT.NETWORK", "Resource": "REDACTED-APPGW-WAF-PROD-DR", "ResourceType": "APPLICATIONGATEWAYS", "OperationName": "ApplicationGatewayAccess", "ResultType": "", "CorrelationId": "", "ResultDescription": "", "Tenant_g": "", "JobId_g": "", "RunbookName_s": "", "StreamType_s": "", "Caller_s": "", "requestUri_s": "/nice ports,/Trinity.txt.bak", "Level": "", "DurationMs": null, "CallerIPAddress": "", "OperationVersion": "", "ResultSignature": "", "id_s": "", "status_s": "", "LogicalServerName_s": "", "Message": "", "clientInfo_s": "", "httpStatusCode_d": null, "identity_claim_appid_g": "", "identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g": "", "userAgent_s": "", "ruleName_s": "REDACTED-app", "identity_claim_http_schemas_xmlsoap_org_ws_2005_05_identity_claims_upn_s": "", "systemId_g": "", "isAccessPolicyMatch_b": null, "EventName_s": "", "httpMethod_s": "GET", "subnetId_s": "", "type_s": "", "instanceId_s": "appgw_0", "macAddress_s": "", "vnetResourceGuid_g": "", "direction_s": "", "subnetPrefix_s": "", "primaryIPv4Address_s": "", "conditions_sourcePortRange_s": "", "priority_d": null, "conditions_destinationPortRange_s": "", "conditions_destinationIP_s": "", "conditions_None_s": "", "conditions_sourceIP_s": "", "httpVersion_s": "HTTP/1.0", "matchedConnections_d": null, "startTime_t": null, "endTime_t": null, "DatabaseName_s": "", "clientIP_s": "20.97.48.32", "host_s": "", "requestQuery_s": "", "sslEnabled_s": "on", "clientPort_d": 56809, "httpStatus_d": 500, "receivedBytes_d": 53, "sentBytes_d": 391, "timeTaken_d": 0.002, "resultDescription_ErrorJobs_s": "", 
"resultDescription_ChildJobs_s": "", "identity_claim_http_schemas_microsoft_com_identity_claims_scope_s": "", "workflowId_s": "", "resource_location_s": "", "resource_workflowId_g": "", "resource_resourceGroupName_s": "", "resource_subscriptionId_g": "", "resource_runId_s": "", "resource_workflowName_s": "", "_schema_s": "", "correlation_clientTrackingId_s": "", "properties_sku_Family_s": "", "properties_sku_Name_s": "", "properties_tenantId_g": "", "properties_enabledForDeployment_b": null, "code_s": "", "resultDescription_Summary_MachineId_s": "", "resultDescription_Summary_ScheduleName_s": "", "resultDescription_Summary_Status_s": "", "resultDescription_Summary_StatusDescription_s": "", "resultDescription_Summary_MachineName_s": "", "resultDescription_Summary_TotalUpdatesInstalled_d": null, "resultDescription_Summary_RebootRequired_b": null, "resultDescription_Summary_TotalUpdatesFailed_d": null, "resultDescription_Summary_InstallPercentage_d": null, "resultDescription_Summary_StartDateTimeUtc_t": null, "resource_triggerName_s": "", "resultDescription_Summary_InitialRequiredUpdatesCount_d": null, "properties_enabledForTemplateDeployment_b": null, "resultDescription_Summary_EndDateTimeUtc_s": "", "resultDescription_Summary_DurationInMinutes_s": "", "resource_originRunId_s": "", "properties_enabledForDiskEncryption_b": null, "resource_actionName_s": "", "correlation_actionTrackingId_g": "", "resultDescription_Summary_EndDateTimeUtc_t": null, "resultDescription_Summary_DurationInMinutes_d": null, "conditions_protocols_s": "", "identity_claim_ipaddr_s": "", "ElasticPoolName_s": "", "identity_claim_http_schemas_microsoft_com_claims_authnmethodsreferences_s": "", "RunOn_s": "", "query_hash_s": "", "SourceSystem": "Azure", "MG": "", "ManagementGroupName": "", "Computer": "", "RawData": "", "time_s": "", "collectedBy_s": "", "clientPort_s": "", "site_s": "", "EndpointName_s": "", "Status_s": "", "prefix_s": "", "detail_s": "", "errorLevel_s": "", "domain_s": "", 
"schemaName_s": "", "tableName_s": "", "columnName_s": "", "datatypeName_s": "", "clientIp_s": "", "ruleSetType_s": "", "ruleSetVersion_s": "", "ruleId_s": "", "ruleGroup_s": "", "action_s": "", "details_message_s": "", "details_data_s": "", "details_file_s": "", "details_line_s": "", "hostname_s": "", "policyId_s": "", "policyScope_s": "", "policyScopeName_s": "", "engine_s": "", "timeStamp_t": "2023-03-31T02:07:33Z", "listenerName_s": "REDACTED-https-listener", "backendPoolName_s": "redacted-app-be", "backendSettingName_s": "redacted-app", "originalRequestUriWithArgs_s": "/nice%20ports%2C/Tri%6Eity.txt%2ebak", "clientResponseTime_d": 0.002, "WAFEvaluationTime_s": "0.000", "WAFMode_s": "Detection", "transactionId_g": "c2ee09ee-c101-a7b9-b531-0107d09380dd", "sslCipher_s": "ECDHE-RSA-AES256-GCM-SHA384", "sslProtocol_s": "TLSv1.2", "sslClientVerify_s": "NONE", "sslClientCertificateFingerprint_s": "", "sslClientCertificateIssuerName_s": "", "serverRouted_s": "", "serverStatus_s": "", "serverResponseLatency_s": "", "upstreamSourcePort_s": "", "originalHost_s": "~.*", "attrs_s": "", "containerID_s": "", "ccpNamespace_s": "", "log_s": "", "stream_s": "", "pod_s": "", "Cloud_s": "", "Environment_s": "", "UnderlayClass_s": "", "UnderlayName_s": "", "AdditionalFields": null, "Type": "AzureDiagnostics", "_ResourceId": "/subscriptions/redacted/resourcegroups/redacted-prodenv-workloads-rg-dr/providers/microsoft.network/applicationgateways/redacted-appgw-waf-prod-dr", "azure_tag": "azure-log-analytics", "log_analytics_tag": "AzureDiagnostics"}

Any help would be much appreciated

Benjamin Nworah

Apr 3, 2023, 8:15:46 AM
to Sandeep Renjith, Wazuh mailing list
Hello Sandeep,

I have evaluated your sample log, and I observed that the rule "1002" was triggered. The rule is usually triggered when you have one of the key words in your logs (bad, illegal, corrupted, error, failure, etc.). To suppress this rule, your grandparent rule should take this form:

  <rule id="125387" level="0">
    <if_sid>1002</if_sid>
    <category>web-log</category>
    <description>Access log messages grouped.</description>
  </rule>

In addition, your parent rule contains a decoded field called "url", and for this rule to match, you must have the value in this field decoded. From your sample log, it seems this field is not present.

https://documentation.wazuh.com/current/user-manual/ruleset/ruleset-xml-syntax/rules.html#url

Please let me know if this helps.

Regards,



--
You received this message because you are subscribed to the Google Groups "Wazuh mailing list" group.
To unsubscribe from this group and stop receiving emails from it, send an email to wazuh+un...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/wazuh/bbeb0c8a-3092-4733-8c00-675801ad2414n%40googlegroups.com.
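To make the point about decoded fields concrete, here is an added example (not code from the thread or from the Wazuh project). It takes a trimmed copy of the Application Gateway event posted above, flattens the JSON keys into field names the way a JSON decoder exposes them to rules, and then evaluates the same `.bak$` pattern two ways: against a field named `url` (which the JSON keys never produce) and against the key that actually carries the path, `requestUri_s`. It also shows why matching on `originalRequestUriWithArgs_s` is fragile: that value is percent-encoded (`Tri%6Eity.txt%2ebak`), so a literal "Trinity.txt.bak" only appears after URL decoding. The flattening function, the field names used for the two candidate rules, and the use of Python regular expressions in place of the Wazuh matcher are assumptions made for this illustration.

```python
import json
import re
from urllib.parse import unquote

# Constructed, trimmed copy of the AppGW access log from the thread: only the
# fields the example needs, with the values shown in the original post.
SAMPLE_EVENT = json.dumps({
    "Category": "ApplicationGatewayAccessLog",
    "requestUri_s": "/nice ports,/Trinity.txt.bak",
    "originalRequestUriWithArgs_s": "/nice%20ports%2C/Tri%6Eity.txt%2ebak",
    "httpMethod_s": "GET",
    "clientIP_s": "20.97.48.32",
    "httpStatus_d": 500,
})

# Same alternatives as the parent rule's <url> pattern, written as a Python
# regex (assumption: the Wazuh matcher is approximated, not reproduced).
SUSPICIOUS_URL = re.compile(
    r"\.swp$|\.bak$|/\.htaccess|/server-status|/\.ssh|/\.history|/wallet\.dat"
)


def decode_json_event(raw: str) -> dict:
    """Flatten a JSON event into dotted field names (hypothetical model of a
    JSON decoder). Only the keys present in the event become fields; nothing
    named 'url' is synthesised, which is the crux of the thread."""
    def walk(obj, prefix=""):
        for key, value in obj.items():
            name = f"{prefix}.{key}" if prefix else key
            if isinstance(value, dict):
                yield from walk(value, name)
            else:
                yield name, "" if value is None else str(value)
    return dict(walk(json.loads(raw)))


def rule_matches_field(fields: dict, field_name: str, pattern: re.Pattern) -> bool:
    """Model of a rule keyed on a decoded field: a missing field never matches."""
    value = fields.get(field_name)
    return value is not None and pattern.search(value) is not None


def evaluate(raw: str) -> dict:
    """Evaluate the candidate rules against one event and report each outcome."""
    fields = decode_json_event(raw)
    encoded = fields["originalRequestUriWithArgs_s"]
    return {
        # Equivalent of <url>: looks for a decoded field called 'url'.
        "url_field_rule": rule_matches_field(fields, "url", SUSPICIOUS_URL),
        # Equivalent of <field name="requestUri_s">: the key the event has.
        "requestUri_rule": rule_matches_field(fields, "requestUri_s", SUSPICIOUS_URL),
        # The percent-encoded form hides the literal filename...
        "encoded_literal": "Trinity.txt.bak" in encoded,
        # ...until it is URL-decoded, which restores 'Trinity.txt.bak'.
        "decoded_literal": "Trinity.txt.bak" in unquote(encoded),
    }


if __name__ == "__main__":
    for name, outcome in evaluate(SAMPLE_EVENT).items():
        print(f"{name:18} {outcome}")
```

The takeaway for rule writing is to key the child rule on a field the decoder really produces for this log source and to match the normalised path rather than the raw encoded one; the `url_field_rule` line stays false no matter what pattern you put in it, because the field is simply absent from the decoded event.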

Chukwudi Ben

Apr 3, 2023, 10:40:24 AM
to Sandeep Renjith, Wazuh mailing list
Hello Sandeep,

Thank you for using Wazuh.

Please give me some time to review this and revert back.

Thank you,



Benjamin Nworah

Apr 3, 2023, 12:26:59 PM
to Sandeep Renjith, Wazuh mailing list
Hello Sandeep,

Are you saying that the parent rule 125714 is working, while the rule 125720 is not triggered?

Could you please confirm that you don't have a duplicate rule id (125720)?

Regards,

On Mon, Apr 3, 2023 at 3:40 PM Sandeep Renjith <sandeep...@gmail.com> wrote:
Hey Benjamin, 

Sorry I didn't make this clearer earlier.
In my case, the rule that's getting hit is 125714, which is the parent rule for the rule I created.

Below for reference.
---
Below is the rule. 

  <rule id="125720" level="3">
          <if_sid>125714</if_sid>
          <match>Trinity.txt.bak</match>
          <description>nmap scan detected</description>
  </rule>


This was tried using the <field> tag and the <url> tag as well, with the same result.

Parent Rule:
  <rule id="125714" level="3">
    <if_sid>125387</if_sid>
    <url>.swp$|.bak$|/.htaccess|/server-status|/.ssh|/.history|/wallet.dat</url>
    <description>Suspicious URL access.</description>
    <mitre>
      <id>T1055</id>
    </mitre>
   <group>pci_dss_6.5,pci_dss_11.4,gdpr_IV_35.7.d,nist_800_53_SA.11,nist_800_53_SI.4,tsc_CC6.6,tsc_CC7.1,tsc_CC8.1,tsc_CC6.1,tsc_CC6.8,tsc_CC7.2,tsc_CC7.3,</group>
   </rule>
---