Value comparison by rule


Kotory

Oct 11, 2022, 2:29:18 AM
to Wazuh mailing list
Hello Wazuh team.
For a few days I've been trying to wrap my head around a way to compare a specific extracted field with the previous value in the same field.

The plot: I have custom generated logs where, alongside different fields, the versions of installed software are also present. Logs are properly decoded and ingested.

The goal: create child rules with different severity levels which will fire when this value changes (upgrade or downgrade).

Is there any way to read a value previously indexed by Wazuh and compare it with the new one?
Or maybe there is another smart way to achieve my goal which I'm missing.

Thank you.

Kotory

Oct 11, 2022, 6:10:47 AM
to Wazuh mailing list
My current attempt looks like this, although I'm not sure how to compare version numbers (upgrade or downgrade) since their syntax is vastly different from software to software.

<rule id="100560" level="10" frequency="2" timeframe="86400">
    <if_matched_sid>100550</if_matched_sid>
    <same_field>ComputerName</same_field>
    <same_field>DisplayName</same_field>
    <different_field>DisplayVersion</different_field>
    <description>Software Version has been changed</description>
</rule>

Christian Borla

Oct 11, 2022, 9:48:55 AM
to Wazuh mailing list
Hi!
I hope you are doing fine!
I'm working on this. I think your rule is correct. Maybe it will be necessary to modify a decoder to capture the numbers in a new field, but that will work only for a specific format.
Do you have any example log to test it?
I will keep looking for more information.
Regards!

Kotory

Oct 11, 2022, 10:10:33 AM
to Wazuh mailing list
Thank you for the response. Sure, here are some sample logs:

{"DisplayName":"Nmap 7.92","DisplayVersion":"7.92","InstallDate":null,"Publisher":"Nmap Project","InstallLocation":null,"InstallSource":null,"ComputerName":"WIN10X64","Client-IP":"192.168.50.102","Installed-software":19,"LogID":11},
{"DisplayName":"Npcap","DisplayVersion":"1.50","InstallDate":null,"Publisher":"Nmap Project","InstallLocation":null,"InstallSource":null,"ComputerName":"WIN10X64","Client-IP":"192.168.50.102","Installed-software":19,"LogID":12},
{"DisplayName":"VMware Tools","DisplayVersion":"11.3.5.18557794","InstallDate":"20220804","Publisher":"VMware, Inc.","InstallLocation":"C:\\Program Files\\VMware\\VMware Tools\\","InstallSource":"C:\\Program Files\\Common Files\\VMware\\InstallerCache\\","ComputerName":"WIN10X64","Client-IP":"192.168.50.102","Installed-software":19,"LogID":3},
{"DisplayName":"Wazuh Agent","DisplayVersion":"4.3.5","InstallDate":"20220804","Publisher":"Wazuh, Inc.","InstallLocation":"","InstallSource":"C:\\Users\\root\\AppData\\Local\\Temp\\","ComputerName":"WIN10X64","Client-IP":"192.168.50.102","Installed-software":19,"LogID":18},

I've added a custom "LogID" field with a simple incremented counter to my logs in order to distinguish installed software, since the "DisplayName" field sometimes contains a version number (like in the Nmap example) and is therefore not reliable to match against. Current version of my rule:

<rule id="100560" level="10" frequency="2" timeframe="86400">
    <if_matched_sid>100550</if_matched_sid>
    <same_field>ComputerName</same_field>
    <same_field>LogID</same_field>
    <different_field>DisplayVersion</different_field>
    <description>Software Version has been changed</description>
</rule>

Christian Borla

Oct 11, 2022, 8:09:59 PM
to Wazuh mailing list
Hi!
I hope you are doing fine!
There is a way to compare numbers using regex, but it is not a simple way; regex is not made for it, but it is possible.

For example, I used the Nmap example log, focusing on the DisplayVersion field. I wrote this regex to capture only when the number in the DisplayVersion field is lower than the current version (7.92).

regex:  ^[0-7]\.(?:\d[0-1]|[0-8]\d)$

So it's possible to create a rule that fires when the version is lower than the current one (downgrade):

  <rule id="100550" level="10">
    <decoded_as>json</decoded_as>
    <field name="DisplayName">Nmap</field>
    <field name="DisplayVersion" type="pcre2">^[0-7]\.(?:\d[0-1]|[0-8]\d)$</field>
    <description>Nmap Version has downgraded</description>
  </rule>

Also, this one is similar to the rule above: the regex captures the current version too, but the condition is negated, so it works as the upgraded version.

  <rule id="100551" level="10">
    <decoded_as>json</decoded_as>
    <field name="DisplayName">Nmap</field>
    <field name="DisplayVersion" negate="yes" type="pcre2">^[0-7]\.(?:\d[0-2]|[0-8]\d)$</field>
    <description>Nmap Version has upgraded</description>
  </rule>

Maybe you can combine this method with some frequency condition, because this method is difficult to maintain.
Let me know if this information is useful to you!
Regards.

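Because a hand-written "lower than the current version" pattern like the one above is hard to maintain, the following added example (not from the thread and not Wazuh code) generates that pcre2 pattern for any dotted version, including multi-component ones such as 106.0.1370.34, and renders it into a rule in the layout used in this thread. It assumes the reference version is known when the rule is written; `lower_than_regex`, `is_downgrade` and `downgrade_rule` are hypothetical helper names.

```python
import re

def _lt_int(n: int) -> str:
    """Regex fragment matching a non-negative decimal integer strictly below n."""
    digits = str(n)
    k = len(digits)
    alts = []
    if k > 1:  # any number with fewer digits is smaller
        alts.append(r"\d{1,%d}" % (k - 1))
    for i, ch in enumerate(digits):  # same length: equal prefix, then a smaller digit
        d = int(ch)
        if d == 0:
            continue
        smaller = "0" if d == 1 else "[0-%d]" % (d - 1)
        tail = r"\d{%d}" % (k - i - 1) if k - i - 1 else ""
        alts.append(digits[:i] + smaller + tail)
    return "(?:" + "|".join(alts) + ")" if alts else "(?!)"  # nothing is below 0

def lower_than_regex(reference: str) -> str:
    """Anchored pattern matching dotted versions numerically lower than `reference`.
    A candidate is lower when its leading components equal the reference's and the
    next one is smaller; extra trailing components are allowed (7.91.1 < 7.92),
    candidates with fewer components than needed are not matched."""
    parts = [int(p) for p in reference.split(".")]
    n = len(parts)
    alts = []
    for i, v in enumerate(parts):
        if v == 0:
            continue
        prefix = "".join(r"%d\." % p for p in parts[:i])
        rest = r"(?:\.\d+){%d,}" % (n - i - 1)
        alts.append(prefix + _lt_int(v) + rest)
    return "^(?:" + "|".join(alts) + ")$" if alts else "(?!)"

def is_downgrade(reference: str, observed: str) -> bool:
    """True when `observed` is below `reference`; only constructs shared by Python re and PCRE2 are used."""
    return re.search(lower_than_regex(reference), observed) is not None

def downgrade_rule(rule_id: int, display_name: str, reference: str) -> str:
    """Render a rule in the layout used in this thread with the generated pcre2 pattern."""
    return (
        '<rule id="%d" level="10">\n'
        "  <decoded_as>json</decoded_as>\n"
        '  <field name="DisplayName">%s</field>\n'
        '  <field name="DisplayVersion" type="pcre2">%s</field>\n'
        "  <description>%s version has been downgraded (below %s)</description>\n"
        "</rule>"
    ) % (rule_id, display_name, lower_than_regex(reference), display_name, reference)
```

Regenerate the rule whenever the installed reference version changes, since the pattern encodes that specific version.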

Kotory

Oct 12, 2022, 2:18:33 AM
to Wazuh mailing list
Thank you for the advice. I will give it a try.
I was thinking about regex comparison, I just wasn't sure if it was worth the hassle, since some versions look simple enough (like Nmap - 7.92) but some look like this - 106.0.1370.34.
I guess I will try to compare the last 2 blocks and omit anything before them.

Christian Borla

Oct 12, 2022, 7:25:54 AM
to Wazuh mailing list
Hi!
You are welcome!
OK, I think it's a good idea; let me know if you need some help.
Regards.