CDB List


riccait

Apr 5, 2023, 9:47:01 AM4/5/23
to Wazuh mailing list
Good morning,
I would like to use the CDB list to create a whitelist of applications, but unfortunately I can’t get it to work.

I created the list as in the screenshot:
This is the ossec.conf configuration:
This is the rule I created that calls the CDB list:
conf_localrule.jpg

Is there something wrong?

Alternatively, if I can’t use cdb lists, how can I reduce the level of these alerts?

Thank you very much
Greetings

riccait

Apr 5, 2023, 9:51:29 AM4/5/23
to Wazuh mailing list
I am inserting the screenshots that were not displayed:

conf_cdblist.jpg

conf_ossec.jpg

Julián Morales

Apr 5, 2023, 10:20:45 AM4/5/23
to riccait, Wazuh mailing list
Hi Riccait,

It seems like you've followed the correct steps:

1. Created the list file with escaped content.
2. Added the condition to the rule.
3. Restarted the manager.

However, upon reviewing the rule, I noticed that you used the field "data.win.eventdata....". In reality, the rule uses the "data" object fields, so the correct field to use in the rule would be "win.eventdata....".

I hope this resolves the issue. If not, could you please send me the rule in text format, the list, and an alert? Having this information will be useful for testing and identifying any remaining issues.

Regards,


Francesco Narciso

Apr 7, 2023, 4:16:19 AM4/7/23
to Julián Morales, Wazuh mailing list
I tried editing the CDB list and the local rules and restarted the Wazuh server, but without success.

This is the event taken from the alerts.log file:
Rule: 92910 (level 12) -> 'Explorer process was accessed by C:\\Program Files (x86)\\Kaspersky Lab\\KES.11.11.0\\avp.exe, possible process injection'
{"win":{"system":{"providerName":"Microsoft-Windows-Sysmon","providerGuid":"{5770385F-C22A-43E0-BF4C-06F5698FFBD9}","eventID":"10","version":"3","level":"4","task":"10","opcode":"0","keywords":"0x8000000000000000","systemTime":"2023-04-05T00:33:10.376336400Z","eventRecordID":"34970289","processID":"1896","threadID":"2624","channel":"Microsoft-Windows-Sysmon/Operational","computer":"DC-MI.essenza.local","severityValue":"INFORMATION","message":"\"Process accessed:\r\nRuleName: technique_id=T1055.001,technique_name=Dynamic-link Library Injection\r\nUtcTime: 2023-04-05 00:33:10.376\r\nSourceProcessGUID: {F8FB345F-2C06-6407-1C00-000000006000}\r\nSourceProcessId: 1552\r\nSourceThreadId: 5020\r\nSourceImage: C:\\Program Files (x86)\\Kaspersky Lab\\KES.11.11.0\\avp.exe\r\nTargetProcessGUID: {F8FB345F-DCD1-641A-911C-000000006000}\r\nTargetProcessId: 8832\r\nTargetImage: C:\\Windows\\Explorer.EXE\r\nGrantedAccess: 0x1F3FFF\r\nCallTrace: C:\\Windows\\SYSTEM32\\ntdll.dll+9043a|C:\\Windows\\SYSTEM32\\wow64.dll+7184|C:\\Windows\\SYSTEM32\\wow64.dll+9c8b|C:\\Windows\\system32\\wow64cpu.dll+1dc5|C:\\Windows\\SYSTEM32\\wow64.dll+1236a|C:\\Windows\\SYSTEM32\\wow64.dll+122a2|C:\\Windows\\SYSTEM32\\ntdll.dll+18edb|C:\\Windows\\SYSTEM32\\ntdll.dll+18dbe|C:\\Windows\\SYSTEM32\\ntdll.dll+3c25c(wow64)|C:\\Windows\\SYSTEM32\\KERNELBASE.dll+16668(wow64)|UNKNOWN(000000002FA3ABDC)|UNKNOWN(000000002FA7831B)|UNKNOWN(000000002FA7860E)|UNKNOWN(000000002F9A9C71)|UNKNOWN(000000002F9A9F96)|UNKNOWN(000000002F9A8DD9)|UNKNOWN(000000002F94FFBE)|UNKNOWN(000000002EAF0EDC)|UNKNOWN(000000002EB641CF)|UNKNOWN(000000002EB65797)|UNKNOWN(000000002EB670CD)|UNKNOWN(000000002EB6A045)|UNKNOWN(000000002EB6A3D5)|UNKNOWN(000000002EA98A93)\r\nSourceUser: NT AUTHORITY\\SYSTEM\r\nTargetUser: ESSENZA\\rgueli\""},"eventdata":{"ruleName":"technique_id=T1055.001,technique_name=Dynamic-link Library Injection","utcTime":"2023-04-05 00:33:10.376","sourceProcessGUID":"{F8FB345F-2C06-6407-1C00-000000006000}","sourceProcessId":"1552","sourceThreadId":"5020","sourceImage":"C:\\\\Program Files (x86)\\\\Kaspersky Lab\\\\KES.11.11.0\\\\avp.exe","targetProcessGUID":"{F8FB345F-DCD1-641A-911C-000000006000}","targetProcessId":"8832","targetImage":"C:\\\\Windows\\\\Explorer.EXE","grantedAccess":"0x1f3fff","callTrace":"C:\\\\Windows\\\\SYSTEM32\\\\ntdll.dll+9043a|C:\\\\Windows\\\\SYSTEM32\\\\wow64.dll+7184|C:\\\\Windows\\\\SYSTEM32\\\\wow64.dll+9c8b|C:\\\\Windows\\\\system32\\\\wow64cpu.dll+1dc5|C:\\\\Windows\\\\SYSTEM32\\\\wow64.dll+1236a|C:\\\\Windows\\\\SYSTEM32\\\\wow64.dll+122a2|C:\\\\Windows\\\\SYSTEM32\\\\ntdll.dll+18edb|C:\\\\Windows\\\\SYSTEM32\\\\ntdll.dll+18dbe|C:\\\\Windows\\\\SYSTEM32\\\\ntdll.dll+3c25c(wow64)|C:\\\\Windows\\\\SYSTEM32\\\\KERNELBASE.dll+16668(wow64)|UNKNOWN(000000002FA3ABDC)|UNKNOWN(000000002FA7831B)|UNKNOWN(000000002FA7860E)|UNKNOWN(000000002F9A9C71)|UNKNOWN(000000002F9A9F96)|UNKNOWN(000000002F9A8DD9)|UNKNOWN(000000002F94FFBE)|UNKNOWN(000000002EAF0EDC)|UNKNOWN(000000002EB641CF)|UNKNOWN(000000002EB65797)|UNKNOWN(000000002EB670CD)|UNKNOWN(000000002EB6A045)|UNKNOWN(000000002EB6A3D5)|UNKNOWN(000000002EA98A93)","sourceUser":"NT AUTHORITY\\\\SYSTEM","targetUser":"ESSENZA\\\\test1"}}}

This is the custom CDB file:
"C:\\\\Program Files (x86)\\\\Kaspersky Lab\\\\KES.11.10.0\\\\avp.exe":Kaspersky_11
"C:\\\\Windows\\\\System32\\\\wsmprovhost.exe":Server_Manager

These are the custom rules from local_rules.xml:
<group name="sysmon, sysmon_eid10_detections, windows">
  <rule id="110001" level="0">
    <if_sid>92910</if_sid>
    <list field="win.eventdata.sourceImage" lookup="match_key">etc/lists/whitelist-process</list>
    <description>Process $(win.eventdata.sourceImage) is permitted</description>
    <mitre>
      <id>T1003.001</id>
    </mitre>
    <group>whitelist_process</group>
  </rule>
</group>

Thanks for the support
Greetings

riccait

Apr 11, 2023, 6:04:56 AM4/11/23
to Wazuh mailing list
Any news?

Thanks

Julián Morales

Apr 11, 2023, 12:48:55 PM4/11/23
to riccait, Wazuh mailing list
Hi Riccait,

There seem to be two issues with your CDB list. Firstly, it's important to note that in JSON, the backslash character is a special character that needs to be escaped with another backslash. Therefore, the value of the JSON string:

"C:\\\\Program Files (x86)\\\\Kaspersky Lab\\\\KES.11.11.0\\\\avp.exe"

is actually:

C:\\Program Files (x86)\\Kaspersky Lab\\KES.11.11.0\\avp.exe

Additionally, you are trying to match the folder "KES.11.10.0" when it should actually be "KES.11.11.0".

I have tested the CDB list with the following content and it works without any issues:

"C:\\Program Files (x86)\\Kaspersky Lab\\KES.11.11.0\\avp.exe":

Please make these changes to your CDB list and let me know if it works.
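As an added example, not code from this thread or from the Wazuh project, the following Python script models what the two replies above describe: it decodes the alert the way the manager does, resolves the rule's field path without the `data.` prefix (the point of the first reply), and looks the decoded value up in a CDB list parsed from its text form (the point of the second). The alert fragment and both list files are constructed for the example, the first mirroring the list as posted and the second the corrected one; `parse_cdb_list`, `get_field` and `match_key` are simplified stand-ins for the manager's behaviour, not Wazuh APIs.

```python
import json

# Constructed sample, not the thread's own alert: the JSON fragment of a Wazuh
# alert for Sysmon event ID 10, trimmed to the two fields the whitelist rule
# cares about, written exactly as it appears in alerts.json. Each path
# separator is four backslashes because the stored value already holds two
# literal backslashes and JSON escapes each of them again.
RAW_ALERT = r'''{"win":{"eventdata":{"sourceImage":"C:\\\\Program Files (x86)\\\\Kaspersky Lab\\\\KES.11.11.0\\\\avp.exe","targetImage":"C:\\\\Windows\\\\Explorer.EXE"}}}'''

# The CDB list as first posted in the thread: keys copied from the JSON text
# (four backslashes) and the wrong version folder (11.10.0).
CDB_LIST_AS_POSTED = r'''"C:\\\\Program Files (x86)\\\\Kaspersky Lab\\\\KES.11.10.0\\\\avp.exe":Kaspersky_11
"C:\\\\Windows\\\\System32\\\\wsmprovhost.exe":Server_Manager
'''

# The corrected list: keys equal to the decoded field value (two backslashes)
# and the folder that actually appears in the event.
CDB_LIST_FIXED = r'''"C:\\Program Files (x86)\\Kaspersky Lab\\KES.11.11.0\\avp.exe":Kaspersky_11
"C:\\Windows\\System32\\wsmprovhost.exe":Server_Manager
'''

WHITELIST_FIELD = "win.eventdata.sourceImage"


def parse_cdb_list(text):
    """Parse CDB list source text into {key: value}.

    Each non-empty line is key:value; a key or value that itself contains ':'
    (a Windows drive letter, for example) is wrapped in double quotes. The file
    has no escape syntax: a backslash written in the file is a backslash in the
    key, which is why the list must hold the decoded value, not its JSON text.
    """
    entries = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith('"'):
            close = line.find('"', 1)
            if close < 0 or not line[close + 1:].startswith(":"):
                raise ValueError(f"malformed CDB list line: {raw!r}")
            key, value = line[1:close], line[close + 2:]
        else:
            key, _, value = line.partition(":")
        entries[key] = value.strip('"')
    return entries


def get_field(event, dotted_path):
    """Resolve a rule field such as win.eventdata.sourceImage against the
    decoded event. As the first reply in this thread says, the path is relative
    to the decoded object; the 'data.' prefix seen in the alert index is not
    part of it."""
    node = event
    for part in dotted_path.split("."):
        if not isinstance(node, dict) or part not in node:
            return None
        node = node[part]
    return node


def match_key(list_text, event, field):
    """Stand-in for <list field=... lookup="match_key">: true when the field's
    decoded value is exactly one of the list keys."""
    value = get_field(event, field)
    return value is not None and value in parse_cdb_list(list_text)


def check_whitelist():
    """Run both lists against the sample alert and report what each one does."""
    event = json.loads(RAW_ALERT)
    return {
        "decoded_value": get_field(event, WHITELIST_FIELD),
        "posted_list_matches": match_key(CDB_LIST_AS_POSTED, event, WHITELIST_FIELD),
        "fixed_list_matches": match_key(CDB_LIST_FIXED, event, WHITELIST_FIELD),
        "with_data_prefix": get_field(event, "data." + WHITELIST_FIELD),
    }


if __name__ == "__main__":
    for name, result in check_whitelist().items():
        print(f"{name}: {result!r}")
```

Run it directly to see the four results: the decoded value carries two backslashes per separator, the list as posted never matches, the corrected list does, and a `data.`-prefixed field path resolves to nothing. The authoritative check is still the manager itself: after editing the list, restart it (as in the steps listed in the first reply) so the list is compiled again, then feed the original event through wazuh-logtest and confirm that rule 110001 fires in place of 92910.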

riccait

Apr 14, 2023, 12:05:54 PM4/14/23
to Wazuh mailing list
The problem has been solved.

Thank you so much for your support
