Modifying the default rules and decoders


Robert H
Aug 2, 2017, 11:56:57 AM
to Wazuh mailing list
Hi,
I'm trying to modify the rule sets and decoders for our particular situation, to conserve system resources by removing decoders and rule sets that don't apply, for example 0410-imperva_rules.xml or 0290-solaris_decoders.xml. I copied all rules and decoders to another location to back them up, then copied the ones that seem to apply in our environment back to the corresponding directories. Before moving the files, I stopped the Wazuh manager.

After copying the .xml files we'd use back to the corresponding directories, I tried to start the Wazuh manager, but received this error.

Starting Wazuh v2.0.1 (maintained by Wazuh Inc.)...
OSSEC analysisd: Testing rules failed. Configuration error. Exiting.

Is this type of modification doable? Should a configuration file be updated after making this type of change? Or is the design that all default decoders and rules need to be left untouched?

Thanks,
Robert

Robert H
Aug 2, 2017, 12:08:18 PM
to Wazuh mailing list
Also, I've run this update ruleset script, but it errors looking for a file.

/bin/update_ruleset.py
### Wazuh ruleset ###
ERROR: Unkown: [Errno 2] No such file or directory: '/var/ossec/ruleset/VERSION'.
Exiting.

The file does exist in my custom install location:

# ll /<path>/ossec/ruleset/VERSION
-rw-r-----. 1 root ossec 25 Aug  1 07:52 /<path>/ossec/ruleset/VERSION

# cat /<path>/ossec/ruleset/VERSION
RULESET_VERSION="v2.0.2"

Jose Luis Ruiz
Aug 2, 2017, 2:02:32 PM
to Wazuh mailing list, Robert H
Hi Robert,

Can you run the following command?

/var/ossec/bin/ossec-logtest

The output from this command can give us more information about the error.

The best practice is to exclude the rules that you don't need in the ossec.conf configuration. For example, if you want to exclude the file 0455-docker_rules.xml:

  <ruleset>
    <!-- Default ruleset -->
    <decoder_dir>ruleset/decoders</decoder_dir>
    <rule_dir>ruleset/rules</rule_dir>
    <rule_exclude>0215-policy_rules.xml</rule_exclude>
    <rule_exclude>0455-docker_rules.xml</rule_exclude>
    <list>etc/lists/audit-keys</list>

    <!-- User-defined ruleset -->
    <decoder_dir>etc/decoders</decoder_dir>
    <rule_dir>etc/rules</rule_dir>
  </ruleset>

Also take care with the file permissions: if you copy or move files between folders, the permissions should be 650, root:ossec.

Example:
-rw-r-----. 1 root ossec  2046 Aug  2 06:55 0400-openvpn_rules.xml
-rw-r-----. 1 root ossec  1560 Aug  2 06:55 0405-rsa-auth-manager_rules.xml
-rw-r-----. 1 root ossec   566 Aug  2 06:55 0410-imperva_rules.xml
-rw-r-----. 1 root ossec  1251 Aug  2 06:55 0415-sophos_rules.xml
-rw-r-----. 1 root ossec  1093 Aug  2 06:55 0420-freeipa_rules.xml
-rw-r-----. 1 root ossec  1934 Aug  2 06:55 0425-cisco-estreamer_rules.xml
-rw-r-----. 1 root ossec  3146 Aug  2 06:55 0430-ms_wdefender_rules.xml
-rw-r-----. 1 root ossec  1581 Aug  2 06:55 0435-ms_logs_rules.xml
-rw-r-----. 1 root ossec  4521 Aug  2 06:55 0440-ms_sqlserver_rules.xml
-rw-r-----. 1 root ossec  1288 Aug  2 06:55 0445-identity_guard_rules.xml
-rw-r-----. 1 root ossec  4564 Aug  2 06:55 0450-mongodb_rules.xml
-rw-r-----. 1 root ossec  2824 Aug  2 06:55 0455-docker_rules.xml
-rw-r-----. 1 root ossec  1939 Aug  2 06:55 0460-jenkins_rules.xml
-rw-r-----. 1 root ossec  1111 Aug  2 06:55 0465-amazon-s3_rules.xml
-rw-r-----. 1 root ossec  2012 Aug  2 06:55 0470-vshell_rules.xml



Regards
-----------------------
Jose Luis Ruiz
Wazuh Inc.
jo...@wazuh.com
--
You received this message because you are subscribed to the Google Groups "Wazuh mailing list" group.
To unsubscribe from this group and stop receiving emails from it, send an email to wazuh+un...@googlegroups.com.
To post to this group, send email to wa...@googlegroups.com.
Visit this group at https://groups.google.com/group/wazuh.
To view this discussion on the web visit https://groups.google.com/d/msgid/wazuh/c2049a17-8dd7-4ffb-ae01-e272e1614cbb%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
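The ownership check Jose asks for can be scripted rather than eyeballed from ls output. The following Python script is an added example for this thread, not Wazuh's own tooling: it walks ruleset/decoders and ruleset/rules under an install prefix and reports every .xml file whose mode or owner:group differs from what the default ruleset ships with. Note that the listing above, -rw-r----- root ossec, is mode 0640, so that is the default the script checks against. The prefix, owner, group and mode are parameters (assumptions, since the thread only shows the default /var/ossec layout), and nothing is changed unless fix=True is passed; chown needs root.

```python
"""Audit ownership and mode of Wazuh/OSSEC ruleset files.

Added example for the mailing-list thread; not Wazuh's own code.
Defaults (assumed, not from the thread): prefix /var/ossec, root:ossec, 0640.
"""
import grp
import os
import pwd
import stat


def _names(uid, gid):
    """Resolve ids to names, falling back to the numeric id if unknown."""
    try:
        user = pwd.getpwuid(uid).pw_name
    except KeyError:
        user = str(uid)
    try:
        group = grp.getgrgid(gid).gr_name
    except KeyError:
        group = str(gid)
    return user, group


def current_owner():
    """Names of the user and group this process runs as (handy for dry runs)."""
    return _names(os.getuid(), os.getgid())


def audit_perms(directory, owner="root", group="ossec", mode=0o640, fix=False):
    """Return a sorted list of (filename, problem) for every regular .xml file
    in directory whose mode or owner:group differs from the expected values.
    With fix=True the offending files are chmod/chown'ed as well (chown needs
    root); the returned list still describes the state found before fixing."""
    problems = []
    for name in sorted(os.listdir(directory)):
        path = os.path.join(directory, name)
        # Symlinks are skipped on purpose: a link into the ruleset dir is
        # something to look at by hand, not to chmod.
        if not name.endswith(".xml") or os.path.islink(path) or not os.path.isfile(path):
            continue
        st = os.stat(path)
        actual_mode = stat.S_IMODE(st.st_mode)
        user, grp_name = _names(st.st_uid, st.st_gid)
        if actual_mode != mode:
            problems.append((name, "mode %04o, expected %04o" % (actual_mode, mode)))
            if fix:
                os.chmod(path, mode)
        if (user, grp_name) != (owner, group):
            problems.append((name, "owner %s:%s, expected %s:%s"
                             % (user, grp_name, owner, group)))
            if fix:
                os.chown(path, pwd.getpwnam(owner).pw_uid, grp.getgrnam(group).gr_gid)
    return problems


def audit_ruleset(ossec_path="/var/ossec", **kwargs):
    """Audit both default ruleset directories below an install prefix."""
    report = {}
    for sub in ("ruleset/decoders", "ruleset/rules"):
        report[sub] = audit_perms(os.path.join(ossec_path, sub), **kwargs)
    return report


if __name__ == "__main__":
    import sys
    prefix = sys.argv[1] if len(sys.argv) > 1 else "/var/ossec"
    for sub, probs in audit_ruleset(prefix).items():
        for name, problem in probs:
            print("%s/%s: %s" % (sub, name, problem))
```

Run it with the install prefix as its only argument before starting the manager; an empty report means the copied files match the shipped ones. Pass fix=True to audit_ruleset only when running as root, otherwise the chown raises PermissionError.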

Jose Luis Ruiz
Aug 2, 2017, 2:06:19 PM
to Wazuh mailing list, Robert H

Hi Robert,

You can run update_ruleset.py with the parameter -o 'new path' to give a different path; by default the path is /var/ossec.

[root@manager ossec]# /var/ossec/bin/update_ruleset.py -h

    Update ruleset v3.0.0
    Github repository: https://github.com/wazuh/wazuh-ruleset
    Full documentation: http://documentation.wazuh.com/en/latest/wazuh_ruleset.html

    Usage: ./update_ruleset.py                  # Update Decoders, Rules and Rootchecks
           ./update_ruleset.py -b               # Restore last backup

    Restart:
        -r, --restart       Restart OSSEC when required.
        -R, --no-restart    Do not restart OSSEC when required.

    Backups:
        -b , --backups      Restore last backup.

    Additional Params:
        -f, --force-update  Force to update the ruleset. By default, only it is updated the new/changed decoders/rules/rootchecks.
        -o, --ossec-path    Set OSSEC path. Default: '/var/ossec'
        -s, --source        Select ruleset source path (instead of download it).
        -j, --json          JSON output. It should be used with '-s' or '-S' argument.
        -d, --debug         Debug mode.
        -u, --url           URL of ruleset zip (default: https://github.com/wazuh/wazuh-ruleset/archive/stable.zip)

[root@manager ossec]#

I hope it helps.

Regards
-----------------------
Jose Luis Ruiz
Wazuh Inc.
jo...@wazuh.com


Robert H
Aug 2, 2017, 2:20:41 PM
to Wazuh mailing list
Thanks Jose!

Supplying the custom path with -o worked and update_ruleset.py ran without error.

### Wazuh ruleset ###

You already have the latest version of ruleset.


Also, I copied all the xml rules and decoder files back into place and the Manager started up without error also.

Regards,
Robert


Jose Luis Ruiz
Aug 2, 2017, 2:26:38 PM
to Wazuh mailing list, Robert H
Hi Robert,

How did you move ossec to another path? I mean, did you do the installation from sources and, when install.sh asked you for the path, give it the new one?

Or did you do the installation through packages and only move it to a different folder (this option is incorrect, btw)?

Can you run the following command and send the last few lines?

yourpath/ossec/bin/ossec-logtest



Regards
-----------------------
Jose Luis Ruiz
Wazuh Inc.
jo...@wazuh.com


Robert H
Aug 2, 2017, 2:39:52 PM
to Wazuh mailing list
Hi Jose,
I installed through sources and supplied an alternative path.

The last few lines of the logtest are:

2017/08/02 11:35:27 ossec-testrule: INFO: Reading decoder file ruleset/decoders/0410-docker_decoders.xml.
2017/08/02 11:35:27 ossec-testrule: INFO: Reading decoder file ruleset/decoders/0415-jenkins_decoders.xml.
2017/08/02 11:35:27 ossec-testrule: INFO: Reading decoder file ruleset/decoders/0420-vshell_decoders.xml.
2017/08/02 11:35:27 ossec-testrule: INFO: Reading decoder file etc/decoders/local_decoder.xml.
2017/08/02 11:35:27 ossec-testrule: INFO: Reading the lists file: 'etc/lists/audit-keys'
2017/08/02 11:35:27 ossec-testrule: INFO: Started (pid: 23228).
ossec-testrule: Type one log per line.

Regards,
Robert

Jose Luis Ruiz
Aug 2, 2017, 2:49:29 PM
to Wazuh mailing list, Robert H
Hi Robert,

Looks perfect now. Running the command yourpath/ossec/bin/ossec-logtest after modifying rules or decoders is a good practice to check whether the configuration is correct before restarting the manager.


Regards
-----------------------
Jose Luis Ruiz
Wazuh Inc.
jo...@wazuh.com


Robert H
Aug 2, 2017, 2:54:09 PM
to Wazuh mailing list
Jose,
I've modified the ossec.conf file as follows. The manager starts up fine and the update_ruleset.py run reports that I already have the latest rules. Is this the expected confirmation that all is working normally?

<ruleset>
    <!-- Default ruleset -->
    <decoder_dir>ruleset/decoders</decoder_dir>
    <rule_dir>ruleset/rules</rule_dir>
    <rule_exclude>0215-policy_rules.xml</rule_exclude>            <--- This rule was already in the file by default
    <rule_exclude>0080-sonicwall_rules.xml</rule_exclude>
    <decoder_exclude>0295-sonicwall_decoders.xml</decoder_exclude>  <-- Is this correct for a decoder or should decoders also use the <rule_exclude> tag?
    <list>etc/lists/audit-keys</list>

    <!-- User-defined ruleset -->
    <decoder_dir>etc/decoders</decoder_dir>
    <rule_dir>etc/rules</rule_dir>
  </ruleset>

//////////////////////////////////

/ossec/bin/update_ruleset.py -o <path>
### Wazuh ruleset ###

You already have the latest version of ruleset.

Regards,
Robert


Jose Luis Ruiz
Aug 2, 2017, 2:58:08 PM
to Wazuh mailing list, Robert H
Hi Robert,

That's correct. Look at the following link and the example there; you will find a better explanation of how this works:




Regards
-----------------------
Jose Luis Ruiz
Wazuh Inc.
jo...@wazuh.com


Jesus Linares
Aug 2, 2017, 3:02:14 PM
to Wazuh mailing list, rhe...@proficio.com
Hi Robert,

If update_ruleset.py shows "You already have the latest version of ruleset." and ossec-logtest runs without errors, it means that everything is working fine.

Review the documentation that Jose sent you. I would recommend that you use the full path in the exclude:

<decoder_exclude>ruleset/decoders/0310-ssh_decoders.xml</decoder_exclude>

In this way, you are excluding the file inside /path/ossec/ruleset and not any file named "0310-ssh_decoders.xml".

I hope it helps.

Robert H
Aug 2, 2017, 3:08:56 PM
to Wazuh mailing list
I'm looking at it now.  

Thanks so much Jose and Jesus!


Robert H
Aug 2, 2017, 4:34:24 PM
to Wazuh mailing list
Jose or Jesus,

It looks like the rules and decoders path is already defined in this code. Is it still recommended to add the rules/decoders path to the <exclude></exclude> tags?

 <ruleset>
    <!-- Default ruleset -->
    <decoder_dir>ruleset/decoders</decoder_dir>      <-  The directory is indicated here
    <rule_dir>ruleset/rules</rule_dir>                           <- The directory is indicated here
    <rule_exclude>0215-policy_rules.xml</rule_exclude>
    <rule_exclude>ruleset/rules/0080-sonicwall_rules.xml</rule_exclude>
    <decoder_exclude>ruleset/decoders/0295-sonicwall_decoders.xml</decoder_exclude>  <- Is it still recommended to include it here also?
    <decoder_exclude>ruleset/decoders/0015-aix-ipsec_decoders.xml</decoder_exclude>
    <decoder_exclude>ruleset/decoders/0020-amazon_decoders.xml</decoder_exclude>

Regards,
Robert


Robert H
Aug 2, 2017, 6:28:36 PM
to Wazuh mailing list
Actually, when I added a decoder_exclude to ossec.conf, ossec-logtest errors.

2017/08/02 08:21:52 ossec-testrule: INFO: Reading decoder file etc/decoders/local_decoder.xml.
2017/08/02 08:21:52 ossec-testrule: INFO: Reading the lists file: 'etc/lists/audit-keys'
2017/08/02 08:21:52 ossec-analysisd: Invalid decoder name: 'racoon'.
2017/08/02 08:21:52 ossec-testrule(1220): ERROR: Error loading the rules: 'ruleset/rules/0205-racoon_rules.xml'.

The above example I posted in the previous comment also errored, so I reset ossec.conf to the default and logtest ran clean. Then I added the mailscanner exclude below and logtest ran clean. But after adding the decoder_exclude, logtest errors.

<ruleset>
    <!-- Default ruleset -->
    <decoder_dir>ruleset/decoders</decoder_dir>
    <rule_dir>ruleset/rules</rule_dir>
    <rule_exclude>0215-policy_rules.xml</rule_exclude>
    <rule_exclude>0045-mailscanner_rules.xml</rule_exclude>
    <decoder_exclude>0245-racoon_decoders.xml</decoder_exclude>
    <list>etc/lists/audit-keys</list>

    <!-- User-defined ruleset -->
    <decoder_dir>etc/decoders</decoder_dir>
    <rule_dir>etc/rules</rule_dir>
  </ruleset>

Any suggestions?

Regards,
Robert

Jose Luis Ruiz
Aug 3, 2017, 5:29:13 AM
to Wazuh mailing list, Robert H
Hi Robert,

If you exclude one decoder file (<decoder_exclude>0245-racoon_decoders.xml</decoder_exclude>), you need to exclude all rules that use this decoder; this is why you are getting the error: Error loading the rules: 'ruleset/rules/0205-racoon_rules.xml'.

Add to your configuration <rule_exclude>0205-racoon_rules.xml</rule_exclude> as well.

You can exclude rules, keeping the decoders, but you cannot exclude decoders keeping the rules that need these decoders.

Regards
-----------------------
Jose Luis Ruiz
Wazuh Inc.
jo...@wazuh.com

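Jose's rule above (a decoder file can only be excluded together with every rule file that depends on it) can be checked mechanically before reaching for ossec-logtest. The following Python script is an added example for this thread, not part of Wazuh's own tooling: it parses decoder files for <decoder name> and <parent>, rule files for <decoded_as>, and for a planned set of decoder excludes reports the rule files (and any child decoder files) that must be excluded as well, then prints the ossec.conf lines with the full ruleset/... path as Jesus recommends. Assumptions that are not in the thread: each file is wrapped in a synthetic root element because OSSEC rule and decoder files hold several top-level elements; rule-to-rule references (<if_sid>, <if_group>) are not followed; a decoder whose <parent> is excluded is conservatively treated as needing exclusion too; the embedded sample files are constructed stand-ins with made-up rule ids and a made-up 0900-local-racoon_decoders.xml, not the real ruleset files of those names.

```python
"""Find the rule files that must be excluded along with a decoder file.

Added example for the mailing-list thread; not Wazuh's own code. The sample
files at the bottom are constructed stand-ins, not the real ruleset content.
"""
import os
import xml.etree.ElementTree as ET


def _parse(xml_text):
    # Rule/decoder files are element sequences, not single documents, so wrap
    # them. A real file with an unescaped '&' inside a regex would need escaping.
    return ET.fromstring("<root>" + xml_text + "</root>")


def decoder_names(xml_text):
    """(names defined in this decoder file, parent names it references)."""
    root = _parse(xml_text)
    defined = {d.get("name") for d in root.iter("decoder") if d.get("name")}
    parents = {p.text.strip() for p in root.iter("parent") if p.text}
    return defined, parents


def rule_decoders(xml_text):
    """Decoder names the rules in this file rely on through <decoded_as>."""
    root = _parse(xml_text)
    return {d.text.strip() for d in root.iter("decoded_as") if d.text}


def required_excludes(decoder_files, rule_files, excluded_decoders):
    """decoder_files / rule_files map filename -> xml text. Returns
    (extra decoder files, rule files) that must also be excluded when the
    given decoder files are dropped; otherwise analysisd aborts with
    'Invalid decoder name' while loading the rules."""
    excluded = set(excluded_decoders)
    info = {f: decoder_names(t) for f, t in decoder_files.items()}
    all_names = {n for defined, _ in info.values() for n in defined}
    while True:
        kept = {n for f, (defined, _) in info.items()
                if f not in excluded for n in defined}
        # Assumption: a child decoder whose <parent> disappears is treated as
        # unloadable and excluded as well (conservative choice).
        orphans = {f for f, (_, parents) in info.items()
                   if f not in excluded and (parents & all_names) - kept}
        if not orphans:
            break
        excluded |= orphans
    gone = all_names - kept
    rules = {f for f, t in rule_files.items() if rule_decoders(t) & gone}
    return excluded - set(excluded_decoders), rules


def exclude_lines(decoder_files, rule_files):
    """ossec.conf <ruleset> lines with the full path, as Jesus recommends."""
    lines = ["<decoder_exclude>ruleset/decoders/%s</decoder_exclude>" % f
             for f in sorted(decoder_files)]
    lines += ["<rule_exclude>ruleset/rules/%s</rule_exclude>" % f
              for f in sorted(rule_files)]
    return lines


def load_dir(path):
    """filename -> text for every .xml file in a real ruleset directory."""
    files = {}
    for name in sorted(os.listdir(path)):
        if name.endswith(".xml"):
            with open(os.path.join(path, name), encoding="utf-8") as fh:
                files[name] = fh.read()
    return files


# Constructed samples (made-up ids; 0900-local-racoon_decoders.xml is invented).
SAMPLE_DECODERS = {
    "0245-racoon_decoders.xml":
        '<decoder name="racoon"><program_name>^racoon</program_name></decoder>',
    "0900-local-racoon_decoders.xml":
        '<decoder name="racoon-peer"><parent>racoon</parent>'
        r'<regex offset="after_parent">from (\S+)</regex><order>srcip</order></decoder>',
    "0310-ssh_decoders.xml":
        '<decoder name="sshd"><program_name>^sshd</program_name></decoder>',
}
SAMPLE_RULES = {
    "0205-racoon_rules.xml":
        '<group name="syslog,racoon,"><rule id="100200" level="0">'
        '<decoded_as>racoon</decoded_as><description>sample</description></rule></group>',
    "0095-sshd_rules.xml":
        '<group name="syslog,sshd,"><rule id="100100" level="0">'
        '<decoded_as>sshd</decoded_as><description>sample</description></rule></group>',
}

if __name__ == "__main__":
    # Against a real install use load_dir("/var/ossec/ruleset/decoders") and
    # load_dir("/var/ossec/ruleset/rules") instead of the samples.
    planned = {"0245-racoon_decoders.xml"}
    extra, rules = required_excludes(SAMPLE_DECODERS, SAMPLE_RULES, planned)
    for line in exclude_lines(planned | extra, rules):
        print(line)
```

With the samples, planning to drop 0245-racoon_decoders.xml yields two further excludes: the invented child decoder file (its parent is gone) and 0205-racoon_rules.xml (its rules are decoded_as racoon); the sshd files are untouched. Paste the printed lines into the <ruleset> block, then still run ossec-logtest as Jose suggests, since the script does not follow <if_sid> chains between rule files.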

Robert H
Aug 3, 2017, 12:03:44 PM
to Wazuh mailing list
Thanks Jose!  Will do.


Reply all
Reply to author
Forward
0 new messages