False Positive webshell detection


Tengku Arya Saputra

Jan 16, 2026, 6:59:20 AM (2 days ago) Jan 16
to Wazuh | Mailing List
full log

"type=SYSCALL msg=audit(1768560955.346:405946): arch=c000003e syscall=41 success=yes exit=7 a0=2 a1=1 a2=0 a3=0 items=0 ppid=850 pid=2496 auid=4294967295 uid=33 gid=33 euid=33 suid=33 fsuid=33 egid=33 sgid=33 fsgid=33 tty=(none) ses=4294967295 comm=\"php\" exe=\"/usr/bin/php8.2\" subj=unconfined key=\"webshell_net_connect\"\u001dARCH=x86_64 SYSCALL=socket AUID=\"unset\" UID=\"www-data\" GID=\"www-data\" EUID=\"www-data\" SUID=\"www-data\" FSUID=\"www-data\" EGID=\"www-data\" SGID=\"www-data\" FSGID=\"www-data\" type=PROCTITLE msg=audit(1768560955.346:405946): proctitle=706870002F7661722F7777772F68746D6C2F4D61696C65722F6172746973616E0071756575653A776F726B002D2D736C6565703D33002D2D74726965733D33002D2D74696D656F75743D3930"

This is the Laravel queue worker that runs php artisan queue:work.

How do I resolve this false positive?

John E

Jan 16, 2026, 7:55:11 AM (2 days ago) Jan 16
to Wazuh | Mailing List
Hello Tengku,

You can exclude the alert entirely. Follow the below steps to achieve that.

1. Edit the file /var/ossec/etc/rules/local_rules.xml
2. Add the below rule.


<group name="audit,laravel,php,false_positive">
  <rule id="100200" level="3">
    <if_sid>80700</if_sid>
    <field name="comm">php</field>
    <field name="exe">/usr/bin/php8.2</field>
    <match>artisan queue:work</match>
    <description>
      Laravel queue worker opening network socket (expected behavior)
    </description>
    <options>no_full_log</options>
  </rule>
</group>

3. Save and restart your Wazuh manager.

If you want to be a little more strict, you can use the below rule.


<group name="audit,laravel,php,false_positive">
  <rule id="100200" level="3" noalert="1">
    <if_sid>80700</if_sid>
    <field name="comm">php</field>
    <field name="exe">/usr/bin/php8.2</field>
    <match>queue:work</match>
    <description>
      Laravel queue worker opening network socket (expected behavior)
    </description>
    <options>no_full_log</options>
  </rule>
</group>

Let me know how it goes.
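Before suppressing an audit hit like the one in the original post, it helps to confirm what the process actually was: auditd hex-encodes proctitle when argv contains NUL separators, so the command line is not readable in the raw line. The following is an added triage script (not part of the thread or of Wazuh) that parses the posted SYSCALL/PROCTITLE record, decodes proctitle and checks that the socket() call came from php running artisan queue:work as www-data from the expected binary. The sample line is trimmed from the post and the \u001d record separator is replaced by a space; the check criteria are assumptions chosen to mirror the rule above.

```python
import re

# Constructed sample: the SYSCALL/PROCTITLE record from the post, trimmed to the
# fields the check needs (values as posted; the proctitle hex is unchanged).
SAMPLE_LINE = (
    'type=SYSCALL msg=audit(1768560955.346:405946): arch=c000003e syscall=41 '
    'success=yes exit=7 ppid=850 pid=2496 auid=4294967295 uid=33 gid=33 euid=33 '
    'comm="php" exe="/usr/bin/php8.2" subj=unconfined key="webshell_net_connect" '
    'ARCH=x86_64 SYSCALL=socket UID="www-data" '
    'type=PROCTITLE msg=audit(1768560955.346:405946): '
    'proctitle=706870002F7661722F7777772F68746D6C2F4D61696C65722F6172746973616E'
    '0071756575653A776F726B002D2D736C6565703D33002D2D74726965733D33002D2D74696D656F75743D3930'
)

# key=value pairs; values are either double-quoted or run to the next whitespace
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_audit(line: str) -> dict:
    """Split an auditd record into key -> value (quotes stripped). Duplicate keys
    (e.g. msg= in the PROCTITLE record) overwrite earlier ones, which does not
    affect the fields used here."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}

def decode_proctitle(hexstr: str) -> list:
    """Decode a hex-encoded proctitle into its argv list (arguments are NUL-separated)."""
    raw = bytes.fromhex(hexstr)
    return [a.decode('utf-8', 'replace') for a in raw.rstrip(b'\x00').split(b'\x00')]

def is_laravel_queue_worker(line: str) -> bool:
    """True when a webshell_net_connect hit is php8.2 running `artisan queue:work`
    as www-data. Assumed criteria: key, exe, UID and the decoded argv prefix."""
    f = parse_audit(line)
    if f.get('key') != 'webshell_net_connect':
        return False
    if f.get('exe') != '/usr/bin/php8.2' or f.get('UID') != 'www-data':
        return False
    argv = decode_proctitle(f.get('proctitle', ''))
    return (len(argv) >= 3 and argv[0] == 'php'
            and argv[1].endswith('/artisan') and argv[2] == 'queue:work')

if __name__ == '__main__':
    argv = decode_proctitle(parse_audit(SAMPLE_LINE)['proctitle'])
    print('decoded command line:', ' '.join(argv))
    print('expected queue worker:', is_laravel_queue_worker(SAMPLE_LINE))
```

Running it on the posted line decodes the command line to `php /var/www/html/Mailer/artisan queue:work --sleep=3 --tries=3 --timeout=90`; the same check returns False for a php binary in an unexpected path or a different argv, which is what you would want to keep alerting on.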
