Custom Rule Passes Test but Doesn't Appear


Mark Pearson

Jun 14, 2023, 9:59:48 AM
to Wazuh mailing list
Hi

I've created a custom rule (below). When I run it through the test it seems fine (output also below), but it never appears in the security events in my dashboard.

<rule id="800001" level="12">
  <if_sid>1002</if_sid>
  <field name="data.win.system.eventID">^20271$</field>
  <description>Remote Access Failure</description>
  <group>authentication_failed</group>
</rule>

Phase 2: Completed decoding.
        name: 'json'
        agent.id: '036'
        agent.ip: '192.168.16.2'
        agent.name: 'WOSL-RRAS-001'
        data.win.eventdata.binary: '2C030000'
        data.win.eventdata.data: '{BD9BB82F-9A61-0000-5C4B-14BE619AD901}, dddd, 80.209.187.162, The connection was prevented because of a policy configured on your RAS/VPN server. Specifically, the authentication method used by the server to verify your username and password may not match the authentication method configured in your connection profile. Please contact the Administrator of the RAS server and notify them of this error., 0x70'
        data.win.system.channel: 'System'
        data.win.system.computer: 'WOSL-RRAS-001.Oil.local'
        data.win.system.eventID: '20271'
        data.win.system.eventRecordID: '26615'
        data.win.system.keywords: '0x80000000000000'
        data.win.system.level: '3'
        data.win.system.message: '"CoId={BD9BB82F-9A61-0000-5C4B-14BE619AD901}: The user dddd connected from 80.209.187.162 but failed an authentication attempt due to the following reason: The connection was prevented because of a policy configured on your RAS/VPN server. Specifically, the authentication method used by the server to verify your username and password may not match the authentication method configured in your connection profile. Please contact the Administrator of the RAS server and notify them of this error."'
        data.win.system.providerName: 'RemoteAccess'
        data.win.system.severityValue: 'WARNING'
        data.win.system.systemTime: '2023-06-14T13:33:31.883184400Z'
        data.win.system.task: '0'
        decoder.name: 'windows_eventchannel'
        full_log: '{"win":{"system":{"providerName":"RemoteAccess","eventID":"20271","level":"3","task":"0","keywords":"0x80000000000000","systemTime":"2023-06-14T13:33:31.883184400Z","eventRecordID":"26615","channel":"System","computer":"WOSL-RRAS-001.Oil.local","severityValue":"WARNING","message":"\"CoId={BD9BB82F-9A61-0000-5C4B-14BE619AD901}: The user dddd connected from 80.209.187.162 but failed an authentication attempt due to the following reason: The connection was prevented because of a policy configured on your RAS/VPN server. Specifically, the authentication method used by the server to verify your username and password may not match the authentication method configured in your connection profile. Please contact the Administrator of the RAS server and notify them of this error.\""},"eventdata":{"binary":"2C030000","data":"{BD9BB82F-9A61-0000-5C4B-14BE619AD901}, dddd, 80.209.187.162, The connection was prevented because of a policy configured on your RAS/VPN server. Specifically, the authentication method used by the server to verify your username and password may not match the authentication method configured in your connection profile. Please contact the Administrator of the RAS server and notify them of this error., 0x70"}}}'
        id: '1686749671.2647051532'
        location: 'EventChannel'
        manager.name: 'pnts-wazuh-001'
        timestamp: '2023-06-14T13:34:31.238+0000'

**Phase 3: Completed filtering (rules).
        id: '800001'
        level: '12'
        description: 'Remote Access Failure'
        groups: '['RRAS', 'authentication_failed']'
        firedtimes: '1'
        mail: 'True'
**Alert to be generated.



Maximiliano Ibarra

Jun 14, 2023, 11:02:41 AM
to Wazuh mailing list
Hi Mark. First of all, thanks for contacting us.
I saw that your rule is okay. When you are in the Security events, do you try to filter by rule ID? 

Also, you can check the events in the OpenSearch > Discover section.


Mark Pearson

Jun 14, 2023, 11:21:06 AM
to Maximiliano Ibarra, Wazuh mailing list
Thanks

It doesn't appear in Security events when searching by rule ID, nor does it appear in OpenSearch > Discover.


Mark Pearson

Jun 16, 2023, 4:44:57 AM
to Wazuh mailing list
Anyone have any ideas why this might not be working? The events are definitely hitting archives.json but never appear in the console or trigger my rules.

Maximiliano Ibarra

Jun 16, 2023, 8:56:18 AM
to Wazuh mailing list
Hi Mark.
Sorry for the delay. I researched this problem, and we need to do some checks to try to find the cause of why you aren't seeing the events in your dashboard.
Check if the services are running correctly. Run these commands with root privileges:
    systemctl status wazuh-manager
    systemctl status filebeat

Also, we can execute the following command to verify that the connection between Filebeat and the Wazuh indexer is working correctly:
   filebeat test output
If you're using an All-In-One deployment, all the commands need to be executed on the server; otherwise, please run them on the Wazuh manager nodes.
We can take a look at the logs of the Wazuh manager in search of errors:
    grep -i -E "error|warn|crit" /var/ossec/logs/ossec.log
And then search for the events in alerts.json:
    cat /var/ossec/logs/alerts/alerts.json | grep '"id":"800001"' | tail -n 1 >tmp_alert.json
Or, instead of the rule ID, search by your rule description "Remote Access Failure".
Please feel free to add all the information that you consider necessary to this thread, including command results, screenshots, etc.
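One way to take the alerts.json check above a step further, given that the events reportedly reach archives.json: an added example (not from this thread or from the Wazuh project) that reads archives.json line by line, keeps the records whose data.win.system.eventID is 20271, and reports for each whether rule 800001 fired, some other rule fired, or no rule at all. It assumes archives.json records carry a "rule" object only when a rule matched; the sample records are constructed, and rule 100999 is a placeholder.

```python
import json

# Constructed sample in the shape of /var/ossec/logs/archives/archives.json (one JSON object
# per line). Not real thread data: record 1 fired 800001, record 2 no rule, record 3 another rule.
SAMPLE_ARCHIVES = r'''
{"timestamp":"2023-06-14T13:34:31.238+0000","agent":{"id":"036","name":"WOSL-RRAS-001"},"decoder":{"name":"windows_eventchannel"},"data":{"win":{"system":{"providerName":"RemoteAccess","eventID":"20271"}}},"rule":{"id":"800001","level":12,"description":"Remote Access Failure","groups":["RRAS","authentication_failed"]},"location":"EventChannel"}
{"timestamp":"2023-06-14T13:35:02.001+0000","agent":{"id":"036","name":"WOSL-RRAS-001"},"decoder":{"name":"windows_eventchannel"},"data":{"win":{"system":{"providerName":"RemoteAccess","eventID":"20271"}}},"location":"EventChannel"}
{"timestamp":"2023-06-14T13:35:09.500+0000","agent":{"id":"036","name":"WOSL-RRAS-001"},"decoder":{"name":"windows_eventchannel"},"data":{"win":{"system":{"providerName":"RemoteAccess","eventID":"20271"}}},"rule":{"id":"100999","level":3,"description":"constructed placeholder rule","groups":["windows"]},"location":"EventChannel"}
'''

def get_path(record, dotted):
    """Walk a dotted field name such as 'data.win.system.eventID' through nested dicts."""
    cur = record
    for key in dotted.split("."):
        if not isinstance(cur, dict) or key not in cur:
            return None
        cur = cur[key]
    return cur

def audit_archives(lines, field="data.win.system.eventID", value="20271", rule_id="800001"):
    """Count events where field == value and classify which rule fired on each; the
    returned dict makes any gap between 'events' and 'fired' visible at once."""
    summary = {"events": 0, "fired": 0, "no_rule": 0, "other_rules": {}}
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue  # partially written last line while analysisd is still appending
        if get_path(rec, field) != value:
            continue
        summary["events"] += 1
        fired = get_path(rec, "rule.id")
        if fired is None:
            summary["no_rule"] += 1  # event was decoded but no rule matched it
        elif fired == rule_id:
            summary["fired"] += 1
        else:
            summary["other_rules"][fired] = summary["other_rules"].get(fired, 0) + 1
    return summary

if __name__ == "__main__":
    import sys  # usage: python3 audit_archives.py [/var/ossec/logs/archives/archives.json]
    src = open(sys.argv[1], encoding="utf-8") if len(sys.argv) > 1 else SAMPLE_ARCHIVES.splitlines()
    print(audit_archives(src))
```

A non-zero 'no_rule' or 'other_rules' count for events that logtest says should hit 800001 points at the live ruleset or the parent rule chain rather than at Filebeat or the indexer.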

Mark Pearson

Jun 17, 2023, 5:01:00 AM
to Wazuh mailing list
Hi, thanks for the response. Please see below the output of each command. The tmp_alert.json file is empty after I run the cat command.

 wazuh-manager.service - Wazuh manager
     Loaded: loaded (/lib/systemd/system/wazuh-manager.service; enabled; vendor preset: enabled)
     Active: active (running) since Fri 2023-06-16 17:06:44 UTC; 15h ago
    Process: 241703 ExecStart=/usr/bin/env /var/ossec/bin/wazuh-control start (code=exited, status=0/SUCCESS)
      Tasks: 142 (limit: 18571)
     Memory: 4.1G
        CPU: 6h 57min 26.078s
     CGroup: /system.slice/wazuh-manager.service
             ├─440714 /var/ossec/framework/python/bin/python3 /var/ossec/api/scripts/wazuh-apid.py
             ├─440735 /var/ossec/bin/wazuh-integratord
             ├─440756 /var/ossec/bin/wazuh-authd
             ├─440772 /var/ossec/bin/wazuh-db
             ├─440787 /var/ossec/framework/python/bin/python3 /var/ossec/api/scripts/wazuh-apid.py
             ├─440790 /var/ossec/framework/python/bin/python3 /var/ossec/api/scripts/wazuh-apid.py
             ├─440802 /var/ossec/bin/wazuh-execd
             ├─440816 /var/ossec/bin/wazuh-maild
             ├─440822 /var/ossec/bin/wazuh-analysisd
             ├─440884 /var/ossec/bin/wazuh-syscheckd
             ├─440900 /var/ossec/bin/wazuh-remoted
             ├─440932 /var/ossec/bin/wazuh-logcollector
             ├─440961 /var/ossec/bin/wazuh-monitord
             └─441010 /var/ossec/bin/wazuh-modulesd

Jun 16 17:06:36 pnts-wazuh-001 env[241703]: Started wazuh-execd...
Jun 16 17:06:36 pnts-wazuh-001 env[241703]: Started wazuh-maild...
Jun 16 17:06:36 pnts-wazuh-001 env[241703]: Started wazuh-analysisd...
Jun 16 17:06:37 pnts-wazuh-001 env[241703]: Started wazuh-syscheckd...
Jun 16 17:06:38 pnts-wazuh-001 env[241703]: Started wazuh-remoted...
Jun 16 17:06:40 pnts-wazuh-001 env[241703]: Started wazuh-logcollector...
Jun 16 17:06:41 pnts-wazuh-001 env[241703]: Started wazuh-monitord...
Jun 16 17:06:42 pnts-wazuh-001 env[241703]: Started wazuh-modulesd...
Jun 16 17:06:44 pnts-wazuh-001 env[241703]: Completed.
Jun 16 17:06:44 pnts-wazuh-001 systemd[1]: Started Wazuh manager.

 filebeat.service - Filebeat sends log files to Logstash or directly to Elasticsearch.
     Loaded: loaded (/lib/systemd/system/filebeat.service; enabled; vendor preset: enabled)
     Active: active (running) since Thu 2023-06-15 07:45:46 UTC; 2 days ago
       Docs: https://www.elastic.co/products/beats/filebeat
   Main PID: 733 (filebeat)
      Tasks: 11 (limit: 18571)
     Memory: 33.2M
        CPU: 26min 58.637s
     CGroup: /system.slice/filebeat.service
             └─733 /usr/share/filebeat/bin/filebeat --environment systemd -c /etc/filebeat/filebeat.yml --path.home /usr/share/filebeat --path.config /etc/filebeat --path.data /var/lib/filebeat>

Jun 15 07:45:46 pnts-wazuh-001 systemd[1]: Started Filebeat sends log files to Logstash or directly to Elasticsearch..

2023/06/17 08:13:19 wazuh-integratord: ERROR: Unable to run integration for virustotal -> integrations
2023/06/17 08:13:19 wazuh-integratord: ERROR: While running virustotal -> integrations. Output: ConnectionRefusedError: [Errno 111] Connection refused
2023/06/17 08:13:19 wazuh-integratord: ERROR: Exit status was: 1
2023/06/17 08:13:20 wazuh-integratord: ERROR: Unable to run integration for virustotal -> integrations
2023/06/17 08:13:20 wazuh-integratord: ERROR: While running virustotal -> integrations. Output: ConnectionRefusedError: [Errno 111] Connection refused
2023/06/17 08:13:20 wazuh-integratord: ERROR: Exit status was: 1
2023/06/17 08:13:21 wazuh-integratord: ERROR: Unable to run integration for virustotal -> integrations
2023/06/17 08:13:21 wazuh-integratord: ERROR: While running virustotal -> integrations. Output: ConnectionRefusedError: [Errno 111] Connection refused
2023/06/17 08:13:21 wazuh-integratord: ERROR: Exit status was: 1
2023/06/17 08:13:22 wazuh-integratord: ERROR: Unable to run integration for virustotal -> integrations
2023/06/17 08:13:22 wazuh-integratord: ERROR: While running virustotal -> integrations. Output: ConnectionRefusedError: [Errno 111] Connection refused
2023/06/17 08:13:22 wazuh-integratord: ERROR: Exit status was: 1
2023/06/17 08:18:52 wazuh-modulesd:vulnerability-detector: WARNING: (5575): Unavailable vulnerability data for the agent '000' OS. Skipping it.
2023/06/17 08:24:50 wazuh-modulesd:vulnerability-detector: WARNING: (5575): Unavailable vulnerability data for the agent '000' OS. Skipping it.
2023/06/17 08:29:50 wazuh-modulesd:vulnerability-detector: WARNING: (5575): Unavailable vulnerability data for the agent '000' OS. Skipping it.
2023/06/17 08:34:51 wazuh-modulesd:vulnerability-detector: WARNING: (5575): Unavailable vulnerability data for the agent '000' OS. Skipping it.
2023/06/17 08:37:22 wazuh-modulesd:vulnerability-detector: WARNING: (5575): Unavailable vulnerability data for the agent '000' OS. Skipping it.
2023/06/17 08:42:23 wazuh-modulesd:vulnerability-detector: WARNING: (5575): Unavailable vulnerability data for the agent '000' OS. Skipping it.
2023/06/17 08:47:37 wazuh-modulesd:vulnerability-detector: WARNING: (5575): Unavailable vulnerability data for the agent '000' OS. Skipping it.
2023/06/17 08:48:27 wazuh-modulesd:vulnerability-detector: WARNING: (5575): Unavailable vulnerability data for the agent '000' OS. Skipping it.
