New agents and Rule ID 554


Stephen K

Nov 8, 2018, 3:10:39 PM
to Wazuh mailing list
Some initial background

I tried updating to the new Wazuh server package and it didn't go well. Instead of troubleshooting the issue, I decided to start from scratch by removing and re-installing wazuh-manager.

Question
When adding new agents to the Wazuh manager using the agent.conf below, I'm receiving a large number of 554 alarms.

Is this due to the alert_new_files flag, or am I missing something?

<agent_config os="Windows">
        <!-- Rootcheck - Policy monitor config -->
        <rootcheck>
                <windows_audit>./shared/win_audit_rcl.txt</windows_audit>
                <windows_apps>./shared/win_applications_rcl.txt</windows_apps>
                <windows_malware>./shared/win_malware_rcl.txt</windows_malware>
        </rootcheck>
        <!-- Syscheck - Integrity Checking config. -->
        <syscheck>
                <remove_old_diff>yes</remove_old_diff>
                <frequency>79200</frequency>
                <disabled>no</disabled>
                <alert_new_files>yes</alert_new_files>
                <directories check_all="yes">C:\Windows</directories>
                <directories check_all="yes" realtime="yes">C:\ProgramData/Microsoft/Windows/Start Menu/Programs/StartUp</directories>
                <ignore type="sregex">.log$|.htm$|.jpg$|.png$|.chm$|.pnf$|.evtx$</ignore>
                <!-- Windows files to ignore -->
                <ignore>C:\WINDOWS/System32/LogFiles</ignore>
                <ignore>C:\WINDOWS/Debug</ignore>
                <ignore>C:\WINDOWS/WindowsUpdate.log</ignore>
                <ignore>C:\WINDOWS/iis6.log</ignore>
                <ignore>C:\WINDOWS/system32/wbem/Logs</ignore>
                <ignore>C:\WINDOWS/system32/wbem/Repository</ignore>
                <ignore>C:\WINDOWS/Prefetch</ignore>
                <ignore>C:\WINDOWS/PCHEALTH/HELPCTR/DataColl</ignore>
                <ignore>C:\WINDOWS/SoftwareDistribution</ignore>
                <ignore>C:\WINDOWS/Temp</ignore>
                <ignore>C:\WINDOWS/system32/config</ignore>
                <ignore>C:\WINDOWS/system32/spool</ignore>
                <ignore>C:\WINDOWS/system32/CatRoot</ignore>
                <ignore>C:\WINDOWS/WinSxS/</ignore>
                <ignore>C:\WINDOWS/AppCompat</ignore>
                <!-- Added by Operations -->
                <ignore>C:\Windows/WID/Log</ignore>
                <ignore>C:\Windows/rescache</ignore>
                <ignore>C:\Windows/assembly</ignore>
                <ignore>C:\Windows/security/templates</ignore>
                <ignore>C:\Windows/Microsoft.NET/Framework64/v4.0.30319/Temporary ASP.NET Files</ignore>
                <ignore>C:\Windows/Logs/WindowsServerBackup</ignore>
                <ignore>C:\Windows/WinSxS</ignore>
                <ignore>C:\Windows/servicing</ignore>
                <!-- Windows registry entries to monitor. -->
                <windows_registry>HKEY_LOCAL_MACHINE\Software\Classes\batfile</windows_registry>
                <windows_registry>HKEY_LOCAL_MACHINE\Software\Classes\cmdfile</windows_registry>
                <windows_registry>HKEY_LOCAL_MACHINE\Software\Classes\comfile</windows_registry>
                <windows_registry>HKEY_LOCAL_MACHINE\Software\Classes\exefile</windows_registry>
                <windows_registry>HKEY_LOCAL_MACHINE\Software\Classes\piffile</windows_registry>
                <windows_registry>HKEY_LOCAL_MACHINE\Software\Classes\AllFilesystemObjects</windows_registry>
                <windows_registry>HKEY_LOCAL_MACHINE\Software\Classes\Directory</windows_registry>
                <windows_registry>HKEY_LOCAL_MACHINE\Software\Classes\Folder</windows_registry>
                <windows_registry>HKEY_LOCAL_MACHINE\Software\Classes\Protocols</windows_registry>
                <windows_registry>HKEY_LOCAL_MACHINE\Software\Policies</windows_registry>
                <windows_registry>HKEY_LOCAL_MACHINE\Security</windows_registry>
                <windows_registry>HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer</windows_registry>
                <windows_registry>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services</windows_registry>
                <windows_registry>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\KnownDLLs</windows_registry>
                <windows_registry>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurePipeServers\winreg</windows_registry>
                <windows_registry>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run</windows_registry>
                <windows_registry>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce</windows_registry>
                <windows_registry>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnceEx</windows_registry>
                <windows_registry>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\URL</windows_registry>
                <windows_registry>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies</windows_registry>
                <windows_registry>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows</windows_registry>
                <windows_registry>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon</windows_registry>
                <windows_registry>HKEY_LOCAL_MACHINE\Software\Microsoft\Active Setup\Installed Components</windows_registry>
                <!-- Windows registry entries to ignore. -->
                <registry_ignore>HKEY_LOCAL_MACHINE\Security\Policy\Secrets</registry_ignore>
                <registry_ignore>HKEY_LOCAL_MACHINE\Security\SAM\Domains\Account\Users</registry_ignore>
                <registry_ignore type="sregex">\Enum$</registry_ignore>
                <!-- Added by Operations -->
                <registry_ignore>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\ASP.NET_4.0.30319\Names</registry_ignore>
        </syscheck>
        <active-response>
                <disabled>yes</disabled>
        </active-response>
</agent_config>



Borja Arroba

Nov 16, 2018, 3:08:55 AM
to stephe...@gmail.com, wa...@googlegroups.com

Hello Stephen,

I'm glad to help here.

The quick answer would be that all 554 alerts have appeared because the first FIM scan has finished and the new directories have been added to monitor through agent.conf.

We can go directly to the database to find out if that is what has happened.

In /var/ossec/queue/db/<agent_id>.db you can find the FIM database of that agent.

To open the database:

sqlite3 /var/ossec/queue/db/<agent_id>.db

In the table `scan_info` we have the dates of execution of the first and last scan. The third column of this table indicates the completion date of the first scan.

sqlite> .schema scan_info
CREATE TABLE scan_info (module TEXT PRIMARY KEY, first_start INTEGER, first_end INTEGER, start_scan INTEGER, end_scan INTEGER, fim_first_check INTEGER, fim_second_check INTEGER, fim_third_check INTEGER);

sqlite> select first_end from scan_info where module='fim';

Having this reference, we can execute the following query:

sqlite> select file, date from fim_entry where date > <first_end>;

If the result of the query coincides with the alerts received, we have the answer.
Hope it helps. Regards.


--
You received this message because you are subscribed to the Google Groups "Wazuh mailing list" group.
To unsubscribe from this group and stop receiving emails from it, send an email to wazuh+un...@googlegroups.com.
To post to this group, send email to wa...@googlegroups.com.
Visit this group at https://groups.google.com/group/wazuh.
To view this discussion on the web visit https://groups.google.com/d/msgid/wazuh/6f01b532-495c-4a49-a7ef-f6db7c7796c2%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
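The reconciliation Borja sketches above (read first_end from scan_info, list the fim_entry rows dated after it, and compare them with the rule 554 alerts the manager produced) as an added Python example; this is not code from the thread or from Wazuh. It assumes the Wazuh 3.x scan_info layout quoted in the reply, reduces fim_entry to the two columns the query touches, and runs against an in-memory SQLite stand-in and constructed alert lines so it works offline. For real data, point sqlite3.connect at /var/ossec/queue/db/<agent_id>.db and feed it the lines of /var/ossec/logs/alerts/alerts.json.

```python
import json
import sqlite3
from typing import Dict, Iterable, Optional

# Table layout taken from the thread (wazuh-db per-agent database, Wazuh 3.x).
# fim_entry is reduced to the two columns the thread's query touches; the real
# table has more columns, but nothing below depends on them.
AGENT_DB_SCHEMA = """
CREATE TABLE scan_info (
    module TEXT PRIMARY KEY, first_start INTEGER, first_end INTEGER,
    start_scan INTEGER, end_scan INTEGER, fim_first_check INTEGER,
    fim_second_check INTEGER, fim_third_check INTEGER);
CREATE TABLE fim_entry (file TEXT PRIMARY KEY, date INTEGER);
"""


def first_scan_end(conn: sqlite3.Connection) -> Optional[int]:
    """scan_info.first_end for the FIM module, or None while it is still 0/missing
    (the first baseline scan has not finished, which is what Stephen saw)."""
    row = conn.execute("SELECT first_end FROM scan_info WHERE module = 'fim'").fetchone()
    return int(row[0]) if row and row[0] else None


def rule_554_paths(alert_lines: Iterable[str], agent_id: str) -> Dict[str, str]:
    """Map path -> timestamp for every rule 554 ('File added') alert of one agent,
    read from alerts.json-style lines (one JSON object per line)."""
    paths: Dict[str, str] = {}
    for line in alert_lines:
        line = line.strip()
        if not line:
            continue
        alert = json.loads(line)
        if alert["rule"]["id"] != "554" or alert["agent"]["id"] != agent_id:
            continue
        paths[alert["syscheck"]["path"]] = alert["timestamp"]
    return paths


def reconcile(conn: sqlite3.Connection, alert_lines: Iterable[str], agent_id: str) -> dict:
    """Classify each 554 alert against the agent DB:
      added_after_first_scan - fim_entry.date > first_end: a genuine post-baseline addition
      in_baseline            - the file was already in the DB when the baseline finished, so
                               the 'added' alert points at a stale DB or lost events
      not_in_db              - the manager never stored the file at all"""
    alerted = rule_554_paths(alert_lines, agent_id)
    first_end = first_scan_end(conn)
    if first_end is None:
        # 'added' alerts while the baseline never completed are the anomaly itself
        return {"scan_finished": False, "alerts_before_first_scan_finished": sorted(alerted)}
    verdict = {}
    for path in alerted:
        row = conn.execute("SELECT date FROM fim_entry WHERE file = ?", (path,)).fetchone()
        if row is None:
            verdict[path] = "not_in_db"
        elif row[0] > first_end:
            verdict[path] = "added_after_first_scan"
        else:
            verdict[path] = "in_baseline"
    return {"scan_finished": True, "first_end": first_end, "verdict": verdict}


# --- constructed sample data (not from the thread) ---------------------------
FIRST_END = 1541620000  # epoch seconds, hypothetical end of the first FIM scan


def build_sample_db(first_end: int) -> sqlite3.Connection:
    """In-memory stand-in for /var/ossec/queue/db/<agent_id>.db with two FIM rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(AGENT_DB_SCHEMA)
    conn.execute("INSERT INTO scan_info (module, first_start, first_end) VALUES ('fim', ?, ?)",
                 (max(first_end - 3600, 0), first_end))
    conn.executemany("INSERT INTO fim_entry (file, date) VALUES (?, ?)", [
        ("C:\\Windows\\System32\\drivers\\etc\\hosts", FIRST_END - 1000),  # in the baseline
        ("C:\\Users\\Public\\dropper.exe", FIRST_END + 500),               # seen after it
    ])
    return conn


def _alert(agent_id: str, path: str, ts: str) -> str:
    """One constructed rule 554 alert line in the shape of the one quoted in the thread."""
    return json.dumps({"timestamp": ts,
                       "rule": {"level": 5, "description": "File added to the system.", "id": "554"},
                       "agent": {"id": agent_id, "name": "host"},
                       "syscheck": {"path": path, "event": "added"}})


SAMPLE_ALERTS = [
    _alert("002", "C:\\Users\\Public\\dropper.exe", "2018-11-07T16:45:55.255-0500"),
    _alert("002", "C:\\Windows\\System32\\drivers\\etc\\hosts", "2018-11-07T16:45:56.001-0500"),
    _alert("002", "C:\\Windows\\Temp\\x.tmp", "2018-11-07T16:45:57.117-0500"),
    _alert("003", "C:\\Users\\Public\\other.exe", "2018-11-07T16:46:00.000-0500"),  # other agent
]

if __name__ == "__main__":
    print(reconcile(build_sample_db(FIRST_END), SAMPLE_ALERTS, "002"))
    print(reconcile(build_sample_db(0), SAMPLE_ALERTS, "002"))  # first scan still running
```

Paths that come back as in_baseline or not_in_db are the ones to chase. The alert Stephen quotes later in the thread is for a file under C:\Windows\WinSxS, a tree the posted agent.conf lists twice in <ignore>, so before tuning anything else it is also worth confirming that the shared ignore list is actually reaching that agent.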

Stephen K

Nov 16, 2018, 10:33:21 AM
to Wazuh mailing list
Firstly, I would like to thank you for assisting me, Borja.

I set up a new agent and added it to the manager, ran the sqlite command, and it returned the value 0:

sqlite> select first_end from scan_info where module='fim';
0

Borja Arroba

Nov 16, 2018, 11:18:07 AM
to Stephen Keeler, wa...@googlegroups.com
Hi Stephen,

If you have just added the new agent, the most likely explanation is that the scan has not finished, and if it has not finished, that value will remain at 0.

Also, I've seen that you have `C:\Windows` in the configuration; that's a lot of directories. Taking into account the default configuration of FIM:

> syscheck.sleep=1
> syscheck.sleep_after=100

There is a 1-second wait for every 100 files, so it is normal that it takes a little while.

What would not be normal is that you now have 554 alerts for that agent. Is that so?

Regards.


Stephen K

Nov 16, 2018, 1:05:00 PM
to Wazuh mailing list
> What would not be normal is that you now have 554 alerts for that agent. Is that so?

That's correct. When adding a new agent on the manager, I'm getting these alerts.


{"timestamp":"2018-11-07T16:45:55.255-0500","rule":{"level":5,"description":"File added to the system.","id":"554","firedtimes":95601,"mail":false,"groups":["ossec","syscheck"],"pci_dss":["11.5"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"002","name":"SANITIZED","ip":"SANITIZED"},"manager":{"name":"SANITIZED"},"id":"1541627155.226259532","full_log":"New file 'C:\\Windows\\WinSxS\\x86_windows-media-speechsynthesis-winrt_31bf3856ad364e35_6.3.9600.17415_none_148a01188942cbc3\\xml.xsd' added to the file system.\n","syscheck":{"path":"C:\\Windows\\WinSxS\\x86_windows-media-speechsynthesis-winrt_31bf3856ad364e35_6.3.9600.17415_none_148a01188942cbc3\\xml.xsd","size_after":"10205","perm_after":"100666","uid_after":"S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464","md5_after":"79f05e58d3ac430625bacf952f55b857","sha1_after":"e2399d6447ad9084ee5db3c35afe4b9a67781d7d","sha256_after":"c58ef0320d55ed3dba9d6665ae984326a82beb46cb56472ad4c22d6dc15e07ea","uname_after":"TrustedInstaller","mtime_after":"2013-06-18T07:36:03","event":"added"},"decoder":{"name":"syscheck_integrity_changed"},"location":"syscheck"}

Borja Arroba

Nov 26, 2018, 9:29:45 AM
to Stephen Keeler, wa...@googlegroups.com

Hello Stephen,

Sorry for the late response.

I've been trying to replicate the problem and haven't got any ADD alerts. I think the problem is that there was a previous FIM scan and the alerts are subsequent to this scan.

Is it possible that the agent is older than 3.7.0? If so, to check that there are no false positives I would do the following:
In Agent: Stop the wazuh agent:

ossec/bin/ossec-control stop

In Manager: Delete that agent's database on the manager (FIM and Syscollector records from previous scans will be lost):

rm /var/ossec/queue/db/<id-agent-windows>.db

In Agent: Restart the agent:

ossec/bin/ossec-control start

Now the FIM scan will start again and ADD alerts should NOT appear.

IMPORTANT NOTE:
It is possible that, when there are so many FIM events, the agent queue will be flooded. In this case an alert with id 202 will appear in the manager when the queue is full to a high percentage, and one with id 203 when it is already full; in that case the agent has lost events, which could cause ADD alerts to appear in the next scan because the manager did not receive those events.

This can be solved by increasing the waiting time after a certain number of FIM events; in internal_options.conf, increase the value of:

syscheck.sleep=1 (by default)

For example, double it. This way it will wait 2 seconds every 100 events.

Hope it helps. Regards.

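The queue-flood pattern Borja describes (a rule 202/203 alert followed, on the next scan, by a burst of rule 554 alerts because the manager never received the original events) as an added Python example; this is not code from the thread or from Wazuh. It reads alerts.json-style lines, correlates flood alerts and ADD alerts per agent, and includes a small helper that turns the quoted syscheck.sleep / syscheck.sleep_after values into the total pause a scan spends sleeping, so the effect of doubling syscheck.sleep on scan time can be estimated. The rule IDs come from the thread; the 24-hour window, the 50-alert threshold and the alert stream are constructed assumptions to adjust.

```python
import json
from datetime import datetime, timedelta, timezone
from typing import Dict, Iterable, List

# Rule IDs as named in the thread: 202/203 = agent event queue nearly/completely
# full, 554 = file added. Adjust if your ruleset numbers them differently.
FLOOD_RULES = {"202", "203"}
ADD_RULE = "554"
TS_FORMAT = "%Y-%m-%dT%H:%M:%S.%f%z"  # alerts.json style: 2018-11-07T16:45:55.255-0500


def parse_ts(ts: str) -> datetime:
    return datetime.strptime(ts, TS_FORMAT)


def flood_then_add_report(alert_lines: Iterable[str], window: timedelta = timedelta(hours=24),
                          min_adds: int = 50) -> Dict[str, dict]:
    """Per agent: count rule 554 alerts and how many fall within `window` after a
    202/203 queue-flood alert. A burst of >= min_adds such alerts is flagged as the
    'events lost, files re-added on the next scan' pattern from the thread."""
    floods: Dict[str, List[datetime]] = {}
    adds: Dict[str, List[datetime]] = {}
    for line in alert_lines:
        line = line.strip()
        if not line:
            continue
        alert = json.loads(line)
        agent, rule_id = alert["agent"]["id"], alert["rule"]["id"]
        ts = parse_ts(alert["timestamp"])
        if rule_id in FLOOD_RULES:
            floods.setdefault(agent, []).append(ts)
        elif rule_id == ADD_RULE:
            adds.setdefault(agent, []).append(ts)
    report = {}
    for agent in sorted(set(floods) | set(adds)):
        flood_ts = sorted(floods.get(agent, []))
        add_ts = sorted(adds.get(agent, []))
        after_flood = [t for t in add_ts if any(f <= t <= f + window for f in flood_ts)]
        report[agent] = {
            "flood_alerts": len(flood_ts),
            "adds_total": len(add_ts),
            "adds_after_flood": len(after_flood),
            "likely_lost_events": len(after_flood) >= min_adds,
        }
    return report


def scan_pause_seconds(n_files: int, sleep: int = 1, sleep_after: int = 100) -> int:
    """Total time syscheck spends sleeping in one scan with the internal_options values
    quoted in the thread (syscheck.sleep seconds after every syscheck.sleep_after files)."""
    return (n_files // sleep_after) * sleep


# --- constructed sample alert stream (not from the thread) ---------------------
def _alert(agent_id: str, rule_id: str, ts: datetime, path: str = "") -> str:
    body = {"timestamp": ts.strftime(TS_FORMAT), "rule": {"id": rule_id},
            "agent": {"id": agent_id, "name": "host"}}
    if path:
        body["syscheck"] = {"path": path, "event": "added"}
    return json.dumps(body)


T0 = datetime(2018, 11, 7, 16, 45, 55, 255000, tzinfo=timezone(timedelta(hours=-5)))
SAMPLE_ALERTS: List[str] = [_alert("002", "203", T0)]  # agent 002's queue filled up ...
SAMPLE_ALERTS += [_alert("002", "554", T0 + timedelta(hours=1, seconds=i),
                         f"C:\\Windows\\WinSxS\\pkg_{i}\\manifest.xml") for i in range(60)]
SAMPLE_ALERTS += [_alert("003", "554", T0 + timedelta(minutes=i),  # ... 003 just added a few files
                         f"C:\\Users\\Public\\file_{i}.txt") for i in range(10)]

if __name__ == "__main__":
    for agent, row in flood_then_add_report(SAMPLE_ALERTS).items():
        print(agent, row)
    print("pause, default sleep:", scan_pause_seconds(200000), "s;",
          "doubled sleep:", scan_pause_seconds(200000, sleep=2), "s")
```

Run it over the lines of /var/ossec/logs/alerts/alerts.json for real data; an agent flagged likely_lost_events is a candidate for the DB reset above plus a larger syscheck.sleep. One caveat the thread does not spell out: the agent here is a Windows host, so the stop/start step is done on the Wazuh agent service rather than with ossec-control; on 3.x Windows agents that service is OssecSvc (net stop OssecSvc / net start OssecSvc), which is taken from the Wazuh documentation rather than from this thread.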