Writing a rule for correlation


Jayakrishnan P

Feb 28, 2023, 5:57:30 AM
to Wazuh mailing list
Hi all,
I was writing a rule which will get fired depending upon two other rules.

<rule id="10010" level="3">
    <decoded_as>json</decoded_as>
    <match>suspicious</match>
    <description>FIREWALL1 suspecious traffic</description>
</rule>

<rule id="10011" level="3">
    <decoded_as>json</decoded_as>
    <match>failure</match>
    <description>Host1 login failure</description>
</rule>

<rule id="10012" level="10" frequency="5" timeframe="20">
    <if_sid>10010</if_sid>
    <if_matched_sid>10011</if_matched_sid>
    <same_srcip/>
    <description>Multiple login failure from suspecious traffic</description>
</rule>

What I want is for rule 10012 to fire when rule 10010 fires first and then rule 10011 fires 4 times within 20 seconds.

I am not able to write the rule, as it will be fired when the rule that fires multiple times (10011) comes second. I have to put the rule that fires multiple times inside the <if_matched_sid> tag, right? The if_matched_sid tag seems to be checked before <if_sid>.

Is there any way I can achieve what I need?

Thanks
Jayakrishnan 

Christian Borla

Feb 28, 2023, 6:49:15 AM
to Wazuh mailing list
Hi Jayakrishnan P!
I will be trying to reproduce this case. I will come back as soon as possible with more information.
Regards.

Christian Borla

Feb 28, 2023, 10:14:07 AM
to Wazuh mailing list
Hi Jayakrishnan!

I think it could be possible with some changes. First, to make a rule trigger on 2 different rules, I made it work by matching on rule id and group (you can customise group names), adding <group>suspicious_event</group> to rule 10010. Then I split the 4-times frequency into another rule, as a previous check, only for one rule, and finally included both checks in a time-range rule.

Rules:

<rule id="10010" level="3">
    <decoded_as>json</decoded_as>
    <match>suspicious</match>
    <description>FIREWALL1 suspecious traffic</description>
    <group>suspicious_event</group>
</rule>

<rule id="10011" level="3">
    <decoded_as>json</decoded_as>
    <match>failure</match>
    <description>Host1 login failure</description>
</rule>

<rule id="10012" level="6" frequency="4" timeframe="20">
    <if_matched_sid>10011</if_matched_sid>
    <same_srcip/>
    <description>Multiple Host1 login failure</description>
</rule>

<rule id="10013" level="10" timeframe="20">
    <if_matched_sid>10012</if_matched_sid>
    <if_group>suspicious_event</if_group>
    <same_srcip/>
    <description>Multiple login failure from suspecious traffic</description>
</rule>

I don't have any example logs to test it; let me know if that works.
Regards.

Jayakrishnan P

Mar 1, 2023, 12:12:36 AM
to Wazuh mailing list
Thanks a lot Christian for your effort. I tried the mentioned scenario with your rules. It didn't work as expected. My scenario is that one firewall1 suspicious traffic event comes first and then the four Host1 login failures. I was able to write rules for when the 4 login failures come first.

Thanks
Jayakrishnan

Jayakrishnan P

Mar 1, 2023, 2:54:36 AM
to Wazuh mailing list
Host1 sample log:
{"date":"03/01/2023 10:37:18","srcip":"192.168.1.23","name":"Host1","login":"failure"}

Firewall1 sample log:
{"date":"03/01/2023 10:37:20","srcip":"192.168.1.23","name":"FIREWALL1","status":"suspicious"}

Christian Borla

Mar 1, 2023, 5:20:31 PM
to Wazuh mailing list
Hi Jayakrishnan!
I have been testing the scenario and custom rules. I did the following tests.

Test #1
Four "login":"failure" events, followed by one "status":"suspicious" event:

{"date":"03/01/2023 10:37:18","srcip":"192.168.1.23","name":"Host1","login":"failure"}

**Phase 1: Completed pre-decoding.
    full event: '{"date":"03/01/2023 10:37:18","srcip":"192.168.1.23","name":"Host1","login":"failure"}'

**Phase 2: Completed decoding.
    name: 'json'
    date: '03/01/2023 10:37:18'
    login: 'failure'
    name: 'Host1'
    srcip: '192.168.1.23'

**Phase 3: Completed filtering (rules).
    id: '10011'                                   <--------- first "login":"failure", generate event 10011
    level: '3'
    description: 'Host1 login failure'
    groups: '['local', 'syslog', 'sshd']'
    firedtimes: '1'
    mail: 'False'
**Alert to be generated.


{"date":"03/01/2023 10:37:18","srcip":"192.168.1.23","name":"Host1","login":"failure"}

**Phase 1: Completed pre-decoding.
    full event: '{"date":"03/01/2023 10:37:18","srcip":"192.168.1.23","name":"Host1","login":"failure"}'

**Phase 2: Completed decoding.
    name: 'json'
    date: '03/01/2023 10:37:18'
    login: 'failure'
    name: 'Host1'
    srcip: '192.168.1.23'

**Phase 3: Completed filtering (rules).
    id: '10011'                                   <--------- second "login":"failure", generate event 10011
    level: '3'
    description: 'Host1 login failure'
    groups: '['local', 'syslog', 'sshd']'
    firedtimes: '2'
    mail: 'False'
**Alert to be generated.


{"date":"03/01/2023 10:37:18","srcip":"192.168.1.23","name":"Host1","login":"failure"}

**Phase 1: Completed pre-decoding.
    full event: '{"date":"03/01/2023 10:37:18","srcip":"192.168.1.23","name":"Host1","login":"failure"}'

**Phase 2: Completed decoding.
    name: 'json'
    date: '03/01/2023 10:37:18'
    login: 'failure'
    name: 'Host1'
    srcip: '192.168.1.23'

**Phase 3: Completed filtering (rules).
    id: '10011'                                   <--------- third "login":"failure", generate event 10011
    level: '3'
    description: 'Host1 login failure'
    groups: '['local', 'syslog', 'sshd']'
    firedtimes: '3'
    mail: 'False'
**Alert to be generated.


{"date":"03/01/2023 10:37:18","srcip":"192.168.1.23","name":"Host1","login":"failure"}

**Phase 1: Completed pre-decoding.
    full event: '{"date":"03/01/2023 10:37:18","srcip":"192.168.1.23","name":"Host1","login":"failure"}'

**Phase 2: Completed decoding.
    name: 'json'
    date: '03/01/2023 10:37:18'
    login: 'failure'
    name: 'Host1'
    srcip: '192.168.1.23'

**Phase 3: Completed filtering (rules).
    id: '10012'                                         <---------------- After fires 4 times "login":"failure", it triggers event 10012.
    level: '6'
    description: 'Multiple Host1 login failure'
    groups: '['local', 'syslog', 'sshd']'
    firedtimes: '2'
    frequency: '4'
    mail: 'False'
**Alert to be generated.


{"date":"03/01/2023 10:37:20","srcip":"192.168.1.23","name":"FIREWALL1","status":"suspicious"}

**Phase 1: Completed pre-decoding.
    full event: '{"date":"03/01/2023 10:37:20","srcip":"192.168.1.23","name":"FIREWALL1","status":"suspicious"}'

**Phase 2: Completed decoding.
    name: 'json'
    date: '03/01/2023 10:37:20'
    name: 'FIREWALL1'
    srcip: '192.168.1.23'
    status: 'suspicious'

**Phase 3: Completed filtering (rules).
    id: '10013'                                       <----------------- If the event "status": "suspicious" is triggered before the 20 second timeout, the level 10 alert is generated.
    level: '10'
    description: 'Multiple login failure from suspecious traffic'
    groups: '['local', 'syslog', 'sshd']'
    firedtimes: '1'
    frequency: '2'
    mail: 'False'
**Alert to be generated.

If the timeout expires, it will fire rule 10010 with the suspicious event.

The sequence of 4 login failure events (in a 20-second span), followed by a FIREWALL1 "status":"suspicious" event, generates a level 10 alert, rule 10013.
It's working as the example shows.


Test #2

One firewall1 suspicious traffic event comes first and then the four Host1 login failures.

I made some changes to make it work as you need (one firewall1 suspicious traffic event comes first and then the four Host1 login failures); set the following rule configuration.


<rule id="10010" level="3">
    <decoded_as>json</decoded_as>
    <match>suspicious</match>
    <description>FIREWALL1 suspecious traffic</description>
</rule>

<rule id="10011" level="3">
    <decoded_as>json</decoded_as>
    <match>failure</match>
    <description>Host1 login failure</description>
</rule>

<rule id="10012" level="6" frequency="4" timeframe="20">
    <if_matched_sid>10011</if_matched_sid>
    <group>suspicious_event</group>
    <same_srcip/>
    <description>Multiple Host1 login failure</description>
</rule>

<rule id="10013" level="10" timeframe="30">
    <if_matched_sid>10010</if_matched_sid>
    <if_group>suspicious_event</if_group>
    <same_srcip/>
    <description>Multiple login failure from suspecious traffic</description>
</rule>

Wazuh-logtest

/var/ossec/bin/wazuh-logtest
Type one log per line


{"date":"03/01/2023 10:37:20","srcip":"192.168.1.23","name":"FIREWALL1","status":"suspicious"}

**Phase 1: Completed pre-decoding.
    full event: '{"date":"03/01/2023 10:37:20","srcip":"192.168.1.23","name":"FIREWALL1","status":"suspicious"}'

**Phase 2: Completed decoding.
    name: 'json'
    date: '03/01/2023 10:37:20'
    name: 'FIREWALL1'
    srcip: '192.168.1.23'
    status: 'suspicious'

**Phase 3: Completed filtering (rules).
    id: '10010'
    level: '3'
    description: 'FIREWALL1 suspecious traffic'
    groups: '['local', 'syslog', 'sshd']'
    firedtimes: '1'
    mail: 'False'
**Alert to be generated.


{"date":"03/01/2023 10:37:18","srcip":"192.168.1.23","name":"Host1","login":"failure"}

**Phase 1: Completed pre-decoding.
    full event: '{"date":"03/01/2023 10:37:18","srcip":"192.168.1.23","name":"Host1","login":"failure"}'

**Phase 2: Completed decoding.
    name: 'json'
    date: '03/01/2023 10:37:18'
    login: 'failure'
    name: 'Host1'
    srcip: '192.168.1.23'

**Phase 3: Completed filtering (rules).
    id: '10011'
    level: '3'
    description: 'Host1 login failure'
    groups: '['local', 'syslog', 'sshd']'
    firedtimes: '1'
    mail: 'False'
**Alert to be generated.


{"date":"03/01/2023 10:37:18","srcip":"192.168.1.23","name":"Host1","login":"failure"}

**Phase 1: Completed pre-decoding.
    full event: '{"date":"03/01/2023 10:37:18","srcip":"192.168.1.23","name":"Host1","login":"failure"}'

**Phase 2: Completed decoding.
    name: 'json'
    date: '03/01/2023 10:37:18'
    login: 'failure'
    name: 'Host1'
    srcip: '192.168.1.23'

**Phase 3: Completed filtering (rules).
    id: '10011'
    level: '3'
    description: 'Host1 login failure'
    groups: '['local', 'syslog', 'sshd']'
    firedtimes: '2'
    mail: 'False'
**Alert to be generated.


{"date":"03/01/2023 10:37:18","srcip":"192.168.1.23","name":"Host1","login":"failure"}

**Phase 1: Completed pre-decoding.
    full event: '{"date":"03/01/2023 10:37:18","srcip":"192.168.1.23","name":"Host1","login":"failure"}'

**Phase 2: Completed decoding.
    name: 'json'
    date: '03/01/2023 10:37:18'
    login: 'failure'
    name: 'Host1'
    srcip: '192.168.1.23'

**Phase 3: Completed filtering (rules).
    id: '10011'
    level: '3'
    description: 'Host1 login failure'
    groups: '['local', 'syslog', 'sshd']'
    firedtimes: '3'
    mail: 'False'
**Alert to be generated.


{"date":"03/01/2023 10:37:18","srcip":"192.168.1.23","name":"Host1","login":"failure"}

**Phase 1: Completed pre-decoding.
    full event: '{"date":"03/01/2023 10:37:18","srcip":"192.168.1.23","name":"Host1","login":"failure"}'

**Phase 2: Completed decoding.
    name: 'json'
    date: '03/01/2023 10:37:18'
    login: 'failure'
    name: 'Host1'
    srcip: '192.168.1.23'

**Phase 3: Completed filtering (rules).
    id: '10013'
    level: '10'
    description: 'Multiple login failure from suspecious traffic'
    groups: '['local', 'syslog', 'sshd']'
    firedtimes: '1'
    frequency: '2'
    mail: 'False'
**Alert to be generated.

Let me know if that works for you.
Regards.
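
To make the ordering behaviour of these two tests concrete, here is a small Python model of the rule chaining used above (if_matched_sid, if_group, frequency, timeframe, same_srcip). It is an added example written for this thread, not Wazuh's analysisd and not Christian's rules; its assumptions are that <match> is a plain substring search, that chained rules are evaluated in file order and each may upgrade the event's match, that the current event counts toward frequency, and that the window is measured on an arrival clock the caller supplies rather than on the log's date field. It replays the Test #2 ruleset over the two sample logs from the thread in both orders, and also goes one step beyond the thread by showing what happens when the firewall event falls outside timeframe="30".

```python
"""Toy model of Wazuh-style rule chaining, written for this thread.

Simplifications (assumptions of the model, not facts about analysisd):
- <match> is a substring test on the raw log line.
- Base rules (those with <match>) are tried first; chained rules then run
  in file order and may upgrade the event's match.
- frequency counts earlier alerts of if_matched_sid plus the current event
  when it matched that sid itself.
- timeframe is measured on an arrival clock (seconds) passed by the caller.
"""
import json
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Tuple


@dataclass
class Rule:
    sid: int
    level: int
    description: str
    match: Optional[str] = None           # <match>: substring the raw log must contain
    groups: FrozenSet[str] = frozenset()  # <group>
    if_group: Optional[str] = None        # <if_group>: group the current match must carry
    if_matched_sid: Optional[int] = None  # <if_matched_sid>: sid required in recent history
    frequency: int = 1                    # hits of if_matched_sid required (default: one)
    timeframe: float = 0                  # seconds of history to consider (0 = unlimited)
    same_srcip: bool = False              # <same_srcip/>


@dataclass
class Alert:
    sid: int
    srcip: str
    seen_at: float  # arrival clock, seconds


class Correlator:
    def __init__(self, rules: List[Rule]):
        self.rules = rules
        self.history: List[Alert] = []

    def _hits(self, rule: Rule, srcip: str, now: float) -> int:
        """Count earlier alerts satisfying rule's if_matched_sid/same_srcip/timeframe."""
        return sum(
            1 for a in self.history
            if a.sid == rule.if_matched_sid
            and (not rule.same_srcip or a.srcip == srcip)
            and (rule.timeframe == 0 or now - a.seen_at <= rule.timeframe)
        )

    def process(self, line: str, now: float) -> Optional[int]:
        """Return the sid of the alert raised for this log line, or None."""
        srcip = json.loads(line)["srcip"]
        # Phase 1: the first base rule whose <match> is in the line wins.
        matched = next((r for r in self.rules if r.match and r.match in line), None)
        if matched is None:
            return None
        # Phase 2: chained rules, in file order, may upgrade the match.
        for r in self.rules:
            if r.match:
                continue
            if r.if_group and r.if_group not in matched.groups:
                continue
            if r.if_matched_sid is not None:
                hits = self._hits(r, srcip, now)
                if matched.sid == r.if_matched_sid:
                    hits += 1  # the current event is one of the occurrences
                if hits < r.frequency:
                    continue
            matched = r
        self.history.append(Alert(matched.sid, srcip, now))
        return matched.sid


# Christian's Test #2 ruleset, transcribed into the model.
TEST2_RULES = [
    Rule(10010, 3, "FIREWALL1 suspicious traffic", match="suspicious"),
    Rule(10011, 3, "Host1 login failure", match="failure"),
    Rule(10012, 6, "Multiple Host1 login failure", if_matched_sid=10011,
         frequency=4, timeframe=20, same_srcip=True,
         groups=frozenset({"suspicious_event"})),
    Rule(10013, 10, "Multiple login failure from suspicious traffic",
         if_matched_sid=10010, timeframe=30, if_group="suspicious_event",
         same_srcip=True),
]

# The two sample logs posted in the thread (constructed test input).
FW = '{"date":"03/01/2023 10:37:20","srcip":"192.168.1.23","name":"FIREWALL1","status":"suspicious"}'
HOST = '{"date":"03/01/2023 10:37:18","srcip":"192.168.1.23","name":"Host1","login":"failure"}'


def replay(events: List[Tuple[float, str]], rules: List[Rule] = TEST2_RULES) -> List[Optional[int]]:
    """Feed (arrival_seconds, line) pairs in order; return the sid raised for each."""
    c = Correlator(rules)
    return [c.process(line, t) for t, line in events]


if __name__ == "__main__":
    # Firewall first, then four failures inside the window: 10013 on the 4th failure.
    print(replay([(0, FW), (1, HOST), (2, HOST), (3, HOST), (4, HOST)]))
    # Failures first, firewall last: 10012 on the 4th failure, then a plain 10010.
    print(replay([(0, HOST), (1, HOST), (2, HOST), (3, HOST), (4, FW)]))
    # Firewall event 31 s before the 4th failure: outside timeframe="30", so only 10012.
    print(replay([(0, FW), (20, HOST), (25, HOST), (28, HOST), (31, HOST)]))
```

The second replay is the situation from the first post: with 10013 keyed on a past 10010 alert, the failures-first order never reaches level 10, because at the 4th failure there is no 10010 in history yet and the later firewall event is only a plain 10010. The third replay shows the check a practitioner should add to any wazuh-logtest session: the same event order, with the firewall event older than timeframe, silently degrades to 10012.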

Jayakrishnan P

Mar 1, 2023, 11:07:31 PM
to Wazuh mailing list
Thanks a lot Christian. That worked. Now I am getting what I want. Thanks again for your efforts. I didn't know I could use the if_group tag for this. Thanks for teaching me.

Regards
Jayakrishnan

Christian Borla

Mar 3, 2023, 6:19:17 AM
to Wazuh mailing list
Hi Jayakrishnan.
You are welcome!!
Regards!