Sysmon - Event 3: Network connection to 127.0.0.1

121 views
Skip to first unread message

Viacheslav

unread,
Apr 10, 2024, 9:22:40 AMApr 10
to Wazuh | Mailing List
Hello, 
We receive thousands of logs from sysmon: "Sysmon - Event 3: Network connection to 127.0.0.1:61379 by C:\\Program Files\\Lens\\Lens.exe"
How to exclude this log?
I tried to create exclusion in agent.conf bu receive error, so something wrong there. May be some one can help with this? My "broken" exclusion added:
<localfile>
    <log_format>eventchannel</log_format>
    <query>Event[System[Provider[@Name='Microsoft-Windows-Sysmon'] and (EventID=3)]] and not (EventData[Data[@Name='DestinationIp'] and (Data='127.0.0.1')])</query>
</localfile>

J. Rome

unread,
Apr 10, 2024, 10:54:54 AMApr 10
to Wazuh | Mailing List
Hello Viacheslav,

Can you share the error message you're getting?

You could also specify the location to look into sysmon with:
<location>Microsoft-Windows-Sysmon/Operational</location>

Viacheslav

unread,
Apr 10, 2024, 3:02:36 PMApr 10
to Wazuh | Mailing List
Error on screenshot. 
The problem with flooded sysmon logs. I already excluded eventID = 4673 but dont know what to do with connections to local host 127.0.0.1. We used docker/kuber and this software generate annormous numbers of logs in sysmon. Ofc I can just shutdown all  Sysmon - Event 3 logs using <query></query> but realy dont wont, and hope someone can help me :)
середу, 10 квітня 2024 р. о 17:54:54 UTC+3 J. Rome пише:
2024-04-10 215323.png

J. Rome

unread,
Apr 11, 2024, 8:05:55 AMApr 11
to Wazuh | Mailing List
Hi again,

The error says that the <location> tag is missing. Have you tried adding it? As in:
<location>Microsoft-Windows-Sysmon/Operational</location>

Viacheslav

unread,
Apr 11, 2024, 9:32:51 AMApr 11
to Wazuh | Mailing List

Hello, 

Add <location>Microsoft-Windows-Sysmon/Operational</location>, so rule looks like:

<localfile>

        <location>Microsoft-Windows-Sysmon/Operational</location>

        <log_format>eventchannel</log_format>

        <query>Event[System[Provider[@Name='Microsoft-Windows-Sysmon'] and (EventID=3)]] and not (EventData[Data[@Name='DestinationIp'] and (Data='127.0.0.1')])</query>

    </localfile>

No errors, but now I don’t receive all sysmon event 3 logs, not only DestinationIp='127.0.0.1'

Looks like Wazuh don’t understand part after EventID=3

Tried and not (EventData[Data[@Name='DestinationIp'] and (Data='127.0.0.1')])

Tried and (EventData[Data[@Name='DestinationIp'] and (Data='127.0.0.1')])

With same result.

Thanks for your help.
четвер, 11 квітня 2024 р. о 15:05:55 UTC+3 J. Rome пише:

J. Rome

unread,
Apr 15, 2024, 1:11:25 PMApr 15
to Wazuh | Mailing List

hi Viacheslav, sorry for the delay in getting back to you.

Could you try the following configuration to check that you're getting events with the expected id?

<localfile>
        <location>Microsoft-Windows-Sysmon/Operational</location>
        <log_format>eventchannel</log_format>
        <query>Event[System/EventID = 3]</query>
</localfile>

By the way, have you seen this blog post on how to setup sysmon? https://wazuh.com/blog/using-wazuh-to-monitor-sysmon-events/

Also, can you share with us one of the original events you want to filter (the xml or json logged event) and your ossec.log file? (please hide any sensitive data)

Thank you.





Viacheslav

unread,
Apr 16, 2024, 4:51:56 AMApr 16
to Wazuh | Mailing List

Hello,

Your rule:

<localfile>
        <location>Microsoft-Windows-Sysmon/Operational</location>
        <log_format>eventchannel</log_format>

        <query>Event[System/EventID = 3]</query>
</localfile>

do nothing, for suppressing all EventID = 3 you must change <query> part to:

<query>Event/System[EventID != 3]</query>

With lack of documentation, I’m tried a lot of different variants and this looks like the best.

But problems begin when you need to specify not all EventID = 3 but EventID = 3 + IP (127.0.0.1)

Ofc you can silence this event using rule with level = 0, but I don’t need to store hundreds of billions of events on server (One PC with Kubernetes generate ~1000-2000 events per 10 sec)

May be there is some solution how to ignore all events from Programs\\\\Lens\\\\Lens.exe if this possible.

Original massage added:

{"true":1713256214.809649,"timestamp":"2024-04-16T08:30:14.794+0000","rule":{"level":3,"description":"Sysmon - Event 3: Network connection to 127.0.0.1:65503 by C:\\\\Users\\\\ \\\\AppData\\\\Local\\\\Programs\\\\Lens\\\\Lens.exe","id":"61605","firedtimes":39125,"mail":false,"groups":["windows","sysmon","sysmon_event3"]},"agent":{"id":"013","name":"sb159","ip":"10.14.2.26","labels":{"customer":"zaritskyi"}},"manager":{"name":"wazuhserver"},"id":"1713256214.2278996538","decoder":{"name":"windows_eventchannel"},"data":{"win":{"system":{"providerName":"Microsoft-Windows-Sysmon","providerGuid":"{5770385f-c22a-43e0-bf4c-06f5698ffbd9}","eventID":"3","version":"5","level":"4","task":"3","opcode":"0","keywords":"0x8000000000000000","systemTime":"2024-04-16T08:30:13.5386528Z","eventRecordID":"798566980","processID":"5204","threadID":"5432","channel":"Microsoft-Windows-Sysmon/Operational","computer":"","severityValue":"INFORMATION","message":"\"Network connection detected:\r\nRuleName: -\r\nUtcTime: 2024-04-16 08:30:15.770\r\nProcessGuid: {c3656c19-cd33-661c-7424-00000000b101}\r\nProcessId: 7772\r\nImage: C:\\Users\\ \\AppData\\Local\\Programs\\Lens\\Lens.exe\r\nUser: IT\\ \r\nProtocol: tcp\r\nInitiated: true\r\nSourceIsIpv6: false\r\nSourceIp: 127.0.0.1\r\nSourceHostname: sb159.it.ua\r\nSourcePort: 58475\r\nSourcePortName: -\r\nDestinationIsIpv6: false\r\nDestinationIp: 127.0.0.1\r\nDestinationHostname: sb159.it.ua\r\nDestinationPort: 65503\r\nDestinationPortName: -\""},"eventdata":{"utcTime":"2024-04-16 08:30:15.770","processGuid":"{c3656c19-cd33-661c-7424-00000000b101}","processId":"7772","image":"C:\\\\Users\\\\ \\\\AppData\\\\Local\\\\Programs\\\\Lens\\\\Lens.exe","user":"","protocol":"tcp","initiated":"true","sourceIsIpv6":"false","sourceIp":"127.0.0.1","sourceHostname":"","sourcePort":"58475","destinationIsIpv6":"false","destinationIp":"127.0.0.1","destinationHostname":"","destinationPort":"65503"}}},"location":"EventChannel"}


понеділок, 15 квітня 2024 р. о 20:11:25 UTC+3 J. Rome пише:

J. Rome

unread,
Apr 16, 2024, 4:17:21 PMApr 16
to Wazuh | Mailing List
Could you please provide the original XML event before it goes through any filters, as well as the ossec.log file? This will help ensure that everything is being captured correctly. Also, could you send it in debug mode? Thank you!

Viacheslav

unread,
Apr 17, 2024, 5:19:37 AMApr 17
to Wazuh | Mailing List
Hello, I cant provide xml from OS with this event, but add json from discovery. What ossec.log you need, from serve or agent? And debug mode controlled from /var/ossec/etc/internal_options.conf? If yes so what you need windows.debug=2 or else? May be you can say if some one tried to create same type of ryle for supressing agent logs? May be not for IP but for process_image?Its looks like common task in my perspective, but I more experiensed with commertial solutions :(
вівторок, 16 квітня 2024 р. о 23:17:21 UTC+3 J. Rome пише:
log.txt
Message has been deleted

J. Rome

unread,
Apr 17, 2024, 11:59:52 AMApr 17
to Wazuh | Mailing List
Hello again,

Using this tool xml as example:

<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
    <System>
        <Provider Name="Microsoft-Windows-Sysmon" Guid="{5770385F-C22A-43E0-BF4C-06F5698FFBD9}" />
        <EventID>3</EventID>
        <Version>5</Version>
        <Level>4</Level>
        <Task>3</Task>
        <Opcode>0</Opcode>
        <Keywords>0x8000000000000000</Keywords>
        <TimeCreated SystemTime="2017-04-28T22:12:23.657698300Z" />
        <EventRecordID>10953</EventRecordID>
        <Correlation />
        <Execution ProcessID="3216" ThreadID="3976" />
        <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
        <Computer>rfsH.lab.local</Computer>
        <Security UserID="S-1-5-18" />
    </System>
    <EventData>
        <Data Name="RuleName">RDP</Data>
        <Data Name="UtcTime">2017-04-28 22:12:22.557</Data>
        <Data Name="ProcessGuid">{A23EAE89-BD28-5903-0000-00102F345D00}</Data>
        <Data Name="ProcessId">13220</Data>
        <Data Name="Image">C:\Program Files (x86)\Google\Chrome\Application\chrome.exe</Data>
        <Data Name="User">LAB\rsmith</Data>
        <Data Name="Protocol">tcp</Data>
        <Data Name="Initiated">true</Data>
        <Data Name="SourceIsIpv6">false</Data>
        <Data Name="SourceIp">192.168.1.250</Data>
        <Data Name="SourceHostname">rfsH.lab.local</Data>
        <Data Name="SourcePort">3328</Data>
        <Data Name="SourcePortName">-</Data>
        <Data Name="DestinationIsIpv6">false</Data>
        <Data Name="DestinationIp">127.0.0.1</Data>
        <Data Name="DestinationHostname">lab-sc-100</Data>
        <Data Name="DestinationPort">3389</Data>
        <Data Name="DestinationPortName">ms-wbt-server</Data>
    </EventData>
</Event>

And a tool to test the xpath query (you can search for one googling for freeformatter XPath Tester - Evaluator, for example), it looks like there's a mistake in the query after all.

Could you try this updated version?


<localfile>
    <location>Microsoft-Windows-Sysmon/Operational</location>
    <log_format>eventchannel</log_format>
    <query>Event[System[Provider[@Name='Microsoft-Windows-Sysmon'] and (EventID=3)]] and not (Event/EventData/Data[@Name='DestinationIp' and .='127.0.0.1'])</query>
</localfile>

Hope this works!

Viacheslav

unread,
Apr 18, 2024, 2:43:47 AMApr 18
to Wazuh | Mailing List
Hello, thanks for your help, you tried :) Same with this rule. As wazuh agent drop all sysmon events when I trying to use this kind of rule, I assume that agent just dont read all rule and stops catching sysmon after it find Event[System[Provider[@Name='Microsoft-Windows-Sysmon']
 Im ready to drop this task, will continue from sysmon side.
Still, Im ready to test any variation of this rule:)
Thanks for help. 
середу, 17 квітня 2024 р. о 18:59:52 UTC+3 J. Rome пише:
Reply all
Reply to author
Forward
0 new messages