Custom rules for filtering not working properly


Andrea Franzante

Sep 9, 2022, 4:08:53 AM
to Wazuh mailing list
Hi all!
I had some issues regarding the creation of custom rules.

I've configured Wazuh to receive Sysmon logs, but the default filtering rules do not work properly. So I have overwritten them with an exact copy in custom rules, and the problem is solved.
After that, I want to filter some specific alerts that are triggered every hour. I have created a new rule in this way:

  <rule id="119000" level="0">
    <if_sid>61615</if_sid>
    <field name="win.eventdata.image">^C:\\Windows\\servicing\\TrustedInstaller.exe$</field>
    <description>Sysmon - Event 13: Filtered</description>
    <group>sysmon_event_13,</group>
  </rule>

But it does not work; the events always trigger.
Thanks for your help.

Juan Cabrera

Sep 9, 2022, 4:44:29 AM
to Wazuh mailing list

Hello,

There should be no problem with the default rules. You say you have copied exactly the same rules into local_rules.xml and they work for you?

I need some information to be able to help you. What version of Wazuh are you using? Have you installed by default or in a specific path? Do you have any error message when starting Wazuh in the file /var/ossec/log/ossec.log?

On the other hand, if you could paste me the log you are trying to match with the 119000 rule I could see what is going on.

Remember you have a guide on creating custom decoders and rules here:
https://documentation.wazuh.com/current/user-manual/ruleset/custom.html

Regards,
Juan Cabrera

Andrea Franzante

Sep 9, 2022, 5:14:22 AM
to Wazuh mailing list
I really do not know why Sysmon does not work with the default rules, but using these makes it work properly.

I've created a new custom rules file via the GUI. I attach the files.

/var/ossec/bin/wazuh-control -j info
[{"WAZUH_VERSION":"v4.3.7"},{"WAZUH_REVISION":"40320"},{"WAZUH_TYPE":"server"}]

Using: 
cat /var/ossec/logs/ossec.log | grep -E "WARN|ERR"
No errors are reported.

I have also attached the log that I want to filter.
Thank you!



filtering_rules.xml
sysmon_rewrite.xml
log_trusted.txt

Juan Cabrera

Sep 12, 2022, 8:31:29 AM
to Wazuh mailing list

Hello,

I just tested your log in Wazuh 4.3.7 and it works correctly.

We can see the version:

# /var/ossec/bin/wazuh-control info
WAZUH_VERSION="v4.3.7"
WAZUH_REVISION="40320"
WAZUH_TYPE="server"

And the output using wazuh-logtest:

{"win":{"system":{"providerName":"Microsoft-Windows-Sysmon","providerGuid":"{5770385F-C22A-43E0-BF4C-06F5698FFBD9}","eventID":"13","version":"2","level":"4","task":"13","opcode":"0","keywords":"0x8000000000000000","systemTime":"2022-09-09T09:01:23.371606400Z","eventRecordID":"24946","processID":"13432","threadID":"13544","channel":"Microsoft-Windows-Sysmon/Operational","computer":"REDACTED","severityValue":"INFORMATION","message":"\"Registry value set:\r\nRuleName: Tamper-Winlogon\r\nEventType: SetValue\r\nUtcTime: 2022-09-09 09:01:23.371\r\nProcessGuid: {45422E7E-00E3-631B-63F8-060000002900}\r\nProcessId: 8164\r\nImage: C:\\Windows\\servicing\\TrustedInstaller.exe\r\nTargetObject: HKLM\\System\\CurrentControlSet\\Control\\Winlogon\\Notifications\\Components\\TrustedInstaller\\Events\r\nDetails: CreateSession\r\nUser: NT AUTHORITY\\SYSTEM\""},"eventdata":{"ruleName":"Tamper-Winlogon","eventType":"SetValue","utcTime":"2022-09-09 09:01:23.371","processGuid":"{45422E7E-00E3-631B-63F8-060000002900}","processId":"8164","image":"C:\\\\Windows\\\\servicing\\\\TrustedInstaller.exe","targetObject":"HKLM\\\\System\\\\CurrentControlSet\\\\Control\\\\Winlogon\\\\Notifications\\\\Components\\\\TrustedInstaller\\\\Events","details":"CreateSession","user":"NT AUTHORITY\\\\SYSTEM"}}}

**Phase 1: Completed pre-decoding.

**Phase 2: Completed decoding.
    name: 'json'
    win.eventdata.details: 'CreateSession'
    win.eventdata.eventType: 'SetValue'
    win.eventdata.image: 'C:\\Windows\\servicing\\TrustedInstaller.exe'
    win.eventdata.processGuid: '{45422E7E-00E3-631B-63F8-060000002900}'
    win.eventdata.processId: '8164'
    win.eventdata.ruleName: 'Tamper-Winlogon'
    win.eventdata.targetObject: 'HKLM\\System\\CurrentControlSet\\Control\\Winlogon\\Notifications\\Components\\TrustedInstaller\\Events'
    win.eventdata.user: 'NT AUTHORITY\\SYSTEM'
    win.eventdata.utcTime: '2022-09-09 09:01:23.371'
    win.system.channel: 'Microsoft-Windows-Sysmon/Operational'
    win.system.computer: 'REDACTED'
    win.system.eventID: '13'
    win.system.eventRecordID: '24946'
    win.system.keywords: '0x8000000000000000'
    win.system.level: '4'
    win.system.message: '"Registry value set:
RuleName: Tamper-Winlogon
EventType: SetValue
UtcTime: 2022-09-09 09:01:23.371
ProcessGuid: {45422E7E-00E3-631B-63F8-060000002900}
ProcessId: 8164
Image: C:\Windows\servicing\TrustedInstaller.exe
TargetObject: HKLM\System\CurrentControlSet\Control\Winlogon\Notifications\Components\TrustedInstaller\Events
Details: CreateSession
User: NT AUTHORITY\SYSTEM"'
    win.system.opcode: '0'
    win.system.processID: '13432'
    win.system.providerGuid: '{5770385F-C22A-43E0-BF4C-06F5698FFBD9}'
    win.system.providerName: 'Microsoft-Windows-Sysmon'
    win.system.severityValue: 'INFORMATION'
    win.system.systemTime: '2022-09-09T09:01:23.371606400Z'
    win.system.task: '13'
    win.system.threadID: '13544'
    win.system.version: '2'

**Phase 3: Completed filtering (rules).
    id: '61615'
    level: '0'
    description: 'Sysmon - Event 13: RegistryEvent (Value Set) by '
    groups: '['windows', 'sysmon', 'sysmon_event_13']'
    firedtimes: '1'
    mail: 'False'

As you can see, it works perfectly. Is it possible that you do not have the ruleset in your ossec.conf file? Can you paste me the <ruleset> block?

Regards,
Juan Cabrera
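
As an added illustration (not code from this thread or from Wazuh), the snippet below JSON-decodes the Sysmon Event ID 13 record quoted above, flattens it into the dotted field names that wazuh-logtest prints, and shows what win.eventdata.image literally contains after decoding. That value is what any <field> pattern has to match, so inspecting it is the first check to make before wondering why a rule does not fire. The record is trimmed to the fields the rule touches, DOUBLED_PATTERN is a hypothetical variant of the rule's pattern, and matching is done with Python's re module only to make the escaping visible; Python's re is not Wazuh's OS_Regex or PCRE2 engine, so the rule's behaviour inside Wazuh is not emulated here.

```python
import json
import re

# Constructed sample input: the Sysmon Event ID 13 record quoted in the thread,
# trimmed to the fields the custom rule touches. Backslashes are JSON-escaped
# exactly as in the quoted record (four in the text, two after decoding).
RAW_EVENT = r'''{"win":{"system":{"providerName":"Microsoft-Windows-Sysmon","eventID":"13","channel":"Microsoft-Windows-Sysmon/Operational"},"eventdata":{"ruleName":"Tamper-Winlogon","eventType":"SetValue","image":"C:\\\\Windows\\\\servicing\\\\TrustedInstaller.exe","targetObject":"HKLM\\\\System\\\\CurrentControlSet\\\\Control\\\\Winlogon\\\\Notifications\\\\Components\\\\TrustedInstaller\\\\Events","user":"NT AUTHORITY\\\\SYSTEM"}}}'''

# The <field> pattern from rule 119000 in the thread, copied verbatim.
RULE_PATTERN = r"^C:\\Windows\\servicing\\TrustedInstaller.exe$"

# Hypothetical alternative (not from the thread): every backslash doubled once
# more, so that under Python's re each "\\\\" consumes the two literal
# backslashes that the JSON decoder produced for one path separator.
DOUBLED_PATTERN = r"^C:\\\\Windows\\\\servicing\\\\TrustedInstaller\.exe$"


def flatten(obj, prefix=""):
    """Flatten nested JSON into the dotted names wazuh-logtest prints
    (win.eventdata.image, win.system.eventID, ...). Assumption: the record
    contains only objects and scalars, no arrays."""
    fields = {}
    for key, value in obj.items():
        name = f"{prefix}.{key}" if prefix else key
        if isinstance(value, dict):
            fields.update(flatten(value, name))
        else:
            fields[name] = str(value)
    return fields


def decode_event(raw):
    """JSON-decode one event line and return its flattened fields."""
    return flatten(json.loads(raw))


def count_backslashes(value):
    """Number of literal backslash characters in a decoded field value."""
    return value.count("\\")


def field_matches(fields, name, pattern):
    """Apply a Python regex to one decoded field (search semantics; the
    rule's own ^...$ anchors make it a full match). This is Python's re,
    not Wazuh's OS_Regex/PCRE2 engine, and a missing field never matches."""
    value = fields.get(name)
    return value is not None and re.search(pattern, value) is not None


def main():
    fields = decode_event(RAW_EVENT)
    image = fields["win.eventdata.image"]
    print("Decoded win.eventdata.image:", image)
    print("Literal backslashes in value:", count_backslashes(image))
    for label, pattern in (("rule pattern", RULE_PATTERN),
                           ("doubled pattern", DOUBLED_PATTERN)):
        hit = field_matches(fields, "win.eventdata.image", pattern)
        print(f"{label:16} {pattern!r} -> {hit}")


if __name__ == "__main__":
    main()
```

The decoded value carries two backslash characters per path separator, which is exactly what the logtest output above shows as 'C:\\Windows\\servicing\\TrustedInstaller.exe'. Whatever engine a rule uses, the pattern must be written for that literal value; printing the decoded field, as done here, removes the guesswork.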

Andrea Franzante

Sep 13, 2022, 3:39:25 AM
to Wazuh mailing list
Thank you! I do not know why those rules do not work.
Here is my ruleset:
<ruleset>
    <!-- Default ruleset -->
    <decoder_dir>ruleset/decoders</decoder_dir>
    <rule_dir>ruleset/rules</rule_dir>
    <rule_exclude>0215-policy_rules.xml</rule_exclude>
    <list>etc/lists/audit-keys</list>
    <list>etc/lists/amazon/aws-eventnames</list>
    <list>etc/lists/security-eventchannel</list>

    <!-- User-defined ruleset -->
    <decoder_dir>etc/decoders</decoder_dir>
    <rule_dir>etc/rules</rule_dir>
  </ruleset>