CDB lists not working


Ali Holmes

Dec 11, 2024, 6:44:16 AM
to Wazuh | Mailing List
Hello, I created a CDB list called output in "/var/ossec/etc/lists" and formatted it as in the screenshot below. Then I wanted to capture the IP addresses in "win.eventdata.ipAddress" and trigger a rule, but this rule does not work in any way. For example, I added my own local IP address to the list of malicious IPs and RDPed to another server with the agent installed. However, no rule is triggered in any way. Can you please help me?

[Attachments: ossec_conf.png, output.png, rule.png]

Md. Nazmur Sakib

Dec 11, 2024, 7:51:26 AM
to Wazuh | Mailing List

Hi Ali,


Please check that Wazuh has proper permission to access this file:
ls -l /var/ossec/etc/lists/

It should be like this:
chmod 660 /var/ossec/etc/lists/output

chown wazuh:wazuh /var/ossec/etc/lists/output

Try restarting the Wazuh manager again.

systemctl restart wazuh-manager

For more details refer to this.

Ref:
https://documentation.wazuh.com/current/user-manual/ruleset/cdb-list.html

If you still face issues, share the output of this command:
cat /var/ossec/logs/ossec.log | grep -iE "error|warn"

Let me know the update on the issue.

Ali Holmes

Dec 11, 2024, 8:26:17 AM
to Wazuh | Mailing List
Unfortunately, I still can't trigger the alarm. I start an RDP session to my target server, my RDP alarm goes down, the blacklisted IP address is also shown in the "data.win.eventdata.ipAddress" field, but the alarm is not triggered. I am also sharing the log file you requested. I am only getting the output in the screenshot. The last time the error occurred was at 13:21.

On Wednesday, December 11, 2024 at 3:51:26 PM UTC+3, Md. Nazmur Sakib wrote:

[Attachments: permission.png, ossec_log.png]

Md. Nazmur Sakib

Dec 12, 2024, 12:08:26 AM
to Wazuh | Mailing List

wazuh-analysisd: WARNING: Could not read XML string: '" ... "'


The error is related to wazuh-analysisd when decoding a long event from the Eventchannel decoder of the Windows agent:

https://github.com/wazuh/wazuh/issues/20099



I cannot see any error related to reading the CDB list. It seems to me the issue is not with the CDB list.

Can you test this rule with a single IP instead of the CDB list to make sure whether the rule is working or not?

I believe the rule is not working. You need to add the parent rule ID or the rule group as if_sid or if_group to make this rule work.



<!-- Test 1: single-IP match, no CDB list involved -->
<group name="windows, ">
<rule id="180199" level="10">
<if_group>windows</if_group>
<field name="win.eventdata.ipAddress">0.0.0.1</field>
<description>IP in black list!</description>
</rule>
</group>


<!-- Test 2: CDB list lookup. The list must also be declared under
     <ruleset><list>etc/lists/output</list></ruleset> in ossec.conf.
     The attribute name is lowercase "lookup", and the single-IP
     <field> condition is left out here: keeping it would require the
     address to be 0.0.0.1 AND on the list, so the list alone would
     never fire the rule. -->
<group name="windows, ">
<rule id="180199" level="10">
<if_group>windows</if_group>
<list field="win.eventdata.ipAddress" lookup="address_match_key">etc/lists/output</list>
<description>IP in black list!</description>
</rule>
</group>



Looking forward to your update on the issue.
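As an added example (not from this thread or from Wazuh's own code), here is a small Python checker for the situation above: it parses a list file in Wazuh's `key:value` CDB format, reports lines a list compile would choke on, and simulates an `address_match_key` lookup for a `win.eventdata.ipAddress` value, so you can confirm the list contents match before blaming the rule. The list entries are constructed sample data; CIDR keys are accepted here as a convenience, and whether your Wazuh version's `address_match_key` honours CIDR keys is an assumption to verify against its documentation.

```python
import ipaddress
from typing import Dict, List, Optional, Tuple

# Constructed sample list in Wazuh's "key:value" format (the thread's
# real list is only a screenshot). A key may have an empty value ("key:").
SAMPLE_LIST = """\
203.0.113.45:rdp-bruteforce
198.51.100.0/24:known-bad-range
10.0.0.7:
bad line without colon
"""


def parse_cdb_list(text: str) -> Tuple[Dict[str, str], List[str]]:
    """Parse key:value lines. Returns (entries, problems).

    Keys must be an IP address or CIDR, since address_match_key compares
    the field value against the key, not the value."""
    entries: Dict[str, str] = {}
    problems: List[str] = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        if ":" not in line:
            problems.append(f"line {lineno}: no ':' separator -> {line!r}")
            continue
        key, value = line.split(":", 1)
        key = key.strip()
        try:
            ipaddress.ip_network(key, strict=False)  # plain IP becomes /32
        except ValueError:
            problems.append(f"line {lineno}: key {key!r} is not an IP or CIDR")
            continue
        entries[key] = value.strip()
    return entries, problems


def address_match_key(entries: Dict[str, str], field_value: str) -> Optional[str]:
    """Simulate lookup="address_match_key": return the matching key or None."""
    try:
        addr = ipaddress.ip_address(field_value.strip())
    except ValueError:
        return None  # decoder gave something that is not an address
    for key in entries:
        if addr in ipaddress.ip_network(key, strict=False):
            return key
    return None
```

Run it against the exact value you see in `data.win.eventdata.ipAddress` in the alert; a `None` result with no reported problems means the list simply does not contain that address.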

Ali Holmes

Dec 13, 2024, 12:53:56 AM
to Wazuh | Mailing List
Hello again,

The rule was successfully triggered when I typed a single IP! But I can't understand why CDB lists still don't work.

On Thursday, December 12, 2024 at 8:08:26 AM UTC+3, Md. Nazmur Sakib wrote:

Md. Nazmur Sakib

Dec 19, 2024, 6:50:18 AM
to Wazuh | Mailing List

Can you share the full ossec logs from your endpoint?

cat /var/ossec/logs/ossec.log | grep -iE "error|warn"

cat /var/ossec/logs/ossec.log | grep -iE "list"

Save the log in a file and share the file.
Also, share the CDB list you are using.



Looking forward to your update on the issue.
