Wazuh custom rule


Fremie Mico

Jul 6, 2023, 1:41:20 AM
to Wazuh mailing list
Hi Wazuh Community, we recently reworked our Wazuh and we are rechecking the rules. We would like to add a custom rule for a set of hostnames/IPs only; how do we go about that?

Here's the custom rule:
<rule id="111001" level="2">
  <if_matched_sid>31101</if_matched_sid>
  <description>Negate Rule 31101 - Web server 400 errors</description>
</rule>

<rule id="111002" level="2">
  <if_matched_sid>31151</if_matched_sid>
  <description>Negate Rule 31151 - Multiple web server 400 errors</description>
</rule>


We are getting bombarded with web server 400 codes in the following hostnames <minio3-1,minio3-2,minio3-3>

Logic:
If we get the web server 400 codes > the new rule checks if it's going to trigger 31101 / 31151 >
Two conditions we would like to implement before the new rule triggers, so as not to let it spam our Slack channel:
add <if_hostname>minio3-1,minio3-2,minio3-3</if_hostname>   << is this it?
and maybe add a match condition on "url": "/thanos/xxxxxxxxxxxxxxxxxxxx/deletion-mark.json", this one? Not sure how we can make it work.

This is the logtest
[screenshot of the logtest output]

Fremie Mico

Jul 6, 2023, 1:42:49 AM
to Wazuh mailing list
**Phase 1: Completed pre-decoding.
full event: Jul 5 08:23:34 minio3-3 minio3-3 nginx: 11.104.123.255 - - [05/Jul/2023:08:23:34 +0000] "GET /thanos/xxxxxxxxxxxxxxxxxxxx/deletion-mark.json HTTP/1.1" 404 381 "-" "MinIO (linux; amd64) minio-go/v7.0.45 thanos-compact/0.30.2 (go1.19.5)" "-"
timestamp: Jul 5 08:23:34
hostname: minio2-2
program_name: -

**Phase 2: Completed decoding.
name: web-accesslog
data: { "protocol": "GET", "srcip": "minio3-3", "id": "404", "url": "/thanos/xxxxxxxxxxxxxxxxxxxx/deletion-mark.json" }

**Phase 3: Completed filtering (rules).
id: 31101
level: 5
description: Web server 400 error code.
groups: ["web","accesslog","attack"]
firedtimes: 5
gdpr: ["IV_35.7.d"]
gpg13: "-"
hipaa: "-"
mail: "-"
mitre.id: "-"
mitre.technique: "-"

Awwal Ishiaku

Jul 6, 2023, 2:40:45 AM
to Wazuh mailing list
Hi Fremie
Can you share some sample logs of these events you want to ignore?

Fremie Mico

Jul 6, 2023, 2:56:06 AM
to Wazuh mailing list

Hi Awwal,
Sure, here are some of the logs.

Multiple web server 400 error codes from same source ip.
Jul  5 08:23:34 minio2-3 minio2-3 nginx: 11.104.123.255 - - [05/Jul/2023:08:23:34 +0000] "GET /thanos/01GWM4VKMQ1AXWZA23SSBSX123/deletion-mark.json HTTP/1.1" 404 381 "-" "MinIO (linux; amd64) minio-go/v7.0.45 thanos-compact/0.30.2 (go1.19.5)" "-"

Multiple web server 400 error codes from same source ip.
Jul  5 08:23:34 minio2-3 minio2-3 nginx: 11.104.123.255 - - [05/Jul/2023:08:23:34 +0000] "GET /thanos/02H34Q1TKV65HENW8N1MGBX1AB/deletion-mark.json HTTP/1.1" 404 381 "-" "MinIO (linux; amd64) minio-go/v7.0.45 thanos-compact/0.30.2 (go1.19.5)" "-"


Multiple web server 400 error codes from same source ip.
Jul  5 08:25:52 minio3-3 minio3-3 nginx: 172.16.255.11 - - [05/Jul/2023:08:25:52 +0000] "GET /thanos/21H3DYA79T5KTXX7DD3KNFT5G6/deletion-mark.json HTTP/1.1" 404 381 "-" "MinIO (linux; amd64) minio-go/v7.0.45 thanos-compact/0.30.2 (go1.19.5)" "-"

Multiple web server 400 error codes from same source ip.
Jul  5 08:25:58 minio3-3 minio3-3 nginx: 172.16.255.11 - - [05/Jul/2023:08:25:58 +0000] "GET /thanos/01GX620534M27J6C2RNV321ZKD/deletion-mark.json HTTP/1.1" 404 381 "-" "MinIO (linux; amd64) minio-go/v7.0.45 thanos-compact/0.30.2 (go1.19.5)" "-"


Multiple web server 400 error codes from same source ip.
Jul  5 08:42:17 minio1-3 minio1-3 nginx: 172.16.255.11 - - [05/Jul/2023:08:42:17 +0000] "GET /thanos/01H165YA9FVDVPFYDPZM8YMF9S/deletion-mark.json HTTP/1.1" 404 381 "-" "MinIO (linux; amd64) minio-go/v7.0.45 thanos-compact/0.30.2 (go1.19.5)" "-"


Multiple web server 400 error codes from same source ip.
Jul  5 08:42:17 minio1-3 minio1-3 nginx: 172.16.255.11 - - [05/Jul/2023:08:42:17 +0000] "GET /thanos/01H12M63Z0K65PXD9A3DMCPPX2/deletion-mark.json HTTP/1.1" 404 381 "-" "MinIO (linux; amd64) minio-go/v7.0.45 thanos-store/0.30.2 (go1.19.5)" "-"

Awwal Ishiaku

Jul 6, 2023, 3:21:24 AM
to Wazuh mailing list
Thanks. The following rule suppresses alerts 31101 and 31151 from the hostnames you have specified:
  <rule id="111002" level="0">
    <if_sid>31101, 31151</if_sid>
    <hostname type="pcre2">^minio1-3$|^minio2-3$|^minio3-1$|^minio3-2$|^minio3-3$</hostname>
    <description>Ignore rules 31101 and 31151 - Web server 400 errors</description>
  </rule>

See the sample log test below
**Phase 1: Completed pre-decoding.
full event: 'Jul  5 08:42:17 minio1-3 minio1-3 nginx: 172.16.255.11 - - [05/Jul/2023:08:42:17 +0000] "GET /thanos/01H12M63Z0K65PXD9A3DMCPPX2/deletion-mark.json HTTP/1.1" 404 381 "-" "MinIO (linux; amd64) minio-go/v7.0.45 thanos-store/0.30.2 (go1.19.5)" "-"'
timestamp: 'Jul  5 08:42:17'
hostname: 'minio1-3'

**Phase 2: Completed decoding.
name: 'web-accesslog'
id: '404'
protocol: 'GET'
srcip: 'minio1-3'
url: '/thanos/01H12M63Z0K65PXD9A3DMCPPX2/deletion-mark.json'


**Phase 3: Completed filtering (rules).
id: '111002'
level: '0'
description: 'Ignore rules 31101 and 31151 - Web server 400 errors'
groups: '['test']'
firedtimes: '7'
mail: 'False'


Regards.

Fremie Mico

Jul 6, 2023, 3:56:54 AM
to Wazuh mailing list
Thanks for the help, Awwal, it sure did work.

We had tried using <hostname> but were probably lacking this: <hostname type="pcre2"> << the `type`

While I still have you here, for the second condition, just in case we want to take it another step: how does one incorporate the url that was shown in Phase 2?
Can we do it like this?
 <url>deletion-mark.json$</url>

I did try it and it somehow worked; I just wanted to ask for confirmation whether that is the right element/syntax.

Awwal Ishiaku

Jul 6, 2023, 8:21:18 AM
to Wazuh mailing list
Hi, you can use the <field> tag to match the URL.
For example: <field name="url">your_regex</field>
Let me know if you need further clarification.
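Editor's added example (not code from the thread, from Wazuh, or from either poster): a combined version of the two conditions discussed above, written in local_rules.xml syntax and then checked against sample access-log lines with a small Python stand-in for the rule matching. The rule keeps Awwal's id 111002, level 0 and hostname list, and adds a `<field name="url">` condition. The url regex is an assumption (it treats the Thanos block name as a 26-character [0-9A-Z] ULID, which is what every sample line in the thread shows); the log lines other than the first are constructed for the test; only type="pcre2" conditions are simulated because Wazuh's default OS_Regex dialect is not Python's re; and stock rule 31101 is reduced to "any 4xx status alerts at level 5". The point the check makes: the suppression only swallows the Thanos deletion-mark probes on the MinIO nodes, while a 404 for a secrets file on the same node, or the same path on an unlisted host, still alerts.

```python
"""Check a Wazuh suppression rule (hostname + url) against nginx log lines.

Added example, not Wazuh's engine: the real matching is done by wazuh-analysisd;
run wazuh-logtest for an authoritative answer. This only mimics pcre2 matching
of <hostname> and <field> conditions on a decoded event.
"""
import re
import xml.etree.ElementTree as ET

# Hypothetical combined rule for /var/ossec/etc/rules/local_rules.xml.
# Assumption: Thanos block ids are 26-char ULIDs, hence [0-9A-Z]{26}.
LOCAL_RULES = r"""
<group name="local,web,accesslog,">
  <rule id="111002" level="0">
    <if_sid>31101, 31151</if_sid>
    <hostname type="pcre2">^(minio1-3|minio2-3|minio3-1|minio3-2|minio3-3)$</hostname>
    <field name="url" type="pcre2">^/thanos/[0-9A-Z]{26}/deletion-mark\.json$</field>
    <description>Ignore Thanos deletion-mark 404s from MinIO nodes</description>
  </rule>
</group>
"""

# syslog prefix (timestamp, hostname, repeated hostname, "nginx:") + combined log format
LOG_RE = re.compile(
    r"^\w{3}\s+\d+ \d\d:\d\d:\d\d (?P<hostname>\S+) \S+ nginx: "
    r"(?P<srcip>\S+) \S+ \S+ \[[^\]]+\] "
    r'"(?P<protocol>\S+) (?P<url>\S+) [^"]*" (?P<status>\d{3}) '
)


def decode(line):
    """Pre-decode + decode one line into fields, or None if it is not nginx.
    Unlike the thread's logtest output (srcip decoded as the hostname token),
    the client IP is taken from the nginx part of the line here."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def load_rules(xml_text):
    """Parse child rules; only pcre2 <hostname>/<field> conditions are supported."""
    rules = []
    for r in ET.fromstring(xml_text).iter("rule"):
        conds = {}
        for el in list(r):
            if el.tag == "hostname":
                name = "hostname"
            elif el.tag == "field":
                name = el.get("name")
            else:
                continue  # if_sid, description, ...
            if el.get("type") != "pcre2":
                raise ValueError(f"rule {r.get('id')}: only type=\"pcre2\" is simulated")
            conds[name] = re.compile(el.text.strip())
        if_sid = {int(s) for s in r.findtext("if_sid", "").split(",") if s.strip()}
        rules.append({"id": int(r.get("id")), "level": int(r.get("level")),
                      "if_sid": if_sid, "conds": conds})
    return rules


def evaluate(line, rules):
    """Return decoded fields plus the winning rule id and level (None if undecodable)."""
    ev = decode(line)
    if ev is None:
        return None
    # Stand-in for stock rule 31101: any 4xx status is a level-5 alert.
    if not ev["status"].startswith("4"):
        return {**ev, "rule": None, "level": 0}
    hit = {"rule": 31101, "level": 5}
    for r in rules:  # simplified: first child whose conditions all match overrides the parent
        if 31101 in r["if_sid"] and all(rx.search(ev.get(k, "")) for k, rx in r["conds"].items()):
            hit = {"rule": r["id"], "level": r["level"]}
            break
    return {**ev, **hit}


# First line is from the thread; the rest are constructed for this example.
SAMPLE_LINES = [
    'Jul  5 08:42:17 minio1-3 minio1-3 nginx: 172.16.255.11 - - [05/Jul/2023:08:42:17 +0000] '
    '"GET /thanos/01H12M63Z0K65PXD9A3DMCPPX2/deletion-mark.json HTTP/1.1" 404 381 "-" '
    '"MinIO (linux; amd64) minio-go/v7.0.45 thanos-store/0.30.2 (go1.19.5)" "-"',
    'Jul  5 08:43:01 minio1-3 minio1-3 nginx: 203.0.113.7 - - [05/Jul/2023:08:43:01 +0000] '
    '"GET /.env HTTP/1.1" 404 153 "-" "curl/8.0.1" "-"',
    'Jul  5 08:43:05 web-1 web-1 nginx: 203.0.113.7 - - [05/Jul/2023:08:43:05 +0000] '
    '"GET /thanos/01H12M63Z0K65PXD9A3DMCPPX2/deletion-mark.json HTTP/1.1" 404 381 "-" "curl/8.0.1" "-"',
    'Jul  5 08:43:09 minio3-1 minio3-1 nginx: 172.16.255.11 - - [05/Jul/2023:08:43:09 +0000] '
    '"GET /minio/health/live HTTP/1.1" 200 0 "-" "curl/8.0.1" "-"',
]


def classify(lines=SAMPLE_LINES, xml_text=LOCAL_RULES):
    """(hostname, url, rule id, level) for each line."""
    rules = load_rules(xml_text)
    return [(e["hostname"], e["url"], e["rule"], e["level"])
            for e in (evaluate(l, rules) for l in lines)]


if __name__ == "__main__":
    for host, url, rule, level in classify():
        verdict = "suppressed" if rule == 111002 else ("alert" if level else "no alert")
        print(f"{host:9} {url:55} rule={rule} level={level} {verdict}")
```

Two caveats worth keeping in mind when you deploy the real rule: a level-0 child on 31101/31151 hides every 4xx from the listed hosts, so the `<field name="url">` condition (or Fremie's `<url>` option) is what keeps an actual scan against those nodes visible; and Phase 2 of both logtest outputs above shows srcip decoded as the hostname rather than the client address from the nginx line, so narrowing on srcip, or trusting 31151's per-source counting, will not behave as expected until that decoding is sorted out. After editing local_rules.xml, restart the manager and confirm with /var/ossec/bin/wazuh-logtest that the deletion-mark line ends at rule 111002 level 0 and a different 404 from the same host still ends at 31101.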
