Rule in Wazuh that uses a URL with the “?” element does not work


Kleine Kirby

Jun 25, 2024, 5:34:39 AM
to Wazuh | Mailing List
Wazuh Version 4.7.5

Hi
I wanted to set up rules in Wazuh and write a new custom rule to ignore some level 5 alerts, "Web server 400 error code." (rule 31101 in Wazuh). I want to write an additional rule that ignores a certain URL after the log has been decoded. I have already managed to do this for a regular URL that does not contain special characters: there I specified that if the parent rule is 31101 and the URL is a certain one, then the rule becomes level 0.

However, I can't do the same for a URL containing the query parameter "?" at the end of the line, that is, for the URL /example/…/…/example? or /example/…/…/?

If I put the line described above in the URL field of the ignore rule, then rule 31101 is still triggered when the log is processed, and not the rule I wrote.

At the same time, when the Wazuh log is decoded at the Phase 2 stage, it correctly determines the URL, but it feels like it does not perceive the "?" sign. I tried escaping the "?" character, but this does not help and rule 31101 still fires.

Relevant Logs:

**Phase 1: Completed pre-decoding.
full event: 'xxx.xxx.xxx.xxx - - [xx/Jun/xxxx:xx:xx:xx +xxxx] "GET /example/example? HTTP/1.1" 404 280 "-" "xxx/x.x (xxx; U; xxx NT x.x; en-US; rv:x.x.x.x) Xxx/xxxxxx xxxxx/x.x.x"'

**Phase 2: Completed decoding.
name: 'web-accesslog'
id: '404'
protocol: 'GET'
srcip: 'xxx.xxx.xxx.xxx'
url: '/example/example?'

**Phase 3: Completed filtering (rules).
id: '31101'
level: '5'
description: 'Web server 400 error code.'
groups: '['web', 'accesslog', 'attack']'
firedtimes: '1'
gdpr: '['IV_35.7.d']'
mail: 'False'
nist_800_53: '['SA.11', 'SI.4']'
pci_dss: '['6.5', '11.4']'
tsc: '['CC6.6', 'CC7.1', 'CC8.1', 'CC6.1', 'CC6.8', 'CC7.2', 'CC7.3']'
**Alert to be generated.

Example custom rule:

<rule id="100111" level="0">
  <if_sid>31101</if_sid>
  <url>/example/example?</url>
  <compiled_rule>is_simple_http_request</compiled_rule>
  <description>Ignored extensions on 400 error codes</description>
</rule>

victor....@wazuh.com

Jun 25, 2024, 10:43:05 AM
to Wazuh | Mailing List
Hello Kleine,

The issue appears to be with the compiled_rule option. By removing this option, your custom rule works as expected:

<rule id="100111" level="0">
  <if_sid>31101</if_sid>
  <url>/example/example?</url>
  <description>Ignored extensions on 400 error codes</description>
</rule>

Using the wazuh-logtest tool we can confirm that it's working as expected:

root@aio:/home/vagrant# /var/ossec/bin/wazuh-logtest
Starting wazuh-logtest v4.8.0
Type one log per line

192.168.1.1 - - [24/Jun/2024:14:23:45 +0000] "GET /example/example? HTTP/1.1" 404 280 "-" "Mozilla/5.0 (Windows; U; Windows NT 10.0; en-US; rv:91.0.1) Gecko/20100101 Firefox/91.0.1"

**Phase 1: Completed pre-decoding.
full event: '192.168.1.1 - - [24/Jun/2024:14:23:45 +0000] "GET /example/example? HTTP/1.1" 404 280 "-" "Mozilla/5.0 (Windows; U; Windows NT 10.0; en-US; rv:91.0.1) Gecko/20100101 Firefox/91.0.1"'

**Phase 2: Completed decoding.
name: 'web-accesslog'
id: '404'
protocol: 'GET'
srcip: '192.168.1.1'
url: '/example/example?'

**Phase 3: Completed filtering (rules).
id: '100111'
level: '0'
description: 'Ignored extensions on 400 error codes'
groups: '['local', 'syslog', 'sshd']'
firedtimes: '1'
mail: 'False'

Let me know if you need further assistance.

Kleine Kirby

Jun 26, 2024, 4:12:48 AM
to Wazuh | Mailing List
Victor, thank you very much. Unfortunately, I did not notice this error myself. Could you tell me what the <compiled_rule> field is for?

On Tuesday, June 25, 2024 at 17:43:05 UTC+3, victor....@wazuh.com wrote:

Kleine Kirby

Jun 26, 2024, 4:14:03 AM
to Wazuh | Mailing List
Victor, thank you so much!

Could you tell me what the <compiled_rule> field is for?

Thanks!

On Tuesday, June 25, 2024 at 17:43:05 UTC+3, victor....@wazuh.com wrote:

victor....@wazuh.com

Jun 26, 2024, 7:52:13 AM
to Wazuh | Mailing List

The compiled_rule option allows the extension of the default XML rules.

In this case, it uses the is_simple_http_request value, which checks if the URL is a simple GET/POST without a query.

We have an open issue to include this option, along with others, in the ruleset documentation: Missing options in rules. We apologize for any inconvenience.
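To make the two answers above concrete, here is a small added Python model of what wazuh-logtest does with these events. It is not Wazuh's code and not from the thread: the decoder regex, the literal substring behaviour of the <url> match (with ^ and $ as the only anchors), the reduced 31100/31101 parent rules and the is_simple_http_request reimplementation ("GET/POST without a query", as Victor describes it) are all assumptions that only approximate the real ruleset and matcher, and the access-log lines are constructed. It shows why the rule that carries compiled_rule falls back to 31101 for /example/example? while the same rule without it fires 100111, and why the bare pattern also matches /example/example?id=1 (substring) but not /example/example (the ? is a literal character that must be present).

```python
import re
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple

# Constructed Apache combined-format lines (not from the thread): a 404 with a
# bare '?', a 404 without it, a 404 with a real query string, a POST to another
# path, and a 200 that rule 31101 must never touch.
SAMPLE_LOGS = [
    '192.168.1.1 - - [24/Jun/2024:14:23:45 +0000] "GET /example/example? HTTP/1.1" 404 280 "-" "curl/8.0"',
    '192.168.1.1 - - [24/Jun/2024:14:23:46 +0000] "GET /example/example HTTP/1.1" 404 280 "-" "curl/8.0"',
    '192.168.1.1 - - [24/Jun/2024:14:23:47 +0000] "GET /example/example?id=1 HTTP/1.1" 404 280 "-" "curl/8.0"',
    '192.168.1.1 - - [24/Jun/2024:14:23:48 +0000] "POST /other/path HTTP/1.1" 404 280 "-" "curl/8.0"',
    '192.168.1.1 - - [24/Jun/2024:14:23:49 +0000] "GET /example/example? HTTP/1.1" 200 512 "-" "curl/8.0"',
]

# Phase 2 stand-in for the web-accesslog decoder: extract the fields the
# logtest output in the thread shows (srcip, protocol, url, id).
ACCESSLOG = re.compile(
    r'^(?P<srcip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<protocol>[A-Z]+) (?P<url>\S+) [^"]*" (?P<id>\d{3}) '
)

def decode(line: str) -> Optional[dict]:
    m = ACCESSLOG.match(line)
    return m.groupdict() if m else None

def url_matches(pattern: str, url: str) -> bool:
    """Assumed model of the <url> field's default match: a literal substring
    search in which '?' has no special meaning, with '^' and '$' as the only
    anchors. A simplification for illustration, not Wazuh's matcher."""
    if pattern.startswith('^'):
        body = pattern[1:]
        return url == body[:-1] if body.endswith('$') else url.startswith(body)
    if pattern.endswith('$'):
        return url.endswith(pattern[:-1])
    return pattern in url

def is_simple_http_request(ev: dict) -> bool:
    """Reimplementation of the compiled rule as described in the thread:
    true only for a GET/POST whose URL carries no query part."""
    return ev['protocol'] in ('GET', 'POST') and '?' not in ev['url']

@dataclass
class Rule:
    id: int
    level: int
    description: str
    if_sid: Optional[int] = None                  # parent rule; None for a root rule
    status_prefix: Optional[str] = None           # models <id>^4</id> on the decoded 'id'
    url: Optional[str] = None                     # models <url>...</url>
    compiled_rule: Optional[Callable[[dict], bool]] = None

    def matches(self, ev: dict) -> bool:
        if self.status_prefix is not None and not ev['id'].startswith(self.status_prefix):
            return False
        if self.url is not None and not url_matches(self.url, ev['url']):
            return False
        if self.compiled_rule is not None and not self.compiled_rule(ev):
            return False
        return True

# Reduced stand-in for the stock web rules, plus the custom child rule in the
# two forms discussed in the thread (assumed ids/levels for 31100 and 31101).
BASE = [
    Rule(31100, 0, 'Access log messages grouped.'),
    Rule(31101, 5, 'Web server 400 error code.', if_sid=31100, status_prefix='4'),
]
RULES_WITH_COMPILED = BASE + [Rule(100111, 0, 'Ignored extensions on 400 error codes',
                                   if_sid=31101, url='/example/example?',
                                   compiled_rule=is_simple_http_request)]
RULES_FIXED = BASE + [Rule(100111, 0, 'Ignored extensions on 400 error codes',
                           if_sid=31101, url='/example/example?')]

def evaluate(ev: dict, rules: List[Rule]) -> Optional[Rule]:
    """Phase 3 stand-in: try root rules, then the children of whichever rule
    fired; the deepest match is the rule that produces the alert."""
    matched = None
    candidates = [r for r in rules if r.if_sid is None]
    while candidates:
        hit = next((r for r in candidates if r.matches(ev)), None)
        if hit is None:
            break
        matched = hit
        candidates = [r for r in rules if r.if_sid == hit.id]
    return matched

def classify(rules: List[Rule], logs: List[str] = SAMPLE_LOGS) -> List[Tuple[str, int, int]]:
    """Return (url, rule id, level) per decodable log line for comparison."""
    out = []
    for line in logs:
        ev = decode(line)
        if ev is None:
            continue
        r = evaluate(ev, rules)
        out.append((ev['url'], r.id, r.level))
    return out

if __name__ == '__main__':
    for name, rules in (('with compiled_rule', RULES_WITH_COMPILED), ('without compiled_rule', RULES_FIXED)):
        print(name)
        for url, rid, level in classify(rules):
            print(f'  {url:26} -> rule {rid} level {level}')
```

Run it and compare the two tables: with compiled_rule present, every 4xx line stays on 31101 at level 5 because is_simple_http_request rejects any URL containing ?; without it, the bare /example/example? and the /example/example?id=1 line drop to 100111 at level 0, while /example/example (no ?) and /other/path still alert. If only the exact URL should be silenced, anchor the pattern (^/example/example?$) rather than relying on the substring match.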
