Suppress Logs from an Individual Agent


swapnils

Nov 30, 2022, 9:54:03 PM
to Wazuh mailing list

Hello,

Greetings!
I have come across a situation where one of my Wazuh Agents is generating infinite logs in /var/log/messages & /var/log/audit.log & sending them to the Manager.
When checked, it has Docker running, due to which there are countless logs such as:

1> Auditd: Device enables promiscuous mode.
2> Interface entered in promiscuous(sniffing) mode.

After googling, I came to know that this is normal behavior when Docker is installed.

My query here is: do I get an option anywhere under the agent configuration to limit or completely ignore these alerts? I learnt that it is possible by setting up a custom ruleset on the Manager.

Request you to please guide me here.

Thanks,
swapnils

Openime Oniagbi

Dec 1, 2022, 4:35:33 AM
to Wazuh mailing list
Hello,

You can disable or change the default Wazuh rules.

To suppress an alert, you can add a custom rule in your /var/ossec/etc/rules/local_rules.xml file to set the desired alert level to 0 (https://documentation.wazuh.com/current/user-manual/ruleset/ruleset-xml-syntax/rules.html).

For example:

<rule id="100003" level="0">
  <if_sid>80710</if_sid>
  <description>Rule suppression</description>
</rule>

<rule id="100004" level="0">
  <if_sid>5104</if_sid>
  <description>Rule suppression</description>
</rule>


This will suppress alerts with 80710 and 5104, the rule IDs for the alerts you mentioned.

Also, you can overwrite a rule by using the overwrite option to suppress it:

<rule id="60602" level="0" overwrite="yes">
  <description>Rule suppression</description>
</rule>

I hope this helps.

Regards.

swapnils

Dec 2, 2022, 3:26:10 AM
to Wazuh mailing list
Thank you Openime for the steps!
I understand that these rules are to be configured on the manager. Please correct me if I am wrong.
Apart from this, do we get an option to configure rules at the agent level?

Regards,
swapnils

Openime Oniagbi

Dec 2, 2022, 4:55:08 AM
to Wazuh mailing list
Yes, the rules are to be configured on the manager.

However, if you want a rule to apply to a specific agent, you can use the <hostname> tag, for example:

<rule id="100003" level="0">
  <if_sid>80710</if_sid>
  <hostname>decoded_hostname</hostname>
  <description>Rule suppression</description>
</rule>

You can get the hostname from the logs because the value must be the same or match a regular expression you specify. Please take a look at this documentation for more details.

I hope this helps.

swapnils

Dec 5, 2022, 5:16:13 AM
to Wazuh mailing list

Hello Openime,

I created the following file referring to the default rules, but I could see that it has not taken effect. Could you please advise what has gone wrong here?

# ls -l /var/ossec/etc/rules/custom-rule.xml
-rw-rw---- 1 wazuh wazuh 1733 Dec  5 14:09 /var/ossec/etc/rules/custom-rule.xml

File contains -

# cat custom-rule.xml

<!-- From SYSLOG FILE -->
<group name="syslog,linuxkernel,">
  <rule id="5100" level="0" noalert="1">
    <program_name>^kernel</program_name>
    <description>Pre-match rule for kernel messages.</description>
  </rule>

  <rule id="5104" level="8" timeframe="10800" ignore="3600" overwrite="yes">
    <if_sid>5100</if_sid>
    <regex>Promiscuous mode enabled|</regex>
    <regex>device \S+ entered promiscuous mode</regex>
    <description>Interface entered in promiscuous(sniffing) mode.</description>
    <mitre>
      <id>T1040</id>
    </mitre>
    <group>promisc,pci_dss_10.6.1,pci_dss_11.4,gpg13_4.13,gdpr_IV_35.7.d,hipaa_164.312.b,nist_800_53_AU.6,nist_800_53_SI.4,tsc_CC7.2,tsc_CC7.3,tsc_CC6.1,tsc_CC6.8,</group>
  </rule>
</group>

<!-- From AUDIT FILE -->
<group name="audit,">
  <rule id="80700" level="0">
    <decoded_as>auditd</decoded_as>
    <description>Audit: Messages grouped.</description>
  </rule>

  <rule id="80710" level="10" timeframe="10800" ignore="3600" overwrite="yes">
    <if_sid>80700</if_sid>
    <field name="audit.type">ANOM_PROMISCUOUS</field>
    <match>prom=256</match>
    <description>Auditd: Device enables promiscuous mode.</description>
    <group>audit_anom,gdpr_IV_30.1.g,gdpr_IV_35.7.d,gpg13_4.14,hipaa_164.312.b,nist_800_53_AU.6,nist_800_53_SI.4,pci_dss_10.6.1,pci_dss_11.4,tsc_CC6.1,tsc_CC6.8,tsc_CC7.2,tsc_CC7.3,</group>
  </rule>
</group>

Thanks & Regards,
swapnils

Openime Oniagbi

Dec 5, 2022, 5:30:54 AM
to Wazuh mailing list
Hi,

I'd like to confirm something. Did you create a new file for the rules?

Regards.

swapnils

Dec 5, 2022, 5:48:55 AM
to Wazuh mailing list
Hi! Yes, I created a new file as `custom-rule.xml` under `/var/ossec/etc/rules`. I added the overwrite, ignore & timeframe options too.


Thanks,
swapnils

Openime Oniagbi

Dec 5, 2022, 6:09:24 AM
to Wazuh mailing list
Hi again,

You do not need to create a new file. Please add the rules you created to the /var/ossec/etc/rules/local_rules.xml file on the Wazuh server.

I hope this is clear.

Regards.

swapnils

Dec 5, 2022, 1:16:11 PM
to Wazuh mailing list
Hello,
I created multiple files there, as under the Wazuh dashboard I got an option to create custom files. Instead of appending multiple rules to a single file and making it lengthy, I thought of creating separate files for segregation.
It is unlikely that it could cause the problem, is it?
When checked under the Security Events dashboard, I could see that the graph shows that alerts have reduced, but when checking the security alerts by scrolling down below, entries still appear. Attaching snips for your reference.

Please advise.

Regards,
swapnils
2022-12-05_23-40.png
2022-12-05_23-43.png

Openime Oniagbi

Dec 7, 2022, 4:02:44 AM
to Wazuh mailing list
Hi,

I just checked, and the issue is with your rule IDs.

Please use a rule ID of 100001 or higher. Also, ensure that there are no duplicate IDs.

Regards.
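The two answers above (scoping a level-0 suppression to one agent with `<hostname>`, and keeping custom rule IDs out of the default range with no duplicates) are easy to get wrong by hand. The script below is an added example written for this thread, not Wazuh code: it parses a custom rules file and applies exactly those checks, then lists which rules actually suppress anything. It assumes the custom ID range 100000-120000 that the Wazuh documentation reserves for custom rules; the sample inputs are constructed (a trimmed copy of the file posted above, and a corrected version using the placeholder hostname `docker-host-01`).

```python
"""Sanity-check a Wazuh custom rules file before adding it to local_rules.xml.

Added example, not Wazuh code. Checks: (1) every rule ID is in the custom range
100000-120000 (assumed from the Wazuh docs) unless the rule carries
overwrite="yes"; (2) no ID is declared twice; (3) lists the level-0 rules that
really suppress an alert and whether each is scoped by <hostname>.
"""
import xml.etree.ElementTree as ET
from collections import Counter

CUSTOM_ID_MIN, CUSTOM_ID_MAX = 100000, 120000

# Constructed, trimmed copy of the custom-rule.xml posted earlier in the thread.
POSTED_RULES = r"""
<group name="syslog,linuxkernel,">
  <rule id="5100" level="0" noalert="1">
    <program_name>^kernel</program_name>
    <description>Pre-match rule for kernel messages.</description>
  </rule>
  <rule id="5104" level="8" timeframe="10800" ignore="3600" overwrite="yes">
    <if_sid>5100</if_sid>
    <regex>device \S+ entered promiscuous mode</regex>
    <description>Interface entered in promiscuous(sniffing) mode.</description>
  </rule>
</group>
<group name="audit,">
  <rule id="80700" level="0">
    <decoded_as>auditd</decoded_as>
    <description>Audit: Messages grouped.</description>
  </rule>
  <rule id="80710" level="10" timeframe="10800" ignore="3600" overwrite="yes">
    <if_sid>80700</if_sid>
    <field name="audit.type">ANOM_PROMISCUOUS</field>
    <match>prom=256</match>
    <description>Auditd: Device enables promiscuous mode.</description>
  </rule>
</group>
"""

# Constructed: the shape the replies recommend. Fresh IDs in the custom range,
# level 0, children of the noisy rules, scoped to one agent via <hostname>.
# "docker-host-01" is a placeholder hostname.
FIXED_RULES = """
<group name="local,promisc_suppression,">
  <rule id="100003" level="0">
    <if_sid>80710</if_sid>
    <hostname>docker-host-01</hostname>
    <description>Rule suppression</description>
  </rule>
  <rule id="100004" level="0">
    <if_sid>5104</if_sid>
    <hostname>docker-host-01</hostname>
    <description>Rule suppression</description>
  </rule>
</group>
"""


def parse_rules(xml_text):
    """One dict per <rule>. A rules file may hold several top-level <group>
    elements, so it is wrapped in a synthetic root before parsing."""
    root = ET.fromstring("<rules>" + xml_text + "</rules>")
    rules = []
    for rule in root.iter("rule"):
        rules.append({
            "id": int(rule.get("id")),
            "level": int(rule.get("level", "0")),
            "overwrite": rule.get("overwrite", "no").lower() == "yes",
            "if_sid": (rule.findtext("if_sid") or "").strip() or None,
            "hostname": (rule.findtext("hostname") or "").strip() or None,
        })
    return rules


def check_rules(xml_text):
    """Return findings as strings; an empty list means both checks pass."""
    rules = parse_rules(xml_text)
    findings = []
    for rid, n in sorted(Counter(r["id"] for r in rules).items()):
        if n > 1:
            findings.append(f"rule {rid}: declared {n} times (duplicate ID)")
    for r in rules:
        rid = r["id"]
        if not (CUSTOM_ID_MIN <= rid <= CUSTOM_ID_MAX) and not r["overwrite"]:
            findings.append(
                f'rule {rid}: ID outside {CUSTOM_ID_MIN}-{CUSTOM_ID_MAX} without '
                f'overwrite="yes"; it collides with a default ruleset ID')
    return findings


def suppressions(xml_text):
    """(id, parent if_sid, scope) for each rule that actually silences an alert:
    level 0 and either a child of the noisy rule or an in-place overwrite.
    Scope is the <hostname> value, or 'all agents' when the rule is unscoped."""
    return [
        (r["id"], r["if_sid"], r["hostname"] or "all agents")
        for r in parse_rules(xml_text)
        if r["level"] == 0 and (r["if_sid"] or r["overwrite"])
    ]


if __name__ == "__main__":
    for name, text in (("posted", POSTED_RULES), ("fixed", FIXED_RULES)):
        print(name, "findings:", check_rules(text) or "none")
        print(name, "suppressions:", suppressions(text) or "none")
```

Run against the posted file, the checker reports the two re-declared parent rules (5100 and 80700) that reuse default IDs without `overwrite="yes"`, and finds no level-0 suppression at all, since the overwritten 5104 and 80710 keep levels 8 and 10. The corrected file passes cleanly and shows both suppressions scoped to the one agent.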

swapnils

Dec 8, 2022, 11:14:28 PM
to Wazuh mailing list

Hi, thank you for the help!
I thought the overwrite parameter would do the job. I shall get it checked and update you.

Regards,

Openime Oniagbi

Dec 9, 2022, 4:37:34 AM
to Wazuh mailing list
You're right, it should. Please let me know the result of your test.