Hostname field for custom ruleset is not working
409 views
Skip to first unread message
Georges Bolton
Aug 21, 2023, 11:25:18 AM8/21/23
to Wazuh mailing list
Hello,
I'm trying to make a rule on the SID 533 "ossec: output: 'netstat listening ports". Unfortunately, the hostname field of the rule is not working.
Here's my log :
tcp 0.0.0.0:22 0.0.0.0:* 927/sshd
tcp6 :::22 :::* 927/sshd
tcp 0.0.0.0:1514 0.0.0.0:* 662139/wazuh-remote
tcp 0.0.0.0:1515 0.0.0.0:* 662060/wazuh-authd
tcp6 127.0.0.1:9200 :::* 569371/java
tcp6 127.0.0.1:9300 :::* 569371/java
Here's my custom rule :
<rule id="123456" level="0">
<if_sid>533</if_sid>
<hostname>test\.example\.com</hostname>
<description>This is a TEST custom rule to suppress FP.</description>
</rule>
After that, I still have the rule triggering in my Wazuh dashboard. I have restarted the Manager. I have tried to insert it in the Test Log Rule tool but it seems broken with that kind of logs.
Is there something I have done wrong ? Should I use another field for my rule ?
Thanks, Best regards,
Is there something I have done wrong ? Should I use another field for my rule ?
Thanks, Best regards,
Message has been deleted
Message has been deleted
Message has been deleted
Message has been deleted
Message has been deleted
Nicolas Osvaldo Fernandez
Aug 28, 2023, 9:44:34 AM8/28/23
to Wazuh | Mailing List
Hello, nice to greet you.
In order to do what you want, you must use the prematch tag, which will allow you to filter for what you need.
For example:
In order to do what you want, you must use the prematch tag, which will allow you to filter for what you need.
For example:
<rule id="123456" level="0">
<if_sid>533</if_sid>
<prematch>test.example.com</prematch>
<description>This is a TEST custom rule to suppress FP.</description>
</rule>
You can check the documentation for more information.
Let me know if the information provided helped you.
Greetings,
Nicolas
Let me know if the information provided helped you.
Greetings,
Nicolas
Georges Bolton
Aug 28, 2023, 2:25:44 PM8/28/23
to Wazuh | Mailing List
Hello Nicolas,
The prematch markup is only for decoders. Here, I am trying to write a ruleset. In fact, my goal is to keep the decoder's rule intact because it is a Wazuh default ruleset. I just want to tune the rule that triggers alerts because it is too verbose.
Do you know any solution for the ruleset ?
The prematch markup is only for decoders. Here, I am trying to write a ruleset. In fact, my goal is to keep the decoder's rule intact because it is a Wazuh default ruleset. I just want to tune the rule that triggers alerts because it is too verbose.
Do you know any solution for the ruleset ?
Nicolas Osvaldo Fernandez
Aug 29, 2023, 9:35:16 AM8/29/23
to Wazuh | Mailing List
Hello, sorry for the confusion.
<description>This is a TEST custom rule to suppress FP.</description>
</rule>
Or you can also use the tag field, which I think is more suitable for what you need.
<description>This is a TEST custom rule to suppress FP.</description>
</rule>
Greetings,
Nicolas
To be able to do what you want you have two options.
You can use the match tag to filter the rule.
<rule id="123456" level="0">
<if_sid>533</if_sid>
<if_sid>533</if_sid>
<match>test.example.com</match>
<description>This is a TEST custom rule to suppress FP.</description>
</rule>
<rule id="123456" level="0">
<if_sid>533</if_sid>
<if_sid>533</if_sid>
<field name="hostname">test.example.com</field>
<description>This is a TEST custom rule to suppress FP.</description>
</rule>
Let me know if the help helped you.
Greetings,
Nicolas
Georges Bolton
Aug 29, 2023, 10:51:45 AM8/29/23
to Wazuh | Mailing List
Hello Nicolas,
Thanks for your time and answer.
Thanks for your time and answer.
I just have tested those solutions and unfortunately it didn't work for me.
It seems like the hostname is not in the log. Is this possible to still have the value of the hostname since the dashboard is displaying it ? How the dashboard is reading the hostname ?
Best regards,
Nicolas Osvaldo Fernandez
Aug 30, 2023, 8:32:32 AM8/30/23
to Wazuh | Mailing List
Hello, we could do the following test:
Insert the event you want to test, and please attach the full result to me.
On the other hand, could you provide me with your /var/ossec/etc/rules/local_rules.xml to review it? Please omit sensitive information.
And in another order, could you show me the event generated in the dashboard?
Thank you
Run the logtest, to verify how the event is being processed:
/var/ossec/bin/wazuh-logtest -dd
On the other hand, could you provide me with your /var/ossec/etc/rules/local_rules.xml to review it? Please omit sensitive information.
And in another order, could you show me the event generated in the dashboard?
Thank you
Nicolas
Georges Bolton
Aug 30, 2023, 11:46:49 AM8/30/23
to Wazuh | Mailing List
Hello Nicolas,
Here's the alert log generated in the file "/var/ossec/logs/alerts/alerts.log".
** Alert 1693408656.3533904: - ossec,pci_dss_10.2.7,pci_dss_10.6.1,gpg13_10.1,gdpr_IV_35.7.d,hipaa_164.312.b,nist_800_53_AU.14,nist_800_53_AU.6,tsc_CC6.8,tsc_CC7.2,tsc_CC7.3,
2023 Aug 30 11:17:36 (agent1.example.com) any->netstat listening ports
Rule: 533 (level 7) -> 'Listened ports status (netstat) changed (new port opened or closed).'
ossec: output: 'netstat listening ports':
tcp 0.0.0.0:22 0.0.0.0:* 1063/sshd
tcp6 :::22 :::* 1063/sshd
udp 127.0.0.1:323 0.0.0.0:* 1015/chronyd
udp6 ::1:323 :::* 1015/chronyd
tcp 127.0.0.1:8081 0.0.0.0:* 3798303/node
tcp6 :::9100 :::* 1072/node
tcp 127.0.0.1:32000 0.0.0.0:* 3607712/java
tcp6 127.0.0.1:44599 :::* 3607712/java
Previous output:
ossec: output: 'netstat listening ports':
tcp 0.0.0.0:22 0.0.0.0:* 1063/sshd
tcp6 :::22 :::* 1063/sshd
udp 127.0.0.1:323 0.0.0.0:* 1015/chronyd
udp6 ::1:323 :::* 1015/chronyd
tcp6 :::9100 :::* 1072/node
tcp 127.0.0.1:32000 0.0.0.0:* 3607712/java
tcp6 127.0.0.1:44599 :::* 3607712/java
You can find the logtest result from the log above (logtest_wazuh_ossec_533.json).
Basically the file "/var/ossec/etc/rules/local_rules.xml" is a default one but I have created the file "/var/ossec/etc/rules/my_custom_fp.xml" where the file content is :
<group name="custom,false_positive,">
<rule id="101504" level="0">
<if_sid>533</if_sid>
<description>This is a TEST custom rule to suppress FP.</description>
</rule>
</group>
Here's the alert in the dashboard is available in json (dashboard_alert.json) format as well. Sorry, I can't screenshot the Dashboard.
Hope it helps.
Best regards,
Nicolas Osvaldo Fernandez
Aug 30, 2023, 2:46:36 PM8/30/23
to Wazuh | Mailing List
Hello, I was reviewing the events and logs and I don't see that the "hostname" field is being decoded, for this reason the rule is not filtering correctly.
Another field would have to be identified to filter the rule, could it be agent.name or manager.name?
Greetings
Nicolas
Another field would have to be identified to filter the rule, could it be agent.name or manager.name?
Greetings
Nicolas
Georges Bolton
Aug 31, 2023, 9:00:08 AM8/31/23
to Wazuh | Mailing List
Hello Nicolas, I have tried multiple field such as "hostname", "agent.name", manager.name", "name". Maybe I should create an issue on Wazuh with that problem.
Best regards,
Best regards,
Nicolas Osvaldo Fernandez
Aug 31, 2023, 9:23:48 AM8/31/23
to Wazuh | Mailing List
Hi, let me do some more testing in my local environment to see if we can find a way around it. I'll be back with you in a moment.
Greetings
Nicolás
Nicolas Osvaldo Fernandez
Aug 31, 2023, 11:27:47 AM8/31/23
to Wazuh | Mailing List
Hello, sorry for the delay.
<rule id="101102" level="0">
<if_sid>530</if_sid>
<location>agent1.example.com</location>
<description>This is a TEST custom rule to suppress FP.</description>
<!-- Process monitoring rules -->
<rule id="530" level="0">
<if_sid>500</if_sid>
<match>^ossec: output: </match>
<description>OSSEC process monitoring rules.</description>
<group>process_monitor,</group>
<rule id="101102" level="0">
<if_sid>530</if_sid>
<match>^ossec: output: 'netstat listening ports'</match>
<location>agent1.example.com</location>
<description>This is a TEST custom rule to suppress FP.</description>
I was able to reproduce the case in a local environment, the rule for it to work correctly should be done as follows:
<rule id="101102" level="0">
<if_sid>530</if_sid>
<location>agent1.example.com</location>
<description>This is a TEST custom rule to suppress FP.</description>
</rule>
Since the event is generated by a wazuh command, the location of the tag must be used. On the other hand, ten present that rule 530 covers different monitoring processes:
<!-- Process monitoring rules -->
<rule id="530" level="0">
<if_sid>500</if_sid>
<match>^ossec: output: </match>
<description>OSSEC process monitoring rules.</description>
<group>process_monitor,</group>
</rule>
If you only want to filter by monitoring "netstat listening ports" you must add the following condition to the custom rule:
<rule id="101102" level="0">
<if_sid>530</if_sid>
<match>^ossec: output: 'netstat listening ports'</match>
<location>agent1.example.com</location>
<description>This is a TEST custom rule to suppress FP.</description>
</rule>
Georges Bolton
Aug 31, 2023, 4:38:18 PM8/31/23
to Wazuh | Mailing List
Hello Nicolas, Thanks for your time and effort.
<rule id="123456" level="0">
It doesn't work at all for me I have tried :
<rule id="123456" level="0">
<if_sid>530</if_sid>
<match>ossec: output: 'netstat listening ports</match>
<location>manager</location>
<description>This is a TEST custom rule to suppress FP.</description>
</rule>
<rule id="123456" level="0">
<if_sid>530</if_sid>
<match>ossec: output: 'netstat listening ports</match>
<description>This is a TEST custom rule to suppress FP.</description>
</rule>
<rule id="123456" level="0">
<if_sid>533</if_sid>
<location>manager</location>
<description>This is a TEST custom rule to suppress FP.</description>
</rule>
<description>This is a TEST custom rule to suppress FP.</description>
</rule>
<rule id="123456" level="0">
<if_sid>533</if_sid>
<match>ossec: output: 'netstat listening ports</match>
<location>manager</location>
<description>This is a TEST custom rule to suppress FP.</description>
</rule>
<rule id="123456" level="0">
<if_sid>533</if_sid>
<match>ossec: output: 'netstat listening ports</match>
<description>This is a TEST custom rule to suppress FP.</description>
</rule>
I have also tried with "agent1" and "agent1.example.com". It still makes an alert. Do you know if there is a way to display location somewhere ? Maybe I don't have the same issue as you. I'm running under Wazuh 4.5.0.
Best regards,
Nicolas Osvaldo Fernandez
Sep 1, 2023, 9:59:02 AM9/1/23
to Wazuh | Mailing List
Hello,
These events, although they cannot be seen on the dashboard, have the name of the agent where the event was collected in the location tag. In your example it would be something like this: location "(agent1.example.com) any -> netstat listening ports".
Internally, the location ends up being something like "netstat listening ports", as you can see in the event you shared as an example.
<match>^ossec: output: 'netstat listening ports'</match>
<description>This is a TEST custom rule to suppress FP.</description>
</rule>
2. Run logtest, forcing the location as if it would be the original event:
╰─# /var/ossec/bin/wazuh-logtest -l "(agent1.example.com) any->netstat listening ports"
3. Enter the event:
ossec: output: 'netstat listening ports':\ntcp 0.0.0.0:22 0.0.0.0:* 1063/sshd\ntcp6 :::22 :::* 1063/sshd\nudp 127.0.0.1:323 0.0.0.0:* 1015/chronyd\nudp6 ::1:323 :::* 1015/chronyd\ntcp6 :::9100 :::* 1072/node\ntcp 127.0.0.1:32000 0.0.0.0:* 3607712/java\ntcp6 127.0.0.1 :44599 :::* 3607712/java
4. Review result:
Starting wazuh-logtest v4.4.4
Type one log per line
ossec: output: 'netstat listening ports':\ntcp 0.0.0.0:22 0.0.0.0:* 1063/sshd\ntcp6 :::22 :::* 1063/sshd\nudp 127.0.0.1:323 0.0.0.0:* 1015/chronyd\nudp6 ::1:323 :::* 1015/chronyd\ntcp6 :::9100 :::* 1072/node\ntcp 127.0.0.1:32000 0.0.0.0:* 3607712/java\ntcp6 127.0.0.1 :44599 :::* 3607712/java
** Wazuh-Logtest: WARNING: (7617): Signature ID '5000' was not found and will be ignored in the 'if_sid' option of rule '100002'.
** Wazuh-Logtest: WARNING: (7619): Empty 'if_sid' value. Rule '100002' will be ignored.
** Wazuh-Logtest: WARNING: (1103): Could not open file 'etc/rules/local_rules2.xml' due to [(13)-(Permission denied)].
**Phase 1: Completed pre-decoding.
full event: 'ossec: output: 'netstat listening ports':\ntcp 0.0.0.0:22 0.0.0.0:* 1063/sshd\ntcp6 :::22 :::* 1063/sshd\nudp 127.0.0.1:323 0.0 .0.0:* 1015/chronyd\nudp6 ::1:323 :::* 1015/chronyd\ntcp6 :::9100 :::* 1072/node\ntcp 127.0.0.1:32000 0.0.0.0:* 3607712/java\ ntcp6 127.0.0.1:44599 :::* 3607712/java'
**Phase 2: Completed decoding.
name: 'ossec'
**Phase 3: Completed filtering (rules).
id: '101102'
level: '0'
description: 'This is a TEST custom rule to suppress FP.'
groups: '['local', 'syslog', 'sshd']'
firedtimes: '1'
mail: 'False'
These types of events are processed by wazuh monitoring processes (command or full-command type events).
These events, although they cannot be seen on the dashboard, have the name of the agent where the event was collected in the location tag. In your example it would be something like this: location "(agent1.example.com) any -> netstat listening ports".
Internally, the location ends up being something like "netstat listening ports", as you can see in the event you shared as an example.
Perform the following local test:
1. Change local_rules.xml:
<rule id="101102" level="0">
<if_sid>530,533</if_sid>
<match>^ossec: output: 'netstat listening ports'</match>
<location>agent1.example</location>
<description>This is a TEST custom rule to suppress FP.</description>
</rule>
2. Run logtest, forcing the location as if it would be the original event:
╰─# /var/ossec/bin/wazuh-logtest -l "(agent1.example.com) any->netstat listening ports"
3. Enter the event:
ossec: output: 'netstat listening ports':\ntcp 0.0.0.0:22 0.0.0.0:* 1063/sshd\ntcp6 :::22 :::* 1063/sshd\nudp 127.0.0.1:323 0.0.0.0:* 1015/chronyd\nudp6 ::1:323 :::* 1015/chronyd\ntcp6 :::9100 :::* 1072/node\ntcp 127.0.0.1:32000 0.0.0.0:* 3607712/java\ntcp6 127.0.0.1 :44599 :::* 3607712/java
4. Review result:
Starting wazuh-logtest v4.4.4
Type one log per line
ossec: output: 'netstat listening ports':\ntcp 0.0.0.0:22 0.0.0.0:* 1063/sshd\ntcp6 :::22 :::* 1063/sshd\nudp 127.0.0.1:323 0.0.0.0:* 1015/chronyd\nudp6 ::1:323 :::* 1015/chronyd\ntcp6 :::9100 :::* 1072/node\ntcp 127.0.0.1:32000 0.0.0.0:* 3607712/java\ntcp6 127.0.0.1 :44599 :::* 3607712/java
** Wazuh-Logtest: WARNING: (7617): Signature ID '5000' was not found and will be ignored in the 'if_sid' option of rule '100002'.
** Wazuh-Logtest: WARNING: (7619): Empty 'if_sid' value. Rule '100002' will be ignored.
** Wazuh-Logtest: WARNING: (1103): Could not open file 'etc/rules/local_rules2.xml' due to [(13)-(Permission denied)].
**Phase 1: Completed pre-decoding.
full event: 'ossec: output: 'netstat listening ports':\ntcp 0.0.0.0:22 0.0.0.0:* 1063/sshd\ntcp6 :::22 :::* 1063/sshd\nudp 127.0.0.1:323 0.0 .0.0:* 1015/chronyd\nudp6 ::1:323 :::* 1015/chronyd\ntcp6 :::9100 :::* 1072/node\ntcp 127.0.0.1:32000 0.0.0.0:* 3607712/java\ ntcp6 127.0.0.1:44599 :::* 3607712/java'
**Phase 2: Completed decoding.
name: 'ossec'
**Phase 3: Completed filtering (rules).
id: '101102'
level: '0'
description: 'This is a TEST custom rule to suppress FP.'
groups: '['local', 'syslog', 'sshd']'
firedtimes: '1'
mail: 'False'
As you can see, the rule works.
Anyway, to confirm the scenario, I'm going to set up a local environment with a manager and agent, to apply the rule without the logtest. When the test is over, I'll come back to you for the results.
On the other hand, to confirm, the name of the agent to filter should match the name of the agent that collects the event, which you can check with the following command:
╰─# /var/ossec/bin/agent_control -l
Wazuh agent_control. List of available agents:
ID: 000, Name: 200-u20-dev-manager (server), IP: 127.0.0.1, Active/Local
ID: 001, Name: 217-wserver-2022, IP: any, Disconnected
ID: 002, Name: 202-u20-dev-agent, IP: any, Disconnected
ID: 004, Name: 202-win, IP: any, Disconnected
ID: 005, Name: 203-c8, IP: any, Disconnected
ID: 006, Name: 213-openSuseDev, IP: any, Disconnected
Greetings,
Nicolas
Anyway, to confirm the scenario, I'm going to set up a local environment with a manager and agent, to apply the rule without the logtest. When the test is over, I'll come back to you for the results.
On the other hand, to confirm, the name of the agent to filter should match the name of the agent that collects the event, which you can check with the following command:
╰─# /var/ossec/bin/agent_control -l
Wazuh agent_control. List of available agents:
ID: 000, Name: 200-u20-dev-manager (server), IP: 127.0.0.1, Active/Local
ID: 001, Name: 217-wserver-2022, IP: any, Disconnected
ID: 002, Name: 202-u20-dev-agent, IP: any, Disconnected
ID: 004, Name: 202-win, IP: any, Disconnected
ID: 005, Name: 203-c8, IP: any, Disconnected
ID: 006, Name: 213-openSuseDev, IP: any, Disconnected
Greetings,
Nicolas
Nicolas Osvaldo Fernandez
Sep 1, 2023, 6:54:41 PM9/1/23
to Wazuh | Mailing List
Hello,
I'll tell you the news. I carried out the tests in low environments with a server and an agent, configuring the rules and I was able to reproduce the same scenario as you: the alert does not work.
We are going to be debugging the event to see what is happening, as soon as I have news I am communicating.
Greetings,
Nicolas
Nicolas Osvaldo Fernandez
Sep 4, 2023, 6:20:06 PM9/4/23
to Wazuh | Mailing List
Hello, sorry for the delay.
We were carrying out the necessary tests and the rule is working correctly.This is the rule we apply:
<rule id="101102" level="5">
<if_sid>533</if_sid>
<location>wazuh-agent-1</location>
<description>This is a TEST custom rule to suppress FP.</description>
</rule>
This is the output, seen from /var/ossec/logs/archives/archives.json:
{
"timestamp": "2023-09-04T22:14:56.752+0000",
rule: {
"level": 5,
"description": "This is a TEST custom rule to suppress FP.",
"id": "101102",
"firedtimes": 1,
"mail": false,
"groups": [
"local",
"syslog",
"sshd"
},
agent: {
"id": "001",
"name": "wazuh-agent-1",
"ip": "10.0.2.5"
},
"manager": {
"name": "wazuh-server"
},
"id": "1693865696.121948",
"previous_output": "Previous output:\nossec: output: 'netstat listening ports':\ntcp 0.0.0.0:22 0.0.0.0:* /usr\ntcp6 :::22 :::* /usr\ntcp 127.0.0.53 :53 0.0.0.0:* 572/systemd-resolve\nudp 127.0.0.53:53 0.0.0.0:* 572/systemd-resolve\nudp 10.0.2.5:68 0.0.0.0:* 570/systemd-network\ntcp 0.0. 0.0:4040 0.0.0.0:* 1700/nc",
"full_log": "ossec: output: 'netstat listening ports':\ntcp 0.0.0.0:22 0.0.0.0:* /usr\ntcp6 :::22 :::* /usr\ntcp 127.0.0.53:53 0.0. 0.0:* 572/systemd-resolve\nudp 127.0.0.53:53 0.0.0.0:* 572/systemd-resolve\nudp 10.0.2.5:68 0.0.0.0:* 570/systemd-network",
"decoder": {
"name": "ossec"
},
"previous_log": "ossec: output: 'netstat listening ports':\ntcp 0.0.0.0:22 0.0.0.0:* /usr\ntcp6 :::22 :::* /usr\ntcp 127.0.0.53:53 0.0. 0.0:* 572/systemd-resolve\nudp 127.0.0.53:53 0.0.0.0:* 572/systemd-resolve\nudp 10.0.2.5:68 0.0.0.0:* 570/systemd-network\ntcp 0.0.0.0:4040 0.0 .0.0:* 1700/nc",
"location": "netstat listening ports"
}
As can be seen, the rule applied to the event to be suppressed is executed.
Any questions are available
Greetings,
Nicolas
Any questions are available
Greetings,
Nicolas
Georges Bolton
Sep 7, 2023, 2:18:32 PM9/7/23
to Wazuh | Mailing List
Hello Nicolas,
Thanks for the feedback.
I have test on my side as well. When I run logtest forcing the location, I still don't have the correct result. Here's the log paste.
ossec: output: 'netstat listening ports':\ntcp 0.0.0.0:22 0.0.0.0:* 1063/sshd\ntcp6 :::22 :::* 1063/sshd\nudp 127.0.0.1:323 0.0.0.0:* 1015/chronyd\nudp6 ::1:323 :::* 1015/chronyd\ntcp6 :::9100 :::* 1072/node\ntcp 127.0.0.1:32000 0.0.0.0:* 3607712/java\ntcp6 127.0.0.1 :44599 :::* 3607712/java
Here's the filtering rule :
**Phase 3: Completed filtering (rules).
id: '530'
level: '0'
description: 'Wazuh process monitoring rules.'
groups: '['ossec', 'process_monitor']'
firedtimes: '1'
mail: 'False'
level: '0'
description: 'Wazuh process monitoring rules.'
groups: '['ossec', 'process_monitor']'
firedtimes: '1'
mail: 'False'
As you can see there is not my custom rule id here.
In addition, when I putting the rule :
<rule id="101102" level="0">
<if_sid>533</if_sid>
<location>agent1.example.com</location>
<location>agent1.example.com</location>
<description>This is a TEST custom rule to suppress FP.</description>
</rule>
</rule>
or
<rule id="101102" level="0">
<if_sid>533</if_sid>
<location>agent1</location>
<location>agent1</location>
<description>This is a TEST custom rule to suppress FP.</description>
</rule>
</rule>
It doesn't work and still have the alerts. When I am checking my logs, I also have the "\n" in the full log but still trigger the rule sid 533. I am kind of lost here since it does not work well on my side. Could you please illuminate me ?
Have a wonderful day.
Best regards,
Nicolas Osvaldo Fernandez
Sep 8, 2023, 7:26:27 AM9/8/23
to Wazuh | Mailing List
Hello good morning.
How are you running the wazuh-logtest? Could you share me the command line you use?
On the other hand, if you can provide me with the local_rules.xml file omitting the sensitive information so I can parse it great.
ossec: output: 'netstat listening ports':\ntcp 0.0.0.0:22 0.0.0.0:* 1063/sshd\ntcp6 :::22 :::* 1063/sshd\nudp 127.0.0.1:323 0.0.0.0:* 1015/chronyd\nudp6 ::1:323 :::* 1015/chronyd\ntcp6 :::9100 :::* 1072/node\ntcp 127.0.0.1:32000 0.0.0.0:* 3607712/java\ntcp6 127.0.0.1 :44599 :::* 3607712/java
ossec: output: 'netstat listening ports':\ntcp 0.0.0.0:22 0.0.0.0:* 1063/sshd\ntcp6 :::22 :::* 1063/sshd\nudp 127.0.0.1:323 0.0.0.0:* 1015/chronyd\nudp6 ::1:323 :::* 1015/chronyd\ntcp6 :::9100 :::* 1072/node\ntcp 127.0.0.1:32000 0.0.0.0:* 3607712/java\ntcp6 127.0.0.1 :44599 :::* 3607712/java
Greetings,
Nicolas
How are you running the wazuh-logtest? Could you share me the command line you use?
I run the command as follows:
wazuh-logtest -l wazuh-agent-1 -dd
To clarify, keep in mind that rule 533 has a <check_diff />, this means that if once the alert is generated, if an event that matches this rule occurs again, if there are no differences in the event, no the rule is going to be executed.
For example:
1st event:
For example:
1st event:
ossec: output: 'netstat listening ports':\ntcp 0.0.0.0:22 0.0.0.0:* 1063/sshd\ntcp6 :::22 :::* 1063/sshd\nudp 127.0.0.1:323 0.0.0.0:* 1015/chronyd\nudp6 ::1:323 :::* 1015/chronyd\ntcp6 :::9100 :::* 1072/node\ntcp 127.0.0.1:32000 0.0.0.0:* 3607712/java\ntcp6 127.0.0.1 :44599 :::* 3607712/java
The rule (and the alert we created) are executed
2nd event (same event):
2nd event (same event):
ossec: output: 'netstat listening ports':\ntcp 0.0.0.0:22 0.0.0.0:* 1063/sshd\ntcp6 :::22 :::* 1063/sshd\nudp 127.0.0.1:323 0.0.0.0:* 1015/chronyd\nudp6 ::1:323 :::* 1015/chronyd\ntcp6 :::9100 :::* 1072/node\ntcp 127.0.0.1:32000 0.0.0.0:* 3607712/java\ntcp6 127.0.0.1 :44599 :::* 3607712/java
The rule is not executed, nor is the custom alert.
Nicolas
Georges Bolton
Sep 11, 2023, 11:15:46 AM9/11/23
to Wazuh | Mailing List
Hello Nicolas,
Starting wazuh-logtest v4.5.0
Now I am using your command line :
Here's my local_rules.xml :
Do you know what could be wrong ?
Best regards,
Indeed, the rule 530 triggered due to the same log rule to not trigger. After sending another log, here's my conclusion:
I was running the following command line :
/var/ossec/bin/wazuh-logtest -l "manager->netstat listening ports"
ossec: output: 'netstat listening ports':\ntcp 0.0.0.0:22 0.0.0.0:* 1063/sshd\ntcp6 :::22 :::* 1063/sshd\nudp 127.0.0.1:323 0.0.0.0:* 1015/chronyd\nudp6 ::1:323 :::* 1015/chronyd\ntcp6 :::9100 :::* 1072/node\ntcp 127.0.0.1:32000 0.0.0.0:* 3607712/java\ntcp6 127.0.0.1 :44599 :::* 3607712/java
Starting wazuh-logtest v4.5.0
Type one log per line
ossec: output: 'netstat listening ports':\ntcp 0.0.0.0:22 0.0.0.0:* 1063/sshd\ntcp6 :::22 :::* 1063/sshd\nudp 127.0.0.1:323 0.0.0.0:* 1015/chronyd\nudp6 ::1:323 :::* 1015/chronyd\ntcp6 :::9100 :::* 1072/node\ntcp 127.0.0.1:32000 0.0.0.0:* 3607712/java\ntcp6 127.0.0.1 :44599 :::* 3607712/java
**Phase 1: Completed pre-decoding.
full event: 'ossec: output: 'netstat listening ports':\ntcp 0.0.0.0:22 0.0.0.0:* 1063/sshd\ntcp6 :::22 :::* 1063/sshd\nudp 127.0.0.1:323 0.0.0.0:* 1015/chronyd\nudp6 ::1:323 :::* 1015/chronyd\ntcp6 :::9100 :::* 1072/node\ntcp 127.0.0.1:32000 0.0.0.0:* 3607712/java\ntcp6 127.0.0.1 :44599 :::* 3607712/java'
**Phase 2: Completed decoding.
name: 'ossec'
**Phase 3: Completed filtering (rules).
id: '123456'
level: '0'
description: 'This is a TEST custom rule to suppress FP.'
groups: '['custom', 'false_positive']'
firedtimes: '1'
mail: 'False'
/var/ossec/bin/wazuh-logtest -l "manager" -dd
ossec: output: 'netstat listening ports':\ntcp 0.0.0.0:22 0.0.0.0:* 1063/sshd\ntcp6 :::22 :::* 1063/sshd\nudp 127.0.0.1:323 0.0.0.0:* 1015/chronyd\nudp6 ::1:323 :::* 1015/chronyd\ntcp6 :::9100 :::* 1072/node\ntcp 127.0.0.1:32000 0.0.0.0:* 3607712/java\ntcp6 127.0.0.1 :44599 :::* 3607712/java
2023-09-11 11:10:04,623 wazuh_logtest[INFO] **Phase 1: Completed pre-decoding.
2023-09-11 11:10:04,623 wazuh_logtest[INFO] full event: 'ossec: output: 'netstat listening ports':\ntcp 0.0.0.0:22 0.0.0.0:* 1063/sshd\ntcp6 :::22 :::* 1063/sshd\nudp 127.0.0.1:323 0.0.0.0:* 1015/chronyd\nudp6 ::1:323 :::* 1015/chronyd\ntcp6 :::9100 :::* 1072/node\ntcp 127.0.0.1:32000 0.0.0.0:* 3607712/java\ntcp6 127.0.0.1 :44599 :::* 3607712/java'
2023-09-11 11:10:04,623 wazuh_logtest[INFO]
2023-09-11 11:10:04,623 wazuh_logtest[INFO] **Phase 2: Completed decoding.
2023-09-11 11:10:04,624 wazuh_logtest[INFO] name: 'ossec'
2023-09-11 11:10:04,624 wazuh_logtest[INFO]
2023-09-11 11:10:04,624 wazuh_logtest[INFO] **Phase 3: Completed filtering (rules).
2023-09-11 11:10:04,624 wazuh_logtest[INFO] id: '123456'
2023-09-11 11:10:04,624 wazuh_logtest[INFO] level: '0'
2023-09-11 11:10:04,624 wazuh_logtest[INFO] description: 'This is a TEST custom rule to suppress FP.'
2023-09-11 11:10:04,624 wazuh_logtest[INFO] groups: '['custom', 'false_positive']'
2023-09-11 11:10:04,624 wazuh_logtest[INFO] firedtimes: '1'
2023-09-11 11:10:04,624 wazuh_logtest[INFO] mail: 'False'
They both seems to work with logtest. But I still got the alerts on my Dashboard.
Here's my local_rules.xml :
<rule id="123456" level="0">
<if_sid>533</if_sid>
<location>manager</location>
<description>This is a TEST custom rule to suppress FP.</description>
</rule>
<rule id="654321" level="0">
<if_sid>533</if_sid>
<location>agent1</location>
<description>This is a TEST custom rule to suppress FP.</description>
</rule>
Best regards,
Nicolas Osvaldo Fernandez
Sep 12, 2023, 8:48:35 PM9/12/23
to Wazuh | Mailing List
Hello, nice to greet you.
I ran the tests with your rules, changing only the location (to adapt it to the name of my agent). <rule id="123456" level="0">
<if_sid>533</if_sid>
<location>manager</location>
<description>This is a TEST custom rule to suppress FP.</description>
</rule>
<rule id="654321" level="0">
<if_sid>533</if_sid>
<if_sid>533</if_sid>
<location>manager</location>
<description>This is a TEST custom rule to suppress FP.</description>
</rule>
<rule id="654321" level="0">
<if_sid>533</if_sid>
<location>agent</location>
<description>This is a TEST custom rule to suppress FP.</description>
</rule>
netcat -l 4421
In this way, I force the execution. With custom rules, the alert is not run, I can check this by looking at the alerts.json file.
To test that the rule actually works, change the name of the location to one that does not exist, and perform the previous steps again and the alert if it is generated:
<rule id="123456" level="0">
<if_sid>533</if_sid>
<location>manager</location>
<description>This is a TEST custom rule to suppress FP.</description>
</rule>
<rule id="654321" level="0">
<if_sid>533</if_sid>
<if_sid>533</if_sid>
<location>manager</location>
<description>This is a TEST custom rule to suppress FP.</description>
</rule>
<rule id="654321" level="0">
<if_sid>533</if_sid>
<location>other</location>
<description>This is a TEST custom rule to suppress FP.</description>
</rule>
Alert generated (location not match):
{"timestamp":"2023-09-13T00:37:02.286+0000","rule":{"level":7,"description":"Listened ports status (netstat) changed (new port opened or closed).","id":"533","firedtimes":2,"mail":false,"groups":["ossec"],"pci_dss":["10.2.7","10.6.1"],"gpg13":["10.1"],"gdpr":["IV_35.7.d"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AU.6"],"tsc":["CC6.8","CC7.2","CC7.3"]},"agent":{"id":"002","name":"wazuh-agent-1","ip":"10.0.2.5"},"manager":{"name":"wazuh-server"},"id":"1694565422.12202","previous_output":"Previous output:\nossec: output: 'netstat listening ports':\ntcp 0.0.0.0:22 0.0.0.0:* /usr\ntcp6 :::22 :::* /usr\ntcp 127.0.0.53:53 0.0.0.0:* 533/systemd-resolve\nudp 127.0.0.53:53 0.0.0.0:* 533/systemd-resolve\nudp 10.0.2.5:68 0.0.0.0:* 489/systemd-network\ntcp 0.0.0.0:4433 0.0.0.0:* 2952/netcat","full_log":"ossec: output: 'netstat listening ports':\ntcp 0.0.0.0:22 0.0.0.0:* /usr\ntcp6 :::22 :::* /usr\ntcp 127.0.0.53:53 0.0.0.0:* 533/systemd-resolve\nudp 127.0.0.53:53 0.0.0.0:* 533/systemd-resolve\nudp 10.0.2.5:68 0.0.0.0:* 489/systemd-network\ntcp 0.0.0.0:4431 0.0.0.0:* 2964/netcat","decoder":{"name":"ossec"},"previous_log":"ossec: output: 'netstat listening ports':\ntcp 0.0.0.0:22 0.0.0.0:* /usr\ntcp6 :::22 :::* /usr\ntcp 127.0.0.53:53 0.0.0.0:* 533/systemd-resolve\nudp 127.0.0.53:53 0.0.0.0:* 533/systemd-resolve\nudp 10.0.2.5:68 0.0.0.0:* 489/systemd-network\ntcp 0.0.0.0:4433 0.0.0.0:* 2952/netcat","location":"netstat listening ports"}
I think the problem comes from the location filter. For agent, you must specify the name of the agent (not the host).
To see the agents you can execute the following command:
/var/ossec/bin/agent_control -l
/var/ossec/bin/agent_control -l
Let me know if the help was helpful to you.
Greetings
Nicolas
Greetings
Nicolas
Wazuh | Mailing List
Sep 19, 2023, 9:50:03 AM9/19/23
to Wazuh | Mailing List
Hello Nicolas,
Yes I have checked the command :
/var/ossec/bin/agent_control -l
Here's the output :
ID: 000, Name: manager.example.com (server), IP: 127.0.0.1, Active/Local
ID: 001, Name: agent1.example.com, IP: any, Active
I want my rule to be working on both assets. That's why I have manager and Agent1 in my custom rules.
I checked with your command line and the command "netcat -l 4421" and it generate logs even if the correct location. I still don't know what is wrong here ! Here's my log generated with netcat.
{"_index":"wazuh-alerts-4.x-2023.09.19","_id":"xxxxxxxxxxxxxx","_version":1,"_score":null,"_source":{"previous_log":"ossec: output: 'netstat listening ports':\ntcp 0.0.0.0:22 0.0.0.0:* 927/sshd\ntcp6 :::22 :::* 927/sshd\ntcp6 127.0.0.1:9200 :::* 569371/java\ntcp6 127.0.0.1:9300 :::* 569371/java","input":{"type":"log"},"agent":{"name":"manager.example.com","id":"000"},"previous_output":"Previous output:\nossec: output: 'netstat listening ports':\ntcp 0.0.0.0:22 0.0.0.0:* 927/sshd\ntcp6 :::22 :::* 927/sshd\ntcp6 127.0.0.1:9200 :::* 569371/java\ntcp6 127.0.0.1:9300 :::* 569371/java","manager":{"name":"manager.example.com"},"rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["10.2.7","10.6.1"],"hipaa":["xxx.xxx.xxx"],"tsc":["CC6.8","CC7.2","CC7.3"],"description":"Listened ports status (netstat) changed (new port opened or closed).","groups":["ossec"],"id":"533","nist_800_53":["AU.14","AU.6"],"gpg13":["10.1"],"gdpr":["IV_35.7.d"]},"location":"netstat listening ports","decoder":{"name":"ossec"},"id":"xxxxxxxxxxxxxxxxxxxxxx","full_log":"ossec: output: 'netstat listening ports':\ntcp 0.0.0.0:22 0.0.0.0:* 927/sshd\ntcp6 :::22 :::* 927/sshd\ntcp 0.0.0.0:4421 0.0.0.0:* 989326/netcat\ntcp6 127.0.0.1:9200 :::* 569371/java\ntcp6 127.0.0.1:9300 :::* 569371/java","timestamp":"2023-09-19T09:28:16.290-0400"},"fields":{"timestamp":["2023-09-19T13:28:16.290Z"]},"highlight":{"manager.name":["@opensearch-dashboar...@manager.example.com@/opensearch-dashboards-highlighted-field@"]},"sort":[1695130096290]}
Best regards,
Nicolas Osvaldo Fernandez
Sep 19, 2023, 7:37:30 PM9/19/23
to Wazuh | Mailing List
Hi, nice to meet you.
To do what you want, you must make the following configuration:
<description>This is a TEST custom rule to suppress FP.</description>
</rule>
<rule id="654321" level="0">
<if_sid>533</if_sid>
<description>This is a TEST custom rule to suppress FP.</description>
</rule>
To do what you want, you must make the following configuration:
<rule id="123456" level="0">
<if_sid>533</if_sid>
<if_sid>533</if_sid>
<location>manager.example.com</location>
<description>This is a TEST custom rule to suppress FP.</description>
</rule>
<rule id="654321" level="0">
<if_sid>533</if_sid>
<location>agent1.example.com</location>
<description>This is a TEST custom rule to suppress FP.</description>
</rule>
This is the configuration I created locally, with the difference that my manager is wazuh-manager and my agent is wazuh-agent-1.
The netcat -l 4421 command is to force the output of the full_command "netstat listening ports" event to be different from its previous execution, since rule 533 has the <check_diff /> tag set in its configuration:
<rule id="533" level="7">
<if_sid>530</if_sid>
<match>ossec: output: 'netstat listening ports</match>
<check_diff />
<description>The status of the listened ports (netstat) changed (new port open or closed).</description>
<group>pci_dss_10.2.7,pci_dss_10.6.1,gpg13_10.1,gdpr_IV_35.7.d,hipaa_164.312.b,nist_800_53_AU.14,nist_800_53_AU.6,tsc_CC6.8,tsc_CC7.2,tsc_CC 7.3 ,</group >
</rule>
Do I run the command in the manager manager.example.com or in the agent agent1.example.com?
Best regards,
Nicolas
<rule id="533" level="7">
<if_sid>530</if_sid>
<match>ossec: output: 'netstat listening ports</match>
<check_diff />
<description>The status of the listened ports (netstat) changed (new port open or closed).</description>
<group>pci_dss_10.2.7,pci_dss_10.6.1,gpg13_10.1,gdpr_IV_35.7.d,hipaa_164.312.b,nist_800_53_AU.14,nist_800_53_AU.6,tsc_CC6.8,tsc_CC7.2,tsc_CC 7.3 ,</group >
</rule>
Do I run the command in the manager manager.example.com or in the agent agent1.example.com?
Best regards,
Nicolas
Georges Bolton
Sep 22, 2023, 9:40:34 AM9/22/23
to Wazuh | Mailing List
Hello Nicolas,
I have forced the output the netcat command and I still have alerts even with the location.
I run the command on manager and agent1. Both have alerts generated.
Best regards,
Nicolas Osvaldo Fernandez
Sep 25, 2023, 9:56:12 AM9/25/23
to Wazuh | Mailing List
Hello, nice to greet you.
Did you restart the manager to apply the rule changes?On the other hand, do you have other rules or decoders that could be altering the rule you want to delete?
If you can send me the local_rules.xml file omitting sensitive information, I could review it.
Greetings,
Nicolas
Georges Bolton
Oct 10, 2023, 9:34:54 AM10/10/23
to Wazuh | Mailing List
Hello Nicolas,
Yes for sur I have restarted the manager.
Here's my local_rules.xml :
<rule id="123456" level="0">
<if_sid>533</if_sid>
<location>manager</location>
<description>This is a TEST custom rule to suppress FP.</description>
</rule>
<rule id="654321" level="0">
<if_sid>533</if_sid>
<location>agent1</location>
<description>This is a TEST custom rule to suppress FP.</description>
</rule>
Best regards,
Georges Bolton
Oct 24, 2023, 10:42:01 AM10/24/23
to Wazuh | Mailing List
Hello Nicolas,
Have you by any chances checked if the rule is working ?
Best regards,
Reply all
Reply to author
Forward
0 new messages