ERROR: Failure to read rule xxxxx. Field 'Action' is static.


Gianluca Busco Arrè

Apr 14, 2023, 10:37:27 PM
to Wazuh mailing list
Hi!

I'm having a hard time with a rule that must parse a value from a field Action.

  <rule id="64207" level="7">
    <if_sid>64200</if_sid>
    <field name="Action">Allow</field>
    <description>The child process is corrupted or defective.</description>
  </rule>

When I try to restart Wazuh, I always receive this error:

2023/04/15 02:30:06 wazuh-analysisd: ERROR: Failure to read rule xxxxx. Field 'Action' is static.
2023/04/15 02:30:06 wazuh-analysisd: CRITICAL: (1220): Error loading the rules: 'ruleset/rules/0675-xxxxxxxxxx.xml'.

Any ideas?

Thanks
G

Abdullah Al Rafi Fahim

Apr 15, 2023, 3:19:09 AM
to Wazuh mailing list
Hello Gianluca,

Thank you for using Wazuh!

From your previous message, what I understood is that you are trying to change the existing rule 64207 from this:

  <rule id="64207" level="7">
    <if_sid>64200</if_sid>
    <field name="ParentBroken">true</field>
    <description>Panda Security: The parent process is corrupted or defective.</description>
  </rule>

to this:

  <rule id="64207" level="7">
    <if_sid>64200</if_sid>
    <field name="Action">Allow</field>
    <description>The child process is corrupted or defective.</description>
  </rule>

However, it is not recommended to change existing rules in the default rule files in the /var/ossec/ruleset/rules/ directory. Keeping the default rule files unchanged, you can follow this documentation on changing an existing rule to achieve that. Moreover, regarding the "Field 'Action' is static." error, I would like to let you know that action is one of the static fields in the Wazuh ruleset, which can be used directly as an option in the rules as <action>Allow</action> rather than <field name="Action">Allow</field>. Reference: https://documentation.wazuh.com/current/user-manual/ruleset/ruleset-xml-syntax/rules.html#action

Therefore, my overall suggestion would be to restore the default rule file 0675-panda-paps_rules.xml with the above-mentioned default rule and add this rule in /var/ossec/etc/rules/local_rules.xml to overwrite the default one and apply your modification:

<group name="paps,">
  <rule id="64207" level="7" overwrite="yes">
    <if_sid>64200</if_sid>
    <action>Allow</action>
    <description>The child process is corrupted or defective.</description>
  </rule>
</group>

Restart the Wazuh manager to make all these changes effective.

I hope it helps. Please let us know if you need further help regarding this.
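As an added example (not code from this thread or from Wazuh itself), a small Python linter that catches both problems in the rule above before the manager does: a <field> whose name is one of the static fields, and the mismatched closing tag. The list of static field names is an assumption taken from the Wazuh rules-syntax documentation, and the sample rules file is constructed for the example.

```python
# Lint a Wazuh rules file for the mistake in this thread: a <field name="..."> that
# names one of Wazuh's static fields, which the rule loader rejects.
import xml.etree.ElementTree as ET
# Static fields with a dedicated rule option (assumption: list taken from the Wazuh
# rules-syntax documentation; check it against the version you run).
STATIC_FIELDS = {
    "action", "dstgeoip", "dstip", "dstport", "extra_data", "hostname", "id",
    "location", "program_name", "protocol", "srcgeoip", "srcip", "srcport",
    "status", "system_name", "url", "user",
}

def well_formed(xml_text):
    """True if the text is well-formed XML; a <field> closed by </action> makes it False."""
    try:
        ET.fromstring("<root>" + xml_text + "</root>")
        return True
    except ET.ParseError:
        return False

def lint_rules(xml_text):
    """Return (rule_id, field_name, replacement) for every <field> that names a static field."""
    # A rules file may hold several top-level <group> elements, so wrap them in one root.
    root = ET.fromstring("<root>" + xml_text + "</root>")
    findings = []
    for rule in root.iter("rule"):
        for fld in rule.findall("field"):
            name = fld.get("name", "")
            # The loader rejected 'Action' against static 'action': compare case-insensitively.
            if name.lower() in STATIC_FIELDS:
                opt, value = name.lower(), (fld.text or "").strip()
                findings.append((rule.get("id"), name, "<%s>%s</%s>" % (opt, value, opt)))
    return findings

# Constructed sample: a correct dynamic-field rule (id 100001 is made up) next to the
# static-field variant from the thread that produces "Field 'Action' is static".
SAMPLE_RULES = """
<group name="paps,">
  <rule id="100001" level="7">
    <if_sid>64200</if_sid>
    <field name="ParentBroken">true</field>
    <description>Panda Security: The parent process is corrupted or defective.</description>
  </rule>
  <rule id="64207" level="7" overwrite="yes">
    <if_sid>64200</if_sid>
    <field name="Action">Allow</field>
    <description>The child process is corrupted or defective.</description>
  </rule>
</group>
"""
print(lint_rules(SAMPLE_RULES))
```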

Gianluca Busco Arrè

Apr 15, 2023, 7:04:36 PM
to Wazuh mailing list
Thanks for your help! Got it. But I tried that already:

<group name="paps,">
  <rule id="64207" level="7" overwrite="yes">
    <if_sid>64200</if_sid>
    <action>Allow</action>
    <description>The child process is corrupted or defective.</description>
  </rule>
</group>

and the result, testing the rule, is the following:

**Phase 1: Completed pre-decoding.
full event: 'LEEF:1.0|Panda Security|paps|02.57.00.0000|exec|sev=1 devTime=2023-04-15 01:32:23.716942 devTimeFormat=yyyy-MM-dd HH:mm:ss.SSS usrName=SYSTEMdomain=NT AUTHORITY src=10.0.1.28 identSrc=10.0.1.28 identHostName=WIN11VRT HostName=WIN11VRT MUID=20EAB5EE140A4F51B17A22A8515952F2 LocalDateTime=2023-04-15T01:32:24.716-04:00 PandaTimeStatus=2 Op=Exec ParentHash=8EC922C7A58A8701AB481B7BE9644536 ParentDriveType=Fixed ParentPath=SYSTEM|\svchost.exe ParentPid=1171515097 ParentValidSig=true ParentCompany=Microsoft Corporation ParentBroken=true ParentImageType=EXE 64 ParentExeType=Unknown ParentPrevalence=High ParentPrevLastDay=Low ParentCat=Goodware ParentMWName= ChildHash=3D3F1F36A9C73167579F6920483699A3 ChildDriveType=Fixed ChildPath=SYSTEM|\sdbinst.exe ChildPid=1171518867 ChildValidSig= ChildCompany=Microsoft Corporation ChildBroken=true ChildImageType=EXE 64 ChildExeType=Unknown ChildPrevalence=High ChildPrevLastDay=Low ChildCat=Goodware ChildMWName= OCS_Exec=false OCS_Name= OCS_Version= Params=C:\Windows\System32\sdbinst.exe -m -bg ToastResult= Action=Allow ServiceLevel=Hardening WinningTech=CertifUA DetId=0'

**Phase 2: Completed decoding.
name: 'paps'
Action: 'Allow'
Broken: 'true'
Cat: 'Goodware'
ChildBroken: 'true'
ChildCat: 'Goodware'
ChildCompany: 'Microsoft Corporation'
ChildDriveType: 'Fixed'
ChildExeType: 'Unknown'
ChildHash: '3D3F1F36A9C73167579F6920483699A3'
ChildImageType: 'EXE 64'
ChildPath: 'SYSTEM|\sdbinst.exe'
ChildPrevLastDay: 'Low'
ChildPrevalence: 'High'
Company: 'Microsoft Corporation'
DetId: '0'
DriveType: 'Fixed'
EventID: 'exec'
ExeType: 'Unknown'
Hash: '8EC922C7A58A8701AB481B7BE9644536'
HostName: 'WIN11VRT'
ImageType: 'EXE 64'
LEEFversion: '1.0'
MUID: '20EAB5EE140A4F51B17A22A8515952F2'
OCS_Exec: 'false'
Op: 'Exec'
PID: '1171515097'
Params: 'C:\Windows\System32\sdbinst.exe -m -bg'
ParentBroken: 'true'
ParentCat: 'Goodware'
ParentCompany: 'Microsoft Corporation'
ParentDriveType: 'Fixed'
ParentExeType: 'Unknown'
ParentHash: '8EC922C7A58A8701AB481B7BE9644536'
ParentImageType: 'EXE 64'
ParentPID: '1171515097'
ParentPath: 'SYSTEM|\svchost.exe'
ParentPrevLastDay: 'Low'
ParentPrevalence: 'High'
ParentValidSig: 'true'
Path: 'SYSTEM|\svchost.exe'
PrevLastDay: 'Low'
Prevalence: 'High'
Product: 'paps'
ProductVersion: '02.57.00.0000'
ServiceLevel: 'Hardening'
Severity: '1'
ValidSig: 'true'
Vendor: 'Panda Security'
WinningTech: 'CertifUA'
devTime: '2023-04-15 01:32:23.716942'
devTimeFormat: 'yyyy-MM-dd HH:mm:ss.SSS'
domain: 'NT AUTHORITY'
identHostName: 'WIN11VRT'
identSrc: '10.0.1.28'
src: '10.0.1.28'
usrName: 'SYSTEM'

**Phase 3: Completed filtering (rules).
id: '64200'
level: '0'
description: 'PANDA Antivirus event.'
groups: '['paps']'
firedtimes: '1'
mail: 'False'

It doesn't seem to be parsing the correct rule, does it?

Thanks
G

Abdullah Al Rafi Fahim

Apr 16, 2023, 6:37:38 AM
to Wazuh mailing list
Hello Gianluca,

I have replicated your situation in my local lab and am investigating the issue with the <action> field in this case. I will get back to you with the root cause of this issue and a better solution as soon as possible. However, for now, you can modify the overwritten rule with a <match> condition rather than a field specification, as below:

<group name="paps,">
  <rule id="64207" level="7" overwrite="yes">
    <if_sid>64200</if_sid>
    <match>Action=Allow</match>
    <description>The child process is corrupted or defective.</description>
  </rule>
</group>

It will trigger this alert for the same situation, since logtest can match the phrase Action=Allow inside the log.

In that case, logtest matches the rule as you expected.
I hope it helps. Regards.

Gianluca Busco Arrè

Apr 16, 2023, 10:30:38 AM
to Wazuh mailing list
Thank you very much! It worked!

Gianluca
