Detect Bluetooth
119 views
Skip to first unread message
Dai Nguyen
Feb 7, 2023, 2:20:41 AM2/7/23
to Wazuh mailing list
Hi,
I want to detect when my laptop connect or disconnect to Bluetooth. Can someone help me!Thank youu!
David Correa Rodriguez
Feb 7, 2023, 5:10:38 AM2/7/23
to Wazuh mailing list
Hello.
Currently, Wazuh does not have a rule that matches that information. We are working on this adding new rules, so I would invite you to create a new issue in our GitHub repository with your request: https://github.com/wazuh/wazuh/issues/new?assignees=&labels=threatintel&template=rules-decoders_request.md&title=
Meanwhile, we can achieve this by following the steps below:
Currently, Wazuh does not have a rule that matches that information. We are working on this adding new rules, so I would invite you to create a new issue in our GitHub repository with your request: https://github.com/wazuh/wazuh/issues/new?assignees=&labels=threatintel&template=rules-decoders_request.md&title=
Meanwhile, we can achieve this by following the steps below:
- You can use the bluetoothctl command. This command belongs to the bluez-utils package, so you will need to install it (apt-get install bluez on Debian-based systems, yum install bluez on RPM systems). The bluetoothctl paired-devices command displays the paired devices.
- Add a new configuration if the agent.conf (in the manager) file or the ossec.conf file (individual agents) to monitor the command.
<log_format>full_command</log_format>
<command>bluetoothctl paired-devices</command>
<alias>check paired bluetooth devices</alias>
<frequency>360</frequency>
</localfile>
- After adding the new configuration, you can add the following rule to /var/ossec/etc/rules/local_rules.xml. Notice that the check_diff tag is added, which monitors when the output of the command changes. This allows to generate an alert when a Bluetooth device is added or removed.
<match>check paired bluetooth devices</match>
<check_diff />
<description>Bluetooth devices changed</description>
</rule>
Message has been deleted
Dai Nguyen
Feb 7, 2023, 6:18:46 AM2/7/23
to Wazuh mailing list
Hi,
I added this configuration and added new rule to local_rules.xml and then restart wazuh-agent but I don't see the alert when a Bluetooth device is added or removed
Vào lúc 17:10:38 UTC+7 ngày Thứ Ba, 7 tháng 2, 2023, david....@wazuh.com đã viết:
David Correa Rodriguez
Feb 7, 2023, 7:28:14 AM2/7/23
to Wazuh mailing list
Hello again.
I noticed that in the latest releases of this tool, the right command is "bluetoothctl devices" instead of "bluetoothctl paired-devices".
Please could you share the content of the command: bluetoothctl paired-devices, and the command: bluetoothctl devices Connected?
Also I noticed that the command has to be sorted. The complete command would be: bluetoothctl devices Connected | sort
If the paired-devices option doesn't work, please change the indicated configuration and replace the paired-devices option with the devices Connected | sort option, and restart the Wazuh agent and Wazuh manager.
Sorry for the inconvenience.
Regards.
I noticed that in the latest releases of this tool, the right command is "bluetoothctl devices" instead of "bluetoothctl paired-devices".
Please could you share the content of the command: bluetoothctl paired-devices, and the command: bluetoothctl devices Connected?
Also I noticed that the command has to be sorted. The complete command would be: bluetoothctl devices Connected | sort
If the paired-devices option doesn't work, please change the indicated configuration and replace the paired-devices option with the devices Connected | sort option, and restart the Wazuh agent and Wazuh manager.
Sorry for the inconvenience.
Regards.
Message has been deleted
Dai Nguyen
Feb 8, 2023, 2:00:08 AM2/8/23
to Wazuh mailing list
Hi,
Here are my outputs of the command: bluetoothctl paired-devices and bluetoothctl devices Connected
Vào lúc 19:28:14 UTC+7 ngày Thứ Ba, 7 tháng 2, 2023, david....@wazuh.com đã viết:
David Correa Rodriguez
Feb 8, 2023, 6:33:19 AM2/8/23
to Wazuh mailing list
Hi again.
Thanks for the output of the commands. In your case, you should use the bluetoothctl paired-devices.
With this information, and after testing it in my system, you should have the following configurations to solve this issue.
In the /var/ossec/etc/rules/local_rules.xml file of the manager:
<rule id="100002" level="10">
<if_sid>530</if_sid>
<match>ossec: output: 'bluetooth'</match>
<description>Bluetooth devices changed</description>
<check_diff />
</rule>
Thanks for the output of the commands. In your case, you should use the bluetoothctl paired-devices.
With this information, and after testing it in my system, you should have the following configurations to solve this issue.
In the /var/ossec/etc/rules/local_rules.xml file of the manager:
<rule id="100002" level="10">
<if_sid>530</if_sid>
<match>ossec: output: 'bluetooth'</match>
<description>Bluetooth devices changed</description>
</rule>
Please notice that the if_sid tag has been added. This makes the new rule a child rule of the process monitoring rules. Besides, change the ID of the rule if you have an existing rule with that ID.
In the ossec.conf file of the Wazuh agent:
In the ossec.conf file of the Wazuh agent:
<localfile>
<log_format>full_command</log_format>
<command>echo "Bluetooth: " && bluetoothctl paired-devices | sort</command>
<alias>bluetooth</alias>
<frequency>60</frequency>
</localfile>
<log_format>full_command</log_format>
<command>echo "Bluetooth: " && bluetoothctl paired-devices | sort</command>
<alias>bluetooth</alias>
<frequency>60</frequency>
</localfile>
Notice that the value of the frequency tag is an example, it indicates the frequency (in seconds) of the execution of that command. Please, modify it to your preferences.
After these modifications, restart the Wazuh agent and the Wazuh manager, and you should see an alert in your Wazuh dashboard if you modify the connected Bluetooth devices. I have attached an alert generated in my system.
If you need more information about this, please take a look at this documentation: https://documentation.wazuh.com/current/user-manual/ruleset/custom.html.
Regards, David.
Regards, David.
Message has been deleted
Dai Nguyen
Feb 8, 2023, 9:21:53 AM2/8/23
to Wazuh mailing list
Hi David,
Thank you so much!!
Vào lúc 18:33:19 UTC+7 ngày Thứ Tư, 8 tháng 2, 2023, david....@wazuh.com đã viết:
Reply all
Reply to author
Forward
0 new messages