Creating a custom rule for vulnerable agents


wazuh

May 28, 2024, 7:23:06 AM5/28/24
to Wazuh | Mailing List
Wazuh has rule id 31168, which is for "Shellshock attack detected". Would it be possible to make a rule that would trigger if this rule triggers and the agent vulnerability scanner has detected CVE-2014-6271 (the Shellshock vulnerability)?

For example, at the moment the Shellshock rule triggered on this full log: 111.111.111.111 - - [21/May/2024:18:36:35 +0000] "GET /cgi-bin/jarrewrite.sh HTTP/1.1" 302 3319 "-" "\"() { :; }; echo ; /bin/bash -c 'cat /etc/passwd'\""

If the server does not have the vulnerability I would like to lower the level of the rule; however, if the server has the vulnerability I would like the alert to be level 15.

Juan Nicolás Asselle (Nico Asselle)

May 28, 2024, 8:19:14 AM5/28/24
to Wazuh | Mailing List

Hi!

Currently, Wazuh rules do not allow (as is) the correlation of an event with the agent's vulnerability information.

But there's still a way to achieve this! Here's the idea:

Basically, it is a loop in the Wazuh Manager that checks for rule 31168, validates it against the CVE database, and in case it meets the criteria creates a new event that triggers a custom rule with a higher level.
This kind of mechanism is already used in OOTB scripts like the VirusTotal integration.

Hope this helps!
Nico
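The loop Nico describes, as an added example that is not part of the thread and not a Wazuh project script: a custom integration invoked for rule 31168 that re-injects the alert into analysisd tagged with whether the agent's CVE inventory contains CVE-2014-6271, so a pair of custom rules can assign level 15 or a lower level. The rule ids 100100/100101 and the location name `shellshock_correlation` are assumptions; how the agent's CVE list is fetched is left as a placeholder because it depends on the Wazuh version (API or indexer).

```python
#!/usr/bin/env python3
# Added example: Wazuh custom integration correlating rule 31168 with CVE-2014-6271.
import json
import socket
import sys

SHELLSHOCK_RULE = "31168"
SHELLSHOCK_CVE = "CVE-2014-6271"
QUEUE_SOCKET = "/var/ossec/queue/sockets/queue"  # analysisd input queue on the manager
LOCATION = "shellshock_correlation"                # assumed name; custom rules key on it

def correlate(alert, agent_cves):
    """Return the event to re-inject for a rule 31168 alert, or None for other alerts.
    agent_cves: CVE ids the vulnerability scanner reported for this agent."""
    if alert.get("rule", {}).get("id") != SHELLSHOCK_RULE:
        return None
    return {
        "integration": LOCATION,
        "agent_id": alert["agent"]["id"],
        "srcip": alert.get("data", {}).get("srcip", ""),
        "cve": SHELLSHOCK_CVE,
        # strings rather than booleans so <field name="vulnerable"> matches reliably
        "vulnerable": "yes" if SHELLSHOCK_CVE in set(agent_cves) else "no",
        "original_rule": SHELLSHOCK_RULE,
    }

def queue_message(event):
    """Format as analysisd expects: '<queue>:<location>:<payload>' (1 = syslog queue)."""
    return "1:%s:%s" % (LOCATION, json.dumps(event))

def send_event(event, sock_path=QUEUE_SOCKET):
    """Deliver the message over the manager's Unix datagram socket."""
    with socket.socket(socket.AF_UNIX, socket.SOCK_DGRAM) as s:
        s.connect(sock_path)
        s.send(queue_message(event).encode())

# Matching custom rules for local_rules.xml (assumed ids), decoded as JSON:
#   <rule id="100100" level="15"><decoded_as>json</decoded_as>
#     <field name="integration">shellshock_correlation</field>
#     <field name="vulnerable">yes</field>
#     <description>Shellshock attempt against agent vulnerable to CVE-2014-6271</description>
#   </rule>
#   <rule id="100101" level="5"> same fields, but <field name="vulnerable">no</field> </rule>

if __name__ == "__main__":
    # Wazuh runs integrations as: script <alert_file> <api_key> <hook_url>
    with open(sys.argv[1]) as fh:
        alert = json.load(fh)
    cves = []  # placeholder: fill from the Wazuh API or indexer for alert["agent"]["id"]
    event = correlate(alert, cves)
    if event:
        send_event(event)
```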
