IDS logs triggering in wazuh dashboard

[Chetan Hiremath]

Hello Team,
I have issue with ids logs triggering in wazuh dashboard

sample logs

Feb 10 00:30:37 mlhofw01.medreichin.com 1675989039.047717602 Medreich_HO_Secondary_ security_event ids_alerted signature=1:58125:1 priority=1 timestamp=1675989038.886099 direction=ingress protocol=tcp/ip src=3.24.133.185:34254 dst=192.168.1.65:25 decision=blocked action=allow message: FILE-OFFICE Microsoft MSHTML ActiveX control bypass attempt 

Feb 11 04:57:30 mlhofw01.medreichin.com 1676091452.006310476 Medreich_HO_Secondary_ security_event ids_alerted signature=1:58125:1 priority=1 timestamp=1676091451.828864 direction=ingress protocol=tcp/ip src=3.24.133.241:43778 dst=192.168.1.65:25 decision=blocked action=allow message: FILE-OFFICE Microsoft MSHTML ActiveX control bypass attempt

Feb 8 00:17:38 mlhofw01.medreichin.com 1675815459.165118705 Medreich_HO_Secondary_ security_event ids_alerted signature=1:58125:1 priority=1 timestamp=1675815459.008780 direction=ingress protocol=tcp/ip src=3.24.133.171:55928 dst=192.168.1.65:25 decision=blocked action=allow message: FILE-OFFICE Microsoft MSHTML ActiveX control bypass attempt

Feb 6 18:12:08 mlhofw01.medreichin.com 1675707129.446756304 Medreich_HO_Secondary_ security_event ids_alerted signature=1:58125:1 priority=1 timestamp=1675707129.287176 direction=ingress protocol=tcp/ip src=3.24.133.213:55554 dst=192.168.1.65:25 decision=blocked action=allow message: FILE-OFFICE Microsoft MSHTML ActiveX control bypass attempt

Decoder

<decoder name="ids_alerted">

 <type>ids</type>

 <prematch>\d+\.\d+ \S+ \S+ ids_alerted signature</prematch>

 </decoder>

 <decoder name="ids1">

 <parent>ids_alerted</parent>

 <type>ids</type> 

 <regex type="pcre2">signature=(\S+) priority=(\d+) timestamp=(\S+) direction=(\S+) protocol=(\S+) src=(\S+) dst=(\S+) decision=(\S+) action=(\S+) message: (.+)</regex> <order>signature,priority,timestamp,direction,protocol,src,dst,decision,action,message</order> </decoder>

rule

<rule id="20101" level="6"> 

 <category>ids</category> 

 <check_if_ignored>srcip, id</check_if_ignored>

 <description>IDS event.</description> 

 </rule>

this rule is triggering in log test but their are no events generating

**Messages:    WARNING: (7606): Signature ID '23507' was not found. Invalid 'if_sid'. Rule '100052' will be ignored.    WARNING: (7606): Signature ID '23508' was not found. Invalid 'if_sid'. Rule '100051' will be ignored.    WARNING: (7606): Signature ID '23509' was not found. Invalid 'if_sid'. Rule '100050' will be ignored.    WARNING: (7606): Signature ID '23510' was not found. Invalid 'if_sid'. Rule '100049' will be ignored.    WARNING: (7606): Signature ID '60198' was not found. Invalid 'if_sid'. Rule '101478' will be ignored.    WARNING: (7606): Signature ID '60199' was not found. Invalid 'if_sid'. Rule '101477' will be ignored.    WARNING: (7606): Signature ID '64251' was not found. Invalid 'if_sid'. Rule '102661' will be ignored.    WARNING: (7606): Signature ID '64251' was not found. Invalid 'if_matched_sid'. Rule '102660' will be ignored.    WARNING: (7606): Signature ID '64253' was not found. Invalid 'if_sid'. Rule '102659' will be ignored.    WARNING: (7606): Signature ID '64254' was not found. Invalid 'if_sid'. Rule '102658' will be ignored.    WARNING: (7606): Signature ID '64255' was not found. Invalid 'if_sid'. Rule '102657' will be ignored.    WARNING: (7606): Signature ID '64256' was not found. Invalid 'if_sid'. Rule '102656' will be ignored.    WARNING: (7606): Signature ID '64257' was not found. Invalid 'if_sid'. Rule '102655' will be ignored.    WARNING: (7606): Signature ID '64258' was not found. Invalid 'if_sid'. Rule '102654' will be ignored.    WARNING: (7606): Signature ID '64259' was not found. Invalid 'if_sid'. Rule '102653' will be ignored.    WARNING: (7606): Signature ID '64260' was not found. Invalid 'if_sid'. Rule '102652' will be ignored.    WARNING: (7606): Signature ID '64260' was not found. Invalid 'if_matched_sid'. Rule '102651' will be ignored.    WARNING: (7606): Signature ID '64262' was not found. Invalid 'if_sid'. Rule '102650' will be ignored.    WARNING: (7606): Signature ID '64262' was not found. Invalid 'if_matched_sid'. Rule '102649' will be ignored.    WARNING: (7606): Signature ID '64264' was not found. Invalid 'if_sid'. Rule '102648' will be ignored.    WARNING: (7606): Signature ID '64509' was not found. Invalid 'if_sid'. Rule '102639' will be ignored.    WARNING: (7606): Signature ID '64510' was not found. Invalid 'if_sid'. Rule '102638' will be ignored.    WARNING: (7606): Signature ID '64511' was not found. Invalid 'if_sid'. Rule '102637' will be ignored.    WARNING: (7606): Signature ID '80330' was not found. Invalid 'if_sid'. Rule '102483' will be ignored.    WARNING: (7606): Signature ID '80335' was not found. Invalid 'if_sid'. Rule '102482' will be ignored.    WARNING: (7606): Signature ID '87509' was not found. Invalid 'if_sid'. Rule '102132' will be ignored.    WARNING: (7606): Signature ID '87510' was not found. Invalid 'if_sid'. Rule '102131' will be ignored.    WARNING: (7613): Rule ID '17101' does not exist but 'overwrite' is set to 'yes'. Still, the rule will be loaded.    WARNING: (7613): Rule ID '17102' does not exist but 'overwrite' is set to 'yes'. Still, the rule will be loaded.    WARNING: (7613): Rule ID '110005' does not exist but 'overwrite' is set to 'yes'. Still, the rule will be loaded.    WARNING: (7613): Rule ID '110006' does not exist but 'overwrite' is set to 'yes'. Still, the rule will be loaded.    WARNING: (7612): Rule ID '100001' is duplicated. Only the first occurrence will be considered.    INFO: (7202): Session initialized with token 'de0077ef' **Phase 1: Completed pre-decoding.    full event: 'Feb 6 17:37:26 mlhofw01.medreichin.com 1675705047.440102845 Medreich_HO_Secondary_ security_event ids_alerted signature=1:58125:1 priority=1 timestamp=1675705047.281494 direction=ingress protocol=tcp/ip src=3.24.133.171:43352 dst=192.168.1.65:25 decision=blocked action=allow message: FILE-OFFICE Microsoft MSHTML ActiveX control bypass attempt'    timestamp: 'Feb 6 17:37:26'    hostname: 'mlhofw01.medreichin.com' **Phase 2: Completed decoding.    name: 'ids_alerted'    action: 'allow'    decision: 'blocked'    direction: 'ingress'    dst: '192.168.1.65:25'    message: 'FILE-OFFICE Microsoft MSHTML ActiveX control bypass attempt'    priority: '1'    protocol: 'tcp/ip'    signature: '1:58125:1'    src: '3.24.133.171:43352'    timestamp: '1675705047.281494' **Phase 3: Completed filtering (rules).    id: '20101'    level: '6'    description: 'IDS event.'    groups: '["ids"]'    firedtimes: '1'    mail: 'false' **Alert to be generated. **Phase 1: Completed pre-decoding.    full event: 'Feb 6 17:37:26 mlhofw01.medreichin.com 1675705047.440102845 Medreich_HO_Secondary_ security_event ids_alerted signature=1:58125:1 priority=1 timestamp=1675705047.281494 direction=ingress protocol=tcp/ip src=3.24.133.171:43352 dst=192.168.1.65:25 decision=blocked action=allow message: FILE-OFFICE Microsoft MSHTML ActiveX control bypass attempt'    timestamp: 'Feb 6 17:37:26'    hostname: 'mlhofw01.medreichin.com' **Phase 2: Completed decoding.    name: 'ids_alerted'    action: 'allow'    decision: 'blocked'    direction: 'ingress'    dst: '192.168.1.65:25'    message: 'FILE-OFFICE Microsoft MSHTML ActiveX control bypass attempt'    priority: '1'    protocol: 'tcp/ip'    signature: '1:58125:1'    src: '3.24.133.171:43352'    timestamp: '1675705047.281494' **Phase 3: Completed filtering (rules).    id: '20101'    level: '6'    description: 'IDS event.'    groups: '["ids"]'    firedtimes: '2'    mail: 'false' **Alert to be generated.

Kindly help me to understand and solve this issue

[Chema Martinez]

Hi Chetan,

I think I reproduced your issue. When using wazuh-logtest to test the Wazuh ruleset, the generated alerts are not written to the alert files. However, I have performed the same test by monitoring a log file and writing the event in there.

1. Configure Logcollector to monitor test.log as follows:

  <localfile>
    <log_format>syslog</log_format>
    <location>/root/test.log</location>
  </localfile>

2. Restart your manager and wait until the file is monitored:

2023/02/14 10:29:42 wazuh-logcollector: INFO: (1950): Analyzing file: '/root/test.log'.

3. Write the event into test.log:

# echo "Feb  6 17:37:26 mlhofw01.medreichin.com  1675705047.440102845 Medreich_HO_Secondary_ security_event ids_alerted signature=1:58125:1 priority=1 timestamp=1675705047.281494 direction=ingress protocol=tcp/ip src=3.24.133.171:43352 dst=192.168.1.65:25 decision=blocked action=allow message: FILE-OFFICE Microsoft MSHTML ActiveX control bypass attempt" >> /root/test.log

3. The alert appears in both alert files (/var/ossec/logs/alerts.log and /var/ossec/logs/alerts.json):

** Alert 1676367032.866806: - ids,
2023 Feb 14 10:30:32 mlhofw01.medreichin.com->/root/test.log
Rule: 20101 (level 6) -> 'IDS event.'

Feb  6 17:37:26 mlhofw01.medreichin.com  1675705047.440102845 Medreich_HO_Secondary_ security_event ids_alerted signature=1:58125:1 priority=1 timestamp=1675705047.281494 direction=ingress protocol=tcp/ip src=3.24.133.171:43352 dst=192.168.1.65:25 decision=blocked action=allow message: FILE-OFFICE Microsoft MSHTML ActiveX control bypass attempt

signature: 1:58125:1
priority: 1
timestamp: 1675705047.281494
direction: ingress
src: 3.24.133.171:43352
dst: 192.168.1.65:25
decision: blocked

message: FILE-OFFICE Microsoft MSHTML ActiveX control bypass attempt

Please do the same test so we can confirm it works as expected.

In addition, I see several warnings when the analysis engine loads the ruleset. Please, fix them so that the module works as it should in all cases. Here you can see the ruleset documentation so you can know how it works.

I hope it helps! Don't hesitate to ask for further needs.

[Chetan Hiremath]

Hello Chema,
Thank you, for the reply
my doubt was the ids alert we are getting on manger, but not on the wazuh dashboard  

[Chetan Hiremath]

Hello Chema,
Maybe I should create a new rule for the event to display on wazuh

[Chema Martinez]

Hello Chetan,

Thank you for the clarification! Every alert that Wazuh fires should appear in the Discover tab in the Wazuh dashboard with no extra rules or configuration.

Are you missing any other events in the dashboard or just this one? In that case, please check that the other alerts generated in the same manager appear in the dashboard. Could you also tell me in which tab from the dashboard are you looking for the alert?

Thanks!