wazuh rule not filtering


Bert Hubbs

Oct 29, 2019, 10:34:25 PM
to Wazuh mailing list
I set up a rule to filter, yet I'm still getting these ossec events, these and other attempts.
Side note: where is the best place to find info on ossec rules? It seems like all I can find is bits and pieces of this puzzle. It seems like every time I try my hand at this it's an exercise in frustration.

I have setup a filter:

    <!-- STARTTLS Certificate warning -->
    <rule id="119006" level="0">
      <match>The STARTTLS certificate will expire soon:</match>
      <description>STARTTLS Certificate warning</description>
    </rule>

for this event:

{"win":{"system":{"providerName":"MSExchangeTransport","eventID":"12018","level":"2","task":"12","keywords":"0x80000000000000","systemTime":"2019-10-29T15:47:20.615892000Z","eventRecordID":"155059","channel":"Application","computer":"example.example.org","severityValue":"ERROR","message":"The STARTTLS certificate will expire soon: subject: example.example.org, thumbprint: 75F06AD9AEC6CD60EDE9713AE297C5C127E11658, expires: 1/13/2020 3:57:27 PM. Run the New-ExchangeCertificate cmdlet to create a new certificate."},"eventdata":{"data":"example.example.org, 75F06AD9AEC6CD60EDE9713AE297C5C127E11658, 1/13/2020 3:57:27 PM"}}}

and ossec-logtest returns:

**Phase 1: Completed pre-decoding.
       full event: '{"win":{"system":{"providerName":"MSExchangeTransport","eventID":"12018","level":"2","task":"12","keywords":"0x80000000000000","systemTime":"2019-10-29T15:47:20.615892000Z","eventRecordID":"155059","channel":"Application","computer":"example.example.org","severityValue":"ERROR","message":"The STARTTLS certificate will expire soon: subject: example.example.org, thumbprint: 75F06AD9AEC6CD60EDE9713AE297C5C127E11658, expires: 1/13/2020 3:57:27 PM. Run the New-ExchangeCertificate cmdlet to create a new certificate."},"eventdata":{"data":"example.example.org, 75F06AD9AEC6CD60EDE9713AE297C5C127E11658, 1/13/2020 3:57:27 PM"}}}'
       timestamp: '(null)'
       hostname: 'sonion'
       program_name: '(null)'
       log: '{"win":{"system":{"providerName":"MSExchangeTransport","eventID":"12018","level":"2","task":"12","keywords":"0x80000000000000","systemTime":"2019-10-29T15:47:20.615892000Z","eventRecordID":"155059","channel":"Application","computer":"example.example.org","severityValue":"ERROR","message":"The STARTTLS certificate will expire soon: subject: example.example.org, thumbprint: 75F06AD9AEC6CD60EDE9713AE297C5C127E11658, expires: 1/13/2020 3:57:27 PM. Run the New-ExchangeCertificate cmdlet to create a new certificate."},"eventdata":{"data":"example.example.org, 75F06AD9AEC6CD60EDE9713AE297C5C127E11658, 1/13/2020 3:57:27 PM"}}}'

**Phase 2: Completed decoding.
       decoder: 'json'
       win.system.providerName: 'MSExchangeTransport'
       win.system.eventID: '12018'
       win.system.level: '2'
       win.system.task: '12'
       win.system.keywords: '0x80000000000000'
       win.system.systemTime: '2019-10-29T15:47:20.615892000Z'
       win.system.eventRecordID: '155059'
       win.system.channel: 'Application'
       win.system.computer: 'example.example.org'
       win.system.severityValue: 'ERROR'
       win.system.message: 'The STARTTLS certificate will expire soon: subject: example.example.org, thumbprint: 75F06AD9AEC6CD60EDE9713AE297C5C127E11658, expires: 1/13/2020 3:57:27 PM. Run the New-ExchangeCertificate cmdlet to create a new certificate.'
       win.eventdata.data: 'example.example.org, 75F06AD9AEC6CD60EDE9713AE297C5C127E11658, 1/13/2020 3:57:27 PM'

**Phase 3: Completed filtering (rules).
       Rule id: '119006'
       Level: '0'
       Description: 'STARTTLS Certificate warning'


Juan Pablo Saez

Oct 30, 2019, 4:51:46 AM
to Wazuh mailing list
Hello Bert,

Side note: where is the best place to find info on ossec rules?

You would find useful information in our Rules syntax document and you can also ask us anytime you need guidance.

I set up a rule to filter, yet I'm still getting these ossec events, these and other attempts.
  • What kind of filtering are you interested in?
  • If you just need to silence "The STARTTLS certificate will expire soon:" events, your rule is right: even if ossec-logtest outputs an alert, level 0 rule alerts aren't written into alerts.log/alerts.json.
With more information about your use case, I could help you better.

Greetings,

JP Sáez

Bert Hubbs

Oct 30, 2019, 2:46:33 PM
to Wazuh mailing list
Yes, I'm just trying to silence the alarms, but even though the custom rule is catching it, I'm still getting the alarms.

Juan Pablo Saez

Oct 31, 2019, 4:36:24 AM
to Wazuh mailing list
Hello again Bert,

Yes, I'm just trying to silence the alarms, but even though the custom rule is catching it, I'm still getting the alarms.
  • Where are you placing the custom rule? It should be located on the manager side, in /var/ossec/etc/rules/local_rules.xml.
  • Did you modify the <log_alert_level>3</log_alert_level> option in the Wazuh manager ossec.conf file? This option sets the lower limit for alerts to be logged and displayed.
  • Could I see some examples of these alarms you are still getting?

Greetings, JP Sáez
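The two points JP makes in this thread (a matching level-0 rule silences the event, and `<log_alert_level>` sets the lowest level that reaches alerts.log) can be checked offline with a small simulation. The script below is an added example and is not Wazuh's own code: it parses a constructed local_rules.xml (custom rules have to sit inside a `<group>`; the group name "local," and the second rule 119007 are assumptions made for this example), matches the thread's event plus a constructed second event with simplified substring matching (first matching rule wins), and reports whether each event would be written to alerts.log for a given log_alert_level.

```python
"""Simulate how a level-0 Wazuh rule silences an event (added example).

This is NOT Wazuh's matching engine.  It is a simplified model: <match> is
tested as a plain substring of the full raw log, rules are tried in file
order and the first hit wins.  It only illustrates the two points from the
thread: a level-0 rule suppresses the event, and <log_alert_level> is the
minimum level that reaches alerts.log.
"""
import json
import xml.etree.ElementTree as ET

# Constructed local_rules.xml.  Custom rules must live inside a <group>;
# the group name "local," is an assumption.  Rule 119006 is the one from
# the thread; rule 119007 is a constructed catch-all for the same provider,
# placed AFTER the specific rule so the specific one is tried first.
LOCAL_RULES_XML = """
<group name="local,">
  <!-- STARTTLS Certificate warning -->
  <rule id="119006" level="0">
    <match>The STARTTLS certificate will expire soon:</match>
    <description>STARTTLS Certificate warning</description>
  </rule>
  <rule id="119007" level="5">
    <match>"providerName":"MSExchangeTransport"</match>
    <description>Exchange transport error (constructed for this example)</description>
  </rule>
</group>
"""

# Event 1 is the thread's event, shortened; event 2 is constructed and must
# NOT be swallowed by the silencing rule.
SAMPLE_EVENTS = [
    '{"win":{"system":{"providerName":"MSExchangeTransport","eventID":"12018",'
    '"severityValue":"ERROR","message":"The STARTTLS certificate will expire '
    'soon: subject: example.example.org"}}}',
    '{"win":{"system":{"providerName":"MSExchangeTransport","eventID":"12019",'
    '"severityValue":"ERROR","message":"Constructed: some other transport error"}}}',
]


def parse_rules(xml_text):
    """Return the <rule> elements of a rules file as a list of dicts."""
    root = ET.fromstring(xml_text.strip())
    rules = []
    for rule in root.iter("rule"):
        match = rule.find("match")
        rules.append({
            "id": int(rule.get("id")),
            "level": int(rule.get("level")),
            "match": match.text if match is not None else None,
            "description": rule.findtext("description", ""),
        })
    return rules


def first_matching_rule(rules, raw_event):
    """Simplified matcher: <match> as a substring of the full raw log line."""
    json.loads(raw_event)  # the JSON decoder would reject malformed input first
    for rule in rules:
        if rule["match"] is None or rule["match"] in raw_event:
            return rule
    return None


def would_be_logged(rules, raw_event, log_alert_level=3):
    """Return (rule_id, level, logged).

    An event reaches alerts.log only when the matched rule's level is at
    least log_alert_level; a level-0 rule never produces an alert at all.
    """
    rule = first_matching_rule(rules, raw_event)
    if rule is None:
        return (None, None, False)
    logged = rule["level"] > 0 and rule["level"] >= log_alert_level
    return (rule["id"], rule["level"], logged)


if __name__ == "__main__":
    rules = parse_rules(LOCAL_RULES_XML)
    for event in SAMPLE_EVENTS:
        print(would_be_logged(rules, event))
    # What happens if the silencing rule is missing from the manager's rules:
    without = [r for r in rules if r["id"] != 119006]
    print("without 119006:", would_be_logged(without, SAMPLE_EVENTS[0]))
```

Running it shows the thread's event hitting 119006 at level 0 and not being logged, the constructed event hitting 119007 at level 5 and being logged at the default log_alert_level of 3 but not at 6, and the thread's event being logged by 119007 once the silencing rule is removed. That last case is why JP asks where the rule file lives: a rule that only exists on a copy used with ossec-logtest, and not in the manager's /var/ossec/etc/rules/local_rules.xml, silences nothing in production.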