Wazuh Rule is not creating alerts


Mark Rafa

Oct 19, 2020, 7:45:48 AM
to Wazuh mailing list
Hi, 

In order to catch a user accessing objects, a user deleting an object, etc., I have created rules. However, even though I see all Windows eventchannel logs (access an object etc.) in my archive.log (the <logall> feature is enabled), I can't see any alerts in the Kibana app. Also, my alerts.log file is only showing logon/logoff alerts.

Environment: wazuh manager and filebeat on one server
             elasticsearch and kibana on another server

Rule, I have created inside 0575-win-base_rules.xml:

<var name="File_servers">^hostname$</var>

<rule id="60060" level="5">
<if_sid>60001</if_sid>
<field name="win.system.computer">$File_servers</field>
<field name="win.system.eventID">4658</field>
<description>The handle to an object was closed</description>
<group>windows-fileservers</group> 
</rule>

Tips:
I have made up the windows-fileservers group name in the last part of the rule. It is not defined anywhere in my configuration.

Thanks in advance, 


Jonathan Martín Valera

Oct 19, 2020, 11:35:21 AM
to Wazuh mailing list
Hi, Mark Rafa

Starting from the fact that you have checked that the manager receives those events and you can see them in the archives.log file, I would first try to see if your rule matches the event you are receiving.

To do this, we can use the /var/ossec/bin/ossec-logtest tool and check if the generated log activates the new rule. We can see the trace that this log event follows by using the -v parameter.

# /var/ossec/bin/ossec-logtest -v
ossec-testrule: Type one log per line.

...

In order to help you better with this, can you share with us the related logs of event 4658 (registered in archives.log) to test your rule?

Best regards.

Mark Rafa

Oct 20, 2020, 3:28:21 AM
to Wazuh mailing list
Hi Jonathan,

Thanks for your response.
I have tested with event 4663, which is all the same as 4658.

**Phase 1: Completed pre-decoding.
       full event: 2020 Oct 20 10:00:26 (hostname) any->EventChannel xxxxxxx
       timestamp: '2020 Oct 20 10:00:26'
       hostname: '(hostname)'
       program_name: '(null)'
       log: 'any->EventChannel xxxxxxx

**Phase 2: Completed decoding.
       No decoder matched.

 **Rule debugging:
    Trying rule: 1 - Generic template for all syslog rules.
       *Rule 1 matched.
       *Trying child rules.
    Trying rule: 600 - Active Response Messages Grouped
    Trying rule: 200 - Grouping of wazuh rules.
    Trying rule: 2100 - NFS rules grouped.
    Trying rule: 2507 - OpenLDAP group.
    Trying rule: 2550 - rshd messages grouped.
    Trying rule: 2800 - Pre-match rule for smartd.
    Trying rule: 5100 - Pre-match rule for kernel messages.
    Trying rule: 5200 - Ignoring hpiod for producing useless logs.
    Trying rule: 2830 - Crontab rule group.
    Trying rule: 5300 - Initial grouping for su messages.
    Trying rule: 5905 - useradd failed.
    Trying rule: 5400 - Initial group for sudo messages.
.
.
.
.
 Trying rule: 1003 - Non standard syslog message (size too large).
       *Rule 1003 matched.
    Trying rule: 40104 - Possible buffer overflow attempt.
    Trying rule: 40105 - "Null" user changed some information.
    Trying rule: 40106 - Buffer overflow attempt (probably on yppasswd).
    Trying rule: 40109 - Stack overflow attempt or program exiting with SEGV (Solaris).
    Trying rule: 2301 - xinetd: Excessive number connections to a service.
    Trying rule: 2502 - syslog: User missed the password more than one time
    Trying rule: 2504 - syslog: Illegal root login.
    Trying rule: 7101 - Problems with the tripwire checking.
    Trying rule: 5901 - New group added to the system.
    .
    .
    .   
   Trying rule: 2960 - User added to group.


In phase 1 the program_name comes back null.
Also, my rule for event 4663 is not even in the list above, where all the rules are being tried.


Hope this helps. I can share more results on demand.
Regards, 
 
On Monday, October 19, 2020 at 18:35:21 UTC+3, Jonathan Martín Valera wrote:

Jonathan Martín Valera

Oct 20, 2020, 7:39:43 AM
to Wazuh mailing list
Hi Mark Rafa,

I think you haven't tested the log correctly.

For example, imagine I have the following log in archives.log:

2020 Oct 20 08:27:51 (windows_agent) any->EventChannel {"win":{"system":{"providerName":"Service Control Manager","providerGuid":"{555908d1-a6d7-4695-8e1e-26931d2012f4}","eventSourceName":"Service Control Manager","eventID":"7036","version":"0","level":"4","task":"0","opcode":"0","keywords":"0x8080000000000000","systemTime":"2020-10-20T08:27:50.600209900Z","eventRecordID":"8878","processID":"604","threadID":"676","channel":"System","computer":"windowsc","severityValue":"INFORMATION","message":"\"The MapsBroker service entered the stopped state.\""},"eventdata":{"param1":"MapsBroker","param2":"stopped","binary":"4D00610070007300420072006F006B00650072002F0031000000"}}}

and I have this custom rule in /var/ossec/etc/rules/local_rules.xml:

  <rule id="100002" level="5">
    <field name="win.system.eventID">7036</field>
    <description>My custom event</description>
  </rule>

To test if the event activates this custom rule, I do the following (note that I only insert the event json string):

[root@manager vagrant]# /var/ossec/bin/ossec-logtest -v
2020/10/20 08:51:03 ossec-testrule: INFO: Started (pid: 5464).

ossec-testrule: Type one log per line.

{"win":{"system":{"providerName":"Service Control Manager","providerGuid":"{555908d1-a6d7-4695-8e1e-26931d2012f4}","eventSourceName":"Service Control Manager","eventID":"7036","version":"0","level":"4","task":"0","opcode":"0","keywords":"0x8080000000000000","systemTime":"2020-10-20T08:27:50.600209900Z","eventRecordID":"8878","processID":"604","threadID":"676","channel":"System","computer":"windowsc","severityValue":"INFORMATION","message":"\"The MapsBroker service entered the stopped state.\""},"eventdata":{"param1":"MapsBroker","param2":"stopped","binary":"4D00610070007300420072006F006B00650072002F0031000000"}}}


**Phase 1: Completed pre-decoding.
       full event: '{"win":{"system":{"providerName":"Service Control Manager","providerGuid":"{555908d1-a6d7-4695-8e1e-26931d2012f4}","eventSourceName":"Service Control Manager","eventID":"7036","version":"0","level":"4","task":"0","opcode":"0","keywords":"0x8080000000000000","systemTime":"2020-10-20T08:27:50.600209900Z","eventRecordID":"8878","processID":"604","threadID":"676","channel":"System","computer":"windowsc","severityValue":"INFORMATION","message":"\"The MapsBroker service entered the stopped state.\""},"eventdata":{"param1":"MapsBroker","param2":"stopped","binary":"4D00610070007300420072006F006B00650072002F0031000000"}}}'
       timestamp: '(null)'
       hostname: 'manager'
       program_name: '(null)'
       log: '{"win":{"system":{"providerName":"Service Control Manager","providerGuid":"{555908d1-a6d7-4695-8e1e-26931d2012f4}","eventSourceName":"Service Control Manager","eventID":"7036","version":"0","level":"4","task":"0","opcode":"0","keywords":"0x8080000000000000","systemTime":"2020-10-20T08:27:50.600209900Z","eventRecordID":"8878","processID":"604","threadID":"676","channel":"System","computer":"windowsc","severityValue":"INFORMATION","message":"\"The MapsBroker service entered the stopped state.\""},"eventdata":{"param1":"MapsBroker","param2":"stopped","binary":"4D00610070007300420072006F006B00650072002F0031000000"}}}'

**Phase 2: Completed decoding.
       decoder: 'json'
       win.system.providerName: 'Service Control Manager'
       win.system.providerGuid: '{555908d1-a6d7-4695-8e1e-26931d2012f4}'
       win.system.eventSourceName: 'Service Control Manager'
       win.system.eventID: '7036'
       win.system.version: '0'
       win.system.level: '4'
       win.system.task: '0'
       win.system.opcode: '0'
       win.system.keywords: '0x8080000000000000'
       win.system.systemTime: '2020-10-20T08:27:50.600209900Z'
       win.system.eventRecordID: '8878'
       win.system.processID: '604'
       win.system.threadID: '676'
       win.system.channel: 'System'
       win.system.computer: 'windowsc'
       win.system.severityValue: 'INFORMATION'
       win.system.message: '"The MapsBroker service entered the stopped state."'
       win.eventdata.param1: 'MapsBroker'
       win.eventdata.param2: 'stopped'
       win.eventdata.binary: '4D00610070007300420072006F006B00650072002F0031000000'

**Rule debugging:
    Trying rule: 1 - Generic template for all syslog rules.
       *Rule 1 matched.
       *Trying child rules.
    Trying rule: 600 - Active Response Messages Grouped
    ................
    Trying rule: 100002 - My custom event
       *Rule 100002 matched.

**Phase 3: Completed filtering (rules).
       Rule id: '100002'
       Level: '5'
       Description: 'My custom event'
**Alert to be generated.

To test the particular cases of eventchannel (child or related rules) you have to do a little trick which is to replace this rule:


  <rule id="60000" level="0">
    <category>ossec</category>
    <decoded_as>windows_eventchannel</decoded_as>
    <field name="win.system.providerName">\.+</field>
    <options>no_full_log</options>
    <description>Group of windows rules</description>
  </rule>

for this:

  <rule id="60000" level="0">
    <decoded_as>json</decoded_as>
    <field name="win.system.providerName">\.+</field>
    <options>no_full_log</options>
    <description>Group of windows rules</description>
  </rule>

and then paste the event JSON string into the /var/ossec/bin/ossec-logtest tool (as I mentioned above).

Note: Remember that when you make a change in the ruleset, you must restart the manager service for changes to take effect.

In the case of doing this, do not forget to undo the rule change after finishing the tests. Sorry for that, in the next versions we will improve this eventchannel testing process.

If you have any related questions, don't hesitate to ask, and I can even test your own rule if you pass me the event that is recorded in the archives.log file.

Best regards.

Mark Rafa

Oct 20, 2020, 11:05:24 AM
to Wazuh mailing list
Hi Jonathan,

I am quite new to Wazuh, so thanks for the information :)
I have done the test. The result is:


**Phase 2: Completed decoding.
       decoder: 'json'
       win.system.providerName: 'Microsoft-Windows-Security-Auditing'
      .
      .

**Rule debugging:
    Trying rule: 1 - Generic template for all syslog rules.
       *Rule 1 matched.
       *Trying child rules.
    Trying rule: 600 - Active Response Messages Grouped
    Trying rule: 200 - Grouping of wazuh rules.
    Trying rule: 2100 - NFS rules grouped.
    Trying rule: 2507 - OpenLDAP group.
    Trying rule: 2550 - rshd messages grouped.
     .
     .
     .
   Trying rule: 60000 - Group of windows rules
       *Rule 60000 matched.
       *Trying child rules.
    Trying rule: 60001 - Group of Windows rules for the Security channel
       *Rule 60001 matched.
       *Trying child rules.
    Trying rule: 60017 - Group of rules for Windows Eventlog from Security channel                                                                                                                                                           
    Trying rule: 60050 - The handle to an object was closed
    Trying rule: 60051 - A handle to an object was requested with intent to delete                                                                                                                                                           
    Trying rule: 60052 - An object was deleted
    Trying rule: 60053 - An attempt was made to access an object                                                                                                                                         
    Trying rule: 60102 - Windows Security error event
    Trying rule: 60104 - Windows audit failure event
    Trying rule: 60103 - Windows audit success event
       *Rule 60103 matched.
       *Trying child rules.
    Trying rule: 60115 - User account locked out (multiple login errors)
    Trying rule: 60109 - User account enabled or created
    Trying rule: 60110 - User account changed
    . 
    . 
    .
    Trying rule: 60137 - Windows User Logoff
    Trying rule: 60199 - MS SQL Server Logon Success

**Phase 3: Completed filtering (rules).
       Rule id: '60103'
       Level: '3'
       Description: 'Windows audit success event'
**Alert to be generated.

I have done the test to trigger rule 60053 - An attempt was made to access an object.
Also, even rule 60103 is not seen in Kibana.

Regards, 

On Tuesday, October 20, 2020 at 14:39:43 UTC+3, Jonathan Martín Valera wrote:

Jonathan Martín Valera

Oct 21, 2020, 2:49:15 AM
to Wazuh mailing list
Hi Mark Rafa,

I don't know exactly what event you are testing, but if you look closely, that event has matched rule 60103, which is a child of 60001, and your rule is also a child of 60001, so you need to check if you can change the parent rule of your custom rule to 60103.

When creating a custom rule, first you have to see the trace of rules that an event follows, and from there create your own rule. For example, given your event, we can follow the following trace:

- Rule 60000 matched
  - Rule 60001 matched.
    - Rule 60103 matched

From here, you have to see if your use case fits those rules, in which case, you would have to create a child rule derived from the last one (in this case 60103). Otherwise, you would have to modify the parent rules to get the trace you want.

A tip when creating and editing decoders and rules is not to do it in the ruleset folder itself (/var/ossec/ruleset/*), because changes to any rule file inside the /var/ossec/ruleset folder will be lost in the update process. For that, you can follow this guide https://documentation.wazuh.com/3.13/user-manual/ruleset/custom.html#changing-an-existing-rule or add it to the /var/ossec/etc/rules/local_rules.xml file.

If you need more help, send me the event from the archives.log from which you want to generate the alert with your rule (you can replace sensitive information with xxx) .

Best regards.

Mark Rafa

Oct 21, 2020, 5:42:37 AM
to Wazuh mailing list
Hi Jonathan,

Thanks for your support. It will be quicker if you test it for me. 
Here is my archives.log 
{"win":{"system":{"providerName":"Microsoft-Windows-Security-Auditing","providerGuid":"{54849625-5478-4994-a5ba-3e3b032xxxxd}","eventID":"4663","version":"1","level":"0","task":"12800","opcode":"0","keywords":"0x8020000000000000","systemTime":"2020-10-21T09:05:32.642336500Z","eventRecordID":"5492119","processID":"4","threadID":"12900","channel":"Security","computer":"computer_name","severityValue":"AUDIT_SUCCESS","message":"\"An attempt was made to access an object.\r\n\r\nSubject:\r\n\tSecurity ID:\t\tS-1-5-21-413098747-34xxxxx494-xxxxxxxxxx-1006\r\n\tAccount Name:\t\tuser\r\n\tAccount Domain:\t\tDOMAIN\r\n\tLogon ID:\t\t0x270C73\r\n\r\nObject:\r\n\tObject Server:\t\tSecurity\r\n\tObject Type:\t\tFile\r\n\tObject Name:\t\tC:\\Users\\user\\Documents\\desktop.ini\r\n\tHandle ID:\t\t0x8f4\r\n\tResource Attributes:\tS:AI\r\n\r\nProcess Information:\r\n\tProcess ID:\t\t0x1818\r\n\tProcess Name:\t\tC:\\Windows\\explorer.exe\r\n\r\nAccess Request Information:\r\n\tAccesses:\t\tReadAttributes\r\n\t\t\t\t\r\n\tAccess Mask:\t\t0x80\""},"eventdata":{"subjectUserSid":"S-1-5-21-4130xxx47-xxxxxxxxxx-147xxxxx26-1006","subjectUserName":"user","subjectDomainName":"DOMAIN","subjectLogonId":"0x270c73","objectServer":"Security","objectType":"File","objectName":"C:\\\\Users\\\\user\\\\Documents\\\\desktop.ini","handleId":"0x8f4","accessList":"%%4423","accessMask":"0x80","processId":"0x1818","processName":"C:\\\\Windows\\\\explorer.exe","resourceAttributes":"S:AI"}}}


and this is the rule I want to trigger:

<var name="FILE_SERVERS">^computer_name$</var>
<rule id="60053" level="5">
<if_sid>60001</if_sid>
<field name="win.system.computer">$FILE_SERVERS</field>
<field name="win.system.eventID">4663</field>
<description>An attempt was made to access an object</description>
<group>windows-file-server,</group> 
</rule>


Regards, 

On Wednesday, October 21, 2020 at 09:49:15 UTC+3, Jonathan Martín Valera wrote:

Jonathan Martín Valera

Oct 21, 2020, 7:12:59 AM
to Wazuh mailing list
Hi Mark Rafa,

The rule would be as follows (I have added it to /var/ossec/etc/rules/local_rules.xml file):

<var name="FILE_SERVERS">^computer_name$</var>

<rule id="100050" level="5">
  <if_sid>60103</if_sid>
  <field name="win.system.computer">$FILE_SERVERS</field>
  <field name="win.system.eventID">4663</field>
  <description>An attempt was made to access an object</description>
  <group>windows-file-server,</group>
</rule>

If we test this custom rule in /var/ossec/bin/ossec-logtest tool:

[root@manager vagrant]# /var/ossec/bin/ossec-logtest
2020/10/21 10:41:29 ossec-testrule: INFO: Started (pid: 5835).

ossec-testrule: Type one log per line.

{"win":{"system":{"providerName":"Microsoft-Windows-Security-Auditing","providerGuid":"{54849625-5478-4994-a5ba-3e3b032xxxxd}","eventID":"4663","version":"1","level":"0","task":"12800","opcode":"0","keywords":"0x8020000000000000","systemTime":"2020-10-21T09:05:32.642336500Z","eventRecordID":"5492119","processID":"4","threadID":"12900","channel":"Security","computer":"computer_name","severityValue":"AUDIT_SUCCESS","message":"\"An attempt was made to access an object.\r\n\r\nSubject:\r\n\tSecurity ID:\t\tS-1-5-21-413098747-34xxxxx494-xxxxxxxxxx-1006\r\n\tAccount Name:\t\tuser\r\n\tAccount Domain:\t\tDOMAIN\r\n\tLogon ID:\t\t0x270C73\r\n\r\nObject:\r\n\tObject Server:\t\tSecurity\r\n\tObject Type:\t\tFile\r\n\tObject Name:\t\tC:\\Users\\user\\Documents\\desktop.ini\r\n\tHandle ID:\t\t0x8f4\r\n\tResource Attributes:\tS:AI\r\n\r\nProcess Information:\r\n\tProcess ID:\t\t0x1818\r\n\tProcess Name:\t\tC:\\Windows\\explorer.exe\r\n\r\nAccess Request Information:\r\n\tAccesses:\t\tReadAttributes\r\n\t\t\t\t\r\n\tAccess Mask:\t\t0x80\""},"eventdata":{"subjectUserSid":"S-1-5-21-4130xxx47-xxxxxxxxxx-147xxxxx26-1006","subjectUserName":"user","subjectDomainName":"DOMAIN","subjectLogonId":"0x270c73","objectServer":"Security","objectType":"File","objectName":"C:\\\\Users\\\\user\\\\Documents\\\\desktop.ini","handleId":"0x8f4","accessList":"%%4423","accessMask":"0x80","processId":"0x1818","processName":"C:\\\\Windows\\\\explorer.exe","resourceAttributes":"S:AI"}}}

.............

**Phase 3: Completed filtering (rules).
       Rule id: '100050'
       Level: '5'
       Description: 'An attempt was made to access an object'
**Alert to be generated.

Important note: Remember to return rule 60000 to its original state after testing the eventchannel events in the ossec-logtest tool.

Once you see that it works, restart the manager for the changes to take effect:

systemctl restart wazuh-manager

From now on, you should see the corresponding alerts every time the manager receives an event of this type.

Try it and tell me the results :)

Best regards.
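To show why the parent named in <if_sid> decides whether a custom rule is ever reached (the rule-trace explanation above and the final 100050 rule), here is an added Python example that is not part of this thread or of Wazuh's own code. It flattens the 4663 event into the dotted field names the rules use and walks a small rule tree the way the ossec-logtest trace does: siblings are tried in order, the first match is descended into, and the remaining siblings are skipped. The stock-rule conditions and the sample event are constructed stand-ins, not copied from the Wazuh ruleset.

```python
import json
import re
import xml.etree.ElementTree as ET

# Constructed, shortened 4663 event in the shape archives.log shows in the thread.
EVENT_JSON = json.dumps({"win": {"system": {
    "providerName": "Microsoft-Windows-Security-Auditing", "eventID": "4663",
    "channel": "Security", "computer": "computer_name", "severityValue": "AUDIT_SUCCESS"},
    "eventdata": {"objectName": "C:\\Users\\user\\desktop.ini", "accessMask": "0x80"}}})

def rules_xml(custom_parent):
    # Stand-in for the 60000 -> 60001 -> 60103 chain (conditions assumed, not copied from
    # the stock ruleset) plus the thread's custom rule placed under custom_parent.
    # Wazuh's regex dialect writes "any character" as \. ; Python's re uses a plain dot.
    return f"""<group name="windows,">
<var name="FILE_SERVERS">^computer_name$</var>
<rule id="60000" level="0"><field name="win.system.providerName">.+</field><description>Group of windows rules</description></rule>
<rule id="60001" level="0"><if_sid>60000</if_sid><field name="win.system.channel">^Security$</field><description>Group of Windows rules for the Security channel</description></rule>
<rule id="60103" level="3"><if_sid>60001</if_sid><field name="win.system.severityValue">^AUDIT_SUCCESS$</field><description>Windows audit success event</description></rule>
<rule id="100050" level="5"><if_sid>{custom_parent}</if_sid><field name="win.system.computer">$FILE_SERVERS</field><field name="win.system.eventID">4663</field><description>An attempt was made to access an object</description></rule>
</group>"""

def flatten(obj, prefix=""):
    # Turn nested JSON into the dotted names that <field name="win.system.eventID"> uses.
    out = {}
    for key, value in obj.items():
        name = f"{prefix}.{key}" if prefix else key
        out.update(flatten(value, name) if isinstance(value, dict) else {name: str(value)})
    return out

def load_rules(xml_text):
    """Parse <var>, <rule>, <if_sid> and <field>; expand $VAR references in field patterns."""
    root = ET.fromstring(xml_text)
    variables = {v.get("name"): v.text for v in root.iter("var")}
    rules = []
    for r in root.iter("rule"):
        fields = []
        for f in r.findall("field"):
            pattern = f.text
            for name, value in variables.items():
                pattern = pattern.replace("$" + name, value)
            fields.append((f.get("name"), re.compile(pattern)))
        rules.append({"id": r.get("id"), "level": int(r.get("level")), "fields": fields,
                      "parent": r.findtext("if_sid"), "description": r.findtext("description")})
    return rules

def evaluate(rules, event, parent=None, trace=None):
    """Mimic analysisd: try siblings in file order, descend into the first that matches
    and skip the remaining siblings. Returns (deepest matched rule or None, trace lines)."""
    trace = [] if trace is None else trace
    for rule in (r for r in rules if r["parent"] == parent):
        trace.append(f"Trying rule: {rule['id']} - {rule['description']}")
        if all(n in event and rx.search(event[n]) for n, rx in rule["fields"]):
            trace.append(f"*Rule {rule['id']} matched.")
            child, _ = evaluate(rules, event, rule["id"], trace)
            return (child or rule), trace
    return None, trace

def alert_for(custom_parent, event_json=EVENT_JSON):
    # Returns ((rule id, level) that would raise the alert, trace lines) for the event.
    rules, event = load_rules(rules_xml(custom_parent)), flatten(json.loads(event_json))
    matched, trace = evaluate(rules, event)
    return ((matched["id"], matched["level"]) if matched else None), trace
```

With the custom rule under 60103 the walk ends at 100050 (level 5); under 60001 it ends at 60103 (level 3) and 100050 is never tried, which is what Mark's trace showed.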

Mark Rafa

Oct 21, 2020, 12:34:45 PM
to Wazuh mailing list
Hi Jonathan,

The rule is working and I can see the logs in Kibana. 
Thanks a lot for your support:)) I appreciate it. 

Regards, 


On Wednesday, October 21, 2020 at 14:12:59 UTC+3, Jonathan Martín Valera wrote: