Create new rule to detect a remote Access APP


Ayoub MM

Mar 27, 2023, 6:21:35 AM
to Wazuh mailing list
Hello all,

I would like first to thank you all for your help and support.

I need to create a rule in Wazuh to detect the use of the remote access application AnyDesk, based on FortiGate logs.

I created a rule in local_rules.xml; below is what I put in the rule:

<group name="Remote,">

<!-- Modify it at your will. -->
  <rule id="100002" level="10">
    <if_sid>81634</if_sid>
    <match>AnyDesk</match>
    <description>Use of an application of remote access.</description>
  </rule>
 
</group>

The rule id 81634 defines the decoder as fortigate-v5.

When I test the rule with ruletest, I see that another rule fires and that specific rule does not work; the other rule that fires is "app passed by firewall" or "app blocked by firewall".

Can you please help me to implement this rule?

Thanks in advance.


Abdullah Al Noman

Mar 27, 2023, 7:04:47 AM
to Wazuh mailing list

Hello Ayoub,

Thank you for using Wazuh.

I understand that you want to configure Wazuh to detect AnyDesk application usage through fortigate v5 logs. Let me guide you to implement your custom rule for this.

Your custom rule seems structured. Would you let me know which other rule id was triggered during your ruletest?
I am going to troubleshoot the issue from my end. This would require a sample log from you that you tested. Please mask any sensitive information before sharing the requested log.

Looking forward to your reply.

Kind regards,

Ayoub MM

Mar 27, 2023, 7:33:06 AM
to Wazuh mailing list
Hello Abdullah,

Thank you for your help.

Here is the rule id triggered:

**Phase 3: Completed filtering (rules).
id: '81634'
level: '5'
description: 'Fortigate: App blocked by firewall.'
groups: '["fortigate","syslog","firewall_drop"]'
firedtimes: '1'
gdpr: '["IV_35.7.d"]'
hipaa: '["164.312.b"]'
mail: 'false'
nist_800_53: '["AU.6"]'
pci_dss: '["10.6.1"]'
**Alert to be generated.

NB: I copied the wrong decoder id, 81602, in the first message, but I tested with the right one.

And here is the log that I tested with:

date=2023-03-27 time=12:11:05 devname="FORTII" devid="1" eventtime=111111111111 tz="+01000" logid="1059028" type="utm" subtype="app-ctrl" eventtype="signature" level="warning" vd="root" appid=3910 srcip=1.1.1.1 srccountry="Reserved" dstip=2.2.2.2 dstcountry="USA" srcport=16560 dstport=443 srcintf="LAN" srcintfrole="lan" dstintf="wan3" dstintfrole="wan" proto=6 service="SSL" direction="outgoing" policyid=100 poluuid="8c435cf2-5b91-51ed-d72c-e471801feff228" policytype="policy" sessionid=1454453100 applist="block-urgent" action="block" appcat="Remote.Access" app="AnyDesk" hostname="1.1.1.1" incidentserialno=10000 url="/" msg="Remote.Access: AnyDesk" apprisk="high"

Thanks in advance.

Abdullah Al Noman

Mar 27, 2023, 8:12:36 AM
to Wazuh mailing list
Hi Ayoub,

Thank you for the log. I replicated your issue from my end in a Wazuh server v4.3.10 (latest). I have noticed that the provided log was decoded by fortigate-firewall-v6 decoder and the custom rule you created worked as expected. Find the below output:

**Phase 1: Completed pre-decoding.
full event: 'date=2023-03-27 time=12:11:05 devname="FORTII" devid="1" eventtime=111111111111 tz="+01000" logid="1059028" type="utm" subtype="app-ctrl" eventtype="signature" level="warning" vd="root" appid=3910 srcip=1.1.1.1 srccountry="Reserved" dstip=2.2.2.2 dstcountry="USA" srcport=16560 dstport=443 srcintf="LAN" srcintfrole="lan" dstintf="wan3" dstintfrole="wan" proto=6 service="SSL" direction="outgoing" policyid=100 poluuid="8c435cf2-5b91-51ed-d72c-e471801feff228" policytype="policy" sessionid=1454453100 applist="block-urgent" action="block" appcat="Remote.Access" app="AnyDesk" hostname="1.1.1.1" incidentserialno=10000 url="/" msg="Remote.Access: AnyDesk" apprisk="high"'

**Phase 2: Completed decoding.
name: 'fortigate-firewall-v6'
action: 'block'
app: 'AnyDesk'
appcat: 'Remote.Access'
appid: '3910'
applist: 'block-urgent'
apprisk: 'high'
cat: 'Remote.Access'
direction: 'outgoing'
dstcountry: 'USA'
dstintf: 'wan3'
dstintfrole: 'wan'
dstip: '2.2.2.2'
dstport: '443'
eventtime: '111111111111'
eventtype: 'signature'
hostname: '1.1.1.1'
incidentserialno: '10000'
ip: '1.1.1.1'
level: 'warning'
logid: '1059028'
msg: 'Remote.Access: AnyDesk'
policyid: '100'
policytype: 'policy'
poluuid: '8c435cf2-5b91-51ed-d72c-e471801feff228'
proto: '6'
service: 'SSL'
sessionid: '1454453100'
srccountry: 'Reserved'
srcintf: 'LAN'
srcintfrole: 'lan'
srcip: '1.1.1.1'
srcport: '16560'
subtype: 'app-ctrl'
time: '12:11:05'
type: 'utm'
url: '/'
vd: 'root'


**Phase 3: Completed filtering (rules).
id: '100002'
level: '10'
description: 'Use of an application of remote access.'
groups: '["Remote"]'
firedtimes: '1'
mail: 'false'
**Alert to be generated.

I don't see any significant reason for the rule not to work. However, make sure that after adding the custom rule inside the local_rules.xml file in your Wazuh server, you have restarted the server for the changes to take effect. You can restart the server using systemctl restart wazuh-manager.

Hope this helps. Let me know if you require further guidance.

Kind regards,

Ayoub MM

Mar 28, 2023, 6:38:04 AM
to Abdullah Al Noman, Wazuh mailing list
Hello,

Any help with this, please?

Regards,

On Mon, 27 Mar 2023 at 12:28, Ayoub MM <ayoub....@gmail.com> wrote:
Thanks for your feedback.

I have Wazuh version 4.3.9. The log is decoded as v5. I tried to change the decoder to v6 by modifying if_sid to the id of the decoder version 6.
I tried again, but the rule triggered is the same, shown below:

**Phase 3: Completed filtering (rules).
	id: '81634'
	level: '5'
	description: 'Fortigate: App blocked by firewall.'
	groups: '["fortigate","syslog","firewall_drop"]'
	firedtimes: '1'
	gdpr: '["IV_35.7.d"]'
	hipaa: '["164.312.b"]'
	mail: 'false'
	nist_800_53: '["AU.6"]'
	pci_dss: '["10.6.1"]'
**Alert to be generated.

Thanks in advance for your help

--
You received this message because you are subscribed to a topic in the Google Groups "Wazuh mailing list" group.
To unsubscribe from this topic, visit https://groups.google.com/d/topic/wazuh/joRtkqADGN0/unsubscribe.
To unsubscribe from this group and all its topics, send an email to wazuh+un...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/wazuh/3a0e443e-ecd0-4e05-a049-7bc541bb478dn%40googlegroups.com.

Abdullah Al Noman

Mar 28, 2023, 7:35:42 AM
to Ayoub MM, Wazuh mailing list
Hi Ayoub,

I might have missed your previous reply. Thanks for bringing this to my attention.

Could you please test the same log you shared with me in your environment? Paste the full output here.

Looking forward to your response.

Regards,
--
Abdullah Al Noman
Security Engineer
Wazuh
The Open Source Security Platform

Ayoub MM

Mar 28, 2023, 8:40:07 AM
to Wazuh mailing list
Hello Abdullah,
Thank you for your help.

Here is the full output of the ruleset:

**Messages: INFO: (7202): Session initialized with token '22dfd5fd'

**Phase 1: Completed pre-decoding.
full event: 'date=2023-03-27 time=12:11:05 devname="FORTII" devid="1" eventtime=111111111111 tz="+01000" logid="1059028" type="utm" subtype="app-ctrl" eventtype="signature" level="warning" vd="root" appid=3910 srcip=1.1.1.1 srccountry="Reserved" dstip=2.2.2.2 dstcountry="USA" srcport=16560 dstport=443 srcintf="LAN" srcintfrole="lan" dstintf="wan3" dstintfrole="wan" proto=6 service="SSL" direction="outgoing" policyid=100 poluuid="8c435cf2-5b91-51ed-d72c-e471801feff228" policytype="policy" sessionid=1454453100 applist="block-urgent" action="block" appcat="Remote.Access" app="AnyDesk" hostname="1.1.1.1" incidentserialno=10000 url="/" msg="Remote.Access: AnyDesk" apprisk="high"'

**Phase 2: Completed decoding.
name: 'fortigate-firewall-v6'
action: 'block'
app: 'AnyDesk'
appcat: 'Remote.Access'
appid: '3910'
applist: 'block-urgent'
apprisk: 'high'
cat: 'Remote.Access'
direction: 'outgoing'
dstcountry: 'USA'
dstintf: 'wan3'
dstintfrole: 'wan'
dstip: '2.2.2.2'
dstport: '443'
eventtime: '111111111111'
eventtype: 'signature'
hostname: '1.1.1.1'
incidentserialno: '10000'
ip: '1.1.1.1'
level: 'warning'
logid: '1059028'
msg: 'Remote.Access: AnyDesk'
policyid: '100'
policytype: 'policy'
poluuid: '8c435cf2-5b91-51ed-d72c-e471801feff228'
proto: '6'
service: 'SSL'
sessionid: '1454453100'
srccountry: 'Reserved'
srcintf: 'LAN'
srcintfrole: 'lan'
srcip: '1.1.1.1'
srcport: '16560'
subtype: 'app-ctrl'
time: '12:11:05'
type: 'utm'
url: '/'
vd: 'root'

**Phase 3: Completed filtering (rules).
id: '81634'
level: '5'
description: 'Fortigate: App blocked by firewall.'
groups: '["fortigate","syslog","firewall_drop"]'
firedtimes: '1'
gdpr: '["IV_35.7.d"]'
hipaa: '["164.312.b"]'
mail: 'false'
nist_800_53: '["AU.6"]'
pci_dss: '["10.6.1"]'
**Alert to be generated.

Abdullah Al Noman

Mar 28, 2023, 10:32:06 AM
to Ayoub MM, Wazuh mailing list
Hi Ayoub,

I have tested your log and the custom rule with the Wazuh server v4.3.9 and it worked as expected. I performed the following tasks:

1. Prepared the Wazuh server v4.3.9 environment.
2. Added the following custom rule in the /var/ossec/etc/rules/local_rules.xml file in the Wazuh server.


<group name="Remote,">

<!-- Modify it at your will. -->
  <rule id="100002" level="10">
    <if_sid>81634</if_sid>
    <match>AnyDesk</match>
    <description>Use of an application of remote access.</description>
  </rule>

</group>


3. Restarted the server using systemctl restart wazuh-manager.
4. Ran the /var/ossec/bin/wazuh-logtest tool and inserted the following log:


date=2023-03-27 time=12:11:05 devname="FORTII" devid="1" eventtime=111111111111 tz="+01000" logid="1059028" type="utm" subtype="app-ctrl" eventtype="signature" level="warning" vd="root" appid=3910 srcip=1.1.1.1 srccountry="Reserved" dstip=2.2.2.2 dstcountry="USA" srcport=16560 dstport=443 srcintf="LAN" srcintfrole="lan" dstintf="wan3" dstintfrole="wan" proto=6 service="SSL" direction="outgoing" policyid=100 poluuid="8c435cf2-5b91-51ed-d72c-e471801feff228" policytype="policy" sessionid=1454453100 applist="block-urgent" action="block" appcat="Remote.Access" app="AnyDesk" hostname="1.1.1.1" incidentserialno=10000 url="/" msg="Remote.Access: AnyDesk" apprisk="high"

Find the screenshot attached that shows the expected outcome. 

I advise you to make sure of the following from your end:
1. Don't make any changes to the stock rules and decoders.
2. Restart the Wazuh server after any changes such as adding custom rules.

Hope the above steps help you to resolve your problem.

Kind regards,


[attachments: local-rule.png, wazuh-version.png, output-2.png, output-1.png]

Ayoub MM

Mar 28, 2023, 11:52:22 AM
to Wazuh mailing list
I followed the steps in your response but still another rule fired.
Below is the screenshot after testing the rule with ruletest.

[attachment: rule test.JPG]
I confirm that I did not make any change to the list of predefined decoders and rules.

Thanks in advance

Ayoub MM

Mar 28, 2023, 12:11:03 PM
to Wazuh mailing list
For additional info, if I change the value of action to "pass", here is the result:

[attachment: rule-issue.JPG]

Abdullah Al Noman

Mar 28, 2023, 12:40:06 PM
to Ayoub MM, Wazuh mailing list
I am not quite sure why you are getting different output if you have followed the same instructions I mentioned earlier. One possible reason could be if you haven't added the custom rule correctly. Can you please share the contents of the /var/ossec/etc/rules/local_rules.xml file from your Wazuh server with me?
Additionally, share the output of the three phases while you test the log, so I can better understand your issue.

Ayoub MM

Mar 28, 2023, 12:47:01 PM
to Wazuh mailing list
Yes, sure, here is the file /var/ossec/etc/rules/local_rules.xml:

[attachment: ossec-rules.JPG]
And here is the log test:

[attachments: output2.JPG, output.JPG]

Abdullah Al Noman

Mar 28, 2023, 1:57:25 PM
to Ayoub MM, Wazuh mailing list

Hi Ayoub,


Based on your wazuh-logtest output, rule id 81634 is triggering. Therefore, you need to use this rule id as the sid in your custom rule so that your custom rule can work.


Your first custom rule contains 81634 as the sid. I am not sure why you changed it later even though I instructed you with the exact contents and steps to follow. However, I can assure you that if you replace <if_sid>81641</if_sid> with <if_sid>81634</if_sid> in your custom rule, you will get the expected output.


Follow our official documentation on Custom rules and decoders to learn more.

Hope this resolves your query.

Have a nice rest of the day.

Kind regards,

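The whole thread turns on the if_sid chain: custom rule 100002 is only evaluated once the rule named in its <if_sid> (81634, "Fortigate: App blocked by firewall.") has fired for the log, which is why the wrong id 81641 kept it silent. The following Python is an added example, not Ayoub's rule file or Wazuh's engine: it parses the FortiGate key=value event posted above and models the parent/child rule chain in a simplified way (the PARENT_RULES table and evaluate() are assumptions standing in for the real ruleset), so the same log yields [81634, 100002] with if_sid 81634 and only [81634] with 81641.

```python
import re
from typing import Dict, List

# Sample input: the FortiGate app-ctrl event posted in this thread.
SAMPLE_LOG = (
    'date=2023-03-27 time=12:11:05 devname="FORTII" devid="1" eventtime=111111111111 '
    'tz="+01000" logid="1059028" type="utm" subtype="app-ctrl" eventtype="signature" '
    'level="warning" vd="root" appid=3910 srcip=1.1.1.1 srccountry="Reserved" '
    'dstip=2.2.2.2 dstcountry="USA" srcport=16560 dstport=443 srcintf="LAN" '
    'srcintfrole="lan" dstintf="wan3" dstintfrole="wan" proto=6 service="SSL" '
    'direction="outgoing" policyid=100 poluuid="8c435cf2-5b91-51ed-d72c-e471801feff228" '
    'policytype="policy" sessionid=1454453100 applist="block-urgent" action="block" '
    'appcat="Remote.Access" app="AnyDesk" hostname="1.1.1.1" incidentserialno=10000 '
    'url="/" msg="Remote.Access: AnyDesk" apprisk="high"'
)

# FortiGate events are key=value pairs; a value is either double-quoted (and may
# contain spaces, e.g. msg="Remote.Access: AnyDesk") or a bare token.
_KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def decode_fortigate(line: str) -> Dict[str, str]:
    """Expose one field per key=value pair, like the Wazuh fortigate decoder does."""
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in _KV.finditer(line)}


# Simplified model of the rule chain (an assumption, not the Wazuh engine): a parent
# rule fires when a decoded field has a given value; a child rule is only evaluated
# when its if_sid names a parent that fired, and then needs its <match> text in the log.
PARENT_RULES = [
    {"id": 81634, "field": "action", "value": "block"},  # "App blocked by firewall."
]


def evaluate(line: str, child: Dict) -> List[int]:
    """Return the ids of matching rules; the last one is what wazuh-logtest reports."""
    fields = decode_fortigate(line)
    fired = [r["id"] for r in PARENT_RULES if fields.get(r["field"]) == r["value"]]
    if child["if_sid"] in fired and child["match"] in line:
        fired.append(child["id"])
    return fired


if __name__ == "__main__":
    good = {"id": 100002, "if_sid": 81634, "match": "AnyDesk"}  # the rule from the thread
    wrong = dict(good, if_sid=81641)  # the mis-set if_sid that kept the rule silent
    print("if_sid 81634 ->", evaluate(SAMPLE_LOG, good))   # [81634, 100002]
    print("if_sid 81641 ->", evaluate(SAMPLE_LOG, wrong))  # [81634]
```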

Ayoub MM

Mar 30, 2023, 9:53:16 AM
to Wazuh mailing list

Hello Abdullah,

It works for me, thank you so much for your help and support.

Regards,