WAZUH Aggregation rule not triggering within given timeframe


Mohammad Awais Javaid

Oct 6, 2023, 3:34:57 PM
to Wazuh | Mailing List
One question I want to highlight: basically, I have checked that the aggregation rule triggers if the events come quickly one after the other, but if there is a gap of 1 minute or 2 minutes then it won't come. Also the timeframe option: if we have defined the timeframe up to 240 seconds and we generate events with a gap of 1 minute, the aggregation won't trigger, but if the events are concurrent it triggers. If you have anything which you think can be shared, please share. Thanks.

Marcos Darío Buslaiman

Oct 6, 2023, 4:18:37 PM
to Wazuh | Mailing List
Hi Mohammad,
Thanks for using Wazuh!
To give you a better analysis of your scenario, I would like to request from you the logs of the test executed (please remove any sensitive information), the rules that you have configured, and the version of your Wazuh manager (from the GUI: Wazuh Menu --> Settings --> About).
Then, as you mentioned, you are using the options frequency and timeframe on a custom rule; these options allow you to define the number of events in a timeframe needed to trigger a rule.
Here you have the rules options document.
Together with these options you can use some other options like if_matched_sid, same_id, different_location, etc., with some examples.

On the other hand, I'm not sure if your scenario is similar to the one reported on this issue; that issue was on an older version of Wazuh, but I would like to figure out if your case is similar to that one.

Looking forward to your comments.
Regards,

Mohammad Awais Javaid

Oct 6, 2023, 10:04:00 PM
to Wazuh | Mailing List
In Pic 1 you can see that the difference between events is almost 1 minute and some seconds, but the aggregation rule did not trigger.
In Pic 2 you can see that the difference between events is almost 20-30 seconds, and you can see the aggregation rule is triggered.
In Pic 3 you can see the rule which we have created, so I have shared all three things which you requested. Please share your thoughts on this, since I have tested it a couple of times: when the events are frequent, one after another, then the aggregation triggered, but if they are not frequent the aggregation does not trigger.
Logically, according to the Wazuh website and the material I was studying, I found that if the events occur in the given timeframe the rule should be triggered, and that was the expectation, but I don't know why it's not triggering (see the Microsoft Teams image).

If you have any help regarding that, do share; it would be much appreciated.

Regards 
Awais


Attachments: MicrosoftTeams-image (7).png, pic 3.JPG, pic 2.JPG, pic 1.JPG

Marcos Darío Buslaiman

Oct 9, 2023, 11:16:50 AM
to Wazuh | Mailing List
Hi Mohammad,
I've executed the following test but I could not reproduce your behavior; here is my test:

My rules:
Custom rules:
<group name="local,syslog,sshd,">
  <rule id="100001" level="9">
    <if_sid>5503</if_sid>
    <description>sshd: authentication failed from IP $(srcip)</description>
    <group>authentication_failed,pci_dss_10.2.4,pci_dss_10.2.5,</group>
  </rule>
  <rule id="100002" frequency="3" timeframe="10" level="10">
    <if_matched_sid>100001</if_matched_sid>
    <same_srcip/>
    <description>The user $(user) IP: $(srcip) tried to authenticate without success 2 times in 4 min.</description>
  </rule>
</group>
Stock rule:
  <rule id="5503" level="5">
    <if_sid>5500</if_sid>
    <match>authentication failure; logname=</match>
    <description>PAM: User login failed.</description>
    <mitre>
      <id>T1110.001</id>
    </mitre>
    <group>authentication_failed,pci_dss_10.2.4,pci_dss_10.2.5,gpg13_7.8,gdpr_IV_35.7.d,gdpr_IV_32.2,hipaa_164.312.b,nist_800_53_AU.14,nist_800_53_AC.7,tsc_CC6.1,tsc_CC6.8,tsc_CC7.2,tsc_CC7.3,</group>
  </rule>



So in my test, I will send the following event:
"Oct  9 14:40:08 wazuh-server sshd[14571]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.1.78  user=root"

This will trigger rule "100001"; then, if I send the same event two more times (frequency="3" timeframe="10") within the 10 seconds, rule 100002 will be triggered.

Here is my test using the script /var/ossec/bin/wazuh-logtest; you can also use the log test tool on Wazuh Menu --> Tool --> Ruleset Test.
[root@wazuh-server wazuh-user]# /var/ossec/bin/wazuh-logtest
Starting wazuh-logtest v4.5.2
Type one log per line

Oct  9 14:40:08 wazuh-server sshd[14571]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.1.78  user=root

**Phase 1: Completed pre-decoding.
        full event: 'Oct  9 14:40:08 wazuh-server sshd[14571]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.1.78  user=root'
        timestamp: 'Oct  9 14:40:08'
        hostname: 'wazuh-server'
        program_name: 'sshd'

**Phase 2: Completed decoding.
        name: 'pam'
        dstuser: 'root'
        euid: '0'
        srcip: '192.168.1.78'
        tty: 'ssh'
        uid: '0'

**Phase 3: Completed filtering (rules).
        id: '100001'
        level: '9'
        description: 'sshd: authentication failed from IP 192.168.1.78'
        groups: '['local', 'syslog', 'sshd', 'authentication_failed']'
        firedtimes: '1'
        mail: 'False'
        pci_dss: '['10.2.4', '10.2.5']'
**Alert to be generated.

Oct  9 14:40:08 wazuh-server sshd[14571]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.1.78  user=root

**Phase 1: Completed pre-decoding.
        full event: 'Oct  9 14:40:08 wazuh-server sshd[14571]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.1.78  user=root'
        timestamp: 'Oct  9 14:40:08'
        hostname: 'wazuh-server'
        program_name: 'sshd'

**Phase 2: Completed decoding.
        name: 'pam'
        dstuser: 'root'
        euid: '0'
        srcip: '192.168.1.78'
        tty: 'ssh'
        uid: '0'

**Phase 3: Completed filtering (rules).
        id: '100001'
        level: '9'
        description: 'sshd: authentication failed from IP 192.168.1.78'
        groups: '['local', 'syslog', 'sshd', 'authentication_failed']'
        firedtimes: '2'
        mail: 'False'
        pci_dss: '['10.2.4', '10.2.5']'
**Alert to be generated.

Oct  9 14:40:08 wazuh-server sshd[14571]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.1.78  user=root

**Phase 1: Completed pre-decoding.
        full event: 'Oct  9 14:40:08 wazuh-server sshd[14571]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.1.78  user=root'
        timestamp: 'Oct  9 14:40:08'
        hostname: 'wazuh-server'
        program_name: 'sshd'

**Phase 2: Completed decoding.
        name: 'pam'
        dstuser: 'root'
        euid: '0'
        srcip: '192.168.1.78'
        tty: 'ssh'
        uid: '0'

**Phase 3: Completed filtering (rules).
        id: '100002'
        level: '10'
        description: 'The user  IP: 192.168.1.78 tried to authenticate without success 2 times in 4 min.'
        groups: '['local', 'syslog', 'sshd']'
        firedtimes: '1'
        frequency: '3'
        mail: 'False'
**Alert to be generated.


Then, if I wait more than 10 seconds, only the first alert "100001" is generated:

[root@wazuh-server wazuh-user]# /var/ossec/bin/wazuh-logtest
Starting wazuh-logtest v4.5.2
Type one log per line

Oct  9 14:40:08 wazuh-server sshd[14571]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.1.78  user=root

**Phase 1: Completed pre-decoding.
        full event: 'Oct  9 14:40:08 wazuh-server sshd[14571]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.1.78  user=root'
        timestamp: 'Oct  9 14:40:08'
        hostname: 'wazuh-server'
        program_name: 'sshd'

**Phase 2: Completed decoding.
        name: 'pam'
        dstuser: 'root'
        euid: '0'
        srcip: '192.168.1.78'
        tty: 'ssh'
        uid: '0'

**Phase 3: Completed filtering (rules).
        id: '100001'
        level: '9'
        description: 'sshd: authentication failed from IP 192.168.1.78'
        groups: '['local', 'syslog', 'sshd', 'authentication_failed']'
        firedtimes: '1'
        mail: 'False'
        pci_dss: '['10.2.4', '10.2.5']'
**Alert to be generated.

Oct  9 14:40:08 wazuh-server sshd[14571]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.1.78  user=root

**Phase 1: Completed pre-decoding.
        full event: 'Oct  9 14:40:08 wazuh-server sshd[14571]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.1.78  user=root'
        timestamp: 'Oct  9 14:40:08'
        hostname: 'wazuh-server'
        program_name: 'sshd'

**Phase 2: Completed decoding.
        name: 'pam'
        dstuser: 'root'
        euid: '0'
        srcip: '192.168.1.78'
        tty: 'ssh'
        uid: '0'

**Phase 3: Completed filtering (rules).
        id: '100001'
        level: '9'
        description: 'sshd: authentication failed from IP 192.168.1.78'
        groups: '['local', 'syslog', 'sshd', 'authentication_failed']'
        firedtimes: '2'
        mail: 'False'


Please let me know if you can execute the test, and the events that you send, so we can analyze the behavior.

Regards!

Mohammad Awais Javaid

Oct 10, 2023, 6:02:02 AM
to Wazuh | Mailing List
Thank you for the effort on that. Actually, what I notice is that you have set the timeframe to 10 seconds. It works in our use case as well if the timeframe is 10 seconds; the problem is when we put a duration of 60 s or more: then, even if the condition which we provided is met, it is not triggering.

Regards! 
Awais

Marcos Darío Buslaiman

Oct 10, 2023, 12:45:43 PM
to Wazuh | Mailing List
Hi Mohammad,
I've executed other tests with the timeframe modified to 60 seconds, and others with 120 seconds, and it always executed as expected: when the 3rd event (according to my rule, frequency="3") is sent, it triggers the corresponding alert.
Could you please let me know which version of Wazuh is running and how you are executing the test?

Regards!
Marcos Buslaiman

Jarek

Oct 11, 2023, 3:02:09 AM
to Wazuh | Mailing List
Hello,
I have the same problem.
This is my rule:
<rule id="100300" level="12" frequency="2" timeframe="28800">
        <if_matched_sid>60115</if_matched_sid>
        <options>no_full_log</options>
        <same_field>win.eventdata.targetUserName</same_field>
        <description>Domena: Account locket more than 2 times $(win.eventdata.targetUserName)</description>
</rule>
If rule 60115 is fired two times during about 15 minutes, my rule is fired. But when there is more than 30 minutes between firings of rule 60115, my rule isn't fired.
Wazuh: newest version.


root@wazuh1:/home/socadmin# /var/ossec/bin/wazuh-logtest

Starting wazuh-logtest v4.5.2
Type one log per line

{"win":{"system":{"providerName":"Microsoft-Windows-Security-Auditing","providerGuid":"{54849625-5478-4994-a5ba-3e3b0328c30d}","eventID":"4740","version":"0","level":"0","task":"13824","opcode":"0","keywords":"0x8020000000000000","systemTime":"2023-10-11T05:09:59.636846000Z","eventRecordID":"1463966592","processID":"692","threadID":"7592","channel":"Security","computer":"WINDOWS.domena.moja.pl","severityValue":"AUDIT_SUCCESS","message":"\"A user account was locked out.\r\n\r\nSubject:\r\n\tSecurity ID:\t\tS-1-5-18\r\n\tAccount Name:\t\tWINDOWS$\r\n\tAccount Domain:\t\tUM\r\n\tLogon ID:\t\t0x3E7\r\n\r\nAccount That Was Locked Out:\r\n\tSecurity ID:\t\tS-1-5-21-1727165165-2185125615-2131216522-11941\r\n\tAccount Name:\t\talama\r\n\r\nAdditional Information:\r\n\tCaller Computer Name:\t\""},"eventdata":{"targetUserName":"alama","targetSid":"S-1-5-21-1727165165-2185125615-2131216522-11941","subjectUserSid":"S-1-5-18","subjectUserName":"WINDOWS$","subjectDomainName":"UM","subjectLogonId":"0x3e7"}}}

**Phase 1: Completed pre-decoding.

**Phase 2: Completed decoding.
name: 'json'
win.eventdata.subjectDomainName: WU
win.eventdata.subjectLogonId: '0x3e7'
win.eventdata.subjectUserName: 'WINDOWS$'
win.eventdata.subjectUserSid: 'S-1-5-18'
win.eventdata.targetSid: 'S-1-5-21-1727165165-2185125615-2131216522-11941'
win.eventdata.targetUserName: 'alama'
win.system.channel: 'Security'
win.system.computer: 'WINDOWS.domena.moja.pl'
win.system.eventID: '4740'
win.system.eventRecordID: '1463966592'
win.system.keywords: '0x8020000000000000'
win.system.level: '0'
win.system.message: '"A user account was locked out.

Subject:
Security ID: S-1-5-18
Account Name: WINDOWS$
Account Domain: UM
Logon ID: 0x3E7

Account That Was Locked Out:
Security ID: S-1-5-21-1727165165-2185125615-2131216522-11941
Account Name: alama

Additional Information:
Caller Computer Name: "'
win.system.opcode: '0'
win.system.processID: '692'
win.system.providerGuid: '{54849625-5478-4994-a5ba-3e3b0328c30d}'
win.system.providerName: 'Microsoft-Windows-Security-Auditing'
win.system.severityValue: 'AUDIT_SUCCESS'
win.system.systemTime: '2023-10-11T05:09:59.636846000Z'
win.system.task: '13824'
win.system.threadID: '7592'
win.system.version: '0'


**Phase 3: Completed filtering (rules).
id: '60115'
level: '9'
description: 'User account locked out (multiple login errors).'
groups: '['windows', 'windows_security', 'authentication_failures']'
firedtimes: '1'
gdpr: '['IV_35.7.d']'
gpg13: '['7.5']'
hipaa: '['164.312.a.1']'
mail: 'False'
mitre.id: '['T1110', 'T1531']'
mitre.tactic: '['Credential Access', 'Impact']'
mitre.technique: '['Brute Force', 'Account Access Removal']'
nist_800_53: '['AC.7', 'SI.4']'
pci_dss: '['11.4', '8.1.6']'
tsc: '['CC6.1', 'CC6.8', 'CC7.2', 'CC7.3']'
**Alert to be generated.

{"win":{"system":{"providerName":"Microsoft-Windows-Security-Auditing","providerGuid":"{54849625-5478-4994-a5ba-3e3b0328c30d}","eventID":"4740","version":"0","level":"0","task":"13824","opcode":"0","keywords":"0x8020000000000000","systemTime":"2023-10-11T05:09:59.636846000Z","eventRecordID":"1463966592","processID":"692","threadID":"7592","channel":"Security","computer":"WINDOWS.domena.moja.pl","severityValue":"AUDIT_SUCCESS","message":"\"A user account was locked out.\r\n\r\nSubject:\r\n\tSecurity ID:\t\tS-1-5-18\r\n\tAccount Name:\t\tWINDOWS$\r\n\tAccount Domain:\t\tUM\r\n\tLogon ID:\t\t0x3E7\r\n\r\nAccount That Was Locked Out:\r\n\tSecurity ID:\t\tS-1-5-21-1727165165-2185125615-2131216522-11941\r\n\tAccount Name:\t\talama\r\n\r\nAdditional Information:\r\n\tCaller Computer Name:\t\""},"eventdata":{"targetUserName":"alama","targetSid":"S-1-5-21-1727165165-2185125615-2131216522-11941","subjectUserSid":"S-1-5-18","subjectUserName":"WINDOWS$","subjectDomainName":"UM","subjectLogonId":"0x3e7"}}}

**Phase 1: Completed pre-decoding.

**Phase 2: Completed decoding.
name: 'json'
win.eventdata.subjectDomainName: WU
win.eventdata.subjectLogonId: '0x3e7'
win.eventdata.subjectUserName: 'WINDOWS$'
win.eventdata.subjectUserSid: 'S-1-5-18'
win.eventdata.targetSid: 'S-1-5-21-1727165165-2185125615-2131216522-11941'
win.eventdata.targetUserName: 'alama'
win.system.channel: 'Security'
win.system.computer: 'WINDOWS.domena.moja.pl'
win.system.eventID: '4740'
win.system.eventRecordID: '1463966592'
win.system.keywords: '0x8020000000000000'
win.system.level: '0'
win.system.message: '"A user account was locked out.

Subject:
Security ID: S-1-5-18
Account Name: WINDOWS$
Account Domain: UM
Logon ID: 0x3E7

Account That Was Locked Out:
Security ID: S-1-5-21-1727165165-2185125615-2131216522-11941
Account Name: alama

Additional Information:
Caller Computer Name: "'
win.system.opcode: '0'
win.system.processID: '692'
win.system.providerGuid: '{54849625-5478-4994-a5ba-3e3b0328c30d}'
win.system.providerName: 'Microsoft-Windows-Security-Auditing'
win.system.severityValue: 'AUDIT_SUCCESS'
win.system.systemTime: '2023-10-11T05:09:59.636846000Z'
win.system.task: '13824'
win.system.threadID: '7592'
win.system.version: '0'


**Phase 3: Completed filtering (rules).
id: '100300'
level: '12'
description: 'Domena: konto zablokowane wiecej niz 4 razy alama'
groups: '['windows', 'windows_security']'
firedtimes: '1'
frequency: '2'
mail: 'True'
**Alert to be generated.


root@wazuh1:/home/socadmin# /var/ossec/bin/wazuh-logtest

Starting wazuh-logtest v4.5.2
Type one log per line

{"win":{"system":{"providerName":"Microsoft-Windows-Security-Auditing","providerGuid":"{54849625-5478-4994-a5ba-3e3b0328c30d}","eventID":"4740","version":"0","level":"0","task":"13824","opcode":"0","keywords":"0x8020000000000000","systemTime":"2023-10-11T05:09:59.636846000Z","eventRecordID":"1463966592","processID":"692","threadID":"7592","channel":"Security","computer":"WINDOWS.domena.moja.pl","severityValue":"AUDIT_SUCCESS","message":"\"A user account was locked out.\r\n\r\nSubject:\r\n\tSecurity ID:\t\tS-1-5-18\r\n\tAccount Name:\t\tWINDOWS$\r\n\tAccount Domain:\t\tUM\r\n\tLogon ID:\t\t0x3E7\r\n\r\nAccount That Was Locked Out:\r\n\tSecurity ID:\t\tS-1-5-21-1727165165-2185125615-2131216522-11941\r\n\tAccount Name:\t\talama\r\n\r\nAdditional Information:\r\n\tCaller Computer Name:\t\""},"eventdata":{"targetUserName":"alama","targetSid":"S-1-5-21-1727165165-2185125615-2131216522-11941","subjectUserSid":"S-1-5-18","subjectUserName":"WINDOWS$","subjectDomainName":"UM","subjectLogonId":"0x3e7"}}}

**Phase 1: Completed pre-decoding.

**Phase 2: Completed decoding.
name: 'json'
win.eventdata.subjectDomainName: WU
win.eventdata.subjectLogonId: '0x3e7'
win.eventdata.subjectUserName: 'WINDOWS$'
win.eventdata.subjectUserSid: 'S-1-5-18'
win.eventdata.targetSid: 'S-1-5-21-1727165165-2185125615-2131216522-11941'
win.eventdata.targetUserName: 'alama'
win.system.channel: 'Security'
win.system.computer: 'WINDOWS.domena.moja.pl'
win.system.eventID: '4740'
win.system.eventRecordID: '1463966592'
win.system.keywords: '0x8020000000000000'
win.system.level: '0'
win.system.message: '"A user account was locked out.

Subject:
Security ID: S-1-5-18
Account Name: WINDOWS$
Account Domain: UM
Logon ID: 0x3E7

Account That Was Locked Out:
Security ID: S-1-5-21-1727165165-2185125615-2131216522-11941
Account Name: alama

Additional Information:
Caller Computer Name: "'
win.system.opcode: '0'
win.system.processID: '692'
win.system.providerGuid: '{54849625-5478-4994-a5ba-3e3b0328c30d}'
win.system.providerName: 'Microsoft-Windows-Security-Auditing'
win.system.severityValue: 'AUDIT_SUCCESS'
win.system.systemTime: '2023-10-11T05:09:59.636846000Z'
win.system.task: '13824'
win.system.threadID: '7592'
win.system.version: '0'


**Phase 3: Completed filtering (rules).
id: '60115'
level: '9'
description: 'User account locked out (multiple login errors).'
groups: '['windows', 'windows_security', 'authentication_failures']'
firedtimes: '1'
gdpr: '['IV_35.7.d']'
gpg13: '['7.5']'
hipaa: '['164.312.a.1']'
mail: 'False'
mitre.id: '['T1110', 'T1531']'
mitre.tactic: '['Credential Access', 'Impact']'
mitre.technique: '['Brute Force', 'Account Access Removal']'
nist_800_53: '['AC.7', 'SI.4']'
pci_dss: '['11.4', '8.1.6']'
tsc: '['CC6.1', 'CC6.8', 'CC7.2', 'CC7.3']'
**Alert to be generated.

{"win":{"system":{"providerName":"Microsoft-Windows-Security-Auditing","providerGuid":"{54849625-5478-4994-a5ba-3e3b0328c30d}","eventID":"4740","version":"0","level":"0","task":"13824","opcode":"0","keywords":"0x8020000000000000","systemTime":"2023-10-11T05:09:59.636846000Z","eventRecordID":"1463966592","processID":"692","threadID":"7592","channel":"Security","computer":"WINDOWS.domena.moja.pl","severityValue":"AUDIT_SUCCESS","message":"\"A user account was locked out.\r\n\r\nSubject:\r\n\tSecurity ID:\t\tS-1-5-18\r\n\tAccount Name:\t\tWINDOWS$\r\n\tAccount Domain:\t\tUM\r\n\tLogon ID:\t\t0x3E7\r\n\r\nAccount That Was Locked Out:\r\n\tSecurity ID:\t\tS-1-5-21-1727165165-2185125615-2131216522-11941\r\n\tAccount Name:\t\talama\r\n\r\nAdditional Information:\r\n\tCaller Computer Name:\t\""},"eventdata":{"targetUserName":"alama","targetSid":"S-1-5-21-1727165165-2185125615-2131216522-11941","subjectUserSid":"S-1-5-18","subjectUserName":"WINDOWS$","subjectDomainName":"UM","subjectLogonId":"0x3e7"}}}

New session was created with token "5d088770"
** Wazuh-Logtest: WARNING: (7003): 'a863f602' token expires

**Phase 1: Completed pre-decoding.

**Phase 2: Completed decoding.
name: 'json'
win.eventdata.subjectDomainName: WU
win.eventdata.subjectLogonId: '0x3e7'
win.eventdata.subjectUserName: 'WINDOWS$'
win.eventdata.subjectUserSid: 'S-1-5-18'
win.eventdata.targetSid: 'S-1-5-21-1727165165-2185125615-2131216522-11941'
win.eventdata.targetUserName: 'alama'
win.system.channel: 'Security'
win.system.computer: 'WINDOWS.domena.moja.pl'
win.system.eventID: '4740'
win.system.eventRecordID: '1463966592'
win.system.keywords: '0x8020000000000000'
win.system.level: '0'
win.system.message: '"A user account was locked out.

Subject:
Security ID: S-1-5-18
Account Name: WINDOWS$
Account Domain: UM
Logon ID: 0x3E7

Account That Was Locked Out:
Security ID: S-1-5-21-1727165165-2185125615-2131216522-11941
Account Name: alama

Additional Information:
Caller Computer Name: "'
win.system.opcode: '0'
win.system.processID: '692'
win.system.providerGuid: '{54849625-5478-4994-a5ba-3e3b0328c30d}'
win.system.providerName: 'Microsoft-Windows-Security-Auditing'
win.system.severityValue: 'AUDIT_SUCCESS'
win.system.systemTime: '2023-10-11T05:09:59.636846000Z'
win.system.task: '13824'
win.system.threadID: '7592'
win.system.version: '0'


**Phase 3: Completed filtering (rules).
id: '60115'
level: '9'
description: 'User account locked out (multiple login errors).'
groups: '['windows', 'windows_security', 'authentication_failures']'
firedtimes: '1'
gdpr: '['IV_35.7.d']'
gpg13: '['7.5']'
hipaa: '['164.312.a.1']'
mail: 'False'
mitre.id: '['T1110', 'T1531']'
mitre.tactic: '['Credential Access', 'Impact']'
mitre.technique: '['Brute Force', 'Account Access Removal']'
nist_800_53: '['AC.7', 'SI.4']'
pci_dss: '['11.4', '8.1.6']'
tsc: '['CC6.1', 'CC6.8', 'CC7.2', 'CC7.3']'
**Alert to be generated.

Marcos Darío Buslaiman

Oct 17, 2023, 11:33:24 AM
to Wazuh | Mailing List

Hi Jarek,
I replicated the test by changing the timeframe from 15 to 30 min:
<group name="local,syslog,sshd,">
  <rule id="100001" level="9">
    <if_sid>5503</if_sid>
    <description>sshd: authentication failed from IP $(srcip)</description>
    <group>authentication_failed,pci_dss_10.2.4,pci_dss_10.2.5,</group>
  </rule>
  <!-- 2 times in 30min -->
  <rule id="100002" frequency="2" timeframe="1800" level="10">
    <if_matched_sid>100001</if_matched_sid>
    <same_srcip/>
    <description>The user $(user) IP: $(srcip) tried to authenticate without success 2 times in 4 min.</description>
  </rule>
</group>
It is triggering the alerts with both configurations, timeframe 900 (15 min) and 1800 (30 min).
According to the rule that you have shared, the timeframe is configured to 8 hours (28800 seconds); could you confirm the configuration that you have used in your test?


<rule id="100300" level="12" frequency="2" timeframe="28800">
        <if_matched_sid>60115</if_matched_sid>
        <options>no_full_log</options>
        <same_field>win.eventdata.targetUserName</same_field>
        <description>Domena: Account locket more than 2 times $(win.eventdata.targetUserName)</description>
</rule>


Regards!
Marcos 

Malcolm Rafter Pinto

Oct 19, 2023, 7:02:31 AM
to Wazuh | Mailing List
Hello All,

Replying on behalf of Awais Javaid,
Just want all of us to be on the same page.

When the logs/alerts are instantaneous and occur one after the other, the aggregation rule works as expected. However, when there's a time gap of, for example, 1 minute between logs/alerts, the aggregation rule fails to work.

We have rigorously tested several scenarios, but failed to fix this.
Use case No. 1: Frequency: 2 and Timeframe: 10 sec
If the logs are instantaneous, the aggregation rule is working.

Use case No. 2: Frequency: 2 and Timeframe: 120 sec or 900 sec
If the logs are instantaneous, the aggregation rule is working.

Use case No. 3: Frequency: 2 and Timeframe: 120 sec or 900 sec
If the logs arrive with a gap of 1 minute, then the aggregation rule is not working.

To sum everything up: if logs come in quick succession, the aggregation rule gets triggered. In our case, if two logs come in instantly, we get an alert. Should there be a time gap between each entry, the rule doesn't get triggered.

Goal: Get aggregated alerts over the defined time window.

Regards,
Malcolm

Marcos Darío Buslaiman

Oct 20, 2023, 3:25:19 PM
to Wazuh | Mailing List
Hi Malcolm,
I have been testing this and I get the correct result in each scenario.
Here is scenario No. 3 that you mentioned.
My rule is:
<rule id="130333" level="12" frequency="2" timeframe="180">
        <if_matched_sid>5710</if_matched_sid>
        <options>no_full_log</options>
        <description>Login SSH user does not exist or wrong password</description>
</rule>


Rule 5710 is a stock rule that triggers when you try to log in with an invalid user.
/var/ossec/ruleset/rules/0095-sshd_rules.xml
  <rule id="5710" level="5">
    <if_sid>5700</if_sid>
    <match>illegal user|invalid user</match>
    <description>sshd: Attempt to login using a non-existent user</description>
    <mitre>
      <id>T1110.001</id>
      <id>T1021.004</id>
    </mitre>
    <group>authentication_failed,gdpr_IV_35.7.d,gdpr_IV_32.2,gpg13_7.1,hipaa_164.312.b,invalid_login,nist_800_53_AU.14,nist_800_53_AC.7,nist_800_53_AU.6,pci_dss_10.2.4,pci_dss_10.2.5,pci_dss_10.6.1,tsc_CC6.1,tsc_CC6.8,tsc_CC7.2,tsc_CC7.3,</group>
  </rule>


Then I tested by waiting more than a minute after the first occurrence.
At 19:09:21 the 1st failed login triggered rule 5710:

{"timestamp":"2023-10-20T19:09:21.301+0000","rule":{"level":5,"description":"sshd: Attempt to login using a non-existent user","id":"5710","mitre":{"id":["T1110.001","T1021.004"],"tactic":["Credential Access","Lateral Movement"],"technique":["Password Guessing","SSH"]},"firedtimes":1,"mail":false,"groups":["syslog","sshd","authentication_failed","invalid_login"],"gdpr":["IV_35.7.d","IV_32.2"],"gpg13":["7.1"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7","AU.6"],"pci_dss":["10.2.4","10.2.5","10.6.1"],"tsc":["CC6.1","CC6.8","CC7.2","CC7.3"]},"agent":{"id":"016","name":"debian11X","ip":"192.168.1.78"},"manager":{"name":"wazuh-server"},"id":"1697828961.1234266","full_log":"Oct 20 14:09:20 debian sshd[12652]: Invalid user kkkkk from 192.168.1.82 port 16942","predecoder":{"program_name":"sshd","timestamp":"Oct 20 14:09:20","hostname":"debian"},"decoder":{"parent":"sshd","name":"sshd"},"data":{"srcip":"192.168.1.82","srcport":"16942","srcuser":"kkkkk"},"location":"/var/log/auth.log"}

At 19:11:37 I executed the 2nd login attempt, and it triggered rule 130333:

{"timestamp":"2023-10-20T19:11:37.503+0000","rule":{"level":12,"description":"Login SSH user do not exist or wrong password","id":"130333","frequency":2,"firedtimes":1,"mail":true,"groups":["local","syslog","sshd"]},"agent":{"id":"016","name":"debian11X","ip":"192.168.1.78"},"manager":{"name":"wazuh-server"},"id":"1697829097.1242167","predecoder":{"program_name":"sshd","timestamp":"Oct 20 14:11:36","hostname":"debian"},"decoder":{"parent":"sshd","name":"sshd"},"data":{"srcip":"192.168.1.82","srcport":"16948","srcuser":"uuuuuu"},"location":"/var/log/auth.log"}

So, more than 2 minutes after the 1st occurrence, it is triggering rule 130333.

Please let me know if I misunderstood something or if you are referring to another test case.

Regards!
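The three use cases Malcolm lists and the two-event test Marcos ran above can be checked against a small simulation of a frequency/timeframe rule. The following is an added example written for this page, not Wazuh code and not anything posted in the thread: it models a composite rule as a sliding window over the arrival times of earlier matches (assumed here to be what the engine counts, expressed in plain seconds), grouped by an optional same_* field, and fires when the N-th match lands inside a span of timeframe seconds. Rule ids, timestamps and event fields are constructed to mirror the thread, not captured data. The logtest transcript above also shows a new session being created between two events ("token expires"), which is state the tool keeps between events; the simulation keeps its own history, so only the window logic is exercised here.

```python
from collections import defaultdict
from typing import Dict, List, Optional

# Constructed simulation (not Wazuh's own code) of a composite rule with
# frequency="N" timeframe="T" and an optional same_* field. An event is a
# plain dict holding the id of the rule it already matched, an arrival time
# in seconds (assumption: arrival time is what the engine counts) and the
# fields a same_* option may group on.


class CompositeRule:
    def __init__(self, rule_id: str, if_matched_sid: str, frequency: int,
                 timeframe: int, same_field: Optional[str] = None):
        self.rule_id = rule_id
        self.if_matched_sid = if_matched_sid
        self.frequency = frequency
        self.timeframe = timeframe          # seconds
        self.same_field = same_field        # e.g. "srcip" or "targetUserName"
        # Per-group list of arrival times of earlier matches, oldest first.
        self._history: Dict[str, List[int]] = defaultdict(list)

    def feed(self, event: dict) -> bool:
        """Feed one already-evaluated event; return True if this rule fires."""
        if event.get("rule_id") != self.if_matched_sid:
            return False
        key = str(event.get(self.same_field, "")) if self.same_field else "*"
        now = event["time"]
        hist = self._history[key]
        # Keep only matches that fall inside the window ending at this event.
        hist[:] = [t for t in hist if now - t <= self.timeframe]
        hist.append(now)
        if len(hist) >= self.frequency:
            hist.clear()  # assumption: consumed matches do not count twice
            return True
        return False


def replay(rule: CompositeRule, events: List[dict]) -> List[int]:
    """Return the arrival times at which the composite rule fired."""
    return [e["time"] for e in events if rule.feed(e)]


def ssh_failures(times: List[int], srcip: str = "192.168.1.82") -> List[dict]:
    """Constructed events standing in for rule 5710 matches from one source IP."""
    return [{"time": t, "rule_id": "5710", "srcip": srcip} for t in times]


def malcolm_use_cases() -> Dict[str, List[int]]:
    """Replay the three use cases from the thread plus two boundary cases."""
    return {
        # Use case 1: frequency 2 / timeframe 10 s, events 1 s apart -> fires
        "uc1_instant_10s": replay(CompositeRule("130333", "5710", 2, 10),
                                  ssh_failures([0, 1])),
        # Use case 2: frequency 2 / timeframe 120 s, events 1 s apart -> fires
        "uc2_instant_120s": replay(CompositeRule("130333", "5710", 2, 120),
                                   ssh_failures([0, 1])),
        # Use case 3: frequency 2 / timeframe 120 s, events 60 s apart -> fires
        "uc3_gap60_120s": replay(CompositeRule("130333", "5710", 2, 120),
                                 ssh_failures([0, 60])),
        # Outside the window: timeframe 10 s, events 60 s apart -> never fires
        "gap60_10s": replay(CompositeRule("130333", "5710", 2, 10),
                            ssh_failures([0, 60])),
        # frequency 3 / timeframe 180 s, events 70 s apart: the third arrives
        # 140 s after the first, still inside the window -> fires
        "three_of_three_180s": replay(CompositeRule("130333", "5710", 3, 180),
                                      ssh_failures([0, 70, 140])),
    }


def lockout_by_user() -> Dict[str, List[int]]:
    """Jarek's rule shape: same_field on the locked-out user name."""
    rule = CompositeRule("100300", "60115", 2, 28800, same_field="targetUserName")
    events = [  # constructed lockout events, times in seconds
        {"time": 0, "rule_id": "60115", "targetUserName": "alama"},
        {"time": 900, "rule_id": "60115", "targetUserName": "other"},   # other user
        {"time": 1800, "rule_id": "60115", "targetUserName": "alama"},  # 2nd alama
    ]
    return {"fired_at": replay(rule, events)}


if __name__ == "__main__":
    for name, fired in malcolm_use_cases().items():
        print(f"{name}: fired at {fired}")
    print("lockout_by_user:", lockout_by_user())
```

Running malcolm_use_cases() shows use case 3 firing at the 60 s event, which is what Marcos observed with a 180 s window, and the same two events never firing under a 10 s window, which is the "wait more than 10 seconds" case from his first reply. lockout_by_user() shows why same_field matters: the lockout of a different account in between does not count toward the window for "alama". If a deployment does not behave like this, the values to compare are the frequency and timeframe actually loaded from the rule file and the arrival times the manager assigns (which the simulation assumes are what count), rather than the timestamps written inside the log lines.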

Jarek

Oct 27, 2023, 7:27:32 AM
to Wazuh | Mailing List
Hi Marcos,
Yes, the timeframe is 8 hours (28800 seconds).
Jarek