Problem with negative lookbehind in wazuh rule


Vincenzo Capasso

Sep 13, 2023, 6:25:46 AM
to Wazuh | Mailing List
Good Morning,
I need to change this rule:
<rule id="31103" level="7">
    <if_sid>31100,31108</if_sid>
    <url>=select%20|select+|insert%20|%20from%20|%20where%20|union%20|</url>
    <url>union+|where+|null,null|xp_cmdshell</url>
    <description>SQL injection attempt.</description>
    <mitre>
      <id>T1190</id>
    </mitre>
    <group>attack,sql_injection,pci_dss_6.5,pci_dss_11.4,pci_dss_6.5.1,gdpr_IV_35.7.d,nist_800_53_SA.11,nist_800_53_SI.4,tsc_CC6.6,tsc_CC7.1,tsc_CC8.1,tsc_CC6.1,tsc_CC6.8,tsc_CC7.2,tsc_CC7.3,</group>
  </rule>
And add this negative lookbehind " (?<!transferred)%20from%20 ", but I have a problem with the syntax. How can I do it?

Sandra Ocando

Sep 13, 2023, 12:18:15 PM
to Vincenzo Capasso, Wazuh | Mailing List
Hello,

If I understand correctly, you want the "SQL injection attempt" alert to trigger when any of the conditions of rule 31103 are met, except if the only triggering condition is %20from%20 and it is preceded by "transferred": transferred%20from%20.

There isn't a straightforward way to achieve this, but here's a possible approach:

Modify the original rule 31103 to remove the %20from%20 condition. This way, if any of the other conditions are met, the rule will trigger as usual.

Next, check if %20from%20 is present in the log by creating a child rule of the parent rules of 31103 (31100 and 31108). If %20from%20 is present in the log, another child rule will check if it is preceded by "transferred". If it is, it will trigger a level 0 rule that doesn't generate an alert. On the contrary, if %20from%20 is present but not preceded by "transferred," a rule with the same level as rule 31103 is triggered.

Check the Custom rules and decoders section of the documentation to learn more.

For example, you can copy these rules into /var/ossec/etc/local_rules.xml:
<group name="web,accesslog,">
  <rule id="31103" level="7" overwrite="yes">
    <if_sid>31100,31108</if_sid>
    <url>=select%20|select+|insert%20|%20where%20|union%20|</url>
    <url>union+|where+|null,null|xp_cmdshell</url>
    <description>SQL injection attempt.</description>
    <mitre>
      <id>T1190</id>
    </mitre>
    <group>attack,sql_injection,pci_dss_6.5,pci_dss_11.4,pci_dss_6.5.1,gdpr_IV_35.7.d,nist_800_53_SA.11,nist_800_53_SI.4,tsc_CC6.6,tsc_CC7.1,tsc_CC8.1,tsc_CC6.1,tsc_CC6.8,tsc_CC7.2,tsc_CC7.3,</group>
  </rule>

  <rule id="100103" level="7">
    <if_sid>31100,31108</if_sid>
    <url>%20from%20</url>
    <description>SQL injection attempt.</description>
    <mitre>
      <id>T1190</id>
    </mitre>
    <group>attack,sql_injection,pci_dss_6.5,pci_dss_11.4,pci_dss_6.5.1,gdpr_IV_35.7.d,nist_800_53_SA.11,nist_800_53_SI.4,tsc_CC6.6,tsc_CC7.1,tsc_CC8.1,tsc_CC6.1,tsc_CC6.8,tsc_CC7.2,tsc_CC7.3,</group>
  </rule>

  <rule id="100104" level="0">
    <if_sid>100103</if_sid>
    <url>transferred%20from%20</url>
    <description>Ignore transferred%20from%20</description>
    <mitre>
      <id>T1190</id>
    </mitre>
    <group>attack,sql_injection,pci_dss_6.5,pci_dss_11.4,pci_dss_6.5.1,gdpr_IV_35.7.d,nist_800_53_SA.11,nist_800_53_SI.4,tsc_CC6.6,tsc_CC7.1,tsc_CC8.1,tsc_CC6.1,tsc_CC6.8,tsc_CC7.2,tsc_CC7.3,</group>
  </rule>

</group>
To test the rules, you can use /var/ossec/bin/wazuh-logtest. To see the rule matching process, use option -v.

Here's an example of a log that contains transferred%20from%20 and none of the other triggering conditions.
# echo '10.11.12.13 - - - [27/Mar/2017:13:40:40 -0700] "GET /modules.php?name=Search&type=stories&query=qualys&category=-1%20&categ=%20and%201=2%200,0,aid,pwd,0,0,0,0,0,0transferred%20from%20nuke_authors/* HTTP/1.0" 404 982 "-" "-"' | /var/ossec/bin/wazuh-logtest -v 
Starting wazuh-logtest v4.5.2
Type one log per line


**Phase 1: Completed pre-decoding.
	full event: '10.11.12.13 - - - [27/Mar/2017:13:40:40 -0700] "GET /modules.php?name=Search&type=stories&query=qualys&category=-1%20&categ=%20and%201=2%200,0,aid,pwd,0,0,0,0,0,0transferred%20from%20nuke_authors/* HTTP/1.0" 404 982 "-" "-"'

**Phase 2: Completed decoding.
	name: 'web-accesslog'
	id: '404'
	protocol: 'GET'
	srcip: '10.11.12.13'
	url: '/modules.php?name=Search&type=stories&query=qualys&category=-1%20&categ=%20and%201=2%200,0,aid,pwd,0,0,0,0,0,0transferred%20from%20nuke_authors/*'

**Rule debugging:
	Trying rule: 4 - Generic template for all web rules.
		*Rule 4 matched
		*Trying child rules
	Trying rule: 31100 - Access log messages grouped.
		*Rule 31100 matched
		*Trying child rules
	Trying rule: 31108 - Ignored URLs (simple queries).
	Trying rule: 31511 - Blacklisted user agent (wget).
	Trying rule: 31115 - URL too long. Higher than allowed on most browsers. Possible attack.
	Trying rule: 31103 - SQL injection attempt.
	Trying rule: 100103 - SQL injection attempt.
		*Rule 100103 matched
		*Trying child rules
	Trying rule: 100104 -  Ignore transferred%20from%20
		*Rule 100104 matched

**Phase 3: Completed filtering (rules).
	id: '100104'
	level: '0'
	description: ' Ignore transferred%20from%20'
	groups: '['web', 'accesslog', 'attack', 'sql_injection']'
	firedtimes: '1'
	gdpr: '['IV_35.7.d']'
	mail: 'False'
	mitre.id: '['T1190']'
	mitre.tactic: '['Initial Access']'
	mitre.technique: '['Exploit Public-Facing Application']'
	nist_800_53: '['SA.11', 'SI.4']'
	pci_dss: '['6.5', '11.4', '6.5.1']'
	tsc: '['CC6.6', 'CC7.1', 'CC8.1', 'CC6.1', 'CC6.8', 'CC7.2', 'CC7.3']'
Remember to restart your manager so changes can take effect.

Let us know if you have any questions.
Best regards,
Sandra.
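The rule chain described in the reply above, modelled in Python as an added example (not part of the thread and not Wazuh's own OS_Regex matcher). It assumes, as the wazuh-logtest output shows, that sibling rules under 31100 are tried in order (31103 before 100103) and that the first match wins before its children are tried, which is why the exception only covers URLs whose sole triggering pattern is %20from%20; the sample URLs are constructed.

```python
import re

# Simplified model of the three rules from local_rules.xml above.
# Assumption: siblings are tried in the order listed here, first match
# wins, then that rule's children are tried. Wazuh's OS_Regex is not
# Python's re, but these particular patterns behave the same in both.
RULES = {
    31103: {"level": 7, "parents": {31100, 31108},
            "url": r"=select%20|select+|insert%20|%20where%20|union%20|"
                   r"union+|where+|null,null|xp_cmdshell"},
    100103: {"level": 7, "parents": {31100, 31108}, "url": r"%20from%20"},
    100104: {"level": 0, "parents": {100103}, "url": r"transferred%20from%20"},
}
ORDER = [31103, 100103, 100104]  # evaluation order inside the chain


def children_of(parent):
    return [rid for rid in ORDER if parent in RULES[rid]["parents"]]


def evaluate(url, parent=31100):
    """Return (rule_id, level) of the last rule that fires for this URL,
    starting from the access-log grouping rule 31100, or None if no
    SQL-injection rule in the chain matches."""
    for rid in children_of(parent):
        if re.search(RULES[rid]["url"], url):
            # A matching child replaces the parent's result; go deeper.
            deeper = evaluate(url, rid)
            return deeper if deeper else (rid, RULES[rid]["level"])
    return None


# Constructed sample URLs (not taken from real traffic).
SAMPLES = {
    "exception": "/modules.php?categ=0,0transferred%20from%20nuke_authors/*",
    "from_only": "/modules.php?categ=1%20from%20users",
    "other_pattern": "/index.php?id=1%20union%20select%20pwd",
    "both": "/index.php?id=1%20union%20select%20x%20transferred%20from%20y",
    "clean": "/index.php?id=42",
}


def run_samples():
    return {name: evaluate(url) for name, url in SAMPLES.items()}


if __name__ == "__main__":
    for name, result in run_samples().items():
        print(f"{name:14} -> {result}")
```

The "both" case is the caveat: because 31103 matches first and has no level-0 child, a URL that carries transferred%20from%20 together with any other pattern still alerts at level 7.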


Vincenzo Capasso

Sep 14, 2023, 5:37:49 AM
to Wazuh | Mailing List
Thank you, it solved the problem.