Trouble with excluding authorized scanners in web rule


Ben Virgilio

Apr 14, 2022, 12:08:42 PM
to Wazuh mailing list
Hello,

We're having a lot of trouble getting a rule level downgraded based on IP address.

We have the following log:
192.168.1.10 - - [14/Apr/2022:06:09:42 -0400] "GET /cgi-bin/clwarn.cgi HTTP/1.1" 404 216 "${jndi:ldap://log4shell-generic-aioTzmIZTGsZWgnr2mGv${lower:ten}.w.nessus.org/nessus}" "${jndi:ldap://log4shell-generic-aioTzmIZTGsZWgnr2mGv${lower:ten}.w.nessus.org/nessus}"

Which matches rule ID 31101 (Web server 400 error code.).

We are trying to downgrade any alerts from this IP (it's one of our vulnerability scanners), so we put the following in our local_rules.xml:
<group name="exceptions,">
  <rule id="100047" level="3">
    <srcip>192.168.1.10</srcip>
    <description>Ignore alerts from 192.168.1.10.</description>
  </rule>
</group>

However, in the rule tester we still see it hit the original rule.
**Phase 1: Completed pre-decoding.
    full event:  192.168.1.10 - - [14/Apr/2022:06:09:42 -0400] "GET /cgi-bin/clwarn.cgi HTTP/1.1" 404 216 "${jndi:ldap://log4shell-generic-aioTzmIZTGsZWgnr2mGv${lower:ten}.w.nessus.org/nessus}" "${jndi:ldap://log4shell-generic-aioTzmIZTGsZWgnr2mGv${lower:ten}.w.nessus.org/nessus}"  
    timestamp: -
    hostname: -
    program_name: -
**Phase 2: Completed decoding.
    name: web-accesslog
    data: {
      "protocol": "GET",
      "srcip": "192.168.1.10",
      "id": "404",
      "url": "/cgi-bin/clwarn.cgi"
    }
**Phase 3: Completed filtering (rules).
    id: 31101
    level: 5
    description: Web server 400 error code.
    groups: ["web","accesslog","attack"]
    firedtimes: 1
    gdpr: ["IV_35.7.d"]
    gpg13: "-"
    hipaa: "-"
    mail: "-"
    mitre.id: "-"
    mitre.technique: "-"
    nist_800_53: ["SA.11","SI.4"]
    pci_dss: ["6.5","11.4"]
    tsc: ["CC6.6","CC7.1","CC8.1","CC6.1","CC6.8","CC7.2","CC7.3"]
**Alert to be generated. 


We also tried using Match instead of srcip, with the same results. We have also tried using CDB lists containing this IP and other scanners to downgrade all alerts for the IPs. It does work on certain events being triggered, for example:

Log:
Apr 14 06:35:08 mendel-nas-001 sshd[8337]: Starting session: shell on pts/0 for qscanner from 192.168.1.10 port 43330 id 1

Rule test:
**Phase 1: Completed pre-decoding.
    full event:  Apr 14 06:35:08 hostname-nas-001 sshd[8337]: Starting session: shell on pts/0 for qscanner from 192.168.1.10 port 43330 id 1  
    timestamp: Apr 14 06:35:08
    hostname: hostname-nas-001
    program_name: sshd
**Phase 2: Completed decoding.
    name: sshd
    data: "-"
**Phase 3: Completed filtering (rules).
    id: 100047
    level: 3
    description: Ignore alerts from 192.168.1.10.
    groups: ["exceptions"]
    firedtimes: 1
    gdpr: "-"
    gpg13: "-"
    hipaa: "-"
    mail: "-"
    mitre.id: "-"
    mitre.technique: "-"
    nist_800_53: "-"
    pci_dss: "-"
    tsc: "-"
**Alert to be generated.

Our custom rules for CDB lists:
<group name="exceptions,">
  <rule id="100003" level="3">
    <list field="srcip" lookup="address_match_key">etc/lists/security-scanners</list>
    <description>Ignored (downgraded to level 3 to retain logging) alerts from Security Scanners (by src ip)</description>
  </rule>
</group>

<group name="exceptions,">
  <rule id="100048" level="3">
    <list field="data.srcip" lookup="address_match_key">etc/lists/security-scanners</list>
    <description>Ignored (downgraded to level 3 to retain logging) alerts from  Security Scanners (by src ip)</description>
  </rule>
</group>

It's almost as if the HTTP rules are being loaded after ours, or the srcip isn't parsed? What are we doing wrong?


- Patiently closing all of our false positive alerts :)

Julio Gasco

Apr 18, 2022, 8:12:54 AM
to Wazuh mailing list

Hi Virgilio,

Thanks for using our community!

The issue you are facing is due to a missing <if_sid> tag on the rules. In order to reference a parent rule you need to add the <if_sid> tag to the new rule, pointing to the parent rule you want to extend.
For example, in rule 100047 you need to call 31101 in order for Wazuh to test the new rule when 31101 is called.

Once <if_sid> was added, the rules work as expected. Rule 100047 will look like this:

<group name="exceptions,">
  <rule id="100047" level="3">
    <if_sid>31101</if_sid>
    <srcip>192.168.1.10</srcip>
    <description>Ignore alerts from 192.168.1.10.</description>
  </rule>
</group>

Test
Log:

192.168.1.10 - - [14/Apr/2022:06:09:42 -0400] "GET /cgi-bin/clwarn.cgi HTTP/1.1" 404 216 "${jndi:ldap://log4shell-generic-aioTzmIZTGsZWgnr2mGv${lower:ten}.w.nessus.org/nessus}" "${jndi:ldap://log4shell-generic-aioTzmIZTGsZWgnr2mGv${lower:ten}.w.nessus.org/nessus}"

Result

**Phase 1: Completed pre-decoding.
       full event: '192.168.1.10 - - [14/Apr/2022:06:09:42 -0400] "GET /cgi-bin/clwarn.cgi HTTP/1.1" 404 216 "${jndi:ldap://log4shell-generic-aioTzmIZTGsZWgnr2mGv${lower:ten}.w.nessus.org/nessus}" "${jndi:ldap://log4shell-generic-aioTzmIZTGsZWgnr2mGv${lower:ten}.w.nessus.org/nessus}"'
       timestamp: '(null)'
       hostname: 'welastic'
       program_name: '(null)'
       log: '192.168.1.10 - - [14/Apr/2022:06:09:42 -0400] "GET /cgi-bin/clwarn.cgi HTTP/1.1" 404 216 "${jndi:ldap://log4shell-generic-aioTzmIZTGsZWgnr2mGv${lower:ten}.w.nessus.org/nessus}" "${jndi:ldap://log4shell-generic-aioTzmIZTGsZWgnr2mGv${lower:ten}.w.nessus.org/nessus}"'

**Phase 2: Completed decoding.
       decoder: 'web-accesslog'
       srcip: '192.168.1.10'
       protocol: 'GET'
       url: '/cgi-bin/clwarn.cgi'
       id: '404'

**Phase 3: Completed filtering (rules).
       Rule id: '100047'
       Level: '3'
       Description: 'Ignore alerts from 192.168.1.10.'
**Alert to be generated.

The rule for the CDB list had the same issue; after adding 31101 it will work as expected. By the way, the correct rule to implement would be 100003, which is the correct syntax for matching a CDB list against the source IPs.

<group name="exceptions,">
  <rule id="100003" level="3">
    <if_sid>31101</if_sid>
    <list field="srcip" lookup="address_match_key">etc/lists/security-scanners</list>
    <description>Ignored (downgraded to level 3 to retain logging) alerts from Security Scanners (by src ip)</description>
  </rule>
</group>

Below is some reference documentation on rules syntax:
https://documentation.wazuh.com/current/user-manual/ruleset/ruleset-xml-syntax/rules.html

Regards

Ben Virgilio

Apr 18, 2022, 11:30:27 AM
to Wazuh mailing list
Ahhh, thank you so much Julio! Is there any way to globally exclude IPs for all rules then? We were hoping to make a generic match to cut down on the noise.

Thanks!

Julio Gasco

Apr 18, 2022, 3:46:34 PM
to Wazuh mailing list

Hi Virgilio,
You can create a CDB as you did with all the IPs you require, but you will have to apply it to every rule as in the example below:

<group name="exceptions,">
  <rule id="100003" level="3">
    <if_sid>31101</if_sid>
    <list field="srcip" lookup="address_match_key">etc/lists/security-scanners</list>
    <description>Ignored (downgraded to level 3 to retain logging) alerts from Security Scanners (by src ip)</description>
  </rule>
</group>

There is no way to apply such a filter to every rule other than silencing each one as shown.

Regards!
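Since the answer above means one `<if_sid>` child rule per parent rule you want to silence, the following is an added example (not Wazuh code and not from either poster) that generates that exceptions group from a list of parent rule IDs and the CDB list path used in the thread, writes the matching CDB list lines, and lints a local_rules.xml fragment for the two defects this thread ran into: a child rule with no `<if_sid>` (so it is a top-level rule rather than an override of the rule that actually fired) and an unclosed `<if_sid>` tag, which is not well-formed XML. Rule ID 31101, the list path and the scanner IP come from the thread; the additional parent IDs and second scanner IP are constructed placeholders, and the `key:value` CDB line format is the one Wazuh's list files use.

```python
"""
Added example, not part of Wazuh or of the original posts: generate per-parent
<if_sid> exception rules for authorized scanners and lint a local_rules.xml
fragment for the mistakes seen in this thread.
"""
import xml.etree.ElementTree as ET

# Values taken from the thread.
CDB_LIST_PATH = "etc/lists/security-scanners"
WEB_400_RULE = 31101

# Constructed sample inputs. The extra parent IDs are placeholders only,
# not a claim about which Wazuh rules should be silenced for scanners.
SAMPLE_PARENTS = [WEB_400_RULE, 31103, 31104]
SAMPLE_SCANNER_IPS = ["192.168.1.10", "192.168.1.11"]


def cdb_list_lines(ips):
    """Lines for the CDB list file: one 'key:value' per line. With
    lookup="address_match_key" the key is the IP; the value may be empty."""
    return [f"{ip}:" for ip in ips]


def build_exception_group(parent_ids, list_path, first_child_id=100003, level=3):
    """Emit one <group name="exceptions,"> containing a child rule per parent.
    Building it with ElementTree rather than string pasting guarantees every
    tag is closed, which is exactly the typo the hand-written rules had."""
    group = ET.Element("group", name="exceptions,")
    for offset, parent in enumerate(parent_ids):
        rule = ET.SubElement(group, "rule",
                             id=str(first_child_id + offset), level=str(level))
        # The child is only evaluated after its parent rule has matched.
        ET.SubElement(rule, "if_sid").text = str(parent)
        lst = ET.SubElement(rule, "list", field="srcip", lookup="address_match_key")
        lst.text = list_path
        ET.SubElement(rule, "description").text = (
            f"Downgraded to level {level}: rule {parent} fired for an authorized scanner"
        )
    ET.indent(group)  # pretty-print (Python 3.9+)
    return ET.tostring(group, encoding="unicode")


def lint_local_rules(xml_text):
    """Return a list of findings for a local_rules.xml fragment; an empty list
    means it is well-formed XML and every rule names a parent via <if_sid>.
    local_rules.xml may hold several top-level <group> elements, so the text
    is wrapped in a synthetic root before parsing."""
    try:
        root = ET.fromstring(f"<root>{xml_text}</root>")
    except ET.ParseError as exc:
        return [f"not well-formed XML: {exc}"]
    findings = []
    for rule in root.iter("rule"):
        rid = rule.get("id", "?")
        if_sid = rule.find("if_sid")
        if if_sid is None or not (if_sid.text or "").strip():
            findings.append(
                f"rule {rid}: no <if_sid>, so it is a top-level rule and does not "
                f"override the parent rule that fires for this event"
            )
    return findings


if __name__ == "__main__":
    print("\n".join(cdb_list_lines(SAMPLE_SCANNER_IPS)))
    generated = build_exception_group(SAMPLE_PARENTS, CDB_LIST_PATH)
    print(generated)
    print("findings:", lint_local_rules(generated))
```

Running the script prints the CDB list lines, the generated group, and an empty findings list; feeding it the thread's first rule (no `<if_sid>`) or the reply's `<if_sid>31101<if_sid>` variant yields one finding each. `<if_sid>` also accepts several comma-separated parent IDs, so the generated rules could be collapsed into fewer entries if a single description suffices.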
