New to WAZUH - Would like some help with windows_decoders


Boris Kiss

Dec 12, 2022, 10:39:36 PM
to Wazuh mailing list
Hello Everyone,

I'm very new to WAZUH and I was wondering if someone could shine some light on my issue. Currently the windows_decoders.xml has the following configuration:

<decoder name="windows_fields">
  <type>windows</type>
  <parent>windows</parent>
  <regex>Source Network Address:\t*\s*(\S+.\S+.\S+.\S+)|Source Network Address:\t*\s*(\S*:\S*:\S*:\S*:\S*:\S*:\S*:\S*)|[CLIENT: (\S+\d)]</regex>
  <order>srcip</order>
</decoder>

I would like to replace Source Network Address with IPString data that is pulled from Microsoft-Windows-RemoteDesktopServices-RdpCoreTS and map it to srcip.

The reason being is because the events that are in the Security Event Viewer do not provide the source IP. It's blank, and therefore the script to block the IP doesn't work.

I tried modifying windows_decoders.xml as below, but it is not working.

<decoder name="windows_fields">
  <type>windows</type>
  <parent>windows</parent>
  <regex>"iPString":"(\S+.\S+.\S+.\S+)"</regex>
  <order>srcip</order>
</decoder>

Any help would be greatly appreciated.

Damian Nicastro

Dec 13, 2022, 12:57:15 AM
to Wazuh mailing list
Hello Boris:

I hope you are fine.
Please, first let me know your Wazuh version because I don't see the same.
Please, also consider that you should make a copy of the default "/var/ossec/ruleset/decoders/0380-windows_decoders.xml" in "/var/ossec/etc/decoders/" with a different name and then make the modifications there in order to avoid the overwriting when you make a Wazuh upgrade. Additionally, you have to exclude the default decoder in the Wazuh config file:
# vi /var/ossec/etc/ossec.conf
...
<ruleset>
    <!-- Default ruleset -->
    <decoder_dir>ruleset/decoders</decoder_dir>
    <rule_dir>ruleset/rules</rule_dir>
    <rule_exclude>0215-policy_rules.xml</rule_exclude>
    <decoder_exclude>0380-windows_decoders.xml</decoder_exclude>
    <list>etc/lists/audit-keys</list>
    <list>etc/lists/amazon/aws-eventnames</list>
    <list>etc/lists/security-eventchannel</list>

    <!-- User-defined ruleset -->
    <decoder_dir>etc/decoders</decoder_dir>
    <rule_dir>etc/rules</rule_dir>
  </ruleset>
...

This decoder might be dependent on other decoders, or rules will look for it in the ruleset. For this reason, you might need to copy these rules or decoders into the corresponding "/var/ossec/etc/decoders/" or "/var/ossec/etc/rules/" and exclude them in the mentioned configuration to maintain the functionalities.

Please, also tell me which script you are trying to use to block the Source IP. 

Finally, please share the "localfile" configuration you are using in the agent to monitor this EventChannel.

I hope this helps.

Thanks

bo...@alliedens.com

Dec 13, 2022, 11:03:44 AM
to Wazuh mailing list
Hello Damian,

Thank you for the reply and I hope all is fine with you as well. I will try to answer all your questions...

I am running WAZUH 4.3.10, the decoder that I was referencing was the 0380-windows_decoders.xml located in "/var/ossec/ruleset/decoders/" and I did make a copy of the xml file (working on the original to make sure things work as I want them to before making final configurations).

I wondered if the decoders get overwritten when a new update / upgrade gets applied (I will make the final exclusions changes once I know things are working as I want them to).

The script that I'm trying to run is the default netsh.exe which is defined in my Manager ossec.conf as below:

<active-response>
  <disabled>no</disabled>
  <command>netsh</command>
  <location>local</location>
  <rules_id>60010</rules_id>
  <timeout>1000</timeout>
</active-response>

And the command is defined as below:

<command>
  <name>netsh</name>
  <executable>netsh.exe</executable>
  <timeout_allowed>yes</timeout_allowed>
</command>

rule_id 60010 is defined in my 0575-win-base_rules.xml as below (I changed the level to 5 so wazuh would show notifications in my dashboard; the original was set to 0 and wazuh is configured to log anything above level 3):

<rule id="60010" level="5">
  <if_sid>60000</if_sid>
  <field name="win.system.eventID">^140$</field>
  <field name="win.system.severityValue">^WARNING$</field>
  <options>no_full_log</options>
  <description>RdpCoreTS RemoteIP warning event.</description>
  <group>gpg13_4.12,</group>
</rule>

So all these configurations are working until the part where wazuh should execute the command to block the offending IP address. Also, in my wazuh dashboard (agents, agent in question, security events, events) I do see the event with rule.id 60010 with all the information pulled from the event log (the table is below):

agent.id                        011
data.win.eventdata.iPString     x.x.x.x (I removed the IP info)
data.win.system.channel         Microsoft-Windows-RemoteDesktopServices-RdpCoreTS/Operational
data.win.system.eventID         140
data.win.system.eventRecordID   50737427
data.win.system.keywords        0x4000000000000000
data.win.system.level           3
data.win.system.message         "A connection from the client computer with an IP address of x.x.x.x (I removed the IP) failed because the user name or password is not correct."
data.win.system.opcode          14
data.win.system.processID       5276
data.win.system.providerGuid    {1139C61B-B549-4251-8ED3-27250A1EDEC8}
data.win.system.providerName    Microsoft-Windows-RemoteDesktopServices-RdpCoreTS
data.win.system.severityValue   WARNING
data.win.system.systemTime      2022-12-13T15:16:26.398243900Z
data.win.system.task            4
data.win.system.threadID        5368
data.win.system.version         0
decoder.name                    windows_eventchannel
id                              1670944586.314633764
input.type                      log
location                        EventChannel
manager.name                    name.domain.com (I removed the info)
rule.description                RdpCoreTS RemoteIP warning event.
rule.firedtimes                 1
rule.gpg13                      4.12
rule.groups                     windows
rule.id                         60010
rule.level                      5
rule.mail                       false
timestamp                       Dec 13, 2022 @ 09:16:26.923

The reason I'm using this event channel is that if I use rule_id 60122, which monitors the Windows security event log for failed attempts with eventID 4625, Windows doesn't provide the Source Network Address (as shown below), and it has to be retrieved from the Microsoft-Windows-RemoteDesktopServices-RdpCoreTS/Operational event log.

Failure Information:
Failure Reason:          Unknown user name or bad password.
Status:                  0xC000006D
Sub Status:              0xC0000064

Process Information:
Caller Process ID:       0x0
Caller Process Name:     -

Network Information:
Workstation Name:        workstation
Source Network Address:  -     (this is where the problem is, as windows doesn't record the IP address, and that is why I want to extract / map the data.win.eventdata.iPString x.x.x.x to "srcip")
Source Port:             -

In the agent log, I see that it tries to fire the script, however there is an error as below:
2022/12/13 09:36:37 active-response/bin/netsh.exe: Cannot read 'srcip' from data

When looking at the documentation of the netsh.exe command it references "srcip" as below:

// Get srcip
const char *srcip = get_srcip_from_json(input_json);

if (!srcip) {
    write_debug_file(argv[0], "Cannot read 'srcip' from data");
    cJSON_Delete(input_json);
    return OS_INVALID;
}

So I'm thinking, if I can get the <regex>Source Network Address:\t*\s*(\S+.\S+.\S+.\S+)|Source Network Address:\t*\s*(\S*:\S*:\S*:\S*:\S*:\S*:\S*:\S*)|[CLIENT: (\S+\d)]</regex> changed to pull the IP info from win.eventdata.iPString x.x.x.x and map it to <order>srcip</order>, then the script should execute and add the IP address into the Windows Firewall block list.

Also, my global agent.conf configuration has the following config:

<agent_config>
    <!-- Shared agent configuration here -->
    <localfile>
        <location>Microsoft-Windows-RemoteDesktopServices-RdpCoreTS/Operational</location>
        <log_format>eventchannel</log_format>
    </localfile>
</agent_config>

Damian Nicastro

Dec 14, 2022, 3:52:51 AM
to Wazuh mailing list
Hi Boris:
I think I got your point.
Most probably, you will need to create a custom script to block the IP in this field. Please, send me the 60010 alert event from the /var/ossec/logs/alerts/alerts.json file to see how the mentioned field is coming.
Thanks 


bo...@alliedens.com

Dec 14, 2022, 2:25:10 PM
to Wazuh mailing list
Damian,

Every time I post the requested info it gets deleted. Can I email you directly? 


bo...@alliedens.com

Dec 14, 2022, 3:02:30 PM
to Wazuh mailing list
Damian,

Please find below the requested info.

Thank you.

On Wednesday, December 14, 2022 at 2:52:51 AM UTC-6 damian....@wazuh.com wrote:
EventInfo.zip

Damian Nicastro

Dec 15, 2022, 3:30:01 AM
to Wazuh mailing list
Hi Boris:
I hope you are fine.
I have analyzed the alert event and I could see that the IP is coming in the field "win.eventdata.IPString".
You will need to modify the default "netsh.exe" script to read this field instead of the "srcip" field. Below, you have a guide to create Active Response custom scripts:
Please, remember that in Windows the script must be converted to .exe format and has to be located in the "C:\Program Files (x86)\ossec-agent\active-response\bin" folder of the Windows machine.
I hope this helps.
Thanks

bo...@alliedens.com

Dec 15, 2022, 11:22:12 AM
to Wazuh mailing list
Damian,

Thank you for the information. I still have a few questions.

1.) Do I still have to make modifications to the 0380-windows_decoders.xml file where the following is referenced:

<regex>Source Network Address:\t*\s*(\S+.\S+.\S+.\S+)|Source Network Address:\t*\s*(\S*:\S*:\S*:\S*:\S*:\S*:\S*:\S*)|[CLIENT: (\S+\d)]</regex>
  <order>srcip</order>

to something like this (or should I leave it alone):

<regex>IPString:\t*\s*(\S+.\S+.\S+.\S+)|IPString:\t*\s*(\S*:\S*:\S*:\S*:\S*:\S*:\S*:\S*)|[CLIENT: (\S+\d)]</regex>
  <order>srcip</order>

2.) Based on the github active-response script documentation (the way I understand it), the script calls for "srcip" from json as shown below, but doesn't the "srcip" get defined by the 0380-windows_decoders.xml configuration?

const char *srcip = get_srcip_from_json(input_json);

Unless I'm not understanding the workflow correctly.

Thanks.

Damian Nicastro

Dec 16, 2022, 1:28:52 AM
to Wazuh mailing list
Hello Boris:
I hope you are fine.
1) You don't have to change any default rule or decoder as a general rule. You might need to create a new custom rule to trigger your custom script, but it is recommended to avoid changing the default ruleset.

2) Once the event triggers a rule and this rule is sent to the AR module in JSON format, the windows decoders don't play any role here. The decoders are only used to extract fields from the event and, eventually, analyzed to trigger certain rules. After a rule is triggered, the AR module will receive the complete JSON event on STDIN and will parse it to look for the necessary fields to execute the script.

I hope this helps.
Thanks
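As an added example (not Wazuh's netsh.exe and not code from this thread), this is how a custom Active Response script would consume the JSON that the AR module writes to its STDIN, as described above, and read win.eventdata.IPString instead of srcip, as suggested in the Dec 15 reply. The message layout follows the Wazuh 4.x active-response format; the node name, the 203.0.113.45 client address and the firewall rule name are constructed assumptions.

```python
import ipaddress
import json
import sys

# Constructed sample of the message wazuh-execd writes to a script's STDIN:
# the whole alert sits under parameters.alert (field names from the table in
# this thread; 203.0.113.45 is a documentation-range placeholder).
SAMPLE_AR_MESSAGE = json.dumps({
    "version": 1,
    "origin": {"name": "node01", "module": "wazuh-execd"},
    "command": "add",
    "parameters": {
        "alert": {
            "rule": {"id": "60010", "level": 5},
            "data": {"win": {
                "system": {"eventID": "140", "severityValue": "WARNING"},
                "eventdata": {"IPString": "203.0.113.45"},
            }},
        },
    },
})

def extract_rdp_client_ip(message):
    """Validated IPString from the alert, or None when it is absent or
    malformed (the situation behind 'Cannot read srcip from data')."""
    try:
        raw = message["parameters"]["alert"]["data"]["win"]["eventdata"]["IPString"]
        return str(ipaddress.ip_address(str(raw).strip()))
    except (KeyError, TypeError, ValueError):
        return None

def build_firewall_command(ip, command):
    """netsh advfirewall argument vector (rule naming is assumed, not Wazuh's):
    'add' blocks the client inbound, 'delete' lifts the block on timeout."""
    rule_name = f"wazuh-rdp-block-{ip}"
    if command == "add":
        return ["netsh", "advfirewall", "firewall", "add", "rule",
                f"name={rule_name}", "dir=in", "action=block", f"remoteip={ip}"]
    if command == "delete":
        return ["netsh", "advfirewall", "firewall", "delete", "rule",
                f"name={rule_name}"]
    raise ValueError(f"unsupported active-response command: {command}")

if __name__ == "__main__":
    # Use the real message when piped in by wazuh-execd, else the sample.
    text = "" if sys.stdin.isatty() else sys.stdin.read()
    msg = json.loads(text or SAMPLE_AR_MESSAGE)
    ip = extract_rdp_client_ip(msg)
    print(build_firewall_command(ip, msg["command"]) if ip else "IPString missing")
```

Validating the address with ipaddress before it reaches netsh matters because the value comes straight from an event written by an unauthenticated remote client. On the agent the script would be packaged as an .exe under active-response\bin, as noted in the Dec 15 reply, and the argument vector passed to subprocess rather than printed.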