Folder monitoring error


Facu Basgall

Mar 1, 2023, 9:03:22 AM
to Wazuh mailing list
Hello!
I'm having a problem monitoring folders in Wazuh on an agent.
As you can see in the image I have a folder called 'BackupAD' and another one called 'BackupAD.Compressed'.
My intention is to monitor only the BackupAD folder, but since they start with the same name, when I perform an action on BackupAD.Compressed it also sends me the alert.
Attached is a screenshot of the rules created.
As you can see, I have been trying several ways to get it to interpret 'C:\Backup.AD', where there are more folders and files inside, but I was unsuccessful.
rules1.png
rules2.png
folders.png

Jose Luis Carreras Marin

Mar 2, 2023, 9:18:45 AM
to Wazuh mailing list
Hello Facu Basgall,

First of all, the match tag uses a special Wazuh regular expression. In our documentation you can see the 3 possible regex types to choose from:
https://documentation.wazuh.com/current/user-manual/ruleset/ruleset-xml-syntax/regex.html

- OS_Match (default)
- OS_Regex
- PCRE2

Documentation about the match tag and how to define the regex type:
https://documentation.wazuh.com/current/user-manual/ruleset/ruleset-xml-syntax/rules.html#match

For example:
<match type="osregex">c:\\backupad\\\.</match>

This way you can change the regex type to suit what you are looking for.

However, if the syscheck configuration you are using contains all those directories, any action taken on them will generate the existing default alert in the Wazuh ruleset:
- Rule ID 554: File added to the system.
- Rule ID 550: Integrity checksum changed.
- Rule ID 553: File deleted.


To avoid those alerts, the best you can do is to create a more specific syscheck configuration (in the agent) with only the directories you want to monitor, using the directories tag (or even excluding paths with the ignore tag). You can read more about syscheck (FIM) configuration here:
https://documentation.wazuh.com/current/user-manual/reference/ossec-conf/syscheck.html#syscheck

If you want, tell me your goal in more depth and send me the agent configuration you are using, and we can look at the possibilities in more detail.

Regards

Christian Ariel Toledo

Mar 3, 2023, 3:31:16 PM
to Wazuh mailing list
Hello José Luis.
My name is Christian, and I am doing the tests together with Facu Basgall.

I confirm that the tests you indicated did not work.
I am sending the different tests that I performed, in case it helps with this issue (none of them worked).

<rule id="101701" level="11">
  <if_sid>553</if_sid>
  <match>c:\\backupad\\\.</match>
  <description>File deleted.</description>
</rule>

<rule id="101702" level="11">
  <if_sid>553</if_sid>
  <match type="osregex">c:\\backupad\\\.</match>
  <description>File deleted.</description>
</rule>

<rule id="101700" level="11" frequency="2" timeframe="60">
  <if_matched_sid>553</if_matched_sid>
  <regex>c:\\backupad\\\.</regex>
  <description>Multiple - File deleted.</description>
</rule>


Regards.
Toledo Christian

Jose Luis Carreras Marin

Mar 6, 2023, 4:34:25 AM
to Wazuh mailing list
Hi Christian

Could you show me what kind of test you are performing, and the alerts you are receiving in the alerts.log file?
It would also be good to analyze the syscheck configuration you are using in the ossec.conf file of the Wazuh agent.

Regards, Jose

Christian Ariel Toledo

Mar 6, 2023, 10:01:35 AM
to Wazuh mailing list
Jose,
I am sending you what you requested.
In the attachment is the log, and below the configuration.
I have a group created, with the folder configuration.

In the tests I add, modify and delete .txt files, and in all cases events 550, 553 and 554 are generated correctly. But not the events that I defined in the rules.

Config: ossec.conf
  <!-- File integrity monitoring -->
  <syscheck>
    <disabled>no</disabled>

    <!-- Frequency that syscheck is executed default every 12 hours -->
    <frequency>43200</frequency>

    <scan_on_start>yes</scan_on_start>

    <!-- Generate alert when new file detected -->
    <alert_new_files>yes</alert_new_files>

    <!-- Don't ignore files that change more than 'frequency' times -->
    <auto_ignore frequency="10" timeframe="3600">no</auto_ignore>

    <!-- Directories to check  (perform all possible verifications) -->
    <directories>/etc,/usr/bin,/usr/sbin</directories>
    <directories>/bin,/sbin,/boot</directories>

    <!-- Files/directories to ignore -->
    <ignore>/etc/mtab</ignore>
    <ignore>/etc/hosts.deny</ignore>
    <ignore>/etc/mail/statistics</ignore>
    <ignore>/etc/random-seed</ignore>
    <ignore>/etc/random.seed</ignore>
    <ignore>/etc/adjtime</ignore>
    <ignore>/etc/httpd/logs</ignore>
    <ignore>/etc/utmpx</ignore>
    <ignore>/etc/wtmpx</ignore>
    <ignore>/etc/cups/certs</ignore>
    <ignore>/etc/dumpdates</ignore>
    <ignore>/etc/svc/volatile</ignore>

    <!-- File types to ignore -->
    <ignore type="sregex">.log$|.swp$</ignore>

    <!-- Check the file, but never compute the diff -->
    <nodiff>/etc/ssl/private.key</nodiff>

    <skip_nfs>yes</skip_nfs>
    <skip_dev>yes</skip_dev>
    <skip_proc>yes</skip_proc>
    <skip_sys>yes</skip_sys>

    <!-- Nice value for Syscheck process -->
    <process_priority>10</process_priority>

    <!-- Maximum output throughput -->
    <max_eps>100</max_eps>

    <!-- Database synchronization settings -->
    <synchronization>
      <enabled>yes</enabled>
      <interval>5m</interval>
      <max_interval>1h</max_interval>
      <max_eps>10</max_eps>
    </synchronization>
  </syscheck>


Group configuration: agent.conf
<agent_config>
  <!-- Shared agent configuration here -->
  <!-- File integrity monitoring -->
  <syscheck>
    <!-- Windows directories -->
    <directories check_all="yes" whodata="yes">C:\backupAD</directories>
    <directories check_all="yes" whodata="yes">C:\backupAD.Comprimido</directories>
    <directories check_all="yes" whodata="yes">C:\backupAD.GPOs</directories>
    <directories check_all="yes" whodata="yes">C:\backupAD.GPOs.Comprimido</directories>
  </syscheck>
</agent_config>


Rules:
<!--  File monitoring  -->
<group name="alertas">
  <!--  File monitoring rules for "C:\backupAD" -->
  <!--  File modification  -->

  <rule id="101700" level="11" frequency="2" timeframe="60">
    <if_matched_sid>553</if_matched_sid>
    <regex>c:\\backupad\\\.</regex>
    <description>Multiple - File deleted.</description>
  </rule>

  <rule id="101701" level="11">
    <if_sid>553</if_sid>
    <match>c:\\backupad\\\.</match>
    <description>File deleted.</description>
  </rule>

  <rule id="101702" level="11">
    <if_sid>553</if_sid>
    <match type="osregex">c:\\backupad\\\.</match>
    <description>File deleted.</description>
  </rule>
</group>

Regards.
Toledo Christian
alerts.log

Jose Luis Carreras Marin

Mar 7, 2023, 8:52:10 AM
to Wazuh mailing list
Hello Toledo,

Could you try this other rule?

<rule id="101702" level="11">
  <if_sid>553</if_sid>
  <field name="file" type="osregex">c:\\backupad\\\.</field>
  <description>File deleted.</description>
</rule>


The field tag allows you to choose specific fields of the alert; in this case, the path of the file comes in the file field. Documentation link:
https://documentation.wazuh.com/current/user-manual/ruleset/ruleset-xml-syntax/rules.html#field

Regards, Jose

Christian Ariel Toledo

Mar 8, 2023, 9:53:12 AM
to Wazuh mailing list
Good morning Jose.
I tried the rule you indicated, and it didn't work either.
I also tried the following, but it still doesn't work.


<rule id="101702" level="11">
  <if_sid>553</if_sid>
  <field name="file" type="osregex">c:\\backupad\\\.</field>
  <description>File deleted.</description>
</rule>

<rule id="101702" level="11">
  <if_sid>553</if_sid>
  <field name="syscheck.path" type="osregex">c:\\backupad\\\.</field>
  <description>File deleted.</description>
</rule>

Regards.
Toledo Christian

Jose Luis Carreras Marin

Mar 9, 2023, 7:12:45 AM
to Wazuh mailing list
Hi Christian

I have set up a local environment and tested the rule.
Configuration in the agent:

<directories check_all="yes" whodata="yes">C:\backupAD</directories>
<directories check_all="yes" whodata="yes">C:\backupAD.Comprimido</directories>

Local custom rules file in the manager:

<group name="alertas">

    <rule id="101702" level="11">
        <if_sid>553</if_sid>
        <field name="file" type="osregex">c:\\backupad\\\.</field>
        <description>File deleted.</description>
    </rule>
</group>



Testing directory C:\backupAD.Comprimido
  • File added:
** Alert 1678363504.685154: - ossec,syscheck,syscheck_entry_added,syscheck_file,pci_dss_11.5,gpg13_4.11,gdpr_II_5.1.f,hipaa_164.312.c.1,hipaa_164.312.c.2,nist_800_53_SI.7,tsc_PI1.4,tsc_PI1.5,tsc_CC6.1,tsc_CC6.8,tsc_CC7.2,tsc_CC7.3,
2023 Mar 09 12:05:04 (windows10) any->syscheck
Rule: 554 (level 5) -> 'File added to the system.'
File 'c:\backupad.comprimido\new text document.txt' added
Mode: whodata

Attributes:
 - Size: 0
 - Permissions: Administrators (allowed): DELETE|READ_CONTROL|WRITE_DAC|WRITE_OWNER|SYNCHRONIZE|READ_DATA|WRITE_DATA|APPEND_DATA|READ_EA|WRITE_EA|EXECUTE|READ_ATTRIBUTES|WRITE_ATTRIBUTES, SYSTEM (allowed): DELETE|READ_CONTROL|WRITE_DAC|WRITE_OWNER|SYNCHRONIZE|READ_DATA|WRITE_DATA|APPEND_DATA|READ_EA|WRITE_EA|EXECUTE|READ_ATTRIBUTES|WRITE_ATTRIBUTES, Users (allowed): READ_CONTROL|SYNCHRONIZE|READ_DATA|READ_EA|EXECUTE|READ_ATTRIBUTES, Authenticated Users (allowed): DELETE|READ_CONTROL|SYNCHRONIZE|READ_DATA|WRITE_DATA|APPEND_DATA|READ_EA|WRITE_EA|EXECUTE|READ_ATTRIBUTES|WRITE_ATTRIBUTES
 - Date: Thu Mar  9 12:05:03 2023
 - Inode: 0
 - User: Administrators (0)
 - MD5: d41d8cd98f00b204e9800998ecf8427e
 - SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
 - SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
 - File attributes: ARCHIVE
 - (Audit) User name: vagrant
 - (Audit) Process id: 2384
 - (Audit) Process name: C:\Windows\explorer.exe


  • File deleted:
** Alert 1678363510.686548: - ossec,syscheck,syscheck_entry_deleted,syscheck_file,pci_dss_11.5,gpg13_4.11,gdpr_II_5.1.f,hipaa_164.312.c.1,hipaa_164.312.c.2,nist_800_53_SI.7,tsc_PI1.4,tsc_PI1.5,tsc_CC6.1,tsc_CC6.8,tsc_CC7.2,tsc_CC7.3,
2023 Mar 09 12:05:10 (windows10) any->syscheck
Rule: 553 (level 7) -> 'File deleted.'
File 'c:\backupad.comprimido\new text document.txt' deleted
Mode: whodata

Attributes:
 - Size: 0
 - Permissions: Administrators (allowed): DELETE|READ_CONTROL|WRITE_DAC|WRITE_OWNER|SYNCHRONIZE|READ_DATA|WRITE_DATA|APPEND_DATA|READ_EA|WRITE_EA|EXECUTE|READ_ATTRIBUTES|WRITE_ATTRIBUTES, SYSTEM (allowed): DELETE|READ_CONTROL|WRITE_DAC|WRITE_OWNER|SYNCHRONIZE|READ_DATA|WRITE_DATA|APPEND_DATA|READ_EA|WRITE_EA|EXECUTE|READ_ATTRIBUTES|WRITE_ATTRIBUTES, Users (allowed): READ_CONTROL|SYNCHRONIZE|READ_DATA|READ_EA|EXECUTE|READ_ATTRIBUTES, Authenticated Users (allowed): DELETE|READ_CONTROL|SYNCHRONIZE|READ_DATA|WRITE_DATA|APPEND_DATA|READ_EA|WRITE_EA|EXECUTE|READ_ATTRIBUTES|WRITE_ATTRIBUTES
 - Date: Thu Mar  9 12:05:03 2023
 - Inode: 0
 - User: Administrators (0)
 - MD5: d41d8cd98f00b204e9800998ecf8427e
 - SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
 - SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
 - File attributes: ARCHIVE
 - (Audit) User name: vagrant
 - (Audit) Process id: 2384
 - (Audit) Process name: C:\Windows\explorer.exe




Testing directory C:\backupAD
  • File added:
** Alert 1678362753.682588: - ossec,syscheck,syscheck_entry_added,syscheck_file,pci_dss_11.5,gpg13_4.11,gdpr_II_5.1.f,hipaa_164.312.c.1,hipaa_164.312.c.2,nist_800_53_SI.7,tsc_PI1.4,tsc_PI1.5,tsc_CC6.1,tsc_CC6.8,tsc_CC7.2,tsc_CC7.3,
2023 Mar 09 11:52:33 (windows10) any->syscheck
Rule: 554 (level 5) -> 'File added to the system.'
File 'c:\backupad\new text document.txt' added
Mode: whodata

Attributes:
 - Size: 0
 - Permissions: Administrators (allowed): DELETE|READ_CONTROL|WRITE_DAC|WRITE_OWNER|SYNCHRONIZE|READ_DATA|WRITE_DATA|APPEND_DATA|READ_EA|WRITE_EA|EXECUTE|READ_ATTRIBUTES|WRITE_ATTRIBUTES, SYSTEM (allowed): DELETE|READ_CONTROL|WRITE_DAC|WRITE_OWNER|SYNCHRONIZE|READ_DATA|WRITE_DATA|APPEND_DATA|READ_EA|WRITE_EA|EXECUTE|READ_ATTRIBUTES|WRITE_ATTRIBUTES, Users (allowed): READ_CONTROL|SYNCHRONIZE|READ_DATA|READ_EA|EXECUTE|READ_ATTRIBUTES, Authenticated Users (allowed): DELETE|READ_CONTROL|SYNCHRONIZE|READ_DATA|WRITE_DATA|APPEND_DATA|READ_EA|WRITE_EA|EXECUTE|READ_ATTRIBUTES|WRITE_ATTRIBUTES
 - Date: Thu Mar  9 11:52:32 2023
 - Inode: 0
 - User: Administrators (0)
 - MD5: d41d8cd98f00b204e9800998ecf8427e
 - SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
 - SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
 - File attributes: ARCHIVE
 - (Audit) User name: vagrant
 - (Audit) Process id: 2384
 - (Audit) Process name: C:\Windows\explorer.exe

  • File deleted:
** Alert 1678362821.683971: - alertas
2023 Mar 09 11:53:41 (windows10) any->syscheck
Rule: 101702 (level 11) -> 'File deleted.'
File 'c:\backupad\new text document.txt' deleted
Mode: whodata

Attributes:
 - Size: 0
 - Permissions: Administrators (allowed): DELETE|READ_CONTROL|WRITE_DAC|WRITE_OWNER|SYNCHRONIZE|READ_DATA|WRITE_DATA|APPEND_DATA|READ_EA|WRITE_EA|EXECUTE|READ_ATTRIBUTES|WRITE_ATTRIBUTES, SYSTEM (allowed): DELETE|READ_CONTROL|WRITE_DAC|WRITE_OWNER|SYNCHRONIZE|READ_DATA|WRITE_DATA|APPEND_DATA|READ_EA|WRITE_EA|EXECUTE|READ_ATTRIBUTES|WRITE_ATTRIBUTES, Users (allowed): READ_CONTROL|SYNCHRONIZE|READ_DATA|READ_EA|EXECUTE|READ_ATTRIBUTES, Authenticated Users (allowed): DELETE|READ_CONTROL|SYNCHRONIZE|READ_DATA|WRITE_DATA|APPEND_DATA|READ_EA|WRITE_EA|EXECUTE|READ_ATTRIBUTES|WRITE_ATTRIBUTES
 - Date: Thu Mar  9 11:52:32 2023
 - Inode: 0
 - User: Administrators (0)
 - MD5: d41d8cd98f00b204e9800998ecf8427e
 - SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
 - SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
 - File attributes: ARCHIVE
 - (Audit) User name: vagrant
 - (Audit) Process id: 2384
 - (Audit) Process name: C:\Windows\explorer.exe





As you can see, the custom rule that I have created has triggered exclusively in the c:\backupad directory (check alert level 11 and group alertas). Is this the behaviour you are looking for? How are you testing, or what is your goal?
Tell me in more depth and we can analyze the problem.
I hope I can help as much as possible.

Best regards, Jose
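To see why the osregex pattern above separates the two directories, here is an added example (not from the thread and not Wazuh code) that translates the OS_Regex subset used in rule 101702 into a Python regex and checks it against the two paths from the alerts.log excerpts; the character-class translation is my own simplification of the linked regex documentation.

```python
import re

# Added example, not from the thread or from Wazuh: translate the OS_Regex subset
# the thread relies on into a Python regex. Escapes handled (simplified from the
# Wazuh regex documentation): \\ is a literal backslash, \. is ANY single
# character, \w \d \s \t \p are character classes and \W \D \S their negations.
# A bare '.' is a literal dot, which is the usual gotcha with OS_Regex.
_CLASSES = {
    "w": r"[A-Za-z0-9@_]", "d": r"[0-9]", "s": r" ", "t": r"\t",
    "p": r"[()*+,\-.:;<=>?\[\]]", "W": r"[^A-Za-z0-9@_]", "D": r"[^0-9]",
    "S": r"[^ ]", ".": r".",
}

def osregex_to_python(pattern: str) -> str:
    """Return a Python regex equivalent to the given OS_Regex pattern."""
    out, i = [], 0
    while i < len(pattern):
        ch = pattern[i]
        if ch == "\\" and i + 1 < len(pattern):
            nxt = pattern[i + 1]
            if nxt == "\\":
                out.append(r"\\")            # escaped backslash -> literal backslash
            elif nxt in _CLASSES:
                out.append(_CLASSES[nxt])    # character class (or \. = anything)
            else:
                out.append(re.escape(nxt))   # any other escaped char is literal
            i += 2
            continue
        # ^ $ | ( ) + * keep their meaning; everything else, '.' included, is literal
        out.append(ch if ch in "^$|()+*" else re.escape(ch))
        i += 1
    return "".join(out)

def osregex_search(pattern: str, text: str) -> bool:
    """True when the OS_Regex pattern matches anywhere in text (substring unless anchored)."""
    return re.search(osregex_to_python(pattern), text) is not None

# Pattern from rule 101702 and the two paths seen in the alerts above.
RULE_PATTERN = r"c:\\backupad\\\."
PATHS = {
    r"c:\backupad\new text document.txt": True,              # 101702 should fire
    r"c:\backupad.comprimido\new text document.txt": False,  # stays on rule 553
}

if __name__ == "__main__":
    print("python regex:", osregex_to_python(RULE_PATTERN))
    for path, expected in PATHS.items():
        hit = osregex_search(RULE_PATTERN, path)
        print(f"{'match   ' if hit else 'no match'} {path} (expected {expected})")
```

The second path fails because after `c:\backupad` the pattern requires a literal backslash (`\\`) and the path has a dot, which is exactly the separation the alerts above show.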

Christian Ariel Toledo

Mar 22, 2023, 9:09:48 PM
to Wazuh mailing list
Dear Jose,
Sorry for the delay.
The test you have done is exactly what I need.
I deleted all the rules that I had and configured exactly the same as you have done, and it worked perfectly. (Surely I had something configured wrong.)
Thank you very much for the help.

Regards.
Toledo Christian
