Wazuh notification rule overwrite


Miroslav M
Sep 13, 2022, 1:45:53 PM
to Wazuh mailing list
I receive an alert even though I lowered its level.
I lowered
    <email_alert_level>7</email_alert_level>
so instead of increasing particular event rules, I lower those I do not want. E.g. rule 533: in
/var/ossec/etc/rules/local_rules.xml
there is:
....
<group name="modified">
<!-- Modified default rules -->
  <rule id="533" level="5" overwrite="yes">
    <if_sid>530</if_sid>
    <match>ossec: output: 'netstat listening ports</match>
    <check_diff />
    <description>Listened ports status (netstat) changed (new port opened or closed).</description>
    <group>pci_dss_10.2.7,pci_dss_10.6.1,gpg13_10.1,gdpr_IV_35.7.d,hipaa_164.312.b,nist_800_53_AU.14,nist_800_53_AU.6,tsc_CC6.8,tsc_CC7.2,tsc_CC7.3,</group>
  </rule>
...

</group>

But I still receive this 533.

Version:
/var/ossec/bin/wazuh-control info
WAZUH_VERSION="v4.3.7"
WAZUH_REVISION="40320"
WAZUH_TYPE="server"

Thanks

Sebastian Falcone
Sep 13, 2022, 1:58:07 PM
to Wazuh mailing list

Hello Rudolf, thanks for joining Wazuh!

Let me take a look in my local environment

Sebastian Falcone
Sep 13, 2022, 1:59:05 PM
to Wazuh mailing list
Do you have a log that must trigger this rule? It would be great for testing.

Miroslav Rudolf
Sep 13, 2022, 4:24:54 PM
to wa...@googlegroups.com

Of course: https://pastebin.com/rDKt5eMR

The netstat event is at 15:54:59; I left the surrounding events and anonymized the domain and some IP addresses.

Thanks


On 13. 09. 22 at 19:59 Sebastian Falcone wrote:

Sebastian Falcone
Sep 13, 2022, 5:32:38 PM
to Wazuh mailing list
Sorry for the delay.

I was trying out the rule you sent me and it seems to be working.

Little disclaimer: you need to restart the manager service for the new rules to take effect. So please run:
#/var/ossec/bin/wazuh-control restart 
or
#systemctl restart wazuh-manager.service

Miroslav Rudolf
Sep 21, 2022, 10:47:01 AM
to wa...@googlegroups.com

I restarted, same result. I simplified the file /var/ossec/etc/rules/local_rules.xml:

<!-- Local rules -->

<!-- Modify it at your will. -->
<!-- Copyright (C) 2015-2020, Wazuh Inc. -->

<!-- Example -->
<group name="local,syslog,sshd,">

  <!--
  Dec 10 01:02:02 host sshd[1234]: Failed none for root from 1.1.1.1 port 1066 ssh2
  -->
  <rule id="100001" level="5">
    <if_sid>5716</if_sid>
    <srcip>1.1.1.1</srcip>
    <description>sshd: authentication failed from IP 1.1.1.1.</description>
    <group>authentication_failed,pci_dss_10.2.4,pci_dss_10.2.5,</group>
  </rule>

</group>


<group name="netstatmodified">

<!-- Modified default rules -->
  <rule id="533" level="5" overwrite="yes">
    <if_sid>530</if_sid>
    <match>ossec: output: 'netstat listening ports</match>
    <check_diff />
    <description>Listened ports status (netstat) changed (new port opened or closed).</description>
    <group>pci_dss_10.2.7,pci_dss_10.6.1,gpg13_10.1,gdpr_IV_35.7.d,hipaa_164.312.b,nist_800_53_AU.14,nist_800_53_AU.6,tsc_CC6.8,tsc_CC7.2,tsc_CC7.3,</group>
  </rule>

</group>

I restarted, but I still receive the level 7 netstat alert notification. Can it be due to two email recipients (two email_to lines in ossec.conf)?

Thank you



On 13. 09. 22 at 23:32 Sebastian Falcone wrote:

swapnils
Sep 22, 2022, 9:20:19 AM
to Wazuh mailing list
Try adding this below the "overwrite" line:
<options>alert_by_email</options>

Miroslav Rudolf
Sep 23, 2022, 3:15:38 PM
to wa...@googlegroups.com

Thanks, it is still sending, but now it looks like this:

Wazuh Notification.
2022 Sep 23 19:52:44

Received From: (mail.akspolek.cz) any->netstat listening ports
Rule: 533 fired (level 5) -> "Listened ports status (netstat) changed (new port opened or closed)."
Portion of the log(s):

Before it looked like this:

Wazuh Notification.
2022 Sep 21 06:20:05

Received From: (mail.akspolek.cz) any->netstat listening ports
Rule: 533 fired (level 7) -> "Listened ports status (netstat) changed (new port opened or closed)."
Portion of the log(s):


So it helped to change the level, but not to stop the sending at the lower level.



On 22. 09. 22 at 15:20 'swapnils' via Wazuh mailing list wrote:
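The lowered rule level, the global email_alert_level from the first post, and the alert_by_email option suggested above interact in a way that is easy to get backwards; the following Python is an added example, not Wazuh's own code or anything from this thread, that parses constructed fragments of both files and reports which rules would still be emailed (the rule id, levels and threshold come from the thread; the sshd rule carrying the option is an assumption).

```python
import xml.etree.ElementTree as ET

# Constructed local_rules.xml fragment: rule 533 lowered to level 5 with
# overwrite="yes", plus a rule carrying the alert_by_email option (assumption).
LOCAL_RULES = """<!-- Local rules -->
<group name="netstatmodified">
  <rule id="533" level="5" overwrite="yes">
    <if_sid>530</if_sid>
    <match>ossec: output: 'netstat listening ports</match>
    <check_diff />
    <description>Listened ports status (netstat) changed.</description>
  </rule>
  <rule id="100001" level="5">
    <if_sid>5716</if_sid>
    <options>alert_by_email</options>
    <description>sshd: authentication failed from IP 1.1.1.1.</description>
  </rule>
</group>"""

# Constructed ossec.conf fragment with the lowered global email threshold.
OSSEC_CONF = """<ossec_config>
  <alerts>
    <email_alert_level>7</email_alert_level>
  </alerts>
</ossec_config>"""


def email_alert_level(conf_xml: str) -> int:
    """Read the global minimum alert level for email notifications."""
    return int(ET.fromstring(conf_xml).findtext("alerts/email_alert_level"))


def parse_rules(rules_xml: str) -> dict:
    """Return {rule_id: (level, set of <options> values)} for every <rule>.
    local_rules.xml has no single root element, so it is wrapped first."""
    root = ET.fromstring(f"<root>{rules_xml}</root>")
    rules = {}
    for rule in root.iter("rule"):
        opts = {o.text.strip() for o in rule.findall("options") if o.text}
        rules[rule.get("id")] = (int(rule.get("level")), opts)
    return rules


def would_email(rules_xml: str, conf_xml: str) -> dict:
    """True when a rule's level reaches email_alert_level, or unconditionally
    when it carries alert_by_email: that option forces an email regardless
    of level, so it cannot be used to silence a rule."""
    threshold = email_alert_level(conf_xml)
    return {rid: level >= threshold or "alert_by_email" in opts
            for rid, (level, opts) in parse_rules(rules_xml).items()}
```

With the thread's settings, rule 533 at level 5 falls below the threshold of 7 and should not be emailed, which is why the level shown in the notification is the first thing to verify after a restart.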

Miroslav Rudolf
Oct 3, 2022, 4:25:26 PM
to wa...@googlegroups.com

I probably fixed the issue.

Wazuh was installed in /var/ossec/, which is a mount of a separate disk. It was created by the root user and some files were owned by root. I changed the ownership to wazuh:wazuh and since then the notifications work correctly.


On 23. 09. 22 at 21:15 Miroslav Rudolf wrote:
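The ownership fix described above can be verified rather than assumed; this added Python (not Wazuh's own tooling) walks an install root and lists every file or directory not owned by the service account, with a constructed temporary directory standing in for /var/ossec so it runs anywhere. The account name wazuh:wazuh and the default install root are assumptions.

```python
import grp
import os
import pwd
import tempfile
from typing import List, Tuple


def resolve_ids(user: str, group: str) -> Tuple[int, int]:
    """Numeric uid/gid for the service account; KeyError if it does not exist."""
    return pwd.getpwnam(user).pw_uid, grp.getgrnam(group).gr_gid


def wrong_owners(root: str, uid: int, gid: int) -> List[Tuple[str, int, int]]:
    """Walk root without following symlinks and return (path, uid, gid) for
    every directory or file whose owner or group differs from uid:gid."""
    bad = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for path in [dirpath] + [os.path.join(dirpath, f) for f in filenames]:
            st = os.lstat(path)
            if st.st_uid != uid or st.st_gid != gid:
                bad.append((path, st.st_uid, st.st_gid))
    return bad


def sample_tree() -> Tuple[str, int, int]:
    """Constructed stand-in for /var/ossec: a temp dir with one file, all
    owned by the current user; returns (path, uid, gid) of that file."""
    root = tempfile.mkdtemp(prefix="ossec-sample-")
    conf = os.path.join(root, "ossec.conf")
    open(conf, "w").close()
    st = os.lstat(conf)
    return root, st.st_uid, st.st_gid


if __name__ == "__main__":
    import sys
    # Assumption: service account wazuh:wazuh and the default install root.
    install_root = sys.argv[1] if len(sys.argv) > 1 else "/var/ossec"
    uid, gid = resolve_ids("wazuh", "wazuh")
    for path, fuid, fgid in wrong_owners(install_root, uid, gid):
        print(f"{path}: owned by {fuid}:{fgid}, expected {uid}:{gid}")
```

An empty report after `chown -R wazuh:wazuh` confirms that no root-owned leftovers from the original install remain on the separately mounted disk.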