a problem with my Kaspersky alerts

[Nassim Dhaher]

Hi guys. I have a problem with my Kaspersky. 

When I turn logall on, the archive.log get lots of traffic so the My Kaspersky server is sending log

On the Wazuh part I have this entry for the syslog

  <!-- Log Kaspersky -->
  <remote>
    <connection>syslog</connection>
    <port>514</port>
    <protocol>udp</protocol>
    <allowed-ips>172.XX.XX.XXX/32</allowed-ips>
   <local_ip>192.XXX.XX.XX</local_ip>
  </remote>

The problems is that nothing is going to the alerts. I know there is a decoder for kaspersky. I read somewhere that  must make my own rules.

Don't know where to start. If someone has something ready to get me started or if the rules exist and I can't see them.

Any help is appreciated.

Nassim

[Mariano Koremblum]

Hi Nassim!

Let us get this clear, in order to do it I will ask you some questions:

• Are you seeing the Kaspersky events on the archives files?
• Do you receive the events on the archives.json file as well? In case it is not being filled, please try enabling the logall_json option on your manager’s ossec.conf file.
• If you do have events on the archives.json, could you please share one of the JSON events, logged to such a file, that you would expect to see in the alerts?

I will be waiting for your reply,

Koremblum Mariano

​

[Нестеров Руслан Олегович]

Good evening all.

I also thinkins how to send kaspersky logs to wazuh server.

What steps should i take?

Regards, 

Ruslan O. Nesterov

---

От: wa...@googlegroups.com <wa...@googlegroups.com> от имени Mariano Koremblum <mariano....@wazuh.com>
Отправлено: 30 июля 2022 г. 18:54:13
Кому: Wazuh mailing list
Тема: Re: a problem with my Kaspersky alerts

 

Hi Nassim!

Let us get this clear, in order to do it I will ask you some questions:

- Are you seeing the Kaspersky events on the archives files?
- Do you receive the events on the `archives.json` file as well? In case it is not being filled, please try enabling the `logall_json` option on your manager's `ossec.conf` file.
- If you do have events on the `archives.json`, could you please share one of the JSON events, logged to such a file, that you would expect to see in the alerts?

I will be waiting for your reply,

Koremblum Mariano

On Friday, July 29, 2022 at 12:38:54 PM UTC-3 nass...@gmail.com wrote:

--
You received this message because you are subscribed to the Google Groups "Wazuh mailing list" group.
To unsubscribe from this group and stop receiving emails from it, send an email to wazuh+un...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/wazuh/3c216d05-60b1-4c94-8fba-ba397741ee5bn%40googlegroups.com.

[Mariano Koremblum]

Hi Ruslan,

Please, open a new thread so we do not mess this one talking about two different topics. Thanks for understanding!

Best Regards,

Mariano Koremblum

[Nassim Dhaher]

Hi Mariano

Ok , I've just reactivated logall for both txt and json

1- when I enable the logall I see several events, here is a screenshot

2- I see several events here as well in the json archives, although I activated only critical events,  

[Mariano Koremblum]

Hi again Nassim!

So, we have to consider that the alerts are just regular logs with an alert level equal to or higher than the log_alert_level value set in the manager’s ossec.conf file, which by default is 3. So, if you haven’t modified such a value, it is okay not to see the events on the dashboard, as from what I can see, the alerts have a level 2, you can find this value in rule->level.

Are you sure that you want to visualize these alerts on the dashboard? You may achieve it by creating a custom rule that inherits from rule 1002, which is the one that is being matched. I would strongly recommend you reading the following links to have a better understanding of the rules/decoders creation:

• https://wazuh.com/blog/creating-decoders-and-rules-from-scratch/
• https://documentation.wazuh.com/current/user-manual/ruleset/custom.html
• https://documentation.wazuh.com/current/user-manual/ruleset/ruleset-xml-syntax/rules.html
• https://documentation.wazuh.com/current/learning-wazuh/replace-stock-rule.html
• https://documentation.wazuh.com/current/user-manual/capabilities/wazuh-logtest/

Note: to test the rules/decoders with wazuh-logtest, you should use the full_log string that is located on every log entry of the archives.json file.

Please, let us know if you still need further guidance with this.

Best Regards,

Mariano Koremblum

​

[Nassim Dhaher]

Hi Mariano

 I changed my alert level from 3 to 2 just to see how the alerts will be and found it very strange that the Critical events in Kaspersky where only level2 alerts in Wazuh. I also started seeing things from my BigIP that I couldn't see before. 

I'm going to read those custom rules and try to make my own.

Just in case you know, where people share rules they have already made, some forum, discord or github repository, I looked but didn't find any.

Thank you.

[Mariano Koremblum]

Hi Nassim,

Unfortunately, there is no specific place to search for users’ custom rules and decoders, at least that I know. Your best chance is to google what you are looking for and most of the results will, probably, be on one of our official community channels.

In any case, if you need help with creating your rules or decoders, you can always open a new thread to ask for our assistance.

Best Regards,

Mariano Koremblum

​