Wazuh Agent Default Rules


John Carry

May 12, 2023, 8:06:12 AM
to Wazuh mailing list
Dear Wazuh Team,

Please provide details on the rules mentioned below for the following queries:

1) When will this rule trigger? Please provide a use case and the possible conditions.
2) Where to find the logs that will trigger these rules?

Rules:
  <rule id="501" level="3">
    <if_sid>500</if_sid>
    <if_fts />
    <match>Agent started</match>
    <description>New ossec agent connected.</description>
    <group>pci_dss_10.6.1,gpg13_10.1,gdpr_IV_35.7.d,hipaa_164.312.b,nist_800_53_AU.6,tsc_CC7.2,tsc_CC7.3,</group>
  </rule>

  <rule id="502" level="3">
    <if_sid>500</if_sid>
    <match>Ossec started</match>
    <description>Ossec server started.</description>
    <group>pci_dss_10.6.1,gpg13_10.1,gdpr_IV_35.7.d,hipaa_164.312.b,nist_800_53_AU.6,tsc_CC7.2,tsc_CC7.3,</group>
  </rule>

  <rule id="503" level="3">
    <if_sid>500</if_sid>
    <match>Agent started</match>
    <description>Ossec agent started.</description>
    <group>pci_dss_10.6.1,pci_dss_10.2.6,gpg13_10.1,gdpr_IV_35.7.d,hipaa_164.312.b,nist_800_53_AU.6,nist_800_53_AU.14,nist_800_53_AU.5,tsc_CC7.2,tsc_CC7.3,tsc_CC6.8,</group>
  </rule>

  <rule id="504" level="3">
    <if_sid>500</if_sid>
    <match>Agent disconnected</match>
    <description>Ossec agent disconnected.</description>
    <mitre>
      <id>T1562.001</id>
    </mitre>
    <group>pci_dss_10.6.1,pci_dss_10.2.6,gpg13_10.1,gdpr_IV_35.7.d,hipaa_164.312.b,nist_800_53_AU.6,nist_800_53_AU.14,nist_800_53_AU.5,tsc_CC7.2,tsc_CC7.3,tsc_CC6.8,</group>
  </rule>

  <rule id="505" level="3">
    <if_sid>500</if_sid>
    <match>Agent removed</match>
    <description>Ossec agent removed.</description>
    <mitre>
      <id>T1562.001</id>
    </mitre>
    <group>pci_dss_10.6.1,pci_dss_10.2.6,gpg13_10.1,gdpr_IV_35.7.d,hipaa_164.312.b,nist_800_53_AU.6,nist_800_53_AU.14,nist_800_53_AU.5,tsc_CC7.2,tsc_CC7.3,tsc_CC6.8,</group>
  </rule>

  <rule id="506" level="3">
    <if_sid>500</if_sid>
    <match>Agent stopped</match>
    <description>Ossec agent stopped.</description>
    <mitre>
      <id>T1562.001</id>
    </mitre>
    <group>pci_dss_10.6.1,pci_dss_10.2.6,gpg13_10.1,gdpr_IV_35.7.d,hipaa_164.312.b,nist_800_53_AU.6,nist_800_53_AU.14,nist_800_53_AU.5,tsc_CC7.2,tsc_CC7.3,tsc_CC6.8,</group>
  </rule>

Nicolas Alejandro Bertoldo

May 12, 2023, 1:57:54 PM
to Wazuh mailing list
Hi John,

Thanks for using Wazuh!
These rules are triggered when an agent or manager status change event occurs. For example, when the manager is started the following message is logged to /var/ossec/etc/logs/ossec.log:

"ossec: Manager started."

As you can see in the wazuh-logtest output:

# /var/ossec/bin/wazuh-logtest
Starting wazuh-logtest v4.4.1
Type one log per line

ossec: Manager started.

**Phase 1: Completed pre-decoding.
full event: 'ossec: Manager started.'

**Phase 2: Completed decoding.
name: 'ossec'

**Phase 3: Completed filtering (rules).
id: '502'
level: '3'
description: 'Ossec server started.'
groups: '['ossec']'
firedtimes: '1'
gdpr: '['IV_35.7.d']'
gpg13: '['10.1']'
hipaa: '['164.312.b']'
mail: 'False'
nist_800_53: '['AU.6']'
pci_dss: '['10.6.1']'
tsc: '['CC7.2', 'CC7.3']'
**Alert to be generated.

In the decoding phase the event is processed by the ossec decoder.

In the next phase, the extracted log information is compared to the ruleset and matches with the rule 502:

  <rule id="502" level="3">
    <if_sid>500</if_sid>
    <match>Manager started</match>
    <description>Ossec server started.</description>
    <group>pci_dss_10.6.1,gpg13_10.1,gdpr_IV_35.7.d,hipaa_164.312.b,nist_800_53_AU.6,tsc_CC7.2,tsc_CC7.3,</group>
  </rule>

Alerts generated are stored at /var/ossec/logs/alerts/alerts.(json|log):

[root@wazuh-server wazuh-user]# cat /var/ossec/logs/alerts/alerts.json | grep ossec
{"timestamp":"2023-05-12T14:35:58.803+0000","rule":{"level":3,"description":"Ossec server started.","id":"502","firedtimes":1,"mail":false,"groups":["ossec"],"pci_dss":["10.6.1"],"gpg13":["10.1"],"gdpr":["IV_35.7.d"],"hipaa":["164.312.b"],"nist_800_53":["AU.6"],"tsc":["CC7.2","CC7.3"]},"agent":{"id":"000","name":"wazuh-server"},"manager":{"name":"wazuh-server"},"id":"1683902158.2233","full_log":"ossec: Manager started.","decoder":{"name":"ossec"},"location":"wazuh-monitord"}

For more detailed information about the Analysis process, see: https://documentation.wazuh.com/current/user-manual/capabilities/log-data-collection/how-it-works.html?highlight=logall#analysis

I hope this helps. Let me know if you have any further questions.
Regards,