MISP ruleset issue


Pradeep

Jan 9, 2023, 2:44:37 AM
to Wazuh mailing list

Hi Team,
I have installed all the advanced rulesets provided in this repo.
Using your blog (https://opensecure.medium.com/wazuh-and-misp-integration-242dfa2f2e19) I have successfully integrated MISP with Wazuh, but all my logs keep getting forwarded to archive.json.

For example, Wazuh is unable to decode the log below:
{"timestamp":"2023-01-06T07:53:15.420+0000","agent":{"id":"267","name":"test-1","ip":"165.0.14.167"},"manager":{"name":"wazuh-server-2"},"id":"1672991595.8000478","cluster":{"name":"wazuh","node":"wazuh-2"},"full_log":"{"misp": {"source": {"description": "Sysmon - Event 22: DNS Request by C:\\\\Windows\\\\System32\\\\PING.EXE"}, "event_id": "5", "category": "External analysis", "value": "https://docs.google.com/spreadsheets/d/jhabsjbdjh2jbsjfbifjd-sfasjkbfiaugiIUGiduiu/\", "type": "link"}}","decoder":{"name":"json"},"data":{"misp":{"source":{"description":"Sysmon - Event 22: DNS Request by C:\\Windows\\System32\\PING.EXE"},"event_id":"5","category":"External analysis","value":"https://docs.google.com/spreadsheets/d/jhabsjbdjh2jbsjfbifjd-sfasjkbfiaugiIUGiduiu/","type":"link"}},"location":"misp"}

Federico Gustavo Galland

Jan 9, 2023, 5:25:23 AM
to Wazuh mailing list
Hi Pradeep,

Thanks for joining our community Google Groups channel.

One word of caution, though: The linked blog is not an official Wazuh information outlet.

That being said, I've gone through your JSON log and found that it cannot be parsed properly by any of the tools I've tried. I've managed to correct the formatting, but I'm wondering what could have mangled it in the first place.

Here is a corrected version (I had to remove some unneeded double quotes):

{"timestamp":"2023-01-06T07:53:15.420+0000","agent":{"id":"267","name":"test-1","ip":"165.0.14.167"},"manager":{"name":"wazuh-server-2"},"id":"1672991595.8000478","cluster":{"name":"wazuh","node":"wazuh-2"},"full_log":{"misp": {"source": {"description": "Sysmon - Event 22: DNS Request by C:\\\\Windows\\\\System32\\\\PING.EXE"}, "event_id": "5", "category": "External analysis", "value": "https://docs.google.com/spreadsheets/d/jhabsjbdjh2jbsjfbifjd-sfasjkbfiaugiIUGiduiu/", "type": "link"}},"decoder":{"name":"json"},"data":{"misp":{"source":{"description":"Sysmon - Event 22: DNS Request by C:\\Windows\\System32\\PING.EXE"},"event_id":"5","category":"External analysis","value":"https://docs.google.com/spreadsheets/d/jhabsjbdjh2jbsjfbifjd-sfasjkbfiaugiIUGiduiu/","type":"link"}},"location":"misp"}


Now, this event, while properly decoded by the json decoder, does not match any rules. Wazuh does have a default set of rules for Sysmon's eventID 5, but this event is not directly captured by the Wazuh agent from the Windows EventChannel; it seems to be coming from MISP.

We cannot provide support for MISP content, but you can try searching your Wazuh Dashboard for:

data.win.system.eventID: 5


This will actually search for the event as retrieved by the Wazuh Agent off the EventChannel.

Let me know if this makes sense to you.

Regards,
Federico

Pradeep

Jan 16, 2023, 2:06:09 AM
to Wazuh mailing list
Hi Team,

Can you help me to create a decoder to extract misp fields from this below log?
2023 Jan 13 12:50:41 (lbnr71y0) 166.0.148.176->misp {"misp": {"source": {"description": "Sysmon - Event 22: DNS Request by C:\\\\Windows\\\\System32\\\\PING.EXE"}, "event_id": "5", "category": "External analysis", "value": "https://docs.google.com/spreadsheets/d/1TLJXtAfcFVFOxbndK0W5VmE/", "type": "link"}}

Fields needed
misp.source, misp.event_id, misp.category, misp.value, misp.type

Thanks
Pradeep

Federico Gustavo Galland

Jan 16, 2023, 5:10:13 AM
to Pradeep, Wazuh mailing list
Hi Pradeep,

I've created a very simple rule for illustration purposes. Bear in mind that for more involved custom developments, we have a Professional Hours option available as well.

Now on to our topic, let's take a look at our new sample rule:

<group name="json,sysmon,">
  <rule id="100300" level="3">
    <decoded_as>json</decoded_as>
    <field name="misp.source.description">^Sysmon\.*PING.EXE</field>
    <description>$(misp.source.description)</description>
  </rule>
</group>


The <group> tag is mandatory, so I just assigned it to the json and sysmon groups, though you could use any criteria as dictated by your policies.
Within the <rule> tag, we need an id and a level attribute as well. Level 3 will ensure that this is visible on the Dashboard (this is the default threshold for visibility on the Dashboard), and an id above 100000 marks this as a custom rule.
Now, the <field> tag is where we set our criteria on what needs to be matched. We are using simple OS_Regex here to match things within the misp.source.description field of your JSON log that start with the word "Sysmon" and contain the string "PING.EXE" somewhere after it.
The <description> tag is mandatory, and in this case we are just using the contents of the original log's misp.source.description field as the value to be shown in the interface.

I dumped this rule to an xml file within /var/ossec/etc/rules and then restarted the wazuh-manager service.

With that done, you can check whether your log is being decoded/alerted upon successfully by running:


echo '{"misp": {"source": {"description": "Sysmon - Event 22: DNS Request by C:\\\\Windows\\\\System32\\\\PING.EXE"}, "event_id": "5", "category": "External analysis", "value": "https://docs.google.com/spreadsheets/d/1TLJXtAfcFVFOxbndK0W5VmE/", "type": "link"}}' | /var/ossec/bin/wazuh-logtest


This produces the following output in my environment:

root@manager:~# echo '{"misp": {"source": {"description": "Sysmon - Event 22: DNS Request by C:\\\\Windows\\\\System32\\\\PING.EXE"}, "event_id": "5", "category": "External analysis", "value": "https://docs.google.com/spreadsheets/d/1TLJXtAfcFVFOxbndK0W5VmE/", "type": "link"}}' | /var/ossec/bin/wazuh-logtest
Starting wazuh-logtest v4.3.10
Type one log per line


**Phase 1: Completed pre-decoding.
        full event: '{"misp": {"source": {"description": "Sysmon - Event 22: DNS Request by C:\\\\Windows\\\\System32\\\\PING.EXE"}, "event_id": "5", "category": "External analysis", "value": "https://docs.google.com/spreadsheets/d/1TLJXtAfcFVFOxbndK0W5VmE/", "type": "link"}}'

**Phase 2: Completed decoding.
        name: 'json'
        misp.category: 'External analysis'
        misp.event_id: '5'
        misp.source.description: 'Sysmon - Event 22: DNS Request by C:\\Windows\\System32\\PING.EXE'
        misp.type: 'link'
        misp.value: 'https://docs.google.com/spreadsheets/d/1TLJXtAfcFVFOxbndK0W5VmE/'

**Phase 3: Completed filtering (rules).
        id: '100300'
        level: '3'
        description: 'Sysmon - Event 22: DNS Request by C:\\Windows\\System32\\PING.EXE'
        groups: '['json', 'sysmon']'
        firedtimes: '1'
        mail: 'False'
**Alert to be generated.



So, we can see the alert is actually going to be generated, with the proper description as set up in the rule file.

Check out our documentation for reference on all the mentioned topics:
I advise going through that page orderly, since it's an all-encompassing resource which will teach you all that's needed to create your own decoders and rules.

We also have a simpler tutorial available on our blog:
I hope this was of help, let me know how it goes.

Regards,
Federico Galland
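
The rule above surfaces only misp.source.description. As an added example (not from the thread and not part of Wazuh's shipped rule set), the same idea extended into a parent/child pair that also carries the other fields Pradeep asked for (misp.event_id, misp.category, misp.value, misp.type) into the alert description. The rule IDs 100301 and 100302, the group name misp and the level 5 are my own choices; the parent uses the OS_Regex pattern \.+ (one or more of any character) just to assert the field exists.

```xml
<group name="misp,json,">
  <!-- Parent: any json-decoded event that carries a MISP source block.
       Level 0 means it never alerts on its own; it only anchors children. -->
  <rule id="100301" level="0">
    <decoded_as>json</decoded_as>
    <field name="misp.source.description">\.+</field>
    <description>MISP attribute received (type $(misp.type))</description>
  </rule>

  <!-- Child: the PING.EXE DNS case from the thread, with the remaining
       decoded fields placed in the description so they show on the Dashboard.
       Same OS_Regex as rule 100300: "\." is any character, "." is literal. -->
  <rule id="100302" level="5">
    <if_sid>100301</if_sid>
    <field name="misp.source.description">^Sysmon\.*PING.EXE</field>
    <description>MISP $(misp.category) event $(misp.event_id): $(misp.source.description), value $(misp.value)</description>
  </rule>
</group>
```

Drop this into a file under /var/ossec/etc/rules (local_rules.xml is the usual place), restart wazuh-manager, and re-run the wazuh-logtest command above; Phase 3 should now report id 100302 with the longer description.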


unknown

Jan 16, 2023, 12:06:48 PM
to Federico Gustavo Galland, Wazuh mailing list
Thanks for the quick response.