Hi all,
Since I can only find instances of people asking about the error without them providing the log, I figured I'd skip the initial response from the Wazuh team. Hopefully this helps identify that there is a comma in some of the Windows user group names that needs to either be sanitized by the log collector or escaped properly. Please see below:
2022/12/10 07:26:31 wazuh-analysisd[6168] syscheck_op.c:1615 at win_perm_to_json(): DEBUG: Uncontrolled condition when parsing a Windows permission from 'Users (allowed): READ_CONTROL|READ_DATA|READ_EA|WRITE_EA, Administrators (allowed): DELETE|READ_CONTROL|WRITE_DAC|WRITE_OWNER|READ_DATA|WRITE_DATA|APPEND_DATA|READ_EA|WRITE_EA|EXECUTE, SYSTEM (allowed): DELETE|READ_CONTROL|WRITE_DAC|WRITE_OWNER|READ_DATA|WRITE_DATA|APPEND_DATA|READ_EA|WRITE_EA|EXECUTE, NETWORK SERVICE (allowed): DELETE|READ_CONTROL|READ_DATA|WRITE_DATA|APPEND_DATA|READ_EA|WRITE_EA|EXECUTE, LOCAL SERVICE (allowed): READ_CONTROL|READ_DATA|READ_EA|WRITE_EA, Network Configuration Operators (allowed): DELETE|READ_CONTROL|READ_DATA|WRITE_DATA|APPEND_DATA|READ_EA|WRITE_EA, Dhcp (allowed): DELETE|READ_CONTROL|READ_DATA|WRITE_DATA|APPEND_DATA|READ_EA|WRITE_EA, OWNER RIGHTS (allowed): READ_CONTROL, WwanSvc (allowed): READ_CONTROL|READ_DATA|WRITE_DATA|APPEND_DATA|READ_EA|WRITE_EA, ALL APPLICATION PACKAGES (allowed): READ_CONTROL|READ_DATA|READ_EA|WRITE_EA, Your Internet connection (allowed): READ_CONTROL|READ_DATA|READ_EA|WRITE_EA, Your Internet connection, including incoming connections from the Internet (allowed): READ_CONTROL|READ_DATA|READ_EA|WRITE_EA, Your home or work networks (allowed): READ_CONTROL|READ_DATA|READ_EA|WRITE_EA, S-1-15-3-4214768333-1334025770-122408079-3919188833 (allowed): READ_CONTROL|READ_DATA|READ_EA|WRITE_EA'.
2022/12/10 07:26:31 wazuh-analysisd[6168] to_json.c:361 at Eventinfo_to_jsonstr(): ERROR: The new permissions could not be added to the JSON alert.
Any guidance you can provide on how to resolve the issue or mute the error would be appreciated. If necessary I can open an issue on GitHub.
Thanks,
Chris Xedis
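To illustrate the failure mode in the post, here is an added example (not Wazuh's own code, and not a patch for syscheck_op.c) that parses the same permission string two ways: a naive split on ", ", which breaks on the principal name "Your Internet connection, including incoming connections from the Internet", and a pattern-driven parser that anchors on the " (allowed): " / " (denied): " marker instead of the comma. The permission text is the one quoted in the log above; the entry layout, the function names and the assumption that every entry ends in an upper-case, pipe-separated permission list are mine.

```python
import json
import re
from dataclasses import dataclass, asdict

# Permission string copied from the wazuh-analysisd DEBUG line in the post above.
SAMPLE_PERMS = (
    "Users (allowed): READ_CONTROL|READ_DATA|READ_EA|WRITE_EA, "
    "Administrators (allowed): DELETE|READ_CONTROL|WRITE_DAC|WRITE_OWNER|READ_DATA|WRITE_DATA|APPEND_DATA|READ_EA|WRITE_EA|EXECUTE, "
    "SYSTEM (allowed): DELETE|READ_CONTROL|WRITE_DAC|WRITE_OWNER|READ_DATA|WRITE_DATA|APPEND_DATA|READ_EA|WRITE_EA|EXECUTE, "
    "NETWORK SERVICE (allowed): DELETE|READ_CONTROL|READ_DATA|WRITE_DATA|APPEND_DATA|READ_EA|WRITE_EA|EXECUTE, "
    "LOCAL SERVICE (allowed): READ_CONTROL|READ_DATA|READ_EA|WRITE_EA, "
    "Network Configuration Operators (allowed): DELETE|READ_CONTROL|READ_DATA|WRITE_DATA|APPEND_DATA|READ_EA|WRITE_EA, "
    "Dhcp (allowed): DELETE|READ_CONTROL|READ_DATA|WRITE_DATA|APPEND_DATA|READ_EA|WRITE_EA, "
    "OWNER RIGHTS (allowed): READ_CONTROL, "
    "WwanSvc (allowed): READ_CONTROL|READ_DATA|WRITE_DATA|APPEND_DATA|READ_EA|WRITE_EA, "
    "ALL APPLICATION PACKAGES (allowed): READ_CONTROL|READ_DATA|READ_EA|WRITE_EA, "
    "Your Internet connection (allowed): READ_CONTROL|READ_DATA|READ_EA|WRITE_EA, "
    "Your Internet connection, including incoming connections from the Internet (allowed): READ_CONTROL|READ_DATA|READ_EA|WRITE_EA, "
    "Your home or work networks (allowed): READ_CONTROL|READ_DATA|READ_EA|WRITE_EA, "
    "S-1-15-3-4214768333-1334025770-122408079-3919188833 (allowed): READ_CONTROL|READ_DATA|READ_EA|WRITE_EA"
)

# Assumed entry shape: "<principal> (allowed|denied): PERM|PERM|...", entries joined by ", ".
# The principal is matched lazily so it may itself contain ", "; the "(allowed): " marker,
# not the comma, decides where an entry starts. The permission list is assumed to be
# upper-case names separated by "|", which is what the log line shows.
ENTRY_RE = re.compile(
    r"(?P<who>.+?) \((?P<kind>allowed|denied)\): "
    r"(?P<perms>[A-Z_]+(?:\|[A-Z_]+)*)(?:, |$)"
)


@dataclass
class PermEntry:
    who: str
    kind: str
    perms: list


def naive_split_fragments(perm_string):
    """The fragile approach: treat ', ' as the entry separator.

    Returns the fragments that carry no '(allowed): ' or '(denied): ' marker,
    i.e. the ones a comma-splitting parser cannot interpret.
    """
    fragments = perm_string.split(", ")
    return [f for f in fragments if "(allowed): " not in f and "(denied): " not in f]


def parse_win_perm(perm_string):
    """Parse the whole string entry by entry, anchored on the permission marker.

    Raises ValueError (instead of silently dropping data) if any part of the
    string does not fit the expected shape, so a new unexpected format is
    surfaced rather than producing a half-built alert.
    """
    entries = []
    pos = 0
    while pos < len(perm_string):
        m = ENTRY_RE.match(perm_string, pos)
        if m is None:
            raise ValueError(
                f"unparseable permission text at offset {pos}: {perm_string[pos:pos + 40]!r}"
            )
        entries.append(PermEntry(m["who"], m["kind"], m["perms"].split("|")))
        pos = m.end()
    return entries


def perms_to_json(perm_string):
    """Build the JSON representation an alert would carry from the parsed entries."""
    return json.dumps([asdict(e) for e in parse_win_perm(perm_string)])


if __name__ == "__main__":
    print("fragments the comma split cannot interpret:", naive_split_fragments(SAMPLE_PERMS))
    for entry in parse_win_perm(SAMPLE_PERMS):
        print(f"{entry.who!r}: {entry.kind} {'|'.join(entry.perms)}")
```

Running it shows that the comma split leaves one orphan fragment, "Your Internet connection", while the marker-anchored parser recovers all fourteen entries, including the one whose name contains a comma. A stricter fix on the producing side is to escape or quote the principal name before the string is built, but any consumer that refuses to guess and reports an unparseable remainder, as parse_win_perm does, at least fails loudly instead of dropping the permissions from the alert.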