Solved Wazuh - operational and can add agents - now what
-
@IRJ How are rulesets installed?
-
None of those rules displayed are true correlations like you are looking to do.
So you need to go to
/var/ossec/etc/rules
and create a new file called smb_security_correlations.xml
Note: I like to specify rule ranges and make notes in my custom rule files
<!-- ################################### -->
<!-- # SMB Security Correlations       # -->
<!-- ################################### -->
<!-- ################################### -->
<!-- # Rule numbers 100100 - 100150    # -->
<!-- ################################### -->
<group name="smb_security_correlations,">
  <rule id="100100" level="8" frequency="6" timeframe="360">
    <if_sid>13102</if_sid>
    <description>Multiple Failed Attempts on SMB Share</description>
    <group>smb_security_correlations,</group>
  </rule>
</group>
This will create a level 8 alert if there are 5 failed attempts within a 90 second time frame.
-
@DustinB3403 said in Wazuh - operational and can add agents - now what:
@IRJ How are rulesets installed?
They are in your
/var/ossec/rules
directory. You should not change those rules ever. Any new rules you will need to put in
/var/ossec/etc/rules
like I explained in the previous post.
-
Okay, so I've added that file to
/var/ossec/etc/rules
and entered what you provided (probably should verify that for my own sanity). Do I need to "enable" it or refresh the rules?
-
@DustinB3403 said in Wazuh - operational and can add agents - now what:
Okay, so I've added that file to
/var/ossec/etc/rules
and entered what you provided (probably should verify that for my own sanity). Do I need to "enable" it or refresh the rules?
You need to restart the Wazuh manager and agents.
You can restart agents from the manager by using this command
/var/ossec/bin/agent_control -R -a
You can restart wazuh-manager by using
systemctl restart wazuh-manager
-
@IRJ so I can't start the wazuh-manager because
ossec-analysisd: ERROR: Invalid option 'frequency' for rule '100100'.
I'll have to look into that in a bit, have a meeting to run too.
-
@DustinB3403 said in Wazuh - operational and can add agents - now what:
@IRJ so I can't start the wazuh-manager because
ossec-analysisd: ERROR: Invalid option 'frequency' for rule '100100'.
I'll have to look into that in a bit, have a meeting to run too.
2-9999 are allowed values
https://documentation.wazuh.com/3.10/user-manual/ruleset/ruleset-xml-syntax/rules.html
-
@DustinB3403 said in Wazuh - operational and can add agents - now what:
@IRJ so I can't start the wazuh-manager because
ossec-analysisd: ERROR: Invalid option 'frequency' for rule '100100'.
I'll have to look into that in a bit, have a meeting to run too.
I made an error writing the rule. frequency and timeframe go up next to rule_id and level. I edited my previous post and fixed it. Just like rule 5703 here: https://github.com/wazuh/wazuh-ruleset/blob/master/rules/0095-sshd_rules.xml
-
Starting Wazuh manager...
env[11414]: 2019/12/11 13:57:27 ossec-analysisd: CRITICAL: rules_list: Signature ID '13202' not found. Invalid 'if_sid'.
env[11414]: ossec-analysisd: Configuration error. Exiting
systemd[1]: wazuh-manager.service: Control process exited, code=exited status=1
systemd[1]: wazuh-manager.service: Failed with result 'exit-code'.
systemd[1]: Failed to start Wazuh manager.
-
13202 > 9999,
@IRJ said in Wazuh - operational and can add agents - now what:
2-9999 are allowed values
https://documentation.wazuh.com/3.10/user-manual/ruleset/ruleset-xml-syntax/rules.html
-
@Dashrender said in Wazuh - operational and can add agents - now what:
13202 > 9999,
@IRJ said in Wazuh - operational and can add agents - now what:
2-9999 are allowed values
https://documentation.wazuh.com/3.10/user-manual/ruleset/ruleset-xml-syntax/rules.html
13202 is the rule number not frequency or timeframe
-
@DustinB3403 said in Wazuh - operational and can add agents - now what:
Starting Wazuh manager...
env[11414]: 2019/12/11 13:57:27 ossec-analysisd: CRITICAL: rules_list: Signature ID '13202' not found. Invalid 'if_sid'.
env[11414]: ossec-analysisd: Configuration error. Exiting
systemd[1]: wazuh-manager.service: Control process exited, code=exited status=1
systemd[1]: wazuh-manager.service: Failed with result 'exit-code'.
systemd[1]: Failed to start Wazuh manager.
Does rule 13202 not exist? You should be able to find it in your rules folder in the 0200-smbd_rules.xml file.
-
Starting Wazuh manager...
env[11593]: 2019/12/11 15:11:32 ossec-analysisd: CRITICAL: rules_list: Signature ID '9999' not found. Invalid 'if_sid'.
env[11593]: ossec-analysisd: Configuration error. Exiting
systemd[1]: wazuh-manager.service: Control process exited, code=exited status=1
systemd[1]: wazuh-manager.service: Failed with result 'exit-code'.
systemd[1]: Failed to start Wazuh manager.
-
@DustinB3403 said in Wazuh - operational and can add agents - now what:
Starting Wazuh manager...
env[11593]: 2019/12/11 15:11:32 ossec-analysisd: CRITICAL: rules_list: Signature ID '9999' not found. Invalid 'if_sid'.
env[11593]: ossec-analysisd: Configuration error. Exiting
systemd[1]: wazuh-manager.service: Control process exited, code=exited status=1
systemd[1]: wazuh-manager.service: Failed with result 'exit-code'.
systemd[1]: Failed to start Wazuh manager.
Oh, I made a typo! It's supposed to be 13102.
-
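The two manager start-up failures in this thread (frequency/timeframe written as child tags instead of rule attributes, and an if_sid that points at a rule ID that does not exist) can both be caught before restarting wazuh-manager. The script below is an added example for that purpose; it is not code from the thread or from the Wazuh project. It scans the shipped ruleset for rule IDs, parses a custom rule file, and reports errors in the same wording analysisd used above. The 2-9999 frequency limit is taken from the thread, the 100000+ custom-ID range and the attribute names are assumptions, and the embedded "shipped" rule and the three rule versions are constructed so it runs without a Wazuh install.

```python
"""Pre-flight check for a custom Wazuh rule file (added example, not Wazuh code).

Catches offline the two failures seen in the thread:
  ossec-analysisd: ERROR: Invalid option 'frequency' for rule '100100'.
  ossec-analysisd: CRITICAL: rules_list: Signature ID '13202' not found. Invalid 'if_sid'.
A clean result is a sanity pass only; analysisd checks more than this.
"""
import re
import xml.etree.ElementTree as ET
from pathlib import Path

RULES_DIR = Path("/var/ossec/rules")            # shipped ruleset: read only, never edit
LOCAL_RULES_DIR = Path("/var/ossec/etc/rules")  # custom rule files go here

# Assumptions (not verified against analysisd source): these are <rule> attributes,
# frequency is 2-9999 as stated in the thread, user rule IDs start at 100000.
RULE_ATTRIBUTES = {"level", "frequency", "timeframe"}
FREQ_MIN, FREQ_MAX = 2, 9999
CUSTOM_ID_MIN = 100000

_ID_RE = re.compile(r'<rule\s+[^>]*\bid="(\d+)"')


def collect_rule_ids(xml_texts):
    """Return the set of <rule id="..."> values found in the given file contents."""
    ids = set()
    for text in xml_texts:
        ids.update(int(m) for m in _ID_RE.findall(text))
    return ids


def load_shipped_rule_ids(rules_dir=RULES_DIR):
    """IDs from the shipped ruleset; empty set when run away from a manager."""
    if not rules_dir.is_dir():
        return set()
    return collect_rule_ids(p.read_text(errors="replace") for p in rules_dir.glob("*.xml"))


def validate_local_rules(xml_text, known_ids):
    """Return analysisd-style error strings; an empty list means it should load."""
    errors = []
    # A rule file holds several top-level <group> elements plus comments,
    # so wrap it in one root element before parsing.
    root = ET.fromstring("<root>" + xml_text + "</root>")
    visible = set(known_ids) | collect_rule_ids([xml_text])
    for rule in root.iter("rule"):
        rid = rule.get("id", "?")
        if rule.get("level") is None:
            errors.append(f"Rule '{rid}' has no level attribute")
        # level/frequency/timeframe as child tags: the thread's first failure
        for child in rule:
            if child.tag in RULE_ATTRIBUTES:
                errors.append(f"Invalid option '{child.tag}' for rule '{rid}'")
        freq = rule.get("frequency")
        if freq is not None and not (freq.isdigit() and FREQ_MIN <= int(freq) <= FREQ_MAX):
            errors.append(f"Invalid frequency '{freq}' for rule '{rid}' (allowed {FREQ_MIN}-{FREQ_MAX})")
        timeframe = rule.get("timeframe")
        if timeframe is not None and not (timeframe.isdigit() and int(timeframe) > 0):
            errors.append(f"Invalid timeframe '{timeframe}' for rule '{rid}'")
        # if_sid / if_matched_sid must name IDs that exist: the second failure
        for tag in ("if_sid", "if_matched_sid"):
            for elem in rule.findall(tag):
                for sid in (elem.text or "").split(","):
                    sid = sid.strip()
                    if sid and not (sid.isdigit() and int(sid) in visible):
                        errors.append(f"Signature ID '{sid}' not found. Invalid '{tag}'.")
        if rid.isdigit() and int(rid) < CUSTOM_ID_MIN:
            errors.append(f"Rule '{rid}' is below {CUSTOM_ID_MIN}; it may collide with a shipped rule")
    return errors


# Constructed stand-in for the shipped smbd rules (the real file is
# /var/ossec/rules/0200-smbd_rules.xml); only the ID matters here.
SHIPPED_STANDIN = [
    '<group name="smbd,"><rule id="13102" level="5">'
    '<description>stand-in for the shipped SMB failed-access rule</description>'
    '</rule></group>'
]

# The three versions of the custom rule the thread went through, in order.
BROKEN_RULE = """<group name="smb_security_correlations,">
  <rule id="100100" level="8">
    <if_sid>13102</if_sid>
    <frequency>6</frequency>
    <timeframe>360</timeframe>
    <description>Multiple Failed Attempts on SMB Share</description>
  </rule>
</group>"""
TYPO_RULE = """<group name="smb_security_correlations,">
  <rule id="100100" level="8" frequency="6" timeframe="360">
    <if_sid>13202</if_sid>
    <description>Multiple Failed Attempts on SMB Share</description>
  </rule>
</group>"""
GOOD_RULE = TYPO_RULE.replace("13202", "13102")

if __name__ == "__main__":
    known = load_shipped_rule_ids() or collect_rule_ids(SHIPPED_STANDIN)
    for name, text in (("broken", BROKEN_RULE), ("typo", TYPO_RULE), ("good", GOOD_RULE)):
        print(name, validate_local_rules(text, known) or ["OK"])
```

On a manager, pass the contents of your file under /var/ossec/etc/rules to validate_local_rules together with load_shipped_rule_ids(); run it as root (or any user that can read /var/ossec/rules) before the systemctl restart, and only restart once the list comes back empty.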
@IRJ so a lot of this works out of the box. One question I have is: how the heck do I get the details of specific events?
In the below I specifically failed a login attempt a few times. How can I find out what client was attempting to log in to this server and failed?
-
Or, I guess an even better question: is there some free training on Wazuh? I did a very brief search and found a few things, but it's all over the place as to what may be useful.
-
@DustinB3403 said in Wazuh - operational and can add agents - now what:
@IRJ so a lot of this works out of the box. One question I have is: how the heck do I get the details of specific events?
In the below I specifically failed a login attempt a few times. How can I find out what client was attempting to log in to this server and failed?
So you already filtered it. Just click Discover at the top right.
-
@DustinB3403 said in Wazuh - operational and can add agents - now what:
Or, I guess an even better question: is there some free training on Wazuh? I did a very brief search and found a few things, but it's all over the place as to what may be useful.
Nope. I should make a course on Udemy, though.
-
@IRJ said in Wazuh - operational and can add agents - now what:
So you already filtered it. Just click Discover at the top right.
Doh, that is so easy that I didn't even think that was it.