    Wazuh - Configuring Custom Rules Based on Hostname

    IT Discussion
    wazuh siem
    IRJ (last edited by scottalanmiller):

      We want to edit /var/ossec/etc/rules/local_rules.xml

      sudo nano /var/ossec/etc/rules/local_rules.xml
      

      Our file should look like this:

      <!-- Local rules -->
       
      <!-- Modify it at your will. -->
      <!-- Copyright (C) 2015-2019, Wazuh Inc. -->
       
      <!-- Example -->
      <group name="local,syslog,sshd,">
       
        <!--
        Dec 10 01:02:02 host sshd[1234]: Failed none for root from 1.1.1.1
        -->
        <rule id="100001" level="5">
          <if_sid>5716</if_sid>
          <srcip>1.1.1.1</srcip>
          <description>sshd: authentication failed from IP 1.1.1.1.</description>
          <group>authentication_failed,pci_dss_10.2.4,pci_dss_10.2.5,</group>
        </rule>
       
      </group>
      

      Let’s take a look at the current rule 5402 for privilege escalation so we can create the child rule

      ** Alert 1555331931.323394: - syslog,sudo,pci_dss_10.2.5,pci_dss_10.2.2,gpg13_7.6,gpg13_7.8,gpg13_7.13,gdpr_IV_32.2,
      2019 Apr 15 12:38:51 (jupiter) 192.168.122.252->/var/log/auth.log
      Rule: 5402 (level 3) -> 'Successful sudo to ROOT executed'
      User: root
      Apr 15 12:38:51 jupiter sudo:     joel : TTY=pts/1 ; PWD=/home/joel ; USER=root ; COMMAND=/usr/bin/docker run -it ubuntu
      tty: pts/1
      pwd: /home/joel
      command: /usr/bin/docker run -it ubuntu
      

      This is the information we want, but the severity level is only 3. That is fine on most servers, but privilege escalation is more severe on docker containers so we actually want to make it a 12 without affecting other servers.

      Add the Child Rule

      sudo nano /var/ossec/etc/rules/local_rules.xml
      

      Add this to the bottom of the file. Replace jupiter|saturn
      with the hostnames of your docker hosts.

      
      <group name="local,syslog,sshd,">
       
        <rule id="100023" level="12">
          <if_sid>5402</if_sid>
          <hostname>jupiter|saturn</hostname>
          <description>Privelege Escalation on Docker Host!!!</description>
        </rule>
       
      </group>
      

      Save and exit nano.

      Verify the rule is processing properly

      Go to your docker host and run a command using sudo. This should generate our typical 5402 alert.

      Now pull the alert from the .json file

      cat /var/ossec/logs/alerts/alerts.json | grep "\"5402\"" | head -n1 | python -m json.tool | grep full_log | cut -d "\"" -f4
      

      You should get output similar to this:

      Apr 15 12:38:51 jupiter sudo: joel : TTY=pts/1 ; PWD=/home/joel ; USER=root ; COMMAND=/usr/bin/docker run -it ubuntu
      

      Now copy that output and paste it into the log test tool:

      /var/ossec/bin/ossec-logtest
      

      If executed properly, you should get this:

      **Phase 1: Completed pre-decoding.
             full event: 'Apr 15 12:38:51 jupiter sudo:     joel : TTY=pts/1 ; PWD=/home/joel ; USER=root ; COMMAND=/usr/bin/docker run -it ubuntu'
             timestamp: 'Apr 15 12:38:51'
             hostname: 'jupiter'
             program_name: 'sudo'
             log: '    joel : TTY=pts/1 ; PWD=/home/joel ; USER=root ; COMMAND=/usr/bin/docker run -it ubuntu'
       
      **Phase 2: Completed decoding.
             decoder: 'sudo'
             srcuser: 'joel'
             tty: 'pts/1'
             pwd: '/home/joel'
             dstuser: 'root'
             command: '/usr/bin/docker run -it ubuntu'
       
      **Phase 3: Completed filtering (rules).
             Rule id: '100023'
             Level: '12'
             Description: 'Privelege Escalation on Docker Host!!!'
      **Alert to be generated.
      

      Restart Wazuh Manager

      sudo systemctl restart wazuh-manager
      

      Test generating the alert using any sudo command.
      Enjoy your new alert 🙂

      ** Alert 1555351056.962538: mail  - local,syslog,sshd,
      2019 Apr 15 17:57:36 (jupiter) 192.168.122.252->/var/log/auth.log
      Rule: 100023 (level 12) -> 'Privelege Escalation on Docker Host!!!'
      User: root
      Apr 15 17:57:35 jupiter sudo:     joel : TTY=pts/0 ; PWD=/home ; USER=root ; COMMAND=/bin/nano text
      tty: pts/0
      pwd: /home
      command: /bin/nano text
      


      Testing on a server not listed in the rule

      I ssh into my lab server mercury and run a sudo command from there. Since it is not jupiter or saturn, as we set in our rule, it did not trigger the custom Wazuh rule.

      ** Alert 1555354943.969236: - syslog,sudo,pci_dss_10.2.5,pci_dss_10.2.2,gpg13_7.6,gpg13_7.8,gpg13_7.13,gdpr_IV_32.2,
      2019 Apr 15 19:02:23 (mercury) 192.168.122.86->/var/log/auth.log
      Rule: 5402 (level 3) -> 'Successful sudo to ROOT executed'
      User: root
      Apr 15 15:02:21 mercury sudo:     joel : TTY=pts/0 ; PWD=/home/joel ; USER=root ; COMMAND=/usr/bin/apt install glances
      tty: pts/0
      pwd: /home/joel
      command: /usr/bin/apt install glances
      
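As an added example (not part of the post or of Wazuh itself), here is a small Python approximation of what ossec-logtest shows above: pre-decode the syslog line, decode the sudo fields, match the stock 5402 rule, then overlay the child rule 100023 when the hostname matches. The decoder regexes and the simplified 5402 condition (sudo to root) are assumptions; the hostname matching mimics Wazuh's OS_Match semantics, where `|` is OR and the pattern is unanchored.

```python
import re

# Assumed approximation of Wazuh's syslog pre-decoder and sudo decoder.
SYSLOG_RE = re.compile(
    r"^(?P<timestamp>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<hostname>\S+) "
    r"(?P<program_name>[^:\[ ]+)(?:\[\d+\])?: (?P<log>.*)$"
)
SUDO_RE = re.compile(
    r"^\s*(?P<srcuser>\S+) : TTY=(?P<tty>\S+) ; PWD=(?P<pwd>\S+) ; "
    r"USER=(?P<dstuser>\S+) ; COMMAND=(?P<command>.*)$"
)

# Stock rule 5402 (simplified to "sudo decoded and target user is root")
# plus the thread's child rule 100023.
BASE_RULE = {"id": "5402", "level": 3, "description": "Successful sudo to ROOT executed"}
CHILD_RULE = {"id": "100023", "level": 12, "if_sid": "5402", "hostname": "jupiter|saturn",
              "description": "Privelege Escalation on Docker Host!!!"}


def decode(line):
    """Phase 1 + Phase 2: split the syslog header, then the sudo fields."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    event = m.groupdict()
    if event["program_name"] == "sudo":
        s = SUDO_RE.match(event["log"])
        if s:
            event.update(s.groupdict())
            event["decoder"] = "sudo"
    return event


def hostname_matches(pattern, hostname):
    """OS_Match-style: '|' separates alternatives, each is unanchored unless
    written with ^/$. So 'jupiter|saturn' also matches a host 'jupiter2'."""
    return any(re.search(alt, hostname) for alt in pattern.split("|"))


def evaluate(line):
    """Phase 3: return the alert dict the child rule would produce, or None."""
    event = decode(line)
    if not event or event.get("decoder") != "sudo" or event["dstuser"] != "root":
        return None
    alert = dict(BASE_RULE, hostname=event["hostname"], command=event["command"])
    if CHILD_RULE["if_sid"] == alert["id"] and hostname_matches(CHILD_RULE["hostname"], event["hostname"]):
        alert.update(id=CHILD_RULE["id"], level=CHILD_RULE["level"], description=CHILD_RULE["description"])
    return alert
```

Use `^jupiter$|^saturn$` in the real rule if you want exact hostnames only; the unanchored form silently widens the match to any host whose name contains those strings.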
    IRJ:

        It sucks that you can't create rules by group yet. The devs have submitted a feature request for it on my behalf so hopefully soon 🙂
