Solved Wazuh - operational and can add agents - now what
-
So I got Wazuh setup and is operational with a few sample agents that I've setup, logs are going to Wazuh and I can see different events from each of my agents.
Now what should I setup with this, I'm looking to filter out more specifically failed attempts to access resources provided from these systems, specifically SMB shares, but expect to need to filter more.
I'm open to pointers.
-
First place I would start is wazuh rules. You can see what rules are setup by default.
https://github.com/wazuh/wazuh-ruleset/tree/master/rules
Then I would look for SMB rules
https://github.com/wazuh/wazuh-ruleset/blob/master/rules/0200-smbd_rules.xml
And I would look and see what alerts interest me
<rule id="13102" level="5">
  <if_sid>13100</if_sid>
  <match>Denied connection from|Connection denied from</match>
  <description>Samba connection denied.</description>
  <group>access_denied,pci_dss_10.2.4,gdpr_IV_35.7.d,hipaa_164.312.b,nist_800_53_AU.14,nist_800_53_AC.7,</group>
</rule>

<rule id="13104" level="5">
  <if_sid>13100</if_sid>
  <match>Permission denied--</match>
  <description>Samba: User action denied by configuration.</description>
  <group>access_denied,pci_dss_10.2.4,pci_dss_10.2.5,gdpr_IV_35.7.d,gdpr_IV_32.2,hipaa_164.312.b,nist_800_53_AU.14,nist_800_53_AC.7,</group>
</rule>

<rule id="13110" level="3">
  <if_sid>13100</if_sid>
  <match>Connection denied from</match>
  <description>Samba: Connection was denied.</description>
  <group>pci_dss_10.2.4,gdpr_IV_35.7.d,hipaa_164.312.b,nist_800_53_AU.14,nist_800_53_AC.7,</group>
</rule>
-
@IRJ How are rulesets installed?
-
None of those rules displayed is a true correlation like you are looking to do.
So you need to go to /var/ossec/etc/rules and create a new file called smb_security_correlations.xml
Note: I like to specify rule ranges and make notes in my custom rule files

<!-- ################################### -->
<!-- # SMB Security Correlations # -->
<!-- ################################### -->
<!-- ################################### -->
<!-- # Rule numbers 100100 - 100150 # -->
<!-- ################################### -->
<group name="smb_security_correlations,">
  <rule id="100100" level="8" frequency="6" timeframe="360">
    <if_sid>13102</if_sid>
    <description>Multiple Failed Attempts on SMB Share</description>
    <group>smb_security_correlations,</group>
  </rule>
</group>
This will create a level 8 alert if there are 5 failed attempts within a 90 second time frame.
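As an added illustration (not part of the thread and not Wazuh's own code), the Python below models what a frequency/timeframe rule does: it applies the rule 13102 match pattern to constructed smbd log lines, keeps a sliding window of timeframe seconds, and raises the level 8 alert once frequency matches land in it. It counts per client address, which is what adding <same_source_ip /> to the rule would do (the rule as written counts all matches together), so it also shows where the refusing client's address comes from; the threshold is a plain count, and the analysis engine's exact counting is described in the Wazuh rules syntax documentation.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed smbd log lines (not from the thread); timestamps use the
# "YYYY/MM/DD HH:MM:SS" layout seen in the ossec-analysisd messages above.
SAMPLE_LOGS = """\
2019/12/11 13:50:01 smbd[2101]: Denied connection from (192.0.2.10)
2019/12/11 13:50:40 smbd[2101]: Denied connection from (192.0.2.10)
2019/12/11 13:51:00 smbd[2101]: Denied connection from (192.0.2.20)
2019/12/11 13:51:15 smbd[2101]: Denied connection from (192.0.2.10)
2019/12/11 13:51:30 smbd[2101]: connect to service share initially as user bob
2019/12/11 13:52:02 smbd[2101]: Connection denied from 192.0.2.10
2019/12/11 13:53:30 smbd[2101]: Denied connection from (192.0.2.10)
2019/12/11 13:54:50 smbd[2101]: Denied connection from (192.0.2.10)
2019/12/11 13:56:00 smbd[2101]: Denied connection from (192.0.2.20)
"""

MATCH_13102 = re.compile(r"Denied connection from|Connection denied from")  # rule 13102 <match>
CLIENT_RE = re.compile(r"from \(?(\d{1,3}(?:\.\d{1,3}){3})\)?")            # client address after "from"
FREQUENCY, TIMEFRAME = 6, 360  # rule 100100: frequency="6" timeframe="360" (seconds)

def parse_line(line):
    """Return (timestamp, client_ip) for a line rule 13102 would match, else None."""
    if not MATCH_13102.search(line):
        return None
    ts = datetime.strptime(line[:19], "%Y/%m/%d %H:%M:%S")
    m = CLIENT_RE.search(line)
    return ts, (m.group(1) if m else "unknown")

def correlate(lines, frequency=FREQUENCY, timeframe=TIMEFRAME):
    """Sliding window per client: alert once `frequency` 13102 matches from the
    same client fall within `timeframe` seconds (the <same_source_ip /> case)."""
    windows = defaultdict(deque)
    alerts = []
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, client = parsed
        win = windows[client]
        win.append(ts)
        while ts - win[0] > timedelta(seconds=timeframe):  # drop matches that aged out
            win.popleft()
        if len(win) >= frequency:
            alerts.append({"rule": 100100, "level": 8, "client": client,
                           "count": len(win), "last_seen": ts.isoformat()})
            win.clear()  # one burst produces one alert
    return alerts
```

Running correlate(SAMPLE_LOGS.splitlines()) yields a single alert for 192.0.2.10 (six matches in 289 seconds); the two refusals from 192.0.2.20 never reach the threshold.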
-
@DustinB3403 said in Wazuh - operational and can add agents - now what:
@IRJ How are rulesets installed?
They are in your /var/ossec/rules directory. You should not change those rules ever. Any new rules, you will need to put in /var/ossec/etc/rules like I explained in the previous post.
-
Okay, so I've added that file to /var/ossec/etc/rules and entered what you provided (probably should verify that for my own sanity). Do I need to "enable" it or refresh the rules?
-
@DustinB3403 said in Wazuh - operational and can add agents - now what:
Okay, so I've added that file to /var/ossec/etc/rules and entered what you provided (probably should verify that for my own sanity). Do I need to "enable" it or refresh the rules?
You need to restart the wazuh manager and agents
You can restart agents from the manager by using this command
/var/ossec/bin/agent_control -R -a
You can restart wazuh-manager by using
systemctl restart wazuh-manager
-
@IRJ so I can't start the wazuh-manager because
ossec-analysisd: ERROR: Invalid option 'frequency' for rule '100100'.
I'll have to look into that in a bit, have a meeting to run too.
-
@DustinB3403 said in Wazuh - operational and can add agents - now what:
@IRJ so I can't start the wazuh-manager because
ossec-analysisd: ERROR: Invalid option 'frequency' for rule '100100'.
I'll have to look into that in a bit, have a meeting to run too.
2-9999 are allowed values
https://documentation.wazuh.com/3.10/user-manual/ruleset/ruleset-xml-syntax/rules.html
-
@DustinB3403 said in Wazuh - operational and can add agents - now what:
@IRJ so I can't start the wazuh-manager because
ossec-analysisd: ERROR: Invalid option 'frequency' for rule '100100'.
I'll have to look into that in a bit, have a meeting to run too.
I made an error writing the rule. frequency and timeframe go up next to rule_id and level. I edited my previous post and fixed it. Just like rule 5703 here https://github.com/wazuh/wazuh-ruleset/blob/master/rules/0095-sshd_rules.xml
-
Starting Wazuh manager...
env[11414]: 2019/12/11 13:57:27 ossec-analysisd: CRITICAL: rules_list: Signature ID '13202' not found. Invalid 'if_sid'.
env[11414]: ossec-analysisd: Configuration error. Exiting
systemd[1]: wazuh-manager.service: Control process exited, code=exited status=1
systemd[1]: wazuh-manager.service: Failed with result 'exit-code'.
systemd[1]: Failed to start Wazuh manager.
-
13202 > 9999,
@IRJ said in Wazuh - operational and can add agents - now what:
2-9999 are allowed values
https://documentation.wazuh.com/3.10/user-manual/ruleset/ruleset-xml-syntax/rules.html
-
@Dashrender said in Wazuh - operational and can add agents - now what:
13202 > 9999,
@IRJ said in Wazuh - operational and can add agents - now what:
2-9999 are allowed values
https://documentation.wazuh.com/3.10/user-manual/ruleset/ruleset-xml-syntax/rules.html
13202 is the rule number not frequency or timeframe
-
@DustinB3403 said in Wazuh - operational and can add agents - now what:
Starting Wazuh manager...
env[11414]: 2019/12/11 13:57:27 ossec-analysisd: CRITICAL: rules_list: Signature ID '13202' not found. Invalid 'if_sid'.
env[11414]: ossec-analysisd: Configuration error. Exiting
systemd[1]: wazuh-manager.service: Control process exited, code=exited status=1
systemd[1]: wazuh-manager.service: Failed with result 'exit-code'.
systemd[1]: Failed to start Wazuh manager.
Does rule 13202 not exist? You should be able to find it in your rules folder under the 0200-smbd_rules.xml file.
-
Starting Wazuh manager...
env[11593]: 2019/12/11 15:11:32 ossec-analysisd: CRITICAL: rules_list: Signature ID '9999' not found. Invalid 'if_sid'.
env[11593]: ossec-analysisd: Configuration error. Exiting
systemd[1]: wazuh-manager.service: Control process exited, code=exited status=1
systemd[1]: wazuh-manager.service: Failed with result 'exit-code'.
systemd[1]: Failed to start Wazuh manager.
-
@DustinB3403 said in Wazuh - operational and can add agents - now what:
Starting Wazuh manager...
env[11593]: 2019/12/11 15:11:32 ossec-analysisd: CRITICAL: rules_list: Signature ID '9999' not found. Invalid 'if_sid'.
env[11593]: ossec-analysisd: Configuration error. Exiting
systemd[1]: wazuh-manager.service: Control process exited, code=exited status=1
systemd[1]: wazuh-manager.service: Failed with result 'exit-code'.
systemd[1]: Failed to start Wazuh manager.
Oh I made a typo! It's supposed to be 13102
-
@IRJ so a lot of this works out of the box, one question I have is how the heck do I get the details of specific events.
In the below I specifically failed a login attempt a few times. How can I find out what client was attempting to login to this server and failed?
-
Or I guess an even better question is there some free training on wazuh? I did a very brief search and found a few things, but it's all over the place as to what may be useful.
-
@DustinB3403 said in Wazuh - operational and can add agents - now what:
@IRJ so a lot of this works out of the box, one question I have is how the heck do I get the details of specific events.
In the below I specifically failed a login attempt a few times. How can I find out what client was attempting to login to this server and failed?
So you already filtered it. Just click discover on top right