Solved Wazuh - operational and can add agents - now what
-
First place I would start is wazuh rules. You can see what rules are setup by default.
https://github.com/wazuh/wazuh-ruleset/tree/master/rules
Then I would look for SMB rules
https://github.com/wazuh/wazuh-ruleset/blob/master/rules/0200-smbd_rules.xml
And I would look and see what alerts interest me
<rule id="13102" level="5">
  <if_sid>13100</if_sid>
  <match>Denied connection from|Connection denied from</match>
  <description>Samba connection denied.</description>
  <group>access_denied,pci_dss_10.2.4,gdpr_IV_35.7.d,hipaa_164.312.b,nist_800_53_AU.14,nist_800_53_AC.7,</group>
</rule>

<rule id="13104" level="5">
  <if_sid>13100</if_sid>
  <match>Permission denied--</match>
  <description>Samba: User action denied by configuration.</description>
  <group>access_denied,pci_dss_10.2.4,pci_dss_10.2.5,gdpr_IV_35.7.d,gdpr_IV_32.2,hipaa_164.312.b,nist_800_53_AU.14,nist_800_53_AC.7,</group>
</rule>

<rule id="13110" level="3">
  <if_sid>13100</if_sid>
  <match>Connection denied from</match>
  <description>Samba: Connection was denied.</description>
  <group>pci_dss_10.2.4,gdpr_IV_35.7.d,hipaa_164.312.b,nist_800_53_AU.14,nist_800_53_AC.7,</group>
</rule>
-
@IRJ How are rulesets installed?
-
None of those rules displayed is a true correlation like you are looking to do.
So you need to go to
/var/ossec/etc/rules
and create a new file called smb_security_correlations.xml
Note: I like to specify rule ranges and make notes in my custom rule files
<!-- ################################### -->
<!-- # SMB Security Correlations       # -->
<!-- ################################### -->
<!-- ################################### -->
<!-- # Rule numbers 100100 - 100150    # -->
<!-- ################################### -->
<group name="smb_security_correlations,">
  <rule id="100100" level="8" frequency="6" timeframe="360">
    <if_sid>13102</if_sid>
    <description>Multiple Failed Attempts on SMB Share</description>
    <group>smb_security_correlations,</group>
  </rule>
</group>
This will create a level 8 alert if there are 5 failed attempts within a 90 second time frame.
-
@DustinB3403 said in Wazuh - operational and can add agents - now what:
@IRJ How are rulesets installed?
They are in your
/var/ossec/rules
directory. You should not change those rules ever. Any new rules you will need to put in
/var/ossec/etc/rules
like I explained in the previous post.
-
Okay, so I've added that file to
/var/ossec/etc/rules
and entered what you provided (probably should verify that for my own sanity). Do I need to "enable" it or refresh the rules?
-
@DustinB3403 said in Wazuh - operational and can add agents - now what:
Okay, so I've added that file to
/var/ossec/etc/rules
and entered what you provided (probably should verify that for my own sanity). Do I need to "enable" it or refresh the rules?
You need to restart the Wazuh manager and agents.
You can restart agents from the manager by using this command
/var/ossec/bin/agent_control -R -a
You can restart wazuh-manager by using
systemctl restart wazuh-manager
-
@IRJ so I can't start the wazuh-manager because
ossec-analysisd: ERROR: Invalid option 'frequency' for rule '100100'.
I'll have to look into that in a bit, have a meeting to run too.
-
@DustinB3403 said in Wazuh - operational and can add agents - now what:
@IRJ so I can't start the wazuh-manager because
ossec-analysisd: ERROR: Invalid option 'frequency' for rule '100100'.
I'll have to look into that in a bit, have a meeting to run too.
2-9999 are allowed values
https://documentation.wazuh.com/3.10/user-manual/ruleset/ruleset-xml-syntax/rules.html
-
@DustinB3403 said in Wazuh - operational and can add agents - now what:
@IRJ so I can't start the wazuh-manager because
ossec-analysisd: ERROR: Invalid option 'frequency' for rule '100100'.
I'll have to look into that in a bit, have a meeting to run too.
I made an error writing the rule. frequency and timeframe go up next to rule_id and level. I edited my previous post and fixed it. Just like rule 5703 here: https://github.com/wazuh/wazuh-ruleset/blob/master/rules/0095-sshd_rules.xml
-
Starting Wazuh manager...
env[11414]: 2019/12/11 13:57:27 ossec-analysisd: CRITICAL: rules_list: Signature ID '13202' not found. Invalid 'if_sid'.
env[11414]: ossec-analysisd: Configuration error. Exiting
systemd[1]: wazuh-manager.service: Control process exited, code=exited status=1
systemd[1]: wazuh-manager.service: Failed with result 'exit-code'.
systemd[1]: Failed to start Wazuh manager.
-
13202 > 9999,
@IRJ said in Wazuh - operational and can add agents - now what:
2-9999 are allowed values
https://documentation.wazuh.com/3.10/user-manual/ruleset/ruleset-xml-syntax/rules.html
-
@Dashrender said in Wazuh - operational and can add agents - now what:
13202 > 9999,
@IRJ said in Wazuh - operational and can add agents - now what:
2-9999 are allowed values
https://documentation.wazuh.com/3.10/user-manual/ruleset/ruleset-xml-syntax/rules.html
13202 is the rule number not frequency or timeframe
-
@DustinB3403 said in Wazuh - operational and can add agents - now what:
Starting Wazuh manager...
env[11414]: 2019/12/11 13:57:27 ossec-analysisd: CRITICAL: rules_list: Signature ID '13202' not found. Invalid 'if_sid'.
env[11414]: ossec-analysisd: Configuration error. Exiting
systemd[1]: wazuh-manager.service: Control process exited, code=exited status=1
systemd[1]: wazuh-manager.service: Failed with result 'exit-code'.
systemd[1]: Failed to start Wazuh manager.
Does rule 13202 not exist? You should be able to find it in your rules folder under the 0200-smbd_rules.xml file.
-
Starting Wazuh manager...
env[11593]: 2019/12/11 15:11:32 ossec-analysisd: CRITICAL: rules_list: Signature ID '9999' not found. Invalid 'if_sid'.
env[11593]: ossec-analysisd: Configuration error. Exiting
systemd[1]: wazuh-manager.service: Control process exited, code=exited status=1
systemd[1]: wazuh-manager.service: Failed with result 'exit-code'.
systemd[1]: Failed to start Wazuh manager.
-
@DustinB3403 said in Wazuh - operational and can add agents - now what:
Starting Wazuh manager...
env[11593]: 2019/12/11 15:11:32 ossec-analysisd: CRITICAL: rules_list: Signature ID '9999' not found. Invalid 'if_sid'.
env[11593]: ossec-analysisd: Configuration error. Exiting
systemd[1]: wazuh-manager.service: Control process exited, code=exited status=1
systemd[1]: wazuh-manager.service: Failed with result 'exit-code'.
systemd[1]: Failed to start Wazuh manager.
Oh, I made a typo! It's supposed to be 13102.
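As an added example, not code from this thread or from Wazuh itself: a small Python linter for a custom rule file that flags the mistakes hit above (frequency/timeframe written as child elements, a frequency outside 2-9999, and an if_sid pointing at a rule id that does not exist) before the manager is restarted. It assumes the stock rule files are read from /var/ossec/rules and the custom file from /var/ossec/etc/rules; the embedded snippets are constructed stand-ins for 0200-smbd_rules.xml and the correlation rule.

```python
import xml.etree.ElementTree as ET

def _parse(text: str) -> ET.Element:
    # Rule files hold comments and several <group> elements; wrap them in one root to parse.
    return ET.fromstring(f"<root>{text}</root>")

def collect_rule_ids(*rule_texts: str) -> set[str]:
    """Rule ids defined by the stock ruleset (contents of the files under /var/ossec/rules)."""
    return {r.attrib["id"] for t in rule_texts for r in _parse(t).iter("rule") if "id" in r.attrib}

def lint_custom_rules(text: str, known_ids: set[str]) -> list[str]:
    """Return the problems ossec-analysisd would refuse to load this file for."""
    root = _parse(text)
    ids_here = {r.attrib.get("id") for r in root.iter("rule")}
    problems = []
    for rule in root.iter("rule"):
        rid = rule.attrib.get("id", "?")
        # "Invalid option 'frequency' for rule ..." -- option written as a child element
        for child in rule:
            if child.tag in ("frequency", "timeframe"):
                problems.append(f"rule {rid}: <{child.tag}> must be an attribute of <rule>")
        freq = rule.attrib.get("frequency")  # documented range 2-9999
        if freq is not None and not (freq.isdigit() and 2 <= int(freq) <= 9999):
            problems.append(f"rule {rid}: frequency '{freq}' outside 2-9999")
        tf = rule.attrib.get("timeframe")  # seconds
        if tf is not None and not tf.isdigit():
            problems.append(f"rule {rid}: timeframe '{tf}' is not an integer")
        if not (rid.isdigit() and 100000 <= int(rid) <= 120000):  # range Wazuh reserves for local rules
            problems.append(f"rule {rid}: id outside custom range 100000-120000")
        # "Signature ID 'X' not found. Invalid 'if_sid'" -- every referenced parent must exist
        for el in rule.findall("if_sid"):
            for sid in (s.strip() for s in (el.text or "").split(",") if s.strip()):
                if sid not in known_ids and sid not in ids_here:
                    problems.append(f"rule {rid}: if_sid '{sid}' not found in ruleset")
    return problems

# Constructed stand-in for 0200-smbd_rules.xml holding only the ids this thread uses
STOCK_SMB = """<group name="syslog,smbd,">
  <rule id="13100" level="0"><decoded_as>smbd</decoded_as><description>Samba grouped.</description></rule>
  <rule id="13102" level="5"><if_sid>13100</if_sid><match>Connection denied from</match>
    <description>Samba connection denied.</description></rule>
</group>"""
GOOD = """<group name="smb_security_correlations,">
  <rule id="100100" level="8" frequency="6" timeframe="360"><if_sid>13102</if_sid>
    <description>Multiple Failed Attempts on SMB Share</description></rule>
</group>"""
BROKEN = GOOD.replace(' frequency="6" timeframe="360"', "").replace(
    "<if_sid>", "<frequency>6</frequency><timeframe>360</timeframe><if_sid>")
TYPO = GOOD.replace("13102", "13202")  # the mistyped parent id from the thread
```

Run it against the real files (`collect_rule_ids(*[p.read_text() for p in Path("/var/ossec/rules").glob("*.xml")])`) before `systemctl restart wazuh-manager` to catch a bad custom file without taking the manager down.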
-
@IRJ so a lot of this works out of the box, one question I have is how the heck do I get the details of specific events.
In the below I specifically failed a login attempt a few times. How can I find out what client was attempting to log in to this server and failed?
-
Or I guess an even better question is there some free training on wazuh? I did a very brief search and found a few things, but it's all over the place as to what may be useful.
-
@DustinB3403 said in Wazuh - operational and can add agents - now what:
@IRJ so a lot of this works out of the box, one question I have is how the heck do I get the details of specific events.
In the below I specifically failed a login attempt a few times. How can I find out what client was attempting to log in to this server and failed?
So you already filtered it. Just click Discover in the top right.
-
@DustinB3403 said in Wazuh - operational and can add agents - now what:
Or I guess an even better question is there some free training on wazuh? I did a very brief search and found a few things, but it's all over the place as to what may be useful.
Nope, I should make a course on Udemy, though