crow1011 / wazuh2thehive

Wazuh integration TheHive

TheHive and suricata alerts #2

Open AakashR2208 opened 4 years ago

AakashR2208 commented 4 years ago

Hi Vadim,

Thanks for your Python script. I am using it with Wazuh to forward all alerts to TheHive. I have also integrated Suricata with Wazuh so that all the Suricata alerts are seen in Wazuh. I tried adding Suricata alerts to be forwarded to TheHive but it doesn't seem to be working.

Here's what I did: in the custom-w2thehive.py file I added the following condition: if w_alert['rule']['groups'] == ["ids", "suricata"] alongside the already existing lvl_threshold condition.

But here's the catch: Suricata has severities from 1-3, 1 being the highest severity, which works against the lvl_threshold and the Python script. I cannot just change the threshold to 1, which would flood my TheHive. Is my conditional statement correct or do I need to do something else?

Thank you Aakash

crow1011 commented 4 years ago

Hi @AakashR2208. Could you send an example of an event for testing? I'll add a separate threshold level for Suricata.

crow1011 commented 4 years ago

I added the suricata_lvl_threshold parameter to custom-w2thive.py. If you set the value to 3, events with level 3, 2 and 1 will be sent. Thanks for pointing out the flaw. Does this solve your problem? The severity value is taken from data.alert.severity. If you have a different path, you can set it in line 75:

if int(w_alert['data']['alert']['severity']) <= suricata_lvl_threshold

I did not specify this parameter separately because I think that it matches yours.

AakashR2208 commented 4 years ago

Hi, thanks for updating the script. This is an example log that is fired for Suricata tls.

{
  "_index": "wazuh-alerts-3.x-2020.06.29",
  "_type": "_doc",
  "_id": "",
  "_version": 1,
  "_score": null,
  "_source": {
    "cluster": {
      "node": "",
      "name": "wazuh"
    },
    "input": {
      "type": "log"
    },
    "agent": {
      "ip": "",
      "name": "",
      "id": "",
      "labels": {
        "operating": {
          "system": ""
        },
        "group": ""
      }
    },
    "manager": {
      "name": ""
    },
    "data": {
      "in_iface": "enp3s0",
      "src_ip": "",
      "src_port": "",
      "event_type": "tls",
      "flow_id": "",
      "dest_ip": "",
      "proto": "TCP",
      "tls": {
        "session_resumed": "true",
        "version": "TLS 1.2",
        "sni": ""
      },
      "dest_port": "",
      "timestamp": "2020-06-29T21:40:31.724337+0000"
    },
    "rule": {
      "firedtimes": 8065,
      "mail": false,
      "level": 3,
      "description": "Suricata: TLS.",
      "groups": [
        "ids",
        "suricata"
      ],
      "id": "86604"
    },
    "location": "/var/log/suricata/eve.json",
    "decoder": {
      "name": "json"
    },
    "id": "",
    "timestamp": "2020-06-29T21:40:32.504+0000"
  },
  "fields": {
    "data.timestamp": [
      "2020-06-29T21:40:31.724Z"
    ],
    "timestamp": [
      "2020-06-29T21:40:32.504Z"
    ]
  }

As you can see, I do not have a data.alert.severity field in my alert. What if I only use the rule.groups field? Would that not do it, though?

Thanks Aakash

crow1011 commented 4 years ago

Can you try changing this on line 75:

if int(w_alert['data']['alert']['severity']) <= suricata_lvl_threshold

to this:

if int(w_alert['rule']['level']) <= suricata_lvl_threshold

and check that it executes correctly? Indeed, only rule.groups can be checked, but even in a small network Suricata creates many events. By setting the level you can reduce this number. I chose the data.alert.severity field because the rule level in the same event did not match for me:

"rule": { "level": 3,
"alert": { "severity": "2",

so I decided that using data.alert.severity would be more correct. I have doubts that I understood you correctly, so I will write this: Suricata rules create events with rule.level from 3 to 0. The most important level is 0; the most unimportant level is 3. If everything is correct, then you just need to change w_alert['data']['alert']['severity'] to w_alert['rule']['level'] and set suricata_lvl_threshold = 3. The integration will send events with groups ['suricata', 'ids'] and level 3 or lower (all). If I misunderstood you and you need a different solution, please tell me.

AakashR2208 commented 4 years ago

Hi Vadim,

I changed the code on line 75 to just

if w_alert['rule']['groups'] == ["ids", "suricata"] or int(w_alert['rule']['level']) <= lvl_threshold:
    send_alert(alert, thive_api)
    ...

And the alerts seem to be coming into TheHive. For some reason some alerts do not have the data.alert.severity field and in others it's not consistent, so I decided not to use that field for filtering. I'll now fix this field issue with my alerts.

Thank you so much for helping me with this! Aakash

AakashR2208 commented 4 years ago

Hi Vadim,

The Suricata alerts were coming in fine but there was just a lot that Suricata was giving to Wazuh. So, I analyzed the alerts on Wazuh a little more and found the data.alert.severity field in my Suricata Wazuh alerts. Then, I tried using your suggestion to use that field to further filter out the Suricata alerts. On line 75, I changed the script to

    if int(w_alert['data']['alert']['severity'])<=suricata_lvl_threshold:
        send_alert(alert, thive_api)
    if int(w_alert['rule']['level'])>=lvl_threshold:
        send_alert(alert, thive_api)

After restarting the cluster I'm getting the error:

2020-07-07 15:27:44,582 - __main__ - ERROR - EGOR
Traceback (most recent call last):
  File "/var/ossec/integrations/custom-w2thive.py", line 166, in <module>
    main(sys.argv)
  File "/var/ossec/integrations/custom-w2thive.py", line 75, in main
    if int(w_alert['data']['alert']['severity'])<=suricata_lvl_threshold:
KeyError: 'alert'

I checked the Wazuh alert and it has the data.alert.severity field, but the hive API does not seem to parse it properly. Could you please suggest how to remove this error?

I can also give an example log for you to test.

Thanks Aakash

crow1011 commented 4 years ago

Hi @AakashR2208. Thanks for your message (: The problem is that data.alert.severity is only present in event_type "alert" (https://suricata.readthedocs.io/en/suricata-5.0.2/output/eve/eve-json-format.html#event-type-alert). I will add a check for the presence of this field today or tomorrow. You will receive only event_type alert from Suricata. If you need other event types (http, dns, ftp, etc.) please tell me about it. I will try to come up with another solution.

P.S. I find that most of the "noise" is made by events with a type other than "alert".

AakashR2208 commented 4 years ago

Hey,

Thanks for replying. I just want the alert type 'Suricata: alert'. The way I had it before, with only the rule.groups filter, TheHive was flooded with Suricata dns, http and tls events. I wanted a way to remove those and just have the alerts go to TheHive.

It would be great if you could fix that.

crow1011 commented 4 years ago

I updated the repository. Now you will receive alerts from Suricata only for event_type: alert. To limit the level of Suricata events sent, you can set suricata_lvl_threshold. I hope this solves your problem. But if not, we will find a better solution (:
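The filtering logic the two comments above converge on (Suricata events pass only when they are event_type "alert" with data.alert.severity at or below suricata_lvl_threshold, everything else passes on rule.level at or above lvl_threshold, and a missing severity field no longer raises KeyError) as an added example. This is not the repository's custom-w2thive.py; the sample Wazuh alerts, the default thresholds and the function names are constructed here for illustration, and the real send_alert()/TheHive call is left out.

```python
import json
import sys

# Constructed sample Wazuh alerts (not captured from a live manager), in the
# shape seen in this thread: rule.groups, rule.level, data.event_type and,
# only for Suricata "alert" events, data.alert.severity (a string).
SAMPLE_ALERTS = [
    {"rule": {"level": 3, "groups": ["ids", "suricata"], "id": "86601"},
     "data": {"event_type": "alert", "alert": {"severity": "1"}}},
    {"rule": {"level": 3, "groups": ["ids", "suricata"], "id": "86604"},
     "data": {"event_type": "tls", "tls": {"version": "TLS 1.2"}}},   # no severity
    {"rule": {"level": 3, "groups": ["ids", "suricata"], "id": "86601"},
     "data": {"event_type": "alert", "alert": {"severity": "3"}}},
    {"rule": {"level": 12, "groups": ["syslog", "sshd"], "id": "5712"},
     "data": {"srcip": "203.0.113.5"}},
    {"rule": {"level": 5, "groups": ["syslog"], "id": "1002"},
     "data": {}},
]


def is_suricata(w_alert):
    """True when the Wazuh rule that fired belongs to the 'suricata' group."""
    return "suricata" in w_alert.get("rule", {}).get("groups", [])


def suricata_severity(w_alert):
    """Return the Suricata severity as an int, or None when the event is not
    event_type 'alert' or carries no data.alert.severity (tls, dns, http...).
    Using .get() instead of indexing is what avoids the KeyError: 'alert'."""
    data = w_alert.get("data", {})
    if data.get("event_type") != "alert":
        return None
    try:
        return int(data.get("alert", {}).get("severity"))
    except (TypeError, ValueError):
        return None


def should_forward(w_alert, lvl_threshold=10, suricata_lvl_threshold=2):
    """Decide whether one Wazuh alert goes to TheHive (hypothetical defaults)."""
    if is_suricata(w_alert):
        sev = suricata_severity(w_alert)
        # Suricata: 1 is the most severe, so forward when severity <= threshold.
        # Events without a severity (non-"alert" event types) are the noise
        # discussed above and are dropped.
        return sev is not None and sev <= suricata_lvl_threshold
    # Wazuh: a higher rule.level is more severe, so forward when level >= threshold.
    return int(w_alert.get("rule", {}).get("level", 0)) >= lvl_threshold


def select_alerts(alerts, **thresholds):
    """Return the rule ids of the alerts that would be forwarded."""
    return [a["rule"]["id"] for a in alerts if should_forward(a, **thresholds)]


if __name__ == "__main__":
    # Like the integration script, accept a path to a JSON alert file; fall
    # back to the constructed samples so the example runs offline.
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as fh:
            alerts = [json.load(fh)]
    else:
        alerts = SAMPLE_ALERTS
    for alert in alerts:
        print(alert["rule"]["id"], alert["data"].get("event_type", "-"),
              "forward" if should_forward(alert) else "drop")
```

With the defaults above only the severity-1 Suricata alert and the level-12 sshd rule are forwarded; raising suricata_lvl_threshold to 3 also lets the severity-3 Suricata alert through, while the tls event is dropped in both cases because it has no severity to compare.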

AakashR2208 commented 4 years ago

Hi Vadim,

Thanks for updating the script. It's working fine now. I am only getting the actual Suricata alerts and not all the noise.

Cheers Aakash