ossec / ossec-hids

OSSEC is an Open Source Host-based Intrusion Detection System that performs log analysis, file integrity checking, policy monitoring, rootkit detection, real-time alerting and active response.
http://www.ossec.net

v3.7.0 - local_rules.xml - hostname filter - difference between ossec-logtest and real life #2045

Open dhenry123 opened 2 years ago

dhenry123 commented 2 years ago

Problem with the hostname filter in personalized rules. My setup is server/agent.

My rule:

<group name="promisc,">
  <rule id="100020" level="6">
    <if_sid>5104</if_sid>
    <hostname>k8smaster</hostname>
    <description>Rule ignored for k8s servers - </description>
    <description>Interface entered in promiscuous(sniffing) mode</description>
  </rule>
</group>

Test with ossec-logtest for "Apr 2 18:03:29 k8smaster kernel: device veth39f40958 entered promiscuous mode":

**Phase 1: Completed pre-decoding.
       full event: 'Apr  2 18:03:29 k8smaster kernel: device veth39f40958 entered promiscuous mode'
       hostname: 'k8smaster'
       program_name: 'kernel'
       log: 'device veth39f40958 entered promiscuous mode'

**Phase 2: Completed decoding.
       decoder: 'iptables'

**Phase 3: Completed filtering (rules).
       Rule id: '100020'
       Level: '6'
       Description: 'Rule ignored for k8s servers - Interface entered in promiscuous(sniffing) mode'
**Alert to be generated.

Result expected is OK.

Restart ossec on server and agent, raise the error on the agent with logger -t "kernel" "device veth39f40958 entered promiscuous mode" and check in server/ossec.log:

** Alert 1648916514.3606193: mail  - syslog,linuxkernel,promisc,
2022 Apr 02 18:21:54 (xxxxxx) xxxxxxxx->/var/log/messages
Rule: 5104 (level 8) -> 'Interface entered in promiscuous(sniffing) mode.'
Apr  2 18:21:52 k8smaster kernel: device veth39f40958 entered promiscuous mode

Rule is fired with level 8 as expected with the original rule (5104), but rule 100020 has not been applied!!!! Reality: KO

Now test with rule:

<group name="promisc,">
  <rule id="100020" level="6">
    <if_sid>5104</if_sid>
    <description>Rule ignored for k8s servers - </description>
    <description>Interface entered in promiscuous(sniffing) mode</description>
  </rule>
</group>

I've just removed the hostname attribute.

Test with logtest:

[...]
**Phase 3: Completed filtering (rules).
       Rule id: '100020'
       Level: '6'
       Description: 'Rule ignored for k8s servers - Interface entered in promiscuous(sniffing) mode'

Expected: OK. Restart ossec on server and agent, raise the error on the agent with logger -t "kernel" "device veth39f40958 entered promiscuous mode" and check in server/ossec.log:

** Alert 1648916768.3610028: - promisc,
2022 Apr 02 18:26:08 (xxxxx) xxxxxx->/var/log/messages
Rule: 100020 (level 6) -> 'Rule ignored for k8s servers - Interface entered in promiscuous(sniffing) mode'
Apr  2 18:26:06 k8smaster kernel: device veth39f40958 entered promiscuous mode

Result expected is OK.

So there is a filter problem; I would like to filter on "hostname".

Thank you so much for your job.
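One way to check this discrepancy on a live server rather than in ossec-logtest: parse the alerts.log blocks that analysisd writes (the same four-line shape quoted in the report above) and list, for a given syslog hostname, the alerts where the parent rule (5104) fired instead of the child override (100020). This is an added example, not code from OSSEC or from the reporter; the sample alert blocks are constructed from the two alerts quoted above, with a placeholder agent name and IP in place of the masked values.

```python
import re
from dataclasses import dataclass

# Constructed sample modelled on the two alerts quoted in the issue;
# the agent name "agent01" and IP 10.0.0.12 are placeholders, not values from the page.
SAMPLE_ALERTS = """\
** Alert 1648916514.3606193: mail  - syslog,linuxkernel,promisc,
2022 Apr 02 18:21:54 (agent01) 10.0.0.12->/var/log/messages
Rule: 5104 (level 8) -> 'Interface entered in promiscuous(sniffing) mode.'
Apr  2 18:21:52 k8smaster kernel: device veth39f40958 entered promiscuous mode

** Alert 1648916768.3610028: - promisc,
2022 Apr 02 18:26:08 (agent01) 10.0.0.12->/var/log/messages
Rule: 100020 (level 6) -> 'Rule ignored for k8s servers - Interface entered in promiscuous(sniffing) mode'
Apr  2 18:26:06 k8smaster kernel: device veth39f40958 entered promiscuous mode
"""

HEADER = re.compile(r"^\*\* Alert (?P<ts>\d+\.\d+): .*?- (?P<groups>[\w,]*)$")
LOCATION = re.compile(r"^\d{4} \w{3} \d\d \d\d:\d\d:\d\d (?P<location>.+)$")
RULE = re.compile(r"^Rule: (?P<id>\d+) \(level (?P<level>\d+)\) -> '(?P<desc>.*)'$")
SYSLOG_HOST = re.compile(r"^\w{3} +\d+ \d\d:\d\d:\d\d (?P<host>\S+) ")

@dataclass
class Alert:
    rule_id: int
    level: int
    description: str
    location: str      # "(agent) ip->file" as written by analysisd, i.e. the agent side
    groups: list
    log: str           # first raw log line carried by the alert
    syslog_host: str   # hostname taken from the syslog header of that line, "" if none

def parse_alerts(text):
    """Split an alerts.log dump (blank-line separated blocks) into Alert records."""
    alerts = []
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = block.splitlines()
        hdr, loc, rule = HEADER.match(lines[0]), LOCATION.match(lines[1]), RULE.match(lines[2])
        if not (hdr and loc and rule):
            continue  # not a well-formed alert block; skip it
        log = lines[3] if len(lines) > 3 else ""
        host = SYSLOG_HOST.match(log)
        alerts.append(Alert(int(rule["id"]), int(rule["level"]), rule["desc"], loc["location"],
                            [g for g in hdr["groups"].split(",") if g], log,
                            host["host"] if host else ""))
    return alerts

def override_report(alerts, base_rule, override_rule, hostname):
    """For logs whose syslog hostname is `hostname`, separate alerts where the
    override rule applied from those where the parent rule fired instead."""
    hits = [a for a in alerts if a.syslog_host == hostname and a.rule_id in (base_rule, override_rule)]
    return {"applied": [a for a in hits if a.rule_id == override_rule],
            "missed": [a for a in hits if a.rule_id == base_rule]}

if __name__ == "__main__":
    report = override_report(parse_alerts(SAMPLE_ALERTS), 5104, 100020, "k8smaster")
    for a in report["missed"]:
        print(f"override 100020 not applied: rule {a.rule_id} (level {a.level}) from {a.location}")
```

Comparing the `location` field (the agent name analysisd records) with `syslog_host` side by side is a quick way to see which of the two names a `<hostname>` match is actually being evaluated against in production.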