socfortress / Wazuh-Rules

Advanced Wazuh Rules for more accurate threat detection. Feel free to implement within your own Wazuh environment, contribute, or fork!
https://www.socfortress.co

Invalid decoder name: 'auditd-execve' #6

Closed iamenderst closed 1 year ago

iamenderst commented 1 year ago

Fresh install and get the following when the script is run:

Starting Wazuh manager...
2023/01/01 20:37:11 wazuh-analysisd: WARNING: (7616): List 'etc/lists/malicious-powershell' could not be loaded. Rule '100543' will be ignored.
2023/01/01 20:37:11 wazuh-analysisd: ERROR: Invalid decoder name: 'auditd-execve'.
2023/01/01 20:37:11 wazuh-analysisd: CRITICAL: (1220): Error loading the rules: 'etc/rules/200110-auditd.xml'.
wazuh-analysisd: Configuration error. Exiting
wazuh-manager.service: Control process exited, code=exited, status=1/FAILURE
wazuh-manager.service: Failed with result 'exit-code'.
Failed to start Wazuh manager.
wazuh-manager.service: Consumed 1.235s CPU time.

taylorwalton commented 1 year ago

I updated the [wazuh_socfortress_rules.sh](https://github.com/socfortress/Wazuh-Rules/blob/main/wazuh_socfortress_rules.sh) to move the newly created auditd_decoders to the /var/ossec/etc/decoders directory. Initial test looked good.

iamenderst commented 1 year ago

Now getting:

2023/01/03 15:05:01 wazuh-analysisd: WARNING: (7612): Rule ID '109109' is duplicated. Only the first occurrence will be considered.
2023/01/03 15:05:01 wazuh-analysisd: WARNING: (7612): Rule ID '109110' is duplicated. Only the first occurrence will be considered.
2023/01/03 15:05:01 wazuh-analysisd: WARNING: (7612): Rule ID '109111' is duplicated. Only the first occurrence will be considered.
2023/01/03 15:05:01 wazuh-analysisd: ERROR: rules_op: Invalid root element "decoder".Only "group" is allowed
2023/01/03 15:05:01 wazuh-analysisd: CRITICAL: (1220): Error loading the rules: 'etc/rules/auditd-config_change.xml'.
wazuh-analysisd: Configuration error. Exiting
wazuh-manager.service: Control process exited, code=exited, status=1/FAILURE
wazuh-manager.service: Failed with result 'exit-code'.
Failed to start Wazuh manager.
wazuh-manager.service: Consumed 1.456s CPU time.

taylorwalton commented 1 year ago

What is within your auditd-config_change.xml? That is not a file that we are providing within this repo, so not sure what the contents of that may be.

iamenderst commented 1 year ago

Fresh install, haven't touched the rules:

<decoder name="auditd-config_change">
  <prematch>^type=CONFIG_CHANGE</prematch>
</decoder>

<!--
type=CONFIG_CHANGE msg=audit(1672265894.539:138315): auid=4294967295 ses=4294967295 subj=unconfined op=add_rule key="T1497_Virtualization_Sandbox_Evasion_System_Checks" list=4 res=1AUID="unset"
-->

<decoder name="auditd-config_change">
  <parent>auditd-config_change</parent>
  <!--<prematch offset="after_parent">^SYSCALL </prematch>-->
  <regex offset="after_parent">msg=audit\(\d\d\d\d\d\d\d\d\d\d.\d\d\d:(\d+)\): </regex>
  <order>audit.id</order>
</decoder>

<decoder name="auditd-config_change">
  <parent>auditd-config_change</parent>
  <regex>auid=(\S+) ses=(\S+) subj=(\S+) op=(\S+) </regex>
  <order>audit.auid,audit.session,audit.subj,audit.op</order>
</decoder>

<decoder name="auditd-config_change">
  <parent>auditd-config_change</parent>
  <regex>key=\((\S+)\)|key="(\S+)"|key=(\S+) </regex>
  <order>audit.key</order>
</decoder>

<decoder name="auditd-config_change">
  <parent>auditd-config_change</parent>
  <regex>list=(\S+)</regex>
  <order>audit.list</order>
</decoder>

<decoder name="auditd-config_change">
  <parent>auditd-config_change</parent>
  <regex>res=(\S+)</regex>
  <order>audit.res</order>
</decoder>

iamenderst commented 1 year ago

Deleted 200110-auditd.xml as suggested to someone else on Discord with the same issue, now I get this:

ERROR: rules_op: Invalid root element "decoder".Only "group" is allowed
CRITICAL: (1220): Error loading the rules: 'etc/rules/auditd-config_change.xml'.

Grepped out the warnings, too many.
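Both failures in this thread, a decoder file being loaded from the rules directory (the `Invalid root element "decoder"` error) and rule IDs defined twice (warning 7612), can be caught before restarting the manager. The checker below is an added example, not part of this repo or its install script; the sample files are constructed from the messages above, and the /var/ossec paths are Wazuh's defaults.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict
from pathlib import Path

RULES_DIR = Path("/var/ossec/etc/rules")        # Wazuh default locations
DECODERS_DIR = Path("/var/ossec/etc/decoders")

def top_level_elements(text):
    """Wazuh rule/decoder files hold several top-level elements and no single
    root, so wrap the text before handing it to the XML parser."""
    return list(ET.fromstring(f"<wrap>{text}</wrap>"))

def bad_roots(text, allowed):
    """Top-level tags that analysisd would reject for this directory."""
    return [el.tag for el in top_level_elements(text) if el.tag not in allowed]

def duplicate_rule_ids(rule_files):
    """rule_files: {file name: xml text}. Returns {rule id: [file names]} for
    every id that appears more than once (the 7612 warning)."""
    seen = defaultdict(list)
    for name, text in rule_files.items():
        for group in top_level_elements(text):
            for rule in group.iter("rule"):
                seen[rule.get("id")].append(name)
    return {rid: names for rid, names in seen.items() if len(names) > 1}

def audit(rule_files, decoder_files):
    """One finding string per problem; an empty list means the layout is clean."""
    findings = []
    for name, text in rule_files.items():
        for tag in bad_roots(text, {"group"}):
            findings.append(f'{name}: root element "{tag}" is not allowed in rules/; '
                            'only "group" is, so move decoders to decoders/')
    for name, text in decoder_files.items():
        for tag in bad_roots(text, {"decoder"}):
            findings.append(f'{name}: root element "{tag}" does not belong in decoders/')
    for rid, names in duplicate_rule_ids(rule_files).items():
        findings.append(f"rule id {rid} duplicated in {', '.join(sorted(names))}")
    return findings

def load_dir(directory):
    """Read every *.xml file in a directory into {file name: text}."""
    return {p.name: p.read_text() for p in sorted(directory.glob("*.xml"))}

# Constructed sample mirroring the thread: a decoder file dropped into rules/
# and rule id 109109 defined in two files.
SAMPLE_RULES = {
    "auditd-config_change.xml": '<decoder name="auditd-config_change">'
                                '<prematch>^type=CONFIG_CHANGE</prematch></decoder>',
    "200110-auditd.xml": '<group name="auditd"><rule id="109109" level="3">'
                         '<description>a</description></rule></group>',
    "local_rules.xml": '<group name="local"><rule id="109109" level="3">'
                       '<description>b</description></rule></group>',
}

if __name__ == "__main__":
    # On a manager, use audit(load_dir(RULES_DIR), load_dir(DECODERS_DIR)) instead.
    for line in audit(SAMPLE_RULES, {}):
        print(line)
```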