theflakes / sigma_to_wazuh

Convert Sigma rules to Wazuh rules
MIT License

Wazuh Manager crashes when importing sigma.xml #18

Open qdsmm opened 1 year ago

qdsmm commented 1 year ago

Hey guys. At the risk of embarrassing myself: I have loaded the rules and run the script. I tried to load sigma.xml into my Wazuh test server, but the whole thing crashes. Even if I take only the Windows rules, there are too many. What am I doing wrong? Or do I have to change Wazuh?

theflakes commented 1 year ago

Unfortunately, I won't be able to get back to this project any time soon. But there are issues with Wazuh and the number of rules and how we create dependencies between them. It can cause OOM errors.

Maybe try playing with: https://documentation.wazuh.com/current/user-manual/reference/ossec-conf/global.html#memory-size

qdsmm commented 1 year ago

Thanks, buddy. I was beginning to think it was my fault. I used a small script to split the sigma rules and then created separate rule files accordingly, sigma-application.xml for example. Those worked as well. Only Windows was still too big. I'm thinking about dividing that xml by severity.
I'll keep you up to date. I will also check the link. Thanks for your quick feedback and help.

qdsmm commented 1 year ago

I've now managed to solve it, somewhat awkwardly. This is how it works. With this command I split sigma.xml (the output file name is parenthesised so awk reads the whole concatenation as the redirection target):
$ awk '/<rule id=/{i++} {print > ("sigma-rule." int((i+19)/60) ".xml")}' sigma.xml

With this I insert the group name again (opening tag on the first line, closing tag appended at the end):
$ for f in sigma-rule.*.xml; do sed -i "1s/^/<group name=\"${f%.*},\">\n/" "$f"; sed -i -e '$a</group>' "$f"; done

With this I give the files a logical name (Perl rename; sigma-rule.3.xml becomes sigma-rule3.xml):
$ rename 's/\.//' sigma-rule.*.xml

In rule 0 the group name is then duplicated. I then delete it manually.

Now it becomes a bit tricky. You can only import 5 rules at a time. But the advantage is that Wazuh always says which rule does not work. If it says line 357, for example, then it is the rule before line 357, for example lines 348 to 356. I then delete this rule manually and import the faulty one again. It was only three batches, and each time there was only one rule it did not want. In the meantime the rules run and also report clean alerts. I currently run the process once a week by hand. Let's see if I can get this automated somehow.
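The same split-and-rewrap procedure, done on whole `<rule>` blocks instead of by line count, as an added example that is not part of this thread or of the sigma_to_wazuh project. It also maps a line number reported by the manager back to the enclosing rule (or, if the reported line falls just after a rule, to the rule before it, as described above) and removes a rule by id so the file can be re-imported. The sample XML, the chunk size, the output file naming and the `60000` parent id are assumptions made for illustration.

```python
"""Split a large Wazuh rules file into smaller rule files, and map a
reported line number back to the <rule> that contains it.

Added example, not code from the sigma_to_wazuh project or from anyone
in this thread. Sample XML, chunk size and file naming are assumptions.
"""
import re
import sys
from pathlib import Path

RULE_START = re.compile(r"^\s*<rule\s")
RULE_END = re.compile(r"^\s*</rule>")
RULE_ID = re.compile(r'\bid="(\d+)"')

# Constructed sample in the shape sigma_to_wazuh output takes: a <group>
# wrapper around rules that chain via <if_sid>. All ids are illustrative.
SAMPLE = """<group name="sigma,">
<rule id="200001" level="3">
  <if_sid>60000</if_sid>
  <field name="win.system.eventID">4688</field>
  <description>Sigma: process creation seen</description>
</rule>
<rule id="200002" level="5">
  <if_sid>200001</if_sid>
  <field name="win.eventdata.commandLine" type="pcre2">(?i)whoami</field>
  <description>Sigma: whoami executed</description>
</rule>
<rule id="200003" level="7">
  <if_sid>200001</if_sid>
  <field name="win.eventdata.commandLine" type="pcre2">(?i)mimikatz</field>
  <description>Sigma: mimikatz on the command line</description>
</rule>
</group>
"""


def _rule_id(line):
    m = RULE_ID.search(line)
    return m.group(1) if m else None


def rule_blocks(lines):
    """Yield (start, end, rule_id) for each <rule>...</rule> block,
    1-based inclusive line numbers, in file order."""
    start = None
    for i, line in enumerate(lines, 1):
        if RULE_START.match(line):
            if start is not None:
                raise ValueError(f"nested <rule> at line {i}")
            start = i
            if line.rstrip().endswith("/>"):  # self-closing rule, unusual but legal
                yield start, i, _rule_id(line)
                start = None
        elif start is not None and RULE_END.match(line):
            yield start, i, _rule_id(lines[start - 1])
            start = None
    if start is not None:
        raise ValueError(f"unterminated <rule> starting at line {start}")


def split_rules(text, chunk_size=60, group="sigma"):
    """Return [(filename, content), ...]: each file wraps at most chunk_size
    whole rules in its own <group>, in source order. Only <rule> blocks are
    copied, so the original header is never duplicated (comments between
    rules are dropped). Names are zero-padded so a sorted listing keeps the
    original order; a rule must load after the rules its <if_sid> names."""
    lines = text.splitlines()
    rules = ["\n".join(lines[s - 1:e]) for s, e, _ in rule_blocks(lines)]
    files = []
    for n in range(0, len(rules), chunk_size):
        name = f"{group}-rule{n // chunk_size:03d}.xml"
        body = "\n".join(rules[n:n + chunk_size])
        files.append((name, f'<group name="{group},">\n{body}\n</group>\n'))
    return files


def rule_at_line(text, lineno):
    """(start, end, rule_id) of the rule enclosing 1-based lineno. If the
    line lies outside any rule (e.g. </group> right after a rule), return
    the rule that ends before it; None if no rule precedes it."""
    previous = None
    for block in rule_blocks(text.splitlines()):
        start, end, _ = block
        if start <= lineno <= end:
            return block
        if end < lineno:
            previous = block
        else:
            break
    return previous


def remove_rule(text, rule_id):
    """Return text without the <rule id=rule_id> block, for re-import."""
    lines = text.splitlines()
    for start, end, rid in list(rule_blocks(lines)):
        if rid == rule_id:
            del lines[start - 1:end]
            return "\n".join(lines) + "\n"
    raise KeyError(f"rule id {rule_id} not found")


if __name__ == "__main__":
    # usage: split_wazuh_rules.py sigma.xml outdir [chunk_size]
    src, out = Path(sys.argv[1]), Path(sys.argv[2])
    size = int(sys.argv[3]) if len(sys.argv) > 3 else 60
    out.mkdir(parents=True, exist_ok=True)
    for name, content in split_rules(src.read_text(), size):
        (out / name).write_text(content)
        print(name)
```

Splitting keeps every rule id unchanged, so ids stay unique across the new files, and the zero-padded names keep parents ahead of the rules that reference them through `<if_sid>`. It does not reduce the total number of rules the manager holds in memory, so the memory_size setting linked above may still need raising.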

theflakes commented 1 year ago

Nice work. You can test rules on the command line with /var/ossec/bin/wazuh-logtest. There's the legacy rule testing tool in the same directory called ossec-logtest. I think both will tell you what line in the rules file there is an error on as well.