3.10 tests: Use case

[chemamartinez]

Testing: Use case

Version	Revision	Branch
3.10.0	31006	3.10

Bruteforce Attack - Linux agent

• [x] Trigger an alert of bruteforce attack (5712) for a Linux agent.

Bruteforce Attack - Windows agent

• [x] Trigger an alert of bruteforce attack (18152/20086) for a Windows agent.

Audit user actions - Linux agent

• [x] Trigger an alert about audit events (rules are located at 0365-auditd_rules.xml).
• [x] Check that values at the CDB list audit-keys are matched correctly (rule 80792).

Netcat- Linux agent

• [x] Create a localfile command to collect the list of opened processes.
• [x] Create a custom rule to catch if netcat is running in the previous processes list.

Shellshock detection - Linux agent

• [x] Detect a shellshock attack with Apache logs.

https://documentation.wazuh.com/current/learning-wazuh/shellshock.html

IP reputation - Linux agent

• [x] Create a CDB list containing a black list of IP addresses.
• [x] Create a custom rule to look for malicious IPs in that CDB list.
• [x] Use the firewall-drop.sh script to block the IP when the rule is generated.

Changing Windows audit policy - Windows agent

• [x] Check the rule 18113 (< 3.8.0) or 60112 (>= 3.8.0) is triaged when modifying a Windows security policy.

FIM - Windows agent

• [x] Create, modify, delete and change the attributes of a file monitored by FIM.

FIM - Linux agent

• [x] Create, modify, delete and change the permissions and owner of a monitored file.

Rootkit detection - Linux agent

• [x] Use the rootkit Diamorphine to hide a running process.
• [x] Get the hidden process alert by a Rootcheck scan.

https://github.com/m0nad/Diamorphine

Detecting a trojan - Linux agent

• [x] Detect a trojan with Rootcheck by scanning the file rootkit_trojans.txt.

OpenSCAP SSG AND CVE - Linux agent (RedHat 7/CentOS 7)

• [x] Perform an OpenScap scan with the following configuration.

<wodle name="open-scap">
    <disabled>no</disabled>
    <timeout>1800</timeout>
    <interval>1d</interval>
    <scan-on-start>yes</scan-on-start>

    <content type="xccdf" path="ssg-rhel-7-ds.xml">
        <profile>xccdf_org.ssgproject.content_profile_pci-dss</profile>
        <profile>xccdf_org.ssgproject.content_profile_common</profile>
    </content>
    <content type="xccdf" path="cve-redhat-7-ds.xml"/>
</wodle>

• [x] Check alerts from both scans are generated.

Virustotal integration - Manager

• [x] Enable the VirusTotal integration.
• [x] Create a custom rule to detect when a file monitored by FIM is created in /tmp.
• [x] In the agent side, insert a known malware into the /tmp folder.

API - Manager

• [x] Install the API in the manager.

• [x] From a browser, do the following checks:

• Check the active agents. (http://localhost:55000/agents?status=active)

• Look for Apache rules in a range of levels. (http://localhost:55000/rules?search=apache&level=7-15)

• Read the Syscheck configuration. (http://localhost:55000/manager/configuration?section=syscheck)

• Read the Rootcheck database of an agent. (http://localhost:55000/rootcheck/001)

• Read the Syscheck database of an agent. (http://localhost:55000/syscheck/001)

Remote upgrades

• [x] Create a custom WPK with a future version of Wazuh.
• [x] Upgrade an agent to that version.
• [x] Downgrade the agent to the current stable version by the official repository.

Here you can find a guide to create a custom WPK easily: https://documentation.wazuh.com/current/user-manual/agents/remote-upgrading/create-custom-wpk/create-custom-wpk-manually.html

Anti flooding mechanisms - Linux agent

• [x] Flood the agent queue and see flooding alerts.

Analysisd performance - Manager

• [x] Use the script queue.py to test the Analysis daemon performance.

https://github.com/wazuh/wazuh-tools/blob/master/utils/queue.py

[DaveVG1]

Bruteforce Attack - Linux Agent

** Alert 1565697130.142276: - syslog,sshd,authentication_failures,pci_dss_11.4,pci_dss_10.2.4,pci_dss_10.2.5,gdpr_IV_35.7.d,gdpr_IV_32.2,hipaa_164.312.b,nist_800_53_SC.7,nist_800_53_AU.3.1,nist_800_53_IA.10,
2019 Aug 13 11:52:10 vm-manager-ubuntu->/var/log/auth.log
Rule: 5712 (level 10) -> 'sshd: brute force trying to get access to the system.'
Src IP: 10.0.0.1
Aug 13 11:52:08 vm-manager-ubuntu sshd[4243]: Invalid user user from 10.0.0.1
Aug 13 11:52:05 vm-manager-ubuntu sshd[4241]: Invalid user user from 10.0.0.1
Aug 13 11:51:59 vm-manager-ubuntu sshd[4239]: Invalid user user from 10.0.0.1
Aug 13 11:51:56 vm-manager-ubuntu sshd[4237]: Invalid user user from 10.0.0.1
Aug 13 11:51:52 vm-manager-ubuntu sshd[4235]: Invalid user user from 10.0.0.1
Aug 13 11:51:50 vm-manager-ubuntu sshd[4233]: Invalid user user from 10.0.0.1
Aug 13 11:51:45 vm-manager-ubuntu sshd[4231]: Invalid user user from 10.0.0.1
Aug 13 11:50:15 vm-manager-ubuntu sshd[4229]: Invalid user user from 10.0.0.1

[DaveVG1]

Netcat - Linux agent

Localfile:

  <localfile>
    <log_format>command</log_format>
    <command>ps -A</command>
    <alias>List of opened processes</alias>
    <frequency>15</frequency>
  </localfile>

ossec.log:

2019/08/13 12:29:00 ossec-logcollector: INFO: Monitoring output of command(15): ps -A

archives.log:

...
2019 Aug 13 12:51:54 vm-manager-ubuntu->List of opened processes ossec: output: 'List of opened processes':  3804 ?        00:00:00 (sd-pam)
2019 Aug 13 12:51:54 vm-manager-ubuntu->List of opened processes ossec: output: 'List of opened processes':  4962 ?        00:00:00 auditd
2019 Aug 13 12:51:54 vm-manager-ubuntu->List of opened processes ossec: output: 'List of opened processes':  5002 pts/4    00:00:00 tail
2019 Aug 13 12:51:54 vm-manager-ubuntu->List of opened processes ossec: output: 'List of opened processes':  2950 pts/4    00:00:00 bash
2019 Aug 13 12:51:54 vm-manager-ubuntu->List of opened processes ossec: output: 'List of opened processes':  5003 pts/4    00:00:00 perl
2019 Aug 13 12:51:54 vm-manager-ubuntu->List of opened processes ossec: output: 'List of opened processes':  2948 pts/4    00:00:00 sudo
2019 Aug 13 12:51:54 vm-manager-ubuntu->List of opened processes ossec: output: 'List of opened processes':  5009 ?        00:00:00 tlsmgr
2019 Aug 13 12:51:54 vm-manager-ubuntu->List of opened processes ossec: output: 'List of opened processes': 11496 ?        00:00:00 kworker/2:1
2019 Aug 13 12:51:54 vm-manager-ubuntu->List of opened processes ossec: output: 'List of opened processes':  8879 ?        00:00:00 pickup
2019 Aug 13 12:51:54 vm-manager-ubuntu->List of opened processes ossec: output: 'List of opened processes': 12589 ?        00:00:00 kworker/0:0
2019 Aug 13 12:51:54 vm-manager-ubuntu->List of opened processes ossec: output: 'List of opened processes': 14063 ?        00:00:00 master
2019 Aug 13 12:51:54 vm-manager-ubuntu->List of opened processes ossec: output: 'List of opened processes': 14820 ?        00:00:00 kworker/1:2
2019 Aug 13 12:51:54 vm-manager-ubuntu->List of opened processes ossec: output: 'List of opened processes': 15278 ?        00:00:00 kworker/1:3
2019 Aug 13 12:51:54 vm-manager-ubuntu->List of opened processes ossec: output: 'List of opened processes': 18158 ?        00:00:00 kworker/0:2
2019 Aug 13 12:51:54 vm-manager-ubuntu->List of opened processes ossec: output: 'List of opened processes': 19033 ?        00:00:00 kworker/u8:0
2019 Aug 13 12:51:54 vm-manager-ubuntu->List of opened processes ossec: output: 'List of opened processes': 20448 ?        00:00:00 kworker/u8:2
2019 Aug 13 12:51:54 vm-manager-ubuntu->List of opened processes ossec: output: 'List of opened processes': 21223 pts/0    00:00:00 nc
2019 Aug 13 12:51:54 vm-manager-ubuntu->List of opened processes ossec: output: 'List of opened processes': 21347 ?        00:00:00 kworker/0:1
2019 Aug 13 12:51:54 vm-manager-ubuntu->List of opened processes ossec: output: 'List of opened processes': 21398 ?        00:00:00 ossec-authd
2019 Aug 13 12:51:54 vm-manager-ubuntu->List of opened processes ossec: output: 'List of opened processes': 21407 ?        00:00:00 wazuh-db
2019 Aug 13 12:51:54 vm-manager-ubuntu->List of opened processes ossec: output: 'List of opened processes': 21424 ?        00:00:00 ossec-execd
2019 Aug 13 12:51:54 vm-manager-ubuntu->List of opened processes ossec: output: 'List of opened processes': 21432 ?        00:00:00 ossec-analysisd
2019 Aug 13 12:51:54 vm-manager-ubuntu->List of opened processes ossec: output: 'List of opened processes': 21438 ?        00:00:00 ossec-syscheckd
2019 Aug 13 12:51:54 vm-manager-ubuntu->List of opened processes ossec: output: 'List of opened processes': 20593 ?        00:00:00 kworker/2:2
2019 Aug 13 12:51:54 vm-manager-ubuntu->List of opened processes ossec: output: 'List of opened processes': 21447 ?        00:00:00 ossec-remoted
2019 Aug 13 12:51:54 vm-manager-ubuntu->List of opened processes ossec: output: 'List of opened processes':  8880 ?        00:00:00 qmgr
2019 Aug 13 12:51:54 vm-manager-ubuntu->List of opened processes ossec: output: 'List of opened processes': 21452 ?        00:00:00 ossec-logcollec
2019 Aug 13 12:51:54 vm-manager-ubuntu->List of opened processes ossec: output: 'List of opened processes': 21482 ?        00:00:00 wazuh-modulesd
2019 Aug 13 12:51:54 vm-manager-ubuntu->List of opened processes ossec: output: 'List of opened processes': 21604 pts/2    00:00:00 nano
2019 Aug 13 12:51:54 vm-manager-ubuntu->List of opened processes ossec: output: 'List of opened processes': 21639 pts/2    00:00:00 tail
2019 Aug 13 12:51:54 vm-manager-ubuntu->List of opened processes ossec: output: 'List of opened processes':  3571 ?        00:00:12 cifsd
2019 Aug 13 12:51:54 vm-manager-ubuntu->List of opened processes ossec: output: 'List of opened processes': 21458 ?        00:00:00 ossec-monitord
2019 Aug 13 12:51:54 vm-manager-ubuntu->List of opened processes ossec: output: 'List of opened processes': 21553 pts/1    00:00:00 tail
2019 Aug 13 12:51:54 vm-manager-ubuntu->List of opened processes ossec: output: 'List of opened processes': 21641 ?        00:00:00 ps
2019 Aug 13 12:51:54 vm-manager-ubuntu->List of opened processes ossec: output: 'List of opened processes': 30705 ?        00:00:01 kworker/3:0
2019 Aug 13 12:51:54 vm-manager-ubuntu->List of opened processes ossec: output: 'List of opened processes': 21640 ?        00:00:00 sh
...

Rule:

  <rule id="100002" level="10">
    <if_sid>530</if_sid>
    <match>nc</match>
    <description>Netcat process is active</description>
    <category>ossec</category>
  </rule>

Log:

2019 Aug 14 07:13:58 vm-manager-ubuntu->List of opened processes ossec: output: 'List of opened processes': 25598 pts/3    00:00:00 nc

Alert:

** Alert 1565766838.21730: - local,syslog,sshd,
2019 Aug 14 07:13:58 vm-manager-ubuntu->List of opened processes
Rule: 100002 (level 10) -> 'Netcat process is active'
ossec: output: 'List of opened processes': 25598 pts/3    00:00:00 nc

[DaveVG1]

FIM - Linux Agent

• Create:

  
  ** Alert 1565780957.142315: - ossec,syscheck,pci_dss_11.5,gpg13_4.11,gdpr_II_5.1.f,hipaa_164.312.c.1,hipaa_164.312.c.2,nist_800_53_SI.7,
  2019 Aug 14 11:09:17 (vm-ubuntu3) 10.0.0.123->syscheck
  Rule: 554 (level 5) -> 'File added to the system.'
  File '/home/test/filenew.txt' was added.
  (Audit) User: 'root (0)'
  (Audit) Login user: 'vagrant (1000)'
  (Audit) Effective user: 'root (0)'
  (Audit) Group: 'root (0)'
  (Audit) Process id: '991'
  (Audit) Process name: '/bin/touch'

Attributes:

• Size: 0
• Date: Wed Aug 14 11:09:17 2019
• Inode: 262722
• User: root (0)
• Group: root (0)
• MD5: d41d8cd98f00b204e9800998ecf8427e
• SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
• SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
• Permissions: 100644

  - Modify:

  ** Alert 1565781032.143852: - ossec,syscheck,pci_dss_11.5,gpg13_4.11,gdpr_II_5.1.f,hipaa_164.312.c.1,hipaa_164.312.c.2,nist_800_53_SI.7, 2019 Aug 14 11:10:32 (vm-ubuntu3) 10.0.0.123->syscheck Rule: 550 (level 7) -> 'Integrity checksum changed.' File '/home/test/filenew.txt' checksum changed. Size changed from '0' to '12' Old md5sum was: 'd41d8cd98f00b204e9800998ecf8427e' New md5sum is : 'f0ef7081e1539ac00ef5b761b4fb01b3' Old sha1sum was: 'da39a3ee5e6b4b0d3255bfef95601890afd80709' New sha1sum is : '33ab5639bfd8e7b95eb1d8d0b87781d4ffea4d5d' Old sha256sum was: 'e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855' New sha256sum is : '1894a19c85ba153acbf743ac4e43fc004c891604b26f8c69e1e83ea2afc7c48f' Old modification time was: 'Wed Aug 14 11:09:17 2019', now it is 'Wed Aug 14 11:10:32 2019' (Audit) User: 'root (0)' (Audit) Login user: 'vagrant (1000)' (Audit) Effective user: 'root (0)' (Audit) Group: 'root (0)' (Audit) Process id: '30879' (Audit) Process name: '/bin/bash'

Attributes:

• Size: 12
• Date: Wed Aug 14 11:10:32 2019
• Inode: 262722
• User: root (0)
• Group: root (0)
• MD5: f0ef7081e1539ac00ef5b761b4fb01b3
• SHA1: 33ab5639bfd8e7b95eb1d8d0b87781d4ffea4d5d
• SHA256: 1894a19c85ba153acbf743ac4e43fc004c891604b26f8c69e1e83ea2afc7c48f
• Permissions: 100644

  - Change permission: 

  ** Alert 1565781174.146785: - ossec,syscheck,pci_dss_11.5,gpg13_4.11,gdpr_II_5.1.f,hipaa_164.312.c.1,hipaa_164.312.c.2,nist_800_53_SI.7, 2019 Aug 14 11:12:54 (vm-ubuntu3) 10.0.0.123->syscheck Rule: 550 (level 7) -> 'Integrity checksum changed.' File '/home/test/filenew.txt' checksum changed. Permissions changed from 'rw-r--r--' to 'rwxrwxrwx' (Audit) User: 'root (0)' (Audit) Login user: 'vagrant (1000)' (Audit) Effective user: 'root (0)' (Audit) Group: 'root (0)' (Audit) Process id: '1001' (Audit) Process name: '/bin/chmod'

Attributes:

• Size: 12
• Date: Wed Aug 14 11:10:32 2019
• Inode: 262722
• User: root (0)
• Group: root (0)
• MD5: f0ef7081e1539ac00ef5b761b4fb01b3
• SHA1: 33ab5639bfd8e7b95eb1d8d0b87781d4ffea4d5d
• SHA256: 1894a19c85ba153acbf743ac4e43fc004c891604b26f8c69e1e83ea2afc7c48f
• Permissions: 100777

  - Change owner:

  ** Alert 1565781189.147619: - ossec,syscheck,pci_dss_11.5,gpg13_4.11,gdpr_II_5.1.f,hipaa_164.312.c.1,hipaa_164.312.c.2,nist_800_53_SI.7, 2019 Aug 14 11:13:09 (vm-ubuntu3) 10.0.0.123->syscheck Rule: 550 (level 7) -> 'Integrity checksum changed.' File '/home/test/filenew.txt' checksum changed. Ownership was 'root (0)', now it is 'ossec (112)' (Audit) User: 'root (0)' (Audit) Login user: 'vagrant (1000)' (Audit) Effective user: 'root (0)' (Audit) Group: 'root (0)' (Audit) Process id: '1014' (Audit) Process name: '/bin/chown'

Attributes:

• Size: 12
• Date: Wed Aug 14 11:10:32 2019
• Inode: 262722
• User: ossec (112)
• Group: root (0)
• MD5: f0ef7081e1539ac00ef5b761b4fb01b3
• SHA1: 33ab5639bfd8e7b95eb1d8d0b87781d4ffea4d5d
• SHA256: 1894a19c85ba153acbf743ac4e43fc004c891604b26f8c69e1e83ea2afc7c48f
• Permissions: 100777

  - Delete:

  ** Alert 1565781206.148454: - ossec,syscheck,pci_dss_11.5,gpg13_4.11,gdpr_II_5.1.f,hipaa_164.312.c.1,hipaa_164.312.c.2,nist_800_53_SI.7, 2019 Aug 14 11:13:26 (vm-ubuntu3) 10.0.0.123->syscheck Rule: 553 (level 7) -> 'File deleted.' File '/home/test/filenew.txt' was deleted. (Audit) User: 'root (0)' (Audit) Login user: 'vagrant (1000)' (Audit) Effective user: 'root (0)' (Audit) Group: 'root (0)' (Audit) Process id: '1020' (Audit) Process name: '/bin/rm'

[DaveVG1]

FIM - Windows Agent

• Create:

  
  ** Alert 1565781449.149462: - ossec,syscheck,pci_dss_11.5,gpg13_4.11,gdpr_II_5.1.f,hipaa_164.312.c.1,hipaa_164.312.c.2,nist_800_53_SI.7,
  2019 Aug 14 11:17:29 (Win) 10.0.0.1->syscheck
  Rule: 554 (level 5) -> 'File added to the system.'
  File 'd:\libraries\escritorio\testfim\filenew.txt' was added.

Attributes:

• Size: 0
• Date: Wed Aug 14 11:17:12 2019
• User: DaveVG (S-1-5-21-4218398017-4192086937-1907420761-1001)
• MD5: d41d8cd98f00b204e9800998ecf8427e
• SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
• SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
• File attributes: ARCHIVE
• Permissions: Administradores (ALLOWED) - DELETE, READ_CONTROL, WRITE_DAC, WRITE_OWNER, SYNCHRONIZE, FILE_READ_DATA, FILE_WRITE_DATA, FILE_APPEND_DATA, FILE_READ_EA, FILE_WRITE_EA, FILE_EXECUTE, FILE_READ_ATTRIBUTES, FILE_WRITE_ATTRIBUTES SYSTEM (ALLOWED) - DELETE, READ_CONTROL, WRITE_DAC, WRITE_OWNER, SYNCHRONIZE, FILE_READ_DATA, FILE_WRITE_DATA, FILE_APPEND_DATA, FILE_READ_EA, FILE_WRITE_EA, FILE_EXECUTE, FILE_READ_ATTRIBUTES, FILE_WRITE_ATTRIBUTES Authenticated Users (ALLOWED) - DELETE, READ_CONTROL, SYNCHRONIZE, FILE_READ_DATA, FILE_WRITE_DATA, FILE_APPEND_DATA, FILE_READ_EA, FILE_WRITE_EA, FILE_EXECUTE, FILE_READ_ATTRIBUTES, FILE_WRITE_ATTRIBUTES Usuarios (ALLOWED) - READ_CONTROL, SYNCHRONIZE, FILE_READ_DATA, FILE_READ_EA, FILE_EXECUTE, FILE_READ_ATTRIBUTES

  - Modify:

  ** Alert 1565781543.150869: - ossec,syscheck,pci_dss_11.5,gpg13_4.11,gdpr_II_5.1.f,hipaa_164.312.c.1,hipaa_164.312.c.2,nist_800_53_SI.7, 2019 Aug 14 11:19:03 (Win) 10.0.0.1->syscheck Rule: 550 (level 7) -> 'Integrity checksum changed.' File 'd:\libraries\escritorio\testfim\filenew.txt' checksum changed. Size changed from '0' to '11' Old md5sum was: 'd41d8cd98f00b204e9800998ecf8427e' New md5sum is : '2663b8c3d614b414806167aa390cae46' Old sha1sum was: 'da39a3ee5e6b4b0d3255bfef95601890afd80709' New sha1sum is : '8e521fa4c53541760446fb8a51516d522deb5cd9' Old sha256sum was: 'e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855' New sha256sum is : '990ee3cdfa155f0b9f8e2497b211371c5f3a50781265f8592e95ccc136775dfc' Old modification time was: 'Wed Aug 14 11:17:12 2019', now it is 'Wed Aug 14 11:19:02 2019'

Attributes:

• Size: 11
• Date: Wed Aug 14 11:19:02 2019
• User: DaveVG (S-1-5-21-4218398017-4192086937-1907420761-1001)
• MD5: 2663b8c3d614b414806167aa390cae46
• SHA1: 8e521fa4c53541760446fb8a51516d522deb5cd9
• SHA256: 990ee3cdfa155f0b9f8e2497b211371c5f3a50781265f8592e95ccc136775dfc
• File attributes: ARCHIVE
• Permissions: Administradores (ALLOWED) - DELETE, READ_CONTROL, WRITE_DAC, WRITE_OWNER, SYNCHRONIZE, FILE_READ_DATA, FILE_WRITE_DATA, FILE_APPEND_DATA, FILE_READ_EA, FILE_WRITE_EA, FILE_EXECUTE, FILE_READ_ATTRIBUTES, FILE_WRITE_ATTRIBUTES SYSTEM (ALLOWED) - DELETE, READ_CONTROL, WRITE_DAC, WRITE_OWNER, SYNCHRONIZE, FILE_READ_DATA, FILE_WRITE_DATA, FILE_APPEND_DATA, FILE_READ_EA, FILE_WRITE_EA, FILE_EXECUTE, FILE_READ_ATTRIBUTES, FILE_WRITE_ATTRIBUTES Authenticated Users (ALLOWED) - DELETE, READ_CONTROL, SYNCHRONIZE, FILE_READ_DATA, FILE_WRITE_DATA, FILE_APPEND_DATA, FILE_READ_EA, FILE_WRITE_EA, FILE_EXECUTE, FILE_READ_ATTRIBUTES, FILE_WRITE_ATTRIBUTES Usuarios (ALLOWED) - READ_CONTROL, SYNCHRONIZE, FILE_READ_DATA, FILE_READ_EA, FILE_EXECUTE, FILE_READ_ATTRIBUTES

  - Change attributes: 

  ** Alert 1565781619.152802: - ossec,syscheck,pci_dss_11.5,gpg13_4.11,gdpr_II_5.1.f,hipaa_164.312.c.1,hipaa_164.312.c.2,nist_800_53_SI.7, 2019 Aug 14 11:20:19 (Win) 10.0.0.1->syscheck Rule: 550 (level 7) -> 'Integrity checksum changed.' File 'd:\libraries\escritorio\testfim\filenew.txt' checksum changed. Permissions changed.

Attributes:

• Size: 11
• Date: Wed Aug 14 11:19:02 2019
• User: DaveVG (S-1-5-21-4218398017-4192086937-1907420761-1001)
• MD5: 2663b8c3d614b414806167aa390cae46
• SHA1: 8e521fa4c53541760446fb8a51516d522deb5cd9
• SHA256: 990ee3cdfa155f0b9f8e2497b211371c5f3a50781265f8592e95ccc136775dfc
• File attributes: ARCHIVE
• Permissions: Authenticated Users (ALLOWED) - DELETE, READ_CONTROL, WRITE_DAC, WRITE_OWNER, SYNCHRONIZE, FILE_READ_DATA, FILE_WRITE_DATA, FILE_APPEND_DATA, FILE_READ_EA, FILE_WRITE_EA, FILE_EXECUTE, FILE_READ_ATTRIBUTES, FILE_WRITE_ATTRIBUTES Administradores (ALLOWED) - DELETE, READ_CONTROL, WRITE_DAC, WRITE_OWNER, SYNCHRONIZE, FILE_READ_DATA, FILE_WRITE_DATA, FILE_APPEND_DATA, FILE_READ_EA, FILE_WRITE_EA, FILE_EXECUTE, FILE_READ_ATTRIBUTES, FILE_WRITE_ATTRIBUTES SYSTEM (ALLOWED) - DELETE, READ_CONTROL, WRITE_DAC, WRITE_OWNER, SYNCHRONIZE, FILE_READ_DATA, FILE_WRITE_DATA, FILE_APPEND_DATA, FILE_READ_EA, FILE_WRITE_EA, FILE_EXECUTE, FILE_READ_ATTRIBUTES, FILE_WRITE_ATTRIBUTES Authenticated Users (ALLOWED) - DELETE, READ_CONTROL, SYNCHRONIZE, FILE_READ_DATA, FILE_WRITE_DATA, FILE_APPEND_DATA, FILE_READ_EA, FILE_WRITE_EA, FILE_EXECUTE, FILE_READ_ATTRIBUTES, FILE_WRITE_ATTRIBUTES Usuarios (ALLOWED) - READ_CONTROL, SYNCHRONIZE, FILE_READ_DATA, FILE_READ_EA, FILE_EXECUTE, FILE_READ_ATTRIBUTES

  - Delete:

  ** Alert 1565781634.154473: - ossec,syscheck,pci_dss_11.5,gpg13_4.11,gdpr_II_5.1.f,hipaa_164.312.c.1,hipaa_164.312.c.2,nist_800_53_SI.7, 2019 Aug 14 11:20:34 (Win) 10.0.0.1->syscheck Rule: 553 (level 7) -> 'File deleted.' File 'd:\libraries\escritorio\testfim\filenew.txt' was deleted.

[DaveVG1]

Changing Windows audit policy - Windows agent

** Alert 1565781685.154761: - windows, windows_security,policy_changed,pci_dss_10.6.1,gpg13_10.1,gdpr_IV_35.7.d,hipaa_164.312.b,nist_800_53_AU.6,
2019 Aug 14 11:21:25 (Win) 10.0.0.1->EventChannel
Rule: 60112 (level 8) -> 'Windows Audit Policy changed'
{"win":{"system":{"providerName":"Microsoft-Windows-Security-Auditing","providerGuid":"{54849625-5478-4994-a5ba-3e3b0328c30d}","eventID":"4719","version":"0","level":"0","task":"13568","opcode":"0","keywords":"0x8020000000000000","systemTime":"2019-08-14T11:21:24.248461100Z","eventRecordID":"7420131","processID":"836","threadID":"8552","channel":"Security","computer":"COMPUTERNAME","severityValue":"AUDIT_SUCCESS","message":"Se cambió la directiva de auditoría del sistema."},"eventdata":{"subjectUserSid":"S-1-5-18","subjectUserName":"COMPUTERNAME$","subjectDomainName":"WORKGROUP","subjectLogonId":"0x3e7","categoryId":"%%8274","subcategoryId":"%%12800","subcategoryGuid":"{0cce921d-69ae-11d9-bed3-505054503030}","auditPolicyChangesId":"%%8448","category":"Object Access","subcategory":"File System","auditPolicyChanges":"Success removed"}}}
win.system.providerName: Microsoft-Windows-Security-Auditing
win.system.providerGuid: {54849625-5478-4994-a5ba-3e3b0328c30d}
win.system.eventID: 4719
win.system.version: 0
win.system.level: 0
win.system.task: 13568
win.system.opcode: 0
win.system.keywords: 0x8020000000000000
win.system.systemTime: 2019-08-14T11:21:24.248461100Z
win.system.eventRecordID: 7420131
win.system.processID: 836
win.system.threadID: 8552
win.system.channel: Security
win.system.computer: COMPUTERNAME
win.system.severityValue: AUDIT_SUCCESS
win.system.message: Se cambió la directiva de auditoría del sistema.
win.eventdata.subjectUserSid: S-1-5-18
win.eventdata.subjectUserName: COMPUTERNAME$
win.eventdata.subjectDomainName: WORKGROUP
win.eventdata.subjectLogonId: 0x3e7
win.eventdata.categoryId: %%8274
win.eventdata.subcategoryId: %%12800
win.eventdata.subcategoryGuid: {0cce921d-69ae-11d9-bed3-505054503030}
win.eventdata.auditPolicyChangesId: %%8448
win.eventdata.category: Object Access
win.eventdata.subcategory: File System
win.eventdata.auditPolicyChanges: Success removed

[DaveVG1]

Audit user actions - Linux agent

** Alert 1565782155.159113: - audit,audit_daemon,service_availability,pci_dss_10.6.1,gpg13_10.1,gpg13_4.14,gdpr_IV_35.7.d,gdpr_IV_30.1.g,hipaa_164.312.b,nist_800_53_AU.6,
2019 Aug 14 11:29:15 vm-manager-ubuntu->/var/log/audit/audit.log
Rule: 80703 (level 10) -> 'Auditd: End'
type=DAEMON_END msg=audit(1565782155.011:6539): auditd normal halt, sending auid=0 pid=1 subj= res=success
audit.type: DAEMON_END
audit.id: 6539
audit.pid: 1
audit.auid: 0
audit.res: success

[Skeptor]

Bruteforce Attack

Linux

** Alert 1566466049.222570: - syslog,sshd,authentication_failures,pci_dss_10.2.4,pci_dss_10.2.5,pci_dss_11.4,gpg13_7.1,gdpr_IV_35.7.d,gdpr_IV_32.2,hipaa_164.312.b,nist_800_53_AU.3.1,nist_800_53_IA.10,nist_800_53_SC.7,
2019 Aug 22 11:27:29 work->/var/log/auth.log
Rule: 5720 (level 10) -> 'sshd: Multiple authentication failures.'
Src IP: 192.168.0.108
Src Port: 48804
User: p
Aug 22 11:27:29 pablo-work sshd[17346]: Failed password for p from 192.168.0.108 port 48804 ssh2
Aug 22 11:27:24 pablo-work sshd[17346]: Failed password for p from 192.168.0.108 port 48804 ssh2
Aug 22 11:27:18 pablo-work sshd[17332]: Failed password for p from 192.168.0.108 port 48800 ssh2
Aug 22 11:27:14 pablo-work sshd[17332]: Failed password for p from 192.168.0.108 port 48800 ssh2
Aug 22 11:27:11 pablo-work sshd[17332]: Failed password for p from 192.168.0.108 port 48800 ssh2
Aug 22 11:27:04 pablo-work sshd[17134]: Failed password for p from 192.168.0.108 port 48798 ssh2
Aug 22 11:27:01 pablo-work sshd[17134]: Failed password for p from 192.168.0.108 port 48798 ssh2
Aug 22 11:27:00 pablo-work sshd[17134]: Failed password for p from 192.168.0.108 port 48798 ssh2

Windows

** Alert 1566468459.468117: - windows, windows_security,authentication_failures,pci_dss_10.2.4,pci_dss_10.2.5,pci_dss_11.4,gdpr_IV_35.7.d,gdpr_IV_32.2,hipaa_164.312.b,nist_800_53_AU.3.1,nist_800_53_IA.10,nist_800_53_SC.7,
2019 Aug 22 12:07:39 (DESKTOP-6AMQRMM) any->EventChannel
Rule: 60204 (level 10) -> 'Multiple Windows Logon Failures'
{"win":{"system":{"providerName":"Microsoft-Windows-Security-Auditing","providerGuid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","eventID":"4625","version":"0","level":"0","task":"12544","opcode":"0","keywords":"0x8010000000000000","systemTime":"2019-08-22T10:07:36.348879400Z","eventRecordID":"53221","processID":"664","threadID":"720","channel":"Security","computer":"DESKTOP-6AMQRMM","severityValue":"AUDIT_FAILURE","message":"Error de una cuenta al iniciar sesión."},"eventdata":{"subjectUserSid":"S-1-0-0","subjectLogonId":"0x0","targetUserSid":"S-1-0-0","targetUserName":"p","targetDomainName":"pablo-PC","status":"0xc000006d","failureReason":"%%2313","subStatus":"0xc0000064","logonType":"3","logonProcessName":"NtLmSsp","authenticationPackageName":"NTLM","workstationName":"PABLO-PC","keyLength":"0","processId":"0x0","ipAddress":"192.168.0.108","ipPort":"0"}}}
win.system.providerName: Microsoft-Windows-Security-Auditing
win.system.providerGuid: {54849625-5478-4994-A5BA-3E3B0328C30D}
win.system.eventID: 4625
win.system.version: 0
win.system.level: 0
win.system.task: 12544
win.system.opcode: 0
win.system.keywords: 0x8010000000000000
win.system.systemTime: 2019-08-22T10:07:36.348879400Z
win.system.eventRecordID: 53221
win.system.processID: 664
win.system.threadID: 720
win.system.channel: Security
win.system.computer: DESKTOP-6AMQRMM
win.system.severityValue: AUDIT_FAILURE
win.system.message: Error de una cuenta al iniciar sesión.
win.eventdata.subjectUserSid: S-1-0-0
win.eventdata.subjectLogonId: 0x0
win.eventdata.targetUserSid: S-1-0-0
win.eventdata.targetUserName: p
win.eventdata.targetDomainName: pablo-PC
win.eventdata.status: 0xc000006d
win.eventdata.failureReason: %%2313
win.eventdata.subStatus: 0xc0000064
win.eventdata.logonType: 3
win.eventdata.logonProcessName: NtLmSsp
win.eventdata.authenticationPackageName: NTLM
win.eventdata.workstationName: PABLO-PC
win.eventdata.keyLength: 0
win.eventdata.processId: 0x0
win.eventdata.ipAddress: 192.168.0.108
win.eventdata.ipPort: 0
{"win":{"system":{"providerName":"Microsoft-Windows-Security-Auditing","providerGuid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","eventID":"4625","version":"0","level":"0","task":"12544","opcode":"0","keywords":"0x8010000000000000","systemTime":"2019-08-22T10:07:27.576204700Z","eventRecordID":"53219","processID":"664","threadID":"720","channel":"Security","computer":"DESKTOP-6AMQRMM","severityValue":"AUDIT_FAILURE","message":"Error de una cuenta al iniciar sesión."},"eventdata":{"subjectUserSid":"S-1-0-0","subjectLogonId":"0x0","targetUserSid":"S-1-0-0","targetUserName":"p","targetDomainName":"pablo-PC","status":"0xc000006d","failureReason":"%%2313","subStatus":"0xc0000064","logonType":"3","logonProcessName":"NtLmSsp","authenticationPackageName":"NTLM","workstationName":"PABLO-PC","keyLength":"0","processId":"0x0","ipAddress":"192.168.0.108","ipPort":"0"}}}
{"win":{"system":{"providerName":"Microsoft-Windows-Security-Auditing","providerGuid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","eventID":"4625","version":"0","level":"0","task":"12544","opcode":"0","keywords":"0x8010000000000000","systemTime":"2019-08-22T10:07:24.738557000Z","eventRecordID":"53217","processID":"664","threadID":"720","channel":"Security","computer":"DESKTOP-6AMQRMM","severityValue":"AUDIT_FAILURE","message":"Error de una cuenta al iniciar sesión."},"eventdata":{"subjectUserSid":"S-1-0-0","subjectLogonId":"0x0","targetUserSid":"S-1-0-0","targetUserName":"p","targetDomainName":"pablo-PC","status":"0xc000006d","failureReason":"%%2313","subStatus":"0xc0000064","logonType":"3","logonProcessName":"NtLmSsp","authenticationPackageName":"NTLM","workstationName":"PABLO-PC","keyLength":"0","processId":"0x0","ipAddress":"192.168.0.108","ipPort":"0"}}}
{"win":{"system":{"providerName":"Microsoft-Windows-Security-Auditing","providerGuid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","eventID":"4625","version":"0","level":"0","task":"12544","opcode":"0","keywords":"0x8010000000000000","systemTime":"2019-08-22T10:07:21.960918200Z","eventRecordID":"53215","processID":"664","threadID":"720","channel":"Security","computer":"DESKTOP-6AMQRMM","severityValue":"AUDIT_FAILURE","message":"Error de una cuenta al iniciar sesión."},"eventdata":{"subjectUserSid":"S-1-0-0","subjectLogonId":"0x0","targetUserSid":"S-1-0-0","targetUserName":"p","targetDomainName":"pablo-PC","status":"0xc000006d","failureReason":"%%2313","subStatus":"0xc0000064","logonType":"3","logonProcessName":"NtLmSsp","authenticationPackageName":"NTLM","workstationName":"PABLO-PC","keyLength":"0","processId":"0x0","ipAddress":"192.168.0.108","ipPort":"0"}}}
{"win":{"system":{"providerName":"Microsoft-Windows-Security-Auditing","providerGuid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","eventID":"4625","version":"0","level":"0","task":"12544","opcode":"0","keywords":"0x8010000000000000","systemTime":"2019-08-22T10:07:18.414285100Z","eventRecordID":"53213","processID":"664","threadID":"720","channel":"Security","computer":"DESKTOP-6AMQRMM","severityValue":"AUDIT_FAILURE","message":"Error de una cuenta al iniciar sesión."},"eventdata":{"subjectUserSid":"S-1-0-0","subjectLogonId":"0x0","targetUserSid":"S-1-0-0","targetUserName":"p","targetDomainName":"pablo-PC","status":"0xc000006d","failureReason":"%%2313","subStatus":"0xc0000064","logonType":"3","logonProcessName":"NtLmSsp","authenticationPackageName":"NTLM","workstationName":"PABLO-PC","keyLength":"0","processId":"0x0","ipAddress":"192.168.0.108","ipPort":"0"}}}
{"win":{"system":{"providerName":"Microsoft-Windows-Security-Auditing","providerGuid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","eventID":"4625","version":"0","level":"0","task":"12544","opcode":"0","keywords":"0x8010000000000000","systemTime":"2019-08-22T10:07:15.362980800Z","eventRecordID":"53211","processID":"664","threadID":"720","channel":"Security","computer":"DESKTOP-6AMQRMM","severityValue":"AUDIT_FAILURE","message":"Error de una cuenta al iniciar sesión."},"eventdata":{"subjectUserSid":"S-1-0-0","subjectLogonId":"0x0","targetUserSid":"S-1-0-0","targetUserName":"p","targetDomainName":"pablo-PC","status":"0xc000006d","failureReason":"%%2313","subStatus":"0xc0000064","logonType":"3","logonProcessName":"NtLmSsp","authenticationPackageName":"NTLM","workstationName":"PABLO-PC","keyLength":"0","processId":"0x0","ipAddress":"192.168.0.108","ipPort":"0"}}}
{"win":{"system":{"providerName":"Microsoft-Windows-Security-Auditing","providerGuid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","eventID":"4625","version":"0","level":"0","task":"12544","opcode":"0","keywords":"0x8010000000000000","systemTime":"2019-08-22T10:07:12.699098200Z","eventRecordID":"53209","processID":"664","threadID":"720","channel":"Security","computer":"DESKTOP-6AMQRMM","severityValue":"AUDIT_FAILURE","message":"Error de una cuenta al iniciar sesión."},"eventdata":{"subjectUserSid":"S-1-0-0","subjectLogonId":"0x0","targetUserSid":"S-1-0-0","targetUserName":"p","targetDomainName":"pablo-PC","status":"0xc000006d","failureReason":"%%2313","subStatus":"0xc0000064","logonType":"3","logonProcessName":"NtLmSsp","authenticationPackageName":"NTLM","workstationName":"PABLO-PC","keyLength":"0","processId":"0x0","ipAddress":"192.168.0.108","ipPort":"0"}}}

[Skeptor]

Audit alert

** Alert 1566473784.560094: - audit,audit_watch_write,audit_watch_create,gdpr_II_5.1.f,gdpr_IV_30.1.g,
2019 Aug 22 13:36:24 (Seven) any->/var/log/audit/audit.log
Rule: 80790 (level 3) -> 'Audit: Created: /home/test'
type=SYSCALL msg=audit(1566473783.140:822): arch=c000003e syscall=2 success=yes exit=3 a0=7ffe2b3f3794 a1=941 a2=1b6 a3=7ffe2b3f1ca0 items=2 ppid=4921 pid=5665 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=3 comm="touch" exe="/usr/bin/touch" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key="audit-wazuh-w" type=CWD msg=audit(1566473783.140:822):  cwd="/home/vagrant" type=PATH msg=audit(1566473783.140:822): item=0 name="/home/" inode=6174 dev=08:01 mode=040755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:home_root_t:s0 objtype=PARENT cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0 type=PATH msg=audit(1566473783.140:822): item=1 name="/home/test" inode=6205 dev=08:01 mode=0100644 ouid=0 ogid=0 rdev=00:00 obj=unconfined_u:object_r:home_root_t:s0 objtype=CREATE cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0 type=PROCTITLE msg=audit(1566473783.140:822): proctitle=746F756368002F686F6D652F74657374
audit.type: SYSCALL
audit.id: 822
audit.arch: c000003e
audit.syscall: 2
audit.success: yes
audit.exit: 3
audit.ppid: 4921
audit.pid: 5665
audit.auid: 1000
audit.uid: 0
audit.gid: 0
audit.euid: 0
audit.suid: 0
audit.fsuid: 0
audit.egid: 0
audit.sgid: 0
audit.fsgid: 0
audit.tty: pts0
audit.session: 3
audit.command: touch
audit.exe: /usr/bin/touch
audit.key: audit-wazuh-w
audit.cwd: /home/vagrant
audit.directory.name: /home/
audit.directory.inode: 6174
audit.directory.mode: 040755
audit.file.name: /home/test
audit.file.inode: 6205
audit.file.mode: 0100644

[Skeptor]

Netcat

** Alert 1566474722.626218: - ossec,process_monitor,
2019 Aug 22 13:52:02 (Seven) any->process list
Rule: 100051 (level 7) -> 'Netcat listening for incoming connections.'
ossec: output: 'process list':
 5778 root     /var/ossec/bin/ossec-execd
 5783 ossec    /var/ossec/bin/ossec-agentd
 5791 root     /var/ossec/bin/ossec-syscheckd
 5795 root     /var/ossec/bin/ossec-logcollector
 5805 root     /var/ossec/bin/wazuh-modulesd
 5867 root     nc -l -p 8000
 5868 root     ps -e -o pid,uname,command

[Skeptor]

Shellshock attack detected

curl --insecure http://10.0.0.151 -H "User-Agent: () { :; }; /bin/cat /etc/passwd"

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">

<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en">
    <head>
        <title>Test Page for the Nginx HTTP Server on Fedora</title>
        <meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
        <style type="text/css">
            /*<![CDATA[*/
            body {
                background-color: #fff;
                color: #000;
                font-size: 0.9em;
                font-family: sans-serif,helvetica;
                margin: 0;
                padding: 0;
            }
            :link {
                color: #c00;
            }
            :visited {
                color: #c00;
            }
            a:hover {
                color: #f50;
            }
            h1 {
                text-align: center;
                margin: 0;
                padding: 0.6em 2em 0.4em;
                background-color: #294172;
                color: #fff;
                font-weight: normal;
                font-size: 1.75em;
                border-bottom: 2px solid #000;
            }
            h1 strong {
                font-weight: bold;
                font-size: 1.5em;
            }
            h2 {
                text-align: center;
                background-color: #3C6EB4;
                font-size: 1.1em;
                font-weight: bold;
                color: #fff;
                margin: 0;
                padding: 0.5em;
                border-bottom: 2px solid #294172;
            }
            hr {
                display: none;
            }
            .content {
                padding: 1em 5em;
            }
            .alert {
                border: 2px solid #000;
            }

            img {
                border: 2px solid #fff;
                padding: 2px;
                margin: 2px;
            }
            a:hover img {
                border: 2px solid #294172;
            }
            .logos {
                margin: 1em;
                text-align: center;
            }
            /*]]>*/
        </style>
    </head>

    <body>
        <h1>Welcome to <strong>nginx</strong> on Fedora!</h1>

        <div class="content">
            <p>This page is used to test the proper operation of the
            <strong>nginx</strong> HTTP server after it has been
            installed. If you can read this page, it means that the
            web server installed at this site is working
            properly.</p>

            <div class="alert">
                <h2>Website Administrator</h2>
                <div class="content">
                    <p>This is the default <tt>index.html</tt> page that
                    is distributed with <strong>nginx</strong> on
                    Fedora.  It is located in
                    <tt>/usr/share/nginx/html</tt>.</p>

                    <p>You should now put your content in a location of
                    your choice and edit the <tt>root</tt> configuration
                    directive in the <strong>nginx</strong>
                    configuration file
                    <tt>/etc/nginx/nginx.conf</tt>.</p>

                </div>
            </div>

            <div class="logos">
                <a href="http://nginx.net/"><img
                    src="nginx-logo.png" 
                    alt="[ Powered by nginx ]"
                    width="121" height="32" /></a>

                <a href="http://fedoraproject.org/"><img 
                    src="poweredby.png" 
                    alt="[ Powered by Fedora ]" 
                    width="88" height="31" /></a>
            </div>
        </div>
    </body>
</html>

** Alert 1566888204.100687: mail  - web,accesslog,attack,pci_dss_11.4,gdpr_IV_35.7.d,nist_800_53_SC.7,
2019 Aug 27 08:43:24 (Seven) any->/var/log/nginx/access.log
Rule: 31166 (level 15) -> 'Shellshock attack detected'
Src IP: 10.0.0.1
10.0.0.1 - - [27/Aug/2019:06:43:22 +0000] "GET / HTTP/1.1" 200 3700 "-" "() { :; }; /bin/cat /etc/passwd" "-"

[Skeptor]

IP Reputation

** Alert 1566894124.243128: - attack,
2019 Aug 27 10:22:04 pablo-work->/var/log/auth.log
Rule: 100100 (level 10) -> 'IP address found in AlienVault reputation database.'
Src IP: 192.168.0.122
Src Port: 33360
User: pablo
Aug 27 10:22:03 pablo-work sshd[28573]: Failed password for pablo from 192.168.0.122 port 33360 ssh2

** Alert 1566894125.243450: - ossec,active_response,pci_dss_11.4,gpg13_4.13,gdpr_IV_35.7.d,nist_800_53_SC.7,
2019 Aug 27 10:22:05 pablo-work->/var/ossec/logs/active-responses.log
Rule: 601 (level 3) -> 'Host Blocked by firewall-drop.sh Active Response'
Src IP: 192.168.0.122
mar ago 27 10:22:04 CEST 2019 /var/ossec/active-response/bin/firewall-drop.sh add - 192.168.0.122 1566894124.243128 100100
script: firewall-drop.sh
type: add

[Skeptor]

FIM Linux

• Create

  
  ** Alert 1566895099.263067: - ossec,syscheck,pci_dss_11.5,gpg13_4.11,gdpr_II_5.1.f,hipaa_164.312.c.1,hipaa_164.312.c.2,nist_800_53_SI.7,
  2019 Aug 27 10:38:19 (Seven) any->syscheck
  Rule: 554 (level 5) -> 'File added to the system.'
  File '/home/vagrant/newfile' was added.

Attributes:

• Size: 0
• Date: Tue Aug 27 10:34:45 2019
• Inode: 5238207
• User: root (0)
• Group: root (0)
• MD5: d41d8cd98f00b204e9800998ecf8427e
• SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
• SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
• Permissions: 100644

• Modify

  
  ** Alert 1566895175.267012: - ossec,syscheck,pci_dss_11.5,gpg13_4.11,gdpr_II_5.1.f,hipaa_164.312.c.1,hipaa_164.312.c.2,nist_800_53_SI.7,
  2019 Aug 27 10:39:35 (Seven) any->syscheck
  Rule: 550 (level 7) -> 'Integrity checksum changed.'
  File '/home/vagrant/newfile' checksum changed.
  Size changed from '0' to '4'
  Old md5sum was: 'd41d8cd98f00b204e9800998ecf8427e'
  New md5sum is : 'ee567e026d2d4e1db0473ab9084d3f9e'
  Old sha1sum was: 'da39a3ee5e6b4b0d3255bfef95601890afd80709'
  New sha1sum is : '5ca2c015b57a74e28d4aae6a154b489368922827'
  Old sha256sum was: 'e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855'
  New sha256sum is : '84852059e1321a6d7c437c943ff38032b76331c95fd3f7e4f323ca7545e38ac1'
  Old modification time was: 'Tue Aug 27 10:34:45 2019', now it is 'Tue Aug 27 10:39:35 2019'

Attributes:

• Size: 4
• Date: Tue Aug 27 10:39:35 2019
• Inode: 5238207
• User: root (0)
• Group: root (0)
• MD5: ee567e026d2d4e1db0473ab9084d3f9e
• SHA1: 5ca2c015b57a74e28d4aae6a154b489368922827
• SHA256: 84852059e1321a6d7c437c943ff38032b76331c95fd3f7e4f323ca7545e38ac1
• Permissions: 100644

• Delete

  ** Alert 1566895256.268819: - ossec,syscheck,pci_dss_11.5,gpg13_4.11,gdpr_II_5.1.f,hipaa_164.312.c.1,hipaa_164.312.c.2,nist_800_53_SI.7,
  2019 Aug 27 10:40:56 (Seven) any->syscheck
  Rule: 553 (level 7) -> 'File deleted.'
  File '/home/vagrant/newfile' was deleted.

• Change the permissions and owner

  
  ** Alert 1566895216.268111: - ossec,syscheck,pci_dss_11.5,gpg13_4.11,gdpr_II_5.1.f,hipaa_164.312.c.1,hipaa_164.312.c.2,nist_800_53_SI.7,
  2019 Aug 27 10:40:16 (Seven) any->syscheck
  Rule: 550 (level 7) -> 'Integrity checksum changed.'
  File '/home/vagrant/newfile' checksum changed.
  Ownership was 'root (0)', now it is 'vagrant (1000)'
  Group ownership was 'root (0)', now it is 'vagrant (1000)'

Attributes:

• Size: 4
• Date: Tue Aug 27 10:39:35 2019
• Inode: 5238207
• User: vagrant (1000)
• Group: vagrant (1000)
• MD5: ee567e026d2d4e1db0473ab9084d3f9e
• SHA1: 5ca2c015b57a74e28d4aae6a154b489368922827
• SHA256: 84852059e1321a6d7c437c943ff38032b76331c95fd3f7e4f323ca7545e38ac1
• Permissions: 100644

[Skeptor]

Rootkit detection

** Alert 1566897931.376026: - ossec,rootcheck,gdpr_IV_35.7.d,
2019 Aug 27 11:25:31 (Seven) any->rootcheck
Rule: 510 (level 7) -> 'Host-based anomaly detection event (rootcheck).'
Process '4874' hidden from /proc. Possible kernel level rootkit.
title: Process '4874' hidden from /proc.

** Alert 1566897935.376312: - ossec,rootcheck,gdpr_IV_35.7.d,
2019 Aug 27 11:25:35 (Seven) any->rootcheck
Rule: 510 (level 7) -> 'Host-based anomaly detection event (rootcheck).'
Process '31007' hidden from /proc. Possible kernel level rootkit.
title: Process '31007' hidden from /proc.

[Skeptor]

Detecting a trojan

** Alert 1566903816.1580858: - ossec,rootcheck,gdpr_IV_35.7.d,
2019 Aug 27 13:03:36 (Seven) any->rootcheck
Rule: 510 (level 7) -> 'Host-based anomaly detection event (rootcheck).'
Rootkit 'Suspicious' detected by the presence of file '/dev/ptyr'.
title: Rootkit 'Suspicious' detected by the presence of file '/dev/ptyr'.

** Alert 1566903818.1581180: - ossec,rootcheck,gdpr_IV_35.7.d,
2019 Aug 27 13:03:38 (Seven) any->rootcheck
Rule: 510 (level 7) -> 'Host-based anomaly detection event (rootcheck).'
File '/dev/ptyr' present on /dev. Possible hidden file.
title: File present on /dev.
file: /dev/ptyr

[Skeptor]

OpenSCAP scan

** Alert 1566905953.2153718: - oscap,oscap-result,pci_dss_2.2,nist_800_53_CM.1,
2019 Aug 27 13:39:13 (Seven) any->wodle_open-scap
Rule: 81530 (level 7) -> 'OpenSCAP: Ensure auditd Collects Information on Kernel Module Loading and Unloading (not passed)'
oscap: msg: "xccdf-result", scan-id: "0001566905871", content: "ssg-centos-7-ds.xml", title: "Ensure auditd Collects Information on Kernel Module Loading and Unloading", id: "xccdf_org.ssgproject.content_rule_audit_rules_kernel_module_loading", result: "fail", severity: "medium", description: "If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d to capture kernel module loading and unloading events, setting ARCH to either b32 or b64 as appropriate for your system: -w /usr/sbin/insmod -p x -k modules -w /usr/sbin/rmmod -p x -k modules -w /usr/sbin/modprobe -p x -k modules -a always,exit -F arch=ARCH -S init_module -S delete_module -k modules If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file in order to capture kernel module loading and unloading events, setting ARCH to either b32 or b64 as appropriate for your system: -w /usr/sbin/insmod -p x -k modules -w /usr/sbin/rmmod -p x -k modules -w /usr/sbin/modprobe -p x -k modules -a always,exit -F arch=ARCH -S init_module -S delete_module -k modules", rationale: "The addition/removal of kernel modules can be used to alter the behavior of the kernel and potentially introduce malicious code into kernel space. It is important to have an audit trail of modules that have been introduced into the kernel." references: "AC-17(7) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-1(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(d) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IR-5 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), Req-10.2.7 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 5.2.17 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), 172 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 5.4.1.1 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 3.1.7 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)", identifiers: "", oval-id: "oval:ssg-audit_rules_kernel_module_loading:def:1", benchmark-id: "xccdf_org.ssgproject.content_benchmark_RHEL-7", profile-id: "xccdf_org.ssgproject.content_profile_common", profile-title: "Common Profile for General-Purpose Systems".
oscap.scan.id: 0001566905871
oscap.scan.content: ssg-centos-7-ds.xml
oscap.check.title: Ensure auditd Collects Information on Kernel Module Loading and Unloading
oscap.check.id: xccdf_org.ssgproject.content_rule_audit_rules_kernel_module_loading
oscap.check.result: fail
oscap.check.severity: medium
oscap.check.description: If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d to capture kernel module loading and unloading events, setting ARCH to either b32 or b64 as appropriate for your system: -w /usr/sbin/insmod -p x -k modules -w /usr/sbin/rmmod -p x -k modules -w /usr/sbin/modprobe -p x -k modules -a always,exit -F arch=ARCH -S init_module -S delete_module -k modules If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file in order to capture kernel module loading and unloading events, setting ARCH to either b32 or b64 as appropriate for your system: -w /usr/sbin/insmod -p x -k modules -w /usr/sbin/rmmod -p x -k modules -w /usr/sbin/modprobe -p x -k modules -a always,exit -F arch=ARCH -S init_module -S delete_module -k modules
oscap.check.rationale: The addition/removal of kernel modules can be used to alter the behavior of the kernel and potentially introduce malicious code into kernel space. It is important to have an audit trail of modules that have been introduced into the kernel.
oscap.check.references: AC-17(7) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-1(b) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-2(d) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(a) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), AU-12(c) (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), IR-5 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), Req-10.2.7 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf), 5.2.17 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf), 172 (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 5.4.1.1 (https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf), 3.1.7 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf)
oscap.check.oval.id: oval:ssg-audit_rules_kernel_module_loading:def:1
oscap.scan.benchmark.id: xccdf_org.ssgproject.content_benchmark_RHEL-7
oscap.scan.profile.id: xccdf_org.ssgproject.content_profile_common
oscap.scan.profile.title: Common Profile for General-Purpose Systems

** Alert 1566905955.2159840: - oscap,oscap-report,pci_dss_2.2,nist_800_53_CM.1,
2019 Aug 27 13:39:15 (Seven) any->wodle_open-scap
Rule: 81542 (level 5) -> 'OpenSCAP Report overview: Score less than 80'
oscap: msg: "xccdf-overview", scan-id: "0001566905871", content: "ssg-centos-7-ds.xml", benchmark-id: "xccdf_org.ssgproject.content_benchmark_RHEL-7", profile-id: "xccdf_org.ssgproject.content_profile_common", profile-title: "Common Profile for General-Purpose Systems", score: "75.000000".
oscap.scan.id: 0001566905871
oscap.scan.content: ssg-centos-7-ds.xml
oscap.scan.benchmark.id: xccdf_org.ssgproject.content_benchmark_RHEL-7
oscap.scan.profile.id: xccdf_org.ssgproject.content_profile_common
oscap.scan.profile.title: Common Profile for General-Purpose Systems
oscap.scan.score: 75.000000

[Skeptor]

Create a file in /tmp with content: X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*

Rule: 87105 (level 12) -> 'VirusTotal: Alert - /tmp/suspicious - 56 engines detected this file'
{"virustotal": {"found": 1, "malicious": 1, "source": {"alert_id": "1566907249.2312452", "file": "/tmp/suspicious", "md5": "aa991d6e29bf8eb4c1b56c599dffce0a", "sha1": "506db7cc75304c29459061ebf9d1d3305aa5b798"}, "sha1": "506db7cc75304c29459061ebf9d1d3305aa5b798", "scan_date": "2019-07-29 13:44:10", "positives": 56, "total": 60, "permalink": "https://www.virustotal.com/file/e038b5168d9209267058112d845341cae83d92b1d1af0a10b66830acb7529494/analysis/1564407850/"}, "integration": "virustotal"}
virustotal.source.file: /tmp/suspicious

[cristgl]

Changing Windows audit policy - Windows agent

** Alert 1566907385.15588: - windows, windows_security,policy_changed,pci_dss_10.6.1,gpg13_10.1,gdpr_IV_35.7.d,hipaa_164.312.b,nist_800_53_AU.6,
2019 Aug 27 14:03:05 (win) any->EventChannel
Rule: 60112 (level 8) -> 'Windows Audit Policy changed'
{"win":{"system":{"providerName":"Microsoft-Windows-Security-Auditing","providerGuid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","eventID":"4719","version":"0","level":"0","task":"13568","opcode":"0","keywords":"0x8020000000000000","systemTime":"2019-08-27T12:03:04.114350100Z","eventRecordID":"17406704","processID":"944","threadID":"972","channel":"Security","computer":"pcname","severityValue":"AUDIT_SUCCESS","message":"System audit policy was changed."},"eventdata":{"subjectUserSid":"S-1-5-18","subjectUserName":"PCNAME$","subjectDomainName":"WORKGROUP","subjectLogonId":"0x3e7","categoryId":"%%8273","subcategoryId":"%%12549","subcategoryGuid":"{0CCE9219-69AE-11D9-BED3-505054503030}","auditPolicyChangesId":"%%8448","category":"Logon/Logoff","subcategory":"IPSec Extended Mode","auditPolicyChanges":"Success removed"}}}
win.system.providerName: Microsoft-Windows-Security-Auditing
win.system.providerGuid: {54849625-5478-4994-A5BA-3E3B0328C30D}
win.system.eventID: 4719
win.system.version: 0
win.system.level: 0
win.system.task: 13568
win.system.opcode: 0
win.system.keywords: 0x8020000000000000
win.system.systemTime: 2019-08-27T12:03:04.114350100Z
win.system.eventRecordID: 17406704
win.system.processID: 944
win.system.threadID: 972
win.system.channel: Security
win.system.computer: pcname
win.system.severityValue: AUDIT_SUCCESS
win.system.message: System audit policy was changed.
win.eventdata.subjectUserSid: S-1-5-18
win.eventdata.subjectUserName: PCNAME$
win.eventdata.subjectDomainName: WORKGROUP
win.eventdata.subjectLogonId: 0x3e7
win.eventdata.categoryId: %%8273
win.eventdata.subcategoryId: %%12549
win.eventdata.subcategoryGuid: {0CCE9219-69AE-11D9-BED3-505054503030}
win.eventdata.auditPolicyChangesId: %%8448
win.eventdata.category: Logon/Logoff
win.eventdata.subcategory: IPSec Extended Mode
win.eventdata.auditPolicyChanges: Success removed

[cristgl]

FIM - Windows agent

** Alert 1566908436.8554695: - ossec,syscheck,pci_dss_11.5,gpg13_4.11,gdpr_II_5.1.f,hipaa_164.312.c.1,hipaa_164.312.c.2,nist_800_53_SI.7,
2019 Aug 27 14:20:36 (win) any->syscheck
Rule: 554 (level 5) -> 'File added to the system.'
File 'c:\users\user\desktop\fd\newfile.txt' was added.

Attributes:
 - Size: 0
 - Date: Tue Aug 27 14:20:28 2019
 - User: user (S-1-5-21-3416783167-2895274904-3428114391-1001)
 - MD5: d41d8cd98f00b204e9800998ecf8427e
 - SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
 - SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
 - File attributes: ARCHIVE
 - Permissions: 
   SYSTEM  (ALLOWED) - DELETE, READ_CONTROL, WRITE_DAC, WRITE_OWNER, SYNCHRONIZE, FILE_READ_DATA, FILE_WRITE_DATA, FILE_APPEND_DATA, FILE_READ_EA, FILE_WRITE_EA, FILE_EXECUTE, FILE_READ_ATTRIBUTES, FILE_WRITE_ATTRIBUTES
   Administrators  (ALLOWED) - DELETE, READ_CONTROL, WRITE_DAC, WRITE_OWNER, SYNCHRONIZE, FILE_READ_DATA, FILE_WRITE_DATA, FILE_APPEND_DATA, FILE_READ_EA, FILE_WRITE_EA, FILE_EXECUTE, FILE_READ_ATTRIBUTES, FILE_WRITE_ATTRIBUTES
   user  (ALLOWED) - DELETE, READ_CONTROL, WRITE_DAC, WRITE_OWNER, SYNCHRONIZE, FILE_READ_DATA, FILE_WRITE_DATA, FILE_APPEND_DATA, FILE_READ_EA, FILE_WRITE_EA, FILE_EXECUTE, FILE_READ_ATTRIBUTES, FILE_WRITE_ATTRIBUTES

** Alert 1566908500.8555980: - ossec,syscheck,pci_dss_11.5,gpg13_4.11,gdpr_II_5.1.f,hipaa_164.312.c.1,hipaa_164.312.c.2,nist_800_53_SI.7,
2019 Aug 27 14:21:40 (win) any->syscheck
Rule: 550 (level 7) -> 'Integrity checksum changed.'
File 'c:\users\user\desktop\fd\newfile.txt' checksum changed.
Size changed from '0' to '8'
Old md5sum was: 'd41d8cd98f00b204e9800998ecf8427e'
New md5sum is : 'e708864855f3bb69c4d9a213b9108b9f'
Old sha1sum was: 'da39a3ee5e6b4b0d3255bfef95601890afd80709'
New sha1sum is : '27ef11c24a1d336f46c69762b655a1495656820f'
Old sha256sum was: 'e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855'
New sha256sum is : '9cba6e4275a4b455bd163fbb2e3c04d95cd36291f51ba85974303558ca739bf6'
Old modification time was: 'Tue Aug 27 14:20:28 2019', now it is 'Tue Aug 27 14:21:38 2019'

Attributes:
 - Size: 8
 - Date: Tue Aug 27 14:21:38 2019
 - User: user (S-1-5-21-3416783167-2895274904-3428114391-1001)
 - MD5: e708864855f3bb69c4d9a213b9108b9f
 - SHA1: 27ef11c24a1d336f46c69762b655a1495656820f
 - SHA256: 9cba6e4275a4b455bd163fbb2e3c04d95cd36291f51ba85974303558ca739bf6
 - File attributes: ARCHIVE
 - Permissions: 
   SYSTEM  (ALLOWED) - DELETE, READ_CONTROL, WRITE_DAC, WRITE_OWNER, SYNCHRONIZE, FILE_READ_DATA, FILE_WRITE_DATA, FILE_APPEND_DATA, FILE_READ_EA, FILE_WRITE_EA, FILE_EXECUTE, FILE_READ_ATTRIBUTES, FILE_WRITE_ATTRIBUTES
   Administrators  (ALLOWED) - DELETE, READ_CONTROL, WRITE_DAC, WRITE_OWNER, SYNCHRONIZE, FILE_READ_DATA, FILE_WRITE_DATA, FILE_APPEND_DATA, FILE_READ_EA, FILE_WRITE_EA, FILE_EXECUTE, FILE_READ_ATTRIBUTES, FILE_WRITE_ATTRIBUTES
   user  (ALLOWED) - DELETE, READ_CONTROL, WRITE_DAC, WRITE_OWNER, SYNCHRONIZE, FILE_READ_DATA, FILE_WRITE_DATA, FILE_APPEND_DATA, FILE_READ_EA, FILE_WRITE_EA, FILE_EXECUTE, FILE_READ_ATTRIBUTES, FILE_WRITE_ATTRIBUTES

** Alert 1566908524.8557789: - ossec,syscheck,pci_dss_11.5,gpg13_4.11,gdpr_II_5.1.f,hipaa_164.312.c.1,hipaa_164.312.c.2,nist_800_53_SI.7,
2019 Aug 27 14:22:04 (win) any->syscheck
Rule: 553 (level 7) -> 'File deleted.'
File 'c:\users\user\desktop\fd\newfile.txt' was deleted.

** Alert 1566908611.8560933: - ossec,syscheck,pci_dss_11.5,gpg13_4.11,gdpr_II_5.1.f,hipaa_164.312.c.1,hipaa_164.312.c.2,nist_800_53_SI.7,
2019 Aug 27 14:23:31 (win) any->syscheck
Rule: 550 (level 7) -> 'Integrity checksum changed.'
File 'c:\users\user\desktop\fd\newfile.txt' checksum changed.
Old attributes were: 'ARCHIVE'
Now they are 'ARCHIVE, READONLY'

Attributes:
 - Size: 0
 - Date: Tue Aug 27 14:22:35 2019
 - User: user (S-1-5-21-3416783167-2895274904-3428114391-1001)
 - MD5: d41d8cd98f00b204e9800998ecf8427e
 - SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
 - SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
 - File attributes: ARCHIVE, READONLY
 - Permissions: 
   SYSTEM  (ALLOWED) - DELETE, READ_CONTROL, WRITE_DAC, WRITE_OWNER, SYNCHRONIZE, FILE_READ_DATA, FILE_WRITE_DATA, FILE_APPEND_DATA, FILE_READ_EA, FILE_WRITE_EA, FILE_EXECUTE, FILE_READ_ATTRIBUTES, FILE_WRITE_ATTRIBUTES
   Administrators  (ALLOWED) - DELETE, READ_CONTROL, WRITE_DAC, WRITE_OWNER, SYNCHRONIZE, FILE_READ_DATA, FILE_WRITE_DATA, FILE_APPEND_DATA, FILE_READ_EA, FILE_WRITE_EA, FILE_EXECUTE, FILE_READ_ATTRIBUTES, FILE_WRITE_ATTRIBUTES
   user  (ALLOWED) - DELETE, READ_CONTROL, WRITE_DAC, WRITE_OWNER, SYNCHRONIZE, FILE_READ_DATA, FILE_WRITE_DATA, FILE_APPEND_DATA, FILE_READ_EA, FILE_WRITE_EA, FILE_EXECUTE, FILE_READ_ATTRIBUTES, FILE_WRITE_ATTRIBUTES

[Skeptor]

Analysisd performance

sudo python wazuh-tools/utils/queue.py -L "1:/var/log/example.log:Hello, this is another log."
Messages: 2364629
Bytes: 118231450

sudo python wazuh-tools/utils/queue.py -L '1:testing:{"timestamp":"2017-12-19T01:58:20.042229-0500","flow_id":2058980353063007,"in_iface":"eth0","event_type":"alert","src_ip":"10.0.0.250","src_port":59582,"dest_ip":"10.0.0.166","dest_port":80,"proto":"TCP","tx_id":0,"alert":{"action":"allowed","gid":1,"signature_id":2019232,"rev":4,"signature":"ET WEB_SERVER Possible CVE-2014-6271 Attempt in Headers","category":"Attempted Administrator Privilege Gain","severity":1},"http":{"hostname":"ag-redhat.wazuh.net","url":"\/","http_user_agent":"() { :; }; \/bin\/cat \/etc\/passwd","http_content_type":"text\/html","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":31}}'
^C
Messages: 4318289
Bytes: 2750750093

I didn't get any flood alert.

[Skeptor]

I've performed the test again to assess the results. Although I don't have any alert, the manager logs a warning:

2019/08/29 11:57:02 ossec-analysisd[20677] analysisd.c:1743 at ad_input_main(): WARNING: Input queue is full.

[Skeptor]

WPK Upgrade

[root@c7-agent-151 vagrant]# cat /var/ossec/logs/upgrade.log 
2019/08/29 08:45:25 - Generating Backup.
2019/08/29 08:45:25 - Upgrade started.

 Wazuh v3.11.0 (Rev. 31007) Installation Script - http://www.wazuh.com

 You are about to start the installation process of Wazuh.
 You must have a C compiler pre-installed in your system.

  - System: Linux c7-agent-151 3.10.0-957.12.2.el7.x86_64 (centos 7.6)
  - User: root
  - Host: c7-agent-151

  -- Press ENTER to continue or Ctrl-C to abort. --

 - You already have Wazuh installed. Do you want to update it? (y/n): 

2- Setting up the installation environment.

    - Installation will be made at  /var/ossec .

4- Installing the system

 - Running the Makefile

make -C external/audit-userspace/lib CC=cc
make[1]: Entering directory `/var/ossec/var/upgrade/src/external/audit-userspace/lib'
make[2]: Entering directory `/var/ossec/var/upgrade/src/external/audit-userspace'
CDPATH="${ZSH_VERSION+.}:" && cd . && /bin/sh /home/vagrant/wazuh/src/external/audit-userspace/missing autoconf
make[2]: Leaving directory `/var/ossec/var/upgrade/src/external/audit-userspace'
cd .. && make  am--refresh
make[2]: Entering directory `/var/ossec/var/upgrade/src/external/audit-userspace'
CDPATH="${ZSH_VERSION+.}:" && cd . && /bin/sh /home/vagrant/wazuh/src/external/audit-userspace/missing autoconf
make[2]: Leaving directory `/var/ossec/var/upgrade/src/external/audit-userspace'
make[2]: Entering directory `/var/ossec/var/upgrade/src/external/audit-userspace'
CDPATH="${ZSH_VERSION+.}:" && cd . && /bin/sh /home/vagrant/wazuh/src/external/audit-userspace/missing autoconf
make[2]: Leaving directory `/var/ossec/var/upgrade/src/external/audit-userspace'
cc -DHAVE_CONFIG_H -I. -I..  -I. -I.. -I../auparse  '-DTABLE_H="actiontab.h"' -g -O2 -MT gen_actiontabs_h-gen_tables.o -MD -MP -MF .deps/gen_actiontabs_h-gen_tables.Tpo -c -o gen_actiontabs_h-gen_tables.o `test -f 'gen_tables.c' || echo './'`gen_tables.c
mv -f .deps/gen_actiontabs_h-gen_tables.Tpo .deps/gen_actiontabs_h-gen_tables.Po
/bin/sh ../libtool  --tag=CC   --mode=link cc '-DTABLE_H="actiontab.h"' -g -O2   -o gen_actiontabs_h gen_actiontabs_h-gen_tables.o  
libtool: link: cc -DTABLE_H=\"actiontab.h\" -g -O2 -o gen_actiontabs_h gen_actiontabs_h-gen_tables.o 
./gen_actiontabs_h --lowercase --i2s --s2i action > actiontabs.h
cc -DHAVE_CONFIG_H -I. -I..  -I. -I.. -I../auparse  '-DTABLE_H="errtab.h"' -g -O2 -MT gen_errtabs_h-gen_tables.o -MD -MP -MF .deps/gen_errtabs_h-gen_tables.Tpo -c -o gen_errtabs_h-gen_tables.o `test -f 'gen_tables.c' || echo './'`gen_tables.c
mv -f .deps/gen_errtabs_h-gen_tables.Tpo .deps/gen_errtabs_h-gen_tables.Po
/bin/sh ../libtool  --tag=CC   --mode=link cc '-DTABLE_H="errtab.h"' -g -O2   -o gen_errtabs_h gen_errtabs_h-gen_tables.o  
libtool: link: cc -DTABLE_H=\"errtab.h\" -g -O2 -o gen_errtabs_h gen_errtabs_h-gen_tables.o 
./gen_errtabs_h --duplicate-ints --uppercase --i2s --s2i err > errtabs.h
cc -DHAVE_CONFIG_H -I. -I..  -I. -I.. -I../auparse  '-DTABLE_H="fieldtab.h"' -g -O2 -MT gen_fieldtabs_h-gen_tables.o -MD -MP -MF .deps/gen_fieldtabs_h-gen_tables.Tpo -c -o gen_fieldtabs_h-gen_tables.o `test -f 'gen_tables.c' || echo './'`gen_tables.c
mv -f .deps/gen_fieldtabs_h-gen_tables.Tpo .deps/gen_fieldtabs_h-gen_tables.Po
/bin/sh ../libtool  --tag=CC   --mode=link cc '-DTABLE_H="fieldtab.h"' -g -O2   -o gen_fieldtabs_h gen_fieldtabs_h-gen_tables.o  
libtool: link: cc -DTABLE_H=\"fieldtab.h\" -g -O2 -o gen_fieldtabs_h gen_fieldtabs_h-gen_tables.o 
./gen_fieldtabs_h --duplicate-ints --lowercase --i2s --s2i field > fieldtabs.h
cc -DHAVE_CONFIG_H -I. -I..  -I. -I.. -I../auparse  '-DTABLE_H="flagtab.h"' -g -O2 -MT gen_flagtabs_h-gen_tables.o -MD -MP -MF .deps/gen_flagtabs_h-gen_tables.Tpo -c -o gen_flagtabs_h-gen_tables.o `test -f 'gen_tables.c' || echo './'`gen_tables.c
mv -f .deps/gen_flagtabs_h-gen_tables.Tpo .deps/gen_flagtabs_h-gen_tables.Po
/bin/sh ../libtool  --tag=CC   --mode=link cc '-DTABLE_H="flagtab.h"' -g -O2   -o gen_flagtabs_h gen_flagtabs_h-gen_tables.o  
libtool: link: cc -DTABLE_H=\"flagtab.h\" -g -O2 -o gen_flagtabs_h gen_flagtabs_h-gen_tables.o 
./gen_flagtabs_h --lowercase --i2s --s2i flag > flagtabs.h
cc -DHAVE_CONFIG_H -I. -I..  -I. -I.. -I../auparse  '-DTABLE_H="fstypetab.h"' -g -O2 -MT gen_fstypetabs_h-gen_tables.o -MD -MP -MF .deps/gen_fstypetabs_h-gen_tables.Tpo -c -o gen_fstypetabs_h-gen_tables.o `test -f 'gen_tables.c' || echo './'`gen_tables.c
mv -f .deps/gen_fstypetabs_h-gen_tables.Tpo .deps/gen_fstypetabs_h-gen_tables.Po
/bin/sh ../libtool  --tag=CC   --mode=link cc '-DTABLE_H="fstypetab.h"' -g -O2   -o gen_fstypetabs_h gen_fstypetabs_h-gen_tables.o  
libtool: link: cc -DTABLE_H=\"fstypetab.h\" -g -O2 -o gen_fstypetabs_h gen_fstypetabs_h-gen_tables.o 
./gen_fstypetabs_h --lowercase --i2s --s2i fstype > fstypetabs.h
cc -DHAVE_CONFIG_H -I. -I..  -I. -I.. -I../auparse  '-DTABLE_H="ftypetab.h"' -g -O2 -MT gen_ftypetabs_h-gen_tables.o -MD -MP -MF .deps/gen_ftypetabs_h-gen_tables.Tpo -c -o gen_ftypetabs_h-gen_tables.o `test -f 'gen_tables.c' || echo './'`gen_tables.c
mv -f .deps/gen_ftypetabs_h-gen_tables.Tpo .deps/gen_ftypetabs_h-gen_tables.Po
/bin/sh ../libtool  --tag=CC   --mode=link cc '-DTABLE_H="ftypetab.h"' -g -O2   -o gen_ftypetabs_h gen_ftypetabs_h-gen_tables.o  
libtool: link: cc -DTABLE_H=\"ftypetab.h\" -g -O2 -o gen_ftypetabs_h gen_ftypetabs_h-gen_tables.o 
./gen_ftypetabs_h --lowercase --i2s --s2i ftype > ftypetabs.h
cc -DHAVE_CONFIG_H -I. -I..  -I. -I.. -I../auparse  '-DTABLE_H="i386_table.h"' -g -O2 -MT gen_i386_tables_h-gen_tables.o -MD -MP -MF .deps/gen_i386_tables_h-gen_tables.Tpo -c -o gen_i386_tables_h-gen_tables.o `test -f 'gen_tables.c' || echo './'`gen_tables.c
mv -f .deps/gen_i386_tables_h-gen_tables.Tpo .deps/gen_i386_tables_h-gen_tables.Po
/bin/sh ../libtool  --tag=CC   --mode=link cc '-DTABLE_H="i386_table.h"' -g -O2   -o gen_i386_tables_h gen_i386_tables_h-gen_tables.o  
libtool: link: cc -DTABLE_H=\"i386_table.h\" -g -O2 -o gen_i386_tables_h gen_i386_tables_h-gen_tables.o 
./gen_i386_tables_h --duplicate-ints --lowercase --i2s --s2i \
    i386_syscall > i386_tables.h
cc -DHAVE_CONFIG_H -I. -I..  -I. -I.. -I../auparse  '-DTABLE_H="ia64_table.h"' -g -O2 -MT gen_ia64_tables_h-gen_tables.o -MD -MP -MF .deps/gen_ia64_tables_h-gen_tables.Tpo -c -o gen_ia64_tables_h-gen_tables.o `test -f 'gen_tables.c' || echo './'`gen_tables.c
mv -f .deps/gen_ia64_tables_h-gen_tables.Tpo .deps/gen_ia64_tables_h-gen_tables.Po
/bin/sh ../libtool  --tag=CC   --mode=link cc '-DTABLE_H="ia64_table.h"' -g -O2   -o gen_ia64_tables_h gen_ia64_tables_h-gen_tables.o  
libtool: link: cc -DTABLE_H=\"ia64_table.h\" -g -O2 -o gen_ia64_tables_h gen_ia64_tables_h-gen_tables.o 
./gen_ia64_tables_h --lowercase --i2s --s2i ia64_syscall > ia64_tables.h
cc -DHAVE_CONFIG_H -I. -I..  -I. -I.. -I../auparse  '-DTABLE_H="machinetab.h"' -g -O2 -MT gen_machinetabs_h-gen_tables.o -MD -MP -MF .deps/gen_machinetabs_h-gen_tables.Tpo -c -o gen_machinetabs_h-gen_tables.o `test -f 'gen_tables.c' || echo './'`gen_tables.c
mv -f .deps/gen_machinetabs_h-gen_tables.Tpo .deps/gen_machinetabs_h-gen_tables.Po
/bin/sh ../libtool  --tag=CC   --mode=link cc '-DTABLE_H="machinetab.h"' -g -O2   -o gen_machinetabs_h gen_machinetabs_h-gen_tables.o  
libtool: link: cc -DTABLE_H=\"machinetab.h\" -g -O2 -o gen_machinetabs_h gen_machinetabs_h-gen_tables.o 
./gen_machinetabs_h --duplicate-ints --lowercase --i2s --s2i machine \
    > machinetabs.h
cc -DHAVE_CONFIG_H -I. -I..  -I. -I.. -I../auparse  '-DTABLE_H="msg_typetab.h"' -g -O2 -MT gen_msg_typetabs_h-gen_tables.o -MD -MP -MF .deps/gen_msg_typetabs_h-gen_tables.Tpo -c -o gen_msg_typetabs_h-gen_tables.o `test -f 'gen_tables.c' || echo './'`gen_tables.c
mv -f .deps/gen_msg_typetabs_h-gen_tables.Tpo .deps/gen_msg_typetabs_h-gen_tables.Po
/bin/sh ../libtool  --tag=CC   --mode=link cc '-DTABLE_H="msg_typetab.h"' -g -O2   -o gen_msg_typetabs_h gen_msg_typetabs_h-gen_tables.o  
libtool: link: cc -DTABLE_H=\"msg_typetab.h\" -g -O2 -o gen_msg_typetabs_h gen_msg_typetabs_h-gen_tables.o 
./gen_msg_typetabs_h --uppercase --i2s --s2i msg_type > msg_typetabs.h
cc -DHAVE_CONFIG_H -I. -I..  -I. -I.. -I../auparse  '-DTABLE_H="optab.h"' -g -O2 -MT gen_optabs_h-gen_tables.o -MD -MP -MF .deps/gen_optabs_h-gen_tables.Tpo -c -o gen_optabs_h-gen_tables.o `test -f 'gen_tables.c' || echo './'`gen_tables.c
mv -f .deps/gen_optabs_h-gen_tables.Tpo .deps/gen_optabs_h-gen_tables.Po
/bin/sh ../libtool  --tag=CC   --mode=link cc '-DTABLE_H="optab.h"' -g -O2   -o gen_optabs_h gen_optabs_h-gen_tables.o  
libtool: link: cc -DTABLE_H=\"optab.h\" -g -O2 -o gen_optabs_h gen_optabs_h-gen_tables.o 
./gen_optabs_h --i2s op > optabs.h
cc -DHAVE_CONFIG_H -I. -I..  -I. -I.. -I../auparse  '-DTABLE_H="ppc_table.h"' -g -O2 -MT gen_ppc_tables_h-gen_tables.o -MD -MP -MF .deps/gen_ppc_tables_h-gen_tables.Tpo -c -o gen_ppc_tables_h-gen_tables.o `test -f 'gen_tables.c' || echo './'`gen_tables.c
mv -f .deps/gen_ppc_tables_h-gen_tables.Tpo .deps/gen_ppc_tables_h-gen_tables.Po
/bin/sh ../libtool  --tag=CC   --mode=link cc '-DTABLE_H="ppc_table.h"' -g -O2   -o gen_ppc_tables_h gen_ppc_tables_h-gen_tables.o  
libtool: link: cc -DTABLE_H=\"ppc_table.h\" -g -O2 -o gen_ppc_tables_h gen_ppc_tables_h-gen_tables.o 
./gen_ppc_tables_h --lowercase --i2s --s2i ppc_syscall > ppc_tables.h
cc -DHAVE_CONFIG_H -I. -I..  -I. -I.. -I../auparse  '-DTABLE_H="s390_table.h"' -g -O2 -MT gen_s390_tables_h-gen_tables.o -MD -MP -MF .deps/gen_s390_tables_h-gen_tables.Tpo -c -o gen_s390_tables_h-gen_tables.o `test -f 'gen_tables.c' || echo './'`gen_tables.c
mv -f .deps/gen_s390_tables_h-gen_tables.Tpo .deps/gen_s390_tables_h-gen_tables.Po
/bin/sh ../libtool  --tag=CC   --mode=link cc '-DTABLE_H="s390_table.h"' -g -O2   -o gen_s390_tables_h gen_s390_tables_h-gen_tables.o  
libtool: link: cc -DTABLE_H=\"s390_table.h\" -g -O2 -o gen_s390_tables_h gen_s390_tables_h-gen_tables.o 
./gen_s390_tables_h --lowercase --i2s --s2i s390_syscall > s390_tables.h
cc -DHAVE_CONFIG_H -I. -I..  -I. -I.. -I../auparse  '-DTABLE_H="s390x_table.h"' -g -O2 -MT gen_s390x_tables_h-gen_tables.o -MD -MP -MF .deps/gen_s390x_tables_h-gen_tables.Tpo -c -o gen_s390x_tables_h-gen_tables.o `test -f 'gen_tables.c' || echo './'`gen_tables.c
mv -f .deps/gen_s390x_tables_h-gen_tables.Tpo .deps/gen_s390x_tables_h-gen_tables.Po
/bin/sh ../libtool  --tag=CC   --mode=link cc '-DTABLE_H="s390x_table.h"' -g -O2   -o gen_s390x_tables_h gen_s390x_tables_h-gen_tables.o  
libtool: link: cc -DTABLE_H=\"s390x_table.h\" -g -O2 -o gen_s390x_tables_h gen_s390x_tables_h-gen_tables.o 
./gen_s390x_tables_h --lowercase --i2s --s2i s390x_syscall > s390x_tables.h
cc -DHAVE_CONFIG_H -I. -I..  -I. -I.. -I../auparse  '-DTABLE_H="x86_64_table.h"' -g -O2 -MT gen_x86_64_tables_h-gen_tables.o -MD -MP -MF .deps/gen_x86_64_tables_h-gen_tables.Tpo -c -o gen_x86_64_tables_h-gen_tables.o `test -f 'gen_tables.c' || echo './'`gen_tables.c
mv -f .deps/gen_x86_64_tables_h-gen_tables.Tpo .deps/gen_x86_64_tables_h-gen_tables.Po
/bin/sh ../libtool  --tag=CC   --mode=link cc '-DTABLE_H="x86_64_table.h"' -g -O2   -o gen_x86_64_tables_h gen_x86_64_tables_h-gen_tables.o  
libtool: link: cc -DTABLE_H=\"x86_64_table.h\" -g -O2 -o gen_x86_64_tables_h gen_x86_64_tables_h-gen_tables.o 
./gen_x86_64_tables_h --lowercase --i2s --s2i x86_64_syscall > x86_64_tables.h
make  all-recursive
make[2]: Entering directory `/var/ossec/var/upgrade/src/external/audit-userspace/lib'
make[3]: Entering directory `/var/ossec/var/upgrade/src/external/audit-userspace'
CDPATH="${ZSH_VERSION+.}:" && cd . && /bin/sh /home/vagrant/wazuh/src/external/audit-userspace/missing autoconf
make[3]: Leaving directory `/var/ossec/var/upgrade/src/external/audit-userspace'
cd .. && make  am--refresh
make[3]: Entering directory `/var/ossec/var/upgrade/src/external/audit-userspace'
CDPATH="${ZSH_VERSION+.}:" && cd . && /bin/sh /home/vagrant/wazuh/src/external/audit-userspace/missing autoconf
make[3]: Leaving directory `/var/ossec/var/upgrade/src/external/audit-userspace'
make[3]: Entering directory `/var/ossec/var/upgrade/src/external/audit-userspace'
CDPATH="${ZSH_VERSION+.}:" && cd . && /bin/sh /home/vagrant/wazuh/src/external/audit-userspace/missing autoconf
make[3]: Leaving directory `/var/ossec/var/upgrade/src/external/audit-userspace'
Making all in test
make[3]: Entering directory `/var/ossec/var/upgrade/src/external/audit-userspace/lib/test'
make[4]: Entering directory `/var/ossec/var/upgrade/src/external/audit-userspace'
CDPATH="${ZSH_VERSION+.}:" && cd . && /bin/sh /home/vagrant/wazuh/src/external/audit-userspace/missing autoconf
make[4]: Leaving directory `/var/ossec/var/upgrade/src/external/audit-userspace'
cd ../.. && make  am--refresh
make[4]: Entering directory `/var/ossec/var/upgrade/src/external/audit-userspace'
CDPATH="${ZSH_VERSION+.}:" && cd . && /bin/sh /home/vagrant/wazuh/src/external/audit-userspace/missing autoconf
make[4]: Leaving directory `/var/ossec/var/upgrade/src/external/audit-userspace'
make[4]: Entering directory `/var/ossec/var/upgrade/src/external/audit-userspace'
CDPATH="${ZSH_VERSION+.}:" && cd . && /bin/sh /home/vagrant/wazuh/src/external/audit-userspace/missing autoconf
make[4]: Leaving directory `/var/ossec/var/upgrade/src/external/audit-userspace'
make[3]: Nothing to be done for `all'.
make[3]: Leaving directory `/var/ossec/var/upgrade/src/external/audit-userspace/lib/test'
make[3]: Entering directory `/var/ossec/var/upgrade/src/external/audit-userspace/lib'
make[4]: Entering directory `/var/ossec/var/upgrade/src/external/audit-userspace'
CDPATH="${ZSH_VERSION+.}:" && cd . && /bin/sh /home/vagrant/wazuh/src/external/audit-userspace/missing autoconf
make[4]: Leaving directory `/var/ossec/var/upgrade/src/external/audit-userspace'
cd .. && make  am--refresh
make[4]: Entering directory `/var/ossec/var/upgrade/src/external/audit-userspace'
CDPATH="${ZSH_VERSION+.}:" && cd . && /bin/sh /home/vagrant/wazuh/src/external/audit-userspace/missing autoconf
make[4]: Leaving directory `/var/ossec/var/upgrade/src/external/audit-userspace'
make[4]: Entering directory `/var/ossec/var/upgrade/src/external/audit-userspace'
CDPATH="${ZSH_VERSION+.}:" && cd . && /bin/sh /home/vagrant/wazuh/src/external/audit-userspace/missing autoconf
make[4]: Leaving directory `/var/ossec/var/upgrade/src/external/audit-userspace'
/bin/sh ../libtool  --tag=CC   --mode=compile cc -DHAVE_CONFIG_H -I. -I..  -I. -I.. -I../auparse  -fPIC -DPIC -D_GNU_SOURCE -fPIC -MT libaudit.lo -MD -MP -MF .deps/libaudit.Tpo -c -o libaudit.lo libaudit.c
libtool: compile:  cc -DHAVE_CONFIG_H -I. -I.. -I. -I.. -I../auparse -fPIC -DPIC -D_GNU_SOURCE -fPIC -MT libaudit.lo -MD -MP -MF .deps/libaudit.Tpo -c libaudit.c  -fPIC -DPIC -o .libs/libaudit.o
libtool: compile:  cc -DHAVE_CONFIG_H -I. -I.. -I. -I.. -I../auparse -fPIC -DPIC -D_GNU_SOURCE -fPIC -MT libaudit.lo -MD -MP -MF .deps/libaudit.Tpo -c libaudit.c -o libaudit.o >/dev/null 2>&1
mv -f .deps/libaudit.Tpo .deps/libaudit.Plo
/bin/sh ../libtool  --tag=CC   --mode=compile cc -DHAVE_CONFIG_H -I. -I..  -I. -I.. -I../auparse  -fPIC -DPIC -D_GNU_SOURCE -fPIC -MT message.lo -MD -MP -MF .deps/message.Tpo -c -o message.lo message.c
libtool: compile:  cc -DHAVE_CONFIG_H -I. -I.. -I. -I.. -I../auparse -fPIC -DPIC -D_GNU_SOURCE -fPIC -MT message.lo -MD -MP -MF .deps/message.Tpo -c message.c  -fPIC -DPIC -o .libs/message.o
libtool: compile:  cc -DHAVE_CONFIG_H -I. -I.. -I. -I.. -I../auparse -fPIC -DPIC -D_GNU_SOURCE -fPIC -MT message.lo -MD -MP -MF .deps/message.Tpo -c message.c -o message.o >/dev/null 2>&1
mv -f .deps/message.Tpo .deps/message.Plo
/bin/sh ../libtool  --tag=CC   --mode=compile cc -DHAVE_CONFIG_H -I. -I..  -I. -I.. -I../auparse  -fPIC -DPIC -D_GNU_SOURCE -fPIC -MT netlink.lo -MD -MP -MF .deps/netlink.Tpo -c -o netlink.lo netlink.c
libtool: compile:  cc -DHAVE_CONFIG_H -I. -I.. -I. -I.. -I../auparse -fPIC -DPIC -D_GNU_SOURCE -fPIC -MT netlink.lo -MD -MP -MF .deps/netlink.Tpo -c netlink.c  -fPIC -DPIC -o .libs/netlink.o
libtool: compile:  cc -DHAVE_CONFIG_H -I. -I.. -I. -I.. -I../auparse -fPIC -DPIC -D_GNU_SOURCE -fPIC -MT netlink.lo -MD -MP -MF .deps/netlink.Tpo -c netlink.c -o netlink.o >/dev/null 2>&1
mv -f .deps/netlink.Tpo .deps/netlink.Plo
/bin/sh ../libtool  --tag=CC   --mode=compile cc -DHAVE_CONFIG_H -I. -I..  -I. -I.. -I../auparse  -fPIC -DPIC -D_GNU_SOURCE -fPIC -MT lookup_table.lo -MD -MP -MF .deps/lookup_table.Tpo -c -o lookup_table.lo lookup_table.c
libtool: compile:  cc -DHAVE_CONFIG_H -I. -I.. -I. -I.. -I../auparse -fPIC -DPIC -D_GNU_SOURCE -fPIC -MT lookup_table.lo -MD -MP -MF .deps/lookup_table.Tpo -c lookup_table.c  -fPIC -DPIC -o .libs/lookup_table.o
libtool: compile:  cc -DHAVE_CONFIG_H -I. -I.. -I. -I.. -I../auparse -fPIC -DPIC -D_GNU_SOURCE -fPIC -MT lookup_table.lo -MD -MP -MF .deps/lookup_table.Tpo -c lookup_table.c -o lookup_table.o >/dev/null 2>&1
mv -f .deps/lookup_table.Tpo .deps/lookup_table.Plo
/bin/sh ../libtool  --tag=CC   --mode=compile cc -DHAVE_CONFIG_H -I. -I..  -I. -I.. -I../auparse  -fPIC -DPIC -D_GNU_SOURCE -fPIC -MT audit_logging.lo -MD -MP -MF .deps/audit_logging.Tpo -c -o audit_logging.lo audit_logging.c
libtool: compile:  cc -DHAVE_CONFIG_H -I. -I.. -I. -I.. -I../auparse -fPIC -DPIC -D_GNU_SOURCE -fPIC -MT audit_logging.lo -MD -MP -MF .deps/audit_logging.Tpo -c audit_logging.c  -fPIC -DPIC -o .libs/audit_logging.o
libtool: compile:  cc -DHAVE_CONFIG_H -I. -I.. -I. -I.. -I../auparse -fPIC -DPIC -D_GNU_SOURCE -fPIC -MT audit_logging.lo -MD -MP -MF .deps/audit_logging.Tpo -c audit_logging.c -o audit_logging.o >/dev/null 2>&1
mv -f .deps/audit_logging.Tpo .deps/audit_logging.Plo
/bin/sh ../libtool  --tag=CC   --mode=compile cc -DHAVE_CONFIG_H -I. -I..  -I. -I.. -I../auparse  -fPIC -DPIC -D_GNU_SOURCE -fPIC -MT deprecated.lo -MD -MP -MF .deps/deprecated.Tpo -c -o deprecated.lo deprecated.c
libtool: compile:  cc -DHAVE_CONFIG_H -I. -I.. -I. -I.. -I../auparse -fPIC -DPIC -D_GNU_SOURCE -fPIC -MT deprecated.lo -MD -MP -MF .deps/deprecated.Tpo -c deprecated.c  -fPIC -DPIC -o .libs/deprecated.o
libtool: compile:  cc -DHAVE_CONFIG_H -I. -I.. -I. -I.. -I../auparse -fPIC -DPIC -D_GNU_SOURCE -fPIC -MT deprecated.lo -MD -MP -MF .deps/deprecated.Tpo -c deprecated.c -o deprecated.o >/dev/null 2>&1
mv -f .deps/deprecated.Tpo .deps/deprecated.Plo
/bin/sh ../libtool  --tag=CC   --mode=link cc -fPIC -DPIC -D_GNU_SOURCE -fPIC -Wl,-z,relro -version-info 1:0  -o libaudit.la -rpath /usr/local/lib libaudit.lo message.lo netlink.lo lookup_table.lo audit_logging.lo deprecated.lo strsplit.lo     
libtool: link: rm -fr  .libs/libaudit.a .libs/libaudit.la .libs/libaudit.lai .libs/libaudit.so .libs/libaudit.so.1 .libs/libaudit.so.1.0.0
libtool: link: gcc -shared  -fPIC -DPIC  .libs/libaudit.o .libs/message.o .libs/netlink.o .libs/lookup_table.o .libs/audit_logging.o .libs/deprecated.o .libs/strsplit.o    -Wl,-z -Wl,relro   -Wl,-soname -Wl,libaudit.so.1 -o .libs/libaudit.so.1.0.0
libtool: link: (cd ".libs" && rm -f "libaudit.so.1" && ln -s "libaudit.so.1.0.0" "libaudit.so.1")
libtool: link: (cd ".libs" && rm -f "libaudit.so" && ln -s "libaudit.so.1.0.0" "libaudit.so")
libtool: link: ar cru .libs/libaudit.a  libaudit.o message.o netlink.o lookup_table.o audit_logging.o deprecated.o strsplit.o
libtool: link: ranlib .libs/libaudit.a
libtool: link: ( cd ".libs" && rm -f "libaudit.la" && ln -s "../libaudit.la" "libaudit.la" )
cd .. && /bin/sh ./config.status lib/audit.pc
config.status: creating lib/audit.pc
make[3]: Leaving directory `/var/ossec/var/upgrade/src/external/audit-userspace/lib'
make[2]: Leaving directory `/var/ossec/var/upgrade/src/external/audit-userspace/lib'
make[1]: Leaving directory `/var/ossec/var/upgrade/src/external/audit-userspace/lib'
make ossec-agentd agent-auth ossec-logcollector ossec-syscheckd ossec-execd manage_agents wazuh-modulesd
make[1]: Entering directory `/var/ossec/var/upgrade/src'
    CC config/localfile-config.o
    CC config/config.o
    CC config/agentlessd-config.o
    CC config/active-response.o
    CC config/integrator-config.o
    CC config/reports-config.o
    CC config/global-config.o
    CC config/labels-config.o
    CC config/buffer-config.o
    CC config/rootcheck-config.o
    CC config/csyslogd-config.o
    CC shared/file-queue.o
    CC shared/json-queue.o
    CC shared/read-alert.o
    CC shared/rootcheck_op.o
    CC shared/wazuhdb_op.o
    CC shared/fs_op.o
    CC shared/os_utils.o
    CC shared/request_op.o
    CC shared/file_op.o
    CC shared/store_op.o
    CC shared/syscheck_op.o
    CC shared/vector_op.o
    CC shared/notify_op.o
    CC shared/help.o
    CC shared/mq_op.o
    CC shared/dirtree_op.o
    CC shared/debug_op.o
    CC shared/rules_op.o
    CC shared/read-agents.o
    CC shared/time_op.o
    CC shared/validate_op.o
    CC shared/json_op.o
    CC shared/utf8_op.o
    CC shared/randombytes.o
    LINK libwazuh.a
    RANLIB libwazuh.a
    CC libwazuhext.so
    CC ossec-agentd
    CC agent-auth
    CC ossec-logcollector
    CC ossec-syscheckd
    CC ossec-execd
    CC manage_agents
    CC wazuh-modulesd
make[1]: Leaving directory `/var/ossec/var/upgrade/src'
make settings
make[1]: Entering directory `/var/ossec/var/upgrade/src'

General settings:
    TARGET:             agent
    V:                  
    DEBUG:              
    DEBUGAD             
    PREFIX:             /var/ossec
    MAXAGENTS:          14000
    DATABASE:           
    ONEWAY:             no
    CLEANFULL:          no
    RESOURCES_URL:      https://packages.wazuh.com/deps/3.11
User settings:
    OSSEC_GROUP:        ossec
    OSSEC_USER:         ossec
    OSSEC_USER_MAIL:    ossecm
    OSSEC_USER_REM:     ossecr
USE settings:
    USE_ZEROMQ:         no
    USE_GEOIP:          no
    USE_PRELUDE:        no
    USE_INOTIFY:        no
    USE_BIG_ENDIAN:     no
    USE_SELINUX:        yes
    USE_AUDIT:          yes
    USE_FRAMEWORK_LIB:  no
Mysql settings:
    includes:           
    libs:               
Pgsql settings:
    includes:           
    libs:               
Defines:
    -DMAX_AGENTS=14000 -DOSSECHIDS -DDEFAULTDIR="/var/ossec" -DUSER="ossec" -DREMUSER="ossecr" -DGROUPGLOBAL="ossec" -DMAILUSER="ossecm" -DLinux -DINOTIFY_ENABLED -D_XOPEN_SOURCE=600 -D_GNU_SOURCE -DENABLE_SYSC -DENABLE_CISCAT -DENABLE_SHARED -DENABLE_AUDIT -DCLIENT
Compiler:
    CFLAGS            -Wl,--start-group -Iexternal/audit-userspace/lib -pthread -Iexternal/libdb/build_unix/ -DNDEBUG -O2 -DMAX_AGENTS=14000 -DOSSECHIDS -DDEFAULTDIR="/var/ossec" -DUSER="ossec" -DREMUSER="ossecr" -DGROUPGLOBAL="ossec" -DMAILUSER="ossecm" -DLinux -DINOTIFY_ENABLED -D_XOPEN_SOURCE=600 -D_GNU_SOURCE -DENABLE_SYSC -DENABLE_CISCAT -DENABLE_SHARED -DENABLE_AUDIT -DCLIENT -pipe -Wall -Wextra -I./ -I./headers/ -Iexternal/openssl/include -Iexternal/cJSON/ -Iexternal/libyaml/include -Iexternal/curl/include -Iexternal/msgpack/include
    LDFLAGS            '-Wl,-rpath,/../lib' -pthread -lrt -ldl -O2
    CC                cc
    MAKE              make
make[1]: Leaving directory `/var/ossec/var/upgrade/src'

Done building agent

Stopping Wazuh...
Wait for success...
success
Removing old SCA policies...
Installing SCA policies...
Starting Wazuh...

 - Configuration finished properly.

 - To start Wazuh:
      /var/ossec/bin/ossec-control start

 - To stop Wazuh:
      /var/ossec/bin/ossec-control stop

 - The configuration can be viewed or modified at /var/ossec/etc/ossec.conf

   Thanks for using Wazuh.
   Please don't hesitate to contact us if you need help or find
   any bugs.

   Use our public Mailing List at:
          https://groups.google.com/forum/#!forum/wazuh

   More information can be found at:
          - http://www.wazuh.com
          - http://www.ossec.net

    ---  Press ENTER to finish (maybe more information below). ---

 - Update completed.

2019/08/29 08:46:20 - Installation result = 0
2019/08/29 08:46:21 - Waiting connection... Status = pending. Remaining attempts: 29.
2019/08/29 08:46:22 - Waiting connection... Status = pending. Remaining attempts: 28.
2019/08/29 08:46:23 - Waiting connection... Status = pending. Remaining attempts: 27.
2019/08/29 08:46:24 - Waiting connection... Status = connected. Remaining attempts: 26.
2019/08/29 08:46:24 - Connected to manager.
2019/08/29 08:46:24 - Upgrade finished successfully.