Check that a memory leak in Analysisd is fixed

[vikman90]

Related issue	Related PR
https://github.com/wazuh/wazuh/issues/13505	https://github.com/wazuh/wazuh/pull/13587

Rationale

We found that Analysisd leaked some memory when overwriting the same rule multiple times, as described at https://github.com/wazuh/wazuh/issues/13505.

Checks

• [x] Verify that Analysisd is leaking no memory when defining the same rule three or more times. You can use either AddressSanitizer or Valgrind.
• [x] Manually test Analysisd works correctly generating alert without overwritting rules
• [x] Manually test overwritten rules without having generated alerts with same rule before
• [x] Add overwritten rules and manually test after having generated alerts with same rule before.
• [x] Run Analysisd on a memory tool and execute the ruleset tests. (Reproduce the error)

[Deblintrake09]

Configuration details

• Enable analysisd debug in local_internal_options: analysisd.debug=2

• Add the following rules on /var/ossec/etc/rules/local_rules.xml

  Details

  ```xml 5700 illegal user|invalid user sshd: Attempt to login using a non-existent user T1110.001 T1021.004 T1078 authentication_failed,gdpr_IV_35.7.d,gdpr_IV_32.2,gpg13_7.1,hipaa_164.312.b,invalid_login,nist_800_53_AU.14,nist_800_53_AC.7,nist_800_53_AU.6,pci_dss_10.2.4,pci_dss_10.2.5,pci_dss_10.6.1,tsc_CC6.1,tsc_CC6.8,tsc_CC7.2,tsc_CC7.3, 5700 illegal user|invalid user sshd: Attempt to login using a non-existent user (Overwrite 1) T1110.001 T1021.004 T1078 authentication_failed,gdpr_IV_35.7.d,gdpr_IV_32.2,gpg13_7.1,hipaa_164.312.b,invalid_login,nist_800_53_AU.14,nist_800_53_AC.7,nist_800_53_AU.6,pci_dss_10.2.4,pci_dss_10.2.5,pci_ds$,tsc_CC7.3, 5700 illegal user|invalid user sshd: Attempt to login using a non-existent user (Overwrite 2) T1110.001 T1021.004 T1078 authentication_failed,gdpr_IV_35.7.d,gdpr_IV_32.2,gpg13_7.1,hipaa_164.312.b,invalid_login,nist_800_53_AU.14,nist_800_53_AC.7,nist_800_53_AU.6,pci_dss_10.2.4,pci_dss_10.2.5,pci_ds$,tsc_CC7.3, 5700 illegal user|invalid user sshd: Attempt to login using a non-existent (user Overwrite 3) T1110.001 T1021.004 T1078 authentication_failed,gdpr_IV_35.7.d,gdpr_IV_32.2,gpg13_7.1,hipaa_164.312.b,invalid_login,nist_800_53_AU.14,nist_800_53_AC.7,nist_800_53_AU.6,pci_dss_10.2.4,pci_dss_10.2.5,pci_ds$,tsc_CC7.3, 5700 illegal user|invalid user sshd: Attempt to login using a non-existent (user Overwrite 4) T1110.001 T1021.004 T1078 authentication_failed,gdpr_IV_35.7.d,gdpr_IV_32.2,gpg13_7.1,hipaa_164.312.b,invalid_login,nist_800_53_AU.14,nist_800_53_AC.7,nist_800_53_AU.6,pci_dss_10.2.4,pci_dss_10.2.5,pci_ds$,tsc_CC7.3, ```

[Deblintrake09]

Task results

Task 1 - Verify that Analysisd is not leaking memory using Valgrind :green_circle:

- Add overwritten rules - Start Wazuh Manager - Check dmesg  - Check valgrind using command `valgrind wazuh-analysisd`.

Details

``` valgrind wazuh-analysisd ==4507== Memcheck, a memory error detector ==4507== Copyright (C) 2002-2017, and GNU GPL'd, by Julian Seward et al. ==4507== Using Valgrind-3.16.0 and LibVEX; rerun with -h for copyright info ==4507== Command: wazuh-analysisd ==4507== 2022/06/15 17:21:13 wazuh-analysisd[4507] debug_op.c:70 at _log(): DEBUG: Logging module auto-initialized 2022/06/15 17:21:12 wazuh-analysisd[4507] analysisd.c:375 at main(): DEBUG: Wazuh home directory: /var/ossec 2022/06/15 17:21:13 wazuh-analysisd[4507] analysisd.c:390 at main(): DEBUG: Found user/group ... 2022/06/15 17:21:13 wazuh-analysisd[4507] analysisd.c:397 at main(): DEBUG: Active response initialized ... 2022/06/15 17:21:13 wazuh-analysisd[4507] rules-config.c:193 at Read_Rules(): DEBUG: Adding decoder dir: ruleset/decoders 2022/06/15 17:21:13 wazuh-analysisd[4507] rules-config.c:223 at Read_Rules(): DEBUG: Adding rules dir: ruleset/rules 2022/06/15 17:21:13 wazuh-analysisd[4507] rules-config.c:177 at Read_Rules(): DEBUG: Excluding rule: 0215-policy_rules.xml 2022/06/15 17:21:13 wazuh-analysisd[4507] rules-config.c:193 at Read_Rules(): DEBUG: Adding decoder dir: etc/decoders 2022/06/15 17:21:13 wazuh-analysisd[4507] rules-config.c:223 at Read_Rules(): DEBUG: Adding rules dir: etc/rules 2022/06/15 17:21:13 wazuh-analysisd[4507] rules-config.c:278 at Read_Rules(): DEBUG: Reading decoders folder: ruleset/decoders 2022/06/15 17:21:13 wazuh-analysisd[4507] rules-config.c:318 at Read_Rules(): DEBUG: Adding decoder: ruleset/decoders/0225-postgresql_decoders.xml 2022/06/15 17:21:13 wazuh-analysisd[4507] rules-config.c:318 at Read_Rules(): DEBUG: Adding decoder: ruleset/decoders/0005-wazuh_decoders.xml 2022/06/15 17:21:13 wazuh-analysisd[4507] rules-config.c:318 at Read_Rules(): DEBUG: Adding decoder: ruleset/decoders/0230-proftpd_decoders.xml 2022/06/15 17:21:13 wazuh-analysisd[4507] rules-config.c:318 at Read_Rules(): DEBUG: Adding decoder: ruleset/decoders/0006-json_decoders.xml 2022/06/15 17:21:13 wazuh-analysisd[4507] rules-config.c:318 at Read_Rules(): DEBUG: Adding decoder: ruleset/decoders/0235-puppet_decoders.xml 2022/06/15 17:21:13 wazuh-analysisd[4507] rules-config.c:318 at Read_Rules(): DEBUG: Adding decoder: ruleset/decoders/0007-wazuh-api_decoders.xml 2022/06/15 17:21:13 wazuh-analysisd[4507] rules-config.c:318 at Read_Rules(): DEBUG: Adding decoder: ruleset/decoders/0170-nginx_decoders.xml 2022/06/15 17:21:13 wazuh-analysisd[4507] rules-config.c:318 at Read_Rules(): DEBUG: Adding decoder: ruleset/decoders/0010-active-response_decoders.xml 2022/06/15 17:21:13 wazuh-analysisd[4507] rules-config.c:318 at Read_Rules(): DEBUG: Adding decoder: ruleset/decoders/0240-pure-ftpd_decoders.xml 2022/06/15 17:21:13 wazuh-analysisd[4507] rules-config.c:318 at Read_Rules(): DEBUG: Adding decoder: ruleset/decoders/0015-aix-ipsec_decoders.xml 2022/06/15 17:21:13 wazuh-analysisd[4507] rules-config.c:318 at Read_Rules(): DEBUG: Adding decoder: ruleset/decoders/0245-racoon_decoders.xml 2022/06/15 17:21:13 wazuh-analysisd[4507] rules-config.c:318 at Read_Rules(): DEBUG: Adding decoder: ruleset/decoders/0025-apache_decoders.xml 2022/06/15 17:21:13 wazuh-analysisd[4507] rules-config.c:318 at Read_Rules(): DEBUG: Adding decoder: ruleset/decoders/0250-redis_decoders.xml 2022/06/15 17:21:13 wazuh-analysisd[4507] rules-config.c:318 at Read_Rules(): DEBUG: Adding decoder: ruleset/decoders/0030-arpwatch_decoders.xml 2022/06/15 17:21:13 wazuh-analysisd[4507] rules-config.c:318 at Read_Rules(): DEBUG: Adding decoder: ruleset/decoders/0255-roundcube_decoders.xml 2022/06/15 17:21:13 wazuh-analysisd[4507] rules-config.c:318 at Read_Rules(): DEBUG: Adding decoder: ruleset/decoders/0035-asterisk_decoders.xml 2022/06/15 17:21:13 wazuh-analysisd[4507] rules-config.c:318 at Read_Rules(): DEBUG: Adding decoder: ruleset/decoders/0260-rsa-auth-manager_decoders.xml 2022/06/15 17:21:13 wazuh-analysisd[4507] rules-config.c:318 at Read_Rules(): DEBUG: Adding decoder: ruleset/decoders/0040-auditd_decoders.xml 2022/06/15 17:21:13 wazuh-analysisd[4507] rules-config.c:318 at Read_Rules(): DEBUG: Adding decoder: ruleset/decoders/0265-rshd_decoders.xml 2022/06/15 17:21:13 wazuh-analysisd[4507] rules-config.c:318 at Read_Rules(): DEBUG: Adding decoder: ruleset/decoders/0045-barracuda_decoders.xml 2022/06/15 17:21:13 wazuh-analysisd[4507] rules-config.c:318 at Read_Rules(): DEBUG: Adding decoder: ruleset/decoders/0165-netscreen_decoders.xml 2022/06/15 17:21:13 wazuh-analysisd[4507] rules-config.c:318 at Read_Rules(): DEBUG: Adding decoder: ruleset/decoders/0050-checkpoint_decoders.xml 2022/06/15 17:21:13 wazuh-analysisd[4507] rules-config.c:318 at Read_Rules(): DEBUG: Adding decoder: ruleset/decoders/0175-ntpd_decoders.xml 2022/06/15 17:21:13 wazuh-analysisd[4507] rules-config.c:318 at Read_Rules(): DEBUG: Adding decoder: ruleset/decoders/0051-checkpoint-smart1_decoders.xml 2022/06/15 17:21:13 wazuh-analysisd[4507] rules-config.c:318 at Read_Rules(): DEBUG: Adding decoder: ruleset/decoders/0270-samba_decoders.xml 2022/06/15 17:21:13 wazuh-analysisd[4507] rules-config.c:318 at Read_Rules(): DEBUG: Adding decoder: ruleset/decoders/0055-cimserver_decoders.xml 2022/06/15 17:21:13 wazuh-analysisd[4507] rules-config.c:318 at Read_Rules(): DEBUG: Adding decoder: ruleset/decoders/0180-openbsd_decoders.xml 2022/06/15 17:21:13 wazuh-analysisd[4507] rules-config.c:318 at Read_Rules(): DEBUG: Adding decoder: ruleset/decoders/0060-cisco-estreamer_decoders.xml 2022/06/15 17:21:13 wazuh-analysisd[4507] rules-config.c:318 at Read_Rules(): DEBUG: Adding decoder: ruleset/decoders/0275-sendmail_decoders.xml 2022/06/15 17:21:13 wazuh-analysisd[4507] rules-config.c:318 at Read_Rules(): DEBUG: Adding decoder: ruleset/decoders/0062-cisco-ftd_decoders.xml 2022/06/15 17:21:13 wazuh-analysisd[4507] rules-config.c:318 at Read_Rules(): DEBUG: Adding decoder: ruleset/decoders/0280-serv-u_decoders.xml 2022/06/15 17:21:13 wazuh-analysisd[4507] rules-config.c:318 at Read_Rules(): DEBUG: Adding decoder: ruleset/decoders/0063-pix_decoders.xml 2022/06/15 17:21:13 wazuh-analysisd[4507] rules-config.c:318 at Read_Rules(): DEBUG: Adding decoder: ruleset/decoders/0285-snort_decoders.xml 2022/06/15 17:21:13 wazuh-analysisd[4507] rules-config.c:318 at Read_Rules(): DEBUG: Adding decoder: ruleset/decoders/0064-cisco-asa_decoders.xml 2022/06/15 17:21:13 wazuh-analysisd[4507] rules-config.c:318 at Read_Rules(): DEBUG: Adding decoder: ruleset/decoders/0290-solaris_decoders.xml 2022/06/15 17:21:13 wazuh-analysisd[4507] rules-config.c:318 at Read_Rules(): DEBUG: Adding decoder: ruleset/decoders/0065-cisco-ios_decoders.xml 2022/06/15 17:21:13 wazuh-analysisd[4507] rules-config.c:318 at Read_Rules(): DEBUG: Adding decoder: ruleset/decoders/0295-sonicwall_decoders.xml 2022/06/15 17:21:13 wazuh-analysisd[4507] rules-config.c:318 at Read_Rules(): DEBUG: Adding decoder: ruleset/decoders/0070-cisco-vpn_decoders.xml 2022/06/15 17:21:13 wazuh-analysisd[4507] rules-config.c:318 at Read_Rules(): DEBUG: Adding decoder: ruleset/decoders/0300-sophos_decoders.xml 2022/06/15 17:21:13 wazuh-analysisd[4507] rules-config.c:318 at Read_Rules(): DEBUG: Adding decoder: ruleset/decoders/0075-clamav_decoders.xml 2022/06/15 17:21:13 wazuh-analysisd[4507] rules-config.c:318 at Read_Rules(): DEBUG: Adding decoder: ruleset/decoders/0305-squid_decoders.xml 2022/06/15 17:21:13 wazuh-analysisd[4507] rules-config.c:318 at Read_Rules(): DEBUG: Adding decoder: ruleset/decoders/0080-courier_decoders.xml 2022/06/15 17:21:13 wazuh-analysisd[4507] rules-config.c:318 at Read_Rules(): DEBUG: Adding decoder: ruleset/decoders/0310-ssh_decoders.xml 2022/06/15 17:21:13 wazuh-analysisd[4507] rules-config.c:318 at Read_Rules(): DEBUG: Adding decoder: ruleset/decoders/0085-dovecot_decoders.xml 2022/06/15 17:21:13 wazuh-analysisd[4507] rules-config.c:318 at Read_Rules(): DEBUG: Adding decoder: ruleset/decoders/0205-pam_decoders.xml 2022/06/15 17:21:13 wazuh-analysisd[4507] rules-config.c:318 at Read_Rules(): DEBUG: Adding decoder: ruleset/decoders/0090-dragon-nids_decoders.xml 2022/06/15 17:21:13 wazuh-analysisd[4507] rules-config.c:318 at Read_Rules(): DEBUG: Adding decoder: ruleset/decoders/0315-su_decoders.xml 2022/06/15 17:21:13 wazuh-analysisd[4507] rules-config.c:318 at Read_Rules(): DEBUG: Adding decoder: ruleset/decoders/0095-dropbear_decoders.xml 2022/06/15 17:21:13 wazuh-analysisd[4507] rules-config.c:318 at Read_Rules(): DEBUG: Adding decoder: ruleset/decoders/0320-sudo_decoders.xml 2022/06/15 17:21:13 wazuh-analysisd[4507] rules-config.c:318 at Read_Rules(): DEBUG: Adding decoder: ruleset/decoders/0100-fortigate_decoders.xml 2022/06/15 17:21:13 wazuh-analysisd[4507] rules-config.c:318 at Read_Rules(): DEBUG: Adding decoder: ruleset/decoders/0325-suhosin_decoders.xml 2022/06/15 17:21:13 wazuh-analysisd[4507] rules-config.c:318 at Read_Rules(): DEBUG: Adding decoder: ruleset/decoders/0101-fortiddos_decoders.xml 2022/06/15 17:21:13 wazuh-analysisd[4507] rules-config.c:318 at Read_Rules(): DEBUG: Adding decoder: ruleset/decoders/0330-symantec_decoders.xml 2022/06/15 17:21:13 wazuh-analysisd[4507] rules-config.c:318 at Read_Rules(): DEBUG: Adding decoder: ruleset/decoders/0102-fortimail_decoders.xml 2022/06/15 17:21:13 wazuh-analysisd[4507] rules-config.c:318 at Read_Rules(): DEBUG: Adding decoder: ruleset/decoders/0335-telnet_decoders.xml 2022/06/15 17:21:13 wazuh-analysisd[4507] rules-config.c:318 at Read_Rules(): DEBUG: Adding decoder: ruleset/decoders/0103-fortiauth_decoders.xml 2022/06/15 17:21:13 wazuh-analysisd[4507] rules-config.c:318 at Read_Rules(): DEBUG: Adding decoder: ruleset/decoders/0340-trend-osce_decoders.xml 2022/06/15 17:21:13 wazuh-analysisd[4507] rules-config.c:318 at Read_Rules(): DEBUG: Adding decoder: ruleset/decoders/0105-freeipa_decoders.xml 2022/06/15 17:21:13 wazuh-analysisd[4507] rules-config.c:318 at Read_Rules(): DEBUG: Adding decoder: ruleset/decoders/0345-unbound_decoders.xml 2022/06/15 17:21:13 wazuh-analysisd[4507] rules-config.c:318 at Read_Rules(): DEBUG: Adding decoder: ruleset/decoders/0110-ftpd_decoders.xml 2022/06/15 17:21:13 wazuh-analysisd[4507] rules-config.c:318 at Read_Rules(): DEBUG: Adding decoder: ruleset/decoders/0215-portsentry_decoders.xml 2022/06/15 17:21:13 wazuh-analysisd[4507] rules-config.c:318 at Read_Rules(): DEBUG: Adding decoder: ruleset/decoders/0115-grandstream_decoders.xml 2022/06/15 17:21:13 wazuh-analysisd[4507] rules-config.c:318 at Read_Rules(): DEBUG: Adding decoder: ruleset/decoders/0350-unix_decoders.xml 2022/06/15 17:21:13 wazuh-analysisd[4507] rules-config.c:318 at Read_Rules(): DEBUG: Adding decoder: ruleset/decoders/0120-horde_decoders.xml 2022/06/15 17:21:13 wazuh-analysisd[4507] rules-config.c:318 at Read_Rules(): DEBUG: Adding decoder: ruleset/decoders/0355-vm-pop3_decoders.xml 2022/06/15 17:21:13 wazuh-analysisd[4507] rules-config.c:318 at Read_Rules(): DEBUG: Adding decoder: ruleset/decoders/0125-hp_decoders.xml 2022/06/15 17:21:13 wazuh-analysisd[4507] rules-config.c:318 at Read_Rules(): DEBUG: Adding decoder: ruleset/decoders/0360-vmware_decoders.xml 2022/06/15 17:21:13 wazuh-analysisd[4507] rules-config.c:318 at Read_Rules(): DEBUG: Adding decoder: ruleset/decoders/0130-imapd_decoders.xml 2022/06/15 17:21:13 wazuh-analysisd[4507] rules-config.c:318 at Read_Rules(): DEBUG: Adding decoder: ruleset/decoders/0365-vpopmail_decoders.xml 2022/06/15 17:21:13 wazuh-analysisd[4507] rules-config.c:318 at Read_Rules(): DEBUG: Adding decoder: ruleset/decoders/0135-imperva_decoders.xml 2022/06/15 17:21:13 wazuh-analysisd[4507] rules-config.c:318 at Read_Rules(): DEBUG: Adding decoder: ruleset/decoders/0370-vsftpd_decoders.xml 2022/06/15 17:21:13 wazuh-analysisd[4507] rules-config.c:318 at Read_Rules(): DEBUG: Adding decoder: ruleset/decoders/0140-kernel_decoders.xml 2022/06/15 17:21:13 wazuh-analysisd[4507] rules-config.c:318 at Read_Rules(): DEBUG: Adding decoder: ruleset/decoders/0220-postfix_decoders.xml 2022/06/15 17:21:13 wazuh-analysisd[4507] rules-config.c:318 at Read_Rules(): DEBUG: Adding decoder: ruleset/decoders/0145-mailscanner_decoders.xml 2022/06/15 17:21:13 wazuh-analysisd[4507] rules-config.c:318 at Read_Rules(): DEBUG: Adding decoder: ruleset/decoders/0375-web-accesslog_decoders.xml 2022/06/15 17:21:13 wazuh-analysisd[4507] rules-config.c:318 at Read_Rules(): DEBUG: Adding decoder: ruleset/decoders/0150-mysql_decoders.xml 2022/06/15 17:21:13 wazuh-analysisd[4507] rules-config.c:318 at Read_Rules(): DEBUG: Adding decoder: ruleset/decoders/0377-huawei-usg_decoders.xml 2022/06/15 17:21:13 wazuh-analysisd[4507] rules-config.c:318 at Read_Rules(): DEBUG: Adding decoder: ruleset/decoders/0155-named_decoders.xml 2022/06/15 17:21:13 wazuh-analysisd[4507] rules-config.c:318 at Read_Rules(): DEBUG: Adding decoder: ruleset/decoders/0378-mariadb_decoders.xml 2022/06/15 17:21:13 wazuh-analysisd[4507] rules-config.c:318 at Read_Rules(): DEBUG: Adding decoder: ruleset/decoders/0160-netscaler_decoders.xml 2022/06/15 17:21:13 wazuh-analysisd[4507] rules-config.c:318 at Read_Rules(): DEBUG: Adding decoder: ruleset/decoders/0185-openldap_decoders.xml 2022/06/15 17:21:13 wazuh-analysisd[4507] rules-config.c:318 at Read_Rules(): DEBUG: Adding decoder: ruleset/decoders/0379-dpkg_decoders.xml 2022/06/15 17:21:13 wazuh-analysisd[4507] rules-config.c:318 at Read_Rules(): DEBUG: Adding decoder: ruleset/decoders/0190-openvpn_decoders.xml 2022/06/15 17:21:13 wazuh-analysisd[4507] rules-config.c:318 at Read_Rules(): DEBUG: Adding decoder: ruleset/decoders/0380-windows_decoders.xml 2022/06/15 17:21:13 wazuh-analysisd[4507] rules-config.c:318 at Read_Rules(): DEBUG: Adding decoder: ruleset/decoders/0195-oscap_decoders.xml 2022/06/15 17:21:13 wazuh-analysisd[4507] rules-config.c:318 at Read_Rules(): DEBUG: Adding decoder: ruleset/decoders/0385-wordpress_decoders.xml 2022/06/15 17:21:13 wazuh-analysisd[4507] rules-config.c:318 at Read_Rules(): DEBUG: Adding decoder: ruleset/decoders/0200-ossec_decoders.xml 2022/06/15 17:21:13 wazuh-analysisd[4507] rules-config.c:318 at Read_Rules(): DEBUG: Adding decoder: ruleset/decoders/0390-zeus_decoders.xml 2022/06/15 17:21:13 wazuh-analysisd[4507] rules-config.c:318 at Read_Rules(): DEBUG: Adding decoder: ruleset/decoders/0395-sqlserver_decoders.xml 2022/06/15 17:21:13 wazuh-analysisd[4507] rules-config.c:318 at Read_Rules(): DEBUG: Adding decoder: ruleset/decoders/0400-identity_guard_decoders.xml 2022/06/15 17:21:13 wazuh-analysisd[4507] rules-config.c:318 at Read_Rules(): DEBUG: Adding decoder: ruleset/decoders/0405-mongodb_decoders.xml 2022/06/15 17:21:13 wazuh-analysisd[4507] rules-config.c:318 at Read_Rules(): DEBUG: Adding decoder: ruleset/decoders/0410-docker_decoders.xml 2022/06/15 17:21:13 wazuh-analysisd[4507] rules-config.c:318 at Read_Rules(): DEBUG: Adding decoder: ruleset/decoders/0415-jenkins_decoders.xml 2022/06/15 17:21:13 wazuh-analysisd[4507] rules-config.c:318 at Read_Rules(): DEBUG: Adding decoder: ruleset/decoders/0420-vshell_decoders.xml 2022/06/15 17:21:13 wazuh-analysisd[4507] rules-config.c:318 at Read_Rules(): DEBUG: Adding decoder: ruleset/decoders/0425-qualysguard_decoders.xml 2022/06/15 17:21:13 wazuh-analysisd[4507] rules-config.c:318 at Read_Rules(): DEBUG: Adding decoder: ruleset/decoders/0430-cylance_decoders.xml 2022/06/15 17:21:13 wazuh-analysisd[4507] rules-config.c:318 at Read_Rules(): DEBUG: Adding decoder: ruleset/decoders/0435-owncloud_decoders.xml 2022/06/15 17:21:13 wazuh-analysisd[4507] rules-config.c:318 at Read_Rules(): DEBUG: Adding decoder: ruleset/decoders/0440-proxmox-ve_decoders.xml 2022/06/15 17:21:13 wazuh-analysisd[4507] rules-config.c:318 at Read_Rules(): DEBUG: Adding decoder: ruleset/decoders/0445-exim_decoders.xml 2022/06/15 17:21:13 wazuh-analysisd[4507] rules-config.c:318 at Read_Rules(): DEBUG: Adding decoder: ruleset/decoders/0450-openvas_decoders.xml 2022/06/15 17:21:13 wazuh-analysisd[4507] rules-config.c:318 at Read_Rules(): DEBUG: Adding decoder: ruleset/decoders/0455-pfsense_decoders.xml 2022/06/15 17:21:13 wazuh-analysisd[4507] rules-config.c:318 at Read_Rules(): DEBUG: Adding decoder: ruleset/decoders/0460-kaspersky_decoders.xml 2022/06/15 17:21:13 wazuh-analysisd[4507] rules-config.c:318 at Read_Rules(): DEBUG: Adding decoder: ruleset/decoders/0465-azure_decoders.xml 2022/06/15 17:21:13 wazuh-analysisd[4507] rules-config.c:318 at Read_Rules(): DEBUG: Adding decoder: ruleset/decoders/0470-panda-paps_decoders.xml 2022/06/15 17:21:13 wazuh-analysisd[4507] rules-config.c:318 at Read_Rules(): DEBUG: Adding decoder: ruleset/decoders/0475-mcafee_decoders.xml 2022/06/15 17:21:13 wazuh-analysisd[4507] rules-config.c:318 at Read_Rules(): DEBUG: Adding decoder: ruleset/decoders/0480-perdition_decoders.xml 2022/06/15 17:21:13 wazuh-analysisd[4507] rules-config.c:318 at Read_Rules(): DEBUG: Adding decoder: ruleset/decoders/0485-nextcloud_decoders.xml 2022/06/15 17:21:13 wazuh-analysisd[4507] rules-config.c:318 at Read_Rules(): DEBUG: Adding decoder: ruleset/decoders/0490-junos_decoders.xml 2022/06/15 17:21:13 wazuh-analysisd[4507] rules-config.c:318 at Read_Rules(): DEBUG: Adding decoder: ruleset/decoders/0495-freepbs_decoders.xml 2022/06/15 17:21:13 wazuh-analysisd[4507] rules-config.c:318 at Read_Rules(): DEBUG: Adding decoder: ruleset/decoders/0505-paloalto_decoders.xml 2022/06/15 17:21:13 wazuh-analysisd[4507] rules-config.c:318 at Read_Rules(): DEBUG: Adding decoder: ruleset/decoders/0510-sophos_fw_decoders.xml 2022/06/15 17:21:13 wazuh-analysisd[4507] rules-config.c:318 at Read_Rules(): DEBUG: Adding decoder: ruleset/decoders/0520-msexchange-log-decoders.xml 2022/06/15 17:21:13 wazuh-analysisd[4507] rules-config.c:318 at Read_Rules(): DEBUG: Adding decoder: ruleset/decoders/0525-f5_bigip_decoders.xml 2022/06/15 17:21:13 wazuh-analysisd[4507] rules-config.c:318 at Read_Rules(): DEBUG: Adding decoder: ruleset/decoders/0540-gitlab_decoders.xml 2022/06/15 17:21:13 wazuh-analysisd[4507] rules-config.c:318 at Read_Rules(): DEBUG: Adding decoder: ruleset/decoders/0550-arbor_decoders.xml 2022/06/15 17:21:13 wazuh-analysisd[4507] rules-config.c:318 at Read_Rules(): DEBUG: Adding decoder: ruleset/decoders/0555-fireeye_decoders.xml 2022/06/15 17:21:13 wazuh-analysisd[4507] rules-config.c:318 at Read_Rules(): DEBUG: Adding decoder: ruleset/decoders/0560-oracledb_decoders.xml 2022/06/15 17:21:13 wazuh-analysisd[4507] rules-config.c:318 at Read_Rules(): DEBUG: Adding decoder: ruleset/decoders/0565-aws-eks-authenticator_decoders.xml 2022/06/15 17:21:13 wazuh-analysisd[4507] rules-config.c:318 at Read_Rules(): DEBUG: Adding decoder: ruleset/decoders/0575-eset-remote_decoders.xml 2022/06/15 17:21:13 wazuh-analysisd[4507] rules-config.c:278 at Read_Rules(): DEBUG: Reading decoders folder: etc/decoders 2022/06/15 17:21:13 wazuh-analysisd[4507] rules-config.c:318 at Read_Rules(): DEBUG: Adding decoder: etc/decoders/local_decoder.xml 2022/06/15 17:21:13 wazuh-analysisd[4507] rules-config.c:331 at Read_Rules(): DEBUG: Reading rules folder: ruleset/rules 2022/06/15 17:21:13 wazuh-analysisd[4507] rules-config.c:371 at Read_Rules(): DEBUG: Adding rule: ruleset/rules/0010-rules_config.xml 2022/06/15 17:21:13 wazuh-analysisd[4507] rules-config.c:371 at Read_Rules(): DEBUG: Adding rule: ruleset/rules/0220-msauth_rules.xml 2022/06/15 17:21:13 wazuh-analysisd[4507] rules-config.c:371 at Read_Rules(): DEBUG: Adding rule: ruleset/rules/0015-ossec_rules.xml 2022/06/15 17:21:13 wazuh-analysisd[4507] rules-config.c:371 at Read_Rules(): DEBUG: Adding rule: ruleset/rules/0225-mcafee_av_rules.xml 2022/06/15 17:21:13 wazuh-analysisd[4507] rules-config.c:371 at Read_Rules(): DEBUG: Adding rule: ruleset/rules/0016-wazuh_rules.xml 2022/06/15 17:21:13 wazuh-analysisd[4507] rules-config.c:371 at Read_Rules(): DEBUG: Adding rule: ruleset/rules/0230-ms-se_rules.xml 2022/06/15 17:21:13 wazuh-analysisd[4507] rules-config.c:371 at Read_Rules(): DEBUG: Adding rule: ruleset/rules/0017-wazuh-api_rules.xml 2022/06/15 17:21:13 wazuh-analysisd[4507] rules-config.c:371 at Read_Rules(): DEBUG: Adding rule: ruleset/rules/0235-vmware_rules.xml 2022/06/15 17:21:13 wazuh-analysisd[4507] rules-config.c:371 at Read_Rules(): DEBUG: Adding rule: ruleset/rules/0020-syslog_rules.xml 2022/06/15 17:21:13 wazuh-analysisd[4507] rules-config.c:371 at Read_Rules(): DEBUG: Adding rule: ruleset/rules/0270-web_appsec_rules.xml 2022/06/15 17:21:13 wazuh-analysisd[4507] rules-config.c:371 at Read_Rules(): DEBUG: Adding rule: ruleset/rules/0025-sendmail_rules.xml 2022/06/15 17:21:13 wazuh-analysisd[4507] rules-config.c:371 at Read_Rules(): DEBUG: Adding rule: ruleset/rules/0275-squid_rules.xml 2022/06/15 17:21:13 wazuh-analysisd[4507] rules-config.c:371 at Read_Rules(): DEBUG: Adding rule: ruleset/rules/0030-postfix_rules.xml 2022/06/15 17:21:13 wazuh-analysisd[4507] rules-config.c:371 at Read_Rules(): DEBUG: Adding rule: ruleset/rules/0280-attack_rules.xml 2022/06/15 17:21:13 wazuh-analysisd[4507] rules-config.c:371 at Read_Rules(): DEBUG: Adding rule: ruleset/rules/0035-spamd_rules.xml 2022/06/15 17:21:13 wazuh-analysisd[4507] rules-config.c:371 at Read_Rules(): DEBUG: Adding rule: ruleset/rules/0285-systemd_rules.xml 2022/06/15 17:21:13 wazuh-analysisd[4507] rules-config.c:371 at Read_Rules(): DEBUG: Adding rule: ruleset/rules/0040-imapd_rules.xml 2022/06/15 17:21:13 wazuh-analysisd[4507] rules-config.c:371 at Read_Rules(): DEBUG: Adding rule: ruleset/rules/0290-firewalld_rules.xml 2022/06/15 17:21:13 wazuh-analysisd[4507] rules-config.c:371 at Read_Rules(): DEBUG: Adding rule: ruleset/rules/0045-mailscanner_rules.xml 2022/06/15 17:21:13 wazuh-analysisd[4507] rules-config.c:371 at Read_Rules(): DEBUG: Adding rule: ruleset/rules/0295-mysql_rules.xml 2022/06/15 17:21:13 wazuh-analysisd[4507] rules-config.c:371 at Read_Rules(): DEBUG: Adding rule: ruleset/rules/0050-ms-exchange_rules.xml 2022/06/15 17:21:13 wazuh-analysisd[4507] rules-config.c:371 at Read_Rules(): DEBUG: Adding rule: ruleset/rules/0300-postgresql_rules.xml 2022/06/15 17:21:13 wazuh-analysisd[4507] rules-config.c:371 at Read_Rules(): DEBUG: Adding rule: ruleset/rules/0055-courier_rules.xml 2022/06/15 17:21:13 wazuh-analysisd[4507] rules-config.c:371 at Read_Rules(): DEBUG: Adding rule: ruleset/rules/0430-ms_wdefender_rules.xml 2022/06/15 17:21:13 wazuh-analysisd[4507] rules-config.c:371 at Read_Rules(): DEBUG: Adding rule: ruleset/rules/0065-pix_rules.xml 2022/06/15 17:21:13 wazuh-analysisd[4507] rules-config.c:371 at Read_Rules(): DEBUG: Adding rule: ruleset/rules/0305-dropbear_rules.xml 2022/06/15 17:21:13 wazuh-analysisd[4507] rules-config.c:371 at Read_Rules(): DEBUG: Adding rule: ruleset/rules/0070-netscreenfw_rules.xml 2022/06/15 17:21:13 wazuh-analysisd[4507] rules-config.c:371 at Read_Rules(): DEBUG: Adding rule: ruleset/rules/0310-openbsd_rules.xml 2022/06/15 17:21:13 wazuh-analysisd[4507] rules-config.c:371 at Read_Rules(): DEBUG: Adding rule: ruleset/rules/0075-cisco-ios_rules.xml 2022/06/15 17:21:13 wazuh-analysisd[4507] rules-config.c:371 at Read_Rules(): DEBUG: Adding rule: ruleset/rules/0315-apparmor_rules.xml 2022/06/15 17:21:13 wazuh-analysisd[4507] rules-config.c:371 at Read_Rules(): DEBUG: Adding rule: ruleset/rules/0080-sonicwall_rules.xml 2022/06/15 17:21:13 wazuh-analysisd[4507] rules-config.c:371 at Read_Rules(): DEBUG: Adding rule: ruleset/rules/0435-ms_logs_rules.xml 2022/06/15 17:21:13 wazuh-analysisd[4507] rules-config.c:371 at Read_Rules(): DEBUG: Adding rule: ruleset/rules/0085-pam_rules.xml 2022/06/15 17:21:13 wazuh-analysisd[4507] rules-config.c:371 at Read_Rules(): DEBUG: Adding rule: ruleset/rules/0320-clam_av_rules.xml 2022/06/15 17:21:13 wazuh-analysisd[4507] rules-config.c:371 at Read_Rules(): DEBUG: Adding rule: ruleset/rules/0090-telnetd_rules.xml 2022/06/15 17:21:13 wazuh-analysisd[4507] rules-config.c:371 at Read_Rules(): DEBUG: Adding rule: ruleset/rules/0440-ms_sqlserver_rules.xml 2022/06/15 17:21:13 wazuh-analysisd[4507] rules-config.c:371 at Read_Rules(): DEBUG: Adding rule: ruleset/rules/0095-sshd_rules.xml 2022/06/15 17:21:13 wazuh-analysisd[4507] rules-config.c:371 at Read_Rules(): DEBUG: Adding rule: ruleset/rules/0325-opensmtpd_rules.xml 2022/06/15 17:21:13 wazuh-analysisd[4507] rules-config.c:371 at Read_Rules(): DEBUG: Adding rule: ruleset/rules/0100-solaris_bsm_rules.xml 2022/06/15 17:21:13 wazuh-analysisd[4507] rules-config.c:371 at Read_Rules(): DEBUG: Adding rule: ruleset/rules/0330-sysmon_rules.xml 2022/06/15 17:21:13 wazuh-analysisd[4507] rules-config.c:371 at Read_Rules(): DEBUG: Adding rule: ruleset/rules/0105-asterisk_rules.xml 2022/06/15 17:21:13 wazuh-analysisd[4507] rules-config.c:371 at Read_Rules(): DEBUG: Adding rule: ruleset/rules/0335-unbound_rules.xml 2022/06/15 17:21:13 wazuh-analysisd[4507] rules-config.c:371 at Read_Rules(): DEBUG: Adding rule: ruleset/rules/0110-ms_dhcp_rules.xml 2022/06/15 17:21:13 wazuh-analysisd[4507] rules-config.c:371 at Read_Rules(): DEBUG: Adding rule: ruleset/rules/0340-puppet_rules.xml 2022/06/15 17:21:13 wazuh-analysisd[4507] rules-config.c:371 at Read_Rules(): DEBUG: Adding rule: ruleset/rules/0115-arpwatch_rules.xml 2022/06/15 17:21:13 wazuh-analysisd[4507] rules-config.c:371 at Read_Rules(): DEBUG: Adding rule: ruleset/rules/0345-netscaler_rules.xml 2022/06/15 17:21:13 wazuh-analysisd[4507] rules-config.c:371 at Read_Rules(): DEBUG: Adding rule: ruleset/rules/0120-symantec-av_rules.xml 2022/06/15 17:21:13 wazuh-analysisd[4507] rules-config.c:371 at Read_Rules(): DEBUG: Adding rule: ruleset/rules/0350-amazon_rules.xml 2022/06/15 17:21:13 wazuh-analysisd[4507] rules-config.c:371 at Read_Rules(): DEBUG: Adding rule: ruleset/rules/0125-symantec-ws_rules.xml 2022/06/15 17:21:13 wazuh-analysisd[4507] rules-config.c:371 at Read_Rules(): DEBUG: Adding rule: ruleset/rules/0360-serv-u_rules.xml 2022/06/15 17:21:13 wazuh-analysisd[4507] rules-config.c:371 at Read_Rules(): DEBUG: Adding rule: ruleset/rules/0130-trend-osce_rules.xml 2022/06/15 17:21:13 wazuh-analysisd[4507] rules-config.c:371 at Read_Rules(): DEBUG: Adding rule: ruleset/rules/0365-auditd_rules.xml 2022/06/15 17:21:13 wazuh-analysisd[4507] rules-config.c:371 at Read_Rules(): DEBUG: Adding rule: ruleset/rules/0135-hordeimp_rules.xml 2022/06/15 17:21:13 wazuh-analysisd[4507] rules-config.c:371 at Read_Rules(): DEBUG: Adding rule: ruleset/rules/0375-usb_rules.xml 2022/06/15 17:21:13 wazuh-analysisd[4507] rules-config.c:371 at Read_Rules(): DEBUG: Adding rule: ruleset/rules/0140-roundcube_rules.xml 2022/06/15 17:21:13 wazuh-analysisd[4507] rules-config.c:371 at Read_Rules(): DEBUG: Adding rule: ruleset/rules/0380-redis_rules.xml 2022/06/15 17:21:13 wazuh-analysisd[4507] rules-config.c:371 at Read_Rules(): DEBUG: Adding rule: ruleset/rules/0145-wordpress_rules.xml 2022/06/15 17:21:13 wazuh-analysisd[4507] rules-config.c:371 at Read_Rules(): DEBUG: Adding rule: ruleset/rules/0385-oscap_rules.xml 2022/06/15 17:21:13 wazuh-analysisd[4507] rules-config.c:371 at Read_Rules(): DEBUG: Adding rule: ruleset/rules/0150-cimserver_rules.xml 2022/06/15 17:21:13 wazuh-analysisd[4507] rules-config.c:371 at Read_Rules(): DEBUG: Adding rule: ruleset/rules/0390-fortiddos_rules.xml 2022/06/15 17:21:13 wazuh-analysisd[4507] rules-config.c:371 at Read_Rules(): DEBUG: Adding rule: ruleset/rules/0155-dovecot_rules.xml 2022/06/15 17:21:13 wazuh-analysisd[4507] rules-config.c:371 at Read_Rules(): DEBUG: Adding rule: ruleset/rules/0391-fortigate_rules.xml 2022/06/15 17:21:13 wazuh-analysisd[4507] rules-config.c:371 at Read_Rules(): DEBUG: Adding rule: ruleset/rules/0160-vmpop3d_rules.xml 2022/06/15 17:21:13 wazuh-analysisd[4507] rules-config.c:371 at Read_Rules(): DEBUG: Adding rule: ruleset/rules/0392-fortimail_rules.xml 2022/06/15 17:21:13 wazuh-analysisd[4507] rules-config.c:371 at Read_Rules(): DEBUG: Adding rule: ruleset/rules/0165-vpopmail_rules.xml 2022/06/15 17:21:13 wazuh-analysisd[4507] rules-config.c:371 at Read_Rules(): DEBUG: Adding rule: ruleset/rules/0450-mongodb_rules.xml 2022/06/15 17:21:13 wazuh-analysisd[4507] rules-config.c:371 at Read_Rules(): DEBUG: Adding rule: ruleset/rules/0170-ftpd_rules.xml 2022/06/15 17:21:13 wazuh-analysisd[4507] rules-config.c:371 at Read_Rules(): DEBUG: Adding rule: ruleset/rules/0393-fortiauth_rules.xml 2022/06/15 17:21:13 wazuh-analysisd[4507] rules-config.c:371 at Read_Rules(): DEBUG: Adding rule: ruleset/rules/0175-proftpd_rules.xml 2022/06/15 17:21:13 wazuh-analysisd[4507] rules-config.c:371 at Read_Rules(): DEBUG: Adding rule: ruleset/rules/0395-hp_rules.xml 2022/06/15 17:21:13 wazuh-analysisd[4507] rules-config.c:371 at Read_Rules(): DEBUG: Adding rule: ruleset/rules/0180-pure-ftpd_rules.xml 2022/06/15 17:21:13 wazuh-analysisd[4507] rules-config.c:371 at Read_Rules(): DEBUG: Adding rule: ruleset/rules/0400-openvpn_rules.xml 2022/06/15 17:21:13 wazuh-analysisd[4507] rules-config.c:371 at Read_Rules(): DEBUG: Adding rule: ruleset/rules/0185-vsftpd_rules.xml 2022/06/15 17:21:13 wazuh-analysisd[4507] rules-config.c:371 at Read_Rules(): DEBUG: Adding rule: ruleset/rules/0405-rsa-auth-manager_rules.xml 2022/06/15 17:21:13 wazuh-analysisd[4507] rules-config.c:371 at Read_Rules(): DEBUG: Adding rule: ruleset/rules/0190-ms_ftpd_rules.xml 2022/06/15 17:21:13 wazuh-analysisd[4507] rules-config.c:371 at Read_Rules(): DEBUG: Adding rule: ruleset/rules/0410-imperva_rules.xml 2022/06/15 17:21:13 wazuh-analysisd[4507] rules-config.c:371 at Read_Rules(): DEBUG: Adding rule: ruleset/rules/0195-named_rules.xml 2022/06/15 17:21:13 wazuh-analysisd[4507] rules-config.c:371 at Read_Rules(): DEBUG: Adding rule: ruleset/rules/0455-docker_rules.xml 2022/06/15 17:21:13 wazuh-analysisd[4507] rules-config.c:371 at Read_Rules(): DEBUG: Adding rule: ruleset/rules/0200-smbd_rules.xml 2022/06/15 17:21:13 wazuh-analysisd[4507] rules-config.c:371 at Read_Rules(): DEBUG: Adding rule: ruleset/rules/0415-sophos_rules.xml 2022/06/15 17:21:13 wazuh-analysisd[4507] rules-config.c:371 at Read_Rules(): DEBUG: Adding rule: ruleset/rules/0205-racoon_rules.xml 2022/06/15 17:21:13 wazuh-analysisd[4507] rules-config.c:371 at Read_Rules(): DEBUG: Adding rule: ruleset/rules/0265-php_rules.xml 2022/06/15 17:21:13 wazuh-analysisd[4507] rules-config.c:371 at Read_Rules(): DEBUG: Adding rule: ruleset/rules/0210-vpn_concentrator_rules.xml 2022/06/15 17:21:13 wazuh-analysisd[4507] rules-config.c:371 at Read_Rules(): DEBUG: Adding rule: ruleset/rules/0240-ids_rules.xml 2022/06/15 17:21:13 wazuh-analysisd[4507] rules-config.c:371 at Read_Rules(): DEBUG: Adding rule: ruleset/rules/0460-jenkins_rules.xml 2022/06/15 17:21:13 wazuh-analysisd[4507] rules-config.c:371 at Read_Rules(): DEBUG: Adding rule: ruleset/rules/0245-web_rules.xml 2022/06/15 17:21:13 wazuh-analysisd[4507] rules-config.c:371 at Read_Rules(): DEBUG: Adding rule: ruleset/rules/0420-freeipa_rules.xml 2022/06/15 17:21:13 wazuh-analysisd[4507] rules-config.c:371 at Read_Rules(): DEBUG: Adding rule: ruleset/rules/0250-apache_rules.xml 2022/06/15 17:21:13 wazuh-analysisd[4507] rules-config.c:371 at Read_Rules(): DEBUG: Adding rule: ruleset/rules/0470-vshell_rules.xml 2022/06/15 17:21:13 wazuh-analysisd[4507] rules-config.c:371 at Read_Rules(): DEBUG: Adding rule: ruleset/rules/0255-zeus_rules.xml 2022/06/15 17:21:13 wazuh-analysisd[4507] rules-config.c:371 at Read_Rules(): DEBUG: Adding rule: ruleset/rules/0425-cisco-estreamer_rules.xml 2022/06/15 17:21:13 wazuh-analysisd[4507] rules-config.c:371 at Read_Rules(): DEBUG: Adding rule: ruleset/rules/0260-nginx_rules.xml 2022/06/15 17:21:13 wazuh-analysisd[4507] rules-config.c:371 at Read_Rules(): DEBUG: Adding rule: ruleset/rules/0445-identity_guard_rules.xml 2022/06/15 17:21:13 wazuh-analysisd[4507] rules-config.c:371 at Read_Rules(): DEBUG: Adding rule: ruleset/rules/0475-suricata_rules.xml 2022/06/15 17:21:13 wazuh-analysisd[4507] rules-config.c:371 at Read_Rules(): DEBUG: Adding rule: ruleset/rules/0480-qualysguard_rules.xml 2022/06/15 17:21:13 wazuh-analysisd[4507] rules-config.c:371 at Read_Rules(): DEBUG: Adding rule: ruleset/rules/0485-cylance_rules.xml 2022/06/15 17:21:13 wazuh-analysisd[4507] rules-config.c:371 at Read_Rules(): DEBUG: Adding rule: ruleset/rules/0490-virustotal_rules.xml 2022/06/15 17:21:13 wazuh-analysisd[4507] rules-config.c:371 at Read_Rules(): DEBUG: Adding rule: ruleset/rules/0495-proxmox-ve_rules.xml 2022/06/15 17:21:13 wazuh-analysisd[4507] rules-config.c:371 at Read_Rules(): DEBUG: Adding rule: ruleset/rules/0500-owncloud_rules.xml 2022/06/15 17:21:13 wazuh-analysisd[4507] rules-config.c:371 at Read_Rules(): DEBUG: Adding rule: ruleset/rules/0505-vuls_rules.xml 2022/06/15 17:21:13 wazuh-analysisd[4507] rules-config.c:371 at Read_Rules(): DEBUG: Adding rule: ruleset/rules/0510-ciscat_rules.xml 2022/06/15 17:21:13 wazuh-analysisd[4507] rules-config.c:371 at Read_Rules(): DEBUG: Adding rule: ruleset/rules/0515-exim_rules.xml 2022/06/15 17:21:13 wazuh-analysisd[4507] rules-config.c:371 at Read_Rules(): DEBUG: Adding rule: ruleset/rules/0520-vulnerability-detector_rules.xml 2022/06/15 17:21:13 wazuh-analysisd[4507] rules-config.c:371 at Read_Rules(): DEBUG: Adding rule: ruleset/rules/0525-openvas_rules.xml 2022/06/15 17:21:13 wazuh-analysisd[4507] rules-config.c:371 at Read_Rules(): DEBUG: Adding rule: ruleset/rules/0530-mysql_audit_rules.xml 2022/06/15 17:21:13 wazuh-analysisd[4507] rules-config.c:371 at Read_Rules(): DEBUG: Adding rule: ruleset/rules/0535-mariadb_rules.xml 2022/06/15 17:21:13 wazuh-analysisd[4507] rules-config.c:371 at Read_Rules(): DEBUG: Adding rule: ruleset/rules/0540-pfsense_rules.xml 2022/06/15 17:21:13 wazuh-analysisd[4507] rules-config.c:371 at Read_Rules(): DEBUG: Adding rule: ruleset/rules/0545-osquery_rules.xml 2022/06/15 17:21:13 wazuh-analysisd[4507] rules-config.c:371 at Read_Rules(): DEBUG: Adding rule: ruleset/rules/0550-kaspersky_rules.xml 2022/06/15 17:21:13 wazuh-analysisd[4507] rules-config.c:371 at Read_Rules(): DEBUG: Adding rule: ruleset/rules/0555-azure_rules.xml 2022/06/15 17:21:13 wazuh-analysisd[4507] rules-config.c:371 at Read_Rules(): DEBUG: Adding rule: ruleset/rules/0560-docker_integration_rules.xml 2022/06/15 17:21:13 wazuh-analysisd[4507] rules-config.c:371 at Read_Rules(): DEBUG: Adding rule: ruleset/rules/0565-ms_ipsec_rules.xml 2022/06/15 17:21:13 wazuh-analysisd[4507] rules-config.c:371 at Read_Rules(): DEBUG: Adding rule: ruleset/rules/0570-sca_rules.xml 2022/06/15 17:21:13 wazuh-analysisd[4507] rules-config.c:371 at Read_Rules(): DEBUG: Adding rule: ruleset/rules/0575-win-base_rules.xml 2022/06/15 17:21:13 wazuh-analysisd[4507] rules-config.c:371 at Read_Rules(): DEBUG: Adding rule: ruleset/rules/0580-win-security_rules.xml 2022/06/15 17:21:13 wazuh-analysisd[4507] rules-config.c:371 at Read_Rules(): DEBUG: Adding rule: ruleset/rules/0585-win-application_rules.xml 2022/06/15 17:21:13 wazuh-analysisd[4507] rules-config.c:371 at Read_Rules(): DEBUG: Adding rule: ruleset/rules/0590-win-system_rules.xml 2022/06/15 17:21:13 wazuh-analysisd[4507] rules-config.c:371 at Read_Rules(): DEBUG: Adding rule: ruleset/rules/0595-win-sysmon_rules.xml 2022/06/15 17:21:13 wazuh-analysisd[4507] rules-config.c:371 at Read_Rules(): DEBUG: Adding rule: ruleset/rules/0600-win-wdefender_rules.xml 2022/06/15 17:21:13 wazuh-analysisd[4507] rules-config.c:371 at Read_Rules(): DEBUG: Adding rule: ruleset/rules/0601-win-vipre_rules.xml 2022/06/15 17:21:13 wazuh-analysisd[4507] rules-config.c:371 at Read_Rules(): DEBUG: Adding rule: ruleset/rules/0602-win-wfirewall_rules.xml 2022/06/15 17:21:13 wazuh-analysisd[4507] rules-config.c:371 at Read_Rules(): DEBUG: Adding rule: ruleset/rules/0605-win-mcafee_rules.xml 2022/06/15 17:21:13 wazuh-analysisd[4507] rules-config.c:371 at Read_Rules(): DEBUG: Adding rule: ruleset/rules/0610-win-ms_logs_rules.xml 2022/06/15 17:21:13 wazuh-analysisd[4507] rules-config.c:371 at Read_Rules(): DEBUG: Adding rule: ruleset/rules/0615-win-ms-se_rules.xml 2022/06/15 17:21:13 wazuh-analysisd[4507] rules-config.c:371 at Read_Rules(): DEBUG: Adding rule: ruleset/rules/0620-win-generic_rules.xml 2022/06/15 17:21:13 wazuh-analysisd[4507] rules-config.c:371 at Read_Rules(): DEBUG: Adding rule: ruleset/rules/0625-cisco-asa_rules.xml 2022/06/15 17:21:13 wazuh-analysisd[4507] rules-config.c:371 at Read_Rules(): DEBUG: Adding rule: ruleset/rules/0625-mcafee_epo_rules.xml 2022/06/15 17:21:13 wazuh-analysisd[4507] rules-config.c:371 at Read_Rules(): DEBUG: Adding rule: ruleset/rules/0630-nextcloud_rules.xml 2022/06/15 17:21:13 wazuh-analysisd[4507] rules-config.c:371 at Read_Rules(): DEBUG: Adding rule: ruleset/rules/0635-owlh-zeek_rules.xml 2022/06/15 17:21:13 wazuh-analysisd[4507] rules-config.c:371 at Read_Rules(): DEBUG: Adding rule: ruleset/rules/0640-junos_rules.xml 2022/06/15 17:21:13 wazuh-analysisd[4507] rules-config.c:371 at Read_Rules(): DEBUG: Adding rule: ruleset/rules/0675-panda-paps_rules.xml 2022/06/15 17:21:13 wazuh-analysisd[4507] rules-config.c:371 at Read_Rules(): DEBUG: Adding rule: ruleset/rules/0680-checkpoint-smart1_rules.xml 2022/06/15 17:21:13 wazuh-analysisd[4507] rules-config.c:371 at Read_Rules(): DEBUG: Adding rule: ruleset/rules/0690-gcp_rules.xml 2022/06/15 17:21:13 wazuh-analysisd[4507] rules-config.c:371 at Read_Rules(): DEBUG: Adding rule: ruleset/rules/0695-f5_bigip_rules.xml 2022/06/15 17:21:13 wazuh-analysisd[4507] rules-config.c:371 at Read_Rules(): DEBUG: Adding rule: ruleset/rules/0700-paloalto_rules.xml 2022/06/15 17:21:13 wazuh-analysisd[4507] rules-config.c:371 at Read_Rules(): DEBUG: Adding rule: ruleset/rules/0705-sophos_fw_rules.xml 2022/06/15 17:21:13 wazuh-analysisd[4507] rules-config.c:371 at Read_Rules(): DEBUG: Adding rule: ruleset/rules/0715-freepbx_rules.xml 2022/06/15 17:21:13 wazuh-analysisd[4507] rules-config.c:371 at Read_Rules(): DEBUG: Adding rule: ruleset/rules/0750-github_rules.xml 2022/06/15 17:21:13 wazuh-analysisd[4507] rules-config.c:371 at Read_Rules(): DEBUG: Adding rule: ruleset/rules/0755-office365_rules.xml 2022/06/15 17:21:13 wazuh-analysisd[4507] rules-config.c:371 at Read_Rules(): DEBUG: Adding rule: ruleset/rules/0770-gitlab_rules.xml 2022/06/15 17:21:13 wazuh-analysisd[4507] rules-config.c:371 at Read_Rules(): DEBUG: Adding rule: ruleset/rules/0775-arbor_rules.xml 2022/06/15 17:21:13 wazuh-analysisd[4507] rules-config.c:371 at Read_Rules(): DEBUG: Adding rule: ruleset/rules/0780-fireeye_rules.xml 2022/06/15 17:21:13 wazuh-analysisd[4507] rules-config.c:371 at Read_Rules(): DEBUG: Adding rule: ruleset/rules/0785-huawei-usg_rules.xml 2022/06/15 17:21:13 wazuh-analysisd[4507] rules-config.c:371 at Read_Rules(): DEBUG: Adding rule: ruleset/rules/0800-sysmon_id_1.xml 2022/06/15 17:21:13 wazuh-analysisd[4507] rules-config.c:371 at Read_Rules(): DEBUG: Adding rule: ruleset/rules/0810-sysmon_id_3.xml 2022/06/15 17:21:13 wazuh-analysisd[4507] rules-config.c:371 at Read_Rules(): DEBUG: Adding rule: ruleset/rules/0820-sysmon_id_7.xml 2022/06/15 17:21:13 wazuh-analysisd[4507] rules-config.c:371 at Read_Rules(): DEBUG: Adding rule: ruleset/rules/0830-sysmon_id_11.xml 2022/06/15 17:21:13 wazuh-analysisd[4507] rules-config.c:371 at Read_Rules(): DEBUG: Adding rule: ruleset/rules/0840-win_event_channel.xml 2022/06/15 17:21:13 wazuh-analysisd[4507] rules-config.c:371 at Read_Rules(): DEBUG: Adding rule: ruleset/rules/0850-audit_rules.xml 2022/06/15 17:21:13 wazuh-analysisd[4507] rules-config.c:371 at Read_Rules(): DEBUG: Adding rule: ruleset/rules/0860-sysmon_id_13.xml 2022/06/15 17:21:13 wazuh-analysisd[4507] rules-config.c:371 at Read_Rules(): DEBUG: Adding rule: ruleset/rules/0870-sysmon_id_8.xml 2022/06/15 17:21:13 wazuh-analysisd[4507] rules-config.c:371 at Read_Rules(): DEBUG: Adding rule: ruleset/rules/0900-firewall_rules.xml 2022/06/15 17:21:13 wazuh-analysisd[4507] rules-config.c:371 at Read_Rules(): DEBUG: Adding rule: ruleset/rules/0905-cisco-ftd_rules.xml 2022/06/15 17:21:13 wazuh-analysisd[4507] rules-config.c:371 at Read_Rules(): DEBUG: Adding rule: ruleset/rules/0910-ms-exchange-proxylogon_rules.xml 2022/06/15 17:21:13 wazuh-analysisd[4507] rules-config.c:371 at Read_Rules(): DEBUG: Adding rule: ruleset/rules/0915-win-powershell_rules.xml 2022/06/15 17:21:13 wazuh-analysisd[4507] rules-config.c:371 at Read_Rules(): DEBUG: Adding rule: ruleset/rules/0920-oracledb_rules.xml 2022/06/15 17:21:13 wazuh-analysisd[4507] rules-config.c:371 at Read_Rules(): DEBUG: Adding rule: ruleset/rules/0925-eset-remote_rules.xml 2022/06/15 17:21:13 wazuh-analysisd[4507] rules-config.c:371 at Read_Rules(): DEBUG: Adding rule: ruleset/rules/0935-cloudflare-waf_rules.xml 2022/06/15 17:21:13 wazuh-analysisd[4507] rules-config.c:331 at Read_Rules(): DEBUG: Reading rules folder: etc/rules 2022/06/15 17:21:13 wazuh-analysisd[4507] rules-config.c:371 at Read_Rules(): DEBUG: Adding rule: etc/rules/local_rules.xml 2022/06/15 17:21:13 wazuh-analysisd[4507] rules-config.c:385 at Read_Rules(): DEBUG: Decoders added: 120 / excluded: 0 2022/06/15 17:21:13 wazuh-analysisd[4507] rules-config.c:386 at Read_Rules(): DEBUG: Rules added: 159 / excluded: 1 2022/06/15 17:21:13 wazuh-analysisd[4507] analysisd.c:404 at main(): DEBUG: Read configuration ... 2022/06/15 17:21:13 wazuh-analysisd[4507] analysisd.c:451 at main(): ERROR: Could not set resource limit for file descriptors to 458752: Operation not permitted (1) ==4507== ==4507== HEAP SUMMARY: ==4507== in use at exit: 19,156 bytes in 346 blocks ==4507== total heap usage: 16,266 allocs, 15,920 frees, 63,824,281 bytes allocated ==4507== ==4507== LEAK SUMMARY: ==4507== definitely lost: 0 bytes in 0 blocks ==4507== indirectly lost: 0 bytes in 0 blocks ==4507== possibly lost: 0 bytes in 0 blocks ==4507== still reachable: 19,156 bytes in 346 blocks ==4507== suppressed: 0 bytes in 0 blocks ==4507== Reachable blocks (those to which a pointer was found) are not shown. ==4507== To see them, rerun with: --leak-check=full --show-leak-kinds=all ==4507== ==4507== For lists of detected and suppressed errors, rerun with: -s ==4507== ERROR SUMMARY: 0 errors from 0 contexts (suppressed: 0 from 0) [root@c3 vagrant]# ==4508== ==4508== HEAP SUMMARY: ==4508== in use at exit: 19,156 bytes in 346 blocks ==4508== total heap usage: 16,266 allocs, 15,920 frees, 63,824,281 bytes allocated ==4508== ==4508== LEAK SUMMARY: ==4508== definitely lost: 0 bytes in 0 blocks ==4508== indirectly lost: 0 bytes in 0 blocks ==4508== possibly lost: 0 bytes in 0 blocks ==4508== still reachable: 19,156 bytes in 346 blocks ==4508== suppressed: 0 bytes in 0 blocks ==4508== Reachable blocks (those to which a pointer was found) are not shown. ==4508== To see them, rerun with: --leak-check=full --show-leak-kinds=all ==4508== ==4508== For lists of detected and suppressed errors, rerun with: -s ==4508== ERROR SUMMARY: 0 errors from 0 contexts (suppressed: 0 from 0) ```

Task 2 - Manually generate alert without overwritting :green_circle:

- Start Wazuh Manager - Check alerts in `/var/ossec/alerts/alerts.json` ``` {"timestamp":"2022-06-21T12:50:01.173+0000","rule":{"level":5,"description":"sshd: Attempt to login using a non-existent user","id":"5710","mitre":{"id":["T1110.001","T1021.004","T1078"],"tactic":["Credential Access","Lateral Movement","Defense Evasion","Persistence","Privilege Escalation","Initial Access"],"technique":["Password Guessing","SSH","Valid Accounts"]},"firedtimes":3,"mail":false,"groups":["syslog","sshd","authentication_failed","invalid_login"],"gdpr":["IV_35.7.d","IV_32.2"],"gpg13":["7.1"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7","AU.6"],"pci_dss":["10.2.4","10.2.5","10.6.1"],"tsc":["CC6.1","CC6.8","CC7.2","CC7.3"]},"agent":{"id":"000","name":"c3"},"manager":{"name":"c3"},"id":"1655815801.503198","full_log":"Jun 21 12:50:00 c3 sshd[6284]: Failed password for invalid user fake-user from 192.168.56.1 port 34280 ssh2","predecoder":{"program_name":"sshd","timestamp":"Jun 21 12:50:00","hostname":"c3"},"decoder":{"parent":"sshd","name":"sshd"},"data":{"srcip":"192.168.56.1","srcuser":"fake-user"},"location":"/var/log/secure"} {"timestamp":"2022-06-21T12:50:03.176+0000","rule":{"level":5,"description":"sshd: Attempt to login using a non-existent user","id":"5710","mitre":{"id":["T1110.001","T1021.004","T1078"],"tactic":["Credential Access","Lateral Movement","Defense Evasion","Persistence","Privilege Escalation","Initial Access"],"technique":["Password Guessing","SSH","Valid Accounts"]},"firedtimes":4,"mail":false,"groups":["syslog","sshd","authentication_failed","invalid_login"],"gdpr":["IV_35.7.d","IV_32.2"],"gpg13":["7.1"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7","AU.6"],"pci_dss":["10.2.4","10.2.5","10.6.1"],"tsc":["CC6.1","CC6.8","CC7.2","CC7.3"]},"agent":{"id":"000","name":"c3"},"manager":{"name":"c3"},"id":"1655815803.503714","full_log":"Jun 21 12:50:01 c3 sshd[6284]: Failed password for invalid user fake-user from 192.168.56.1 port 34280 ssh2","predecoder":{"program_name":"sshd","timestamp":"Jun 21 12:50:01","hostname":"c3"},"decoder":{"parent":"sshd","name":"sshd"},"data":{"srcip":"192.168.56.1","srcuser":"fake-user"},"location":"/var/log/secure"} ``` - Check Wazuh status is running ``` [root@c3 vagrant]# /var/ossec/bin/wazuh-control status wazuh-clusterd not running... wazuh-modulesd is running... wazuh-monitord is running... wazuh-logcollector is running... wazuh-remoted is running... wazuh-syscheckd is running... wazuh-analysisd is running... wazuh-maild not running... wazuh-execd is running... wazuh-db is running... wazuh-authd is running... wazuh-agentlessd not running... wazuh-integratord not running... wazuh-dbd not running... wazuh-csyslogd not running... wazuh-apid is running... ```

Task 3 - Manually activate overwritten alert :green_circle:

- Add overwritten rules - Start Wazuh Manager - Check dmesg  - Try to log in through ssh with `fake-user` - Check alerts in `/var/ossec/alerts/alerts.json` ``` {"timestamp":"2022-06-21T12:33:27.549+0000","rule":{"level":5,"description":"sshd: Attempt to login using a non-existent (user Overwrite 4)","id":"5710","mitre":{"id":["T1110.001","T1021.004","T1078"],"tactic":["Credential Access","Lateral Movement","Defense Evasion","Persistence","Privilege Escalation","Initial Access"],"technique":["Password Guessing","SSH","Valid Accounts"]},"firedtimes":2,"mail":false,"groups":["syslog","sshd","authentication_failed","invalid_login","pci_ds$"],"gdpr":["IV_35.7.d","IV_32.2"],"gpg13":["7.1"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7","AU.6"],"pci_dss":["10.2.4","10.2.5"],"tsc":["CC7.3"]},"agent":{"id":"000","name":"c3"},"manager":{"name":"c3"},"id":"1655814807.500463","full_log":"Jun 21 12:33:26 c3 sshd[4900]: Failed none for invalid user fake-user from 192.168.56.1 port 34278 ssh2","predecoder":{"program_name":"sshd","timestamp":"Jun 21 12:33:26","hostname":"c3"},"decoder":{"parent":"sshd","name":"sshd"},"data":{"srcip":"192.168.56.1","srcuser":"fake-user"},"location":"/var/log/secure"} {"timestamp":"2022-06-21T12:33:29.550+0000","rule":{"level":5,"description":"sshd: Attempt to login using a non-existent (user Overwrite 4)","id":"5710","mitre":{"id":["T1110.001","T1021.004","T1078"],"tactic":["Credential Access","Lateral Movement","Defense Evasion","Persistence","Privilege Escalation","Initial Access"],"technique":["Password Guessing","SSH","Valid Accounts"]},"firedtimes":3,"mail":false,"groups":["syslog","sshd","authentication_failed","invalid_login","pci_ds$"],"gdpr":["IV_35.7.d","IV_32.2"],"gpg13":["7.1"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7","AU.6"],"pci_dss":["10.2.4","10.2.5"],"tsc":["CC7.3"]},"agent":{"id":"000","name":"c3"},"manager":{"name":"c3"},"id":"1655814809.500952","full_log":"Jun 21 12:33:27 c3 sshd[4900]: Failed password for invalid user fake-user from 192.168.56.1 port 34278 ssh2","predecoder":{"program_name":"sshd","timestamp":"Jun 21 12:33:27","hostname":"c3"},"decoder":{"parent":"sshd","name":"sshd"},"data":{"srcip":"192.168.56.1","srcuser":"fake-user"},"location":"/var/log/secure"} {"timestamp":"2022-06-21T12:33:29.550+0000","rule":{"level":5,"description":"sshd: Attempt to login using a non-existent (user Overwrite 4)","id":"5710","mitre":{"id":["T1110.001","T1021.004","T1078"],"tactic":["Credential Access","Lateral Movement","Defense Evasion","Persistence","Privilege Escalation","Initial Access"],"technique":["Password Guessing","SSH","Valid Accounts"]},"firedtimes":4,"mail":false,"groups":["syslog","sshd","authentication_failed","invalid_login","pci_ds$"],"gdpr":["IV_35.7.d","IV_32.2"],"gpg13":["7.1"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7","AU.6"],"pci_dss":["10.2.4","10.2.5"],"tsc":["CC7.3"]},"agent":{"id":"000","name":"c3"},"manager":{"name":"c3"},"id":"1655814809.501445","full_log":"Jun 21 12:33:27 c3 sshd[4900]: Failed password for invalid user fake-user from 192.168.56.1 port 34278 ssh2","predecoder":{"program_name":"sshd","timestamp":"Jun 21 12:33:27","hostname":"c3"},"decoder":{"parent":"sshd","name":"sshd"},"data":{"srcip":"192.168.56.1","srcuser":"fake-user"},"location":"/var/log/secure"} ``` - Check Wazuh status is running ``` [root@c3 vagrant]# /var/ossec/bin/wazuh-control status wazuh-clusterd not running... wazuh-modulesd is running... wazuh-monitord is running... wazuh-logcollector is running... wazuh-remoted is running... wazuh-syscheckd is running... wazuh-analysisd is running... wazuh-maild not running... wazuh-execd is running... wazuh-db is running... wazuh-authd is running... wazuh-agentlessd not running... wazuh-integratord not running... wazuh-dbd not running... wazuh-csyslogd not running... wazuh-apid is running... ```

Task 4 - Manually activate overwritten alert after alert activation :green_circle:

- Add overwritten rules (after doing Task 2) - Start Wazuh Manager - Check dmesg  - Try to log in through ssh with `fake-user` - Check alerts in `/var/ossec/alerts/alerts.json` ``` "mail":false,"groups":["ossec"],"pci_dss":["10.6.1"],"gpg13":["10.1"],"gdpr":["IV_35.7.d"],"hipaa":["164.312.b"],"nist_800_53":["AU.6"],"tsc":["CC7.2","CC7.3"]},"agent":{"id":"000","name":"c3"},"manager":{"name":"c3"},"id":"1655816049.504230","full_log":"ossec: Ossec started.","decoder":{"name":"ossec"},"location":"wazuh-monitord"} {"timestamp":"2022-06-21T12:54:16.696+0000","rule":{"level":5,"description":"sshd: Attempt to login using a non-existent user (Overwrite 4)","id":"5710","mitre":{"id":["T1110.001","T1021.004","T1078"],"tactic":["Credential Access","Lateral Movement","Defense Evasion","Persistence","Privilege Escalation","Initial Access"],"technique":["Password Guessing","SSH","Valid Accounts"]},"firedtimes":1,"mail":false,"groups":["syslog","sshd","authentication_failed","invalid_login"],"gdpr":["IV_35.7.d","IV_32.2"],"gpg13":["7.1"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7","AU.6"],"pci_dss":["10.2.4","10.2.5","10.6.1"],"tsc":["CC6.1","CC6.8","CC7.2","CC7.3"]},"agent":{"id":"000","name":"c3"},"manager":{"name":"c3"},"id":"1655816056.504471","full_log":"Jun 21 12:54:14 c3 sshd[7499]: Invalid user fake-user from 192.168.56.1 port 34292","predecoder":{"program_name":"sshd","timestamp":"Jun 21 12:54:14","hostname":"c3"},"decoder":{"parent":"sshd","name":"sshd"},"data":{"srcip":"192.168.56.1","srcport":"34292","srcuser":"fake-user"},"location":"/var/log/secure"} ``` - Check Wazuh status is running ``` [root@c3 vagrant]# /var/ossec/bin/wazuh-control status wazuh-clusterd not running... wazuh-modulesd is running... wazuh-monitord is running... wazuh-logcollector is running... wazuh-remoted is running... wazuh-syscheckd is running... wazuh-analysisd is running... wazuh-maild not running... wazuh-execd is running... wazuh-db is running... wazuh-authd is running... wazuh-agentlessd not running... wazuh-integratord not running... wazuh-dbd not running... wazuh-csyslogd not running... wazuh-apid is running... ``` - Check ossec.log for errors or warnings ``` 2022/06/21 12:57:44 wazuh-analysisd[7876] rules-config.c:371 at Read_Rules(): DEBUG: Adding rule: etc/rules/local_rules.xml 2022/06/21 12:57:44 wazuh-analysisd[7876] rules-config.c:385 at Read_Rules(): DEBUG: Decoders added: 120 / excluded: 0 2022/06/21 12:57:44 wazuh-analysisd[7876] rules-config.c:386 at Read_Rules(): DEBUG: Rules added: 159 / excluded: 1 2022/06/21 12:57:44 wazuh-analysisd[7876] analysisd.c:404 at main(): DEBUG: Read configuration ... Started wazuh-analysisd... Started wazuh-syscheckd... Started wazuh-remoted... Started wazuh-logcollector... Started wazuh-monitord... Started wazuh-modulesd... Completed. [root@c3 vagrant]# cat /var/ossec/logs/ossec.log | grep warning [root@c3 vagrant]# cat /var/ossec/logs/ossec.log | grep error ```

Task 5 - Run Analysisd on a memory tool and execute the ruleset tests :green_circle:

- Start Wazuh Manager - Check Wazuh status is running ``` [root@c3 vagrant]# /var/ossec/bin/wazuh-control status wazuh-clusterd not running... wazuh-modulesd is running... wazuh-monitord is running... wazuh-logcollector is running... wazuh-remoted is running... wazuh-syscheckd is running... wazuh-analysisd is running... wazuh-maild not running... wazuh-execd is running... wazuh-db is running... wazuh-authd is running... wazuh-agentlessd not running... wazuh-integratord not running... wazuh-dbd not running... wazuh-csyslogd not running... wazuh-apid is running... ``` - Run analysis with valgrind command ``` valgrind --leak-check=full --num-callers=20 --track-origins=yes /var/ossec/bin/wazuh-analysisd -f ``` - Run overwrite analysis tests ``` [root@c3 testing]# python2 runtests.py -t overwrite.ini Restarting wazuh-manager... - [ File = ./tests/overwrite.ini ] --------- .......... ``` - Log result from Valgrind ``` 2022/06/21 13:21:08 wazuh-analysisd[9604] accumulator.c:92 at Accumulate_Init(): DEBUG: Accumulator Init completed. 2022/06/21 13:21:08 wazuh-analysisd[9604] logtest.c:1090 at w_logtest_process_request_log_processing(): DEBUG: (7202): Session initialized with token '103cf9d4' 2022/06/21 13:21:08 wazuh-analysisd[9604] logtest.c:594 at w_logtest_remove_session(): DEBUG: (7206): The session '103cf9d4' was closed successfully ==9604== ==9604== HEAP SUMMARY: ==9604== in use at exit: 21,604,906 bytes in 118,133 blocks ==9604== total heap usage: 9,180,587 allocs, 9,062,454 frees, 28,554,453,159 bytes allocated ==9604== ==9604== 272 bytes in 1 blocks are possibly lost in loss record 280 of 549 ==9604== at 0x4C3721A: calloc (vg_replace_malloc.c:760) ==9604== by 0x40129EB: _dl_allocate_tls (in /usr/lib64/ld-2.28.so) ==9604== by 0x6035DA2: pthread_create@@GLIBC_2.2.5 (in /usr/lib64/libpthread-2.28.so) ==9604== by 0x4C6621: CreateThreadJoinable (in /var/ossec/bin/wazuh-analysisd) ==9604== by 0x4C6736: CreateThread (in /var/ossec/bin/wazuh-analysisd) ==9604== by 0x42708F: main (in /var/ossec/bin/wazuh-analysisd) ==9604== ==9604== 272 bytes in 1 blocks are possibly lost in loss record 281 of 549 ==9604== at 0x4C3721A: calloc (vg_replace_malloc.c:760) ==9604== by 0x40129EB: _dl_allocate_tls (in /usr/lib64/ld-2.28.so) ==9604== by 0x6035DA2: pthread_create@@GLIBC_2.2.5 (in /usr/lib64/libpthread-2.28.so) ==9604== by 0x4C6621: CreateThreadJoinable (in /var/ossec/bin/wazuh-analysisd) ==9604== by 0x4C6736: CreateThread (in /var/ossec/bin/wazuh-analysisd) ==9604== by 0x4272DC: main (in /var/ossec/bin/wazuh-analysisd) ==9604== ==9604== 272 bytes in 1 blocks are possibly lost in loss record 282 of 549 ==9604== at 0x4C3721A: calloc (vg_replace_malloc.c:760) ==9604== by 0x40129EB: _dl_allocate_tls (in /usr/lib64/ld-2.28.so) ==9604== by 0x6035DA2: pthread_create@@GLIBC_2.2.5 (in /usr/lib64/libpthread-2.28.so) ==9604== by 0x4C6621: CreateThreadJoinable (in /var/ossec/bin/wazuh-analysisd) ==9604== by 0x4C6736: CreateThread (in /var/ossec/bin/wazuh-analysisd) ==9604== by 0x416581: w_logtest_init (in /var/ossec/bin/wazuh-analysisd) ==9604== by 0x6035149: start_thread (in /usr/lib64/libpthread-2.28.so) ==9604== by 0x6349DC2: clone (in /usr/lib64/libc-2.28.so) ==9604== ==9604== 272 bytes in 1 blocks are possibly lost in loss record 283 of 549 ==9604== at 0x4C3721A: calloc (vg_replace_malloc.c:760) ==9604== by 0x40129EB: _dl_allocate_tls (in /usr/lib64/ld-2.28.so) ==9604== by 0x6035DA2: pthread_create@@GLIBC_2.2.5 (in /usr/lib64/libpthread-2.28.so) ==9604== by 0x4C6621: CreateThreadJoinable (in /var/ossec/bin/wazuh-analysisd) ==9604== by 0x4C6736: CreateThread (in /var/ossec/bin/wazuh-analysisd) ==9604== by 0x437F88: SecurityConfigurationAssessmentInit (in /var/ossec/bin/wazuh-analysisd) ==9604== by 0x4256DE: OS_ReadMSG (in /var/ossec/bin/wazuh-analysisd) ==9604== by 0x42737B: main (in /var/ossec/bin/wazuh-analysisd) ==9604== ==9604== 272 bytes in 1 blocks are possibly lost in loss record 284 of 549 ==9604== at 0x4C3721A: calloc (vg_replace_malloc.c:760) ==9604== by 0x40129EB: _dl_allocate_tls (in /usr/lib64/ld-2.28.so) ==9604== by 0x6035DA2: pthread_create@@GLIBC_2.2.5 (in /usr/lib64/libpthread-2.28.so) ==9604== by 0x4C6621: CreateThreadJoinable (in /var/ossec/bin/wazuh-analysisd) ==9604== by 0x4C6736: CreateThread (in /var/ossec/bin/wazuh-analysisd) ==9604== by 0x425A8E: OS_ReadMSG (in /var/ossec/bin/wazuh-analysisd) ==9604== by 0x42737B: main (in /var/ossec/bin/wazuh-analysisd) ==9604== ==9604== 272 bytes in 1 blocks are possibly lost in loss record 285 of 549 ==9604== at 0x4C3721A: calloc (vg_replace_malloc.c:760) ==9604== by 0x40129EB: _dl_allocate_tls (in /usr/lib64/ld-2.28.so) ==9604== by 0x6035DA2: pthread_create@@GLIBC_2.2.5 (in /usr/lib64/libpthread-2.28.so) ==9604== by 0x4C6621: CreateThreadJoinable (in /var/ossec/bin/wazuh-analysisd) ==9604== by 0x4C6736: CreateThread (in /var/ossec/bin/wazuh-analysisd) ==9604== by 0x425BBB: OS_ReadMSG (in /var/ossec/bin/wazuh-analysisd) ==9604== by 0x42737B: main (in /var/ossec/bin/wazuh-analysisd) ==9604== ==9604== 272 bytes in 1 blocks are possibly lost in loss record 286 of 549 ==9604== at 0x4C3721A: calloc (vg_replace_malloc.c:760) ==9604== by 0x40129EB: _dl_allocate_tls (in /usr/lib64/ld-2.28.so) ==9604== by 0x6035DA2: pthread_create@@GLIBC_2.2.5 (in /usr/lib64/libpthread-2.28.so) ==9604== by 0x4C6621: CreateThreadJoinable (in /var/ossec/bin/wazuh-analysisd) ==9604== by 0x4C6736: CreateThread (in /var/ossec/bin/wazuh-analysisd) ==9604== by 0x425BEB: OS_ReadMSG (in /var/ossec/bin/wazuh-analysisd) ==9604== by 0x42737B: main (in /var/ossec/bin/wazuh-analysisd) ==9604== ==9604== 272 bytes in 1 blocks are possibly lost in loss record 287 of 549 ==9604== at 0x4C3721A: calloc (vg_replace_malloc.c:760) ==9604== by 0x40129EB: _dl_allocate_tls (in /usr/lib64/ld-2.28.so) ==9604== by 0x6035DA2: pthread_create@@GLIBC_2.2.5 (in /usr/lib64/libpthread-2.28.so) ==9604== by 0x4C6621: CreateThreadJoinable (in /var/ossec/bin/wazuh-analysisd) ==9604== by 0x4C6736: CreateThread (in /var/ossec/bin/wazuh-analysisd) ==9604== by 0x425C5A: OS_ReadMSG (in /var/ossec/bin/wazuh-analysisd) ==9604== by 0x42737B: main (in /var/ossec/bin/wazuh-analysisd) ==9604== ==9604== 272 bytes in 1 blocks are possibly lost in loss record 288 of 549 ==9604== at 0x4C3721A: calloc (vg_replace_malloc.c:760) ==9604== by 0x40129EB: _dl_allocate_tls (in /usr/lib64/ld-2.28.so) ==9604== by 0x6035DA2: pthread_create@@GLIBC_2.2.5 (in /usr/lib64/libpthread-2.28.so) ==9604== by 0x4C6621: CreateThreadJoinable (in /var/ossec/bin/wazuh-analysisd) ==9604== by 0x4C6736: CreateThread (in /var/ossec/bin/wazuh-analysisd) ==9604== by 0x425C83: OS_ReadMSG (in /var/ossec/bin/wazuh-analysisd) ==9604== by 0x42737B: main (in /var/ossec/bin/wazuh-analysisd) ==9604== ==9604== 272 bytes in 1 blocks are possibly lost in loss record 289 of 549 ==9604== at 0x4C3721A: calloc (vg_replace_malloc.c:760) ==9604== by 0x40129EB: _dl_allocate_tls (in /usr/lib64/ld-2.28.so) ==9604== by 0x6035DA2: pthread_create@@GLIBC_2.2.5 (in /usr/lib64/libpthread-2.28.so) ==9604== by 0x4C6621: CreateThreadJoinable (in /var/ossec/bin/wazuh-analysisd) ==9604== by 0x4C6736: CreateThread (in /var/ossec/bin/wazuh-analysisd) ==9604== by 0x425CAC: OS_ReadMSG (in /var/ossec/bin/wazuh-analysisd) ==9604== by 0x42737B: main (in /var/ossec/bin/wazuh-analysisd) ==9604== ==9604== 272 bytes in 1 blocks are possibly lost in loss record 290 of 549 ==9604== at 0x4C3721A: calloc (vg_replace_malloc.c:760) ==9604== by 0x40129EB: _dl_allocate_tls (in /usr/lib64/ld-2.28.so) ==9604== by 0x6035DA2: pthread_create@@GLIBC_2.2.5 (in /usr/lib64/libpthread-2.28.so) ==9604== by 0x4C6621: CreateThreadJoinable (in /var/ossec/bin/wazuh-analysisd) ==9604== by 0x4C6736: CreateThread (in /var/ossec/bin/wazuh-analysisd) ==9604== by 0x425CD5: OS_ReadMSG (in /var/ossec/bin/wazuh-analysisd) ==9604== by 0x42737B: main (in /var/ossec/bin/wazuh-analysisd) ==9604== ==9604== 272 bytes in 1 blocks are possibly lost in loss record 291 of 549 ==9604== at 0x4C3721A: calloc (vg_replace_malloc.c:760) ==9604== by 0x40129EB: _dl_allocate_tls (in /usr/lib64/ld-2.28.so) ==9604== by 0x6035DA2: pthread_create@@GLIBC_2.2.5 (in /usr/lib64/libpthread-2.28.so) ==9604== by 0x4C6621: CreateThreadJoinable (in /var/ossec/bin/wazuh-analysisd) ==9604== by 0x4C6736: CreateThread (in /var/ossec/bin/wazuh-analysisd) ==9604== by 0x425F10: OS_ReadMSG (in /var/ossec/bin/wazuh-analysisd) ==9604== by 0x42737B: main (in /var/ossec/bin/wazuh-analysisd) ==9604== ==9604== 272 bytes in 1 blocks are possibly lost in loss record 292 of 549 ==9604== at 0x4C3721A: calloc (vg_replace_malloc.c:760) ==9604== by 0x40129EB: _dl_allocate_tls (in /usr/lib64/ld-2.28.so) ==9604== by 0x6035DA2: pthread_create@@GLIBC_2.2.5 (in /usr/lib64/libpthread-2.28.so) ==9604== by 0x4C6621: CreateThreadJoinable (in /var/ossec/bin/wazuh-analysisd) ==9604== by 0x4C6736: CreateThread (in /var/ossec/bin/wazuh-analysisd) ==9604== by 0x425F39: OS_ReadMSG (in /var/ossec/bin/wazuh-analysisd) ==9604== by 0x42737B: main (in /var/ossec/bin/wazuh-analysisd) ==9604== ==9604== 544 bytes in 2 blocks are possibly lost in loss record 335 of 549 ==9604== at 0x4C3721A: calloc (vg_replace_malloc.c:760) ==9604== by 0x40129EB: _dl_allocate_tls (in /usr/lib64/ld-2.28.so) ==9604== by 0x6035DA2: pthread_create@@GLIBC_2.2.5 (in /usr/lib64/libpthread-2.28.so) ==9604== by 0x4C6621: CreateThreadJoinable (in /var/ossec/bin/wazuh-analysisd) ==9604== by 0x4C6736: CreateThread (in /var/ossec/bin/wazuh-analysisd) ==9604== by 0x425D06: OS_ReadMSG (in /var/ossec/bin/wazuh-analysisd) ==9604== by 0x42737B: main (in /var/ossec/bin/wazuh-analysisd) ==9604== ==9604== 544 bytes in 2 blocks are possibly lost in loss record 336 of 549 ==9604== at 0x4C3721A: calloc (vg_replace_malloc.c:760) ==9604== by 0x40129EB: _dl_allocate_tls (in /usr/lib64/ld-2.28.so) ==9604== by 0x6035DA2: pthread_create@@GLIBC_2.2.5 (in /usr/lib64/libpthread-2.28.so) ==9604== by 0x4C6621: CreateThreadJoinable (in /var/ossec/bin/wazuh-analysisd) ==9604== by 0x4C6736: CreateThread (in /var/ossec/bin/wazuh-analysisd) ==9604== by 0x425D42: OS_ReadMSG (in /var/ossec/bin/wazuh-analysisd) ==9604== by 0x42737B: main (in /var/ossec/bin/wazuh-analysisd) ==9604== ==9604== 544 bytes in 2 blocks are possibly lost in loss record 337 of 549 ==9604== at 0x4C3721A: calloc (vg_replace_malloc.c:760) ==9604== by 0x40129EB: _dl_allocate_tls (in /usr/lib64/ld-2.28.so) ==9604== by 0x6035DA2: pthread_create@@GLIBC_2.2.5 (in /usr/lib64/libpthread-2.28.so) ==9604== by 0x4C6621: CreateThreadJoinable (in /var/ossec/bin/wazuh-analysisd) ==9604== by 0x4C6736: CreateThread (in /var/ossec/bin/wazuh-analysisd) ==9604== by 0x425D9B: OS_ReadMSG (in /var/ossec/bin/wazuh-analysisd) ==9604== by 0x42737B: main (in /var/ossec/bin/wazuh-analysisd) ==9604== ==9604== 544 bytes in 2 blocks are possibly lost in loss record 338 of 549 ==9604== at 0x4C3721A: calloc (vg_replace_malloc.c:760) ==9604== by 0x40129EB: _dl_allocate_tls (in /usr/lib64/ld-2.28.so) ==9604== by 0x6035DA2: pthread_create@@GLIBC_2.2.5 (in /usr/lib64/libpthread-2.28.so) ==9604== by 0x4C6621: CreateThreadJoinable (in /var/ossec/bin/wazuh-analysisd) ==9604== by 0x4C6736: CreateThread (in /var/ossec/bin/wazuh-analysisd) ==9604== by 0x425DC8: OS_ReadMSG (in /var/ossec/bin/wazuh-analysisd) ==9604== by 0x42737B: main (in /var/ossec/bin/wazuh-analysisd) ==9604== ==9604== 544 bytes in 2 blocks are possibly lost in loss record 339 of 549 ==9604== at 0x4C3721A: calloc (vg_replace_malloc.c:760) ==9604== by 0x40129EB: _dl_allocate_tls (in /usr/lib64/ld-2.28.so) ==9604== by 0x6035DA2: pthread_create@@GLIBC_2.2.5 (in /usr/lib64/libpthread-2.28.so) ==9604== by 0x4C6621: CreateThreadJoinable (in /var/ossec/bin/wazuh-analysisd) ==9604== by 0x4C6736: CreateThread (in /var/ossec/bin/wazuh-analysisd) ==9604== by 0x425DE8: OS_ReadMSG (in /var/ossec/bin/wazuh-analysisd) ==9604== by 0x42737B: main (in /var/ossec/bin/wazuh-analysisd) ==9604== ==9604== 544 bytes in 2 blocks are possibly lost in loss record 340 of 549 ==9604== at 0x4C3721A: calloc (vg_replace_malloc.c:760) ==9604== by 0x40129EB: _dl_allocate_tls (in /usr/lib64/ld-2.28.so) ==9604== by 0x6035DA2: pthread_create@@GLIBC_2.2.5 (in /usr/lib64/libpthread-2.28.so) ==9604== by 0x4C6621: CreateThreadJoinable (in /var/ossec/bin/wazuh-analysisd) ==9604== by 0x4C6736: CreateThread (in /var/ossec/bin/wazuh-analysisd) ==9604== by 0x425E04: OS_ReadMSG (in /var/ossec/bin/wazuh-analysisd) ==9604== by 0x42737B: main (in /var/ossec/bin/wazuh-analysisd) ==9604== ==9604== 544 bytes in 2 blocks are possibly lost in loss record 341 of 549 ==9604== at 0x4C3721A: calloc (vg_replace_malloc.c:760) ==9604== by 0x40129EB: _dl_allocate_tls (in /usr/lib64/ld-2.28.so) ==9604== by 0x6035DA2: pthread_create@@GLIBC_2.2.5 (in /usr/lib64/libpthread-2.28.so) ==9604== by 0x4C6621: CreateThreadJoinable (in /var/ossec/bin/wazuh-analysisd) ==9604== by 0x4C6736: CreateThread (in /var/ossec/bin/wazuh-analysisd) ==9604== by 0x425E21: OS_ReadMSG (in /var/ossec/bin/wazuh-analysisd) ==9604== by 0x42737B: main (in /var/ossec/bin/wazuh-analysisd) ==9604== ==9604== 544 bytes in 2 blocks are possibly lost in loss record 342 of 549 ==9604== at 0x4C3721A: calloc (vg_replace_malloc.c:760) ==9604== by 0x40129EB: _dl_allocate_tls (in /usr/lib64/ld-2.28.so) ==9604== by 0x6035DA2: pthread_create@@GLIBC_2.2.5 (in /usr/lib64/libpthread-2.28.so) ==9604== by 0x4C6621: CreateThreadJoinable (in /var/ossec/bin/wazuh-analysisd) ==9604== by 0x4C6736: CreateThread (in /var/ossec/bin/wazuh-analysisd) ==9604== by 0x425E44: OS_ReadMSG (in /var/ossec/bin/wazuh-analysisd) ==9604== by 0x42737B: main (in /var/ossec/bin/wazuh-analysisd) ==9604== ==9604== 544 bytes in 2 blocks are possibly lost in loss record 343 of 549 ==9604== at 0x4C3721A: calloc (vg_replace_malloc.c:760) ==9604== by 0x40129EB: _dl_allocate_tls (in /usr/lib64/ld-2.28.so) ==9604== by 0x6035DA2: pthread_create@@GLIBC_2.2.5 (in /usr/lib64/libpthread-2.28.so) ==9604== by 0x4C6621: CreateThreadJoinable (in /var/ossec/bin/wazuh-analysisd) ==9604== by 0x4C6736: CreateThread (in /var/ossec/bin/wazuh-analysisd) ==9604== by 0x425EC9: OS_ReadMSG (in /var/ossec/bin/wazuh-analysisd) ==9604== by 0x42737B: main (in /var/ossec/bin/wazuh-analysisd) ==9604== ==9604== LEAK SUMMARY: ==9604== definitely lost: 0 bytes in 0 blocks ==9604== indirectly lost: 0 bytes in 0 blocks ==9604== possibly lost: 8,432 bytes in 31 blocks ==9604== still reachable: 21,596,474 bytes in 118,102 blocks ==9604== suppressed: 0 bytes in 0 blocks ==9604== Reachable blocks (those to which a pointer was found) are not shown. ==9604== To see them, rerun with: --leak-check=full --show-leak-kinds=all ==9604== ==9604== For lists of detected and suppressed errors, rerun with: -s ==9604== ERROR SUMMARY: 22 errors from 22 contexts (suppressed: 0 from 0) ==9604== could not unlink /tmp/vgdb-pipe-from-vgdb-to-9604-by-root-on-c3 ==9604== could not unlink /tmp/vgdb-pipe-to-vgdb-from-9604-by-root-on-c3 ==9604== could not unlink /tmp/vgdb-pipe-shared-mem-vgdb-9604-by-root-on-c3 ```