Closed 72nomada closed 1 year ago
| Tester | PR commit |
|---|---|
| @Rebits | https://github.com/wazuh/wazuh/pull/16530/commits/ae4be0992921cdd4a0f52e73c687b0cebdc45560 |
| OS | OS version | Deployment | Image/AMI | Notes |
|---|---|---|---|---|
| Ubuntu | Ubuntu 20.04 | EC2 | ami-003530de8839921c4 | |
| wazuh-manager | wazuh-agent |
|---|---|
ULS macOS events with positive timezone are now correctly parsed.
macOS Agent

```
sh-3.2# launchctl setenv WAZUH_MANAGER "192.168.10.120" && installer -pkg wazuh-agent-4.4.2-0.commitae4be09.pkg -target /
installer: Package name is Wazuh Agent
installer: Installing at base path /
installer: The install was successful.
```

Manager

```
Transaction test succeeded
Running transaction
  Instalando    : wazuh-manager-4.4.2-0.commitae4be09. [######################### ] 1/1
  Instalando    : wazuh-manager-4.4.2-0.commitae4be09.x86_64    1/1
  Comprobando   : wazuh-manager-4.4.2-0.commitae4be09.x86_64    1/1

Instalado:
  wazuh-manager.x86_64 0:4.4.2-0.commitae4be09

¡Listo!
```
Suggested developers events :green_circle:
- `2022-12-13 14:19:30.429319+0200 localhost sshd[1115]: Failed password for invalid user hacker from 192.168.56.1 port 50384 ssh2`

  ```
  2022-12-13 14:19:30.429319+0200 localhost sshd[1115]: Failed password for invalid user hacker from 192.168.56.1 port 50384 ssh2

  **Phase 1: Completed pre-decoding.
      full event: '2022-12-13 14:19:30.429319+0200 localhost sshd[1115]: Failed password for invalid user hacker from 192.168.56.1 port 50384 ssh2'
      timestamp: '2022-12-13 14:19:30.429319+0200'
      program_name: 'sshd'

  **Phase 2: Completed decoding.
      name: 'sshd'
      parent: 'sshd'
      srcip: '192.168.56.1'
      srcuser: 'hacker'

  **Phase 3: Completed filtering (rules).
      id: '5710'
      level: '5'
      description: 'sshd: Attempt to login using a non-existent user'
      groups: '['syslog', 'sshd', 'authentication_failed', 'invalid_login']'
      firedtimes: '2'
      gdpr: '['IV_35.7.d', 'IV_32.2']'
      gpg13: '['7.1']'
      hipaa: '['164.312.b']'
      mail: 'False'
      mitre.id: '['T1110.001', 'T1021.004', 'T1078']'
      mitre.tactic: '['Credential Access', 'Lateral Movement', 'Defense Evasion', 'Persistence', 'Privilege Escalation', 'Initial Access']'
      mitre.technique: '['Password Guessing', 'SSH', 'Valid Accounts']'
      nist_800_53: '['AU.14', 'AC.7', 'AU.6']'
      pci_dss: '['10.2.4', '10.2.5', '10.6.1']'
      tsc: '['CC6.1', 'CC6.8', 'CC7.2', 'CC7.3']'
  **Alert to be generated.
  ```

- `2023-04-13 22:02:51.837266+0200 localhost loginwindow[164]: [com.apple.loginwindow.logging:Standard] -[SessionAgentNotificationCenter sendBSDNotification:forUserID:] | sendBSDNotification: com.apple.sessionagent.screenIsLocked, with userID:501`

  ```
  2023-04-13 22:02:51.837266+0200 localhost loginwindow[164]: [com.apple.loginwindow.logging:Standard] -[SessionAgentNotificationCenter sendBSDNotification:forUserID:] | sendBSDNotification: com.apple.sessionagent.screenIsLocked, with userID:501

  **Phase 1: Completed pre-decoding.
      full event: '2023-04-13 22:02:51.837266+0200 localhost loginwindow[164]: [com.apple.loginwindow.logging:Standard] -[SessionAgentNotificationCenter sendBSDNotification:forUserID:] | sendBSDNotification: com.apple.sessionagent.screenIsLocked, with userID:501'
      timestamp: '2023-04-13 22:02:51.837266+0200'
      program_name: 'loginwindow'

  **Phase 2: Completed decoding.
      No decoder matched.
  ```

Real ULS collected events :green_circle:

- `2023-04-18 11:58:10.591934+0200 localhost findmydeviced[249]: [com.apple.icloud.findmydeviced:_] UCRT state - [3]. Error getting UCRT state - (null)`

  ```
  2023-04-18 11:58:10.591934+0200 localhost findmydeviced[249]: [com.apple.icloud.findmydeviced:_] UCRT state - [3]. Error getting UCRT state - (null)

  **Phase 1: Completed pre-decoding.
      full event: '2023-04-18 11:58:10.591934+0200 localhost findmydeviced[249]: [com.apple.icloud.findmydeviced:_] UCRT state - [3]. Error getting UCRT state - (null)'
      timestamp: '2023-04-18 11:58:10.591934+0200'
      program_name: 'findmydeviced'

  **Phase 2: Completed decoding.
      No decoder matched.

  **Phase 3: Completed filtering (rules).
      id: '1002'
      level: '2'
      description: 'Unknown problem somewhere in the system.'
      groups: '['syslog', 'errors']'
      firedtimes: '2'
      gpg13: '['4.3']'
      mail: 'False'
  ```

- `2023-04-13 22:02:51.837266+0200 localhost loginwindow[164]: [com.apple.loginwindow.logging:Standard] -[SessionAgentNotificationCenter sendBSDNotification:forUserID:] | sendBSDNotification: com.apple.sessionagent.screenIsLocked, with userID:501`

  ```
  **Phase 1: Completed pre-decoding.
      full event: '2023-04-13 22:02:51.837266+0200 localhost loginwindow[164]: [com.apple.loginwindow.logging:Standard] -[SessionAgentNotificationCenter sendBSDNotification:forUserID:] | sendBSDNotification: com.apple.sessionagent.screenIsLocked, with userID:501'
      timestamp: '2023-04-13 22:02:51.837266+0200'
      program_name: 'loginwindow'

  **Phase 2: Completed decoding.
      No decoder matched.
  ```
Everything seems to be working properly
Description
Added support in analysisd to decode timestamps that carry a '+' sign in the UTC offset, which is the form typically used in macOS log timestamps.
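As an added illustration (not analysisd's own code, nor anything from this PR), a minimal C pre-decoder for the ULS line shape shown in the logtest output above: it extracts the same fields that "Phase 1" prints and accepts a UTC offset with either sign, so a `+0200` timestamp is not rejected. The `predecoded` struct and `predecode_uls` function are hypothetical names chosen for the example.

```c
#include <ctype.h>
#include <string.h>

/* Pre-decoded fields, as wazuh-logtest prints in "Phase 1" (illustrative). */
struct predecoded {
    char timestamp[40];     /* e.g. 2022-12-13 14:19:30.429319+0200 */
    char hostname[64];
    char program_name[64];
    const char *message;    /* points into the caller's line */
};
/* Parse a macOS ULS line: YYYY-MM-DD HH:MM:SS[.ffffff](+|-)HHMM host prog[pid]: msg
 * Both offset signs are accepted (a positive offset is the PR's case).
 * Returns 1 on success, 0 if the line does not match. */
int predecode_uls(const char *line, struct predecoded *out)
{
    const char *p = line, *start;
    /* date (10 chars), space, time (8 chars) */
    if (strlen(p) < 19 || p[4] != '-' || p[7] != '-' || p[10] != ' ' ||
        p[13] != ':' || p[16] != ':')
        return 0;
    p += 19;
    if (*p == '.')                                   /* fractional seconds */
        for (p++; isdigit((unsigned char)*p); p++) ;
    if (*p != '+' && *p != '-')                      /* UTC offset, either sign */
        return 0;
    for (p++, start = p; p < start + 4; p++)         /* exactly four digits */
        if (!isdigit((unsigned char)*p)) return 0;
    if (*p != ' ' || (size_t)(p - line) >= sizeof out->timestamp) return 0;
    memcpy(out->timestamp, line, p - line);
    out->timestamp[p - line] = '\0';
    /* hostname: up to the next space */
    for (start = ++p; *p && *p != ' '; p++) ;
    if (*p != ' ' || (size_t)(p - start) >= sizeof out->hostname) return 0;
    memcpy(out->hostname, start, p - start);
    out->hostname[p - start] = '\0';
    /* program name: up to "[pid]" or ':' */
    for (start = ++p; *p && *p != '[' && *p != ':' && *p != ' '; p++) ;
    if (p == start || (size_t)(p - start) >= sizeof out->program_name) return 0;
    memcpy(out->program_name, start, p - start);
    out->program_name[p - start] = '\0';
    if (*p == '[') {                                 /* skip "[pid]" */
        while (*p && *p != ']') p++;
        if (*p == ']') p++;
    }
    if (*p != ':') return 0;
    for (p++; *p == ' '; p++) ;
    out->message = p;
    return 1;
}
```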
Proposed checks
- [ ] Use an ini content like this:
Expected results
When using a log line like the one in the test, an alert should be generated like this: