wazuh / wazuh

Wazuh - The Open Source Security Platform. Unified XDR and SIEM protection for endpoints and cloud workloads.
https://wazuh.com/

Rule generates alert using logtest, but not with the manager service #7246

Closed jtyocum closed 3 years ago

jtyocum commented 3 years ago
| Wazuh version | Component | Install type | Install method | Platform |
|---|---|---|---|---|
| 4.0.3 | Wazuh component | Manager | Packages | Ubuntu 18.04 |

I created some local rules for Sophos AV / Endpoint. When testing the rules, I found they work (generate alert) using ossec-logtest. However, they don't generate any alerts with Wazuh manager. I did try restarting the manager service multiple times, and verified that the process did in fact restart. It would appear there is some difference in rule processing between logtest and the manager.

Attachment: local_sophos_rules.zip

Below is an example from ossec-logtest:

2021/01/21 10:32:12 ossec-testrule: INFO: Started (pid: 14113).
ossec-testrule: Type one log per line.

{"win":{"system":{"providerName":"Sophos Anti-Virus","eventID":"32","level":"3","task":"1","keywords":"0x80000000000000","systemTime":"2021-01-21T18:27:17.655992100Z","eventRecordID":"438016","channel":"Application","computer":"deohs-pshrdsh01.deohs.washington.edu","severityValue":"WARNING","message":"\"File \"C:\temp\Firefox\cache\cache2\entries\6F4EAA33D575A7F737F1D2C6724057E986ADE83A\" belongs to virus/spyware 'EICAR-AV-Test'.\r\n\""},"eventdata":{"data":"File, C:\\temp\\Firefox\\cache\\cache2\\entries\\6F4EAA33D575A7F737F1D2C6724057E986ADE83A, EICAR-AV-Test, -1, VEA, A threat has been blocked and quarantined., 539295806"}}}

**Phase 1: Completed pre-decoding.
       full event: '{"win":{"system":{"providerName":"Sophos Anti-Virus","eventID":"32","level":"3","task":"1","keywords":"0x80000000000000","systemTime":"2021-01-21T18:27:17.655992100Z","eventRecordID":"438016","channel":"Application","computer":"deohs-pshrdsh01.deohs.washington.edu","severityValue":"WARNING","message":"\"File \"C:\temp\Firefox\cache\cache2\entries\6F4EAA33D575A7F737F1D2C6724057E986ADE83A\" belongs to virus/spyware 'EICAR-AV-Test'.\r\n\""},"eventdata":{"data":"File, C:\\temp\\Firefox\\cache\\cache2\\entries\\6F4EAA33D575A7F737F1D2C6724057E986ADE83A, EICAR-AV-Test, -1, VEA, A threat has been blocked and quarantined., 539295806"}}}'
       timestamp: '(null)'
       hostname: 'wazuh'
       program_name: '(null)'
       log: '{"win":{"system":{"providerName":"Sophos Anti-Virus","eventID":"32","level":"3","task":"1","keywords":"0x80000000000000","systemTime":"2021-01-21T18:27:17.655992100Z","eventRecordID":"438016","channel":"Application","computer":"deohs-pshrdsh01.deohs.washington.edu","severityValue":"WARNING","message":"\"File \"C:\temp\Firefox\cache\cache2\entries\6F4EAA33D575A7F737F1D2C6724057E986ADE83A\" belongs to virus/spyware 'EICAR-AV-Test'.\r\n\""},"eventdata":{"data":"File, C:\\temp\\Firefox\\cache\\cache2\\entries\\6F4EAA33D575A7F737F1D2C6724057E986ADE83A, EICAR-AV-Test, -1, VEA, A threat has been blocked and quarantined., 539295806"}}}'

**Phase 2: Completed decoding.
       decoder: 'json'
       win.system.providerName: 'Sophos Anti-Virus'
       win.system.eventID: '32'
       win.system.level: '3'
       win.system.task: '1'
       win.system.keywords: '0x80000000000000'
       win.system.systemTime: '2021-01-21T18:27:17.655992100Z'
       win.system.eventRecordID: '438016'
       win.system.channel: 'Application'
       win.system.computer: 'deohs-pshrdsh01.deohs.washington.edu'
       win.system.severityValue: 'WARNING'
       win.system.message: '"File "C:\temp\Firefox\cache\cache2\entries\6F4EAA33D575A7F737F1D2C6724057E986ADE83A" belongs to virus/spyware 'EICAR-AV-Test'. "'
       win.eventdata.data: 'File, C:\temp\Firefox\cache\cache2\entries\6F4EAA33D575A7F737F1D2C6724057E986ADE83A, EICAR-AV-Test, -1, VEA, A threat has been blocked and quarantined., 539295806'

**Phase 3: Completed filtering (rules).
       Rule id: '110001'
       Level: '12'
       Description: 'Sophos Endpoint: Virus/spyware has been detected'
**Alert to be generated.

I have attached the rules I wrote.

jnasselle commented 3 years ago

Hi @jtyocum!

Unfortunately ossec-logtest can't be used to test Windows EventChannel logs. This is because said logs would be decoded as windows-eventchannel when reaching Wazuh; however, when testing with ossec-logtest it won't be able to determine whether they come from Windows EventChannel, so it will use the default JSON decoder and the logs end up decoded as JSON.

There is a workaround used for testing this type of rule. All Windows EventChannel events have rule 60000 as their parent (0575-win-base_rules.xml). Change this rule as follows in /var/ossec/ruleset/rules/0575-win-base_rules.xml:

    <rule id="60000" level="0">
        <decoded_as>json</decoded_as>
        <field name="win.system.providerName">\.+</field>
        <options>no_full_log</options>
        <description>Group of windows rules</description>
    </rule>

IMPORTANT: Remember this change is only intended for testing with ossec-logtest, and the rule should be restored to its original state once you are done. Then set rule 60601 (Windows Application warning event) as the parent of your grouping rule:

    <rule id="110000" level="0">
        <if_sid>60601</if_sid>
        <field name="win.system.providerName">^Sophos</field>
        <description>Sophos Endpoint messages grouped.</description>
    </rule>

After this change, you can see which rule consumes your event by running ossec-logtest with the -v option.

[root@manager ~]# /var/ossec/bin/ossec-logtest -v
2021/01/21 23:29:20 ossec-testrule: INFO: Started (pid: 4460).
ossec-testrule: Type one log per line.

{"win":{"system":{"providerName":"Sophos Anti-Virus","eventID":"32","level":"3","task":"1","keywords":"0x80000000000000","systemTime":"2021-01-21T18:27:17.655992100Z","eventRecordID":"438016","channel":"Application","computer":"deohs-pshrdsh01.deohs.washington.edu","severityValue":"WARNING","message":"\"File \"C:\\temp\\Firefox\\cache\\cache2\\entries\\6F4EAA33D575A7F737F1D2C6724057E986ADE83A\" belongs to virus/spyware 'EICAR-AV-Test'.\r\n\""},"eventdata":{"data":"File, C:\\temp\\Firefox\\cache\\cache2\\entries\\6F4EAA33D575A7F737F1D2C6724057E986ADE83A, EICAR-AV-Test, -1, VEA, A threat has been blocked and quarantined., 539295806"}}}

**Phase 1: Completed pre-decoding.
       full event: '{"win":{"system":{"providerName":"Sophos Anti-Virus","eventID":"32","level":"3","task":"1","keywords":"0x80000000000000","systemTime":"2021-01-21T18:27:17.655992100Z","eventRecordID":"438016","channel":"Application","computer":"deohs-pshrdsh01.deohs.washington.edu","severityValue":"WARNING","message":"\"File \"C:\\temp\\Firefox\\cache\\cache2\\entries\\6F4EAA33D575A7F737F1D2C6724057E986ADE83A\" belongs to virus/spyware 'EICAR-AV-Test'.\r\n\""},"eventdata":{"data":"File, C:\\temp\\Firefox\\cache\\cache2\\entries\\6F4EAA33D575A7F737F1D2C6724057E986ADE83A, EICAR-AV-Test, -1, VEA, A threat has been blocked and quarantined., 539295806"}}}'
       timestamp: '(null)'
       hostname: 'manager'
       program_name: '(null)'
       log: '{"win":{"system":{"providerName":"Sophos Anti-Virus","eventID":"32","level":"3","task":"1","keywords":"0x80000000000000","systemTime":"2021-01-21T18:27:17.655992100Z","eventRecordID":"438016","channel":"Application","computer":"deohs-pshrdsh01.deohs.washington.edu","severityValue":"WARNING","message":"\"File \"C:\\temp\\Firefox\\cache\\cache2\\entries\\6F4EAA33D575A7F737F1D2C6724057E986ADE83A\" belongs to virus/spyware 'EICAR-AV-Test'.\r\n\""},"eventdata":{"data":"File, C:\\temp\\Firefox\\cache\\cache2\\entries\\6F4EAA33D575A7F737F1D2C6724057E986ADE83A, EICAR-AV-Test, -1, VEA, A threat has been blocked and quarantined., 539295806"}}}'

**Phase 2: Completed decoding.
       decoder: 'json'
       win.system.providerName: 'Sophos Anti-Virus'
       win.system.eventID: '32'
       win.system.level: '3'
       win.system.task: '1'
       win.system.keywords: '0x80000000000000'
       win.system.systemTime: '2021-01-21T18:27:17.655992100Z'
       win.system.eventRecordID: '438016'
       win.system.channel: 'Application'
       win.system.computer: 'deohs-pshrdsh01.deohs.washington.edu'
       win.system.severityValue: 'WARNING'
       win.system.message: '"File "C:\temp\Firefox\cache\cache2\entries\6F4EAA33D575A7F737F1D2C6724057E986ADE83A" belongs to virus/spyware 'EICAR-AV-Test'.
"'
       win.eventdata.data: 'File, C:\temp\Firefox\cache\cache2\entries\6F4EAA33D575A7F737F1D2C6724057E986ADE83A, EICAR-AV-Test, -1, VEA, A threat has been blocked and quarantined., 539295806'

**Rule debugging:
    Trying rule: 1 - Generic template for all syslog rules.
       *Rule 1 matched.
       *Trying child rules.
    Trying rule: 600 - Active Response Messages Grouped
    Trying rule: 200 - Grouping of wazuh rules.
    Trying rule: 2100 - NFS rules grouped.
    Trying rule: 2507 - OpenLDAP group.
    Trying rule: 2550 - rshd messages grouped.
    Trying rule: 2701 - Ignoring procmail messages.
    Trying rule: 2800 - Pre-match rule for smartd.
    Trying rule: 5100 - Pre-match rule for kernel messages.
    Trying rule: 5200 - Ignoring hpiod for producing useless logs.
    Trying rule: 2830 - Crontab rule group.
    Trying rule: 5300 - Initial grouping for su messages.
    Trying rule: 5905 - useradd failed.
    Trying rule: 5400 - Initial group for sudo messages.
    Trying rule: 9100 - PPTPD messages grouped.
    Trying rule: 9200 - Squid syslog messages grouped.
    Trying rule: 2900 - Dpkg (Debian Package) log.
    Trying rule: 2930 - Yum logs.
    Trying rule: 2931 - Yum logs.
    Trying rule: 2940 - NetworkManager grouping.
    Trying rule: 2943 - nouveau driver grouping.
    Trying rule: 2962 - Perdition custom app group.
    Trying rule: 3100 - Grouping of the sendmail rules.
    Trying rule: 3190 - Grouping of the smf-sav sendmail milter rules.
    Trying rule: 3300 - Grouping of the postfix reject rules.
    Trying rule: 3320 - Grouping of the postfix rules.
    Trying rule: 3390 - Grouping of the clamsmtpd rules.
    Trying rule: 3395 - Grouping of the postfix warning rules.
    Trying rule: 3500 - Grouping for the spamd rules
    Trying rule: 3600 - Grouping of the imapd rules.
    Trying rule: 3700 - Grouping of mailscanner rules.
    Trying rule: 3800 - Grouping of Exchange rules.
    Trying rule: 3900 - Grouping for the courier rules.
    Trying rule: 4300 - Grouping of PIX rules
    Trying rule: 4500 - Grouping for the Netscreen Firewall rules
    Trying rule: 4700 - Grouping of Cisco IOS rules.
    Trying rule: 4800 - SonicWall messages grouped.
    Trying rule: 5500 - Grouping of the pam_unix rules.
    Trying rule: 5556 - unix_chkpwd grouping.
    Trying rule: 5600 - Grouping for the telnetd rules
    Trying rule: 5700 - SSHD messages grouped.
    Trying rule: 5757 - Bad DNS mapping.
    Trying rule: 6100 - Solaris BSM Auditing messages grouped.
    Trying rule: 6200 - Asterisk messages grouped.
    Trying rule: 6300 - Grouping for the MS-DHCP ipv4 rules.
    Trying rule: 6350 - Grouping for the MS-DHCP ipv6 rules.
    Trying rule: 7200 - Arpwatch messages grouped.
    Trying rule: 7300 - Grouping of Symantec AV rules.
    Trying rule: 7400 - Grouping of Symantec Web Security rules.
    Trying rule: 7600 - Grouping of Trend OSCE rules.
    Trying rule: 9300 - Grouping for the Horde imp rules.
    Trying rule: 9400 - Roundcube messages grouped.
    Trying rule: 9500 - Wordpress messages grouped.
    Trying rule: 9600 - cimserver messages grouped.
    Trying rule: 9700 - Dovecot Messages Grouped.
    Trying rule: 9770 - dovecot-info grouping.
    Trying rule: 9800 - Grouping for the vm-pop3d rules.
    Trying rule: 9900 - Grouping for the vpopmail rules.
    Trying rule: 11100 - Grouping for the ftpd rules.
    Trying rule: 11200 - Grouping for the proftpd rules.
    Trying rule: 11300 - Grouping for the pure-ftpd rules.
    Trying rule: 11310 - Rule grouping for pure ftpd transfers.
    Trying rule: 11400 - Grouping for the vsftpd rules.
    Trying rule: 11500 - Grouping for the Microsoft ftp rules.
    Trying rule: 12100 - Grouping of the named rules
    Trying rule: 13100 - Grouping for the smbd rules.
    Trying rule: 13106 - Grouping for the nmbd rules.
    Trying rule: 14100 - Grouping of racoon rules.
    Trying rule: 14200 - Grouping of Cisco VPN concentrator rules
    Trying rule: 19100 - VMWare messages grouped.
    Trying rule: 19101 - VMWare ESX syslog messages grouped.
    Trying rule: 30100 - Apache messages grouped.
    Trying rule: 31200 - Grouping of Zeus rules.
    Trying rule: 31300 - Nginx messages grouped.
    Trying rule: 31404 - PHP Warning message.
    Trying rule: 31405 - PHP Fatal error.
    Trying rule: 31406 - PHP Parse error.
    Trying rule: 40700 - Systemd rules
    Trying rule: 40900 - firewalld grouping
    Trying rule: 50100 - MySQL messages grouped.
    Trying rule: 50500 - PostgreSQL messages grouped.
    Trying rule: 51000 - Grouping for dropbear rules.
    Trying rule: 51500 - Grouping of bsd_kernel alerts
    Trying rule: 51521 - Grouping for groupdel rules.
    Trying rule: 51523 - No core dumps.
    Trying rule: 51525 - ftp-proxy cannot connect to a server.
    Trying rule: 51526 - Hard drive is dying.
    Trying rule: 51527 - CARP master to backup.
    Trying rule: 51528 - Duplicate IPv6 address.
    Trying rule: 51529 - Could not load a firmware.
    Trying rule: 51530 - hotplugd could not open a file.
    Trying rule: 51532 - Bad ntp peer.
    Trying rule: 51550 - doas grouping
    Trying rule: 52500 - Clamd messages grouped.
    Trying rule: 52501 - ClamAV: database update
    Trying rule: 53500 - OpenSMTPd grouping.
    Trying rule: 500000 - Unbound grouping.
    Trying rule: 80000 - Puppet Master messages grouped.
    Trying rule: 80001 - Puppet Agent messages grouped.
    Trying rule: 80100 - Netscaler messages grouped.
    Trying rule: 80200 - AWS alert.
    Trying rule: 80500 - Serv-u messages grouped.
    Trying rule: 80700 - Audit: messages grouped.
    Trying rule: 81100 - USB messages grouped.
    Trying rule: 81300 - Redis messages grouped.
    Trying rule: 81400 - OpenSCAP messages grouped.
    Trying rule: 81600 - Fortigate v3 messages grouped.
    Trying rule: 81601 - Fortigate v4 messages grouped.
    Trying rule: 81602 - Fortigate v5 messages grouped.
    Trying rule: 81700 - HP 5500 EI messages grouped.
    Trying rule: 81800 - OpenVPN messages grouped.
    Trying rule: 81900 - RSA Authentication Manager messages grouped.
    Trying rule: 82000 - Imperva messages grouped.
    Trying rule: 82100 - Sophos alerts.
    Trying rule: 82200 - FreeIPA syslog.
    Trying rule: 82400 - Cisco eStreamer messages grouped.
    Trying rule: 85000 - SQL Server messages.
    Trying rule: 85500 - Identity Guard Log.
    Trying rule: 85750 - MongoDB messages
    Trying rule: 86000 - Docker messages
    Trying rule: 86250 - Jenkins messages
    Trying rule: 86800 - VShell message grouped.
    Trying rule: 86600 - Suricata messages.
    Trying rule: 86900 - Qualysguard messages grouped.
    Trying rule: 87000 - Cylance events messages grouped.
    Trying rule: 87050 - Cylance threats messages grouped.
    Trying rule: 87100 - VirusTotal integration messages.
    Trying rule: 87200 - pvedaemon messages grouped.
    Trying rule: 87300 - ownCloud messages grouped.
    Trying rule: 87310 - ownCloud messages grouped.
    Trying rule: 22401 - Vuls integration event.
    Trying rule: 87402 - CIS-CAT events.
    Trying rule: 87403 - Old CIS-CAT events.
    Trying rule: 87500 - Exim SMTP Messages Grouped.
    Trying rule: 87501 - dovecot messages grouped.
    Trying rule: 23501 - $(vulnerability.cve) affects $(vulnerability.package.name)
    Trying rule: 87600 - OpenVAS (gsad) messages grouped.
    Trying rule: 87608 - OpenVAS (openvasmd) messages grouped.
    Trying rule: 88000 - Percona Server audit events grouped.
    Trying rule: 89050 - McAfee AUDIT Plugin for MySQL events grouped.
    Trying rule: 88100 - MariaDB group messages.
    Trying rule: 87700 - pfSense firewall rules grouped.
    Trying rule: 87900 - Docker alerts: $(docker.Type)
    Trying rule: 60000 - Group of windows rules
       *Rule 60000 matched.
       *Trying child rules.
    Trying rule: 60001 - Group of Windows rules for the Security channel
    Trying rule: 60002 - Group of Windows rules for the System channel
    Trying rule: 60003 - Group of Windows rules for the Application channel
       *Rule 60003 matched.
       *Trying child rules.
    Trying rule: 60006 - Group of Windows rules for the McAfee channel
    Trying rule: 60600 - Windows Application informational event
    Trying rule: 60601 - Windows Application warning event
       *Rule 60601 matched.
       *Trying child rules.
    Trying rule: 61063 - Group of Microsoft-Windows-SoftwareRestrictionPolicies events
    Trying rule: 110000 - Sophos Endpoint messages grouped.
       *Rule 110000 matched.
       *Trying child rules.
    Trying rule: 110001 - Sophos Endpoint: Virus/spyware has been detected
       *Rule 110001 matched.

**Phase 3: Completed filtering (rules).
       Rule id: '110001'
       Level: '12'
       Description: 'Sophos Endpoint: Virus/spyware has been detected'
**Alert to be generated.

Finally, remember to restore the rule 60000 and restart your manager. You should see your rules working as expected now.

I hope it helps. Let me know if you have further questions.

Regards, Nico
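The workaround and the restore step from the answer above, as an added example that is not from the issue or the Wazuh project: a POSIX shell script that swaps rule 60000 to the json decoder for one ossec-logtest run and puts the original file back on exit, so the test-only rule never stays in the live ruleset. The stock `<decoded_as>windows_eventchannel</decoded_as>` line in rule 60000, the two default paths and the `RULES_FILE`/`LOGTEST` variables are assumptions.

```shell
#!/bin/sh
# Added example (not from the issue or the Wazuh project). Automates the
# logtest workaround from the thread: rewrite rule 60000 to use the json
# decoder plus a providerName field check, run ossec-logtest -v on the
# patched ruleset, and restore the original file however logtest exits.
#
# Assumptions: the stock rule 60000 contains the line
#   <decoded_as>windows_eventchannel</decoded_as>
# (assumed here, not quoted from the ruleset), and the default paths below.

RULES_FILE="${RULES_FILE:-/var/ossec/ruleset/rules/0575-win-base_rules.xml}"
LOGTEST="${LOGTEST:-/var/ossec/bin/ossec-logtest}"

# patch_win_base SRC DST: copy SRC to DST, changing only the block between
# <rule id="60000" ...> and its </rule>. The windows_eventchannel decoder
# becomes json, and a field match on win.system.providerName is added so the
# rule still only accepts Windows-shaped JSON events. Other rules that carry
# the same decoder line are left untouched.
patch_win_base() {
    sed -e '/<rule id="60000"/,/<\/rule>/ s|<decoded_as>windows_eventchannel</decoded_as>|<decoded_as>json</decoded_as>\
    <field name="win.system.providerName">\\.+</field>|' "$1" > "$2"
}

# restore_rules BACKUP: move the untouched copy back into place.
restore_rules() {
    if [ -f "$1" ]; then
        mv "$1" "$RULES_FILE"
    fi
}

# logtest_with_workaround: feed events on stdin to ossec-logtest -v with the
# patched ruleset. The trap restores the original even on Ctrl-C or an error,
# which is the "remember to restore rule 60000" step from the thread.
logtest_with_workaround() {
    backup="$RULES_FILE.orig.$$"
    cp "$RULES_FILE" "$backup" || return 1
    trap 'restore_rules "$backup"' EXIT INT TERM
    patch_win_base "$backup" "$RULES_FILE" || return 1
    "$LOGTEST" -v
}

# Typical use: printf '%s\n' "$EVENT_JSON" | logtest_with_workaround
```

Because the live file is restored by the trap, the manager only needs a restart if it was running while the patched copy was in place.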

jnasselle commented 3 years ago

Closed due to inactivity. Feel free to open the issue again if you have any related question.