Wazuh - Configuring Custom Rules Based on Hostname



  • We want to edit /var/ossec/etc/rules/local_rules.xml

    sudo nano /var/ossec/etc/rules/local_rules.xml
    

    Our file should look like this:

    GNU nano 2.9.3   /var/ossec/etc/rules/local_rules.xml            
     
    <!-- Local rules -->
     
    <!-- Modify it at your will. -->
    <!-- Copyright (C) 2015-2019, Wazuh Inc. -->
     
    <!-- Example -->
    <group name="local,syslog,sshd,">
     
      <!--
      Dec 10 01:02:02 host sshd[1234]: Failed none for root from 1.1.1.$
      -->
      <rule id="100001" level="5">
        <if_sid>5716</if_sid>
        <srcip>1.1.1.1</srcip>
        <description>sshd: authentication failed from IP 1.1.1.1.</desc$
        <group>authentication_failed,pci_dss_10.2.4,pci_dss_10.2.5,</gr$
      </rule>
     
    </group>
    

    Let’s take a look at the current rule 5402 for privilege escalation so we can create the child rule

    ** Alert 1555331931.323394: - syslog,sudo,pci_dss_10.2.5,pci_dss_10.2.2,gpg13_7.6,gpg13_7.8,gpg13_7.13,gdpr_IV_32.2,
    2019 Apr 15 12:38:51 (jupiter) 192.168.122.252->/var/log/auth.log
    Rule: 5402 (level 3) -> 'Successful sudo to ROOT executed'
    User: root
    Apr 15 12:38:51 jupiter sudo:     joel : TTY=pts/1 ; PWD=/home/joel ; USER=root ; COMMAND=/usr/bin/docker run -it ubuntu
    tty: pts/1
    pwd: /home/joel
    command: /usr/bin/docker run -it ubuntu
    

    This is the information we want, but the severity level is only 3. That is fine on most servers, but privilege escalation is more severe on docker containers so we actually want to make it a 12 without affecting other servers.

    Add the Child Rule

    sudo nano /var/ossec/etc/rules/local_rules.xml
    

    Add this to the bottom of the file. Replace jupiter|saturn
    with your hostnames for you docker hosts.

    
    <group name="local,syslog,sshd,">
     
      <rule id="100023" level="12">
       <if_sid>5402</if_sid>
       <hostname>jupiter|saturn</hostname>
       <description>Privelege Escalation on Docker Host!!!</description>
     </rule>
     
    </group>
    

    Save and exit nano.

    Verify Rule is processing properly

    Go to your docker host and run a command using sudo. This should generate our typical 5402 alert.

    Now pull the alert from the .json file

    cat /var/ossec/logs/alerts/alerts.json | grep "\"5402\"" | head -n1 | python -m json.tool | grep full_log | cut -d "\"" -f4
    

    You should get output similar to this:

    Apr 15 12:38:51 jupiter sudo: joel : TTY=pts/1 ; PWD=/home/joel ; USER=root ; COMMAND=/usr/bin/docker run -it ubuntu
    

    Now copy that output and past it in the log test tool:

    /var/ossec/bin/ossec-logtest
    

    If executed properly, you should get this:

    **Phase 1: Completed pre-decoding.
           full event: 'Apr 15 12:38:51 jupiter sudo:     joel : TTY=pts/1 ; PWD=/home/joel ; USER=root ; COMMAND=/usr/bin/docker run -it ubuntu'
           timestamp: 'Apr 15 12:38:51'
           hostname: 'jupiter'
           program_name: 'sudo'
           log: '    joel : TTY=pts/1 ; PWD=/home/joel ; USER=root ; COMMAND=/usr/bin/docker run -it ubuntu'
     
    **Phase 2: Completed decoding.
           decoder: 'sudo'
           srcuser: 'joel'
           tty: 'pts/1'
           pwd: '/home/joel'
           dstuser: 'root'
           command: '/usr/bin/docker run -it ubuntu'
     
    **Phase 3: Completed filtering (rules).
           Rule id: '100023'
           Level: '12'
           Description: 'Privelege Escalation on Docker Host!!!'
    **Alert to be generated.
    

    Restart Wazuh Manager

    sudo systemctl restart wazuh-manager
    

    Test generating the alert using any sudo command
    Enjoy your new alert πŸ™‚

    ** Alert 1555351056.962538: mail  - local,syslog,sshd,
    2019 Apr 15 17:57:36 (jupiter) 192.168.122.252->/var/log/auth.log
    Rule: 100023 (level 12) -> 'Privelege Escalation on Docker Host!!!'
    User: root
    Apr 15 17:57:35 jupiter sudo:     joel : TTY=pts/0 ; PWD=/home ; USER=root ; COMMAND=/bin/nano text
    tty: pts/0
    pwd: /home
    command: /bin/nano text
    

    c476fc93-17be-4cc4-b124-2a754d2e0d0a-image.png

    Testing on server not listed on the rule

    I ssh into my lab server mercury and run a sudo command from there. Since it is not jupiter or saturn like we set it in our rule, it did not generate a wazuh custom rule

    ** Alert 1555354943.969236: - syslog,sudo,pci_dss_10.2.5,pci_dss_10.2.2,gpg13_7.6,gpg13_7.8,gpg13_7.13,gdpr_IV_32.2,
    2019 Apr 15 19:02:23 (mercury) 192.168.122.86->/var/log/auth.log
    Rule: 5402 (level 3) -> 'Successful sudo to ROOT executed'
    User: root
    Apr 15 15:02:21 mercury sudo:     joel : TTY=pts/0 ; PWD=/home/joel ; USER=root ; COMMAND=/usr/bin/apt install glances
    tty: pts/0
    pwd: /home/joel
    command: /usr/bin/apt install glances
    


  • It sucks that you cant create rules by group yet. The devs have submitted a feature request for it on my behalf so hopefully soon πŸ™‚


Log in to reply