
analysisd: Fix Missing fields in rules description evaluation #7073

Merged
vikman90 merged 2 commits into master from 7044-analysisd-fix-rules-description
Jan 15, 2021

Conversation

@juliancnn juliancnn commented Dec 31, 2020

Related issue
#7044

Hi team!,

This PR fixes the description output in rule evaluation.

Description

When variables are used in the description option, the dstgeoip and dstport variables are never filled. This does not affect the evaluation of the rule, only the output of the alert.

Wazuh-Logtest Output

Simple example for testing:

decoders

```xml
<decoder name="example">
  <program_name>^example</program_name>
</decoder>

<!-- Child decoder: sharing the parent's name is allowed; it only runs after the parent matched -->
<decoder name="example">
  <parent>example</parent>
  <!-- Dots are escaped so they match a literal '.'; an unescaped '.' matches any character in OS_Regex -->
  <regex>User '(\w+)' logged from '(\d+\.\d+\.\d+\.\d+):(\d+)' to '(\d+\.\d+\.\d+\.\d+):(\d+)'</regex>
  <!-- 'user' is stored in the dstuser field, which is why Phase 2 below prints dstuser -->
  <order>user, srcip, srcport, dstip, dstport</order>
</decoder>
```

rules

```xml
<!-- Rules files need a <group> wrapper; the group names are taken from the Phase 3 output below -->
<group name="local,syslog,sshd,">
  <rule id="100010" level="0">
    <program_name>example</program_name>
    <description>User logged from $(srcip):$(srcport) to $(dstip):$(dstport)[$(dstgeoip)] </description>
  </rule>
</group>
```

test log

```
Dec 25 20:45:02 MyHost example[12345]: User 'admin' logged from '8.8.8.8:55000' to '200.16.19.1:22'
```

Current output

Missing dstgeoip and dstport in the description (Phase 3):

```
Starting wazuh-logtest v4.2.0
Type one log per line
Dec 25 20:45:02 MyHost example[12345]: User 'admin' logged from '8.8.8.8:55000' to '200.16.19.1:22'
**Phase 1: Completed pre-decoding.
        full event: 'Dec 25 20:45:02 MyHost example[12345]: User 'admin' logged from '8.8.8.8:55000' to '200.16.19.1:22''
        timestamp: 'Dec 25 20:45:02'
        hostname: 'MyHost'
        program_name: 'example'
**Phase 2: Completed decoding.
        name: 'example'
        dstip: '200.16.19.1'
        dstport: '22'
        dstuser: 'admin'
        srcip: '8.8.8.8'
        srcport: '55000'
**Phase 3: Completed filtering (rules).
        id: '100010'
        level: '0'
        description: 'User logged from 8.8.8.8:55000 to 200.16.19.1:[] '
        groups: '['local', 'syslog', 'sshd']'
        firedtimes: '1'
        mail: 'False'
```

PR output

```
Starting wazuh-logtest v4.2.0
Type one log per line

Dec 25 20:45:02 MyHost example[12345]: User 'admin' logged from '8.8.8.8:55000' to '200.16.19.1:22'

**Phase 1: Completed pre-decoding.
        full event: 'Dec 25 20:45:02 MyHost example[12345]: User 'admin' logged from '8.8.8.8:55000' to '200.16.19.1:22''
        timestamp: 'Dec 25 20:45:02'
        hostname: 'MyHost'
        program_name: 'example'

**Phase 2: Completed decoding.
        name: 'example'
        dstip: '200.16.19.1'
        dstport: '22'
        dstuser: 'admin'
        srcip: '8.8.8.8'
        srcport: '55000'

**Phase 3: Completed filtering (rules).
        id: '100010'
        level: '0'
        description: 'User logged from 8.8.8.8:55000 to 200.16.19.1:22[AR / Cordoba] '
        groups: '['local', 'syslog', 'sshd']'
        firedtimes: '1'
        mail: 'False'
```

Tests

  • runtest.py -c -g
  • Compilation without warnings in every supported platform
    • Linux
    • Windows
    • MAC OS X
  • Source installation
  • Package installation
  • Memory tests for Linux
    • Scan-build report
    • Coverity
    • Valgrind (memcheck and descriptor leaks check)
    • Dr. Memory
    • AddressSanitizer
  • Memory tests for Windows
  • Memory tests for macOS
  • Retrocompatibility with older Wazuh versions
  • Working on cluster environments
  • Configuration on demand reports new parameters
  • The data flow works as expected (agent-manager-api-app)

@juliancnn juliancnn self-assigned this Dec 31, 2020
@juliancnn juliancnn linked an issue Dec 31, 2020 that may be closed by this pull request

@jnasselle jnasselle left a comment

Hi @juliancnn !

These changes still don't fix the use of static fields like program_name, hostname and location. Could you please add them in order to have full support?

Regards,
Nico

@juliancnn juliancnn force-pushed the 7044-analysisd-fix-rules-description branch from 3492abe to abf29ee Compare January 4, 2021 16:12
@juliancnn (Member Author)

> Hi @juliancnn !
>
> These changes still don't fix the use of static fields like program_name, hostname and location. Could you please add them in order to have full support?
>
> Regards,
> Nico

Hi @jnasselle,

You're right, hostname and program_name were added in the last commit.
@chemamartinez suggested not adding the location field, since this is internal Wazuh data that is not decoded from the log.

Regards,
Juli

@juliancnn juliancnn requested a review from jnasselle January 4, 2021 16:25
@juliancnn (Member Author)

New test rule:

```xml
<rule id="100010" level="0">
  <program_name>example</program_name>
  <description>User logged from $(srcip):$(srcport) to $(dstip):$(dstport)[$(dstgeoip)] - program_name: '$(program_name)' hostname '$(hostname)'</description>
</rule>
```

PR output

```
Dec 25 20:45:02 MyHost example[12345]: User 'admin' logged from '8.8.8.8:55000' to '200.16.19.1:22'

**Phase 1: Completed pre-decoding.
        full event: 'Dec 25 20:45:02 MyHost example[12345]: User 'admin' logged from '8.8.8.8:55000' to '200.16.19.1:22''
        timestamp: 'Dec 25 20:45:02'
        hostname: 'MyHost'
        program_name: 'example'

**Phase 2: Completed decoding.
        name: 'example'
        dstip: '200.16.19.1'
        dstport: '22'
        dstuser: 'admin'
        srcip: '8.8.8.8'
        srcport: '55000'

**Phase 3: Completed filtering (rules).
        id: '100010'
        level: '0'
        description: 'User logged from 8.8.8.8:55000 to 200.16.19.1:22[] - program_name: 'example' hostname 'MyHost''
        groups: '['local', 'syslog', 'sshd']'
        firedtimes: '1'
        mail: 'False'
```
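To make the behaviour discussed in the PR description and in the follow-up comment above reproducible without a Wazuh manager, here is an added example (not Wazuh's analysisd code and not from the PR) that re-implements the `$(field)` substitution in Python over the page's own decoder, rules and test line. The pre-fix bug is modelled as a set of variable names that the old expansion looked up but never populated (dstgeoip and dstport per the description, program_name and hostname per the review comment). The GeoIP lookup is a constructed one-entry table holding the value shown in the first PR output; variables the event does not carry, such as `location`, render as an empty string, which is this example's assumption and matches the `[]` seen in the logtest outputs.

```python
import re

# Constructed sample line: the one used throughout the PR.
LOG = ("Dec 25 20:45:02 MyHost example[12345]: "
       "User 'admin' logged from '8.8.8.8:55000' to '200.16.19.1:22'")

# Phase 1 (pre-decoding): syslog header -> timestamp, hostname, program_name.
PREDECODE_RE = re.compile(
    r"^(?P<timestamp>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<hostname>\S+) "
    r"(?P<program_name>[^\[:]+)(?:\[\d+\])?: (?P<msg>.*)$")

# Phase 2 (decoding): Python translation of the page's decoder <regex> and <order>.
DECODER_RE = re.compile(
    r"User '(?P<user>\w+)' logged from '(?P<srcip>\d+\.\d+\.\d+\.\d+):(?P<srcport>\d+)'"
    r" to '(?P<dstip>\d+\.\d+\.\d+\.\d+):(?P<dstport>\d+)'")

# Constructed stand-in for a GeoIP database; the single entry is the value printed in the PR output.
GEOIP_DB = {"200.16.19.1": "AR / Cordoba"}

# Variables the pre-fix expansion never filled (assumption derived from the PR text and review).
PRE_FIX_UNFILLED = frozenset({"dstgeoip", "dstport", "hostname", "program_name"})

VAR_RE = re.compile(r"\$\((\w+)\)")


def decode(line):
    """Return the decoded event fields for one log line (phases 1 and 2 of wazuh-logtest)."""
    head = PREDECODE_RE.match(line)
    if head is None:
        raise ValueError("not a syslog-style line: %r" % line)
    event = {k: v for k, v in head.groupdict().items() if k != "msg"}
    if event["program_name"] != "example":   # parent decoder: <program_name>^example</program_name>
        return event
    body = DECODER_RE.search(head.group("msg"))
    if body is None:
        return event
    fields = body.groupdict()
    event["dstuser"] = fields.pop("user")    # 'user' in <order> is stored as dstuser
    event.update(fields)
    for side in ("src", "dst"):              # geoip fields exist only when the lookup succeeds
        loc = GEOIP_DB.get(event[side + "ip"])
        if loc is not None:
            event[side + "geoip"] = loc
    return event


def expand(description, event, unfilled=frozenset()):
    """Replace every $(name) in a rule description with the event's value for that field.

    Names in `unfilled` reproduce the pre-fix bug: looked up, but never populated. Any name the
    event does not carry (e.g. `location`, which is not decoded from the log) expands to "".
    """
    def repl(m):
        name = m.group(1)
        if name in unfilled:
            return ""
        return str(event.get(name, ""))
    return VAR_RE.sub(repl, description)


# The two rule descriptions from the PR thread.
RULE_DESC = "User logged from $(srcip):$(srcport) to $(dstip):$(dstport)[$(dstgeoip)] "
RULE_DESC_V2 = RULE_DESC + "- program_name: '$(program_name)' hostname '$(hostname)'"


if __name__ == "__main__":
    ev = decode(LOG)
    print("before:", expand(RULE_DESC, ev, PRE_FIX_UNFILLED))
    print("after: ", expand(RULE_DESC, ev))
    print("v2:    ", expand(RULE_DESC_V2, ev))
```

Running the block prints the pre-fix string (`200.16.19.1:[]`) and the fixed one (`200.16.19.1:22[AR / Cordoba]`), and the second rule shows `program_name` and `hostname` being taken from the pre-decoded header rather than from the decoder's `<order>` fields.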


@jnasselle jnasselle left a comment

LGTM!

@juliancnn juliancnn added type/bug Something isn't working module/analysis Issues related to the Analysis daemon labels Jan 6, 2021


Development

Successfully merging this pull request may close these issues.

Missing fields in rules description evaluation

5 participants