Logtest from the app #1434
Comments
jctello
added
type/enhancement
jesusgn90
added
priority/medium
UI/UX
|
Hi team, For the first iteration of this issue, I've designed de solution below: A new button for open de This button would open a new section with an empty text area where introduce the log, and a text viewer on seeing the
It will be possible thanks to a new API endpoint that sending a log in string fromat e.g.: {"timestamp":"2019-09-03T13:22:27.950+0000","rule":{"level":7,"description":"python: Undocumented local_file protocol allows remote attackers to bypass protection mechanisms","id":"23504","firedtimes":33,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"]},"agent":{"id":"000","name":"a205e5b2a1aa"},"manager":{"name":"a205e5b2a1aa"},"id":"1567516947.252273","cluster":{"name":"wazuh","node":"master"},"decoder":{"name":"json"},"data":{"vulnerability":{"cve":"CVE-2019-9948","title":"python: Undocumented local_file protocol allows remote attackers to bypass protection mechanisms","severity":"Medium","published":"2019-03-23T00:00:00+00:00","state":"Fixed","cvss":{"cvss3_score":"7.400000"},"package":{"name":"python","version":"2.7.5-80.el7_6","condition":"less than 2.7.5-86.el7"},"advisories":"RHSA-2019:2030,RHSA-2019:1700","cwe_reference":"CWE-749","bugzilla_reference":"https://bugzilla.redhat.com/show_bug.cgi?id=1695570","reference":"https://access.redhat.com/security/cve/CVE-2019-9948"}},"location":"vulnerability-detector"}Returns us a **Phase 1: Completed pre-decoding.
full event: 'timestamp:2019-09-03T13:22:27.950+0000 rule:level:7 rule:description:python: Undocumented local_file protocol allows remote attackers to bypass protection mechanisms rule:id:23504 rule:firedtimes:33 rule:mail:false rule:groups:[vulnerability-detector] rule:gdpr:[IV_35.7.d] agent:id:000 agent:name:a205e5b2a1aa manager:{name:a205e5b2a1aa} id:1567516947.252273 cluster:name:wazuh cluster:node:master decoder:{name:json} data:{vulnerability:cve:CVE-2019-9948} data:{vulnerability:title:python: Undocumented local_file protocol allows remote attackers to bypass protection mechanisms} data:{vulnerability:severity:Medium} data:{vulnerability:published:2019-03-23T00:00:00+00:00} data:{vulnerability:state:Fixed} data:{vulnerability:cvss:{cvss3_score:7.400000}} data:{vulnerability:package:name:python} data:{vulnerability:package:version:2.7.5-80.el7_6} data:{vulnerability:package:condition:less than 2.7.5-86.el7} data:{vulnerability:advisories:RHSA-2019:2030,RHSA-2019:1700} data:{vulnerability:cwe_reference:CWE-749} data:{vulnerability:bugzilla_reference:https://bugzilla.redhat.com/show_bug.cgi?id=1695570} data:{vulnerability:reference:https://access.redhat.com/security/cve/CVE-2019-9948} location:vulnerability-detector'
timestamp: '(null)'
hostname: 'a205e5b2a1aa'
program_name: '(null)'
log: 'timestamp:2019-09-03T13:22:27.950+0000 rule:level:7 rule:description:python: Undocumented local_file protocol allows remote attackers to bypass protection mechanisms rule:id:23504 rule:firedtimes:33 rule:mail:false rule:groups:[vulnerability-detector] rule:gdpr:[IV_35.7.d] agent:id:000 agent:name:a205e5b2a1aa manager:{name:a205e5b2a1aa} id:1567516947.252273 cluster:name:wazuh cluster:node:master decoder:{name:json} data:{vulnerability:cve:CVE-2019-9948} data:{vulnerability:title:python: Undocumented local_file protocol allows remote attackers to bypass protection mechanisms} data:{vulnerability:severity:Medium} data:{vulnerability:published:2019-03-23T00:00:00+00:00} data:{vulnerability:state:Fixed} data:{vulnerability:cvss:{cvss3_score:7.400000}} data:{vulnerability:package:name:python} data:{vulnerability:package:version:2.7.5-80.el7_6} data:{vulnerability:package:condition:less than 2.7.5-86.el7} data:{vulnerability:advisories:RHSA-2019:2030,RHSA-2019:1700} data:{vulnerability:cwe_reference:CWE-749} data:{vulnerability:bugzilla_reference:https://bugzilla.redhat.com/show_bug.cgi?id=1695570} data:{vulnerability:reference:https://access.redhat.com/security/cve/CVE-2019-9948} location:vulnerability-detector'
**Phase 2: Completed decoding.
No decoder matched.
**Phase 3: Completed filtering (rules).
Rule id: '1002'
Level: '2'
Description: 'Unknown problem somewhere in the system.'The API issue is this wazuh/wazuh-api#449 Regards. |
|
Update 04/09/2019 Today I implemented a new ruleset shortcuts component. From these shortcuts, you can create a new file (either rule, decoder or lists), upload files, and open the For this, I have used the
On the other hand, for the Logtest, the requests have been mocked, and a component has been created consisting of a text area where the log would be introduced, and on the other hand, a
|
|
Update 05/09/2019 Today the navigation in ruleset tabs was changed. The right sidebar was deprecated by an improved action bar inside the tables. On the other hand, the way to show the result of the test has been changed from
Additionally, the design of the ruleset tables has been improved to adapt them to the look and feel of eui tables (they are not going to be migrated still).
|
|
Update 06/09/2019 Today the design and logic of the testlog have been improved. In addition, the ruleset tables have been redesigned to resemble Finally, the
Branch: https://github.com/wazuh/wazuh-kibana-app/tree/logtest |
|
Update 09/09/2019 Today I've done an alternative mode to show de logtest. I renamed de Dev tools section by Tools. In this section, I would show selectable cards with some options. The first would be the old dev tools console, named now API Dev console, and a second option that would be the logtest. It looks like this:
|
|
Update 13/07/2020 The implementation of Logtest from the app has been resumed. We have added a new login menu and a new view for Logtest:
We've also added some accesses from the Rules, Decoders and CDB Lists view, which keeps the session open while you browse these sections, so you can try out the different options:
|
frankeros
added
priority/high
and removed
pending-api
|
Working on this PR (draft).
|
|
PR on revision. |
With the amazing enhancements and capabilities done to the app with version 3.9.0 the experience of creating custom decoders and rules has been greatly improved.
Almost everything can now be done through the web interface while also having the added benefit of syntax and general verification as the files are being edited.
It feels only natural to provide the users with the ability to test log messages as their rules and decoders are being written in that interface, with the possibility of providing even better feedback.
So this issue is to request a tool to test how the ruleset would react to specific log messages. As an enhancement upon the ossec-logtest, it could visually provide an interactive tree of all the rules showing the "path" taken by analysisd and highlighting why each rule and decoder matched (so like
ossec-logtest -vbut interactive).(@jesusgn90 added)
The main target of this ticket is to give the user the ability to do not need to log in using SSH into the Wazuh manager instance for testing a sample log.
Update 24/09/2019
Pending-api and Pending-core wazuh/wazuh-api#449
The text was updated successfully, but these errors were encountered: