Cosmetic syntactic and housekeeping fixes

[kravietz]

Clean up rule files

[candlerb]

AFAICS, ossec/wazuh configuration files are not XML, I would say they are "XML-like".

Specifically:

1. XML documents must have a single root element
2. To match a literal left angle bracket, wazuh uses \< instead of <. This breaks real XML parsers.

# xmllint --noout ./decoders/0340-trend-osce_decoders.xml
./decoders/0340-trend-osce_decoders.xml:19: parser error : StartTag: invalid element name
  <prematch>^20\d\d\d\d\d\d\<;></prematch>
                             ^
./decoders/0340-trend-osce_decoders.xml:20: parser error : StartTag: invalid element name
  <regex offset="after_prematch">^\d+\<;>\S+\<;>(\d+)\<;</regex>
                                       ^
./decoders/0340-trend-osce_decoders.xml:20: parser error : StartTag: invalid element name
  <regex offset="after_prematch">^\d+\<;>\S+\<;>(\d+)\<;</regex>
                                              ^
./decoders/0340-trend-osce_decoders.xml:20: parser error : StartTag: invalid element name
  <regex offset="after_prematch">^\d+\<;>\S+\<;>(\d+)\<;</regex>
                                                       ^

This is also why the regex engine treats \< as a special case, because the parser doesn't decode this sequence but passes both characters straight through.

[kravietz]

@candlerb They aren't a well-formed XML but with a little cheating they can be processed using a XML parser. The cheating involves e.g. temporarily wrapping each .xml file with artificial <rules>...</rules> which resolves the multiple roots issue. Since I need to process the rules in batch frequently (rewrite, selectively enable and disable etc) I wrote a simple tool wazuh-rule-manager and obviously reimplementing a custom XML-like parser from scratch didn't really sound like the most exciting plan :)

[candlerb]

Sure, although your preprocessor would have to convert \< to something else too, at least if you're processing decoders. If your tool is only processing rules, then I don't think there are any examples of that syntax in the current ruleset.

[Lopuiz]

Hello @kravietz,

First of all, thank you for your contribution to the Ruleset repository. And I am sorry for so late answer.
I had approved your modification in rules/0020-syslog_rules.xml and rules/log-entries/kernel in this PR.
Also, there is no difference between the original rules/0350-amazon_rules.xml file and the file in your PR.
I understand that it was a mistake and you just want to add the changes to the rules/log-entries/87300, rules/0485-cylance_rules.xml and rules/0500-owncloud_rules.xml files.
Can you solve it so the PR can be merged?

Kind regards, Eva

[kravietz]

@Lopuiz There is an important change in the amazon_rules.xml commit - the problem is that the original version has Unicode ZERO WIDTH SPACE U+200B character inside the GuardDuty name which is not rendered in the diff (obviously) and only visible in hex editor. I stumbled upon this when I tried to grep logs for GuardDuty but didn't find anything because the string in log message was really Guard<U+200B>Duty. I think I described it in detail in the original commit message. Most likely the original author of the rule just copy-pasted the name from GuardDuty website not noticing it has this character inside.

[Lopuiz]

All right, forgive the misunderstanding.
I will review it and give you an answer as soon as possible.

Regards, Eva

[kravietz]

Hi @Lopuiz any luck with these? This is a small but important fix that will cause no problems.

[Lopuiz]

Hi!

We will add these modifications in version 3.11 of Wazuh Ruleset

Regards,
Eva

[chemamartinez]

Hi @kravietz,

Sorry for the delay in the revisions and response, and thank you for the contribution. It is really appreciated.

I can see you add new rules for syslog events. However, you mentioned it neither in the title nor in the description. I am also missing sample events that match with new rules.

They would be very useful to create unit tests for newly rules. They are a requirement to add new rules to the repository. Here you can see some examples: https://github.com/wazuh/wazuh-ruleset/tree/master/tools/rules-testing/tests

Finally, the pull request has conflicts for the syslog rules file, probably due to other changes that have been added to the file. Can you rebase the 3.12 branch to solve them?

Again many thanks for the contribution, we hope changes are merged soon.

Best regards,
Chema.