Merge branch 'master' into dev-download-shared-files

CHANGELOG.md

@@ -15,39 +15,68 @@ All notable changes to this project will be documented in this file.
 - Get Windows packages inventory natively. ([#471](https://github.com/wazuh/wazuh/pull/471))
 - Supporting AES encryption for manager and agent. ([#448](https://github.com/wazuh/wazuh/pull/448))
 - Added Rids Synchronization. ([#459](https://github.com/wazuh/wazuh/pull/459))
+- Added option for setting the group that the agent belongs to when registering it with authd ([#460](https://github.com/wazuh/wazuh/pull/460))
+- Added option for setting the source IP when the agent registers with authd ([#460](https://github.com/wazuh/wazuh/pull/460))
+- Included millisecond timing in timestamp to JSON events. ([#467](https://github.com/wazuh/wazuh/pull/467))
+- Added an option in Analysisd to set input event offset for plugin decoders. ([#512](https://github.com/wazuh/wazuh/pull/512))
 
 ### Changed
 
 - Add default value for option -x in agent_control tool.
 - Syscheck RT process granularized to make frequency option more accurate.
 - External libraries moved to an external repository.
+- Allow more than 256 directories in real-time for Windows agent using recursive watchers. ([#540](https://github.com/wazuh/wazuh/pull/540))
+- Ignore OverlayFS directories on Rootcheck system scan.
+- Compiling external libraries as shared objects in order to shrink space. ([#483](https://github.com/wazuh/wazuh/pull/483))
 
 ### Fixed
 
 - Fix bug in Logcollector when removing duplicate localfiles. ([#402](https://github.com/wazuh/wazuh/pull/402))
 - Fix weird behavior in Syscheck when a modified file returns back to its first state. ([#434](https://github.com/wazuh/wazuh/pull/434))
 - Fixed invalid alerts reported by Syscollector when the event contains the word "error". ([#461](https://github.com/wazuh/wazuh/pull/461))
+- Fixed registry_ignore problem on syscheck for Windows when arch="both" was used. ([#525](https://github.com/wazuh/wazuh/pull/525))
+- Silenced Vuls integration starting and ending alerts. ([#541](https://github.com/wazuh/wazuh/pull/541))
+- Windows delete pending active-responses before reset agent. ([#563](https://github.com/wazuh/wazuh/pull/563))
+- Fix bug in Rootcheck for Windows that searches for keys in 32-bit mode only. ([#566](https://github.com/wazuh/wazuh/pull/566))
 
 ### Removed
 
 - Deleted Lua language support.
 
 ## [v3.2.2]
 
+### Added
+
+- Created an input queue for Remoted to prevent agent connection starvation. ([#509](https://github.com/wazuh/wazuh/pull/509))
+
 ### Changed
 
 - Updated Slack integration. ([#443](https://github.com/wazuh/wazuh/pull/443))
-
+- Increased connection timeout for remote upgrades. ([#480](https://github.com/wazuh/wazuh/pull/480))
+- Vulnerability-detector does not stop agents detection if it fails to find the software for one of them.
+- Improve the version comparator algorithm in vulnerability-detector. ([#508](https://github.com/wazuh/wazuh/pull/508/files))
 
 ### Fixed
 
 - Fixed bug in labels settings parser that may make Agentd or Logcollector crash.
-- Fixed issue when setting multiple <server-ip> stanzas in versions 3.0 - 3.2.1. ([#433](https://github.com/wazuh/wazuh/pull/433))
-- Fixed bug when socket database messages we not sent correctly. ([#435](https://github.com/wazuh/wazuh/pull/435))
-- Fixed sudden stop in the sources installer when overwriting a previous corrupt installation.
+- Fixed issue when setting multiple `<server-ip>` stanzas in versions 3.0 - 3.2.1. ([#433](https://github.com/wazuh/wazuh/pull/433))
+- Fixed bug when socket database messages are not sent correctly. ([#435](https://github.com/wazuh/wazuh/pull/435))
+- Fixed unexpected stop in the sources installer when overwriting a previous corrupt installation.
 - Added a synchronization timeout in the cluster to prevent it from blocking ([#447](https://github.com/wazuh/wazuh/pull/447))
 - Fixed issue in CSyslogd when filtering by rule group. ([#446](https://github.com/wazuh/wazuh/pull/446))
 - Fixed error on DB daemon when parsing rules with options introduced in version 3.0.0.
+- Fixed unrecognizable characters error in Windows version name. ([#478](https://github.com/wazuh/wazuh/pull/478))
+- Fix Authd client in old versions of Windows ([#479](https://github.com/wazuh/wazuh/pull/479))
+- Cluster's socket management improved to use persistent connections ([#481](https://github.com/wazuh/wazuh/pull/481))
+- Fix memory corruption in Syscollector decoder and memory leaks in Vulnerability Detector. ([#482](https://github.com/wazuh/wazuh/pull/482))
+- Fixed memory corruption in Wazuh DB autoclosing procedure.
+- Fixed dangling db files at DB Sync module folder. ([#489](https://github.com/wazuh/wazuh/pull/489))
+- Fixed agent group file deletion when using Authd.
+- Fix memory leak in Maild with JSON input. ([#498](https://github.com/wazuh/wazuh/pull/498))
+- Fixed remote command switch option. ([#504](https://github.com/wazuh/wazuh/pull/504))
+- Fixed agent wait condition and improve logging messages. ([#550](https://github.com/wazuh/wazuh/pull/550))
+- Fix race condition in settings load time by Windows agent. ([#551](https://github.com/wazuh/wazuh/pull/551))
+- Fix bug in Authd that prevented it from deleting agent-info files when removing agents.
 
 ## [v3.2.1] 2018-03-03
 

active-response/win/route-null.cmd

@@ -23,7 +23,7 @@ EXIT /B 1
 :: Check for a valid IP
 ECHO "%3" | %WINDIR%\system32\findstr.exe /R %IP_REGEX% >nul || ECHO Invalid IP && EXIT /B 2
 :: Extracts last ip address from ipconfig and routes to this address. Windows will not allow routing to 127.0.0.1
-FOR /F "TOKENS=2* DELIMS=:" %%A IN ('%WINDIR%\system32\ipconfig.exe ^| %WINDIR%\system32\findstr.exe /R /C:"IPv*4* Address"') DO FOR %%B IN (%%A) DO SET IPADDR=%%B
+FOR /F "TOKENS=2* DELIMS=:" %%A IN ('%WINDIR%\system32\ipconfig.exe ^| %WINDIR%\system32\findstr.exe /R /C:".*IP.*[0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*"') DO FOR %%B IN (%%A) DO SET IPADDR=%%B
 :: Adding IP to be null-routed. IP will be routed to local machine IP
 %WINDIR%\system32\route.exe -p ADD %3 MASK 255.255.255.255 %IPADDR%
 GOTO LOG

etc/decoders/0065-cisco-ios_decoders.xml

@@ -9,28 +9,69 @@
 
 <!--
   - Group for Cisco IOS messages.
-  - We would need to support multiple formats, but currently we require
-  - no service time stamp and no sequence-numbers.
-  -
-  - Aug 17 17:41:26 xyz.com 681: Aug 17 17:41:24.776 AEST: %SEC-6-IPACCESSLOGS: list 30 denied 124.254.75.141 1 packet
-  - Aug 20 11:33:41 RouterName 696: %SYS-5-CONFIG_I: Configured from
-  console by admin on vty0 (210.x.x.12)
-  - 681: Aug 17 17:41:24.776 AEST: %SEC-6-IPACCESSLOGS:
-  - 1348: .Jun 12 18:22:22 UTC: %SYS-5-CONFIG_I:
-  - 1348: *Jun 12 18:22:22 UTC: %SYS-5-CONFIG_I:
-  - 23: May  3 05:15:25.217 UTC: %SEC-6-IPACCESSLOGP:
-  - Possible regex:
-  "^%\w+-\d-\w+: |^\S\w\w+ \.\d \d\d:\S+ \w+: %\w+-\d-\w+:"
-  -->
+ -->
+
+
 <decoder name="cisco-ios">
   <prematch>^%\w+-\d-\w+: </prematch>
 </decoder>
 
+<!--
+  - With "empty" program name
+-->
 <decoder name="cisco-ios">
   <program_name />
   <prematch>^%\w+-\d-\w+: </prematch>
 </decoder>
 
+<!--
+  - Hour first, no date or sequence number
+  - 00:00:46: %LINK-3-UPDOWN: Interface Port-channel1, changed state to up
+-->
+
+<decoder name="cisco-ios">
+  <prematch>^\d+:\d+:\d+:\s+%</prematch>
+</decoder>
+
+<!--
+  - Date and hour (preceded by * or nothing), no sequence number
+  - *Mar  1 18:46:11: %SYS-5-CONFIG_I: Configured from console by vty2 (10.34.195.36)
+  - Mar  1 18:46:11: %SYS-5-CONFIG_I: Configured from console by vty2 (10.34.195.36)
+-->
+<decoder name="cisco-ios">
+  <prematch>^\p*\w+\s+\d*\s+\d+:\d+:\d+:\s+%</prematch>
+</decoder>
+
+<!--
+  - Date and hour (preceded by * or nothing) with ms and timezone, no sequence number
+  - *Mar  1 18:48:50.483 UTC: %SYS-5-CONFIG_I: Configured from console by vty2 (10.34.195.36)
+-->
+<decoder name="cisco-ios">
+  <prematch>^\p*\w+\s+\d*\s+\d+:\d+:\d+.\d+\s+\w+:\s+%</prematch>
+</decoder>
+
+
+<!--
+  - Sequence number, no date or time
+  - 000019: %SYS-5-CONFIG_I: Configured from console by vty2 (10.34.195.36)
+-->
+
+<decoder name="cisco-ios">
+  <prematch>^\d+: %</prematch>
+</decoder>
+
+<!--
+  - Sequence number, date (preceded by * or . or nothing) and hour
+  - 1348: .Jun 12 18:22:22 UTC: %SYS-5-CONFIG_I:
+  - 1348: *Jun 12 18:22:22 UTC: %SYS-5-CONFIG_I:
+  - 1348: Jun 12 18:22:22 UTC: %SYS-5-CONFIG_I:
+  - 681: Aug 17 17:41:24.776 AEST: %SEC-6-IPACCESSLOGS:
+-->
+
+<decoder name="cisco-ios">
+  <prematch>^\d+:\s+\p*\w+\s+\d+\s+\S+\s+\w+:\s+%</prematch>
+</decoder>
+
 
 <!-- Cisco IOS
   - Will extract the action, srcip, srcport, dstip and dstport
@@ -39,6 +80,7 @@
   - %SEC-6-IPACCESSLOGP: list 102 denied tcp 10.0.6.56(3067) -> 172.36.4.7(139), 1 packet
   - %SEC-6-IPACCESSLOGP: list 199 denied tcp 10.0.61.108(1477) -> 10.0.127.20(445), 1 packet
   -->
+
 <decoder name="cisco-ios-acl">
   <parent>cisco-ios</parent>
   <type>firewall</type>
@@ -68,10 +110,11 @@
 
 
 <!-- Cisco IOS
-  - Extracts the ID of cisco ios messages.
+  - Extracts the ID of cisco ios messages IF NOT IDS/ACL log.
   -->
-<decoder name="cisco-ios-generic">
+<decoder name="cisco-ios-default">
   <parent>cisco-ios</parent>
-  <regex>^(%\w+-\d-\w+): </regex>
+  <regex>(%\w+-\d-\w+):</regex>
   <order>id</order>
 </decoder>
+

etc/decoders/0140-kernel_decoders.xml

@@ -175,10 +175,14 @@ Examples:
 USB
 
 Feb  3 10:23:08 testsys kernel: usb 1-1.2: New USB device found, idVendor=0781, idProduct=5575
+Mar 23 15:04:52 manager kernel: [62828.333722] usb 1-1: New USB device found, idVendor=0930, idProduct=6544
+Mar 23 15:05:23 manager kernel: usb 1-1: USB disconnect, device number 2
+Mar 23 15:05:23 manager kernel: [62859.373865] usb 1-1: USB disconnect, device number 2
+
 -->
 <decoder name="usb-storage-attached">
     <parent>kernel</parent>
-    <prematch offset="after_parent">^usb</prematch>
-    <regex offset="after_parent">^(usb) </regex>
+    <prematch offset="after_parent">^usb|^[\S+] usb</prematch>
+    <regex offset="after_parent">^(usb) |^[\S+] (usb)</regex>
     <order>id</order>
 </decoder>

etc/decoders/0185-openldap_decoders.xml

@@ -19,17 +19,28 @@
   - Jan 11 09:26:57 hostname slapd[20872]: conn=999999 fd=64
         ^- Connection closed
 
+  - Oct  2 19:51:22 example slapd[30864]: conn=1068 fd=19 ACCEPT from IP=192.168.0.2:59800 (IP=0.0.0.0:636)
+  - Feb 11 20:12:27 ldap slapd[13129]: conn=15098 fd=23 ACCEPT from IP=[fda2:3ab6:adf4:aa2a::0]:45242 (IP=[::]:389)
+
   -->
 <decoder name="openldap">
     <program_name>^slapd</program_name>
     <accumulate/>
 </decoder>
 
-<decoder name="openldap-connect">
+<decoder name="openldap-connect_ipv6">
+    <parent>openldap</parent>
+    <prematch>ACCEPT from IP=[</prematch>
+    <regex>^conn=(\d+) fd=\d+ ACCEPT from IP=[(\S+)]:\d+ \(IP=[(\S+)]:</regex>
+    <order>id, srcip, dstip</order>
+    <accumulate/>
+</decoder>
+
+<decoder name="openldap-connect_ipv4">
     <parent>openldap</parent>
-    <prematch>ACCEPT</prematch>
-    <regex>^conn=(\d+) fd=\d+ ACCEPT from IP=(\S+):</regex>
-    <order>id, srcip</order>
+    <prematch>ACCEPT from IP=</prematch>
+    <regex>^conn=(\d+) fd=\d+ ACCEPT from IP=(\S+):\d+ \(IP=(\S+):</regex>
+    <order>id, srcip, dstip</order>
     <accumulate/>
 </decoder>
 

etc/decoders/0220-postfix_decoders.xml

@@ -45,6 +45,6 @@
   <use_own_name>true</use_own_name>
   <parent>postfix</parent>
   <prematch>^warning:</prematch>
-  <regex>^warning: (\S+):|warning: Illegal address syntax from unknown[(\S+)]</regex>
+  <regex>^warning: (\S+):|warning: Illegal address syntax from unknown[(\S+)]|warning: hostname \S+ does not resolve to address (\S+): </regex>
   <order>srcip</order>
 </decoder>

etc/decoders/0275-sendmail_decoders.xml

@@ -19,6 +19,17 @@
   from [200.121.73.169] [200.121.73.169] due to pre-greeting traffic
   - sendmail[7818]: j6KKHo2d007818: rejecting commands from sv.e103gng.com [66.62.19.10] due to pre-greeting traffic
  -->
+
+ <!--
+   Sep 29 17:11:02 ramp sendmail[21549]: v8TLB2x7021549: from=<example@email.com>, size=909, class=0, nrcpts=1, msgid=<201709292111.v8TLB1Nj021545@email.com>, proto=ESMTP, daemon=MTA, relay=localhost.localdomain [127.0.0.1]
+
+   Sep 29 17:11:02 ramp sendmail[21549]: v8TLB2x7021549: from=<example@email.com>, size=909, class=0, nrcpts=1, msgid=<201709292111.v8TLB1Nj021545@email.com>, proto=ESMTP, daemon=MTA, relay=[127.0.0.1]
+
+   Sep 29 17:11:02 ramp sendmail[21549]: v8TLB2x7021549: from=<example@email.com>, size=909, class=0, nrcpts=1, msgid=<201709292111.v8TLB1Nj021545@email.com>, proto=ESMTP, daemon=MTA, relay=localhost.localdomain [12001:0db8:::0d0b]
+   
+   Sep 29 17:11:02 ramp sendmail[21549]: v8TLB2x7021549: from=<example@email.com>, size=909, class=0, nrcpts=1, msgid=<201709292111.v8TLB1Nj021545@email.com>, proto=ESMTP, daemon=MTA, relay=[2001:0db8:85a3:0000:0000:8a2e:0370:7334]
+ -->
+
 <decoder name="sendmail-reject">
   <program_name>^sendmail|^sm-mta|^sm-msp-queue</program_name>
 </decoder>
@@ -33,14 +44,14 @@
 <decoder name="sendmail-reject-nodns">
   <parent>sendmail-reject</parent>
   <prematch>relay=[</prematch>
-  <regex offset="after_prematch">^(\S+)]</regex>
+  <regex offset="after_prematch">^(\d+.\d+.\d+.\d+)]|^(\w*:\w*:\w*)]|^(\w*:\w*:\w*:\w*)]|^(\w*:\w*:\w*:\w*:\w*)]|^(\w*:\w*:\w*:\w*:\w*:\w*)]|^(\w*:\w*:\w*:\w*:\w*:\w*:\w*)]|^(\w*:\w*:\w*:\w*:\w*:\w*:\w*:\w*)]</regex>
   <order>srcip</order>
 </decoder>
 
 <decoder name="sendmail-reject-dns">
   <parent>sendmail-reject</parent>
   <prematch>relay=\S+ [</prematch>
-  <regex offset="after_prematch">^(\S+)]</regex>
+  <regex offset="after_prematch">^(\d+.\d+.\d+.\d+)]|^(\w*:\w*:\w*)]|^(\w*:\w*:\w*:\w*)]|^(\w*:\w*:\w*:\w*:\w*)]|^(\w*:\w*:\w*:\w*:\w*:\w*)]|^(\w*:\w*:\w*:\w*:\w*:\w*:\w*)]|^(\w*:\w*:\w*:\w*:\w*:\w*:\w*:\w*)]</regex>
   <order>srcip</order>
 </decoder>
 

etc/decoders/0378-mariadb_decoders.xml

@@ -0,0 +1,73 @@
+<!--
+  -  MariaDB decoders
+  -  Created by Wazuh, Inc. <support@wazuh.com>.
+  -  This program is a free software; you can redistribute it and/or modify it under the terms of GPLv2.
+-->
+
+
+<!--
+  - More log examples would be appreciated
+ -->
+
+<!-- 
+  May 24 11:51:30 mysql09a mysql-server_auditing:  mysql09a.local,ahc_shwb01_t,ahc-web29d.local,849705,0,DISCONNECT,ahc_shwb01_t,,0
+  20170817 16:04:33,ip-172-30-0-38,root,localhost,29,913,READ,company,employees_salaries,
+  2017-09-25 10:25:36 139864032768576 [Note] InnoDB: Highest supported file format is Barracuda.
+-->
+
+<decoder name="mariadb-syslog">
+    <program_name>mysql</program_name>
+</decoder>
+
+<!--
+May 24 11:51:30 mysql09a mysql-server_auditing:  mysql09a.local,ahc_shwb01_t,ahc-web29d.local,849705,0,DISCONNECT,ahc_shwb01_t,,0
+-->
+<decoder name="mariadb-syslog-fields">
+    <parent>mariadb-syslog</parent>
+    <regex> (\.*),(\.*),(\.*),(\.*),(\.*),(\.*),(\.*),(\.*),(\.*)</regex>
+    <order>mariadb.info,mariadb.username,mariadb.host,mariadb.connectionid,mariadb.queryid,mariadb.operation,mariadb.database,mariadb.object,mariadb.retcode</order>
+</decoder>
+
+<!--
+MariaDB Table events
+20170817 16:04:33,ip-172-30-0-38,root,localhost,29,913,READ,company,employees_salaries,
+-->
+
+<decoder name="mariadb-syslog">
+    <prematch>^\d+\s+\S+,ip-</prematch>
+</decoder>
+
+<decoder name="mariadb-syslog-fields-2">
+    <parent>mariadb-syslog</parent>
+    <regex>ip-(\.*),(\.*),(\.*),\.*,\.*,(\.*),(\.*)</regex>
+    <order>mariadb.ip,mariadb.username,mariadb.host,mariadb.action,mariadb.resource</order>
+</decoder>
+
+
+<!--
+MariaDB log_error
+2017-09-25  9:40:07 140509614809664 [Note] InnoDB: Mutexes and rw_locks use GCC atomic builtins
+2017-10-02  0:21:24 139861115417152 [Warning] InnoDB: New log files created, LSN=145690444812
+2017-09-25 10:12:05 139667224206080 [ERROR] mysqld: Table './example' is marked as crashed and should be repaired
+2017-09-25 10:25:05 139665896770304 [Note] Event Scheduler: Purging the queue. 0 events
+-->
+<decoder name="mariadb-syslog">
+    <prematch>^\S+\s+\S+\s+\d+\s+[\w+]\s+InnoDB:</prematch>
+</decoder>
+
+<decoder name="mariadb-syslog">
+    <prematch>^\S+\s+\S+\s+\d+\s+[\w+]\s+mysqld:</prematch>
+</decoder>
+
+<decoder name="mariadb-syslog">
+    <prematch>^\S+\s+\S+\s+\d+\s+[\w+]\s+Event Scheduler:</prematch>
+</decoder>
+
+<decoder name="mariadb-errors">
+    <parent>mariadb-syslog</parent>
+    <regex>([\w+])\s+(\.*)$</regex>
+    <order>mariadb.type,mariadb.log</order>
+</decoder>
+
+
+