if_sid inserts rules at the first level of the tree when it should not. #14785

Open
juliancnn opened this issue Aug 31, 2022 · 0 comments
Labels
module/analysis Issues related to the Analysis daemon type/bug Something isn't working

Comments

@juliancnn (Member)
| Wazuh version | Component | Install type | Install method | Platform |
|---------------|-----------|--------------|----------------|----------|
| Any | Wazuh-Analysisd | Manager | Any | Linux |

Since old versions of Wazuh, at least since v3.13, there is a bug related to the `if_sid` option. If a space (`' '`) is left in the label after the id (before `</if_sid>`), then the rule, besides being added as a child rule, will also be added as a parent rule, being evaluated even if its parent rule has not been added.

To reproduce it, the following decoder and rule can be added:

Decoder

```xml
<decoder name="if_sid_test">
    <program_name>if_sid_test</program_name>
    <regex>(\d+.\d+.\d+.\d+)</regex>
    <order>srcip</order>
</decoder>
```

Rule

```xml
<rule id="100001" level="5">
  <if_sid>5716</if_sid>
  <program_name>if_sid_test|ssh</program_name>
  <srcip>1.1.1.1</srcip>
  <description>Test if_sid_test</description>
</rule>
```

Then the next log should trigger the 100001 rule:

```
Dec 10 01:02:02 host sshd[1234]: Failed none for root from 1.1.1.1 port 1066 ssh2
```

And the following log should not (and in fact does not) match the 100001 rule:

```
Dec 10 01:02:02 host if_sid_test[1234]: Failed none for root from 1.1.1.1 port 1066 ssh2
```

Current output in master/v4.5 and ossec-logtest (v3.13):

```
2022/08/31 17:24:30 ossec-testrule: INFO: Started (pid: 2059).
ossec-testrule: Type one log per line.

Dec 10 01:02:02 host if_sid_test[1234]: Failed none for root from 1.1.1.1 port 1066 ssh2


**Phase 1: Completed pre-decoding.
       full event: 'Dec 10 01:02:02 host if_sid_test[1234]: Failed none for root from 1.1.1.1 port 1066 ssh2'
       timestamp: 'Dec 10 01:02:02'
       hostname: 'host'
       program_name: 'if_sid_test'
       log: 'Failed none for root from 1.1.1.1 port 1066 ssh2'

**Phase 2: Completed decoding.
       decoder: 'if_sid_test'
       srcip: '1.1.1.1'

**Phase 3: Completed filtering (rules).
       Rule id: '1002'
       Level: '2'
       Description: 'Unknown problem somewhere in the system.'
```


but if the `<if_sid>5716</if_sid>` label is changed to `<if_sid>5716 </if_sid>` (note the space at the end), then the 100001 rule matches when it should not:

```
2022/08/31 17:30:14 ossec-testrule: INFO: Started (pid: 2069).
ossec-testrule: Type one log per line.

Dec 10 01:02:02 host if_sid_test[1234]: Failed none for root from 1.1.1.1 port 1066 ssh2


**Phase 1: Completed pre-decoding.
       full event: 'Dec 10 01:02:02 host if_sid_test[1234]: Failed none for root from 1.1.1.1 port 1066 ssh2'
       timestamp: 'Dec 10 01:02:02'
       hostname: 'host'
       program_name: 'if_sid_test'
       log: 'Failed none for root from 1.1.1.1 port 1066 ssh2'

**Phase 2: Completed decoding.
       decoder: 'if_sid_test'
       srcip: '1.1.1.1'

**Phase 3: Completed filtering (rules).
       Rule id: '100001'
       Level: '5'
       Description: 'sshd: authentication failed from IP 1.1.1.1.'
**Alert to be generated.
```

Regards

@juliancnn juliancnn added type/bug Something isn't working module/analysis Issues related to the Analysis daemon labels Aug 31, 2022
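An added example, not Wazuh's own code: a whitespace-tolerant `if_sid` parser in C that places a rule at the root of the tree only when the element is genuinely empty, so a stray trailing space as in `<if_sid>5716 </if_sid>` cannot turn a child rule into a top-level one. The function names, the `-1` error convention and the rejection of empty or non-numeric tokens are assumptions made for this example.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define MAX_IF_SID 16

/* Parse the text content of an <if_sid> element into parent rule ids.
 * Returns the number of ids found, 0 when the element is blank (rule belongs
 * at the root of the tree), or -1 when a token is empty or not numeric.
 * Whitespace around every comma-separated token is ignored, so "5716 " and
 * "5716" yield exactly the same result. */
int parse_if_sid(const char *text, int *ids, int max_ids)
{
    int count = 0;
    const char *start = text;
    for (;;) {
        const char *comma = strchr(start, ',');
        const char *end = comma ? comma : start + strlen(start);
        const char *a = start, *b = end;
        while (a < b && isspace((unsigned char)*a)) a++;      /* trim left  */
        while (b > a && isspace((unsigned char)b[-1])) b--;   /* trim right */
        if (a == b) {
            /* An empty token is only acceptable when the whole element is blank. */
            return (count == 0 && comma == NULL) ? 0 : -1;
        }
        if (count >= max_ids) return -1;
        int value = 0;
        for (const char *q = a; q < b; q++) {
            if (!isdigit((unsigned char)*q)) return -1;       /* "57a6" -> error */
            value = value * 10 + (*q - '0');
        }
        ids[count++] = value;
        if (comma == NULL) return count;
        start = comma + 1;
    }
}

/* True only when the element carries no parent id at all. */
int attaches_to_root(const char *if_sid_text)
{
    int ids[MAX_IF_SID];
    return parse_if_sid(if_sid_text, ids, MAX_IF_SID) == 0;
}

int main(void)
{
    const char *samples[] = { "5716", "5716 ", " 5716 , 5717", "", "5716,", "57a6" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        int ids[MAX_IF_SID];
        int n = parse_if_sid(samples[i], ids, MAX_IF_SID);
        printf("'%s' -> %d id(s), root=%d\n", samples[i], n, attaches_to_root(samples[i]));
    }
    return 0;
}
```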