Since old versions of Wazuh, at least since v3.13, there is a bug related to the `if_sid` option. If a space (' ') is left in the label after the id (before `</if_sid>`), then the rule, besides being added as a child rule, will also be added as a parent rule and be evaluated even if its parent rule has not been added.
To reproduce it, the following decoder and rule can be added:

Decoder

Rule

Then the next log should trigger the 100001 rule:

```
Dec 10 01:02:02 host sshd[1234]: Failed none for root from 1.1.1.1 port 1066 ssh2
```
And the following log should not (and in fact does not) match the 100001 rule:
```
Dec 10 01:02:02 host if_sid_test[1234]: Failed none for root from 1.1.1.1 port 1066 ssh2
```
Current output in master/v4.5 and ossec-logtest (v3.13):
```
2022/08/31 17:24:30 ossec-testrule: INFO: Started (pid: 2059).
ossec-testrule: Type one log per line.

Dec 10 01:02:02 host if_sid_test[1234]: Failed none for root from 1.1.1.1 port 1066 ssh2


**Phase 1: Completed pre-decoding.
       full event: 'Dec 10 01:02:02 host if_sid_test[1234]: Failed none for root from 1.1.1.1 port 1066 ssh2'
       timestamp: 'Dec 10 01:02:02'
       hostname: 'host'
       program_name: 'if_sid_test'
       log: 'Failed none for root from 1.1.1.1 port 1066 ssh2'

**Phase 2: Completed decoding.
       decoder: 'if_sid_test'
       srcip: '1.1.1.1'

**Phase 3: Completed filtering (rules).
       Rule id: '1002'
       Level: '2'
       Description: 'Unknown problem somewhere in the system.'
```
But if the `<if_sid>5716</if_sid>` label is changed to `<if_sid>5716 </if_sid>` (note the space at the end), then the 100001 rule matches when it should not:
```
2022/08/31 17:30:14 ossec-testrule: INFO: Started (pid: 2069).
ossec-testrule: Type one log per line.

Dec 10 01:02:02 host if_sid_test[1234]: Failed none for root from 1.1.1.1 port 1066 ssh2


**Phase 1: Completed pre-decoding.
       full event: 'Dec 10 01:02:02 host if_sid_test[1234]: Failed none for root from 1.1.1.1 port 1066 ssh2'
       timestamp: 'Dec 10 01:02:02'
       hostname: 'host'
       program_name: 'if_sid_test'
       log: 'Failed none for root from 1.1.1.1 port 1066 ssh2'

**Phase 2: Completed decoding.
       decoder: 'if_sid_test'
       srcip: '1.1.1.1'

**Phase 3: Completed filtering (rules).
       Rule id: '100001'
       Level: '5'
       Description: 'sshd: authentication failed from IP 1.1.1.1.'
**Alert to be generated.
```
Regards
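Until a fixed release is in place, the practical defence is to make sure no custom rule carries the trigger condition. The script below is an added example written for this page; it is not the reporter's code and not part of Wazuh. It parses rule XML and flags every `<if_sid>` whose value has stray whitespace (such as `5716 `) or a token that is not a bare decimal rule id. The rules XML embedded in it is constructed for the example and only modelled on the report (rule 100001 with `if_sid` 5716); the whitespace-after-comma case is flagged as stricter hygiene than the report demonstrates, so treat such hits as worth reviewing rather than as confirmed triggers. Note that a Wazuh rules file may contain several top-level `<group>` elements, so it is not a well-formed XML document on its own and has to be wrapped in a synthetic root before parsing.

```python
"""Lint Wazuh/OSSEC rule files for <if_sid> values with stray whitespace.

Added example for this page, not part of the bug report or of the Wazuh
code base.  Standard library only (Python 3).
"""
import re
import xml.etree.ElementTree as ET

# Constructed sample, modelled on the report: 100001 has the trailing space
# from the report, 100002 is clean, 100003 hides a space after a comma.
SAMPLE_RULES_XML = """
<group name="local,">
  <rule id="100001" level="5">
    <if_sid>5716 </if_sid>
    <match>^Failed</match>
    <description>sshd: authentication failed from IP $(srcip).</description>
  </rule>
</group>
<group name="local2,">
  <rule id="100002" level="3">
    <if_sid>5716</if_sid>
    <description>clean child rule</description>
  </rule>
  <rule id="100003" level="3">
    <if_sid>5716, 5760</if_sid>
    <description>list with a space after the comma</description>
  </rule>
</group>
"""

# A valid if_sid token is exactly one decimal rule id, nothing else.
_ID_RE = re.compile(r"^[0-9]+$")


def parse_rules(xml_text):
    """Rule files may hold several top-level <group> elements, so wrap the
    text in a synthetic root to get a single well-formed document."""
    return ET.fromstring("<root>" + xml_text + "</root>")


def check_if_sid(text):
    """Return the list of problems for one <if_sid> text value ([] if clean).

    Two checks: whitespace around the whole value (the condition shown in the
    report), and every comma-separated token being a bare decimal id.
    """
    problems = []
    if text is None or text.strip() == "":
        return ["empty if_sid"]
    if text != text.strip():
        problems.append(f"surrounding whitespace: {text!r}")
    for tok in text.split(","):
        if not _ID_RE.match(tok):
            problems.append(f"token is not a bare rule id: {tok!r}")
    return problems


def lint_rules(xml_text):
    """Return [(rule_id, if_sid_text, problem), ...] for every suspicious
    <if_sid> found anywhere in the rules text."""
    findings = []
    for rule in parse_rules(xml_text).iter("rule"):
        rid = rule.get("id", "?")
        for node in rule.findall("if_sid"):
            for problem in check_if_sid(node.text):
                findings.append((rid, node.text, problem))
    return findings


if __name__ == "__main__":
    for rid, value, problem in lint_rules(SAMPLE_RULES_XML):
        print(f"rule {rid}: <if_sid>{value}</if_sid> -> {problem}")
```

To run it against a real deployment, read each file under the rules directory and pass its contents to `lint_rules`; any hit on rule 100001's pattern is exactly the case the report shows firing without its parent, and can be confirmed with `ossec-logtest` / `wazuh-logtest` the same way the report does.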