
integration with OSSIM? #71

Closed
rnbwkat opened this issue Feb 6, 2017 · 3 comments

@rnbwkat
Contributor

rnbwkat commented Feb 6, 2017

You guys have done amazing work on the upgraded version of OSSEC. I wonder if anyone has thought of doing a guide for integration in the OSSIM? I have used Santiago's guide to actually do this, however, the new rulesets do not fire in this case because the IDs have not been integrated into the OSSIM DB. This would be a great add-on/enhancement. I might be willing to put a PR in as I have done some work on this, but wanted to wait on the final release of the new version.

@santiago-bassett
Member

Hi Kat,

this may help. If you have already installed the RESTful API on the Wazuh manager, you can generate an updated wazuh.sql file by going to /var/ossec/api and running the following python script (rules2ossim.py):

#!/usr/bin/env python

from sys import path
# Make the Wazuh framework package importable when run from /var/ossec/api
path.append('{0}/framework'.format(path[0]))
from wazuh.rule import Rule

#print("file;id;description;level;status;groups;pci;details")
# Reset the plugin and its sids, then register the plugin again
print("DELETE FROM plugin where id = '22000';")
print("DELETE FROM plugin_sid where plugin_id = '22000';")
print("INSERT IGNORE INTO plugin(id, type, name, description) VALUES(22000, 1, \"Wazuh\", \"Wazuh host and endpoint security\");")
print("INSERT IGNORE INTO plugin_sid(plugin_id, sid, category_id, subcategory_id, class_id, reliability, priority, name) VALUES")
# One plugin_sid row per enabled rule, sorted by rule file
for rule in Rule.get_rules(status='enabled', limit=0, sort={"fields":["file"],"order":"asc"})['items']:
#    print("{0};{1};{2};{3};{4};{5};{6};{7}".format(rule.file, rule.id, rule.description, rule.level, rule.status, rule.groups, rule.pci, rule.details))
    print("(22000, %s, 15, 173, NULL, 1, 1, \"Wazuh - %s\")," % (rule.id, rule.description))

Run it this way to remove some unwanted double quotes (the sed pass must run after the script has finished writing the file, and the file must be created fresh so that the SQL rows really start on line 5):

python rules2ossim.py > wazuh.sql && sed -i -e '5,$s/"//g' -e '5,$s/, Wazuh/, "Wazuh/g' -e '5,$s/),/"),/g' -e '$s/,$/;/' ./wazuh.sql

Then move the wazuh.sql file to the OSSIM box and run:

cat wazuh.sql | ossim-db

Now you should be able to copy ossec-single-line.cfg, rename it as wazuh.cfg and change the plugin_id to 22000 (or whatever you defined in the python script).
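The same wazuh.sql the script and the sed pass above produce, generated here with proper MySQL string escaping so that a double quote or backslash in a rule description cannot break the statement and no post-processing is needed. This is an added example, not the script from the comment: the sample rules are constructed and stand in for Rule.get_rules(...)['items'], and the plugin, category and subcategory ids are the ones used in the script above.

```python
#!/usr/bin/env python
# Added example: build the OSSIM plugin/plugin_sid SQL for Wazuh rules with
# proper escaping, so the sed clean-up of stray double quotes is not needed.

PLUGIN_ID = 22000       # plugin id used in the comment above
CATEGORY_ID = 15        # OSSIM category/subcategory ids from the script above
SUBCATEGORY_ID = 173

# Constructed sample rules standing in for Rule.get_rules(...)['items'].
# The second description deliberately contains double quotes and a backslash.
SAMPLE_RULES = [
    {"id": 64101, "description": "Remote access login failure"},
    {"id": 64102, "description": 'User "admin" logged in via \\\\fileserver'},
    {"id": 64109, "description": "Multiple remote access login failures"},
]


def sql_quote(text):
    """Double-quoted MySQL string literal; backslashes and quotes are escaped
    (MySQL default backslash escaping, which the ossim-db client uses)."""
    return '"%s"' % text.replace("\\", "\\\\").replace('"', '\\"')


def plugin_sid_row(rule, plugin_id=PLUGIN_ID):
    """One VALUES tuple; int() ensures only digits reach the sid column."""
    return "(%d, %d, %d, %d, NULL, 1, 1, %s)" % (
        plugin_id, int(rule["id"]), CATEGORY_ID, SUBCATEGORY_ID,
        sql_quote("Wazuh - " + rule["description"]))


def build_wazuh_sql(rules, plugin_id=PLUGIN_ID):
    """Full wazuh.sql text: reset the plugin, register it, then one INSERT
    whose last tuple ends in ';' (what the sed '$s/,$/;/' used to do)."""
    lines = [
        "DELETE FROM plugin WHERE id = %d;" % plugin_id,
        "DELETE FROM plugin_sid WHERE plugin_id = %d;" % plugin_id,
        "INSERT IGNORE INTO plugin(id, type, name, description) VALUES(%d, 1, %s, %s);"
        % (plugin_id, sql_quote("Wazuh"), sql_quote("Wazuh host and endpoint security")),
    ]
    rows = [plugin_sid_row(r, plugin_id) for r in rules]
    if rows:  # an empty rule list must not produce a dangling 'VALUES;'
        lines.append("INSERT IGNORE INTO plugin_sid(plugin_id, sid, category_id, "
                     "subcategory_id, class_id, reliability, priority, name) VALUES")
        lines.append(",\n".join(rows) + ";")
    return "\n".join(lines)


if __name__ == "__main__":
    print(build_wazuh_sql(SAMPLE_RULES))
```

The output keeps the four-line header the sed range `5,$` assumes, so it can be fed to `ossim-db` unchanged.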

@Regirv

Regirv commented Aug 30, 2018

Tell me, after running the script:
python rules2ossim.py >> wazuh.sql | sed -i -e '5,$s/"//g' -e '5,$s/, Wazuh/, "Wazuh/g' -e '5,$s/),/"),/g' -e '$s/,$/;/' ./wazuh.sql

I get the following error:

Traceback (most recent call last):
  File "rules2ossim.py", line 12, in <module>
    for rule in Rule.get_rules(status='enabled', limit=0, sort={"fields":["file"],"order":"asc"})['items']:
  File "/var/ossec/framework/wazuh/rule.py", line 298, in get_rules
    return {'items': cut_array(rules, offset, limit), 'totalItems': len(rules)}
  File "/var/ossec/framework/wazuh/utils.py", line 104, in cut_array
    raise WazuhException(1406)
wazuh.exception.WazuhException: Error 1406 - 0 is not a valid limit.

What is the problem?

@Zenidd
Contributor

Zenidd commented Jul 2, 2019

Hello @Regirv,

first of all, sorry for the late reply.

You must make a couple of modifications to the rules2ossim.py and common.py scripts so that they work properly:

  • On rules2ossim.py:
    • limit=0 to limit=1000.
  • On /var/ossec/framework/wazuh/common.py:
    • database_limit = 500 to database_limit = 5000
    • maximum_database_limit = 1000 to maximum_database_limit = 10000

After this fix, rules2ossim.py should generate an updated wazuh.sql.

rules2ossim.py code after limit fix:

#!/usr/bin/env python

from sys import path
# Make the Wazuh framework package importable when run from /var/ossec/api
path.append('{0}/framework'.format(path[0]))
from wazuh.rule import Rule

# Debug header only; it must stay commented out or ossim-db will reject the file
#print("file;id;description;level;status;groups;pci;details")
print("DELETE FROM plugin where id = '22000';")
print("DELETE FROM plugin_sid where plugin_id = '22000';")
print("INSERT IGNORE INTO plugin(id, type, name, description) VALUES(22000, 1, \"Wazuh\", \"Wazuh host and endpoint security\");")
print("INSERT IGNORE INTO plugin_sid(plugin_id, sid, category_id, subcategory_id, class_id, reliability, priority, name) VALUES")

# limit raised from 0 (rejected by cut_array) so that every enabled rule is returned
for rule in Rule.get_rules(status='enabled', limit=10000, sort={"fields":["file"],"order":"asc"})['items']:
#   print("{0};{1};{2};{3};{4};{5};{6};{7}".format(rule.file, rule.id, rule.description, rule.level, rule.status, rule.groups, rule.pci, rule.details))
    print("(22000, %s, 15, 173, NULL, 1, 1, \"Wazuh - %s\")," % (rule.id, rule.description))

rules2ossim.py output example:

(22000, 63613, 15, 173, NULL, 1, 1, "Wazuh - Microsoft Security Essentials - Definitions update failed"),
(22000, 63614, 15, 173, NULL, 1, 1, "Wazuh - Microsoft Security Essentials - Scan error. Scan has stopped"),
(22000, 63615, 15, 173, NULL, 1, 1, "Wazuh - Microsoft Security Essentials - Scan stopped before completion"),
(22000, 63616, 15, 173, NULL, 1, 1, "Wazuh - Microsoft Security Essentials - EICAR test file detected"),
(22000, 63617, 15, 173, NULL, 1, 1, "Wazuh - Multiple Microsoft Antimalware error events"),
(22000, 63618, 15, 173, NULL, 1, 1, "Wazuh - Multiple Microsoft Antimalware warning events"),
(22000, 64100, 15, 173, NULL, 1, 1, "Wazuh - Group of Windows rules for Remote Access"),
(22000, 64101, 15, 173, NULL, 1, 1, "Wazuh - Remote access login failure"),
(22000, 64102, 15, 173, NULL, 1, 1, "Wazuh - Remote access login success"),
(22000, 64103, 15, 173, NULL, 1, 1, "Wazuh - Windows file system full"),
(22000, 64104, 15, 173, NULL, 1, 1, "Wazuh - Group of Windows rules for Terminal Services"),
(22000, 64105, 15, 173, NULL, 1, 1, "Wazuh - TS Gateway login success"),
(22000, 64106, 15, 173, NULL, 1, 1, "Wazuh - Ignore rule 64105: not related to TS Gateway"),
(22000, 64107, 15, 173, NULL, 1, 1, "Wazuh - TS Gateway login failure"),
(22000, 64108, 15, 173, NULL, 1, 1, "Wazuh - TS Gateway user disconnected"),
(22000, 64109, 15, 173, NULL, 1, 1, "Wazuh - Multiple remote access login failures"),

I'm closing this ticket. Please don't hesitate to open another if you need it.
Kind regards,

Juan Pablo Sáez
