
Print ruleset warning messages in wazuh-logtest #10822

Merged
merged 1 commit into from Dec 13, 2021

Conversation

juliancnn
Member

@juliancnn juliancnn commented Nov 12, 2021

Related issue
Closes #10785

Description

This PR prints rule warning messages (if they exist) in wazuh-logtest.

Example:

Custom rules that generate warnings

<rule id="100001" level="5" overwrite="yes">
  <match>basic test</match>
  <description>basic test</description>
</rule>
<rule id="100001" level="5" overwrite="yes">
  <if_sid>123</if_sid>
  <match>basic test</match>
  <description>basic test</description>
</rule>
<rule id="100005" level="5">
  <if_sid>123</if_sid>
  <match>basic test</match>
  <description>basic test</description>
</rule>

Wazuh-Logtest Output

╰─#  /var/ossec/framework/python/bin/python3 /root/repos/wazuh/framework/scripts/wazuh-logtest.py 
Starting wazuh-logtest v4.3.0
Type one log per line

Oct 15 21:06:59 linux-agent sshd[29205]: Invalid user blimey from 18.18.18.18 port 48928

** Wazuh-Logtest: WARNING: (7613): Rule ID '100001' does not exist but 'overwrite' is set to 'yes'. Still, the rule will be loaded.
** Wazuh-Logtest: WARNING: (7605): Invalid use of 'overwrite' option, it is not compatible with 'if_sid', 'if_group' nor 'if_level' attributes. Could not overwrite rule '100001'.
** Wazuh-Logtest: WARNING: (7606): Signature ID '123' was not found. Invalid 'if_sid'. Rule '100005' will be ignored.

**Phase 1: Completed pre-decoding.
        full event: 'Oct 15 21:06:59 linux-agent sshd[29205]: Invalid user blimey from 18.18.18.18 port 48928'
        timestamp: 'Oct 15 21:06:59'
        hostname: 'linux-agent'
        program_name: 'sshd'

**Phase 2: Completed decoding.
        name: 'sshd'
        parent: 'sshd'
        srcip: '18.18.18.18'
        srcport: '48928'
        srcuser: 'blimey'

**Phase 3: Completed filtering (rules).
        id: '5710'
        level: '5'
        description: 'sshd: Attempt to login using a non-existent user'
        groups: '['syslog', 'sshd', 'invalid_login', 'authentication_failed']'
        firedtimes: '1'
        gdpr: '['IV_35.7.d', 'IV_32.2']'
        gpg13: '['7.1']'
        hipaa: '['164.312.b']'
        mail: 'False'
        mitre.id: '['T1110']'
        mitre.tactic: '['Credential Access']'
        mitre.technique: '['Brute Force']'
        nist_800_53: '['AU.14', 'AC.7', 'AU.6']'
        pci_dss: '['10.2.4', '10.2.5', '10.6.1']'
        tsc: '['CC6.1', 'CC6.8', 'CC7.2', 'CC7.3']'
**Alert to be generated.

Tests

  • pep8 style
  • runtest.py
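To make the three warnings in the example above easier to reason about, here is a small rules linter written for this page (added example; it is not Wazuh's code and not part of this PR). It walks a custom rules file in order and reproduces warnings 7613, 7605 and 7606 under the conditions the logtest output shows: `overwrite="yes"` on an ID that is not loaded yet, `overwrite` combined with `if_sid`/`if_group`/`if_level`, and an `if_sid` pointing at a signature ID that does not exist. The sample rules are the ones from the PR description; `BASE_RULE_IDS` is a constructed stand-in for the IDs the base ruleset already loaded, and the order of the checks is inferred from the output above, so it is an assumption about how the analysis engine behaves rather than a statement of its implementation.

```python
"""Added example (not Wazuh's code): lint a custom rules file and reproduce
the ruleset warnings 7613 / 7605 / 7606 shown by wazuh-logtest.

Assumptions (inferred from the logtest output, not from Wazuh's source):
  1. a rule with overwrite="yes" and a parent attribute is rejected before
     its if_sid is resolved (so it gets 7605, not 7606);
  2. a rule with overwrite="yes" on an unknown ID warns 7613 but is loaded,
     so later rules can reference it;
  3. a rule whose if_sid is unknown warns 7606 and is dropped.
"""
import xml.etree.ElementTree as ET

# Constructed sample: the three custom rules from the PR description.
CUSTOM_RULES_XML = """
<rule id="100001" level="5" overwrite="yes">
  <match>basic test</match>
  <description>basic test</description>
</rule>
<rule id="100001" level="5" overwrite="yes">
  <if_sid>123</if_sid>
  <match>basic test</match>
  <description>basic test</description>
</rule>
<rule id="100005" level="5">
  <if_sid>123</if_sid>
  <match>basic test</match>
  <description>basic test</description>
</rule>
"""

# Constructed stand-in for the IDs already loaded from the base ruleset
# (5710 is the sshd rule that fires in the logtest output above).
BASE_RULE_IDS = {"5710"}

# Parent selectors that the page says are incompatible with 'overwrite'.
PARENT_TAGS = ("if_sid", "if_group", "if_level")


def lint_rules(xml_text, loaded_ids):
    """Walk the rules in file order and return (warnings, loaded_ids).

    Each warning is a (code, message) tuple mirroring the logtest text.
    A rules file has no single root element, so it is wrapped before parsing.
    """
    loaded = set(loaded_ids)
    warnings = []
    root = ET.fromstring("<rules>" + xml_text + "</rules>")
    for rule in root.iter("rule"):
        rid = rule.get("id")
        overwrite = rule.get("overwrite", "no").lower() == "yes"
        has_parent = any(rule.find(tag) is not None for tag in PARENT_TAGS)

        if overwrite:
            if has_parent:
                warnings.append((7605, "Invalid use of 'overwrite' option, it is not "
                                 "compatible with 'if_sid', 'if_group' nor 'if_level' "
                                 f"attributes. Could not overwrite rule '{rid}'."))
                continue  # rule is dropped
            if rid not in loaded:
                warnings.append((7613, f"Rule ID '{rid}' does not exist but 'overwrite' "
                                 "is set to 'yes'. Still, the rule will be loaded."))

        # if_sid may carry a comma-separated list of parent IDs.
        sids = []
        for node in rule.findall("if_sid"):
            sids.extend(s.strip() for s in (node.text or "").split(",") if s.strip())
        missing = [s for s in sids if s not in loaded]
        if missing:
            warnings.append((7606, f"Signature ID '{missing[0]}' was not found. "
                             f"Invalid 'if_sid'. Rule '{rid}' will be ignored."))
            continue  # rule is dropped

        loaded.add(rid)
    return warnings, loaded


def warning_codes(xml_text=CUSTOM_RULES_XML, loaded_ids=BASE_RULE_IDS):
    """Convenience helper: just the warning codes, in the order they occur."""
    return [code for code, _ in lint_rules(xml_text, loaded_ids)[0]]


if __name__ == "__main__":
    found, _ = lint_rules(CUSTOM_RULES_XML, BASE_RULE_IDS)
    for code, msg in found:
        print(f"** Wazuh-Logtest: WARNING: ({code}): {msg}")
```

Running it on the sample prints the same three warnings, in the same order, as the logtest session above; feeding it a rules file before deploying it to a manager is a cheap way to catch a rule that will silently be ignored.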

@juliancnn juliancnn added the type/enhancement New feature or request label Nov 12, 2021
@juliancnn juliancnn self-assigned this Nov 12, 2021
nmkoremblum
nmkoremblum previously approved these changes Nov 12, 2021
JcabreraC
JcabreraC previously approved these changes Nov 12, 2021
Member

@JcabreraC JcabreraC left a comment


LGTM !

Member

@nmkoremblum nmkoremblum left a comment


LGTM :)

Member

@JcabreraC JcabreraC left a comment


LGTM!

@vikman90 vikman90 merged commit f4ab39d into master Dec 13, 2021
@vikman90 vikman90 deleted the 10785-shows-warning-msg-logtest-script branch December 13, 2021 13:23
Labels
type/enhancement New feature or request
Successfully merging this pull request may close these issues.

Wazuh-Logtest does not show startup warnings
4 participants