Avoid exceeding the maximum number of fields when loading a rule #17490

Merged: 1 commit, Jun 9, 2023

Conversation

@cborla cborla (Member) commented Jun 7, 2023

Related issue | Documentation | Testing issue
#15638 | |

Description

The purpose of this code is to prevent analysisd from loading a rule that exceeds the number of fields allowed by configuration, so that the value of the analysisd.decoder_order_size parameter is not exceeded. This avoids analysisd breaking when it tries to use this rule.

Configuration

Default configuration

internal_options.conf default value:

# Maximum number of fields in a decoder (order tag) [32..1024]
analysisd.decoder_order_size=256

Custom configuration

large rule
    <rule id="1000001" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/network/zeek/zeek_smb_converted_win_lm_namedpipe.yml</info>
        <description>First Time Seen Remote Named Pipe - Zeek</description>
        <options>no_full_log</options>
        <group>zeek,smb_files</group>
        <field name="full_log" type="pcre2">(?i)\\\\\\.+\\IPC\$</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)samr</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)lsarpc</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)winreg</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)netlogon</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)srvsvc</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)protected_storage</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)wkssvc</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)browser</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)netdfs</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)svcctl</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)spoolss</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)ntsvcs</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)LSM_API_service</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)HydraLsPipe</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)TermSrv_API_service</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)MsFteWds</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)samr</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)lsarpc</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)winreg</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)netlogon</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)srvsvc</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)protected_storage</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)wkssvc</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)browser</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)netdfs</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)svcctl</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)spoolss</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)ntsvcs</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)LSM_API_service</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)HydraLsPipe</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)TermSrv_API_service</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)MsFteWds</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)samr</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)lsarpc</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)winreg</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)netlogon</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)srvsvc</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)protected_storage</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)wkssvc</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)browser</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)netdfs</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)svcctl</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)spoolss</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)ntsvcs</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)LSM_API_service</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)HydraLsPipe</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)TermSrv_API_service</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)MsFteWds</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)samr</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)lsarpc</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)winreg</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)netlogon</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)srvsvc</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)protected_storage</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)wkssvc</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)browser</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)netdfs</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)svcctl</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)spoolss</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)ntsvcs</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)LSM_API_service</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)HydraLsPipe</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)TermSrv_API_service</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)MsFteWds</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)samr</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)lsarpc</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)winreg</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)netlogon</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)srvsvc</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)protected_storage</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)wkssvc</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)browser</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)netdfs</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)svcctl</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)spoolss</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)ntsvcs</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)LSM_API_service</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)HydraLsPipe</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)TermSrv_API_service</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)MsFteWds</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)samr</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)lsarpc</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)winreg</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)netlogon</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)srvsvc</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)protected_storage</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)wkssvc</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)browser</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)netdfs</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)svcctl</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)spoolss</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)ntsvcs</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)LSM_API_service</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)HydraLsPipe</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)TermSrv_API_service</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)MsFteWds</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)samr</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)lsarpc</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)winreg</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)netlogon</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)srvsvc</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)protected_storage</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)wkssvc</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)browser</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)netdfs</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)svcctl</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)spoolss</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)ntsvcs</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)LSM_API_service</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)HydraLsPipe</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)TermSrv_API_service</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)MsFteWds</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)samr</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)lsarpc</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)winreg</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)netlogon</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)srvsvc</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)protected_storage</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)wkssvc</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)browser</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)netdfs</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)svcctl</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)spoolss</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)ntsvcs</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)LSM_API_service</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)HydraLsPipe</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)TermSrv_API_service</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)MsFteWds</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)samr</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)lsarpc</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)winreg</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)netlogon</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)srvsvc</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)protected_storage</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)wkssvc</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)browser</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)netdfs</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)svcctl</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)spoolss</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)ntsvcs</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)LSM_API_service</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)HydraLsPipe</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)TermSrv_API_service</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)MsFteWds</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)samr</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)lsarpc</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)winreg</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)netlogon</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)srvsvc</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)protected_storage</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)wkssvc</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)browser</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)netdfs</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)svcctl</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)spoolss</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)ntsvcs</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)LSM_API_service</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)HydraLsPipe</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)TermSrv_API_service</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)MsFteWds</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)samr</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)lsarpc</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)winreg</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)netlogon</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)srvsvc</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)protected_storage</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)wkssvc</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)browser</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)netdfs</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)svcctl</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)spoolss</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)ntsvcs</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)LSM_API_service</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)HydraLsPipe</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)TermSrv_API_service</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)MsFteWds</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)samr</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)lsarpc</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)winreg</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)netlogon</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)srvsvc</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)protected_storage</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)wkssvc</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)browser</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)netdfs</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)svcctl</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)spoolss</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)ntsvcs</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)LSM_API_service</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)HydraLsPipe</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)TermSrv_API_service</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)MsFteWds</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)samr</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)lsarpc</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)winreg</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)netlogon</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)srvsvc</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)protected_storage</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)wkssvc</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)browser</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)netdfs</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)svcctl</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)spoolss</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)ntsvcs</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)LSM_API_service</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)HydraLsPipe</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)TermSrv_API_service</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)MsFteWds</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)samr</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)lsarpc</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)winreg</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)netlogon</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)srvsvc</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)protected_storage</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)wkssvc</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)browser</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)netdfs</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)svcctl</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)spoolss</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)ntsvcs</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)LSM_API_service</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)HydraLsPipe</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)TermSrv_API_service</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)MsFteWds</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)samr</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)lsarpc</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)winreg</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)netlogon</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)srvsvc</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)protected_storage</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)wkssvc</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)browser</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)netdfs</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)svcctl</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)spoolss</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)ntsvcs</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)LSM_API_service</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)HydraLsPipe</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)TermSrv_API_service</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)MsFteWds</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)samr</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)lsarpc</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)winreg</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)netlogon</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)srvsvc</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)protected_storage</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)wkssvc</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)browser</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)netdfs</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)svcctl</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)spoolss</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)ntsvcs</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)LSM_API_service</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)HydraLsPipe</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)TermSrv_API_service</field>
        <field name="full_log" negate="yes" type="pcre2">(?i)MsFteWds</field>
    </rule>

Tests

Case 1

  • Parameter analysisd.decoder_order_size=256
  • Custom rule with 255 field names
$ cat /var/ossec/etc/internal_options.conf | grep decoder_order_size
analysisd.decoder_order_size=256

$ cat /var/ossec/etc/rules/sigma_linux_auditd.xml | grep "field name" | wc -l
255

$ /var/ossec/bin/wazuh-control start
Starting Wazuh v4.4.0...
Started wazuh-apid...
Started wazuh-csyslogd...
Started wazuh-dbd...
2023/06/07 18:41:42 wazuh-integratord: INFO: Remote integrations not configured. Clean exit.
Started wazuh-integratord...
Started wazuh-agentlessd...
Started wazuh-authd...
Started wazuh-db...
Started wazuh-execd...
Started wazuh-analysisd...
Started wazuh-syscheckd...
Started wazuh-remoted...
Started wazuh-logcollector...
Started wazuh-monitord...
Started wazuh-modulesd...
Completed.

Case 2

  • Parameter analysisd.decoder_order_size=255
  • Custom rule with 255 field names
$ cat /var/ossec/etc/internal_options.conf | grep decoder_order_size
analysisd.decoder_order_size=255

$ cat /var/ossec/etc/rules/sigma_linux_auditd.xml | grep "field name" | wc -l
255

$ /var/ossec/bin/wazuh-control start
Starting Wazuh v4.4.0...
Started wazuh-apid...
Started wazuh-csyslogd...
Started wazuh-dbd...
2023/06/07 18:41:42 wazuh-integratord: INFO: Remote integrations not configured. Clean exit.
Started wazuh-integratord...
Started wazuh-agentlessd...
Started wazuh-authd...
Started wazuh-db...
Started wazuh-execd...
Started wazuh-analysisd...
Started wazuh-syscheckd...
Started wazuh-remoted...
Started wazuh-logcollector...
Started wazuh-monitord...
Started wazuh-modulesd...
Completed.

Case 3

  • Parameter analysisd.decoder_order_size=254
  • Custom rule with 255 field names
$ cat /var/ossec/etc/internal_options.conf | grep decoder_order_size
analysisd.decoder_order_size=254

$ cat /var/ossec/etc/rules/sigma_linux_auditd.xml | grep "field name" | wc -l
255

$ /var/ossec/bin/wazuh-control start
2023/06/07 18:58:11 wazuh-analysisd: ERROR: Rule 900728 has exceeded the maximum number of allowed fields
2023/06/07 18:58:11 wazuh-analysisd: CRITICAL: (1220): Error loading the rules: 'etc/rules/sigma_linux_auditd.xml'.
wazuh-analysisd: Configuration error. Exiting

Case 4

  • Parameter analysisd.decoder_order_size=253
  • Custom rule with 255 field names
$ cat /var/ossec/etc/internal_options.conf | grep decoder_order_size
analysisd.decoder_order_size=253

$ cat /var/ossec/etc/rules/sigma_linux_auditd.xml | grep "field name" | wc -l
255

$ /var/ossec/bin/wazuh-control start
2023/06/07 18:59:08 wazuh-analysisd: ERROR: Rule 900728 has exceeded the maximum number of allowed fields
2023/06/07 18:59:08 wazuh-analysisd: CRITICAL: (1220): Error loading the rules: 'etc/rules/sigma_linux_auditd.xml'.
wazuh-analysisd: Configuration error. Exiting

Case 5

  • Parameter analysisd.decoder_order_size=253
  • Custom rule with 250 field names
$ cat /var/ossec/etc/internal_options.conf | grep decoder_order_size
analysisd.decoder_order_size=253

$ cat /var/ossec/etc/rules/sigma_linux_auditd.xml | grep "field name" | wc -l
250

$ /var/ossec/bin/wazuh-control start
Starting Wazuh v4.4.0...
Started wazuh-apid...
Started wazuh-csyslogd...
Started wazuh-dbd...
2023/06/07 18:41:42 wazuh-integratord: INFO: Remote integrations not configured. Clean exit.
Started wazuh-integratord...
Started wazuh-agentlessd...
Started wazuh-authd...
Started wazuh-db...
Started wazuh-execd...
Started wazuh-analysisd...
Started wazuh-syscheckd...
Started wazuh-remoted...
Started wazuh-logcollector...
Started wazuh-monitord...
Started wazuh-modulesd...
Completed.
  • Compilation without warnings in every supported platform
    • Linux
  • Source installation
  • Package installation
  • Source upgrade
  • Package upgrade
  • Review logs syntax and correct language
  • Memory tests for Linux
    • Coverity
    • Valgrind (memcheck and descriptor leaks check)
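A pre-flight check for the limit this PR enforces, as an added example that is not part of the PR or of Wazuh's own code: it reads analysisd.decoder_order_size from internal_options.conf text, counts the <field> conditions of every rule in a rules file, and reports the rules analysisd would refuse to load, so the manager is not restarted into the "Configuration error. Exiting" state shown in cases 3 and 4. The accept/reject boundary (255 fields load with decoder_order_size=255 and are rejected with 254) is taken from the test cases above; the C check inside analysisd is not shown on this page, so the example mirrors its observable behaviour, not its implementation. The function names parse_decoder_order_size, count_rule_fields and oversized_rules, the treatment of out-of-range values as an error, and the sample rule file are this example's own assumptions.

```python
"""Pre-flight lint for Wazuh rule files: flag rules whose <field> count
exceeds analysisd.decoder_order_size before restarting the manager.

Added example, not code from the Wazuh PR or project. The accept/reject
boundary (a rule with exactly decoder_order_size fields loads, one with
more is rejected) is taken from the PR's test cases; the C check inside
analysisd is not shown on the page, so this mirrors its observable
behaviour rather than its implementation.
"""
import xml.etree.ElementTree as ET

OPTION_KEY = "analysisd.decoder_order_size"
DEFAULT_ORDER_SIZE = 256          # default shown in internal_options.conf
ORDER_SIZE_RANGE = (32, 1024)     # range stated in the option's comment line


def parse_decoder_order_size(internal_options_text):
    """Return the configured limit, or the default when the key is absent.

    Values outside [32..1024] raise ValueError; treating them as a
    configuration error is an assumption of this example.
    """
    for raw in internal_options_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if sep and key.strip() == OPTION_KEY:
            size = int(value.strip())
            lo, hi = ORDER_SIZE_RANGE
            if not lo <= size <= hi:
                raise ValueError(f"{OPTION_KEY}={size} outside {lo}..{hi}")
            return size
    return DEFAULT_ORDER_SIZE


def count_rule_fields(rules_xml_text):
    """Map rule id -> number of direct <field> children of that rule.

    Wazuh rule files may hold several top-level <group> elements with no
    single root, which ElementTree rejects, so wrap the text in one.
    """
    root = ET.fromstring("<wazuh_rules>" + rules_xml_text + "</wazuh_rules>")
    return {rule.get("id", "?"): len(rule.findall("field"))
            for rule in root.iter("rule")}


def oversized_rules(rules_xml_text, order_size):
    """Rules analysisd would refuse: field count strictly greater than
    order_size (a count equal to order_size is accepted, per the PR tests)."""
    return {rid: n for rid, n in count_rule_fields(rules_xml_text).items()
            if n > order_size}


def build_sample_rule(rule_id, n_fields):
    """Constructed test data: one rule with n_fields negated pcre2 fields."""
    fields = "\n".join(
        f'    <field name="full_log" negate="yes" type="pcre2">(?i)pipe{i}</field>'
        for i in range(n_fields))
    return (f'  <rule id="{rule_id}" level="13">\n'
            f'    <description>constructed rule {rule_id}</description>\n'
            f'{fields}\n  </rule>\n')


# Constructed sample rules file: one 255-field rule and one small rule.
SAMPLE_RULES = ('<group name="zeek,smb_files,">\n'
                + build_sample_rule(1000001, 255)
                + build_sample_rule(1000002, 3)
                + '</group>\n')

# Constructed internal_options.conf fragments matching the PR's test cases.
OPTS_255 = (f"# Maximum number of fields in a decoder (order tag) [32..1024]\n"
            f"{OPTION_KEY}=255\n")
OPTS_254 = f"{OPTION_KEY}=254\n"


if __name__ == "__main__":
    for opts in (OPTS_255, OPTS_254):
        limit = parse_decoder_order_size(opts)
        bad = oversized_rules(SAMPLE_RULES, limit)
        for rid, n in bad.items():
            print(f"{OPTION_KEY}={limit}: rule {rid} has {n} fields, "
                  f"analysisd would reject it")
        if not bad:
            print(f"{OPTION_KEY}={limit}: all rules load")
```

The count is taken per rule, matching the error line "Rule 900728 has exceeded the maximum number of allowed fields" in cases 3 and 4; the `grep "field name" | wc -l` used in the test cases counts over the whole file and also matches commented-out fields, so it only agrees with the per-rule figure when the file holds a single rule with no such comments. Run the script against the real files by reading /var/ossec/etc/internal_options.conf and each file under /var/ossec/etc/rules/ into the two functions.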

@cborla cborla requested a review from vikman90 June 7, 2023 21:32
@cborla cborla self-assigned this Jun 7, 2023
@cborla cborla added labels Jun 7, 2023: type/bug (Something isn't working), module/analysis (Issues related to the Analysis daemon), impact/low
@cborla cborla (Member, Author) commented Jun 7, 2023

ctest 🟢

ctest
Test project /wazuh/src/unit_tests/build
        Start   1: test_analysisd_syscheck
  1/161 Test   #1: test_analysisd_syscheck .................................   Passed    0.21 sec
        Start   2: test_cleanevent
  2/161 Test   #2: test_cleanevent .........................................   Passed    0.16 sec
        Start   3: test_dbsync
  3/161 Test   #3: test_dbsync .............................................   Passed    0.18 sec
        Start   4: test_exec
  4/161 Test   #4: test_exec ...............................................   Passed    0.17 sec
        Start   5: test_log
  5/161 Test   #5: test_log ................................................   Passed    0.17 sec
        Start   6: test_labels
  6/161 Test   #6: test_labels .............................................   Passed    0.19 sec
        Start   7: test_mitre
  7/161 Test   #7: test_mitre ..............................................   Passed    0.03 sec
        Start   8: test_rules
  8/161 Test   #8: test_rules ..............................................   Passed    0.20 sec
        Start   9: test_same_different_loop
  9/161 Test   #9: test_same_different_loop ................................   Passed    0.18 sec
        Start  10: test_logtest
 10/161 Test  #10: test_logtest ............................................   Passed    0.12 sec
        Start  11: test_logtest-config
 11/161 Test  #11: test_logtest-config .....................................   Passed    0.02 sec
        Start  12: test_decoder_list
 12/161 Test  #12: test_decoder_list .......................................   Passed    0.04 sec
        Start  13: test_decode-xml
 13/161 Test  #13: test_decode-xml .........................................   Passed    0.18 sec
        Start  14: test_lists_list
 14/161 Test  #14: test_lists_list .........................................   Passed    0.02 sec
        Start  15: test_rule_list
 15/161 Test  #15: test_rule_list ..........................................   Passed    0.05 sec
        Start  16: test_eventinfo_list
 16/161 Test  #16: test_eventinfo_list .....................................   Passed    0.04 sec
        Start  17: test_logmsg
 17/161 Test  #17: test_logmsg .............................................   Passed    0.05 sec
        Start  18: test_decoder_rootcheck
 18/161 Test  #18: test_decoder_rootcheck ..................................   Passed    0.19 sec
        Start  19: test_decoder_syscollector
 19/161 Test  #19: test_decoder_syscollector ...............................   Passed    0.20 sec
        Start  20: test_analysis-state
 20/161 Test  #20: test_analysis-state .....................................   Passed    0.19 sec
        Start  21: test_asyscom
 21/161 Test  #21: test_asyscom ............................................   Passed    0.23 sec
        Start  22: test_limits
 22/161 Test  #22: test_limits .............................................   Passed    0.03 sec
        Start  23: test_manager
 23/161 Test  #23: test_manager ............................................   Passed    0.19 sec
        Start  24: test_secure
 24/161 Test  #24: test_secure .............................................   Passed    0.16 sec
        Start  25: test_netbuffer
 25/161 Test  #25: test_netbuffer ..........................................   Passed    0.15 sec
        Start  26: test_sendmsg
 26/161 Test  #26: test_sendmsg ............................................   Passed    0.17 sec
        Start  27: test_remote-config
 27/161 Test  #27: test_remote-config ......................................   Passed    0.04 sec
        Start  28: test_syslogtcp
 28/161 Test  #28: test_syslogtcp ..........................................   Passed    0.17 sec
        Start  29: test_remote-state
 29/161 Test  #29: test_remote-state .......................................   Passed    0.15 sec
        Start  30: test_remcom
 30/161 Test  #30: test_remcom .............................................   Passed    0.15 sec
        Start  31: test_wdb_integrity
 31/161 Test  #31: test_wdb_integrity ......................................   Passed    0.03 sec
        Start  32: test_wdb_fim
 32/161 Test  #32: test_wdb_fim ............................................   Passed    0.06 sec
        Start  33: test_wdb_parser
 33/161 Test  #33: test_wdb_parser .........................................   Passed    0.09 sec
        Start  34: test_wdb_global_parser
 34/161 Test  #34: test_wdb_global_parser ..................................   Passed    0.09 sec
        Start  35: test_wdb_global
 35/161 Test  #35: test_wdb_global .........................................   Passed    0.23 sec
        Start  36: test_wdb_agents
 36/161 Test  #36: test_wdb_agents .........................................   Passed    0.03 sec
        Start  37: test_wdb_global_helpers
 37/161 Test  #37: test_wdb_global_helpers .................................   Passed    0.08 sec
        Start  38: test_wdb_agents_helpers
 38/161 Test  #38: test_wdb_agents_helpers .................................   Passed    0.07 sec
        Start  39: test_wdb
 39/161 Test  #39: test_wdb ................................................   Passed    0.07 sec
        Start  40: test_wdb_upgrade
 40/161 Test  #40: test_wdb_upgrade ........................................   Passed    0.05 sec
        Start  41: test_wdb_metadata
 41/161 Test  #41: test_wdb_metadata .......................................   Passed    0.02 sec
        Start  42: test_wdb_task_parser
 42/161 Test  #42: test_wdb_task_parser ....................................   Passed    0.09 sec
        Start  43: test_wdb_rootcheck
 43/161 Test  #43: test_wdb_rootcheck ......................................   Passed    0.03 sec
        Start  44: test_wdb_syscollector
 44/161 Test  #44: test_wdb_syscollector ...................................   Passed    0.07 sec
        Start  45: test_wdb_task
 45/161 Test  #45: test_wdb_task ...........................................   Passed    0.02 sec
        Start  46: test_wdb_delta_event
 46/161 Test  #46: test_wdb_delta_event ....................................   Passed    0.04 sec
        Start  47: test_wazuh_db-config
 47/161 Test  #47: test_wazuh_db-config ....................................   Passed    0.06 sec
        Start  48: test_wazuh_db_state
 48/161 Test  #48: test_wazuh_db_state .....................................   Passed    0.03 sec
        Start  49: test_wdb_com
 49/161 Test  #49: test_wdb_com ............................................   Passed    0.04 sec
        Start  50: test_auth_parse
 50/161 Test  #50: test_auth_parse .........................................   Passed    0.08 sec
        Start  51: test_auth_validate
 51/161 Test  #51: test_auth_validate ......................................   Passed    0.07 sec
        Start  52: test_auth_add
 52/161 Test  #52: test_auth_add ...........................................   Passed    0.07 sec
        Start  53: test_ssl
 53/161 Test  #53: test_ssl ................................................   Passed    0.03 sec
        Start  54: test_auth_key_request
 54/161 Test  #54: test_auth_key_request ...................................   Passed    0.08 sec
        Start  55: test_auth
 55/161 Test  #55: test_auth ...............................................   Passed    0.07 sec
        Start  56: test_msgs
 56/161 Test  #56: test_msgs ...............................................   Passed    0.03 sec
        Start  57: test_keys
 57/161 Test  #57: test_keys ...............................................   Passed    0.06 sec
        Start  58: test_sha1_op
 58/161 Test  #58: test_sha1_op ............................................   Passed    0.03 sec
        Start  59: test_blowfish_op
 59/161 Test  #59: test_blowfish_op ........................................   Passed    0.02 sec
        Start  60: test_md5_op
 60/161 Test  #60: test_md5_op .............................................   Passed    0.03 sec
        Start  61: test_md5_sha1_op
 61/161 Test  #61: test_md5_sha1_op ........................................   Passed    0.03 sec
        Start  62: test_md5_sha1_sha256_op
 62/161 Test  #62: test_md5_sha1_sha256_op .................................   Passed    0.04 sec
        Start  63: test_sha256_op
 63/161 Test  #63: test_sha256_op ..........................................   Passed    0.02 sec
        Start  64: test_wm_aws
 64/161 Test  #64: test_wm_aws .............................................   Passed    0.15 sec
        Start  65: test_wm_azure
 65/161 Test  #65: test_wm_azure ...........................................   Passed    0.16 sec
        Start  66: test_wm_ciscat
 66/161 Test  #66: test_wm_ciscat ..........................................   Passed    0.15 sec
        Start  67: test_wm_command
 67/161 Test  #67: test_wm_command .........................................   Passed    0.18 sec
        Start  68: test_wm_database
 68/161 Test  #68: test_wm_database ........................................   Passed    0.07 sec
        Start  69: test_wm_docker
 69/161 Test  #69: test_wm_docker ..........................................   Passed    0.14 sec
        Start  70: test_wm_gcp
 70/161 Test  #70: test_wm_gcp .............................................   Passed    0.25 sec
        Start  71: test_wmodules_gcp
 71/161 Test  #71: test_wmodules_gcp .......................................   Passed    0.16 sec
        Start  72: test_wm_oscap
 72/161 Test  #72: test_wm_oscap ...........................................   Passed    0.14 sec
        Start  73: test_wm_sca
 73/161 Test  #73: test_wm_sca .............................................   Passed    0.14 sec
        Start  74: test_wmodules_scheduling
 74/161 Test  #74: test_wmodules_scheduling ................................   Passed    0.03 sec
        Start  75: test_wm_vuln_detector
 75/161 Test  #75: test_wm_vuln_detector ...................................   Passed    0.23 sec
        Start  76: test_wm_vuln_detector_evr
 76/161 Test  #76: test_wm_vuln_detector_evr ...............................   Passed    0.03 sec
        Start  77: test_wm_vuln_detector_nvd
 77/161 Test  #77: test_wm_vuln_detector_nvd ...............................   Passed    0.18 sec
        Start  78: test_wm_vuln_detector_run_now
 78/161 Test  #78: test_wm_vuln_detector_run_now ...........................   Passed    0.14 sec
        Start  79: test_wm_task_manager
 79/161 Test  #79: test_wm_task_manager ....................................   Passed    0.15 sec
        Start  80: test_wm_task_manager_parsing
 80/161 Test  #80: test_wm_task_manager_parsing ............................   Passed    0.02 sec
        Start  81: test_wm_task_manager_commands
 81/161 Test  #81: test_wm_task_manager_commands ...........................   Passed    0.06 sec
        Start  82: test_wm_agent_upgrade
 82/161 Test  #82: test_wm_agent_upgrade ...................................   Passed    0.03 sec
        Start  83: test_wm_agent_upgrade_manager
 83/161 Test  #83: test_wm_agent_upgrade_manager ...........................   Passed    0.16 sec
        Start  84: test_wm_agent_upgrade_parsing
 84/161 Test  #84: test_wm_agent_upgrade_parsing ...........................   Passed    0.15 sec
        Start  85: test_wm_agent_upgrade_validate
 85/161 Test  #85: test_wm_agent_upgrade_validate ..........................   Passed    0.03 sec
        Start  86: test_wm_agent_upgrade_tasks
 86/161 Test  #86: test_wm_agent_upgrade_tasks .............................   Passed    0.04 sec
        Start  87: test_wm_agent_upgrade_tasks_callbacks
 87/161 Test  #87: test_wm_agent_upgrade_tasks_callbacks ...................   Passed    0.09 sec
        Start  88: test_wm_agent_upgrade_commands
 88/161 Test  #88: test_wm_agent_upgrade_commands ..........................   Passed    0.13 sec
        Start  89: test_wm_agent_upgrade_upgrades
 89/161 Test  #89: test_wm_agent_upgrade_upgrades ..........................   Passed    0.17 sec
        Start  90: test_wmodules
 90/161 Test  #90: test_wmodules ...........................................   Passed    0.14 sec
        Start  91: test_wm_control
 91/161 Test  #91: test_wm_control .........................................   Passed    0.13 sec
        Start  92: test_wm_github
 92/161 Test  #92: test_wm_github ..........................................   Passed    0.16 sec
        Start  93: test_wm_office365
 93/161 Test  #93: test_wm_office365 .......................................   Passed    0.12 sec
        Start  94: test_monitord
 94/161 Test  #94: test_monitord ...........................................   Passed    0.05 sec
        Start  95: test_monitor_actions
 95/161 Test  #95: test_monitor_actions ....................................   Passed    0.11 sec
        Start  96: test_logcollector
 96/161 Test  #96: test_logcollector .......................................   Passed    0.06 sec
        Start  97: test_read_multiline_regex
 97/161 Test  #97: test_read_multiline_regex ...............................   Passed    0.07 sec
        Start  98: test_localfile-config
 98/161 Test  #98: test_localfile-config ...................................   Passed    0.08 sec
        Start  99: test_state
 99/161 Test  #99: test_state ..............................................   Passed    0.03 sec
        Start 100: test_lccom
100/161 Test #100: test_lccom ..............................................   Passed    0.06 sec
        Start 101: test_macos_log
101/161 Test #101: test_macos_log ..........................................   Passed    0.04 sec
        Start 102: test_read_macos
102/161 Test #102: test_read_macos .........................................   Passed    0.07 sec
        Start 103: test_execd
103/161 Test #103: test_execd ..............................................   Passed    0.02 sec
        Start 104: test_get_command_by_name
104/161 Test #104: test_get_command_by_name ................................   Passed    0.02 sec
        Start 105: test_create_db
105/161 Test #105: test_create_db ..........................................   Passed    0.08 sec
        Start 106: test_syscom
106/161 Test #106: test_syscom .............................................   Passed    0.02 sec
        Start 107: test_fim_diff_changes
107/161 Test #107: test_fim_diff_changes ...................................   Passed    0.06 sec
        Start 108: test_run_realtime
108/161 Test #108: test_run_realtime .......................................   Passed    0.06 sec
        Start 109: test_syscheck_config
109/161 Test #109: test_syscheck_config ....................................   Passed    0.09 sec
        Start 110: test_syscheck
110/161 Test #110: test_syscheck ...........................................   Passed    0.02 sec
        Start 111: test_fim_sync
111/161 Test #111: test_fim_sync ...........................................   Passed    0.11 sec
        Start 112: test_run_check
112/161 Test #112: test_run_check ..........................................   Passed    0.11 sec
        Start 113: test_fim_db
113/161 Test #113: test_fim_db .............................................   Passed    0.07 sec
        Start 114: test_fim_db_files
114/161 Test #114: test_fim_db_files .......................................   Passed    0.07 sec
        Start 115: test_audit_healthcheck
115/161 Test #115: test_audit_healthcheck ..................................   Passed    0.06 sec
        Start 116: test_audit_rule_handling
116/161 Test #116: test_audit_rule_handling ................................   Passed    0.07 sec
        Start 117: test_syscheck_audit
117/161 Test #117: test_syscheck_audit .....................................   Passed    0.07 sec
        Start 118: test_audit_parse
118/161 Test #118: test_audit_parse ........................................   Passed    0.08 sec
        Start 119: test_list_op
119/161 Test #119: test_list_op ............................................   Passed    0.05 sec
        Start 120: test_file_op
120/161 Test #120: test_file_op ............................................   Passed    0.04 sec
        Start 121: test_integrity_op
121/161 Test #121: test_integrity_op .......................................   Passed    0.02 sec
        Start 122: test_rbtree_op
122/161 Test #122: test_rbtree_op ..........................................   Passed    0.03 sec
        Start 123: test_validate_op
123/161 Test #123: test_validate_op ........................................   Passed    0.04 sec
        Start 124: test_string_op
124/161 Test #124: test_string_op ..........................................   Passed    0.02 sec
        Start 125: test_expression
125/161 Test #125: test_expression .........................................   Passed    0.04 sec
        Start 126: test_version_op
126/161 Test #126: test_version_op .........................................   Passed    0.04 sec
        Start 127: test_queue_op
127/161 Test #127: test_queue_op ...........................................   Passed    0.03 sec
        Start 128: test_queue_linked_op
128/161 Test #128: test_queue_linked_op ....................................   Passed    0.02 sec
        Start 129: test_agent_op
129/161 Test #129: test_agent_op ...........................................   Passed    0.04 sec
        Start 130: test_enrollment_op
130/161 Test #130: test_enrollment_op ......................................   Passed    0.05 sec
        Start 131: test_time_op
131/161 Test #131: test_time_op ............................................   Passed    0.02 sec
        Start 132: test_buffer_op
132/161 Test #132: test_buffer_op ..........................................   Passed    0.02 sec
        Start 133: test_utf8_op
133/161 Test #133: test_utf8_op ............................................   Passed    0.02 sec
        Start 134: test_log_builder
134/161 Test #134: test_log_builder ........................................   Passed    0.02 sec
        Start 135: test_custom_output_search_replace
135/161 Test #135: test_custom_output_search_replace .......................   Passed    0.02 sec
        Start 136: test_bzip2_op
136/161 Test #136: test_bzip2_op ...........................................   Passed    0.02 sec
        Start 137: test_schedule_scan
137/161 Test #137: test_schedule_scan ......................................   Passed    0.03 sec
        Start 138: test_rootcheck_op
138/161 Test #138: test_rootcheck_op .......................................   Passed    0.04 sec
        Start 139: test_fs_op
139/161 Test #139: test_fs_op ..............................................   Passed    0.03 sec
        Start 140: test_wazuhdb_op
140/161 Test #140: test_wazuhdb_op .........................................   Passed    0.03 sec
        Start 141: test_syscheck_op
141/161 Test #141: test_syscheck_op ........................................   Passed    0.09 sec
        Start 142: test_audit_op
142/161 Test #142: test_audit_op ...........................................   Passed    0.02 sec
        Start 143: test_privsep_op
143/161 Test #143: test_privsep_op .........................................   Passed    0.02 sec
        Start 144: test_mq_op
144/161 Test #144: test_mq_op ..............................................   Passed    0.03 sec
        Start 145: test_remoted_op
145/161 Test #145: test_remoted_op .........................................   Passed    0.04 sec
        Start 146: test_json-queue
146/161 Test #146: test_json-queue .........................................   Passed    0.03 sec
        Start 147: test_bqueue
147/161 Test #147: test_bqueue .............................................   Passed    0.04 sec
        Start 148: test_atomic
148/161 Test #148: test_atomic .............................................   Passed    0.03 sec
        Start 149: test_url
149/161 Test #149: test_url ................................................   Passed    0.03 sec
        Start 150: test_sysinfo_utils
150/161 Test #150: test_sysinfo_utils ......................................   Passed    0.03 sec
        Start 151: test_json_op
151/161 Test #151: test_json_op ............................................   Passed    0.03 sec
        Start 152: test_rwlock_op
152/161 Test #152: test_rwlock_op ..........................................   Passed    1.59 sec
        Start 153: test_os_xml
153/161 Test #153: test_os_xml .............................................   Passed    0.08 sec
        Start 154: test_os_regex
154/161 Test #154: test_os_regex ...........................................   Passed    0.03 sec
        Start 155: test_os_regex_match
155/161 Test #155: test_os_regex_match .....................................   Passed    0.03 sec
        Start 156: test_os_regex_execute
156/161 Test #156: test_os_regex_execute ...................................   Passed    0.06 sec
        Start 157: test_os_zlib
157/161 Test #157: test_os_zlib ............................................   Passed    0.02 sec
        Start 158: test_client-config_validate_ipv6_link_local_interface
158/161 Test #158: test_client-config_validate_ipv6_link_local_interface ...   Passed    0.05 sec
        Start 159: test_os_net
159/161 Test #159: test_os_net .............................................   Passed    0.02 sec
        Start 160: test_fluentd_forwarder
160/161 Test #160: test_fluentd_forwarder ..................................   Passed    0.05 sec
        Start 161: test_active-response
161/161 Test #161: test_active-response ....................................   Passed    0.02 sec

100% tests passed, 0 tests failed out of 161

Total Test time (real) =  14.35 sec

@cborla cborla marked this pull request as ready for review June 7, 2023 22:30
@cborla cborla linked an issue Jun 8, 2023 that may be closed by this pull request
@cborla cborla force-pushed the 15638-analysisd-avoid-segfault-decoder_order_size branch from 2da488e to 3d753b8 June 8, 2023 22:03
@vikman90 vikman90 changed the base branch from 4.4 to 4.4.5 June 9, 2023 06:17
@vikman90 vikman90 merged commit 7177670 into 4.4.5 Jun 9, 2023
55 checks passed
@vikman90 vikman90 deleted the 15638-analysisd-avoid-segfault-decoder_order_size branch June 9, 2023 06:17
Labels: impact/low, module/analysis (Issues related to the Analysis daemon), type/bug (Something isn't working)
Successfully merging this pull request may close these issues: Segmentation fault in Analysisd when rule exceed decoder_order_size