Wazuh: list option is not work while overwriting an existing rule

Created on 23 May 2019  ·  4Comments  ·  Source: wazuh/wazuh

|Wazuh version|Component|Install type|Install method|Platform|
|---|---|---|---|---|
|wazuh-3.8.2-rev | analysisd | Manager | Sources | CentOS 6.9 |

Hi, guys

I use tag overwrite=”yes” to rewrite a rule (id: 5108), rule cotent is below

<!-- origin -->
  <rule id="5108" level="12">
    <if_sid>5100</if_sid>
    <match>Out of Memory: </match>
    <description>System running out of memory. </description>
    <description>Availability of the system is in risk.</description>
    <group>service_availability,pci_dss_10.6.1,gpg13_4.12,gdpr_IV_35.7.d,</group>
  </rule>

<!-- changed -->
<group name="mygroup,oom,">
  <rule id="5108" level="12" overwrite="yes" ignore="10">
    <if_sid>5100</if_sid>
    <match>Out of Memory: </match>
    <!-- white list NOT WORK -->
    <list field="program_name" lookup="not_match_key">etc/lists/my/oom_white_list</list>
    <description>System running out of memory. </description>
    <!-- description work -->
    <description>Availability of the MY system is in risk.</description>
    <group>service_availability,pci_dss_10.6.1,gpg13_4.12,gdpr_IV_35.7.d,</group>
  </rule>
</group>

As you can see, I added a white list for program_name by using list option, but it didn't work as expect while testing log by ossec-logtest app, however the description is updated(a "MY" is added).

I found that overwriting works at code analysisd/rules_list.c:OS_AddRuleInfo, and ruleinfo->lists is not updated.

/* Update rule info for overwritten ones */
int OS_AddRuleInfo(RuleNode *r_node, RuleInfo *newrule, int sid)
{
    /* If no r_node is given, get first node */
    if (r_node == NULL) {
        r_node = OS_GetFirstRule();
    }

    if (sid == 0) {
        return (0);
    }

    while (r_node) {
        /* Check if the sigid matches */
        if (r_node->ruleinfo->sigid == sid) {
            r_node->ruleinfo->level = newrule->level;
            r_node->ruleinfo->maxsize = newrule->maxsize;
            r_node->ruleinfo->frequency = newrule->frequency;
            r_node->ruleinfo->timeframe = newrule->timeframe;
            r_node->ruleinfo->ignore_time = newrule->ignore_time;

           /* code omitted */

           // should ruleinfo->lists being updated here?
          // r_node->ruleinfo->lists = newrule->lists;  # I add this line and it seems to be nornal now

My question is:
Is this right to add lists overwrite here, or there is other better way to do that?
Thanks in advance!

bug community coranalysisd

All 4 comments

Hi @lo5twind,

The problem here is that program_name is not a field that the list can match.

Let's test a log:

$ /var/ossec/bin/ossec-logtest
May 23 13:10:58 centos sshd[7621]: pam_unix(sshd:session): session opened for user root by (uid=0)

**Phase 1: Completed pre-decoding.
       full event: 'May 23 13:10:58 centos sshd[7621]: pam_unix(sshd:session): session opened for user root by (uid=0)'
       timestamp: 'May 23 13:10:58'
       hostname: 'centos'
       program_name: 'sshd'
       log: 'pam_unix(sshd:session): session opened for user root by (uid=0)'

**Phase 2: Completed decoding.
       decoder: 'pam'
       dstuser: 'root'
       uid: '0'

timestamp, hostname, and program_name are attributes about the input, they are extracted by the pre-decoder.

On the other hand, dstuser and uid are field extracted by the decoders. They can be used in the rules (<field> and <list field="...">).

This is definitely a limitation in the rule matching engine. We should consider allowing these fields in the list. Let me discuss with the team about this.

We will keep you posted. Thank you for letting us know about this issue.
Best regards.

Hi, @vikman90 . Thanks for replying.

Actually attributes like program_name, hostname and so on are working normally in a non-overwriting rule. In another word, if I add directly in the origin rule 5108, it works. Just as the description at https://documentation.wazuh.com/current/user-manual/ruleset/ruleset-xml-syntax/rules.html#list

But if I write my own rule 5108 with overwrite="yes" in another rule file, the option seems doing nothing at all.

Sorry for ignoring these info in the previous issue post.

Hope this can help, thanks!

Hi @lo5twind ,
I have been recreating your environment:


  • This is the version with two rules, original and overwriting one. When using the overwrite label, as you said, the whitelist seems to have no effect (note that for convenience I am using for testing the sshd program).
  <rule id="5501" level="12">
    <if_sid>5500</if_sid>
    <match>session opened for user </match>
    <description>PAM: Login session opened.</description>
    <group>authentication_success,pci_dss_10.2.5,gpg13_7.8,gpg13_7.9,gdpr_IV_32.2,</group>
  </rule>


<!-- changed -->
  <rule id="5501" level="12" overwrite="yes">
    <if_sid>5500</if_sid>
    <match>session opened for user </match>
    <!-- white list NOT WORK -->
    <list field="program_name" lookup="match_key">etc/lists/my/oom_white_list</list>
    <description>System running out of memory. </description>
    <!-- description work -->
    <description>Availability of the MY system is in risk.</description>
    <group>service_availability,pci_dss_10.6.1,gpg13_4.12,gdpr_IV_35.7.d,</group>
  </rule>

The input May 23 13:10:58 centos sshd[7621]: pam_unix(sshd:session): session opened for user root by (uid=0) should match with my whitelist and there should be no alert but in the further output we can see the alert:


**Phase 1: Completed pre-decoding.
       full event: 'May 23 13:10:58 centos sshd[7621]: pam_unix(sshd:session): session opened for user root by (uid=0)'
       timestamp: 'May 23 13:10:58'
       hostname: 'centos'
       program_name: 'sshd'
       log: 'pam_unix(sshd:session): session opened for user root by (uid=0)'

**Phase 2: Completed decoding.
       decoder: 'pam'
       dstuser: 'root'
       uid: '0'

**Phase 3: Completed filtering (rules).
       Rule id: '5501'
       Level: '12'
       Description: 'System running out of memory. Availability of the MY system is in risk.'
**Alert to be generated.



  • This is the version with the same rule without overwriting. It works as expected and there's no alert.
  <rule id="5501" level="12">
    <if_sid>5500</if_sid>
    <match>session opened for user </match>
    <!-- white list NOT WORK -->
    <list field="program_name" lookup="match_key">etc/lists/my/oom_white_list</list>
    <description>System running out of memory. </description>
    <!-- description work -->
    <description>Availability of the MY system is in risk.</description>
    <group>service_availability,pci_dss_10.6.1,gpg13_4.12,gdpr_IV_35.7.d,</group>
  </rule>

**Phase 1: Completed pre-decoding.
       full event: 'May 23 13:10:58 centos sshd[7621]: pam_unix(sshd:session): session opened for user root by (uid=0)'
       timestamp: 'May 23 13:10:58'
       hostname: 'centos'
       program_name: 'sshd'
       log: 'pam_unix(sshd:session): session opened for user root by (uid=0)'

**Phase 2: Completed decoding.
       decoder: 'pam'
       dstuser: 'root'
       uid: '0'



We are grateful to you for finding this bug and we will take into account the solution you propose. Let's work on it.




Best regards,

Juan Pablo Sáez

@lo5twind we have just merged the fix to this issue into 3.10.

Thank you for reporting this issue. Thanks also to @Zenidd for your hard work!

Cheers.

Was this page helpful?
0 / 5 - 0 ratings