I think I'm just really confused as to what "regex" and "match" are
actually matching against. Given the following log event:
2017 May 24 12:38:16 (ci-runner__development_12.34.56.78) any->rootcheck
File
'/var/lib/docker/volumes/d758587e86d60a53043c93c1f730d6e04acdcb5f7a5a181182cfe0fb754aa293/_data/path/to/some/file.txt'
is owned by root and has written permissions to anyone.
This rule successfully ignores it:
<rule id="100510" level="0">
<if_sid>510</if_sid>
<regex>/var/lib/docker/volumes/\S+/_data</regex>
<description>Ignore this rule</description>
<group>rootcheck,</group>
</rule>
But this one doesn't:
<rule id="100510" level="0">
<if_sid>510</if_sid>
<regex>is owned by root and has written permissions to anyone</regex>
<description>Ignore this rule</description>
<group>rootcheck,</group>
</rule>
What string does regex match against? The docs say "Any regex to match
against the log event"; that should include more than just the file path,
right?
Cheers,
Gert
On Wednesday, May 24, 2017 at 1:02:24 PM UTC+12, Gert Verhoog wrote:
>
> Unfortunately, it's still not working, and I'm not sure what else I can
> try... This is what I'm doing:
>
> The log entries that I want to ignore all look like this (from
> archives.log):
>
> 2017 May 24 12:38:16 (ci-runner__development_12.34.56.78) any->rootcheck
> File
> '/var/lib/docker/volumes/d758587e86d60a53043c93c1f730d6e04acdcb5f7a5a181182cfe0fb754aa293/_data/path/to/some/file.txt'
>
> is owned by root and has written permissions to anyone.
>
> Inspired by rule 511 from the wazuh ruleset
> <https://github.com/wazuh/wazuh-ruleset/blob/f1e1e46e51faefbe75c79052d63437cc3c1a02b4/rules/0015-ossec_rules.xml#L63>,
>
> I have the following rule in /var/ossec/etc/rules/local_rules.xml:
>
> <rule id="100510" level="0">
> <if_sid>510</if_sid>
> <regex>is owned by root and has written permissions to anyone</regex>
> <description>Ignore this rule</description>
> <group>rootcheck,</group>
> </rule>
>
> After editing the local rules file, I execute a
> "/var/ossec/bin/ossec-control restart" on the server, and after that also
> on the client. I wait for rootcheck to execute, which generates many
> entries such as the one above in the archives.log. Unfortunately, they
> still show up as a level 7 event in the kibana dashboard:
>
> rule.id:510 agent.name:ci-runner__development_12.34.56.78 agent.id:009
> manager.name:ec2-11-22-33-44.ap-southeast-2.compute.amazonaws.comrule.
> firedtimes:1,700 rule.level:7 rule.description:Host-based anomaly
> detection event (rootcheck). rule.groups:ossec, rootcheck source:decoder.
> name:rootcheck title:File is owned by root and has written permissions to
> anyone. full_log:File
> '/var/lib/docker/volumes/d758587e86d60a53043c93c1f730d6e04acdcb5f7a5a181182cfe0fb754aa293/_data/path/to/some/file.txt'
>
> is owned by root and has written permissions to anyone. @timestamp:May
> 24th 2017, 12:38:16.000 file:/var/lib/docker/volumes/
> d758587e86d60a53043c93c1f730d6e04acdcb5f7a5a181182cfe0fb754aa293/_data/
> path/to/some/file.txt host:ec2-11-22-33-44.ap-southeast-2.compute.
> amazonaws.com location:rootcheck
>
>
> Unfortunately, we can't just change the permissions of these without
> breaking our CI. I'm not very concerned about the world-writable files
> under /var/lib/docker/volumes, since only root can traverse this path
> anyway, so I would love to just ignore them, as they are about 90% of what
> shows up in the dashboards, so it drowns out other events.
>
> Do you have any ideas what I could try next?
>
> Many thanks for your help so far!
>
>
> On Tuesday, May 23, 2017 at 1:35:58 AM UTC+12, Jesus Linares wrote:
>>
>> You can't use ossec-logtest for rootcheck events. For example, if I get
>> the full_log of a real alert: "File
>> '/usr/local/nsis/nsis-3.0b2-src/Contrib/Language files/Valencian.nlf' is
>> owned by root and has written permissions to anyone." and I paste it in
>> logtest:
>>
>> *Phase 1: Completed pre-decoding.
>> full event: 'File '/usr/local/nsis/nsis-3.0b2-src/Contrib/Language
>> files/Valencian.nlf' is owned by root and has written permissions to
>> anyone.'
>> hostname: 'ip-10-0-0-10'
>> program_name: '(null)'
>> log: 'File '/usr/local/nsis/nsis-3.0b2-src/Contrib/Language files/
>> Valencian.nlf' is owned by root and has written permissions to anyone.'
>>
>>
>> **Phase 2: Completed decoding.
>> No decoder matched.
>>
>>
>> So, ossec-logtest doesn't show anything, but the alert is properly
>> generated. This is due to rootcheck has decoders at c-level.
>>
>> Your rule looks right, just restart OSSEC and test it manually.
>> Sometimes, OSSEC has problems with \.* so if that part doesn't have spaces,
>> it is better to use \S*.
>>
>> Let me know if it works.
>> Regards.
>>
>>
>> On Saturday, May 20, 2017 at 3:04:44 AM UTC+2, dan (ddpbsd) wrote:
>>>
>>> On Thu, May 18, 2017 at 4:51 PM, Gert Verhoog <ge...@montoux.com>
>>> wrote:
>>> > Hi Jesus,
>>> >
>>> > I'm having the same problem, and the triggering of this rule causes so
>>> much
>>> > noise that it's drowning out other alerts. I have added a rule like
>>> you
>>> > suggested to my local rules:
>>> >
>>> > <rule id="100510" level="0" frequency="0" timeframe="45"
>>> ignore="600">
>>> > <if_matched_sid>510</if_matched_sid>
>>> > <regex>/var/lib/docker/volumes/\.*/_data/\.* is owned by root and
>>> has
>>> > written permissions to anyone</regex>
>>> > <description>Ignore rootcheck warning on world-writable docker
>>> > volumes</description>
>>> > </rule>
>>> >
>>> > But it doesn't seem to have an effect. I've played with the regex,
>>> > simplifying it and even deleting it altogether, but I still can't seem
>>> to
>>> > get it working. Logtest shows the following output:
>>> >
>>> >
>>> > File
>>> >
>>> '/var/lib/docker/volumes/81c96e1d9b6a07710dc0ba90daccf5650efe59e213b20354bbb86f4e65929a0e/_data/path/to/static/fonts/icons/glyphicons-social-regular.eot'
>>>
>>>
>>> > is owned by root and has written permissions to anyone.
>>> >
>>>
>>> Is this the log message you get from the agent? You can turn on the
>>> logall option and check archives.log for the exact message from the
>>> agent.
>>>
>>> >
>>> > **Phase 1: Completed pre-decoding.
>>> >
>>> >
>>> > full event: 'File
>>> >
>>> '/var/lib/docker/volumes/81c96e1d9b6a07710dc0ba90daccf5650efe59e213b20354bbb86f4e65929a0e/_data/path/to/static/fonts/icons/glyphicons-social-regular.eot'
>>>
>>>
>>> > is owned by root and has written permissions to anyone.'
>>> >
>>> >
>>> > hostname: 'ec2-12-34-56-78'
>>> >
>>> >
>>> > program_name: '(null)'
>>> >
>>> >
>>> > log: 'File
>>> >
>>> '/var/lib/docker/volumes/81c96e1d9b6a07710dc0ba90daccf5650efe59e213b20354bbb86f4e65929a0e/_data/path/to/static/fonts/icons/glyphicons-social-regular.eot'
>>>
>>>
>>> > is owned by root and has written permissions to anyone.'
>>> >
>>> >
>>> >
>>> >
>>> > **Phase 2: Completed decoding.
>>> >
>>> >
>>> > No decoder matched.
>>> >
>>> >
>>> >
>>> > I'm fairly new to OSSEC and Wazuh, so I may be missing something. Is
>>> there
>>> > anything obvious that I'm doing wrong?
>>> >
>>> > Cheers!
>>> > Gert
>>> >
>>> >
>>> >
>>> > On Wednesday, April 19, 2017 at 12:14:28 AM UTC+12, Jesus Linares
>>> wrote:
>>> >>
>>> >> Hi Rob,
>>> >>
>>> >> you need to add the conditions to trigger that rule only for your
>>> specific
>>> >> files. Use match or regex:
>>> >>
>>> >> <rule id="70908" level="0" frequency="0" timeframe="45" ignore="600">
>>> >> <if_matched_sid>510</if_matched_sid>
>>> >> <!--
>>> >> contitions:
>>> >> option 1:
>>> >> <match>YOUR_FILE1|YOUR_FILE2|...</match>
>>> >> option 2:
>>> >> <regex>YOUR_FILE\.+</regex>
>>> >> -->
>>> >> <description>Ignore rule 510 for 600 seconds for some
>>> >> files.</description>
>>> >> </rule>
>>> >
>>> >
>>> >
>>> >
>>> > --
>>> >
>>> > ---
>>> > You received this message because you are subscribed to the Google
>>> Groups
>>> > "ossec-list" group.
>>> > To unsubscribe from this group and stop receiving emails from it, send
>>> an
>>> > email to ossec-list+...@googlegroups.com.
>>> > For more options, visit https://groups.google.com/d/optout.
>>>
>>
--
---
You received this message because you are subscribed to the Google Groups
"ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to ossec-list+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
