I'm trying to overwrite a rule as per the documentation, like this:

https://documentation.wazuh.com/3.12/learning-wazuh/replace-stock-rule.html

So I've copied one rule to local_rules.xml and created my own group (prior to that I also tried to put it within the rule's original group tag), but it seems to be completely ignoring it.

This is what I've put in local_rules.xml:

<group name="istvan">
    <rule frequency="8" id="31533" level="9" overwrite="yes" timeframe="20">
        <if_matched_sid>31530</if_matched_sid>
        <same_source_ip/>
        <description>High amount of POST requests in a small period of time (likely bot).</description>
        <group>pci_dss_6.5,pci_dss_11.4,gdpr_IV_35.7.d,nist_800_53_SA.11,nist_800_53_SI.4,</group>
    </rule>
</group>

I've only changed the level to 9 and added the overwrite="yes" tag. The idea is that it doesn't send me these alerts (as my threshold is set to level 10+). Save, restart, but it's completely ignoring it, and I'm still getting those alerts with the level 10 tag.

Frankly, I'm starting to be clueless as to why it is happening.

Any ideas?

Thanks.

Istvan Prosinger

2 Answers

A good way to test the expected behaviour would be using /var/ossec/bin/ossec-logtest as mentioned in that doc.

To elaborate, I will take the example from that doc:

  • I will overwrite rule 5716: https://github.com/wazuh/wazuh-ruleset/blob/317052199f751e5ea936730710b71b27fdfe2914/rules/0095-sshd_rules.xml#L121, as below:

    [root@localhost vagrant]# egrep -iE "ssh" /var/ossec/etc/rules/local_rules.xml -B 4 -A 3
    
    <rule id="5716" overwrite="yes" level="9">
      <if_sid>5700</if_sid>
      <match>^Failed|^error: PAM: Authentication</match>
      <description>sshd: authentication failed.</description>
      <group>authentication_failed,pci_dss_10.2.4,pci_dss_10.2.5,gpg13_7.1,gdpr_IV_35.7.d,gdpr_IV_32.2,hipaa_164.312.b,nist_800_53_AU.14,nist_800_53_AC.7,</group>
    </rule>
    
  • The logs can be tested without having to restart the Wazuh manager by opening /var/ossec/bin/ossec-logtest and then pasting my log:

2020/05/26 09:03:00 ossec-testrule: INFO: Started (pid: 9849).
ossec-testrule: Type one log per line.

Oct 23 17:27:17 agent sshd[8221]: Failed password for root from ::1 port 60164 ssh2


**Phase 1: Completed pre-decoding.
      full event: 'Oct 23 17:27:17 agent sshd[8221]: Failed password for root from ::1 port 60164 ssh2'
      timestamp: 'Oct 23 17:27:17'
      hostname: 'agent'
      program_name: 'sshd'
      log: 'Failed password for root from ::1 port 60164 ssh2'

**Phase 2: Completed decoding.
      decoder: 'sshd'
      dstuser: 'root'
      srcip: '::1'
      srcport: '60164'

**Phase 3: Completed filtering (rules).
      Rule id: '5716'
      Level: '9'
      Description: 'sshd: authentication failed.'

As expected, the level, which was initially 5, has been overwritten. Although in your case, you will have to paste the log 8 times in a timeframe lower than 20 s to be able to trigger that rule.

  • If you can share the logs triggering that alert, I can test with it.

On the other hand, you can create a sibling rule to simply ignore your rule 31533, something similar to the one below:

<rule id="100010" level="2">
    <if_sid>31533</if_sid>
    <description>Ignore rule 31533</description>
</rule>

Make sure to restart the Wazuh manager afterward to apply the change.

You can find more information about customizing rules/decoders here: https://wazuh.com/blog/creating-decoders-and-rules-from-scratch/

Hope this helps,

ELWALI
  • I had an issue triggering the rule, but now, as you suggested, I triggered it by pasting the log 8 times in a row. But I still seem to get the same old 31533 rule; the one in local seems to be completely ignored (which is apparently the source of my problems). I'm not sure why OSSEC is ignoring it. – Istvan Prosinger Jun 01 '20 at 14:49
  • Hm, made several tests, it seems to be completely ignoring local_rules.xml. The permissions seem to be fine though. Even the example one (5716) – Istvan Prosinger Jun 01 '20 at 15:23
  • Even tried your rules. It's definitely not processing local_rules.xml – Istvan Prosinger Jun 01 '20 at 16:26
  • Hello @IstvanProsinger. That's not the default configuration, but do you happen to have `rule_exclude`? You might check that with `grep -i 'rule_exclude' /var/ossec/etc/ossec.conf`. More information that might be relevant about my setup: – ELWALI Jun 03 '20 at 07:53
  • Sorry, I was not able to finish my previous response. More information that might be relevant about my setup: Wazuh manager version: 3.12.3. Permissions and owner of my local rules: ``` [root@localhost vagrant]# ls -ll /var/ossec/etc/rules/ total 32 -rw-rw----. 1 ossec ossec 1461 May 28 11:54 local_rules.xml ``` Maybe if you share more information, I can be of more help. https://wazuh.com/community/join-us-on-slack/ is highly recommended for prompter help/responses. – ELWALI Jun 03 '20 at 08:01
  • Thanks for the reply. I got some exclusions, due to past experimentation, but I don't see how it would affect the case (except that it's not working either): 0215-policy_rules.xml 31151 – Istvan Prosinger Jun 10 '20 at 13:11
  • But is there a line where the local_rules.xml should be included into the config? I can't find that either. – Istvan Prosinger Jun 10 '20 at 13:11

After finally talking to the developers, it turns out that it was indeed ignoring local_rules.xml. I had a strange exclusion of one rule (probably a problematic syntax, although it didn't report an error):

    "rule_exclude": [
        "31151"

When I removed it, it started working as described in the user's guide.

Istvan Prosinger
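As an added example that is not part of the question or either answer: a small Python checker that parses a local_rules.xml body together with the <ruleset> section of ossec.conf and reports what an overwrite will do once loaded, how many log lines ossec-logtest needs to fire a frequency rule, and rule_exclude entries that are not rule file names (rule_exclude expects a file such as 0215-policy_rules.xml, which is why a bare rule id like the asker's 31151 is suspicious). Both XML inputs are constructed here, and the alert threshold of 10 is taken from the question.

```python
import xml.etree.ElementTree as ET

# Constructed sample inputs (not the asker's real files): the overwrite from the question
# and a <ruleset> block carrying the two exclusions mentioned in the comments.
LOCAL_RULES = """<group name="istvan">
  <rule frequency="8" id="31533" level="9" overwrite="yes" timeframe="20">
    <if_matched_sid>31530</if_matched_sid>
    <same_source_ip/>
    <description>High amount of POST requests in a small period of time (likely bot).</description>
  </rule>
</group>"""
OSSEC_RULESET = """<ruleset>
  <rule_dir>ruleset/rules</rule_dir>
  <rule_dir>etc/rules</rule_dir>
  <rule_exclude>0215-policy_rules.xml</rule_exclude>
  <rule_exclude>31151</rule_exclude>
</ruleset>"""

def parse_rules(xml_text):
    """local_rules.xml may hold several top-level <group> elements; wrap it in a synthetic root."""
    root = ET.fromstring("<root>" + xml_text + "</root>")
    rules = []
    for r in root.iter("rule"):
        rules.append({"id": r.get("id"), "level": int(r.get("level", "0")),
                      "overwrite": r.get("overwrite", "no").lower() == "yes",
                      "frequency": int(r.get("frequency", "0")),
                      "timeframe": int(r.get("timeframe", "0")),
                      "parents": [e.text for e in r if e.tag in ("if_sid", "if_matched_sid")]})
    return rules

def rule_excludes(conf_text):
    root = ET.fromstring("<root>" + conf_text + "</root>")
    return [e.text.strip() for e in root.iter("rule_exclude") if e.text]

def audit(local_rules_text, conf_text, alert_threshold=10):
    """Findings: overwrites that drop below the alert threshold, logtest input needed for
    frequency rules, and rule_exclude values that are not rule file names."""
    findings = []
    for r in parse_rules(local_rules_text):
        if r["overwrite"] and r["level"] < alert_threshold:
            findings.append(f"{r['id']}: overwritten to level {r['level']}, below threshold {alert_threshold}")
        if r["frequency"]:
            findings.append(f"{r['id']}: paste {r['frequency']} matches of {','.join(r['parents'])} within {r['timeframe']}s into ossec-logtest")
    for ex in rule_excludes(conf_text):
        if not ex.endswith(".xml"):
            findings.append(f"rule_exclude '{ex}' is not a rule file name; check ossec.conf")
    return findings
```

Call `audit(LOCAL_RULES, OSSEC_RULESET)` to print the three findings for the sample; if the overwritten rule still fires at its old level after a restart, the rule_exclude finding is the first thing to chase.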