0

I am struggling to write a custom wazuh rule in order to send alert when specific commands are written (powershell and bash).

Can anyone help me?

Thanks in advance!

Toto
  • 89,455
  • 62
  • 89
  • 125
user16540540
  • 1
  • 2

1 Answers1

0

Linux systems have a powerful auditing facility called auditd which can give a very detailed accounting of actions and changes in a system, but by default, no auditd rules are active so we tend to miss out on this detailed history.

Let’s follow the next steps to create the custom rule:

  1. Having already sudo-ed to root on our linux-agent machine, append the following audit rules to /etc/audit/rules.d/audit.rules
echo "-a exit,always -F auid=1000 -F egid!=994 -F auid!=-1 -F arch=b32 -S execve -k audit-wazuh-c" >> /etc/audit/rules.d/audit.rules
echo "-a exit,always -F auid=1000 -F egid!=994 -F auid!=-1 -F arch=b64 -S execve -k audit-wazuh-c" >> /etc/audit/rules.d/audit.rules

Where auid=1000 represents the user ID. If unsure, you may verify this value by running: grep centos /etc/passwd (replacing centos if you have a different user name).

  1. Reload the rules and confirm they are in place:
auditctl -R /etc/audit/rules.d/audit.rules
auditctl -l

Now, we are going to create a list of command that Wazuh will watch for:

  1. On wazuh-manager, create /var/ossec/etc/lists/suspicious-programs with this content:
ncat:
nc:
tcpdump:
ping:
  1. On wazuh-manager, add this to the <ruleset> section of ossec configuration in /var/ossec/etc/ossec.conf:
<ruleset>
 <list>etc/lists/suspicious-programs</list>
  1. Now let’s add a new rule that uses this list as part of its criteria to do so add the following to /var/ossec/etc/rules/local_rules.xml on the Wazuh Manager.
<group name="audit">
  <rule id="100200" level="8">
      <if_sid>80792</if_sid>
      <list field="audit.command" lookup="match_key">etc/lists/suspicious-programs</list>
      <description>Audit: Suspicious Command: $(audit.exe)</description>
      <group>audit_command,</group>
  </rule>
</group>
  1. Compile the CDB list (if your version is inferior to v3.11.0):
/var/ossec/bin/ossec-makelists
  1. Restart the Wazuh manager

Now if you run, for example, tcpdump –-version the rule 100200 will match and an alert will be triggered.

You can see more info here.

Julia Magán
  • 1