I have been trying to get started with writing custom rules for Wazuh and cannot seem to get my rules to fire.
In ossec.conf I have both the default ruleset path and the user-defined path set to etc/rules:
<rule_dir>etc/rules</rule_dir>
And in /var/ossec/etc/rules/ I have 4 .xml files:
Base_rules.xml:
<group name="base">
<rule id="1" level="0" noalert="1">
<decoded_as>windows_eventchannel</decoded_as>
<description>Generic template for all windows eventchannel rules.</description>
</rule>
</group>
Base_windows_rules.xml:
<group name="windows">
<rule id="18100" level="1">
<if_sid>1</if_sid>
<category>windows</category>
<description>Group of windows rules.</description>
</rule>
</group>
Base_sysmon_rules.xml:
<group name="sysmon">
<rule id="184665" level="1">
<if_sid>18100</if_sid>
<match>Microsoft-Windows-Sysmon/Operational: INFORMATION(1)</match>
<description>Sysmon - Event 1</description>
<group>sysmon_event1,</group>
</rule>
</group>
Sysmon_EID1_rules.xml:
<group name="sysmon_event1,">
<rule id="100100" level="3">
<if_sid>184665</if_sid>
<description>Sysmon - Event 1: Process creation $(win.eventdata.description)</description>
</rule>
<rule id="100101" level="3">
<if_sid>100100</if_sid>
<field name="win.eventdata.image">\.*powershell\.*</field>
<description>Sysmon - PowerShell prompt execution</description>
</rule>
<rule id="100102" level="10">
<if_sid>100101</if_sid>
<field name="win.eventdata.parentImage">\.*explorer\.*</field>
<description>Sysmon - PowerShell execution - explorer parent</description>
</rule>
</group>
I have the logs sent to Elasticsearch, where anything under rule level 7 goes only to the log index and anything over 7 goes to HIDS as well.
The logs are sent to Elastic just fine, but they are not hitting any rules.
If I run wazuh-logtest-legacy -v, I get warnings such as:
2023/04/13 21:22:44 wazuh-testrule: WARNING: (7617): Signature ID '18100' was not found and will be ignored in the 'if_sid' option of rule '184665'.
2023/04/13 21:22:44 wazuh-testrule: WARNING: (7619): Empty 'if_sid' value. Rule '184665' will be ignored.
It prints these warnings for all of the rules.
And if I run either wazuh-logtest or wazuh-logtest-legacy with the following event:
{"win":{"system":{"providerName":"Microsoft-Windows-Sysmon","providerGuid":"{5770385f-c22a-43e0-bf4c-06f5698ffbd9}","eventID":"1","version":"5","level":"4","task":"1","opcode":"0","keywords":"0x8000000000000000","systemTime":"2023-04-13T18:03:12.632547300Z","eventRecordID":"34822","processID":"3524","threadID":"4652","channel":"Microsoft-Windows-Sysmon/Operational","computer":"DC01.homelab.local","severityValue":"INFORMATION","message":"\"Process Create:\r\nRuleName: -\r\nUtcTime: 2023-04-13 18:03:12.611\r\nProcessGuid: {f76e45db-43e0-6438-6901-000000002900}\r\nProcessId: 4852\r\nImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nFileVersion: 10.0.17763.1 (WinBuild.160101.0800)\r\nDescription: Windows PowerShell\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: PowerShell.EXE\r\nCommandLine: \"PowerShell.exe\" -noexit -command Set-Location -literalPath 'C:\\Users\\da_user.name\\Desktop\\Tools'\r\nCurrentDirectory: C:\\Windows\\system32\\\r\nUser: HOMELAB\\da_user.name\r\nLogonGuid: {f76e45db-15f9-6438-2560-0c0000000000}\r\nLogonId: 0xC6025\r\nTerminalSessionId: 2\r\nIntegrityLevel: Medium\r\nHashes: MD5=7353F60B1739074EB17C5F4DDDEFE239,SHA256=DE96A6E69944335375DC1AC238336066889D9FFC7D73628EF4FE1B1B160AB32C,IMPHASH=741776AACCFC5B71FF59832DCDCACE0F\r\nParentProcessGuid: {f76e45db-15fb-6438-be00-000000002900}\r\nParentProcessId: 2204\r\nParentImage: C:\\Windows\\explorer.exe\r\nParentCommandLine: C:\\Windows\\Explorer.EXE\r\nParentUser: HOMELAB\\da_user.name\""},"eventdata":{"utcTime":"2023-04-13 18:03:12.611","processGuid":"{f76e45db-43e0-6438-6901-000000002900}","processId":"4852","image":"C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe","fileVersion":"10.0.17763.1 (WinBuild.160101.0800)","description":"Windows PowerShell","product":"Microsoft® Windows® Operating System","company":"Microsoft Corporation","originalFileName":"PowerShell.EXE","commandLine":"\\\"PowerShell.exe\\\" -noexit -command Set-Location -literalPath 'C:\\\\Users\\\\da_user.name\\\\Desktop\\\\Tools'","currentDirectory":"C:\\\\Windows\\\\system32\\\\","user":"HOMELAB\\\\da_user.name","logonGuid":"{f76e45db-15f9-6438-2560-0c0000000000}","logonId":"0xc6025","terminalSessionId":"2","integrityLevel":"Medium","hashes":"MD5=7353F60B1739074EB17C5F4DDDEFE239,SHA256=DE96A6E69944335375DC1AC238336066889D9FFC7D73628EF4FE1B1B160AB32C,IMPHASH=741776AACCFC5B71FF59832DCDCACE0F","parentProcessGuid":"{f76e45db-15fb-6438-be00-000000002900}","parentProcessId":"2204","parentImage":"C:\\\\Windows\\\\explorer.exe","parentCommandLine":"C:\\\\Windows\\\\Explorer.EXE","parentUser":"HOMELAB\\\\da_user.name"}}}
Output is as follows:
**Phase 1: Completed pre-decoding.
full event: '{"win":{"system":{"providerName":"Microsoft-Windows-Sysmon","providerGuid":"{5770385f-c22a-43e0-bf4c-06f5698ffbd9}","eventID":"1","version":"5","level":"4","task":"1","opcode":"0","keywords":"0x8000000000000000","systemTime":"2023-04-13T18:03:12.632547300Z","eventRecordID":"34822","processID":"3524","threadID":"4652","channel":"Microsoft-Windows-Sysmon/Operational","computer":"DC01.homelab.local","severityValue":"INFORMATION","message":"\"Process Create:\r\nRuleName: -\r\nUtcTime: 2023-04-13 18:03:12.611\r\nProcessGuid: {f76e45db-43e0-6438-6901-000000002900}\r\nProcessId: 4852\r\nImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nFileVersion: 10.0.17763.1 (WinBuild.160101.0800)\r\nDescription: Windows PowerShell\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: PowerShell.EXE\r\nCommandLine: \"PowerShell.exe\" -noexit -command Set-Location -literalPath 'C:\\Users\\da_user.name\\Desktop\\Tools'\r\nCurrentDirectory: C:\\Windows\\system32\\\r\nUser: HOMELAB\\da_user.name\r\nLogonGuid: {f76e45db-15f9-6438-2560-0c0000000000}\r\nLogonId: 0xC6025\r\nTerminalSessionId: 2\r\nIntegrityLevel: Medium\r\nHashes: MD5=7353F60B1739074EB17C5F4DDDEFE239,SHA256=DE96A6E69944335375DC1AC238336066889D9FFC7D73628EF4FE1B1B160AB32C,IMPHASH=741776AACCFC5B71FF59832DCDCACE0F\r\nParentProcessGuid: {f76e45db-15fb-6438-be00-000000002900}\r\nParentProcessId: 2204\r\nParentImage: C:\\Windows\\explorer.exe\r\nParentCommandLine: C:\\Windows\\Explorer.EXE\r\nParentUser: HOMELAB\\da_user.name\""},"eventdata":{"utcTime":"2023-04-13 18:03:12.611","processGuid":"{f76e45db-43e0-6438-6901-000000002900}","processId":"4852","image":"C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe","fileVersion":"10.0.17763.1 (WinBuild.160101.0800)","description":"Windows PowerShell","product":"Microsoft® Windows® Operating System","company":"Microsoft Corporation","originalFileName":"PowerShell.EXE","commandLine":"\\\"PowerShell.exe\\\" -noexit -command Set-Location -literalPath 'C:\\\\Users\\\\da_user.name\\\\Desktop\\\\Tools'","currentDirectory":"C:\\\\Windows\\\\system32\\\\","user":"HOMELAB\\\\da_user.name","logonGuid":"{f76e45db-15f9-6438-2560-0c0000000000}","logonId":"0xc6025","terminalSessionId":"2","integrityLevel":"Medium","hashes":"MD5=7353F60B1739074EB17C5F4DDDEFE239,SHA256=DE96A6E69944335375DC1AC238336066889D9FFC7D73628EF4FE1B1B160AB32C,IMPHASH=741776AACCFC5B71FF59832DCDCACE0F","parentProcessGuid":"{f76e45db-15fb-6438-be00-000000002900}","parentProcessId":"2204","parentImage":"C:\\\\Windows\\\\explorer.exe","parentCommandLine":"C:\\\\Windows\\\\Explorer.EXE","parentUser":"HOMELAB\\\\da_user.name"}}}'
**Phase 2: Completed decoding.
name: 'json'
win.eventdata.commandLine: '\"PowerShell.exe\" -noexit -command Set-Location -literalPath 'C:\\Users\\da_user.name\\Desktop\\Tools''
win.eventdata.company: 'Microsoft Corporation'
win.eventdata.currentDirectory: 'C:\\Windows\\system32\\'
win.eventdata.description: 'Windows PowerShell'
win.eventdata.fileVersion: '10.0.17763.1 (WinBuild.160101.0800)'
win.eventdata.hashes: 'MD5=7353F60B1739074EB17C5F4DDDEFE239,SHA256=DE96A6E69944335375DC1AC238336066889D9FFC7D73628EF4FE1B1B160AB32C,IMPHASH=741776AACCFC5B71FF59832DCDCACE0F'
win.eventdata.image: 'C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe'
win.eventdata.integrityLevel: 'Medium'
win.eventdata.logonGuid: '{f76e45db-15f9-6438-2560-0c0000000000}'
win.eventdata.logonId: '0xc6025'
win.eventdata.originalFileName: 'PowerShell.EXE'
win.eventdata.parentCommandLine: 'C:\\Windows\\Explorer.EXE'
win.eventdata.parentImage: 'C:\\Windows\\explorer.exe'
win.eventdata.parentProcessGuid: '{f76e45db-15fb-6438-be00-000000002900}'
win.eventdata.parentProcessId: '2204'
win.eventdata.parentUser: 'HOMELAB\\da_user.name'
win.eventdata.processGuid: '{f76e45db-43e0-6438-6901-000000002900}'
win.eventdata.processId: '4852'
win.eventdata.product: 'Microsoft® Windows® Operating System'
win.eventdata.terminalSessionId: '2'
win.eventdata.user: 'HOMELAB\\da_user.name'
win.eventdata.utcTime: '2023-04-13 18:03:12.611'
win.system.channel: 'Microsoft-Windows-Sysmon/Operational'
win.system.computer: 'DC01.homelab.local'
win.system.eventID: '1'
win.system.eventRecordID: '34822'
win.system.keywords: '0x8000000000000000'
win.system.level: '4'
win.system.message: '"Process Create:
RuleName: -
UtcTime: 2023-04-13 18:03:12.611
ProcessGuid: {f76e45db-43e0-6438-6901-000000002900}
ProcessId: 4852
Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
FileVersion: 10.0.17763.1 (WinBuild.160101.0800)
Description: Windows PowerShell
Product: Microsoft® Windows® Operating System
Company: Microsoft Corporation
OriginalFileName: PowerShell.EXE
CommandLine: "PowerShell.exe" -noexit -command Set-Location -literalPath 'C:\Users\da_user.name\Desktop\Tools'
CurrentDirectory: C:\Windows\system32\
User: HOMELAB\da_user.name
LogonGuid: {f76e45db-15f9-6438-2560-0c0000000000}
LogonId: 0xC6025
TerminalSessionId: 2
IntegrityLevel: Medium
Hashes: MD5=7353F60B1739074EB17C5F4DDDEFE239,SHA256=DE96A6E69944335375DC1AC238336066889D9FFC7D73628EF4FE1B1B160AB32C,IMPHASH=741776AACCFC5B71FF59832DCDCACE0F
ParentProcessGuid: {f76e45db-15fb-6438-be00-000000002900}
ParentProcessId: 2204
ParentImage: C:\Windows\explorer.exe
ParentCommandLine: C:\Windows\Explorer.EXE
ParentUser: HOMELAB\da_user.name"'
win.system.opcode: '0'
win.system.processID: '3524'
win.system.providerGuid: '{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'
win.system.providerName: 'Microsoft-Windows-Sysmon'
win.system.severityValue: 'INFORMATION'
win.system.systemTime: '2023-04-13T18:03:12.632547300Z'
win.system.task: '1'
win.system.threadID: '4652'
win.system.version: '5'
**Rule debugging:
Trying rule: 1 - Generic template for all windows eventchannel rules.
Why is it not hitting the event channel rule? Is the decoder's name json? If so, why is decoder.name in Kibana/Elasticsearch windows_eventchannel, and how do I match only Windows eventchannel log events with a rule?
Windows event logs are not supported by the logtest tool. However, you can work around this issue by changing the base Windows rule 60000. In the rule file 0575-win-base_rules.xml, change rule id 60000, removing the category tag and changing the decoded_as tag value to json. It should look like this:
Now you can test your custom rules using logtest (use /var/ossec/bin/wazuh-logtest instead of /var/ossec/bin/wazuh-logtest-legacy).
In addition, Wazuh already includes Sysmon rules. For the provided event, Wazuh should trigger rule 61603 with level 0:
Taking that into account, and using default rules, you can provide almost the same functionality with only your last two rules (Sysmon_EID1_rules file):
Remember to reset the original Windows rule once you have ended your testing.
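The two rule fragments the answer refers to, written out as an added example (not the answerer's own snippets, which are not reproduced on this page, and not Wazuh's stock ruleset verbatim). It assumes that the stock rule 60000 in /var/ossec/ruleset/rules/0575-win-base_rules.xml consists of a category tag, a decoded_as tag set to windows_eventchannel and a description, so that only those two lines change for testing; that the enclosing group name of that file is not shown exactly here; and that the custom rules live in /var/ossec/etc/rules/local_rules.xml. The custom chain starts at the stock Sysmon process-creation rule 61603 (level 0, named in the answer) instead of redefining a base/windows/sysmon hierarchy, and the field patterns use the default OS_Regex syntax, where a plain dot is literal and $ anchors the end of the value.

```xml
<!-- 1. Testing-only edit to the stock base Windows rule (file and group
        layout assumed; revert it when the test is finished, as the answer says).
        The <category> tag is removed and decoded_as points at the json decoder
        that wazuh-logtest reports in "Phase 2". -->
<group name="windows,">
  <rule id="60000" level="0">
    <decoded_as>json</decoded_as>
    <description>Group of windows rules.</description>
  </rule>
</group>

<!-- 2. Custom rules, e.g. /var/ossec/etc/rules/local_rules.xml (path assumed).
        IDs 100000-120000 are the range reserved for custom rules, so the
        original 18100 / 184665 ids are not needed or reused. -->
<group name="sysmon,sysmon_event1,">

  <!-- powershell.exe started by anything: informational, stays in the log index -->
  <rule id="100101" level="3">
    <if_sid>61603</if_sid>
    <field name="win.eventdata.image">powershell.exe$</field>
    <description>Sysmon - PowerShell prompt execution</description>
  </rule>

  <!-- same event, but the parent is explorer.exe: level 10 reaches the HIDS index -->
  <rule id="100102" level="10">
    <if_sid>100101</if_sid>
    <field name="win.eventdata.parentImage">explorer.exe$</field>
    <description>Sysmon - PowerShell execution - explorer parent</description>
  </rule>

</group>
```

With the temporary 60000 edit in place, feeding the JSON event from the question to /var/ossec/bin/wazuh-logtest should walk the chain 60000 → 61603 → 100101 → 100102, and the last one is the only alert above the level-7 routing threshold described in the question. The original `\.*powershell\.*` patterns also match (in OS_Regex `\.` means any character), but anchoring on the file name avoids matching other paths that merely contain the substring.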