Detecting threats using inventory data

| by Pablo Navarro | Wazuh 3.9
Post icon

Wazuh detects threats and intruders in your system, undesired software, or incorrect parameters on a process. Learn how to create custom rules based on the system information of Wazuh agents.

In this article, we discuss a new feature added in version 3.9.0, that allows us to create rules based on the system information of Wazuh agents.

Before starting, we shall keep in mind that Syscollector is a Wazuh module that gathers the most relevant information from the monitored system. The module has different scans: Hardware, Operating System, Network Interfaces, Packages, Ports and Processes. Each scan retrieves a list of fields with the read data which is stored in databases. The list of fields and more information about the module is available in our documentation.

Before version 3.9.0, it was impossible to interact with the information because it was read-only. Now the inventory data can be used in the rules to trigger an alert when an expected value is extracted and to enrich the alert description with the fields of the event as well.

How to use decoded fields in the Wazuh ruleset

Here we have an example of a Syscollector event, extracted from the archives.log file of the manager. In there, we can see the fields related to a network interface from a network scan.

2019 Jun 14 16:30:18 pablo-work->syscollector 
{"type":"network","ID":834291887,"timestamp":"2019/06/14 16:30:18","iface":{"name":"docker0","type":"ethernet","state":"down","MAC":"02:42:00:e8:60:9c","tx_packets":0,"rx_packets":0,"tx_bytes":0,"rx_bytes":0,"tx_errors":0,"rx_errors":0,"tx_dropped":0,"rx_dropped":0,"MTU":1500,"IPv4":{"address":["172.17.0.1"],"netmask":["255.255.0.0"],"broadcast":["172.17.255.255"],"gateway":"unknown","DHCP":"enabled"}}}

When an event is received, it is decoded and the fields are extracted. When this event is related to Syscollector, those fields contain the scan information.

For example, let’s suppose my agents have docker images running, and these images shouldn’t have a network connection. I could write a rule that alerts me when a docker network interface is up:

<rule id="223" level="10">
 <if_sid>221</if_sid>
 <decoded_as>syscollector</decoded_as>
 <field name="netinfo.iface.name">^docker\d*{{code:1:}}</field>
 <field name="netinfo.iface.state">^up{{code:1:}}</field>
 <description>A Docker network interface has been detected: $(netinfo.iface.name)</description>
</rule>

With the new rule added, the manager will display an alert each time a network interface of docker is running:

Wazuh alert when a network interface thread is detected in a docker container

This was a very basic example. Now, we are going to see how this capability can help us in a more complex and real case.

Detecting undesirable connections to Wazuh manager

The port scan of Syscollector gives us information about the status of the ports of the monitored host, what type of connection they are using. If the port is TCP, the scan can tell us the IP of the connected client.

For example, we have a Wazuh manager running in TCP mode. The connections are made through port 1514, and we have a list of expected IP addresses that could be connected to the manager. In this case, we are going to generate an alert when an unexpected IP is connected to the Wazuh manager.

Configuration of the environment

Our first step is going to be the creation of a CDB list with the expected IP addresses that are allowed to be connected to the manager:

/var/ossec/etc/lists/allowed_ips

192.168.0.74:allow10.0.0.:allow

Once it is done, we need to add the CDB list to the ossec.conf and configure the port scan of Syscollector to detect all the established connections:

<ruleset>
    <list>etc/lists/allowed_ips</list>
</ruleset>

<wodle name="syscollector">
   <ports all="yes">yes</ports>
</wodle>

The final step is to write the rule that matches with port 1514 and search the remote address in the list we just created:

<rule id="224" level="12">
  <if_sid>221</if_sid>
  <field name="port.local_port">^1514{{code:4:}}</field>
  <field name="port.state">^established{{code:4:}}</field>
  <list field="port.remote_ip" lookup="not_address_match_key">etc/lists/allowed_ips</list>
  <description>An unexpected IP has been connected to the Wazuh manager</description>
</rule>

Detecting the intruder

With this environment setup, we will receive an alert each time a connection is made to port 1514 from an IP that is different than 192.168.0.74 or 10.0.0.x.

Wazuh alert for the detected intruder or threats

Conclusion

This feature can increase the utility of Syscollector giving more possibilities to the recollected information. We could use it to detect undesired software, threats, errors in network interfaces, incorrect parameters on a process and lots of possibilities in order to detect anomalous situations in the monitored agents.

Don’t hesitate to ask any questions about how detect threats and intruders or share your use cases for this feature in our social media, mailing list or Slack community.