{"id":172,"date":"2008-07-04T22:07:00","date_gmt":"2008-07-04T22:07:00","guid":{"rendered":"https:\/\/defragged.org\/ossec\/?p=172"},"modified":"2020-07-02T22:08:36","modified_gmt":"2020-07-02T22:08:36","slug":"testing-ossec-rules","status":"publish","type":"post","link":"https:\/\/defragged.org\/ossec\/2008\/07\/testing-ossec-rules\/","title":{"rendered":"Testing OSSEC rules"},"content":{"rendered":"\n<p>When you are troubleshooting <a href=\"http:\/\/www.ossec.net\/\">OSSEC<\/a> or writing new rules and decoders, the first problem most people run into is how to test them. In the past this meant restarting OSSEC after every change or keeping a separate test installation, but as of the latest CVS snapshot we have added a tool to simplify the task: <em>ossec-logtest<\/em> (the program still identifies itself as <em>ossec-testrule<\/em> in its output).<\/p>\n\n\n\n<p>First, grab the latest CVS snapshot and compile it (the tool will be included in v1.6 and above):<\/p>\n\n\n\n<blockquote class=\"wp-block-quote\"><p># wget http:\/\/www.ossec.net\/files\/snapshots\/ossec-hids-080704.tar.gz<br># tar -zxvf ossec-hids-080704.tar.gz<br># cd ossec-hids-080704\/src\/<br># make clean<br># make libs<br># cd analysisd<br># make logtest<\/p><\/blockquote>\n\n\n\n<p>The <em>ossec-logtest<\/em> binary is created in the current directory and can be used right away. 
It reads the rules and decoders currently installed under \/var\/ossec and accepts log lines on stdin, one per line, printing how each line is decoded and which rule fires:<\/p>\n\n\n\n<blockquote class=\"wp-block-quote\"><p><strong># .\/ossec-logtest<\/strong><br>2008\/07\/04 09:57:28 ossec-testrule: INFO: Started (pid: 12683).<br>ossec-testrule: Type one log per line.<\/p><p><strong>Jul 4 09:42:16 enigma sshd[11990]: Accepted password for dcid from 192.168.2.10 port 35259 ssh2<\/strong><\/p><p>**Phase 1: Completed pre-decoding.<br>full event: 'Jul 4 09:42:16 enigma sshd[11990]: Accepted password for dcid from 192.168.2.10 port 35259 ssh2'<br>hostname: 'enigma'<br>program_name: 'sshd'<br>log: 'Accepted password for dcid from 192.168.2.10 port 35259 ssh2'<\/p><p>**Phase 2: Completed decoding.<br>decoder: 'sshd'<br>dstuser: 'dcid'<br>srcip: '192.168.2.10'<\/p><p>**Phase 3: Completed filtering (rules).<br>Rule id: '10100'<br>Level: '4'<br>Description: 'First time user logged in.'<br>**Alert to be generated.<\/p><\/blockquote>\n\n\n\n<p>So, in the above example, we provided a successful authentication log and <em>ossec-logtest<\/em> showed us the three phases it goes through: pre-decoding, which splits the hostname and program name off the syslog header; decoding, where the <em>sshd<\/em> decoder extracted the user (dstuser) and the source address (srcip); and rule matching, where rule 10100 (level 4) fired. If a custom decoder is not pulling out the field you expect, Phase 2 is where that shows; if a rule is not firing, Phase 3 is. 
In the next example, we can see how the fields are extracted from a Windows user logoff event:<\/p>\n\n\n\n<blockquote class=\"wp-block-quote\"><p><strong>WinEvtLog: Security: AUDIT_SUCCESS(538): Security: lac: OSSEC-HM: OSSEC-HM: User Logoff: User Name: lac Domain: OSSEC-HM Logon ID: (0x0,0xF784D5) Logon Type: 2<\/strong><\/p><p>**Phase 1: Completed pre-decoding.<br>full event: 'WinEvtLog: Security: AUDIT_SUCCESS(538): Security: lac: OSSEC-HM: OSSEC-HM: User Logoff: User Name: lac Domain: OSSEC-HM Logon ID: (0x0,0xF784D5) Logon Type: 2'<br>hostname: 'enigma'<br>program_name: '(null)'<br>log: 'WinEvtLog: Security: AUDIT_SUCCESS(538): Security: lac: OSSEC-HM: OSSEC-HM: User Logoff: User Name: lac Domain: OSSEC-HM Logon ID: (0x0,0xF784D5) Logon Type: 2'<\/p><p>**Phase 2: Completed decoding.<br>decoder: 'windows'<br>status: 'AUDIT_SUCCESS'<br>id: '538'<br>extra_data: 'Security'<br>dstuser: 'lac'<br>system_name: 'OSSEC-HM'<\/p><p>**Phase 3: Completed filtering (rules).<br>Rule id: '18149'<br>Level: '3'<br>Description: 'Windows User Logoff.'<br>**Alert to be generated.<\/p><\/blockquote>\n\n\n\n<p>Note that this event carries no syslog header, so pre-decoding finds no program name ('(null)') and the whole line is handed to the <em>windows<\/em> decoder, which pulls the event id, status, user and system name out of it. In addition to this information, you can run <strong>ossec-logtest<\/strong> with the <strong>-f<\/strong> flag to trace the full rule path that the log follows, which is what you want when a new rule is not firing or a more generic rule keeps matching ahead of it:<\/p>\n\n\n\n<blockquote class=\"wp-block-quote\"><p># <strong>.\/ossec-logtest -f<\/strong><br>2008\/07\/04 10:05:43 ossec-testrule: INFO: Started (pid: 23007).<br>ossec-testrule: Type one log per line.<\/p><p><strong>Jul 4 10:05:30 enigma sshd[27588]: Failed password for invalid user test2 from 127.0.0.1 port 19130 ssh2<\/strong><\/p><p>**Phase 1: Completed pre-decoding.<br>full event: 'Jul 4 10:05:30 enigma sshd[27588]: Failed password for invalid user test2 from 127.0.0.1 port 19130 ssh2'<br>hostname: 'enigma'<br>program_name: 'sshd'<br>log: 'Failed password for invalid user test2 from 127.0.0.1 port 19130 ssh2'<\/p><p>**Phase 2: Completed decoding.<br>decoder: 'sshd'<br>srcip: '127.0.0.1'<\/p><p><strong><em>**Rule debugging:<br>Trying rule: 1 - Generic template for all syslog rules.<br>*Rule 1 matched.<br>*Trying child rules.<br>Trying rule: 5500 - Grouping of the pam_unix rules.<br>Trying rule: 5700 - SSHD messages grouped.<br>*Rule 5700 matched.<br>*Trying child rules.<br>Trying rule: 5709 - Useless SSHD message without an user\/ip.<br>Trying rule: 5711 - Useless SSHD message without a user\/ip.<br>Trying rule: 5707 - OpenSSH challenge-response exploit.<br>Trying rule: 5701 - Possible attack on the ssh server (or version gathering).<br>Trying rule: 5706 - SSH insecure connection attempt (scan).<br>Trying rule: 5713 - Corrupted bytes on SSHD.<br>Trying rule: 5702 - Reverse lookup error (bad ISP or attack).<br>Trying rule: 5710 - Attempt to login using a non-existent user<br>*Rule 5710 matched.<br>*Trying child rules.<br>Trying rule: 5712 - SSHD brute force trying to get access to the system.<br><\/em><\/strong><br>**Phase 3: Completed filtering (rules).<br>Rule id: '5710'<br>Level: '5'<br>Description: 'Attempt to login using a non-existent user'<br>**Alert to be generated.<\/p><\/blockquote>\n\n\n\n
<p>As you can see, it shows every rule that was tried and whether it matched. The log first matched the generic syslog rule 1, then its child 5700 (all sshd messages); of the children of 5700 only 5710 matched, and its own child 5712 was tried but did not fire on a single event, since it is a frequency rule that only triggers after repeated failures within its time frame. Rules are evaluated from parent to child (each '*Trying child rules.' step), so when a rule you just wrote never appears in this trace, the first thing to check is which rule it is a child of.<\/p>\n\n\n\n<p>Hope this little tool can be helpful. Feedback is welcome, as always.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>When you are troubleshooting&nbsp;OSSEC&nbsp;or trying to write new rules\/decoders, the first problem most people have is how to test them. 
In the past, it would require manually restarting or creating a testing installation for it, but as from the latest CVS snapshot, we built a tool to simplify this task (ossec-testrule). First, grab the latest [&hellip;]<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":[],"categories":[5,4],"tags":[10],"_links":{"self":[{"href":"https:\/\/defragged.org\/ossec\/wp-json\/wp\/v2\/posts\/172"}],"collection":[{"href":"https:\/\/defragged.org\/ossec\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/defragged.org\/ossec\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/defragged.org\/ossec\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/defragged.org\/ossec\/wp-json\/wp\/v2\/comments?post=172"}],"version-history":[{"count":1,"href":"https:\/\/defragged.org\/ossec\/wp-json\/wp\/v2\/posts\/172\/revisions"}],"predecessor-version":[{"id":173,"href":"https:\/\/defragged.org\/ossec\/wp-json\/wp\/v2\/posts\/172\/revisions\/173"}],"wp:attachment":[{"href":"https:\/\/defragged.org\/ossec\/wp-json\/wp\/v2\/media?parent=172"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/defragged.org\/ossec\/wp-json\/wp\/v2\/categories?post=172"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/defragged.org\/ossec\/wp-json\/wp\/v2\/tags?post=172"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
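The post shows ossec-logtest being driven by hand; the natural next step for anyone maintaining custom rules is a regression harness around it. The example below is added here by the editor and is not code from the post or from the OSSEC project. It feeds a list of log lines to the binary on stdin, parses the Phase 1/2/3 output (and the -f trace lines) into one record per event, and compares the rule that fired against the rule each line is expected to trigger. Assumptions: the binary lives at /var/ossec/bin/ossec-logtest (a fresh build from the steps in the post leaves it in src/analysisd/ instead), the phase output goes to stdout, and trace lines have the 'Trying rule: N - description' form shown above. The embedded sample output is constructed by abridging the post's two sshd runs so the parser can be exercised without an OSSEC install.

```python
"""Regression harness around ossec-logtest (added example, not OSSEC code)."""
import re
import subprocess

# Assumed install path; a fresh build leaves the binary in src/analysisd/ instead.
LOGTEST_BIN = "/var/ossec/bin/ossec-logtest"
PHASE1 = "**Phase 1: Completed pre-decoding."
FIELD_RE = re.compile(r"^([A-Za-z_ ]+): '(.*)'$")   # "key: 'value'" lines
TRYING_RE = re.compile(r"^Trying rule: (\d+) - ")   # -f trace lines
MATCHED_RE = re.compile(r"^\*Rule (\d+) matched\.$")


def parse_logtest_output(text):
    """Turn ossec-logtest output into one dict per submitted log line."""
    events, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line == PHASE1:                # every event starts with Phase 1
            cur = dict(decoder=None, fields={}, rule_id=None, level=None,
                       description=None, alert=False, tried=[], matched=[])
            events.append(cur)
        elif cur is None or not line:     # startup banner, blank lines
            pass
        elif line == "**Alert to be generated.":
            cur["alert"] = True
        elif m := TRYING_RE.match(line):
            cur["tried"].append(int(m.group(1)))
        elif m := MATCHED_RE.match(line):
            cur["matched"].append(int(m.group(1)))
        elif m := FIELD_RE.match(line):   # "**Phase 2 ..." etc. fall through
            key, val = m.groups()
            if key in ("decoder", "Rule id", "Level", "Description"):
                cur[key.lower().replace(" ", "_")] = int(val) if val.isdigit() else val
            else:                         # full event, hostname, srcip, dstuser, ...
                cur["fields"][key] = val
    return events


def run_logtest(log_lines, binary=LOGTEST_BIN, full_trace=False):
    """Feed log lines to ossec-logtest on stdin, one per line, and parse stdout."""
    cmd = [binary, "-f"] if full_trace else [binary]
    proc = subprocess.run(cmd, input="\n".join(log_lines) + "\n",
                          capture_output=True, text=True, check=True)
    return parse_logtest_output(proc.stdout)


def check_expectations(events, expected):
    """expected is [(log_line, rule_id)], rule_id None meaning 'no alert'."""
    failures = []
    if len(events) != len(expected):      # a line was swallowed or split
        failures.append("submitted %d logs, parsed %d events" % (len(expected), len(events)))
    for i, (ev, (log, want)) in enumerate(zip(events, expected)):
        got = ev["rule_id"] if ev["alert"] else None
        if got != want:
            failures.append("#%d %r: expected %s, got rule %s (alert=%s)"
                            % (i, log[:40], want, ev["rule_id"], ev["alert"]))
    return failures


# Constructed sample, abridged from the post's two sshd runs (plain and -f).
SAMPLE_OUTPUT = """\
ossec-testrule: Type one log per line.
**Phase 1: Completed pre-decoding.
       full event: 'Jul 4 09:42:16 enigma sshd[11990]: Accepted password for dcid from 192.168.2.10 port 35259 ssh2'
**Phase 2: Completed decoding.
       decoder: 'sshd'
       dstuser: 'dcid'
       srcip: '192.168.2.10'
**Phase 3: Completed filtering (rules).
       Rule id: '10100'
       Level: '4'
       Description: 'First time user logged in.'
**Alert to be generated.
**Phase 1: Completed pre-decoding.
       full event: 'Jul 4 10:05:30 enigma sshd[27588]: Failed password for invalid user test2 from 127.0.0.1 port 19130 ssh2'
**Phase 2: Completed decoding.
       decoder: 'sshd'
       srcip: '127.0.0.1'
**Rule debugging:
    Trying rule: 5700 - SSHD messages grouped.
       *Rule 5700 matched.
    Trying rule: 5710 - Attempt to login using a non-existent user
       *Rule 5710 matched.
    Trying rule: 5712 - SSHD brute force trying to get access to the system.
**Phase 3: Completed filtering (rules).
       Rule id: '5710'
       Level: '5'
       Description: 'Attempt to login using a non-existent user'
**Alert to be generated.
"""
SAMPLE_EXPECTED = [  # what the two sample lines must trigger
    ("Jul 4 09:42:16 enigma sshd[11990]: Accepted password for dcid from 192.168.2.10 port 35259 ssh2", 10100),
    ("Jul 4 10:05:30 enigma sshd[27588]: Failed password for invalid user test2 from 127.0.0.1 port 19130 ssh2", 5710),
]

if __name__ == "__main__":
    print(check_expectations(parse_logtest_output(SAMPLE_OUTPUT), SAMPLE_EXPECTED) or "sample OK")
```

Against a real install, replace the parse of SAMPLE_OUTPUT with `run_logtest([log for log, _ in SAMPLE_EXPECTED], full_trace=True)` and keep the (log line, expected rule) pairs under version control next to the custom rules: a change that lets a generic rule match ahead of a custom one, or that breaks a decoder so the rule no longer sees its field, then shows up as a failed check rather than as missing alerts in production. For frequency rules such as 5712, feed the whole burst of events in one run, since a single line will never trigger them.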