
Test decoders before matching rules #3446

Merged
merged 15 commits into from
Nov 4, 2021

Conversation

sortiz1191
Contributor

@sortiz1191 sortiz1191 commented Jul 7, 2021

Hi team!
This PR adds a feature to check decoders and rulesets using logtest.

To test it:

  1. Go to Management/Decoders
  • Given the browser is logged in the Wazuh kibana app
  • When the browser enters Management/Decoders
  • Then Decoders Sections will be displayed

Prerequisite 1: command: Apr 28 13:43:51 localhost local_decoder_example: test

  2. Test a decoder
  • Given the browser is at the Decoder section
  • When the user navigates to custom decoder -> Add new decoder file -> Decoder test
  • And the user pastes Prerequisite 1 and clicks on Test
  • Then the Decoders Test Section will not display an error

Tests:

The cases in focus are:

  • a log sample that matches a decoder but that matches no rule
  • a log sample that matches a rule that is level 0 (which always suppresses alerts)
  • a log sample that matches a rule that is level 1 or 2 (which generally is not logged due to default setting <log_alert_level>3</log_alert_level> in ossec.conf )

All of the above cases should produce the same output in the web interface as they currently output when wazuh-logtest is run from the command line.

Here is an example of the second item. It only matches top-level parent rule 5700, which is level 0.

Starting wazuh-logtest v4.2.4
Type one log per line
Nov  5 10:20:01 my-server sshd[529099]: this will get decoded but only match a level 0 rule

**Phase 1: Completed pre-decoding.
        full event: 'Nov  5 10:20:01 my-server sshd[529099]: this will get decoded but only match a level 0 rule'
        timestamp: 'Nov  5 10:20:01'
        hostname: 'my-server'
        program_name: 'sshd'
**Phase 2: Completed decoding.
        name: 'sshd' 

As to the first item in my list, I am assuming this is already present in local_decoder.xml:

<decoder name="local_decoder_example">
    <program_name>local_decoder_example</program_name>
</decoder>

And here is an example of a non-rule-matching sample that matches a decoder:

2021/11/05 10:36:19 wazuh-testrule: INFO: Started (pid: 2391674).
Since Wazuh v4.1.0 this binary is deprecated. Use wazuh-logtest instead
wazuh-testrule: Type one log per line.
Nov  5 10:20:01 my-server local_decoder_example[12345]: this will get decoded but match no rule at all

**Phase 1: Completed pre-decoding.
       full event: 'Nov  5 10:20:01 my-server local_decoder_example[12345]: this will get decoded but match no rule at all'
       timestamp: 'Nov  5 10:20:01'
       hostname: 'my-server'
       program_name: 'local_decoder_example'
       log: 'this will get decoded but match no rule at all'
**Phase 2: Completed decoding.
       decoder: 'local_decoder_example'

Lastly, an example of a level 2 rule that would normally not be logged:

  <rule id="5753" level="2">
    <if_sid>5750</if_sid>
    <match>no matching cipher found</match>
    <description>sshd: could not negotiate with client, no matching cipher.</description>
  </rule>

Here that one goes:

Starting wazuh-logtest v4.2.4
Type one log per line
Nov  5 10:20:01 my-server sshd[12345]: fatal: no matching cipher found

**Phase 1: Completed pre-decoding.
        full event: 'Nov  5 10:20:01 my-server sshd[12345]: fatal: no matching cipher found'
        timestamp: 'Nov  5 10:20:01'
        hostname: 'my-server'
        program_name: 'sshd'
**Phase 2: Completed decoding.
        name: 'sshd'
**Phase 3: Completed filtering (rules).
        id: '5753'
        level: '2'
        description: 'sshd: could not negotiate with client, no matching cipher.'
        groups: '['syslog', 'sshd']'
        firedtimes: '1'
        mail: 'False' 

Related issue: #3348
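As an added illustration (not code from the PR or from the Wazuh code base), the following Python parser reads the wazuh-logtest phase output quoted above and applies the three cases from the description, using the default log_alert_level of 3 mentioned there. The level-0 sample is constructed for the example; the other two are taken from the runs shown above.

```python
import re

# Constructed samples: the first two are trimmed copies of the PR's wazuh-logtest
# runs, the third is made up to exercise the level-0 branch.
NO_RULE = """**Phase 1: Completed pre-decoding.
       full event: 'Nov  5 10:20:01 my-server local_decoder_example[12345]: no rule'
       program_name: 'local_decoder_example'
**Phase 2: Completed decoding.
       decoder: 'local_decoder_example'
"""
LEVEL_2 = """**Phase 1: Completed pre-decoding.
       program_name: 'sshd'
**Phase 2: Completed decoding.
       name: 'sshd'
**Phase 3: Completed filtering (rules).
       id: '5753'
       level: '2'
       groups: '['syslog', 'sshd']'
"""
LEVEL_0 = LEVEL_2.replace("id: '5753'", "id: '5700'").replace("level: '2'", "level: '0'")

PHASE_RE = re.compile(r"^\*\*Phase (\d): ")
FIELD_RE = re.compile(r"^\s+([\w ]+): '(.*)'\s*$")


def parse_logtest(output):
    """Split wazuh-logtest output into {phase_number: {field: value}}."""
    phases, current = {}, None
    for line in output.splitlines():
        m = PHASE_RE.match(line)
        if m:
            current = int(m.group(1))
            phases[current] = {}
            continue
        m = FIELD_RE.match(line)
        if m and current is not None:
            phases[current][m.group(1)] = m.group(2)
    return phases


def classify(phases, log_alert_level=3):
    """Explain why a sample does or does not end up as a logged alert."""
    if 2 not in phases:
        return "not decoded"
    if 3 not in phases:
        return "decoded, no rule matched"
    level = int(phases[3]["level"])
    if level == 0:
        return "rule level 0: alert always suppressed"
    if level < log_alert_level:
        return f"rule level {level} below log_alert_level {log_alert_level}: not logged"
    return f"rule level {level}: alert logged"
```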

@sortiz1191 sortiz1191 requested a review from a team July 7, 2021 11:52
@sortiz1191 sortiz1191 self-assigned this Jul 7, 2021
Member

@mpRegalado mpRegalado left a comment


You accidentally branched from e4399fe and so the changes on the feature/3391_office365_module_navigation branch are included in this PR.
You should probably rebase it.

@Desvelao
Member

Desvelao commented Jul 8, 2021

issue: There are changes related to the Office 365 module. We should remove these changes from the PR.

nitpick: Add the change to the changelog

gabiwassan and others added 11 commits July 8, 2021 13:22
* refactor(error-orchestrator): Changed all context value of all try-catch implementations

* docs(error-orchestrator): Updated changelog.
* Implement try catch groups

* Add test

* test(groups): Added simple snapshot test.

* Add changelog

* Change context

* Change title

Co-authored-by: gabiwassan <[email protected]>
@sortiz1191 sortiz1191 force-pushed the feature/3348-test_decoders_before_matching_rules branch from 40eca7d to 3db17b0 Compare July 8, 2021 11:27
Member

@mpRegalado mpRegalado left a comment


CR: LGTM: ✔️

@Desvelao
Member

Changes

  • Add change to the changelog

@Desvelao Desvelao added the type/enhancement Enhancement issue label Jul 20, 2021
Member

@Desvelao Desvelao left a comment


review:
Code Review ✅

@github-actions
Contributor

Jest Test Coverage % values
Statements 3.12% ( 1109 / 35600 )
Branches 1.16% ( 324 / 27965 )
Functions 2.02% ( 174 / 8632 )
Lines 3.15% ( 1071 / 34018 )

@frankeros frankeros merged commit 239e4fb into 4.3-7.10 Nov 4, 2021
@frankeros frankeros deleted the feature/3348-test_decoders_before_matching_rules branch November 4, 2021 18:12
Successfully merging this pull request may close these issues.

When creating decoders it is very useful to be able to first test decoders before creating any matching rules.