From 7194025666e64ee4895765bc66b6daebfd88acd9 Mon Sep 17 00:00:00 2001
From: Mauro Malara
Date: Thu, 1 Sep 2022 12:21:14 -0300
Subject: [PATCH 1/2] fix(#3208): fix hydra installation and add new role to search for alerts.
---
 .../manage_alerts/tasks/search_alert.yaml | 12 +++++++++++
 tests/end_to_end/data/env_requirements.json | 3 ++-
 .../data/playbooks/configuration.yaml | 4 ++--
 .../data/playbooks/generate_events.yaml | 20 +++++++++++--------
 .../test_cases/cases_brute_force_rdp.yaml | 4 ++++
 .../data/playbooks/generate_events.yaml | 19 +++++++++++++-----
 .../test_cases/cases_brute_force_ssh.yaml | 4 ++++
 7 files changed, 50 insertions(+), 16 deletions(-)
 create mode 100644 tests/end_to_end/data/ansible_roles/manage_alerts/tasks/search_alert.yaml
diff --git a/tests/end_to_end/data/ansible_roles/manage_alerts/tasks/search_alert.yaml b/tests/end_to_end/data/ansible_roles/manage_alerts/tasks/search_alert.yaml
new file mode 100644
index 0000000000..f3e75c6501
--- /dev/null
+++ b/tests/end_to_end/data/ansible_roles/manage_alerts/tasks/search_alert.yaml
@@ -0,0 +1,12 @@
+- name: Search alert in alerts log
+ become: true
+ lineinfile:
+ path: /var/ossec/logs/alerts/alerts.json
+ regexp: "{{ custom_regex }}"
+ state: absent
+ check_mode: true
+ changed_when: false
+ register: alert
+ until: alert.found != 0
+ retries: "{{ attempts }}"
+ delay: "{{ time_btw_attempts }}"
diff --git a/tests/end_to_end/data/env_requirements.json b/tests/end_to_end/data/env_requirements.json
index ad9baf33cc..a07f0b986f 100644
--- a/tests/end_to_end/data/env_requirements.json
+++ b/tests/end_to_end/data/env_requirements.json
@@ -47,7 +47,8 @@
 "agent": {
 "instances": 2,
 "distros": [
- "Windows"
+ "Windows",
+ "Ubuntu"
 ]
 }
 },
diff --git a/tests/end_to_end/test_basic_cases/test_brute_force/test_brute_force_rdp/data/playbooks/configuration.yaml b/tests/end_to_end/test_basic_cases/test_brute_force/test_brute_force_rdp/data/playbooks/configuration.yaml
index c37d81d4d0..ea4555f90f 100644
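Review bot: The new search_alert.yaml polls the alert log with `lineinfile` in `state: absent`, so the only thing standing between "search" and "delete every matching alert from /var/ossec/logs/alerts/alerts.json" is the `check_mode: true` line; losing that line in a later edit, or invoking the role with check mode overridden, would destroy the very evidence the following "Get alert json" task reads. The `wait_for` module does this polling natively with `path` plus `search_regex`, never writes to the file, and also waits for the file to appear, so it is the safer primitive; the role's `attempts`/`time_btw_attempts` inputs map onto its `timeout`/`sleep`. Whichever is kept, the task file declares no defaults and gives no description of its three required inputs, so a header such as `# Required vars: custom_regex (Python regex matched per line), attempts, time_btw_attempts (seconds)` would help callers.
```yaml
- name: Search alert in alerts log
  become: true
  wait_for:
    path: /var/ossec/logs/alerts/alerts.json
    search_regex: "{{ custom_regex }}"
    timeout: "{{ attempts | int * time_btw_attempts | int }}"
    sleep: "{{ time_btw_attempts }}"
```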
--- a/tests/end_to_end/test_basic_cases/test_brute_force/test_brute_force_rdp/data/playbooks/configuration.yaml
+++ b/tests/end_to_end/test_basic_cases/test_brute_force/test_brute_force_rdp/data/playbooks/configuration.yaml
@@ -1,10 +1,10 @@
 - name: Configure local environment
- hosts: localhost
+ hosts: ubuntu-agent
 become: true
 tasks:
 # Install hydra to attempt the RDP brute force attack
 - name: Install hydra
 package:
- name: hydra
+ name: hydra=9.2-1ubuntu1
 state: present
diff --git a/tests/end_to_end/test_basic_cases/test_brute_force/test_brute_force_rdp/data/playbooks/generate_events.yaml b/tests/end_to_end/test_basic_cases/test_brute_force/test_brute_force_rdp/data/playbooks/generate_events.yaml
index 238b3dd35b..61e176d6bd 100644
--- a/tests/end_to_end/test_basic_cases/test_brute_force/test_brute_force_rdp/data/playbooks/generate_events.yaml
+++ b/tests/end_to_end/test_basic_cases/test_brute_force/test_brute_force_rdp/data/playbooks/generate_events.yaml
@@ -8,7 +8,7 @@
 tasks_from: truncate_alert_json.yaml
 - name: Generate events
- hosts: localhost
+ hosts: ubuntu-agent
 tasks:
 - name: Attempt a RDP brute force attack
@@ -22,18 +22,22 @@
 - test_user
 - test_user
 - test_user
- register: result
- failed_when:
- - "'0 valid password found' not in result.stdout"
-
- - name: Wait for alert
- wait_for:
- timeout: 5
 - name: Get alerts file
 hosts: managers
 tasks:
+ - name: Search alert in alerts log
+ include_role:
+ name: manage_alerts
+ tasks_from: search_alert.yaml
+ vars:
+ ts: \d+-\d+-\d+T\d+:\d+:\d+\.\d+[+|-]\d+
+ custom_regex: "{\"timestamp\":\"{{ ts }}\",\"rule\":{\"level\":{{ rule_level }},\
+ \"description\":\"{{ rule_description }}\",\"id\":\"{{ rule_id }}\".*"
+ attempts: 15
+ time_btw_attempts: 2
+
 - name: Get alert json
 include_role:
 name: manage_alerts
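Review bot: Pinning `name: hydra=9.2-1ubuntu1` through the distro-agnostic `package` module ties this play to the one Ubuntu release whose archive carries exactly that build (the `ubuntu1` suffix suggests a 22.04 package, though the target image is not visible here); on any other Ubuntu image, or once the archive moves to a newer build, `state: present` fails on an unresolvable version and the RDP test errors out before a single event is generated. The `name=version` form is apt syntax that `package` only passes through, so if the exact build really is required it belongs in the `apt` module, e.g. `apt:` / `name: hydra=9.2-1ubuntu1` / `state: present`, with a comment stating why that version is needed — the commit message only says the install was broken. If any recent hydra works, dropping the Debian revision and keeping a plain `name: hydra` is the more portable choice.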
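Review bot: The `@@ -22,18` hunk deletes `register: result` and the `failed_when: "'0 valid password found' not in result.stdout"` check from the hydra task, so the RDP brute-force step now succeeds no matter what hydra did — a wrong target, a closed port or a hydra build without the rdp module all pass silently, and the failure only surfaces after the search role's 15 × 2 s poll as a missing alert, with no hydra output to explain it. The ssh counterpart in this same patch keeps its `'Permission denied'` assertion, so this task should keep `register: result` and `failed_when: "'0 valid password found' not in result.stdout"` as well; only the fixed `wait_for` sleep is what the new search role replaces. The hydra task itself begins above the hunk, so its argument list is not visible here.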
diff --git a/tests/end_to_end/test_basic_cases/test_brute_force/test_brute_force_rdp/data/test_cases/cases_brute_force_rdp.yaml b/tests/end_to_end/test_basic_cases/test_brute_force/test_brute_force_rdp/data/test_cases/cases_brute_force_rdp.yaml index 0d2bfb9feb..bf6eaace89 100644 --- a/tests/end_to_end/test_basic_cases/test_brute_force/test_brute_force_rdp/data/test_cases/cases_brute_force_rdp.yaml +++ b/tests/end_to_end/test_basic_cases/test_brute_force/test_brute_force_rdp/data/test_cases/cases_brute_force_rdp.yaml @@ -7,3 +7,7 @@ rule.description: Multiple Windows logon failures. extra: mitre_technique: Brute Force + extra_vars: + rule_id: 60204 + rule_level: 10 + rule_description: Multiple Windows logon failures. diff --git a/tests/end_to_end/test_basic_cases/test_brute_force/test_brute_force_ssh/data/playbooks/generate_events.yaml b/tests/end_to_end/test_basic_cases/test_brute_force/test_brute_force_ssh/data/playbooks/generate_events.yaml index eaa2e16655..9311246dc5 100644 --- a/tests/end_to_end/test_basic_cases/test_brute_force/test_brute_force_ssh/data/playbooks/generate_events.yaml +++ b/tests/end_to_end/test_basic_cases/test_brute_force/test_brute_force_ssh/data/playbooks/generate_events.yaml @@ -19,7 +19,7 @@ responses: (.*)continue connecting(.*): 'yes' (?i)password: 1 - timeout: 5 + timeout: 15 loop: - test_user - test_user @@ -33,14 +33,23 @@ failed_when: - "'Permission denied' not in result.stdout" - - name: Wait for alert - wait_for: - timeout: 5 - - name: Get alerts file hosts: managers + vars: + ts: tasks: + - name: Search alert in alerts log + include_role: + name: manage_alerts + tasks_from: search_alert.yaml + vars: + ts: \d+-\d+-\d+T\d+:\d+:\d+\.\d+[+|-]\d+ + custom_regex: "{\"timestamp\":\"{{ ts }}\",\"rule\":{\"level\":{{ rule_level }},\ + \"description\":\"{{ rule_description }}\",\"id\":\"{{ rule_id }}\".*" + attempts: 15 + time_btw_attempts: 2 + - name: Get alert json include_role: name: manage_alerts 
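Review bot: In cases_brute_force_rdp.yaml the new `extra_vars.rule_description: Multiple Windows logon failures.` repeats the `rule.description` value two lines above it, and `rule_id`/`rule_level` presumably mirror `rule.id`/`rule.level` just above the visible context, so the case now carries two copies of the same expectation that can drift independently; if they diverge, the search role waits on one description while the later json comparison checks another, and the test fails with a timeout rather than a clear mismatch. Either have the harness derive `extra_vars` from the metadata keys, or mark the coupling in the file with `# extra_vars must mirror rule.id / rule.level / rule.description above; the search role builds its regex from them`.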
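Review bot: In the ssh generate_events `@@ -33,14` hunk, `rule_description` is interpolated verbatim into `custom_regex`, and for this case its value is `sshd: brute force trying to get access to the system. Non existent user.`, whose two periods are regex wildcards rather than literal dots; any future description containing `(`, `[`, `+` or `*` would break the match outright. Escaping it at the call site, `\"description\":\"{{ rule_description | regex_escape }}\"`, keeps the comparison literal. The timestamp pattern `[+|-]\d+` also lists `|` as a third permitted sign character because `|` is literal inside a character class; `[+-]\d+` is the intended class.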
diff --git a/tests/end_to_end/test_basic_cases/test_brute_force/test_brute_force_ssh/data/test_cases/cases_brute_force_ssh.yaml b/tests/end_to_end/test_basic_cases/test_brute_force/test_brute_force_ssh/data/test_cases/cases_brute_force_ssh.yaml
index d58f3ff6dd..73288d7db7 100644
--- a/tests/end_to_end/test_basic_cases/test_brute_force/test_brute_force_ssh/data/test_cases/cases_brute_force_ssh.yaml
+++ b/tests/end_to_end/test_basic_cases/test_brute_force/test_brute_force_ssh/data/test_cases/cases_brute_force_ssh.yaml
@@ -7,3 +7,7 @@
 rule.description: "sshd: brute force trying to get access to the system. Non existent user."
 extra:
 mitre_technique: Brute Force
+ extra_vars:
+ rule_id: 5712
+ rule_level: 10
+ rule_description: "sshd: brute force trying to get access to the system. Non existent user."
From 4cebf5da1bd817c56098b4774e183b959496bc1c Mon Sep 17 00:00:00 2001
From: Mauro Malara
Date: Thu, 1 Sep 2022 12:54:31 -0300
Subject: [PATCH 2/2] fix(#3208): fix timestamp variable in Ansible playbook.
---
 .../data/playbooks/generate_events.yaml | 4 ++--
 .../data/playbooks/generate_events.yaml | 6 ++----
 2 files changed, 4 insertions(+), 6 deletions(-)
diff --git a/tests/end_to_end/test_basic_cases/test_brute_force/test_brute_force_rdp/data/playbooks/generate_events.yaml b/tests/end_to_end/test_basic_cases/test_brute_force/test_brute_force_rdp/data/playbooks/generate_events.yaml
index 61e176d6bd..58efbc98d7 100644
--- a/tests/end_to_end/test_basic_cases/test_brute_force/test_brute_force_rdp/data/playbooks/generate_events.yaml
+++ b/tests/end_to_end/test_basic_cases/test_brute_force/test_brute_force_rdp/data/playbooks/generate_events.yaml
@@ -32,8 +32,8 @@
 name: manage_alerts
 tasks_from: search_alert.yaml
 vars:
- ts: \d+-\d+-\d+T\d+:\d+:\d+\.\d+[+|-]\d+
- custom_regex: "{\"timestamp\":\"{{ ts }}\",\"rule\":{\"level\":{{ rule_level }},\
+ timestamp: \d+-\d+-\d+T\d+:\d+:\d+\.\d+[+|-]\d+
+ custom_regex: "{\"timestamp\":\"{{ timestamp }}\",\"rule\":{\"level\":{{ rule_level }},\
 \"description\":\"{{ rule_description }}\",\"id\":\"{{ rule_id }}\".*"
 attempts: 15
 time_btw_attempts: 2
diff --git a/tests/end_to_end/test_basic_cases/test_brute_force/test_brute_force_ssh/data/playbooks/generate_events.yaml b/tests/end_to_end/test_basic_cases/test_brute_force/test_brute_force_ssh/data/playbooks/generate_events.yaml
index 9311246dc5..4906146562 100644
--- a/tests/end_to_end/test_basic_cases/test_brute_force/test_brute_force_ssh/data/playbooks/generate_events.yaml
+++ b/tests/end_to_end/test_basic_cases/test_brute_force/test_brute_force_ssh/data/playbooks/generate_events.yaml
@@ -35,8 +35,6 @@
 - name: Get alerts file
 hosts: managers
- vars:
- ts:
 tasks:
 - name: Search alert in alerts log
@@ -44,8 +42,8 @@
 name: manage_alerts
 tasks_from: search_alert.yaml
 vars:
- ts: \d+-\d+-\d+T\d+:\d+:\d+\.\d+[+|-]\d+
- custom_regex: "{\"timestamp\":\"{{ ts }}\",\"rule\":{\"level\":{{ rule_level }},\
+ timestamp: \d+-\d+-\d+T\d+:\d+:\d+\.\d+[+|-]\d+
+ custom_regex: "{\"timestamp\":\"{{ timestamp }}\",\"rule\":{\"level\":{{ rule_level }},\
 \"description\":\"{{ rule_description }}\",\"id\":\"{{ rule_id }}\".*"
 attempts: 15
 time_btw_attempts: 2
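Review bot: The renamed `timestamp` pattern in the rdp `@@ -32,8` hunk still ends in `[+|-]\d+` for the UTC offset, and inside a character class `|` is a literal, so the class also admits `|` as a sign; `[+-]\d+` is what was meant (or `[+-]\d{4}` if the offset is always four digits — the alerts.json format is not visible here). `timestamp` is also a very generic name for a role-call variable whose only consumer is the `custom_regex` value on the next line, so inlining the pattern there, or calling it `timestamp_regex`, avoids a collision with any same-named variable or fact on the managers. The `custom_regex` continuation line below is unchanged context and still interpolates `rule_description` unescaped.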