Merge pull request #3235 from wazuh/3208-fix-e2e-test-rdp

E2E tests: Fix Brute Force tests
wazuh · Sep 1, 2022 · d73f9df · d73f9df
2 parents 537cc41 + 4cebf5d
commit d73f9df
Show file tree

Hide file tree

Showing 7 changed files with 48 additions and 16 deletions.
diff --git a/tests/end_to_end/data/ansible_roles/manage_alerts/tasks/search_alert.yaml b/tests/end_to_end/data/ansible_roles/manage_alerts/tasks/search_alert.yaml
@@ -0,0 +1,12 @@
+- name: Search alert in alerts log
+  become: true
+  lineinfile:
+    path: /var/ossec/logs/alerts/alerts.json
+    regexp: "{{ custom_regex }}"
+    state: absent
+  check_mode: true
+  changed_when: false
+  register: alert
+  until: alert.found != 0
+  retries: "{{ attempts }}"
+  delay: "{{ time_btw_attempts }}"
diff --git a/tests/end_to_end/data/env_requirements.json b/tests/end_to_end/data/env_requirements.json
@@ -47,7 +47,8 @@
         "agent": {
             "instances": 1,
             "distros": [
-                "Windows"
+                "Windows",
+                "Ubuntu"
             ]
         }
     },

diff --git a/.../test_basic_cases/test_brute_force/test_brute_force_rdp/data/playbooks/configuration.yaml b/.../test_basic_cases/test_brute_force/test_brute_force_rdp/data/playbooks/configuration.yaml
@@ -1,10 +1,10 @@
 - name: Configure local environment
-  hosts: localhost
+  hosts: ubuntu-agent
   become: true
   tasks:
 
     # Install hydra to attempt the RDP brute force attack
     - name: Install hydra
       package:
-        name: hydra
+        name: hydra=9.2-1ubuntu1
         state: present
diff --git a/...est_basic_cases/test_brute_force/test_brute_force_rdp/data/playbooks/generate_events.yaml b/...est_basic_cases/test_brute_force/test_brute_force_rdp/data/playbooks/generate_events.yaml
@@ -8,7 +8,7 @@
         tasks_from: truncate_alert_json.yaml
 
 - name: Generate events
-  hosts: localhost
+  hosts: ubuntu-agent
   tasks:
 
     - name: Attempt a RDP brute force attack
@@ -22,18 +22,22 @@
         - test_user
         - test_user
         - test_user
-      register: result
-      failed_when:
-        - "'0 valid password found' not in result.stdout"
-
-    - name: Wait for alert
-      wait_for:
-        timeout: 5
 
 - name: Get alerts file
   hosts: managers
   tasks:
 
+    - name: Search alert in alerts log
+      include_role:
+        name: manage_alerts
+        tasks_from: search_alert.yaml
+      vars:
+        timestamp: \d+-\d+-\d+T\d+:\d+:\d+\.\d+[+|-]\d+
+        custom_regex: "{\"timestamp\":\"{{ timestamp }}\",\"rule\":{\"level\":{{ rule_level }},\
+          \"description\":\"{{ rule_description }}\",\"id\":\"{{ rule_id }}\".*"
+        attempts: 15
+        time_btw_attempts: 2
+
     - name: Get alert json
       include_role:
         name: manage_alerts

diff --git a/...ic_cases/test_brute_force/test_brute_force_rdp/data/test_cases/cases_brute_force_rdp.yaml b/...ic_cases/test_brute_force/test_brute_force_rdp/data/test_cases/cases_brute_force_rdp.yaml
@@ -7,3 +7,7 @@
     rule.description: Multiple Windows logon failures.
     extra:
       mitre_technique: Brute Force
+    extra_vars:
+      rule_id: 60204
+      rule_level: 10
+      rule_description: Multiple Windows logon failures.
diff --git a/...est_basic_cases/test_brute_force/test_brute_force_ssh/data/playbooks/generate_events.yaml b/...est_basic_cases/test_brute_force/test_brute_force_ssh/data/playbooks/generate_events.yaml
@@ -19,7 +19,7 @@
         responses:
           (.*)continue connecting(.*): 'yes'
           (?i)password: 1
-        timeout: 5
+        timeout: 15
       loop:
         - test_user
         - test_user
@@ -33,14 +33,21 @@
       failed_when:
         - "'Permission denied' not in result.stdout"
 
-    - name: Wait for alert
-      wait_for:
-        timeout: 5
-
 - name: Get alerts file
   hosts: managers
   tasks:
 
+    - name: Search alert in alerts log
+      include_role:
+        name: manage_alerts
+        tasks_from: search_alert.yaml
+      vars:
+        timestamp: \d+-\d+-\d+T\d+:\d+:\d+\.\d+[+|-]\d+
+        custom_regex: "{\"timestamp\":\"{{ timestamp }}\",\"rule\":{\"level\":{{ rule_level }},\
+          \"description\":\"{{ rule_description }}\",\"id\":\"{{ rule_id }}\".*"
+        attempts: 15
+        time_btw_attempts: 2
+
     - name: Get alert json
       include_role:
         name: manage_alerts

diff --git a/...ic_cases/test_brute_force/test_brute_force_ssh/data/test_cases/cases_brute_force_ssh.yaml b/...ic_cases/test_brute_force/test_brute_force_ssh/data/test_cases/cases_brute_force_ssh.yaml
@@ -7,3 +7,7 @@
     rule.description: "sshd: brute force trying to get access to the system. Non existent user."
     extra:
       mitre_technique: Brute Force
+    extra_vars:
+      rule_id: 5712
+      rule_level: 10
+      rule_description: "sshd: brute force trying to get access to the system. Non existent user."