No alerts on S.O. 2.4.10

[ricamz]

Version

2.4.10

Installation Method

Security Onion ISO image

Description

configuration

Installation Type

Standalone

Location

on-prem with Internet access

Hardware Specs

Exceeds minimum requirements

CPU

8

RAM

32

Storage for /

1TB

Storage for /nsm

1TB

Network Traffic Collection

other (please provide detail below)

Network Traffic Speeds

Less than 1Gbps

Status

Yes, all services on all nodes are running OK

Salt Status

No, there are no failures

Logs

No, there are no additional clues

Detail

Dear Support.

I installed the new 2.4.10 from scratch, loosing all information from the 2.3.160 (or 2.3.260 don't remember well) but it's ok.

My environment is still purely on agents - previously wazuh and now elastic agent.

One thing I notice is that I don't have any alerts, and in the previous version, wthout doing anything I had plenty of them. For example, user creation, web server error codes, web attacks, SSH authentication failures, etc.

I notice that I don't have any playbook active and starting to activate some playbooks, but can't find all the alerts of the previous version and it is tedious to activate one playbook at a time.

is there a way of importing and activating all the active playbooks of the 2.3.x S.O. version?

Regards

Ricardo

Guidelines

• I have read the above statement and can confirm my post is relevant to Security Onion 2.4.

[ricamz]

Adding to my previous post, all my hosts are Linux based and I cretead a new policy for adding nginx integration to some of our servers.

But I notice that all the playbooks are windows related. Are there playbooks related to Linux?

I have the default integrations on two servers (endpointd initial with osquery manager, elastic defend , system and windows integrations) and the elastic-defend, nginx, osquery manager and system integration on another policy with two servers assigned.

Regards

Ricardo

[ricamz]

Hi. Again another update.

With the help of: https://docs.securityonion.net/en/2.4/playbook.html I have included other rulesets like this:

But nothing has happened. So I issued a sudo so-playbook-reset and now I don't have any playbook.

But on playbook.log I have the following error:

App 115 output: I, [2023-09-11T11:48:28.855365 #115] INFO -- : Current user: anonymous
App 115 output: I, [2023-09-11T11:48:28.863073 #115] INFO -- : Filter chain halted as :find_optional_project rendered or redirected
App 115 output: I, [2023-09-11T11:48:28.863300 #115] INFO -- : Completed 401 Unauthorized in 13ms (ActiveRecord: 4.4ms)

When trying to:

App 115 output: I, [2023-09-11T11:48:28.846207 #115] INFO -- : Started POST "/playbook/issues.json" for 172.17.1.1 at 2023-09-11 11:48:28 +0000

Really don't know what to do.

Regards

RS

[ricamz]

Don't know if this log (playbook.log) is important:

App 114 output: I, [2023-09-11T14:26:57.449593 #114] INFO -- : Started POST "/playbook/issues.json" for 172.17.1.1 at 2023-09-11 14:26:57 +0000
App 114 output: I, [2023-09-11T14:26:57.453021 #114] INFO -- : Processing by IssuesController#create as JSON
App 114 output: I, [2023-09-11T14:26:57.453604 #114] INFO -- : Parameters: {"issue"=>{"subject"=>"Suspicious IIS Module Registration", "project_id"=>1, "status_id"=>"2", "tracker"=>"Play", "custom_fields"=>[{"id"=>1, "name"=>"Title", "value"=>"Suspicious IIS Module Registration"}, {"id"=>13, "name"=>"Playbook", "value"=>"community"}, {"id"=>6, "name"=>"ElastAlert Config", "value"=>"{{collapse(View ElastAlert Config)\n

<code class="yaml">\n\nany where (((process.command_line : "* /I*" and process.command_line : "gacutil") or (process.command_line : "* system.enterpriseservices.internal.publish*" and process.executable : "\\powershell.exe") or process.command_line : "appcmd.exe add module") and process.parent.executable : "\\w3wp.exe")\n

\n}}"}, {"id"=>10, "name"=>"Level", "value"=>"high"}, {"id"=>20, "name"=>"Product", "value"=>"windows"}, {"id"=>3, "name"=>"Objective", "value"=>"Detects a suspicious IIS module registration as described in Microsoft threat report on IIS backdoors"}, {"id"=>2, "name"=>"Author", "value"=>"Florian Roth (Nextron Systems), Microsoft (idea)"}, {"id"=>8, "name"=>"References", "value"=>"https://www.microsoft.com/security/blog/2022/07/26/malicious-iis-extensions-quietly-open-persistent-backdoors-into-servers/"}, {"id"=>5, "name"=>"Analysis", "value"=>"False Positives\nAdministrative activity"}, {"id"=>11, "name"=>"PlayID", "value"=>"9c526e493"}, {"id"=>15, "name"=>"Tags", "value"=>["T1505"]}, {"id"=>12, "name"=>"Rule ID", "value"=>"043c4b8b-3a54-4780-9682-081cb6b8185c"}, {"id"=>9, "name"=>"Sigma", "value"=>"{{collapse(View Sigma)\n

<code class="yaml">\n\ntitle: Suspicious IIS Module Registration\nid: 043c4b8b-3a54-4780-9682-081cb6b8185c\nstatus: test\ndescription: Detects a suspicious IIS module registration as described in Microsoft\n  threat report on IIS backdoors\nreferences:\n- https://www.microsoft.com/security/blog/2022/07/26/malicious-iis-extensions-quietly-open-persistent-backdoors-into-servers/\nauthor: Florian Roth (Nextron Systems), Microsoft (idea)\ndate: 2022/08/04\nmodified: 2023/01/23\ntags:\n- attack.persistence\n- attack.t1505.004\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection_parent:\n    ParentImage|endswith: \w3wp.exe\n  selection_cli_1:\n    CommandLine|contains: appcmd.exe add module\n  selection_cli_2:\n    CommandLine|contains: ' system.enterpriseservices.internal.publish'\n    Image|endswith: \powershell.exe\n  selection_cli_3:\n    CommandLine|contains|all:\n    - gacutil\n    - ' /I'\n  condition: selection_parent and 1 of selection_cli_*\nfalsepositives:\n- Administrative activity\nlevel: high\n\n

\n}}"}, {"id"=>18, "name"=>"Ruleset", "value"=>"windows"}, {"id"=>19, "name"=>"Group", "value"=>"process_creation"}, {"id"=>26, "name"=>"License", "value"=>"DRL-1.0"}, {"id"=>28, "name"=>"Sigma URL", "value"=>"https://github.com/Security-Onion-Solutions/sigma/tree/master/rules/windows/process_creation/proc_creation_win_iis_susp_module_registration.yml"}, {"id"=>27, "name"=>"Sigma File", "value"=>"/SOCtopus/sigma/rules/windows/process_creation/proc_creation_win_iis_susp_module_registration.yml"}]}}
App 114 output: I, [2023-09-11T14:26:57.459314 #114] INFO -- : Current user: anonymous
App 114 output: I, [2023-09-11T14:26:57.465233 #114] INFO -- : Filter chain halted as :find_optional_project rendered or redirected
App 114 output: I, [2023-09-11T14:26:57.465475 #114] INFO -- : Completed 401 Unauthorized in 12ms (ActiveRecord: 3.3ms)

But here it is.

Regards

Ricardo

[Acewiza]

Last time I wasn't seeing alerts it was because the monitor interface ethernet jack was not plugged all the way in.

[ricamz]

Thanks @Acewiza but it is a virtual machine.

And this is alerts related to HIDS (Elastic Agent) not network.

Also I receive the events from Elastic Agent, but no alerts are generated.

[Acewiza]

Yeah, I probably shoulda read the writeup more carefully. I get lost in the gobbldygook sometimes. ;-(

[kgoode517]

I have noticed the same behavior with alerts and this was one of the key reasons I switched back down to 2.3. Did adding playbooks ever add alerting for you?

[ricamz]

Hi @kgoode517 .

To be honest I haven't added any playbooks because I tried to install the linux ones and never came because of the error above.

I also switched back to 2.3 with the wazuh agents. If I don't know the solution for this, maybe I try the wazuh server, in order to have upgrades going.

RS

[defensivedepth]

@kgoode517 Have you created a Discussion for what you are seeing?

[kgoode517]

Hi Josh no I did not create a discussion for this particular issue as I had several other issues when using 2.4.10 and thus I had gone back to using the latest 2.3. For one it appears the tools links are in an experimential state the option to edit it in the SOC console is hidden under the advanced tab and it does not work as it does in 2.3. If i attempt to use the same syntax for the tools.json it errors out. I also had issue with editing and allowing firewall rules and then having to manually edit the iptables afterwards. As we previously discussed I would likely run into issues with running beats and logs not being parsed correctly and I have decided to use the old wazuh agents for now for my arm/arm64 clients that need them. Although it seems nice to be able add multiple rule sets such as Snort rules without alerts it is difficult to tell if this is actually working or not. When using elastic agent on arm64 clients it appeared to just stay in unhealthy states after having to hand roll a configuration. Lastely creating a 2.4 instance did not resolve my issue of pfsense logs not being properly ingested and reflected in my dashboard/hunt interfaces. Doug is kindly assisting me with troubleshooting this in 11335

[defensivedepth]

@ricamz Is there a specific Play that you are expecting an alert for? If you post the Title or GUID, we can troubleshoot more effectively.

I am also looking into the other issue you are seeing about rulesets.

[ricamz]

Hi @defensivedepth .

I am used to what happened in 2.3.260 when the alerts from Wazuh appeared automatically in the Alerts tab in Security Onion interface. When I installed the Elastic Agent no alert came, although there were several events.

For example: I receive alerts of "Web server 400 error code" which are useful to inform the developers that something is wrong with their application (there are errors normally related with http status 401).

But with the elastic agent no alert were being generated. But I saw the events (log lines of 400 errors) on hunt.

I don't know if this is the intended behaviour: No event from Elastic Agent will generate an alert and only those which are selected by the playbooks will generate an alert.

But because of the playbook errors I couldn't use it. So I reverted back to the 2.3.260 version.

Regards

RS

[ricamz]

I had the following rules generating alerts (rule.uuid):

31101
31301
31120
5501
5502
5715
31151
1002
31122
5104
5402
1007
591
516
533
19007
550
19008
554
510

for example.

RS

[TOoSmOotH]

Are those the play IDs or the Wazuh rule uuids?

[ricamz]

Wazuh rule uuid.

I never configured the play rules and I got alerts.

[TOoSmOotH]

That is because Wazuh has built in rules in which we send as alerts in 2.3. Elastic agent does not have any rules built in so plays will need to be created for specific things you want to be alerted on.

[ricamz]

Does that means that all the rules that Wazuh alerted on, have to be created manually in plays?

I thought that there were a group of pre-built plays for linux, web server, etc.

I tried to enable those, but it gave me the errors indicated above.

RS

[8bitjoe]

The alerting system for elastic agent is based on playbooks entirely, however there doesn't seem to be much documentation for it at the moment. i asked a very similar question before in this case #10556

[ricamz]

Any developments on these issues ?

[defensivedepth]

@ricamz @8bitjoe @kgoode517 We are working on some detailed examples of how to do this. We will get them posted once we are past our conference (Security Onion Con this week, hope to see you there!)

[ricamz]

Thank you. Unfortunately I live a little bit far .. in the southern african continent. So will wait. Have a great conference.

[ricamz]

Hi @defensivedepth. Is the documentation available on how to import the playbook linux rules?

[ricamz]

Hi @defensivedepth . Do you already have the detailed examples on how to create playbooks for elastic agents rules?