No alerts generated

[netsecninja]

I just reinstalled 2.3.2 from the ISO last night, and there has been no HID or NID alerts generated since then in the hunt interface. I only did minimal tuning today for some malfunctioning Talos rules that had fired a ton of FPs (see post here), but even ossec on the SO host isn't showing any activity, which there's usually something!

Kibana is showing syslog incoming, so there's data there. And there's tons of PCAPs in /nsm/pcap. Running so-status shows all services OK. I have no idea where to even start to troubleshoot this. Ideas?

Additional details:

• ISO, standalone install
• salt-call state.highstate reports no failed or errors

[weslambert]

I'd ensure Wazuh and Suricata logs don't show errors. Also, does Kibana show any of this data? Are you able to perform a manual search of event.dataset:alert and get results back?

…

On Thu, Oct 29, 2020 at 5:35 PM netsecninja ***@***.***> wrote: I just reinstalled 2.3.2 from the ISO last night, and there has been no HID or NID alerts generated since then in the hunt interface. I only did minimal tuning today for some malfunctioning Talos rules that had fired a ton of FPs (see post here <#1727>), but even ossec on the SO host isn't showing any activity, which there's usually something! Kibana is showing syslog incoming, so there's data there. And there's tons of PCAPs in /nsm/pcap. Running so-status shows all services OK. I have no idea where to even start to troubleshoot this. Ideas? — You are receiving this because you are subscribed to this thread. Reply to this email directly, view it on GitHub <#1742>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/AEAM3KFR23Y67SMNX7TQRNTSNHN3HANCNFSM4TEIV4FA> .

-- https://twitter.com/therealwlambert https://securityonion.net/

[netsecninja]

Thanks Wes. Here's what I found.

In /opt/so/log/suricata/suricata.log, there were some errors, I copied one of each of the different types I noticed. Perhaps this is a Suricata issue parsing Snort sigs? I am using the Talos ruleset.
<Error> - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Flashpack/Safe/CritX exploit kit executable download"; flow:to_client,established; file_data; content:"filename="; http_header; content:".exe"; within:4; distance:24; pcre:"/filename\=[a-z0-9]{24}\.exe/H"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:url,www.malwaresigs.com/2013/06/06/flashpack-exploit-kit-safepack/; classtype:trojan-activity; sid:26891; rev:3;)" from file /etc/suricata/rules/all.rules at line 6049

<Error> - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - previous keyword has a fast_pattern:only; set. Can't have relative keywords around a fast_pattern only content

<Error> - [ERRCODE: SC_ERR_UNKNOWN_PROTOCOL(124)] - protocol "(" cannot be used in a signature. Either detection for this protocol is not yet supported OR detection has been disabled for protocol through the yaml option app-layer.protocols.(.detection-enabled

At the end, this appears to show there are rules in use and it's running:

29/10/2020 -- 14:02:36 - <Info> - 1 rule files processed. 9762 rules successfully loaded, 461 rules failed
29/10/2020 -- 14:02:36 - <Info> - Threshold config parsed: 0 rule(s) found
29/10/2020 -- 14:02:36 - <Info> - 9766 signatures processed. 0 are IP-only rules, 1527 are inspecting packet payload, 2195 inspect application layer, 0 are decoder event only
29/10/2020 -- 14:02:36 - <Warning> - [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'file.zip&file.silverlight' is checked but not set. Checked in 28582 and 3 other sigs
29/10/2020 -- 14:02:36 - <Warning> - [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'file.swf|file.ole' is checked but not set. Checked in 25676 and 1 other sigs
29/10/2020 -- 14:02:36 - <Warning> - [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'file.class|file.jar' is checked but not set. Checked in 31540 and 1 other sigs
29/10/2020 -- 14:02:36 - <Warning> - [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'file.tiff|file.doc' is checked but not set. Checked in 28464 and 1 other sigs
29/10/2020 -- 14:02:36 - <Warning> - [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'file.rtf|file.ole' is checked but not set. Checked in 37559 and 1 other sigs
29/10/2020 -- 14:02:36 - <Warning> - [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'file.doc|file.docx' is checked but not set. Checked in 45370 and 1 other sigs
29/10/2020 -- 14:02:36 - <Warning> - [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'file.ole|file.doc' is checked but not set. Checked in 30533 and 3 other sigs
29/10/2020 -- 14:02:36 - <Warning> - [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'file.corel|file.doc' is checked but not set. Checked in 36501 and 0 other sigs
29/10/2020 -- 14:02:36 - <Warning> - [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'file.pdf&file.ttf' is checked but not set. Checked in 28585 and 1 other sigs
29/10/2020 -- 14:02:36 - <Warning> - [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'file.doc|file.rtf' is checked but not set. Checked in 45519 and 2 other sigs
29/10/2020 -- 14:02:36 - <Warning> - [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'file.xls&file.ole' is checked but not set. Checked in 30990 and 1 other sigs
29/10/2020 -- 14:02:36 - <Warning> - [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'file.doc|file.docm' is checked but not set. Checked in 43975 and 1 other sigs
29/10/2020 -- 14:02:37 - <Warning> - [ERRCODE: SC_ERR_AFP_CREATE(190)] - Inefficient setup: ring-size < max_pending_packets. Resetting to decent value 5001.
29/10/2020 -- 14:02:37 - <Info> - Going to use 1 thread(s)
29/10/2020 -- 14:02:37 - <Info> - Running in live mode, activating unix socket
29/10/2020 -- 14:02:37 - <Info> - Using unix socket file '/var/run/suricata/suricata-command.socket'
29/10/2020 -- 14:02:37 - <Notice> - all 1 packet processing threads, 4 management threads initialized, engine started.
29/10/2020 -- 14:02:37 - <Info> - All AFP capture threads are running.

In /nsm/wazuh/logs/ossec.log, there are these two errors:

2020/10/29 21:08:02 ossec-analysisd: ERROR: (1202): Configuration error at 'etc/rules/local_rules.xml'.
2020/10/29 21:08:02 ossec-analysisd: CRITICAL: (1220): Error loading the rules: 'etc/rules/local_rules.xml'.

However when I look at the /nsm/wazuh/etc/rules/local_rules.xml file, there's nothing in it:

<!-- Local rules -->

<!-- Modify it at your will. -->
<!-- Copyright (C) 2015-2020, Wazuh Inc. -->

I did a search for event.dataset:alert in the last 18 hours, nothing listed.

[netsecninja]

Just an update after spending hours messing with things. I found Wazuh rules stopped working after I cleared out the example rule in /nsm/wazuh/etc/rules/local_rules.xml. It appears the missing tag was required to remain otherwise Wazuh goes nuts. I found a sample of the original example rule and replaced it, and after restarting Wazuh it began producing alerts.

Thinking that one minor change is what caused that issue, I turned my attention to Suricata. The only change I made was to use the Talos ruleset, which I did during the install. So I changed the config in securityonion_standalone.sts to:

idstools:
  config:
    ruleset: 'ETOPEN'

Ran sudo salt securityonion_standalone state.apply idstools, so-rule-update, then so-suricata-restart. Now alerts are firing.

In the end, I am still confused why Talos ruleset stops alerting from happening at all. Given the log output above, there were functioning rules available and the process was running.

My experiences so far show that minor changes brings SO to it's knees. I'm not doing anything advanced or undocumented. I appreciate all the work the team has put in to the product, it's a welcome upgrade and I know it will just get better from here on. If you would please add some resiliency in the application, that would be appreciated.