wazuh-ruleset

New decoders and rules macOS

Open Zenidd opened this issue 5 years ago • 2 comments

In this PR new decoders and rules are added, generating alerts when an SSH connection or disconnection is made from a macOS device. Issue: https://github.com/wazuh/wazuh-ruleset/issues/348

  • Closing an SSH session:

    • Log:

```
Apr 11 01:56:43 macos sshd: vagrant [priv][9271]: USER_PROCESS: 9274 ttys001
```

    • ossec-logtest output:

```
**Phase 1: Completed pre-decoding.
       full event: 'Apr 11 01:56:43 macos sshd: vagrant [priv][9271]: USER_PROCESS: 9274 ttys001'
       timestamp: 'Apr 11 01:56:43'
       hostname: 'macos'
       program_name: 'sshd'
       log: 'vagrant [priv][9271]: USER_PROCESS: 9274 ttys001'

**Phase 2: Completed decoding.
       decoder: 'sshd'

**Phase 3: Completed filtering (rules).
       Rule id: '5760'
       Level: '3'
       Description: 'sshd: Authentication success. SSH process running.'
**Alert to be generated.
```


  • Opening an SSH session:

    • Log:

```
Apr 11 02:00:15 macos sshd: vagrant [priv][9271]: DEAD_PROCESS: 9274 ttys001
Apr 11 02:00:15 macos com.apple.xpc.launchd[1] (com.openssh.sshd.2D107600-FD32-441E-B1E1-534F48A5EFCE[9271]): Service exited with abnormal code: 255
```

    • ossec-logtest output:

```
**Phase 1: Completed pre-decoding.
       full event: 'Apr 11 02:00:15 macos sshd: vagrant [priv][9271]: DEAD_PROCESS: 9274 ttys001'
       timestamp: 'Apr 11 02:00:15'
       hostname: 'macos'
       program_name: 'sshd'
       log: 'vagrant [priv][9271]: DEAD_PROCESS: 9274 ttys001'

**Phase 2: Completed decoding.
       decoder: 'sshd'

**Phase 3: Completed filtering (rules).
       Rule id: '5761'
       Level: '3'
       Description: 'sshd: SSH Connection Closed. Process stopped. '
**Alert to be generated.
```

```
**Phase 1: Completed pre-decoding.
       full event: 'Apr 11 02:00:15 macos com.apple.xpc.launchd[1] (com.openssh.sshd.2D107600-FD32-441E-B1E1-534F48A5EFCE[9271]): Service exited with abnormal code: 255'
       timestamp: 'Apr 11 02:00:15'
       hostname: 'macos'
       program_name: 'com.apple.xpc.launchd'
       log: '(com.openssh.sshd.2D107600-FD32-441E-B1E1-534F48A5EFCE[9271]): Service exited with abnormal code: 255'

**Phase 2: Completed decoding.
       decoder: 'sshd-mac'

**Phase 3: Completed filtering (rules).
       Rule id: '5762'
       Level: '3'
       Description: 'SSH service exited(Maybe too many authentication failures)'
**Alert to be generated.
```


The log line `Apr 11 01:56:43 macos ant [priv][9274]: no path for address 0x11243f000` has been excluded from this PR while we decide whether it is relevant.

Zenidd, Apr 12 '19 13:04

  • The new commit on this PR adds some rules for authentication events on macOS that look like this:

```
Apr 11 02:00:15 localhost com.apple.AccountPolicyHelper[245]: (88.21.2) AuthenticationAllowed completed: record "root", result: Success (0).
```

  • The event produces the following output:

```
**Phase 1: Completed pre-decoding.
       full event: 'Apr 11 02:00:15 localhost com.apple.AccountPolicyHelper[245]: (88.21.2) AuthenticationAllowed completed: record "root", result: Success (0).'
       timestamp: 'Apr 11 02:00:15'
       hostname: 'localhost'
       program_name: 'com.apple.AccountPolicyHelper'
       log: '(88.21.2) AuthenticationAllowed completed: record "root", result: Success (0).'

**Phase 2: Completed decoding.
       decoder: 'su-mac'

**Phase 3: Completed filtering (rules).
       Rule id: '5307'
       Level: '3'
       Description: 'Authentication Attempt on user: '
**Alert to be generated.
```

Zenidd, May 14 '19 15:05

  • Now the rule is able to output which user was the target of the login attempt:

Event log:

```
Apr 11 02:00:15 localhost com.apple.AccountPolicyHelper[245]: (88.21.2) AuthenticationAllowed completed: record "root", result: Success (0).
```

```
**Phase 1: Completed pre-decoding.
       full event: 'Apr 11 02:00:15 localhost com.apple.AccountPolicyHelper[245]: (88.21.2) AuthenticationAllowed completed: record "root", result: Success (0).'
       timestamp: 'Apr 11 02:00:15'
       hostname: 'localhost'
       program_name: 'com.apple.AccountPolicyHelper'
       log: '(88.21.2) AuthenticationAllowed completed: record "root", result: Success (0).'

**Phase 2: Completed decoding.
       decoder: 'su-mac'
       dstuser: 'root'

**Phase 3: Completed filtering (rules).
       Rule id: '5307'
       Level: '3'
       Description: 'Authentication Attempt on user: root '
**Alert to be generated.
```

The event log line has been added to the file 0315-su_decoders.xml, above the decoder, for future testing:
https://github.com/wazuh/wazuh-ruleset/blob/27ceeedc678ad87a689d9ebeb7cc05863c57f67a/decoders/0315-su_decoders.xml#L73

Zenidd, May 15 '19 10:05
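As an added example (not code from this PR or from the wazuh-ruleset decoders), the following Python re-implements what the logtest output in this thread shows the decoders doing: pre-decode the syslog header into timestamp, hostname, program_name and log, then pull srcuser and tty from the sshd lines, the exit code from the launchd line, and dstuser plus result from the AccountPolicyHelper line. Event labels follow the rule descriptions shown (USER_PROCESS as SSH process running, DEAD_PROCESS as connection closed); the field names, the `event` label and the failed-authentication sample line are assumptions.

```python
import re
from typing import Optional

# Phase 1 (pre-decoding): the four fields ossec-logtest prints. The PID is
# optional ("sshd:" has none) and so is the colon (launchd's line has none).
SYSLOG = re.compile(r"^(?P<timestamp>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) (?P<hostname>\S+) "
                    r"(?P<program_name>[^\s:\[]+)(?:\[\d+\])?:? (?P<log>.*)$")

# Phase 2 (field extraction): one pattern per program, as a child decoder would have.
SSHD_SESSION = re.compile(r"^(?P<user>\S+) \[priv\]\[\d+\]: (?P<state>USER_PROCESS|DEAD_PROCESS): \d+ (?P<tty>\S+)$")
LAUNCHD_EXIT = re.compile(r"\(com\.openssh\.sshd\.[^)]*\): Service exited with abnormal code: (?P<code>\d+)$")
ACCOUNT_POLICY = re.compile(r'AuthenticationAllowed completed: record "(?P<dstuser>[^"]+)", result: (?P<result>\w+)')

# Labels follow the rule descriptions in the logtest output above:
# USER_PROCESS = SSH process running, DEAD_PROCESS = connection closed.
EVENT_BY_STATE = {"USER_PROCESS": "ssh_session_open", "DEAD_PROCESS": "ssh_session_closed"}

def decode(line: str) -> Optional[dict]:
    """Return decoded fields plus an 'event' label, or None when no decoder applies."""
    m = SYSLOG.match(line)
    if not m:
        return None
    ev = m.groupdict()
    prog, log = ev["program_name"], ev["log"]
    if prog == "sshd" and (s := SSHD_SESSION.match(log)):
        ev.update(srcuser=s["user"], tty=s["tty"], event=EVENT_BY_STATE[s["state"]])
    elif prog == "com.apple.xpc.launchd" and (s := LAUNCHD_EXIT.search(log)):
        ev.update(exit_code=int(s["code"]), event="ssh_service_exited")
    elif prog == "com.apple.AccountPolicyHelper" and (s := ACCOUNT_POLICY.search(log)):
        ev.update(dstuser=s["dstuser"], result=s["result"], event="auth_attempt")
    else:
        return None  # pre-decoded, but no field decoder matched: no alert
    return ev

# Sample input: the four lines quoted in this PR, plus one constructed failure case
# (the exact wording of a failed AccountPolicyHelper result is an assumption).
SAMPLE_LINES = [
    "Apr 11 01:56:43 macos sshd: vagrant [priv][9271]: USER_PROCESS: 9274 ttys001",
    "Apr 11 02:00:15 macos sshd: vagrant [priv][9271]: DEAD_PROCESS: 9274 ttys001",
    "Apr 11 02:00:15 macos com.apple.xpc.launchd[1] (com.openssh.sshd.2D107600-FD32-441E-B1E1-534F48A5EFCE[9271]): Service exited with abnormal code: 255",
    'Apr 11 02:00:15 localhost com.apple.AccountPolicyHelper[245]: (88.21.2) AuthenticationAllowed completed: record "root", result: Success (0).',
    'Apr 11 02:03:40 localhost com.apple.AccountPolicyHelper[245]: (88.21.2) AuthenticationAllowed completed: record "admin", result: Failure (-1).',
]

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(decode(line))
```

The excluded `ant [priv][9274]: no path for address ...` line pre-decodes but matches no field pattern, so `decode` returns None for it, which is the behaviour you want while that event is still undecided.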