wazuh-ruleset
Improve Owncloud rules and decoders
Hello team,
I have noted Owncloud rules and decoders have some issues. I'll list them below:
- Some log examples have strange characters.
- The following decoder isn't necessary:
https://github.com/wazuh/wazuh-ruleset/blob/de407b8c0038b95641029346bf86a7de4049c270/decoders/0435-owncloud_decoders.xml#L44-L46
And the owncloud-loglevel decoder and the rules which depend on it can be modified. They are the following:
https://github.com/wazuh/wazuh-ruleset/blob/de407b8c0038b95641029346bf86a7de4049c270/decoders/0435-owncloud_decoders.xml#L74-L79
https://github.com/wazuh/wazuh-ruleset/blob/de407b8c0038b95641029346bf86a7de4049c270/rules/0500-owncloud_rules.xml#L82-L116
- The following brute force rule can be improved:
https://github.com/wazuh/wazuh-ruleset/blob/de407b8c0038b95641029346bf86a7de4049c270/rules/0500-owncloud_rules.xml#L66-L72
This rule matches if rule 87301 has fired eight times in 120 seconds with the same srcip.
Rule 87301 matches logs like:
Sep 1 20:16:09 foo ownCloud[15463]: {core} Login failed: 'test' (Remote IP: '127.0.0.1')
{"reqId":"55769fcacd1e0","app":"core","message":"Login failed: user 'admin' , wrong password, IP:127.0.0.1","level":2,"time":"2015-06-09T08:11:54+00:00","method":"POST","url":"\/owncloud\/index.php","@source":"ownCloud"}
The first log has a srcip but the second one hasn't. This causes some brute force events to be lost.
Best regards, Eva
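To show the effect described in the issue (failures from the JSON form dropping out of the srcip-keyed frequency count), here is an added Python model that is not part of the wazuh-ruleset repository: two small decoders for the quoted log forms, a simplified frequency rule (8 hits from one srcip within 120 s), and a constructed sample of eight failures alternating between the two formats.

```python
import json
import re
from collections import defaultdict, deque

# Patterns for the two ownCloud failed-login forms quoted in the issue.
SYSLOG_RE = re.compile(r"ownCloud\[\d+\]: \{core\} Login failed: '(?P<user>[^']*)' "
                       r"\(Remote IP: '(?P<srcip>[^']+)'\)")
JSON_MSG_RE = re.compile(r"Login failed: user '(?P<user>[^']*)' , wrong password, "
                         r"IP:(?P<srcip>\S+)")

def decode_syslog(line):
    """Syslog form: srcip is directly in the message."""
    m = SYSLOG_RE.search(line)
    return {"user": m["user"], "srcip": m["srcip"]} if m else None

def decode_json(line):
    """JSON form: srcip only appears inside the 'message' field, so the
    field has to be parsed a second time to recover it."""
    if not line.lstrip().startswith("{"):
        return None
    try:
        msg = json.loads(line).get("message", "")
    except ValueError:
        return None
    m = JSON_MSG_RE.search(msg)
    return {"user": m["user"], "srcip": m["srcip"]} if m else None

def count_bruteforce_alerts(events, decoders, frequency=8, timeframe=120):
    """Simplified model of a frequency rule keyed on srcip (not Wazuh's exact
    engine): alert once `frequency` decoded failures from one srcip fall inside
    `timeframe` seconds. events = [(ts_seconds, line)]. Returns (alerts, undecoded)."""
    window = defaultdict(deque)
    alerts = undecoded = 0
    for ts, line in events:
        fields = None
        for decode in decoders:
            fields = decode(line)
            if fields:
                break
        if fields is None:
            undecoded += 1          # no srcip, so the hit never enters the window
            continue
        q = window[fields["srcip"]]
        q.append(ts)
        while ts - q[0] > timeframe:
            q.popleft()
        if len(q) >= frequency:
            alerts += 1
            q.clear()
    return alerts, undecoded

# Constructed sample: eight failures from 127.0.0.1 within 70 s, alternating formats.
SYSLOG_LINE = ("Sep 1 20:16:09 foo ownCloud[15463]: {core} Login failed: 'test' "
               "(Remote IP: '127.0.0.1')")
JSON_LINE = ('{"reqId":"55769fcacd1e0","app":"core","message":"Login failed: user '
             '\'admin\' , wrong password, IP:127.0.0.1","level":2,"@source":"ownCloud"}')
SAMPLE_EVENTS = [(10 * i, SYSLOG_LINE if i % 2 == 0 else JSON_LINE) for i in range(8)]
```

With only the syslog decoder, half the sample is undecoded and no alert fires; once the JSON form also yields srcip, the same eight events produce the alert.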