Professional Documents
Culture Documents
Deck 1
Emiliano Fontana
May 2021
Introduction
Deck 1, Slide 2
Wazuh
Deck 1, Slide 3
What is Wazuh?
Main Components
● Log Collection
● Log Analysis (customizable set of over 3000 HIDS rules)
● File Integrity Monitoring
● Host-based anomaly detection
● Security compliance scanning for known vulnerabilities
● Real time alerting (e-mail, SMS, Slack, etc)
● Active Response (a HIDS-driven IPS implementation)
Deck 1, Slide 4
What is Wazuh?
Agents available for many diverse platforms
note
For downloading and installing the latest Wazuh and related
packages: https://wazuh.com/start/
Deck 1, Slide 5
Wazuh Architecture
https://documentation.wazuh.com
Deck 1, Slide 6
Wazuh Architecture
Deck 1, Slide 7
Main Components
https://documentation.wazuh.com
Deck 1, Slide 8
Wazuh Processes
Deck 1, Slide 9
Network Communication
Deck 1, Slide 11
Flood protection
https://documentation.wazuh.com
Deck 1, Slide 12
Leaky bucket buffer flooding scenario with alerts and final recovery
Deck 1, Slide 13
Lab Exercise 1a
Wazuh Server Configuration
Deck 1, Slide 14
Lab Exercise 1a
Wazuh Server Configuration
Lab Objective
Do some basic configuration of the Wazuh Manager and
authenticate with and query the Wazuh API for the first time.
Deck 1, Slide 15
Lab Exercise 1b
Wazuh Web UI
Deck 1, Slide 16
Lab Exercise 1b
Wazuh Web UI
Lab Objective
Briefly explore the Wazuh Web UI and the Kibana environment
where it is housed.
Deck 1, Slide 17
Agent registration
Deck 1, Slide 18
Authd registration service
Deck 1, Slide 19
Agents initiating registration
Deck 1, Slide 20
Lab Exercise 1c
Auto enrollment
Deck 1, Slide 21
Lab Exercise 1c
Auto enrollment
Lab Objective
Register your linux-agent with your Wazuh manager using auto
enrollment.
Deck 1, Slide 22
Lab Exercise 1d
Deployment variables
Deck 1, Slide 23
Lab Exercise 1d
Deployment variables
Lab Objective
Install and register your windows-agent with deployment variables.
Deck 1, Slide 24
Lab Exercise 1e
agent-auth tool
Deck 1, Slide 25
Lab Exercise 1e
agent-auth tool
Lab Objective
Register your elastic-agent with the agent-auth tool.
https://documentation.wazuh.com
Deck 1, Slide 26
Remotely upgrading
Wazuh agents
https://documentation.wazuh.com
Deck 1, Slide 27
Ways to remotely upgrade Wazuh agents
Instead of manually upgrading Wazuh directly on agent systems, or using
yum/apt repositories which bring the risk of agents being prematurely
upgraded to a newer version than what is on your managers, you can
push Wazuh agent upgrades out from your Wazuh managers to
connected agents, even to remote ones.
● Wazuh API
○ automatically routes upgrade tasks to the right managers
○ up to 100 agents queued up at a time (must be connected)
● agent_upgrade (legacy)
○ a CLI tool to upgrade agent(s) in a single-manger setups
○ not for use with Wazuh managed cloud, or manager clusters
● Limitations
○ not manageable in Wazuh web interface (yet)
○ scripting needed for upgrades of hundreds or more agents
○ upgrade tasks not queued up for disconnected agents
Deck 1, Slide 28
Lab Exercise 1f
Agent remote upgrade
Deck 1, Slide 29
Lab Exercise 1f
Agent remote upgrade
Deck 1, Slide 30
General configuration
https://documentation.wazuh.com
Deck 1, Slide 31
ossec.conf
Deck 1, Slide 32
internal_options.conf
● Location:
○ internal_options.conf
■ shows all options, but is overwritten by Wazuh upgrades
○ local_internal_options.conf
■ copy items from internal_options.conf here to customize
● internal options are for
○ controlling debug level for specific daemons
○ enabling/disabling grouping of email alerts
○ enabling/disabling full subject line in email alerts
○ enabling/disabling remote commands
○ various other obscure settings generally best left alone
● Handle with care!
Deck 1, Slide 33
Agent configuration
https://documentation.wazuh.com
Deck 1, Slide 34
agent.conf
● Location
○ /var/ossec/etc/shared/*GROUP*/agent.conf
○ Multiple possible *GROUP* locations, each servicing a
different group of agents. Agents can be in multiple groups
○ Controlled by agent_groups command on the manager.
Default group is called default
● Agents pull it from the Wazuh manager, quickly fetching new
versions and automatically restarting to apply them.
● agent.conf should never be edited on the agent side as
changes will quickly be overwritten with the manager’s version.
● Specific agent config sections are possible on a per-OS, per-
profile, and per-agent basis, allowing great flexibility.
● Editable from the Web Interface
Deck 1, Slide 35
Agent groups and profiles
● agent groups
● configuration profiles
Deck 1, Slide 36
Agent configuration profiles
In an agent's ossec.conf, the <config-profile> line can include
multiple profiles separated by a comma and space.
Deck 1, Slide 37
agents.conf large example
agent.conf (on manager)
<agent_config>
...
</agent_config>
<agent_config os="Linux">
...
</agent_config>
<agent_config os="Windows">
...
</agent_config>
<agent_config profile="rhel7">
...
</agent_config>
<agent_config profile="ubuntu18.04">
...
</agent_config>
<agent_config name="alpha">
...
</agent_config>
Deck 1, Slide 38
Lab Exercise 1g
Centralized agent configuration
Deck 1, Slide 39
Lab Exercise 1g
Centralized agent configuration
Deck 1, Slide 40
Mass deployment
Deck 1, Slide 41
Log Analysis
https://documentation.wazuh.com
Deck 1, Slide 42
Log Analysis with Wazuh
Deck 1, Slide 43
Log Flow (agent/server)
Deck 1, Slide 44
Stages of Log Analysis
● Log collection on agents as defined in <localfile> sections
○ These define a <log_format> that informs pre-decoding.
○ For json logs, these also can define one or more additional
fields to mark the json logs to clearly indicate the log type
or source, to inform rule-based analysis.
● Pre-decoding
○ extracts basic fields based on <log_format> value of
source, like program_name from from the syslog header
● Decoding
○ extracts program-specific fields like srcip or username
● Rule-based analysis of decoded log
○ One more more instances and types of matching criteria
can be against individual log fields or the whole log.
○ Matching of field values against CDB lists also supported.
Deck 1, Slide 45
Example <localfile> sections
<localfile>
<log_format>syslog</log_format>
<location>/var/log/messages</location>
</localfile>
<localfile>
<log_format>eventchannel</log_format>
<location>Application</location>
</localfile>
<localfile>
<log_format>json</log_format>
<location>/var/log/suricata/eve-*.json</location>
<label key="@source">suricata</label>
</localfile>
Deck 1, Slide 46
Various log samples
[Sun Mar 06 08:52:16 2016] [error] [client 187.172.181.57] Invalid URI in request
GET: index.php HTTP/1.0
Deck 1, Slide 47
Example 1/2
Log
Dec 5 00:08:49 manager6 sshd[25467]: Failed password for root from
113.195.145.13 port 19044 ssh2
Pre-decoding
● hostname: manager6
● program_name: sshd
● log: Failed password for root from 113.195.145.13 port 19044 ssh2
Deck 1, Slide 48
Example 2/2
Log
Dec 5 00:08:49 manager6 sshd[25467]: Failed password for root from
113.195.145.13 port 19044 ssh2
Decoding
● decoder: sshd
● dstuser: root
● srcip: 113.195.145.13
● srcport: 19044
Deck 1, Slide 49
Logging alerts to alerts.json
When <jsonout_output> is enabled in the manager's ossec.conf,
alerts are recorded as JSON records in alerts.json. These are
normally shipped by Filebeat to Elasticsearch or by Splunk
Universal Forwarder to Splunk.
/var/ossec/logs/alerts/alerts.json
{"timestamp":"2020-12-07T21:44:37.313+0000","rule":{"level":5,"description":"sshd: Reverse lookup error (bad ISP
or attack).","id":"5702","firedtimes":58,"mail":false,"groups":["syslog","sshd"],"pci_dss":["11.4"],"gpg13":
["4.12"],"gdpr":["IV_35.7.d"],"nist_800_53":["SI.4"],"tsc":["CC6.1","CC6.8","CC7.2","CC7.3"]},"agent":
{"id":"000","name":"manager1"},"manager":{"name":"manager1"},"id":"1607377477.3731351","cluster":
{"name":"wazuh","node":"master"},"full_log":"Dec 7 21:44:37 ip-10-0-1-1 sshd[22566]: reverse mapping checking
getaddrinfo for 190.202.147.253.estatic.cantv.net [190.202.147.253] failed - POSSIBLE BREAK-IN
ATTEMPT!","predecoder":{"program_name":"sshd","timestamp":"Dec 7 21:44:37","hostname":"ip-10-0-1-
1"},"decoder":{"parent":"sshd","name":"sshd"},"data":{"srcip":"190.202.147.253"},"location":"/var/log/secure"}
Deck 1, Slide 50
Expanded alerts.json record
{
"timestamp": "2020-12-07T21:44:37.313+0000",
"rule": {
"level": 5, ...
"description": "sshd: Reverse lookup error (bad ISP or attack).", "predecoder": {
"id": "5702", "program_name": "sshd",
"firedtimes": 58, "timestamp": "Dec 7 21:44:37",
"mail": false, "hostname": "ip-10-0-1-1"
"groups": [ },
"syslog", "decoder": {
"sshd" "parent": "sshd",
], "name": "sshd"
"pci_dss": [ },
"11.4" "data": {
], "srcip": "190.202.147.253"
"gpg13": [ },
"4.12" "location": "/var/log/secure"
], }
"gdpr": [
"IV_35.7.d"
],
"nist_800_53": [
"SI.4"
],
"tsc": [
"CC6.1",
"CC6.8",
"CC7.2",
"CC7.3"
]
},
"agent": {
"id": "000",
"name": "manager1"
},
"manager": {
"name": "manager1"
},
"id": "1607377477.3731351",
"cluster": {
"name": "wazuh",
"node": "master"
},
"full_log": "Dec 7 21:44:37 ip-10-0-1-1 sshd[22566]: reverse mapping checking getaddrinfo for 190.202.147.253.estatic.cantv.net [190.202.147.253] failed - POSSIBLE
BREAK-IN ATTEMPT!",
...
Deck 1, Slide 51
Logging alerts to archives.json
Alternatively, when <logall_json> is enabled, all events are logged
to archives.json whether or not they match a rule. Such logging
may take up a great deal of space but at times is needed in order
to discover classes of events that should be tripping rules but are
not doing so. Consider at times routing archives.json temporarily
to a separate index pattern from wazuh-alerts-*, like to wazuh-
archives-*, since you presumably will not want to retain the non-
alert events as long.
/var/ossec/logs/archives/archives.json
{"timestamp":"2017-12-05T02:51:36+0000","rule":{},"agent":{"id":"000",
"name":"manager6"},"manager":{"name":"manager6"},"id":"1512442296.
149532","full_log":"Dec 5 02:51:35 manager6 sshd[382]: Disconnected
from 113.195.145.13 port 48727 [preauth]","predecoder":{"program_name":
"sshd","hostname":"manager6"},"decoder":{"name":"sshd"},
"location":"/var/log/secure"}
Deck 1, Slide 52
JSON Logging Issues
Issues to consider with the alerts.json and archives.json
Deck 1, Slide 53
Log Analysis and Regulatory Compliance
Deck 1, Slide 54
Why analyze logs?
Log analysis is a requirement for:
Deck 1, Slide 55
Compliance mapping in Wazuh rules
Deck 1, Slide 56
Lab Exercise Set 2
Deck 1, Slide 57
Lab Exercise Set 2
2a
Generate a brute-force attack -- Repeatedly attempt to use a
wrong password with an agent. Monitor the alerts.log, watching for
the generation of the brute-force alert.
Deck 1, Slide 58
Lab Exercise Set 2
2a
Generate a brute-force attack -- Repeatedly attempt to use a
wrong password with an agent. Monitor the alerts.log, watching for
the generation of the brute-force alert.
2b
Log Analysis: Analyze the log entries resulting from the previous
exercise. What is shown and what does it mean? How can you
distinguish an attack from a harmless log event?
Deck 1, Slide 59
Lab Exercise Set 2
2a
Generate a brute-force attack -- Repeatedly attempt to use a
wrong password with an agent. Monitor the alerts.log, watching for
the generation of the brute-force alert.
2b
Log Analysis: Analyze the log entries resulting from the previous
exercise. What is shown and what does it mean? How can you
distinguish an attack from a harmless log event?
2c
Looking up and tracing Wazuh rules for better understanding of
alerts
Deck 1, Slide 60
Elastic Stack
Deck 1, Slide 61
Elasticsearch
https://www.elastic.co/products/elasticsearch
Deck 1, Slide 62
Kibana
https://www.elastic.co/products/kibana
Deck 1, Slide 63
Beats family (including Filebeat)
https://www.elastic.co/products/beats
Deck 1, Slide 64
Elastic Stack Integration
Deck 1, Slide 65
Elastic Stack Show and Tell
Deck 1, Slide 66