
I'm trying to silence some OSSEC rootcheck alerts like these:-

** Alert 1456448991.70239: mail  - ossec,rootcheck,
2016 Feb 26 01:09:51 myhost->rootcheck
Rule: 519 (level 7) -> 'System Audit: Vulnerable web application found.'
System Audit: Web vulnerability - Backdoors / Web based malware found - eval(base64_decode. File: /var/www/somepath/app/code/local/Mlx/Mlx/Model/Observer.php.

** Alert 1456448991.70587: mail  - ossec,rootcheck,
2016 Feb 26 01:09:51 myhost->rootcheck
Rule: 519 (level 7) -> 'System Audit: Vulnerable web application found.'
System Audit: Web vulnerability - Backdoors / Web based malware found - eval(base64_decode. File: /var/www/otherpath/app/code/local/Mlx/Mlx/controllers/ServiceController.php.

I've added a rule to rules/local_rules.xml which ought to stop the alerts by setting level="0":-

<group name="rootcheck">

  <rule id="100200" level="0">
    <if_sid>519</if_sid>
    <match>Web vulnerability - Backdoors / Web based malware found - eval(base64_decode</match>
    <match>app/code/local/Mlx/Mlx</match>
    <description>Ignore Magento extension Mlx license restriction PHP</description>
  </rule>

</group>

Here's the chain of rules it depends on, from rules/ossec_rules.xml:-

<group name="ossec,">

  <rule id="509" level="0">
    <category>ossec</category>
    <decoded_as>rootcheck</decoded_as>
    <description>Rootcheck event.</description>
    <group>rootcheck,</group>
  </rule>

  <rule id="510" level="7">
    <if_sid>509</if_sid>
    <description>Host-based anomaly detection event (rootcheck).</description>
    <group>rootcheck,</group>
    <if_fts />
  </rule>

  <rule id="516" level="3">
    <if_sid>510</if_sid>
    <match>^System Audit</match>
    <description>System Audit event.</description>
    <group>rootcheck,</group>
  </rule>

  <rule id="519" level="7">
    <if_sid>516</if_sid>
    <match>^System Audit: Web vulnerability</match>
    <description>System Audit: Vulnerable web application found.</description>
    <group>rootcheck,</group>
  </rule>

</group>

These commands, executed after making any change to the rule, restart ossec, clear the rootcheck db and start (after some delay) a new rootcheck:-

# bin/ossec-control restart
# bin/rootcheck_control -u 000
# bin/agent_control -ru 000

ossec-logtest can be used to see how lines from a log file are decoded and what rules are used to generate alerts, but doesn't seem to be any use for testing rootcheck rules:-

# bin/ossec-logtest
2016/02/26 01:52:55 ossec-testrule: INFO: Reading local decoder file.
2016/02/26 01:52:55 ossec-testrule: INFO: Started (pid: 24633).
ossec-testrule: Type one log per line.

System Audit: Web vulnerability - Backdoors / Web based malware found - eval(base64_decode. File: /var/www/otherpath/app/code/local/Mlx/Mlx/controllers/ServiceController.php.

**Phase 1: Completed pre-decoding.
       full event: 'System Audit: Web vulnerability - Backdoors / Web based
                    malware found - eval(base64_decode. File:
                    /var/www/otherpath/app/code/local/Mlx/Mlx/controllers/ServiceController.php.'
       hostname: 'myhost'
       program_name: '(null)'
       log: 'System Audit: Web vulnerability - Backdoors / Web based
             malware found - eval(base64_decode. File:
             /var/www/otherpath/app/code/local/Mlx/Mlx/controllers/ServiceController.php.'

**Phase 2: Completed decoding.
       No decoder matched.

Indeed, there are no decoders that would decode this 'log' line (or the variations I tried).

It is possible to overwrite a rule by copying it into local_rules.xml and adding the overwrite attribute:-

<rule id="519" level="0" overwrite="yes">
  <if_sid>516</if_sid>
  <match>^System Audit: Web vulnerability</match>
  <description>System Audit: Vulnerable web application found.</description>
  <group>rootcheck,</group>
</rule>

And having changed the level attribute, all 519 alerts are silenced.

So there must be something wrong with my rule. What am I doing wrong?

jah

1 Answer


What you're doing wrong is assuming that multiple <match> elements in a rule are ANDed when actually they're concatenated. So your rule:-

<group name="rootcheck">

  <rule id="100200" level="0">
    <if_sid>519</if_sid>
    <match>Web vulnerability - Backdoors / Web based malware found - eval(base64_decode</match>
    <match>app/code/local/Mlx/Mlx</match>
  </rule>

won't match the message you're getting alerted about, but it will match the string:-

"Web vulnerability - Backdoors / Web based malware found - eval(base64_decodeapp/code/local/Mlx/Mlx"

You might try this:-

<rule id="100200" level="0">
  <if_sid>519</if_sid>
  <match>System Audit: Web vulnerability - Backdoors / Web based malware found</match>
  <match> - eval(base64_decode. File: /var/www/</match>
  <regex>somepath/app/code/local/Mlx/Mlx|</regex>
  <regex>otherpath/app/code/local/Mlx/Mlx</regex>
  <description>Ignore Magento extension Mlx license restriction PHP</description>
</rule>

That rule uses multiple match and regex elements only to shorten the patterns to make them more readable. Multiple regex elements are also concatenated and in this case result in two ORed patterns (using the pipe symbol to separate them). The resulting match and regex strings are ANDed so that this rule will work as desired.


It should be pointed out that the working rule, above, is too permissive: it would also match:-

"System Audit: Web vulnerability - Backdoors / Web based malware found - eval(base64_decode. File: /var/www/completely-different-path/somepath/app/code/local/Mlx/Mlx/ReallyEvil.php."

and not trigger an alert for the presence of something really evil. It might be better to use multiple rules which are very specific about the paths they match.

This first rule extends rule 519 "System Audit: Vulnerable web application found", uses the same alert level and has a slightly more specific match and description:-

<rule id="100200" level="7">
  <if_sid>519</if_sid>
  <match>^System Audit: Web vulnerability - Backdoors / Web based malware found - eval(base64_decode.</match>
  <description>System Audit: Vulnerable web application with possible back door or web based malware found.</description>
  <group>rootcheck</group>
</rule>

Then these additional rules extend rule 100200 to suppress the alerts for specific files, matching at the end of the message:-

<rule id="100201" level="0">
  <if_sid>100200</if_sid>
  <match>File: /var/www/somepath/app/code/local/Mlx/Mlx/Model/Observer.php.$</match>
  <description>Ignore Magento extension Mlx license restriction PHP</description>
  <group>rootcheck</group>
</rule>

<rule id="100202" level="0">
  <if_sid>100200</if_sid>
  <match>File: /var/www/otherpath/app/code/local/Mlx/Mlx/controllers/ServiceController.php.$</match>
  <description>Ignore Magento extension Mlx license restriction PHP</description>
  <group>rootcheck</group>
</rule>

Verbose, but more correct.

jah
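Because ossec-logtest cannot exercise rootcheck rules, the only way to check a rule on the page is to wait for the next scan. The following is an added Python harness, not OSSEC code and not part of the question or answer, that models the semantics the answer describes (consecutive `<match>` elements concatenated, consecutive `<regex>` elements concatenated, the two results ANDed, and the first matching child rule replacing its parent) and evaluates the three rule variants from this thread against the two messages from the question plus the "ReallyEvil.php" message from the answer. The `<match>` handling (literal substring with `^`/`$` anchors and `|` alternatives) and the use of Python's `re` for `<regex>` are simplifications of OSSEC's own pattern dialects, adequate for the dot-free regex patterns used here but not a substitute for a real rootcheck run.

```python
"""Simplified model of OSSEC rule matching for the rules in this thread.

Added example, not OSSEC code. Assumptions (labelled here and in the lead-in):
  * all <match> children of a rule are joined into one pattern, all <regex>
    children into another, and a rule fires only if both patterns hit;
  * <match> is a literal substring test with optional '^' / '$' anchors and
    '|'-separated alternatives (OSSEC treats '.' literally in <match>);
  * <regex> is evaluated with Python's re module (close enough for the
    dot-free patterns on this page);
  * starting from rule 519 at level 7, the first child rule that matches
    replaces the parent, then that rule's own children are tried.
"""
import re
import xml.etree.ElementTree as ET

# Constructed copies of the two messages from the question's alerts.
MSG_OBSERVER = ("System Audit: Web vulnerability - Backdoors / Web based malware found"
                " - eval(base64_decode. File: /var/www/somepath/app/code/local/Mlx/Mlx/Model/Observer.php.")
MSG_SERVICE = ("System Audit: Web vulnerability - Backdoors / Web based malware found"
               " - eval(base64_decode. File: /var/www/otherpath/app/code/local/Mlx/Mlx/controllers/ServiceController.php.")
# Constructed message for the 'too permissive' case discussed in the answer.
MSG_EVIL = ("System Audit: Web vulnerability - Backdoors / Web based malware found"
            " - eval(base64_decode. File: /var/www/completely-different-path/somepath/app/code/local/Mlx/Mlx/ReallyEvil.php.")

# The questioner's original rule (two <match> elements, expected to be ANDed).
RULE_QUESTION = """<group name="rootcheck">
  <rule id="100200" level="0">
    <if_sid>519</if_sid>
    <match>Web vulnerability - Backdoors / Web based malware found - eval(base64_decode</match>
    <match>app/code/local/Mlx/Mlx</match>
  </rule>
</group>"""

# The answer's first fix: concatenated <match>, concatenated <regex> with '|'.
RULE_ANSWER = """<group name="rootcheck">
  <rule id="100200" level="0">
    <if_sid>519</if_sid>
    <match>System Audit: Web vulnerability - Backdoors / Web based malware found</match>
    <match> - eval(base64_decode. File: /var/www/</match>
    <regex>somepath/app/code/local/Mlx/Mlx|</regex>
    <regex>otherpath/app/code/local/Mlx/Mlx</regex>
  </rule>
</group>"""

# The answer's stricter variant: one level-7 parent plus per-file '$'-anchored children.
RULES_SPECIFIC = """<group name="rootcheck">
  <rule id="100200" level="7">
    <if_sid>519</if_sid>
    <match>^System Audit: Web vulnerability - Backdoors / Web based malware found - eval(base64_decode.</match>
  </rule>
  <rule id="100201" level="0">
    <if_sid>100200</if_sid>
    <match>File: /var/www/somepath/app/code/local/Mlx/Mlx/Model/Observer.php.$</match>
  </rule>
  <rule id="100202" level="0">
    <if_sid>100200</if_sid>
    <match>File: /var/www/otherpath/app/code/local/Mlx/Mlx/controllers/ServiceController.php.$</match>
  </rule>
</group>"""


def sregex_match(pattern: str, text: str) -> bool:
    """Simplified <match>: '|' alternatives, '^' / '$' anchors, otherwise literal substring."""
    for alt in pattern.split("|"):
        head, tail = alt.startswith("^"), alt.endswith("$")
        lit = alt[1 if head else 0: -1 if tail else None]
        if head and tail:
            hit = text == lit
        elif head:
            hit = text.startswith(lit)
        elif tail:
            hit = text.endswith(lit)
        else:
            hit = lit in text
        if hit:
            return True
    return False


def rule_matches(rule: ET.Element, text: str) -> bool:
    """Join all <match> children and all <regex> children, then require both to hit."""
    match_pat = "".join(e.text or "" for e in rule.findall("match"))
    regex_pat = "".join(e.text or "" for e in rule.findall("regex"))
    if match_pat and not sregex_match(match_pat, text):
        return False
    if regex_pat and not re.search(regex_pat, text):
        return False
    return True


def alert_level(rules_xml: str, text: str, parent_id: str = "519", parent_level: int = 7) -> int:
    """Descend from the parent rule through matching children; return the final alert level."""
    rules = ET.fromstring(rules_xml).findall("rule")
    level, current = parent_level, parent_id
    while True:
        children = [r for r in rules if (r.findtext("if_sid") or "").strip() == current]
        hit = next((r for r in children if rule_matches(r, text)), None)
        if hit is None:
            return level
        level, current = int(hit.get("level")), hit.get("id")


if __name__ == "__main__":
    for name, xml in (("question", RULE_QUESTION), ("answer", RULE_ANSWER), ("specific", RULES_SPECIFIC)):
        for label, msg in (("Observer", MSG_OBSERVER), ("Service", MSG_SERVICE), ("ReallyEvil", MSG_EVIL)):
            print(f"{name:9} {label:11} -> level {alert_level(xml, msg)}")
```

Running it shows the questioner's rule leaving all three messages at level 7 (its concatenated pattern never occurs in a real message), the answer's first rule silencing all three including ReallyEvil.php, and the `$`-anchored rules silencing only the two known files while ReallyEvil.php stays at level 7.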