Monitoring system security is crucial, especially when it comes to detecting unauthorized activities like opening ports or installing applications. This is where Wazuh comes into play. I’ve been using the Wazuh REST API and custom rules to monitor these activities effectively.
By utilizing the Wazuh REST API and setting up custom rules, we can track port openings and application installations across our network. This is essential for keeping an eye on potential security threats and ensuring only authorized activities are happening.
Below is a custom rule set that monitors ports and application installations, together with a whitelist and alerting setup that notifies us when new applications are installed or ports are opened.
Custom Rule Configuration:
Here is an example of the custom rules we added to the /var/ossec/ruleset/rules/local_rules.xml file of the Wazuh server:
<!-- Promiscuous-mode detection: overwrite stock rule 5104 so that the whitelisted
     host 192.168.1.2 (srcip negated with "!") does not raise this alert.
     The two <regex> lines are concatenated by the rule parser; the trailing "|"
     on the first makes them alternatives. -->
<group name="syslog,linuxkernel,">
  <rule id="5104" level="8" overwrite="yes">
    <if_sid>5100</if_sid>
    <srcip>!192.168.1.2</srcip>
    <regex>Promiscuous mode enabled|</regex>
    <regex>device \S+ entered promiscuous mode</regex>
    <description>Interface entered in promiscuous (sniffing) mode.</description>
    <mitre>
      <id>T1040</id>
    </mitre>
    <group>promisc,pci_dss_10.6.1,pci_dss_11.4,gpg13_4.13,gdpr_IV_35.7.d,hipaa_164.312.b,nist_800_53_AU.6,nist_800_53_SI.4,tsc_CC7.2,tsc_CC7.3,tsc_CC6.1,tsc_CC6.8,</group>
  </rule>
</group>

<!-- Noise reduction: overwrite rootcheck rule 510 so that the /bin/diff finding
     is kept at level 0 and never generates an alert. -->
<group name="rootcheck,ossec,">
  <rule id="510" level="0" overwrite="yes">
    <match>/bin/diff</match>
    <description>Ignore 510 rootcheck on /bin/diff</description>
  </rule>
</group>

<!-- Syscollector rules for ports: 100310 selects the dbsync_ports events from the
     generic Syscollector rule 221, and the three children alert on the
     operation_type (INSERTED / MODIFIED / DELETED) of each port record. -->
<group name="syscollector,">
  <!-- Ports -->
  <rule id="100310" level="3">
    <if_sid>221</if_sid>
    <field name="type">dbsync_ports</field>
    <description>Syscollector ports event.</description>
  </rule>
  <rule id="100311" level="3">
    <if_sid>100310</if_sid>
    <field name="operation_type">INSERTED</field>
    <description>The port: $(port.local_port), with local IP: $(port.local_ip) has been opened. Syscollector creation event detected.</description>
  </rule>
  <rule id="100312" level="3">
    <if_sid>100310</if_sid>
    <field name="operation_type">MODIFIED</field>
    <description>The port: $(port.local_port), with local IP: $(port.local_ip) has been modified. Syscollector modification event detected.</description>
  </rule>
  <rule id="100313" level="3">
    <if_sid>100310</if_sid>
    <field name="operation_type">DELETED</field>
    <description>The port: $(port.local_port), with local IP: $(port.local_ip) has been closed. Syscollector deletion event detected.</description>
  </rule>
</group>

<!-- Overwrite the stock Syscollector rule 221 (level 0 by default) so that
     Syscollector events themselves are visible at level 3. -->
<group name="syscollector,">
  <rule id="221" level="3" overwrite="yes">
    <category>ossec</category>
    <decoded_as>syscollector</decoded_as>
    <description>Syscollector event.</description>
  </rule>
</group>
These rules help us monitor system activities, such as when network interfaces enter promiscuous mode, or when new ports are opened, modified, or closed. The rules also help ignore certain non-critical checks to reduce noise in our alerts.
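The REST API side of the whitelist check mentioned in the introduction, as an added example that is not the post's own code: it reads an agent's current ports and packages from the Wazuh API (endpoints as in the Wazuh 4.x API: POST /security/user/authenticate, GET /syscollector/{id}/ports and /packages) and reports anything not on a whitelist. The manager URL, credentials, whitelist entries and the sample data are constructed placeholders.

```python
# Added example (not from the original post): whitelist audit of one agent's
# open ports and installed packages via the Wazuh REST API.
import base64
import json
import urllib.request

WAZUH_API = "https://wazuh-manager.example:55000"   # constructed placeholder
# Whitelists are constructed: (local ip, local port, protocol) and package names.
PORT_WHITELIST = {("0.0.0.0", 22, "tcp"), ("127.0.0.1", 53, "udp")}
PACKAGE_WHITELIST = {"openssh-server", "bind9", "wazuh-agent"}

def get_token(user, password, ctx=None):
    """Authenticate with HTTP basic auth; the API answers with a JWT.
    ctx is an ssl.SSLContext that trusts the manager's certificate."""
    req = urllib.request.Request(f"{WAZUH_API}/security/user/authenticate", method="POST")
    cred = base64.b64encode(f"{user}:{password}".encode()).decode()
    req.add_header("Authorization", f"Basic {cred}")
    with urllib.request.urlopen(req, context=ctx) as resp:
        return json.load(resp)["data"]["token"]

def api_get(token, path, ctx=None):
    """GET a collection endpoint and return its data.affected_items list."""
    req = urllib.request.Request(f"{WAZUH_API}{path}")
    req.add_header("Authorization", f"Bearer {token}")
    with urllib.request.urlopen(req, context=ctx) as resp:
        return json.load(resp)["data"]["affected_items"]

def find_unauthorized(ports, packages):
    """Return (unexpected ports, unexpected packages) against the whitelists.
    ports/packages are the affected_items lists from the two endpoints; each
    port item carries local.ip, local.port, protocol and (optionally) process."""
    bad_ports = sorted(
        (p["local"]["ip"], p["local"]["port"], p["protocol"], p.get("process", "?"))
        for p in ports
        if (p["local"]["ip"], p["local"]["port"], p["protocol"]) not in PORT_WHITELIST
    )
    bad_pkgs = sorted(pk["name"] for pk in packages if pk["name"] not in PACKAGE_WHITELIST)
    return bad_ports, bad_pkgs

def audit_agent(agent_id, user, password, ctx=None):
    """Live check of one agent; any HTTP or TLS failure raises an exception."""
    token = get_token(user, password, ctx)
    ports = api_get(token, f"/syscollector/{agent_id}/ports", ctx)
    packages = api_get(token, f"/syscollector/{agent_id}/packages", ctx)
    return find_unauthorized(ports, packages)

# Constructed sample in the shape the two endpoints return, for an offline run.
SAMPLE_PORTS = [
    {"local": {"ip": "0.0.0.0", "port": 22}, "protocol": "tcp", "process": "sshd"},
    {"local": {"ip": "0.0.0.0", "port": 8080}, "protocol": "tcp", "process": "python3"},
]
SAMPLE_PACKAGES = [{"name": "openssh-server"}, {"name": "telnetd"}]

if __name__ == "__main__":
    print(find_unauthorized(SAMPLE_PORTS, SAMPLE_PACKAGES))
```

Run it on a schedule against each agent id and forward the non-empty result to your alerting channel; the Syscollector rules above give you the real-time event, this gives you the periodic state check.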
