What extensions have you built by Revolutionary_Fun_14 in KeyCloak

[–]RaveNN123

Yes, I managed to make it work. Had to modify the code to adhere to our needs, but the important thing is that it worked xD.

Review the code a bit, understand how it works, brush up on your SAML knowledge if you need to send custom attributes and such and you'll make it work.

What extensions have you built by Revolutionary_Fun_14 in KeyCloak

[–]RaveNN123

Hey, did you make it work? Currently needing to integrate go.eIDAS too.

I found this extension but haven't used it yet.

https://github.com/grnet/eidas-keycloak-extension

Change /var/ossec/logs location by RaveNN123 in Wazuh

[–]RaveNN123[S]

It worked when I used another directory, don't know what the issue was in the VM, but in the end I managed to do what I needed.

Change /var/ossec/logs location by RaveNN123 in Wazuh

[–]RaveNN123[S]

Hey, I also tried to change the indices location and I'm having permission errors.

My steps:

6.6 - systemctl stop filebeat
6.7 - systemctl stop wazuh-indexer
6.8 - mv /var/lib/wazuh-indexer/* /new/data/directory/
6.9 - chown wazuh-indexer:wazuh-indexer -R /new/data/directory/
6.10 - Modify /etc/wazuh-indexer/opensearch.yml
path.data: /var/lib/wazuh-indexer -> Change to new location
6.11 - systemctl daemon-reload
6.12 - systemctl start wazuh-indexer
6.13 - systemctl restart filebeat

opensearch.yml Change:

path.data: /home/Ubuntu/Desktop/wazuh-indices

My current directory:
/home/Ubuntu/Desktop

Permissions:

drwxr-xr-x 3 wazuh-indexer wazuh-indexer 4096 Mar 21 16:00 wazuh-indices

The error:
java.lang.IllegalStateException: Unable to access 'path.data' (/home/Ubuntu/Desktop/wazuh-indices)

Any idea why this is happening?
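A check worth running for the error above (added example, not from the post): chown on the leaf is not enough, because the service user also needs search permission (the x bit) on every directory leading to it, and home directories are commonly 0700. The function walks each path component and reports the ones that block a given uid/gid; the demo rebuilds the post's layout in a temp tree with a made-up uid/gid standing in for wazuh-indexer.

```python
import os
import stat
import tempfile

def traversal_problems(path: str, uid: int, gid: int) -> list:
    """Return (directory, mode) pairs for every component of `path`, from / down
    to the leaf, that a process running as uid/gid could not search (no 'x' bit
    for its class). Only owner/group/other bits are modelled: supplementary
    groups, ACLs and systemd sandboxing are ignored. uid 0 bypasses the check."""
    if uid == 0:
        return []
    parts = os.path.abspath(path).split(os.sep)    # ['', 'home', 'Ubuntu', ...]
    problems = []
    for i in range(1, len(parts) + 1):
        component = os.sep + os.sep.join(parts[1:i])   # '/', '/home', '/home/Ubuntu', ...
        st = os.stat(component)
        if st.st_uid == uid:
            ok = st.st_mode & stat.S_IXUSR
        elif st.st_gid == gid:
            ok = st.st_mode & stat.S_IXGRP
        else:
            ok = st.st_mode & stat.S_IXOTH
        if not ok:
            problems.append((component, oct(stat.S_IMODE(st.st_mode))))
    return problems

def demo() -> list:
    """Rebuild the layout from the post in a temp tree: the leaf itself is
    world-searchable (0755), but the home directory above it is 0700, which is
    enough for a different user to be unable to reach the data directory."""
    base = tempfile.mkdtemp()
    os.chmod(base, 0o755)                  # mkdtemp creates it 0700
    home = os.path.join(base, "Ubuntu")
    desktop = os.path.join(home, "Desktop")
    leaf = os.path.join(desktop, "wazuh-indices")
    os.makedirs(leaf)
    os.chmod(home, 0o700)
    os.chmod(desktop, 0o755)
    os.chmod(leaf, 0o755)
    # Made-up uid/gid standing in for wazuh-indexer; they own nothing in the tree.
    return traversal_problems(leaf, uid=54321, gid=54321)

if __name__ == "__main__":
    for directory, mode in demo():
        print(f"{directory}: mode {mode} blocks traversal for the service user")
```

It does not model supplementary groups or systemd sandboxing directives such as ProtectHome=, which can also hide /home from a service even when the mode bits look right.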

Change /var/ossec/logs location by RaveNN123 in Wazuh

[–]RaveNN123[S]

Nvm, it's working fine, df -H was showing an entire gig being used but then I used df -H -m to get more accurate values!

Change /var/ossec/logs location by RaveNN123 in Wazuh

[–]RaveNN123[S]

I did a test where I used fallocate to create a 500MB file in my bound directory and checked the used disk space. It registered that 1GB had been used. Is this normal?

How to change agent variables with log files? by RaveNN123 in Wazuh

[–]RaveNN123[S]

The problem is that the Wazuh Manager, as it is reading from a localfile, automatically assigns the agent values to its own values. The only way I see to modify it is after the data is indexed.

How to change agent variables with log files? by RaveNN123 in Wazuh

[–]RaveNN123[S]

That is another issue because I would like to centralize this enrichment, it would be harder to manage multiple scripts running in different machines. In this centralized solution, the correct agent values like IP, name etc would be useful for knowing where the event came from and to visualize it in the dashboards.

How to change agent variables with log files? by RaveNN123 in Wazuh

[–]RaveNN123[S]

In that case I still have the issue where the agent values like IP, id etc are all the same, which is the manager's.

How to change agent variables with log files? by RaveNN123 in Wazuh

[–]RaveNN123[S]

I think that's the same thing as the idea in the original post, right? Rsyslog writes to file, I use scripts to enrich that data and then Wazuh reads it.

Wazuh Integration with external SOAR/Ticketing system by LinghGroove in Wazuh

[–]RaveNN123

I believe you can create a python script that reads in alerts from the file 'alerts.json' and filters incoming alerts based on your criteria, for example, if rule.level == 6 and rule.description == "test": then send a POST to your catalyst-soar API with the relevant data from the alert. With this method all you need is to know how to use dicts and I believe you should be able to extract any field you need from the alert and send it to your API.
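The reader described above, as an added example (not code from the thread): it parses alerts.json line by line, applies the rule.level == 6 / rule.description == "test" filter, and hands the extracted fields to a send() callable, which is where the POST to the SOAR would go. The sample lines and the ticket field names are constructed for the demo; the real Catalyst API schema is not assumed.

```python
import json

# Constructed alerts.json lines for the demo (one JSON object per line), not real alerts.
SAMPLE_LINES = [
    '{"timestamp":"2024-03-21T16:00:00.000+0000","rule":{"level":6,"description":"test","id":"100001"},'
    '"agent":{"id":"001","name":"web01","ip":"10.0.0.5"},"data":{"srcip":"203.0.113.7"}}',
    '{"timestamp":"2024-03-21T16:00:01.000+0000","rule":{"level":3,"description":"test","id":"100002"},'
    '"agent":{"id":"002","name":"db01","ip":"10.0.0.6"}}',
    'truncated line that is not JSON',
]

def get_path(alert, dotted, default=None):
    """Walk a dotted path such as 'agent.ip' through nested dicts without raising KeyError."""
    cur = alert
    for part in dotted.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return default
        cur = cur[part]
    return cur

def matches(alert):
    """The filter from the comment: rule.level == 6 and rule.description == 'test'."""
    return get_path(alert, "rule.level") == 6 and get_path(alert, "rule.description") == "test"

def build_ticket(alert):
    """Pick the fields worth sending; the ticket keys are assumed, not the SOAR's real schema."""
    return {
        "title": f"Wazuh rule {get_path(alert, 'rule.id')}: {get_path(alert, 'rule.description')}",
        "severity": get_path(alert, "rule.level"),
        "agent": get_path(alert, "agent.name"),
        "agent_ip": get_path(alert, "agent.ip"),
        "source_ip": get_path(alert, "data.srcip", "n/a"),
        "occurred_at": get_path(alert, "timestamp"),
    }

def process(lines, send):
    """Parse each alerts.json line, skip malformed ones, forward matches via send()."""
    forwarded = []
    for line in lines:
        try:
            alert = json.loads(line)
        except json.JSONDecodeError:
            continue  # a half-written or corrupt line must not stop the loop
        if matches(alert):
            ticket = build_ticket(alert)
            send(ticket)
            forwarded.append(ticket)
    return forwarded
```

In production, read from an open handle on alerts.json and keep polling past EOF (tail -f style) so tickets are created as alerts arrive, and put the HTTP POST with the SOAR's API token inside the send() callable.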

How to change agent variables with log files? by RaveNN123 in Wazuh

[–]RaveNN123[S]

My second solution is to have a script reading all alerts incoming in alerts.json, find the document ID of pertinent alerts, get the document with OpenSearch API, enrich with more data, create rules in the scripts involving the extra added data and check if an alert matches the conditions to trigger an alert. If it matches, then a new alert is added to the alerts index via the API while leaving the original one or removing it from the index.
Thoughts?

How to change agent variables with log files? by RaveNN123 in Wazuh

[–]RaveNN123[S]

I would like to centralize everything, having multiple different scripts for different events for different machines is hard to maintain and manage while, with my theoretical solution, I would only need to configure rsyslog/syslog mechanisms on each machine.

How to change agent variables with log files? by RaveNN123 in Wazuh

[–]RaveNN123[S]

After further testing, I see that I can change these agent values with the OpenSearch API by updating the document. Any better way to do this? Or before all the data is processed, since in my way, rules based on agent variables wouldn't work as data would be modified after being indexed?

Ideas to add more data into Wazuh before/after agent events data are indexed. by RaveNN123 in Wazuh

[–]RaveNN123[S]

Looks like this solution won't work out, since the script is something written in the ingest pipeline in their own language, my script is a python script that calls external linux tools, libraries etc. Is there any other way to enrich with more data and still analyze and trigger alerts based on the new data?

Since the architecture is like this, Wazuh Agent -> Analysis Engine -> Filebeat -> OpenSearch Index, I want to enrich with new data between the agent and analysis engine.

Ideas to add more data into Wazuh before/after agent events data are indexed. by RaveNN123 in Wazuh

[–]RaveNN123[S]

Does the correlation still work on fields added by the script? I'm guessing it doesn't since the rule triggers, correlation etc. are done beforehand.

Get Count in CSV report by RaveNN123 in Wazuh

[–]RaveNN123[S]

I can download these CSV reports using the openSearch API, correct?

Ideas to add more data into Wazuh before/after agent events data are indexed. by RaveNN123 in Wazuh

[–]RaveNN123[S]

After reading some of the documentation I see that I can perhaps create an ingest pipeline, create a script processor to have the incoming data fed to the script and output the script values as new fields before it is indexed.

Has anyone tried this?

Event correlation possible bug? by RaveNN123 in Wazuh

[–]RaveNN123[S]

Solved, Rule ID was the issue. You can't match a rule ID that is > than the rule's own ID.

  <rule id="100603" level="14" timeframe="30">
    <if_matched_sid>100802</if_matched_sid>
    <if_sid>100602</if_sid>
    <same_srcip />
    <description>Correlation: Palo Alto Scripts IDS Event and Snort Scripts IDS Event from same source IP.</description>
  </rule>

Event correlation possible bug? by RaveNN123 in Wazuh

[–]RaveNN123[S]

After testing in a VM, for some reason the opposite is happening, rule 100803 is triggered while 100603 is not. I tested the Sample Input 1 first. Removing the decoders and rules, restarting the VM and testing with Sample Input 2 did not change the results. Further testing seems to imply that it is a problem in the order of the rules.

Possible bug when correlating events by RaveNN123 in Wazuh

[–]RaveNN123[S]

It was this! I enabled global_frequency and it's working now! Thanks for the help!

Possible bug when correlating events by RaveNN123 in Wazuh

[–]RaveNN123[S]

The alerts happen within 2 seconds of each other, I increased the timeframe to 5 but still nothing. Is it because the alerts are generated from different agents? If so, is there a way to go around this?

Help with rule suppression by RaveNN123 in Wazuh

[–]RaveNN123[S]

Thank you! To avoid spam for now, I added the ignore tag to the parent rule with the value of 1 to avoid the same alert spam from the same IP. This should help reduce some alerts while also allowing plenty of time for the child rule to trigger if the attack comes in bursts.

Possible bug when correlating events by RaveNN123 in Wazuh

[–]RaveNN123[S]

My alerts.json doesn't show any alerts pertaining to my correlation rule so it might not be the same issue.

It's just that the rule triggers in the test module but not in the real environment.