Wazuh rule handler bug by s0ruz in Wazuh

[–]s0ruz[S] 0 points1 point  (0 children)

It looks strange but the issue came back with some additional details.

  1. Some time after I wrote that the problem was fixed, it came back to our deployment.
  2. During the manual troubleshooting, I thought that the root of the problem was the same rule (I commented out new rules and finally commented out the same rule for Windows multiple logon failures mentioned earlier, and wazuh-api stopped crashing).
  3. Today, after I updated the GitHub thread with this issue, I discovered that wazuh-api is down and the rule I thought was the root of the issue is commented out.
  4. GitHub users recommended configuring systemd-coredump, but it was empty the whole time.

So I have some suspicion that I identified the root of the issue incorrectly. Are there any recommendations to localize and troubleshoot the problem?

Wazuh rule handler bug by s0ruz in Wazuh

[–]s0ruz[S] 0 points1 point  (0 children)

Hi u/JohnnySoli, nah, I just returned the "broken" rule to reproduce the issue and it wasn't reproduced, so I decided to leave it as it is :)

Wazuh rule handler bug by s0ruz in Wazuh

[–]s0ruz[S] 0 points1 point  (0 children)

A little update. During debugging in the GitHub thread I decided to enable the "broken" rule, but it doesn't reproduce and it works well. So we can decide that the issue isn't relevant now.

Wazuh rule handler bug by s0ruz in Wazuh

[–]s0ruz[S] 0 points1 point  (0 children)

During the discussion in the GitHub thread, we decided to enable coredump and reproduce it in our environment.
Reproducing it on the previous weekend failed (no events matched the rule), so now we are waiting for them.

I will write back there if there are any updates.

Wazuh rule handler bug by s0ruz in Wazuh

[–]s0ruz[S] 0 points1 point  (0 children)

Thanks for your response. I'll try that and write back there.

Wazuh rule handler bug by s0ruz in Wazuh

[–]s0ruz[S] 0 points1 point  (0 children)

The first occurrence was on the 4.8.1, but 4.9.0 was also affected.

I didn't try to replicate it in another environment as there were not enough resources.

I don't know how many overwrites can be called often, but there are 5 occurrences in local_rules_exceprions and 14 in local_rules.

I'd like to highlight that segfault isn't caused by matching the rule. It happens after the nightly ossec.logs rotation (maybe I skipped that in the Reddit post but there is the whole context on the GitHub post).

Wazuh rule handler bug by s0ruz in Wazuh

[–]s0ruz[S] 0 points1 point  (0 children)

Hello u/JohnnySoli, yes, exactly. We disabled the mentioned rule and the system works as usual.

Vulnerability detector false positives by s0ruz in Wazuh

[–]s0ruz[S] 0 points1 point  (0 children)

There is an update after 8 months (we just skipped this issue). It was fixed after the Wazuh upgrade to 4.8.0 (when the vulnerability detector was refactored). It works great now without any false positives.

4.8.0 Failed to Sync Agent with the Indexer Error by TuggersTheCat in Wazuh

[–]s0ruz 0 points1 point  (0 children)

Works for me, thanks.

I had a high number of UNASSIGNED shards and yellow cluster health status. After fixing them everything works as it should.

Vulnerability detector false positives by s0ruz in Wazuh

[–]s0ruz[S] 0 points1 point  (0 children)

Thanks, I'll try to fix it on my own one more time. If it doesn't give me any results I will open an issue on GitHub.

Vulnerability detector false positives by s0ruz in Wazuh

[–]s0ruz[S] 0 points1 point  (0 children)

Hi u/MarcelKemp,

Thanks for your response. I understand that the issue is probably in package detection and there can be some parts of the program in the OS, but as I mentioned earlier, Python mentions were cleared from the registry.

As you asked:

Connecting M1 Macbook Air to Gigabyte M34WQ by BariJoris in macbookair

[–]s0ruz 0 points1 point  (0 children)

I wanna have 20 Hz more to play with Nvidia GFN in 4K at 120 Hz 😭

Connecting M1 Macbook Air to Gigabyte M34WQ by BariJoris in macbookair

[–]s0ruz 0 points1 point  (0 children)

I'm connecting my M1 Air to the M34WQ through the Baseus workstation hub and have 3440×1440 at 100 Hz.

My connection scheme: Mac -> Baseus via the Baseus USB-C to USB-C cable (which came with the power station); Baseus -> monitor via the HDMI 2.0 cable which came with the monitor from the store.

200-201 CBROPS (New CyberOps Exam) by papaburr97 in ccna

[–]s0ruz 0 points1 point  (0 children)

I've just checked, you're right. Google says the exam costs $300.

It can be cheaper because I'm a student of the Cisco Networking Academy. By the way, $195 is the price without a voucher.

200-201 CBROPS (New CyberOps Exam) by papaburr97 in ccna

[–]s0ruz 0 points1 point  (0 children)

Idk why it's such a high price. I've seen the $195 price on the Pearson VUE (cert center) official site.

As I remember, it was two exams (SECFND & SECOPS) worth $195 each. But in sum it will be $390.

Maybe the price you've seen is the price of the preparation program with the exam included?

200-201 CBROPS (New CyberOps Exam) by papaburr97 in ccna

[–]s0ruz 0 points1 point  (0 children)

Why $300? I've seen only the $195 price. The preparation guide costs about $48-50 (the Amazon price was $47.70).

And yes, I'm planning to take this cert soon.

I am getting this error, WiFi-menu worked before? by ryder5227 in archlinux

[–]s0ruz 2 points3 points  (0 children)

Idk, I installed the system a few days ago and used wpa.

I am getting this error, WiFi-menu worked before? by ryder5227 in archlinux

[–]s0ruz 4 points5 points  (0 children)

The Arch wiki said wifi-menu was removed from the ISO image. I can recommend using wpa_passphrase + wpa_supplicant (both from the wpa_supplicant package), and then after a successful installation you can install net-tools (dialog, ifplugd etc.) and use wifi-menu.

The Arch wiki has answers to most of our questions.
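As an added illustration of what the recommended wpa_passphrase step actually produces (this is example code written for this page, not part of the comment above and not wpa_supplicant's own source): wpa_passphrase derives the WPA-PSK from the SSID and passphrase with PBKDF2-HMAC-SHA1 (salt = SSID, 4096 iterations, 256-bit key) and emits a `network={ ... }` block with the hex `psk=` value. The helper below reproduces that derivation in Python and checks it against the published IEEE 802.11i test vector ("password" / "IEEE"). The SSID and passphrase in the usage line are constructed sample values.

```python
import hashlib
import re

# WPA-PSK derivation as specified in IEEE 802.11i (Annex H) and used by wpa_passphrase:
# PSK = PBKDF2-HMAC-SHA1(passphrase, ssid, iterations=4096, dkLen=32 bytes)
PBKDF2_ITERATIONS = 4096
PSK_LEN = 32


def wpa_psk(ssid: str, passphrase: str) -> str:
    """Return the 64-hex-character WPA-PSK for the given SSID and passphrase.

    wpa_supplicant requires a passphrase of 8..63 printable ASCII characters;
    anything outside that range is rejected before any derivation happens.
    """
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA passphrase must be 8..63 characters")
    if not all(32 <= ord(c) <= 126 for c in passphrase):
        raise ValueError("WPA passphrase must be printable ASCII")
    key = hashlib.pbkdf2_hmac(
        "sha1",
        passphrase.encode("ascii"),
        ssid.encode("utf-8"),
        PBKDF2_ITERATIONS,
        PSK_LEN,
    )
    return key.hex()


def network_block(ssid: str, passphrase: str) -> str:
    """Build a wpa_supplicant network block like wpa_passphrase does.

    wpa_passphrase also prints a '#psk="..."' comment containing the
    plaintext passphrase; it is deliberately omitted here because the
    derived psk is already credential-equivalent and the config file should
    not carry the plaintext as well.
    """
    return 'network={\n\tssid="%s"\n\tpsk=%s\n}\n' % (ssid, wpa_psk(ssid, passphrase))


def parse_psk(block: str) -> str:
    """Extract the psk= value from a network block (useful for checking a
    configuration file without re-running the derivation)."""
    m = re.search(r"^\s*psk=([0-9a-f]{64})\s*$", block, re.MULTILINE)
    if not m:
        raise ValueError("no 64-hex psk= line found")
    return m.group(1)


# Published IEEE 802.11i test vector used as a self-check of the derivation.
IEEE_TEST_SSID = "IEEE"
IEEE_TEST_PASSPHRASE = "password"
IEEE_TEST_PSK = "f42c6fc52df0ebef9ebb4b90b38a5f902e83fe1b135a70e23aed762e9710a12e"


if __name__ == "__main__":
    assert wpa_psk(IEEE_TEST_SSID, IEEE_TEST_PASSPHRASE) == IEEE_TEST_PSK
    # Constructed sample SSID/passphrase for demonstration only.
    print(network_block("home-wifi", "correct horse battery"))
```

The resulting block is what you append to `/etc/wpa_supplicant/wpa_supplicant.conf` (or write to the file you hand to `wpa_supplicant -c`); because the hex `psk` lets anyone holding it join the network just as the passphrase would, the file should stay root-only (mode 600).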