Rules - testing messages do not appear as feedback to the user #4111

Closed
gdiazlo opened this issue Apr 27, 2022 · 5 comments · Fixed by #4244, #4257 or #4258
Assignees
Labels
type/bug Bug issue

Comments

@gdiazlo
Member

gdiazlo commented Apr 27, 2022

Wazuh: 4.x
Elastic: -
Rev: -
Security: -
Browser: Chrome, Firefox, Safari, etc

Description

When a user goes to test a new rule in Tools -> Ruleset Test, we receive messages from the API which are not shown.

Steps to reproduce

  1. Navigate to '...'
  2. Click on '....'
  3. Scroll down to '....'

Expected Result

  1. Feedback to the user showing the messages received from the API.

Actual Result

image

@gdiazlo gdiazlo added the type/bug Bug issue label Apr 27, 2022
@rauldpm
Member

rauldpm commented Apr 27, 2022

Hello team, testing this issue I have found some inconsistencies with the wazuh-logtest binary, which shows less information than using the app; also, the mail field is shown with 3 different values.

wazuh-logtest binary output (debug mode)
[root@ip-172-31-13-95 ec2-user]# /var/ossec/bin/wazuh-logtest -d
2022-04-27 20:03:40,291 wazuh-logtest[INFO] Starting wazuh-logtest v4.3.0
2022-04-27 20:03:40,292 wazuh-logtest[INFO] Type one log per line

2022-04-27 09:41:26.604999-0700 localhost AirPlayXPCHelper: (CoreUtils) [AirPlay:APBonjourCache] Retry timer fired
2022-04-27 20:03:46,792 wazuh-logtest[INFO] 
2022-04-27 20:03:46,792 wazuh-logtest[DEBUG] Request: {"version": 1, "origin": {"name": "wazuh-logtest", "module": "wazuh-logtest"}, "command": "log_processing", "parameters": {"location": "stdin", "log_format": "syslog", "event": "2022-04-27 09:41:26.604999-0700 localhost AirPlayXPCHelper: (CoreUtils) [AirPlay:APBonjourCache] Retry timer fired"}}

2022-04-27 20:03:47,541 wazuh-logtest[DEBUG] Reply: {"error":0,"data":{"messages":["INFO: (7202): Session initialized with token 'efe2c330'"],"token":"efe2c330","output":{"timestamp":"2022-04-27T20:03:47.540+0000","rule":{"level":3,"description":"parent macos air","id":"100004","firedtimes":1,"mail":false,"groups":["macos_air"]},"agent":{"id":"000","name":"ip-172-31-13-95.us-east-2.compute.internal"},"manager":{"name":"ip-172-31-13-95.us-east-2.compute.internal"},"id":"1651089827.963962","full_log":"2022-04-27 09:41:26.604999-0700 localhost AirPlayXPCHelper: (CoreUtils) [AirPlay:APBonjourCache] Retry timer fired","predecoder":{"program_name":"AirPlayXPCHelper","timestamp":"2022-04-27 09:41:26.604999-0700"},"decoder":{},"location":"stdin"},"alert":true,"codemsg":0}}

2022-04-27 20:03:47,541 wazuh-logtest[DEBUG] {
  "messages": [
    "INFO: (7202): Session initialized with token 'efe2c330'"
  ],
  "token": "efe2c330",
  "output": {
    "timestamp": "2022-04-27T20:03:47.540+0000",
    "rule": {
      "level": 3,
      "description": "parent macos air",
      "id": "100004",
      "firedtimes": 1,
      "mail": false,
      "groups": [
        "macos_air"
      ]
    },
    "agent": {
      "id": "000",
      "name": "ip-172-31-13-95.us-east-2.compute.internal"
    },
    "manager": {
      "name": "ip-172-31-13-95.us-east-2.compute.internal"
    },
    "id": "1651089827.963962",
    "full_log": "2022-04-27 09:41:26.604999-0700 localhost AirPlayXPCHelper: (CoreUtils) [AirPlay:APBonjourCache] Retry timer fired",
    "predecoder": {
      "program_name": "AirPlayXPCHelper",
      "timestamp": "2022-04-27 09:41:26.604999-0700"
    },
    "decoder": {},
    "location": "stdin"
  },
  "alert": true,
  "codemsg": 0
}
2022-04-27 20:03:47,541 wazuh-logtest[INFO] **Phase 1: Completed pre-decoding.
2022-04-27 20:03:47,541 wazuh-logtest[INFO] 	full event: '2022-04-27 09:41:26.604999-0700 localhost AirPlayXPCHelper: (CoreUtils) [AirPlay:APBonjourCache] Retry timer fired'
2022-04-27 20:03:47,541 wazuh-logtest[INFO] 	timestamp: '2022-04-27 09:41:26.604999-0700'
2022-04-27 20:03:47,541 wazuh-logtest[INFO] 	program_name: 'AirPlayXPCHelper'
2022-04-27 20:03:47,541 wazuh-logtest[INFO] 
2022-04-27 20:03:47,542 wazuh-logtest[INFO] **Phase 2: Completed decoding.
2022-04-27 20:03:47,542 wazuh-logtest[INFO] 	No decoder matched.
2022-04-27 20:03:47,542 wazuh-logtest[INFO] 
2022-04-27 20:03:47,542 wazuh-logtest[INFO] **Phase 3: Completed filtering (rules).
2022-04-27 20:03:47,542 wazuh-logtest[INFO] 	id: '100004'
2022-04-27 20:03:47,542 wazuh-logtest[INFO] 	level: '3'
2022-04-27 20:03:47,542 wazuh-logtest[INFO] 	description: 'parent macos air'
2022-04-27 20:03:47,542 wazuh-logtest[INFO] 	groups: '['macos_air']'
2022-04-27 20:03:47,542 wazuh-logtest[INFO] 	firedtimes: '1'
2022-04-27 20:03:47,542 wazuh-logtest[INFO] 	mail: 'False'
2022-04-27 20:03:47,542 wazuh-logtest[INFO] **Alert to be generated.
WUI logtest output

image

**Phase 1: Completed pre-decoding. 
    full event:  2022-04-27 09:41:26.604999-0700 localhost AirPlayXPCHelper: (CoreUtils) [AirPlay:APBonjourCache] Retry timer fired  
    timestamp: 2022-04-27 09:41:26.604999-0700 
    hostname: - 
    program_name: AirPlayXPCHelper 

**Phase 2: Completed decoding. 
    name: - 
    data: "-" 

**Phase 3: Completed filtering (rules). 
    id: 100004 
    level: 3 
    description: parent macos air 
    groups: ["macos_air"] 
    firedtimes: 1 
    gdpr: "-" 
    gpg13: "-" 
    hipaa: "-" 
    mail: "-" 
    mitre.id: "-" 
    mitre.technique: "-" 
    nist_800_53: "-" 
    pci_dss: "-" 
    tsc: "-" 
**Alert to be generated. 
Rules, decoder and localfile used
  • In macos catalina:
<localfile>
  <location>macos</location>
  <log_format>macos</log_format>
  <query type="trace,log,activity" level="info">process == "AirPlayXPCHelper" AND  message CONTAINS "Re$
</localfile>
  • In manager
<group name="macos_air">
  <rule id="100004" level="3">
   <program_name>AirPlayXPCHelper</program_name>
   <match>Retry timer fired</match>
   <description>parent macos air</description>
  </rule>
</group>
<decoder name="macos_air">
  <prematch>^(\d+-\d+-\d+ \d+:\d+:\d+-\d+) (\S+) AirPlayXPCHelper:</prematch>
</decoder>

<decoder name="macos_air_child">
  <parent>macos_air</parent>
  <regex>(\S+) (\S+):</regex>
  <order>hostname, program_name</order>
</decoder>
2022-04-27 09:41:26.604999-0700 localhost AirPlayXPCHelper: (CoreUtils) [AirPlay:APBonjourCache] Retry timer fired  
  • It can be seen that the mail field has three different values:

    • WUI: mail: "-"
    • binary: mail: 'False'
    • binary (api response): "mail": false,
  • Inspecting the browser, I get this request

{"error":0,"data":{"messages":["WARNING: (7003): '3ee262ad' token expires","INFO: (7202): Session initialized with token '7ed33174'"],"token":"7ed33174","output":{"timestamp":"2022-04-27T20:48:56.129000Z","rule":{"level":3,"description":"parent macos air","id":"100004","firedtimes":1,"mail":false,"groups":["macos_air"]},"agent":{"id":"000","name":"ip-172-31-13-95.us-east-2.compute.internal"},"manager":{"name":"ip-172-31-13-95.us-east-2.compute.internal"},"id":"1651092536.1177833","full_log":"2022-04-27 09:41:26.604999-0700 localhost AirPlayXPCHelper: (CoreUtils) [AirPlay:APBonjourCache] Retry timer fired","predecoder":{"program_name":"AirPlayXPCHelper","timestamp":"2022-04-27 09:41:26.604999-0700"},"decoder":{},"location":"logtest"},"alert":true,"codemsg":1}}

Regards, Raúl

@Desvelao
Member

I have found some inconsistencies with the wazuh-logtest binary, which shows less information than using the app

The Wazuh API response doesn't return the same result text as the wazuh-logtest utility does. Instead, the decoded fields are returned. The Wazuh plugin for Kibana builds a similar message to the output of wazuh-logtest with a predefined set of fields to display, but it is not the same.

the mail field is shown with 3 different values

The values displayed in the UI as - are because they have a falsy value. For the case of rule.mail: false, false is interpreted as a falsy value. The mechanism to decide when to display - is not correct and causes this bug. Currently, the fields displayed in the decoding are fixed, independently of whether they exist or not. We should change the logic to display - when the field is not defined.
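The two defects discussed in this thread, reproduced against a constructed copy of the API reply captured above (added example; this is not the Wazuh plugin's own code, and renderBuggy, renderFixed and apiMessages are hypothetical helpers):

```javascript
// Constructed sample, trimmed from the Ruleset Test reply quoted in the thread.
const sampleReply = {
  error: 0,
  data: {
    messages: [
      "WARNING: (7003): '3ee262ad' token expires",
      "INFO: (7202): Session initialized with token '7ed33174'",
    ],
    token: '7ed33174',
    output: {
      rule: { level: 3, description: 'parent macos air', id: '100004',
              firedtimes: 1, mail: false, groups: ['macos_air'] },
      decoder: {},
    },
    alert: true,
    codemsg: 1,
  },
};

// Walk a dotted path such as "rule.mail"; undefined if any segment is missing.
function getPath(obj, path) {
  return path.split('.').reduce((o, k) => (o == null ? undefined : o[k]), obj);
}

// Buggy rendering: `value || '-'` treats false, 0 and '' as "not present",
// which is why rule.mail === false showed up as "-" in the WUI.
function renderBuggy(output, path) {
  const v = getPath(output, path);
  return v || '-';
}

// Fixed rendering: only a field that is actually undefined becomes '-'.
function renderFixed(output, path) {
  const v = getPath(output, path);
  if (v === undefined) return '-';
  return typeof v === 'string' ? v : JSON.stringify(v);
}

// The API's "messages" array is what the Ruleset Test view dropped; surface
// it ahead of the phase output, keeping the severity prefix (WARNING/INFO).
function apiMessages(reply) {
  const msgs = (reply.data && reply.data.messages) || [];
  return msgs.map((m) => ({ level: m.split(':')[0], text: m }));
}
```

With the fixed renderer, rule.mail prints as "false" while a field absent from the reply (rule.gdpr, decoder.name) still prints as "-".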

@Desvelao
Member

Related to: #4111 (comment)

We fixed and enhanced the output of the Ruleset Test on this PR #4141 and its issue #4138.

@AlexRuiz7 AlexRuiz7 moved this to Todo in Release 4.3.4 May 18, 2022
@gdiazlo gdiazlo removed their assignment May 19, 2022
@gdiazlo gdiazlo removed this from Release 4.3.4 Jun 1, 2022
@gdiazlo gdiazlo moved this to Triage in Release 4.3.5 Jun 1, 2022
@snaow snaow moved this from Triage to Todo in Release 4.3.5 Jun 9, 2022
@yenienserrano yenienserrano self-assigned this Jun 10, 2022
@yenienserrano yenienserrano moved this from Todo to In progress in Release 4.3.5 Jun 10, 2022
@yenienserrano
Member

yenienserrano commented Jun 10, 2022

I share 2 proposals for displaying messages, one of them is to show it in a toast and the other would be at the beginning of the answer.

On a toast would look like this:

image (4)

The other option would look like this:
image

@yenienserrano yenienserrano linked a pull request Jun 13, 2022 that will close this issue
@yenienserrano yenienserrano moved this from In progress to In review in Release 4.3.5 Jun 13, 2022
@yenienserrano
Member

Solve:

Repository owner moved this from In review to Done in Release 4.3.5 Jun 14, 2022
Repository owner moved this from Known issues to Done in Release 4.3.0 Jun 14, 2022