Improve rules for Docker listener #293

Merged (8 commits, Feb 26, 2019)
Conversation

@vikman90 (Member) commented Feb 22, 2019

Issues detected

  1. docker exec incorrectly triggered rules 87901 (container created) and 87903 (container started).
  2. Alerts from Docker listener included the full_log even though the input is fully decoded (JSON).

Point (2) rationale:

docker exec produces a log like this:

{
  "docker": {
    "status": "exec_start: bash ",
    (...)
    "id": "7697fa3fec2a0221e448886e5c574c082309fbe0cac8b358d11c3830164c5e37"
  },
  "integration": "docker"
}

Rule 87901 contains this filter:

<field name="docker.status">start</field>

This makes docker exec trigger rule 87903.

Changes proposed

  1. Disable the full_log in the Docker listener rules.
  2. Fix <field> filters in those rules to match the exact string (instead of a substring).
  3. Add a specific rule (87907) for command execution in containers (docker exec).

Sample alert

{
  "timestamp": "2019-02-21T18:01:44.193-0800",
  "rule": {
    "level": 3,
    "description": "Command run in container reverent_ishizaka",
    "id": "87907",
    "firedtimes": 2,
    "mail": false,
    "groups": [
      "docker"
    ]
  },
  "agent": {
    "id": "001",
    "name": "DemoAgent",
    "ip": "192.168.33.1"
  },
  "manager": {
    "name": "stretch64"
  },
  "id": "1550800904.201466",
  "decoder": {
    "name": "json"
  },
  "data": {
    "docker": {
      "status": "exec_start: echo Hello World",
      "timeNano": "1550800904187913984.000000",
      "from": "ubuntu",
      "Actor": {
        "Attributes": {
          "execID": "4270b190f78fcad1849ce23300b1be4e1907111747457ee470e878214aeec38c",
          "image": "ubuntu",
          "name": "reverent_ishizaka"
        },
        "ID": "4b478281f9c8a9d504a1835b409e4c35f8dd95cff1d21da0dd440effd9d85fe3"
      },
      "time": "1550800904",
      "Action": "exec_start: echo Hello World",
      "scope": "local",
      "Type": "container",
      "id": "4b478281f9c8a9d504a1835b409e4c35f8dd95cff1d21da0dd440effd9d85fe3"
    },
    "integration": "docker"
  },
  "location": "Wazuh-Docker"
}

@vikman90 (Member, Author) commented:

Waiting for further changes by @cristgl.

@cristgl (Contributor) commented Feb 22, 2019

At the time, every Docker event generated matches a rule and its specific alert is triggered. This seems like a problem, as each command can generate more than one event.

I have written a comment at the issue #294 where I relate the Docker command with the rule matched, the event and the alert triggered. There, it can be seen that almost every command generates more than one event, this means that, for example, for the event docker stop, events for status kill, die, stop and destroy are shown, which means 4 alerts.


<rule id="87908" level="3">
<if_sid>87907</if_sid>
<field name="docker.status">^exec_start: bash</field>
@vikman90 (Member, Author) commented on the lines above, Feb 25, 2019:

This condition only catches:

  • bash
  • /bin/bash
  • sh
  • /bin/sh
  • dash
  • /bin/dash

rules/0560-docker_integration_rules.xml

@cristgl mentioned this pull request Feb 25, 2019
@chemamartinez (Contributor) commented:

Why don't we add a rule for the pull action? Here we can see the event generated by the integration:

{
  "integration": "docker",
  "docker": {
    "status": "pull",
    "id": "centos:latest",
    "Type": "image",
    "Action": "pull",
    "Actor": {
      "ID": "centos:latest",
      "Attributes": {
        "name": "centos",
        "org.label-schema.build-date": "20181205",
        "org.label-schema.license": "GPLv2",
        "org.label-schema.name": "CentOS Base Image",
        "org.label-schema.schema-version": "1.0",
        "org.label-schema.vendor": "CentOS"
      }
    },
    "scope": "local",
    "time": 1551182693,
    "timeNano": 1551182693249997000
  }
}
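The matching behaviour discussed in this thread, modelled as an added example: substring versus exact match on docker.status (the cause of docker exec firing 87901/87903), the exec rule with its shell-detecting child, and a rule for the pull event proposed above. This is not Wazuh's code: the rule list, the match_rules engine, rule id 87909 for the pull event, the SHELL_PATTERN regex and the sample statuses are constructed here, and Wazuh evaluates `<field>` filters with its own OS_Regex dialect rather than Python's re module, so only the logic is modelled, not the exact syntax of the shipped rules.

```python
"""Added example, not Wazuh's own code: a small model of how the Docker
listener rules in this PR match the decoded docker.status field.

Rules, engine, sample statuses and rule id 87909 are constructed here.
Wazuh applies <field> filters with its own OS_Regex dialect, not Python's
re module; only the substring-vs-anchored logic is modelled.
"""
import re

# Catches a bare shell, with or without /bin/, followed only by whitespace,
# so "bashful" or "bash -c id" do not count (a design choice made here).
SHELL_PATTERN = r"^exec_start: (?:/bin/)?(?:bash|sh|dash)\s*$"

# Rules as (rule_id, parent_id, pattern, description). parent_id models
# <if_sid>: the rule is checked only if its parent already fired for the
# event. Patterns run against docker.status with re.search, so an
# unanchored pattern is a substring match and ^...$ an exact match.
BUGGY_RULES = [  # pre-PR behaviour: substring filters
    (87901, None, "create", "Container created"),  # also hits "exec_create: ..."
    (87903, None, "start", "Container started"),   # also hits "exec_start: ..."
]

FIXED_RULES = [  # post-PR behaviour: exact filters plus the exec rules
    (87901, None, r"^create$", "Container created"),
    (87903, None, r"^start$", "Container started"),
    (87907, None, r"^exec_start: ", "Command run in container"),
    (87908, 87907, SHELL_PATTERN, "Interactive shell run in container"),
    (87909, None, r"^pull$", "Image pulled"),  # hypothetical id for the pull rule
]


def match_rules(event, rules):
    """Return the ids, in order, of the rules that fire for one decoded event."""
    status = event.get("docker", {}).get("status", "")
    fired = []
    for rule_id, parent, pattern, _description in rules:
        if parent is not None and parent not in fired:
            continue  # <if_sid> parent did not fire for this event
        if re.search(pattern, status):
            fired.append(rule_id)
    return fired


def docker_event(status, type_="container"):
    """Build a constructed event shaped like the Docker listener samples in the PR."""
    return {"integration": "docker", "docker": {"status": status, "Type": type_}}


# Constructed statuses, copied from or shaped like the events quoted in the PR.
SAMPLE_STATUSES = [
    "create",
    "start",
    "exec_create: bash ",
    "exec_start: bash ",
    "exec_start: echo Hello World",
    "exec_start: /bin/sh",
    "exec_start: bashful",
    "pull",
]


def compare(statuses=SAMPLE_STATUSES):
    """Map each status to (rules fired before the PR, rules fired after it)."""
    return {
        s: (match_rules(docker_event(s), BUGGY_RULES),
            match_rules(docker_event(s), FIXED_RULES))
        for s in statuses
    }


# The six shell spellings listed in the review comment on rule 87908.
SHELLS = ["bash", "/bin/bash", "sh", "/bin/sh", "dash", "/bin/dash"]


def shells_caught(pattern):
    """Which of SHELLS a docker.status pattern matches as an exec_start status."""
    return [s for s in SHELLS if re.search(pattern, f"exec_start: {s}")]


if __name__ == "__main__":
    for status, (before, after) in compare().items():
        print(f"{status!r:32} before={before} after={after}")
    print("^exec_start: bash catches:", shells_caught(r"^exec_start: bash"))
    print("SHELL_PATTERN catches:    ", shells_caught(SHELL_PATTERN))
```

Running it prints each constructed status beside the rules that fire before and after the fix: "exec_start: bash " and "exec_create: bash " trip 87903 and 87901 under the substring filters and only the exec rules under the anchored ones, while the parent/child pair 87907/87908 separates an arbitrary command from an interactive shell. The two shells_caught calls contrast the filter line as displayed in the review, `^exec_start: bash`, which as written matches only the bare "bash" spelling, with a pattern that covers all six spellings listed there. Change 1 of the PR (dropping full_log) is a per-rule `<options>no_full_log</options>` setting in the rule XML and is not modelled here.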

@chemamartinez merged commit 9267416 into 3.9 on Feb 26, 2019 and deleted the 3.9-docker-improvements branch (February 26, 2019 13:58).