
Fix alert email sending when no_full_log option is set in a rule#3174

Merged: chemamartinez merged 20 commits into 3.10 from fix-email-log-option on Aug 28, 2019

Conversation

@DaveVG1
Contributor

@DaveVG1 DaveVG1 commented Apr 25, 2019

This fixes #3163 and #3762

Fix

  • The email alerts that were triggered by rules that have the no_full_log option weren't working.

Testing

Rule configuration

This rule has been included in /var/ossec/etc/rules/local_rules.xml:

<group name="SSHLoginFailed">
  <rule id="100150" level="14">
    <decoded_as>json</decoded_as>
    <field name="eventid">\.*login.failed</field>
    <description> Username $(username) : attempted to login</description>
    <options>no_full_log</options>
  </rule>
</group>

To trigger the alert that matches this rule, the following log has been concatenated to /var/log/syslog (Ubuntu):

{"eventid":"cowrie.login.failed","username":"twalton","timestamp":"2019-04-17T16:24:33.510587Z","message":"login attempt [twalton/test] failed","system":"SSHService 'ssh-userauth'","src_ip":"10.160.60.27","session":"f05271d202b6","password":"test","sensor":"1ca11427d473"}

Valgrind report

==27856== HEAP SUMMARY:
==27856==     in use at exit: 68,585 bytes in 49 blocks
==27856==   total heap usage: 9,581 allocs, 9,532 frees, 3,596,032 bytes allocated
==27856==
==27856== 75 (24 direct, 51 indirect) bytes in 1 blocks are definitely lost in loss record 23 of 30
==27856==    at 0x4C2FD5F: realloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==27856==    by 0x41E1F7: Read_Global (global-config.c:426)
==27856==    by 0x40E12B: read_main_elements (config.c:71)
==27856==    by 0x40F0BF: ReadConfig (config.c:245)
==27856==    by 0x40BAFD: MailConf (config.c:54)
==27856==    by 0x40C68F: main (maild.c:123)
==27856==
==27856== 159 (16 direct, 143 indirect) bytes in 1 blocks are definitely lost in loss record 25 of 30
==27856==    at 0x4C2DB8F: malloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==27856==    by 0x4C2FDEF: realloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==27856==    by 0x41E3B7: Read_Global (global-config.c:446)
==27856==    by 0x40E12B: read_main_elements (config.c:71)
==27856==    by 0x40F0BF: ReadConfig (config.c:245)
==27856==    by 0x40BAFD: MailConf (config.c:54)
==27856==    by 0x40C68F: main (maild.c:123)
==27856==
==27856== 393 (144 direct, 249 indirect) bytes in 1 blocks are definitely lost in loss record 27 of 30
==27856==    at 0x4C2FD5F: realloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==27856==    by 0x41C9E9: Read_GlobalSK (global-config.c:105)
==27856==    by 0x40E4DA: read_main_elements (config.c:102)
==27856==    by 0x40F0BF: ReadConfig (config.c:245)
==27856==    by 0x40BAFD: MailConf (config.c:54)
==27856==    by 0x40C68F: main (maild.c:123)
==27856==
==27856== LEAK SUMMARY:
==27856==    definitely lost: 184 bytes in 3 blocks
==27856==    indirectly lost: 443 bytes in 27 blocks
==27856==      possibly lost: 0 bytes in 0 blocks
==27856==    still reachable: 67,958 bytes in 19 blocks
==27856==         suppressed: 0 bytes in 0 blocks
==27856== Reachable blocks (those to which a pointer was found) are not shown.

Result

An alert mail that's been triggered by a rule that has the no_full_log option now looks like this:

Wazuh Notification.
2019-04-25T10:23:15.118+0000

Received From: vm-ubuntu4->/var/log/syslog
Rule: 100150 fired (level 14) -> " Username twalton : attempted to login"
Portion of the log(s):




 --END OF NOTIFICATION

@DaveVG1
Contributor Author

DaveVG1 commented Aug 12, 2019

  • I tested this PR with the granular configuration and it works fine (also ran it with valgrind):
<email_alerts>
    <email_to>mail@wazuh.com</email_to>
    <level>6</level>
</email_alerts>

@DaveVG1
Contributor Author

DaveVG1 commented Aug 13, 2019

I've also compiled the Wazuh server with scan-build resulting in no errors on the code changed for this fix:

[image: scan]

@snaow snaow self-requested a review August 13, 2019 16:35
@DaveVG1 DaveVG1 changed the base branch from 3.9 to 3.10 August 14, 2019 10:00
@DaveVG1
Contributor Author

DaveVG1 commented Aug 14, 2019

I added the inclusion of the full JSON alert when full_log is not present (fa74f5e). SCA email alert example:

Wazuh Notification.
2019-08-14T09:10:10.708+0000

Received From: (vm-ubuntu3) 10.0.2.15->sca
Rule: 19007 fired (level 7) -> "CIS benchmark for Debian/Linux: Ensure IPv4 forwarding is disabled"
Portion of the log(s):

{
        "timestamp":    "2019-08-14T09:10:10.708+0000",
        "rule": {
                "level":        7,
                "description":  "CIS benchmark for Debian/Linux: Ensure IPv4 forwarding is disabled",
                "id":   "19007",
                "firedtimes":   14,
                "mail": true,
                "groups":       ["sca"],
                "gdpr": ["IV_35.7.d"],
                "cis_csc":      ["5.1"],
                "cis":  ["3.1.1"]
        },
        "agent":        {
                "id":   "002",
                "name": "vm-ubuntu3",
                "ip":   "10.0.2.15"
        },
        "manager":      {
                "name": "vm-manager-ubuntu"
        },
        "id":   "1565773810.328489",
        "decoder":      {
                "name": "sca"
        },
        "data": {
                "sca":  {
                        "type": "check",
                        "scan_id":      "1768545613",
                        "policy":       "CIS benchmark for Debian/Linux",
                        "check":        {
                                "id":   "5031",
                                "title":        "Ensure IPv4 forwarding is disabled",
                                "description":  "The net.ipv4.ip_forward flag are used to tell the system whether it can forward packets or not.",
                                "rationale":    "Setting the flags to 0 ensures that a system with multiple interfaces (for example, a hard proxy), will never be able to forward packets, and therefore, never serve as a router.",
                                "remediation":  "Set the following parameter in /etc/sysctl.conf or a /etc/sysctl.d/* file: net.ipv4.ip_forward = 0",
                                "compliance":   {
                                        "cis_csc":      "5.1",
                                        "cis":  "3.1.1"
                                },
                                "file": ["/proc/sys/net/ipv4/ip_forward"],
                                "result":       "failed"
                        }
                }
        },
        "location":     "sca"
}


 --END OF NOTIFICATION

@Lopuiz
Contributor

Lopuiz commented Aug 22, 2019

Hi team!

I added a new commit to modify the email alert format. Both full_log and no_full_log alerts are printed with the same format.

Some email examples are:

Wazuh Notification.
2019-08-22T13:44:53.322+0200

Received From: lopezziur->ossec-monitord
Rule: 502 fired (level 3) -> "Ossec server started."
Alert(s):

                Timestamp: "2019-08-22T13:44:53.322+0200"
                Rule
                        Level: 3
                        Description: "Ossec server started."
                        Id: "502"
                        Firedtimes: 1
                        Mail: true
                        Groups: ["ossec"]
                        Pci_dss: ["10.6.1"]
                        Gpg13: ["10.1"]
                        Gdpr: ["IV_35.7.d"]
                        Hipaa: ["164.312.b"]
                        Nist_800_53: ["AU.6"]
                Agent
                        Id: "000"
                        Name: "lopezziur"
                Manager
                        Name: "lopezziur"
                Id: "1566474293.538759"
                Full_log: "ossec: Ossec started."
                Decoder
                        Name: "ossec"
                Location: "ossec-monitord"



 --END OF NOTIFICATION

And netstat listening ports rule:

Wazuh Notification.
2019-08-22T13:44:46.353+0200

Received From: lopezziur->netstat listening ports
Rule: 533 fired (level 7) -> "Listened ports status (netstat) changed (new port opened or closed)."
Alert(s):

                Timestamp: "2019-08-22T13:44:46.353+0200"
                Rule
                        Level: 7
                        Description: "Listened ports status (netstat) changed (new port opened or closed)."
                        Id: "533"
                        Firedtimes: 1
                        Mail: true
                        Groups: ["ossec"]
                        Pci_dss: ["10.2.7","10.6.1"]
                        Gpg13: ["10.1"]
                        Gdpr: ["IV_35.7.d"]
                        Hipaa: ["164.312.b"]
                        Nist_800_53: ["AU.3.1","IA.10","AU.6"]
                Agent
                        Id: "000"
                        Name: "lopezziur"
                Manager
                        Name: "lopezziur"
                Id: "1566474286.534214"
                Previous_output: "Previous output:\nossec: output: 'netstat listening ports':\ntcp6       0      0 :::2049                 :::*                    ESCUCHAR    -                   \ntcp6       0      0 :::44223                :::*                    ESCUCHAR    -                   \nudp6       0      0 :::2049                 :::*                                -                   \nudp6       0      0 :::46945                :::*                                -                   \ntcp        0      0 0.0.0.0:2049            0.0.0.0:*               ESCUCHAR    -                   \ntcp        0      0 0.0.0.0:42899           0.0.0.0:*               ESCUCHAR    -                   \nudp        0      0 0.0.0.0:2049            0.0.0.0:*                           -                   \nudp        0      0 0.0.0.0:35324           0.0.0.0:*                           -                   \ntcp 0.0.0.0:25 0.0.0.0:* 2919/master\ntcp6 :::25 :::* 2919/master\ntcp 127.0.0.53:53 0.0.0.0:* 991/systemd-resolve\nudp 127.0.0.53:53 0.0.0.0:* 991/systemd-resolve\nudp 0.0.0.0:68 0.0.0.0:* 2049/dhclient\ntcp 0.0.0.0:111 0.0.0.0:* 1/init\ntcp6 :::111 :::* 1/init\nudp 0.0.0.0:111 0.0.0.0:* 1/init\nudp6 :::111 :::* 1/init\ntcp 127.0.0.1:631 0.0.0.0:* 1087/cupsd\ntcp6 ::1:631 :::* 1087/cupsd\nudp 0.0.0.0:631 0.0.0.0:* 1207/cups-browsed\nudp 0.0.0.0:1514 0.0.0.0:* 22384/ossec-remoted\ntcp 0.0.0.0:1515 0.0.0.0:* 22309/ossec-authd\nudp 0.0.0.0:5353 0.0.0.0:* 1084/avahi-daemon\nudp6 :::5353 :::* 1084/avahi-daemon\nudp 0.0.0.0:35084 0.0.0.0:* 19506/VirtualBoxVM\nudp 0.0.0.0:37492 0.0.0.0:* 1248/rpc\ntcp 0.0.0.0:37719 0.0.0.0:* 1248/rpc\nudp6 :::38530 :::* 1084/avahi-daemon\nudp 0.0.0.0:40237 0.0.0.0:* 1248/rpc\ntcp 0.0.0.0:40673 0.0.0.0:* 1248/rpc\nudp 0.0.0.0:40832 0.0.0.0:* 19506/VirtualBoxVM\ntcp6 :::40881 :::* 1248/rpc\ntcp6 :::41813 :::* 1248/rpc\ntcp6 :::44851 :::* 1248/rpc\nudp6 :::48932 :::* 1248/rpc\nudp6 :::51139 :::* 1248/rpc\nudp 0.0.0.0:52995 0.0.0.0:* 19506/VirtualBoxVM\ntcp 0.0.0.0:53015 0.0.0.0:* 1248/rpc\nudp 0.0.0.0:54471 0.0.0.0:* 1248/rpc\ntcp 127.0.0.1:55900 0.0.0.0:* 15279/code\nudp 0.0.0.0:55940 0.0.0.0:* 1084/avahi-daemon\nudp6 :::56990 :::* 1248/rpc"
                Full_log: "ossec: output: 'netstat listening ports':\ntcp6       0      0 :::2049                 :::*                    ESCUCHAR    -                   \ntcp6       0      0 :::44223                :::*                    ESCUCHAR    -                   \nudp6       0      0 :::2049                 :::*                                -                   \nudp6       0      0 :::46945                :::*                                -                   \ntcp        0      0 0.0.0.0:2049            0.0.0.0:*               ESCUCHAR    -                   \ntcp        0      0 0.0.0.0:42899           0.0.0.0:*               ESCUCHAR    -                   \nudp        0      0 0.0.0.0:2049            0.0.0.0:*                           -                   \nudp        0      0 0.0.0.0:35324           0.0.0.0:*                           -                   \ntcp 0.0.0.0:25 0.0.0.0:* 2919/master\ntcp6 :::25 :::* 2919/master\ntcp 127.0.0.53:53 0.0.0.0:* 991/systemd-resolve\nudp 127.0.0.53:53 0.0.0.0:* 991/systemd-resolve\nudp 0.0.0.0:68 0.0.0.0:* 2049/dhclient\ntcp 0.0.0.0:111 0.0.0.0:* 1/init\ntcp6 :::111 :::* 1/init\nudp 0.0.0.0:111 0.0.0.0:* 1/init\nudp6 :::111 :::* 1/init\ntcp 127.0.0.1:631 0.0.0.0:* 1087/cupsd\ntcp6 ::1:631 :::* 1087/cupsd\nudp 0.0.0.0:631 0.0.0.0:* 1207/cups-browsed\nudp 0.0.0.0:1514 0.0.0.0:* 30212/ossec-remoted\ntcp 0.0.0.0:1515 0.0.0.0:* 30157/ossec-authd\nudp 0.0.0.0:5353 0.0.0.0:* 1084/avahi-daemon\nudp6 :::5353 :::* 1084/avahi-daemon\nudp 0.0.0.0:35084 0.0.0.0:* 19506/VirtualBoxVM\nudp 0.0.0.0:37492 0.0.0.0:* 1248/rpc\ntcp 0.0.0.0:37719 0.0.0.0:* 1248/rpc\nudp6 :::38530 :::* 1084/avahi-daemon\nudp 0.0.0.0:40237 0.0.0.0:* 1248/rpc\ntcp 0.0.0.0:40673 0.0.0.0:* 1248/rpc\nudp 0.0.0.0:40832 0.0.0.0:* 19506/VirtualBoxVM\ntcp6 :::40881 :::* 1248/rpc\ntcp6 :::41813 :::* 1248/rpc\ntcp6 :::44851 :::* 1248/rpc\nudp6 :::48932 :::* 1248/rpc\nudp6 :::51139 :::* 1248/rpc\nudp 0.0.0.0:52995 0.0.0.0:* 19506/VirtualBoxVM\ntcp 0.0.0.0:53015 0.0.0.0:* 1248/rpc\nudp 0.0.0.0:54471 0.0.0.0:* 1248/rpc\ntcp 127.0.0.1:55900 0.0.0.0:* 15279/code\nudp 0.0.0.0:55940 0.0.0.0:* 1084/avahi-daemon\nudp6 :::56990 :::* 1248/rpc"
                Decoder
                        Name: "ossec"
                Previous_log: "ossec: output: 'netstat listening ports':\ntcp6       0      0 :::2049                 :::*                    ESCUCHAR    -                   \ntcp6       0      0 :::44223                :::*                    ESCUCHAR    -                   \nudp6       0      0 :::2049                 :::*                                -                   \nudp6       0      0 :::46945                :::*                                -                   \ntcp        0      0 0.0.0.0:2049            0.0.0.0:*               ESCUCHAR    -                   \ntcp        0      0 0.0.0.0:42899           0.0.0.0:*               ESCUCHAR    -                   \nudp        0      0 0.0.0.0:2049            0.0.0.0:*                           -                   \nudp        0      0 0.0.0.0:35324           0.0.0.0:*                           -                   \ntcp 0.0.0.0:25 0.0.0.0:* 2919/master\ntcp6 :::25 :::* 2919/master\ntcp 127.0.0.53:53 0.0.0.0:* 991/systemd-resolve\nudp 127.0.0.53:53 0.0.0.0:* 991/systemd-resolve\nudp 0.0.0.0:68 0.0.0.0:* 2049/dhclient\ntcp 0.0.0.0:111 0.0.0.0:* 1/init\ntcp6 :::111 :::* 1/init\nudp 0.0.0.0:111 0.0.0.0:* 1/init\nudp6 :::111 :::* 1/init\ntcp 127.0.0.1:631 0.0.0.0:* 1087/cupsd\ntcp6 ::1:631 :::* 1087/cupsd\nudp 0.0.0.0:631 0.0.0.0:* 1207/cups-browsed\nudp 0.0.0.0:1514 0.0.0.0:* 22384/ossec-remoted\ntcp 0.0.0.0:1515 0.0.0.0:* 22309/ossec-authd\nudp 0.0.0.0:5353 0.0.0.0:* 1084/avahi-daemon\nudp6 :::5353 :::* 1084/avahi-daemon\nudp 0.0.0.0:35084 0.0.0.0:* 19506/VirtualBoxVM\nudp 0.0.0.0:37492 0.0.0.0:* 1248/rpc\ntcp 0.0.0.0:37719 0.0.0.0:* 1248/rpc\nudp6 :::38530 :::* 1084/avahi-daemon\nudp 0.0.0.0:40237 0.0.0.0:* 1248/rpc\ntcp 0.0.0.0:40673 0.0.0.0:* 1248/rpc\nudp 0.0.0.0:40832 0.0.0.0:* 19506/VirtualBoxVM\ntcp6 :::40881 :::* 1248/rpc\ntcp6 :::41813 :::* 1248/rpc\ntcp6 :::44851 :::* 1248/rpc\nudp6 :::48932 :::* 1248/rpc\nudp6 :::51139 :::* 1248/rpc\nudp 0.0.0.0:52995 0.0.0.0:* 19506/VirtualBoxVM\ntcp 0.0.0.0:53015 0.0.0.0:* 1248/rpc\nudp 0.0.0.0:54471 0.0.0.0:* 1248/rpc\ntcp 127.0.0.1:55900 0.0.0.0:* 15279/code\nudp 0.0.0.0:55940 0.0.0.0:* 1084/avahi-daemon\nudp6 :::56990 :::* 1248/rpc"
                Location: "netstat listening ports"



 --END OF NOTIFICATION

Regards,
Eva
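An added example (not code from this PR or from Wazuh itself): a small Python formatter that reproduces the indented "Alert(s):" layout shown in the e-mails above from an alert JSON object, so that an alert renders the same way whether or not it carries a full_log field. The sample alert is constructed from the "Ossec server started." notification quoted in this comment; the function names and the exact indentation widths are my assumptions read off the samples.

```python
"""Render a Wazuh alert JSON document in the indented e-mail layout shown in this thread."""
import json

BASE_INDENT = 16   # first level of the alert body starts at column 16 (assumption from samples)
INDENT = 8         # each nesting level adds eight more spaces (assumption from samples)


def _label(key):
    # Keys are printed with only their first letter upper-cased:
    # "firedtimes" -> "Firedtimes", "pci_dss" -> "Pci_dss", "providerName" -> "ProviderName".
    return key[:1].upper() + key[1:]


def format_alert_body(alert, depth=0):
    """Return the body lines for one alert object, recursing into nested objects."""
    lines = []
    pad = " " * (BASE_INDENT + depth * INDENT)
    for key, value in alert.items():
        if isinstance(value, dict):
            # Nested object: bare label on its own line, children one level deeper.
            lines.append(pad + _label(key))
            lines.extend(format_alert_body(value, depth + 1))
        else:
            # Strings are quoted, numbers and booleans bare, arrays as compact JSON.
            # json.dumps also escapes embedded newlines as \n, as the Full_log samples show.
            rendered = json.dumps(value, separators=(",", ":"), ensure_ascii=False)
            lines.append(pad + _label(key) + ": " + rendered)
    return lines


def received_from(alert):
    """Build the 'Received From' line: 'name->location' for the manager (agent 000),
    '(name) ip->location' for a remote agent, as in the samples."""
    agent = alert["agent"]
    if agent.get("id") == "000" or "ip" not in agent:
        return agent["name"] + "->" + alert["location"]
    return "(" + agent["name"] + ") " + agent["ip"] + "->" + alert["location"]


def render_notification(alert):
    """Render the complete e-mail text for a single alert."""
    rule = alert["rule"]
    header = [
        "Wazuh Notification.",
        alert["timestamp"],
        "",
        "Received From: " + received_from(alert),
        'Rule: %s fired (level %d) -> "%s"' % (rule["id"], rule["level"], rule["description"]),
        "Alert(s):",
        "",
    ]
    footer = ["", "", "", " --END OF NOTIFICATION"]
    return "\n".join(header + format_alert_body(alert) + footer)


# Constructed sample, mirroring the "Ossec server started." notification above.
SAMPLE_ALERT = {
    "timestamp": "2019-08-22T13:44:53.322+0200",
    "rule": {
        "level": 3,
        "description": "Ossec server started.",
        "id": "502",
        "firedtimes": 1,
        "mail": True,
        "groups": ["ossec"],
        "pci_dss": ["10.6.1"],
    },
    "agent": {"id": "000", "name": "lopezziur"},
    "manager": {"name": "lopezziur"},
    "id": "1566474293.538759",
    "full_log": "ossec: Ossec started.",
    "decoder": {"name": "ossec"},
    "location": "ossec-monitord",
}


def sample_without_full_log():
    """The same alert as produced by a rule with the no_full_log option (no full_log key)."""
    return {k: v for k, v in SAMPLE_ALERT.items() if k != "full_log"}


if __name__ == "__main__":
    print(render_notification(SAMPLE_ALERT))
    print(render_notification(sample_without_full_log()))
```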

@Lopuiz
Contributor

Lopuiz commented Aug 22, 2019

Hi!

The Windows Eventchannel alerts will show as follows:

Wazuh Notification.
2019-08-22T13:47:05.881+0200

Received From: (WIN-6UJQ4IGFLK2) 10.0.2.15->EventChannel
Rule: 60642 fired (level 3) -> "Software Protection service scheduled successfully"
Alert(s):

                Timestamp: "2019-08-22T13:47:05.881+0200"
                Rule
                        Level: 3
                        Description: "Software Protection service scheduled successfully"
                        Id: "60642"
                        Firedtimes: 1
                        Mail: true
                        Groups: ["windows","windows_application"]
                Agent
                        Id: "001"
                        Name: "WIN-6UJQ4IGFLK2"
                        Ip: "10.0.2.15"
                Manager
                        Name: "lopezziur"
                Id: "1566474425.549355"
                Decoder
                        Name: "windows_eventchannel"
                Data
                        Win
                                System
                                        ProviderName: "Microsoft-Windows-Security-SPP"
                                        ProviderGuid: "{E23B33B0-C8C9-472C-A5F9-F2BDFEA0F156}"
                                        EventSourceName: "Software Protection Platform Service"
                                        EventID: "16384"
                                        Version: "0"
                                        Level: "4"
                                        Task: "0"
                                        Opcode: "0"
                                        Keywords: "0x80000000000000"
                                        SystemTime: "2019-08-22T11:47:05.806951700Z"
                                        EventRecordID: "250"
                                        ProcessID: "0"
                                        ThreadID: "0"
                                        Channel: "Application"
                                        Computer: "WIN-6UJQ4IGFLK2"
                                        SeverityValue: "INFORMATION"
                                        Message: "Successfully scheduled Software Protection service for re-start at 2020-01-02T11:42:05Z. Reason: RulesEngine."
                                Eventdata
                                        Data: "2020-01-02T11:42:05Z, RulesEngine"
                Location: "EventChannel"



 --END OF NOTIFICATION

And Sysmon rule with full_log:

Wazuh Notification.
2019-08-22T13:46:32.271+0200

Received From: (WIN-6UJQ4IGFLK2) 10.0.2.15->EventChannel
Rule: 61618 fired (level 12) -> "Sysmon - Suspicious Process - svchost.exe"
Alert(s):

                Timestamp: "2019-08-22T13:46:32.271+0200"
                Rule
                        Level: 12
                        Description: "Sysmon - Suspicious Process - svchost.exe"
                        Id: "61618"
                        Firedtimes: 1
                        Mail: true
                        Groups: ["windows","sysmon","sysmon_process-anomalies"]
                        Pci_dss: ["10.6.1","11.4"]
                        Gdpr: ["IV_35.7.d"]
                        Hipaa: ["164.312.b"]
                        Nist_800_53: ["AU.6","SC.7"]
                Agent
                        Id: "001"
                        Name: "WIN-6UJQ4IGFLK2"
                        Ip: "10.0.2.15"
                Manager
                        Name: "lopezziur"
                Id: "1566474392.546020"
                Full_log: "{\"win\":{\"system\":{\"providerName\":\"Microsoft-Windows-Sysmon\",\"providerGuid\":\"{5770385f-c22a-43e0-bf4c-06f5698ffbd9}\",\"eventID\":\"1\",\"version\":\"5\",\"level\":\"4\",\"task\":\"1\",\"opcode\":\"0\",\"keywords\":\"0x8000000000000000\",\"systemTime\":\"2019-08-22T11:46:31.193048300Z\",\"eventRecordID\":\"544\",\"processID\":\"1820\",\"threadID\":\"2604\",\"channel\":\"Microsoft-Windows-Sysmon/Operational\",\"computer\":\"WIN-6UJQ4IGFLK2\",\"severityValue\":\"INFORMATION\",\"message\":\"Process Create:\"},\"eventdata\":{\"utcTime\":\"2019-08-22 11:46:31.183\",\"processGuid\":\"{c9c7f4ca-8097-5d5e-0000-0010a4952f00}\",\"processId\":\"2884\",\"image\":\"C:\\\\Windows\\\\System32\\\\svchost.exe\",\"fileVersion\":\"10.0.17763.1 (WinBuild.160101.0800)\",\"description\":\"Host Process for Windows Services\",\"product\":\"Microsoft® Windows® Operating System\",\"company\":\"Microsoft Corporation\",\"originalFileName\":\"svchost.exe\",\"commandLine\":\"C:\\\\Windows\\\\System32\\\\svchost.exe -k smphost\",\"currentDirectory\":\"C:\\\\Windows\\\\system32\\\\\",\"user\":\"NT AUTHORITY\\\\NETWORK SERVICE\",\"logonGuid\":\"{c9c7f4ca-fbdc-5d5e-0000-0020e4030000}\",\"logonId\":\"0x3e4\",\"terminalSessionId\":\"0\",\"integrityLevel\":\"System\",\"hashes\":\"MD5=8A0A29438052FAED8A2532DA50455756,SHA256=7FD065BAC18C5278777AE44908101CDFED72D26FA741367F0AD4D02020787AB6\",\"parentProcessGuid\":\"{00000000-0000-0000-0000-000000000000}\",\"parentProcessId\":\"572\",\"parentImage\":\"?\",\"parentCommandLine\":\"?\"}}}"
                Decoder
                        Name: "windows_eventchannel"
                Data
                        Win
                                System
                                        ProviderName: "Microsoft-Windows-Sysmon"
                                        ProviderGuid: "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"
                                        EventID: "1"
                                        Version: "5"
                                        Level: "4"
                                        Task: "1"
                                        Opcode: "0"
                                        Keywords: "0x8000000000000000"
                                        SystemTime: "2019-08-22T11:46:31.193048300Z"
                                        EventRecordID: "544"
                                        ProcessID: "1820"
                                        ThreadID: "2604"
                                        Channel: "Microsoft-Windows-Sysmon/Operational"
                                        Computer: "WIN-6UJQ4IGFLK2"
                                        SeverityValue: "INFORMATION"
                                        Message: "Process Create:"
                                Eventdata
                                        UtcTime: "2019-08-22 11:46:31.183"
                                        ProcessGuid: "{c9c7f4ca-8097-5d5e-0000-0010a4952f00}"
                                        ProcessId: "2884"
                                        Image: "C:\\Windows\\System32\\svchost.exe"
                                        FileVersion: "10.0.17763.1 (WinBuild.160101.0800)"
                                        Description: "Host Process for Windows Services"
                                        Product: "Microsoft® Windows® Operating System"
                                        Company: "Microsoft Corporation"
                                        OriginalFileName: "svchost.exe"
                                        CommandLine: "C:\\Windows\\System32\\svchost.exe -k smphost"
                                        CurrentDirectory: "C:\\Windows\\system32\\"
                                        User: "NT AUTHORITY\\NETWORK SERVICE"
                                        LogonGuid: "{c9c7f4ca-fbdc-5d5e-0000-0020e4030000}"
                                        LogonId: "0x3e4"
                                        TerminalSessionId: "0"
                                        IntegrityLevel: "System"
                                        Hashes: "MD5=8A0A29438052FAED8A2532DA50455756,SHA256=7FD065BAC18C5278777AE44908101CDFED72D26FA741367F0AD4D02020787AB6"
                                        ParentProcessGuid: "{00000000-0000-0000-0000-000000000000}"
                                        ParentProcessId: "572"
                                        ParentImage: "?"
                                        ParentCommandLine: "?"
                Location: "EventChannel"



 --END OF NOTIFICATION

And this is how you see some alerts in the same message:

Wazuh Notification.
2019-08-23T09:26:00.007+0200

Received From: (WIN-6UJQ4IGFLK2) 10.0.2.15->EventChannel
Rule: 60775 fired (level 5) -> "WSearch was unavailable to handle a notification event"
Alert(s):

                Timestamp: "2019-08-23T09:26:00.007+0200"
                Rule
                        Level: 5
                        Description: "WSearch was unavailable to handle a notification event"
                        Id: "60775"
                        Firedtimes: 1
                        Mail: true
                        Groups: ["windows","windows_application"]
                Agent
                        Id: "001"
                        Name: "WIN-6UJQ4IGFLK2"
                        Ip: "10.0.2.15"
                Manager
                        Name: "lopezziur"
                Id: "1566545160.163696"
                Decoder
                        Name: "windows_eventchannel"
                Data
                        Win
                                System
                                        ProviderName: "Microsoft-Windows-Winlogon"
                                        ProviderGuid: "{DBE9B383-7CF3-4331-91CC-A3CB16A3B538}"
                                        EventSourceName: "Wlclntfy"
                                        EventID: "6000"
                                        Version: "0"
                                        Level: "4"
                                        Task: "0"
                                        Opcode: "0"
                                        Keywords: "0x80000000000000"
                                        SystemTime: "2019-08-23T07:25:58.050735400Z"
                                        EventRecordID: "281"
                                        ProcessID: "0"
                                        ThreadID: "0"
                                        Channel: "Application"
                                        Computer: "WIN-6UJQ4IGFLK2"
                                        SeverityValue: "INFORMATION"
                                        Message: "The winlogon notification subscriber <WSearch> was unavailable to handle a notification event."
                                Eventdata
                                        Binary: "D9060000"
                                        Data: "WSearch"
                Location: "EventChannel"



 --END OF NOTIFICATION



Wazuh Notification.
2019-08-23T09:26:00.037+0200

Received From: (WIN-6UJQ4IGFLK2) 10.0.2.15->EventChannel
Rule: 60106 fired (level 3) -> "Windows Logon Success"
Alert(s):

                Timestamp: "2019-08-23T09:26:00.037+0200"
                Rule
                        Level: 3
                        Description: "Windows Logon Success"
                        Id: "60106"
                        Firedtimes: 1
                        Mail: true
                        Groups: ["windows"," windows_security","authentication_success"]
                        Pci_dss: ["10.2.5"]
                        Gpg13: ["7.1","7.2"]
                        Gdpr: ["IV_32.2"]
                        Hipaa: ["164.312.b"]
                        Nist_800_53: ["AU.3.1","IA.10"]
                Agent
                        Id: "001"
                        Name: "WIN-6UJQ4IGFLK2"
                        Ip: "10.0.2.15"
                Manager
                        Name: "lopezziur"
                Id: "1566545160.165203"
                Decoder
                        Name: "windows_eventchannel"
                Data
                        Win
                                System
                                        ProviderName: "Microsoft-Windows-Security-Auditing"
                                        ProviderGuid: "{54849625-5478-4994-a5ba-3e3b0328c30d}"
                                        EventID: "4624"
                                        Version: "2"
                                        Level: "0"
                                        Task: "12544"
                                        Opcode: "0"
                                        Keywords: "0x8020000000000000"
                                        SystemTime: "2019-08-23T07:25:57.490022900Z"
                                        EventRecordID: "5697"
                                        ProcessID: "580"
                                        ThreadID: "628"
                                        Channel: "Security"
                                        Computer: "WIN-6UJQ4IGFLK2"
                                        SeverityValue: "AUDIT_SUCCESS"
                                        Message: "An account was successfully logged on."
                                Eventdata
                                        SubjectUserSid: "S-1-5-18"
                                        SubjectUserName: "WIN-6UJQ4IGFLK2$"
                                        SubjectDomainName: "WORKGROUP"
                                        SubjectLogonId: "0x3e7"
                                        TargetUserSid: "S-1-5-18"
                                        TargetUserName: "SYSTEM"
                                        TargetDomainName: "NT AUTHORITY"
                                        TargetLogonId: "0x3e7"
                                        LogonType: "5"
                                        LogonProcessName: "Advapi"
                                        AuthenticationPackageNam!: "Negotiate"
                                        LogonGuid: "{00000000-0000-0000-0000-000000000000}"
                                        KeyLength: "0"
                                        ProcessId: "0x23c"
                                        ProcessName: "C:\\Windows\\System32\\services.exe"
                                        ImpersonationLevel: "%%1833"
                                        VirtualAccount: "%%1843"
                                        TargetLinkedLogonId: "0x0"
                                        ElevatedToken: "%%1842"
                Location: "EventChannel"



 --END OF NOTIFICATION



Wazuh Notification.
2019-08-23T09:26:00.063+0200

Received From: (WIN-6UJQ4IGFLK2) 10.0.2.15->EventChannel
Rule: 60775 fired (level 5) -> "SessionEnv was unavailable to handle a notification event"
Alert(s):

                Timestamp: "2019-08-23T09:26:00.063+0200"
                Rule
                        Level: 5
                        Description: "SessionEnv was unavailable to handle a notification event"
                        Id: "60775"
                        Firedtimes: 2
                        Mail: true
                        Groups: ["windows","windows_application"]
                Agent
                        Id: "001"
                        Name: "WIN-6UJQ4IGFLK2"
                        Ip: "10.0.2.15"
                Manager
                        Name: "lopezziur"
                Id: "1566545160.167903"
                Decoder
                        Name: "windows_eventchannel"
                Data
                        Win
                                System
                                        ProviderName: "Microsoft-Windows-Winlogon"
                                        ProviderGuid: "{DBE9B383-7CF3-4331-91CC-A3CB16A3B538}"
                                        EventSourceName: "Wlclntfy"
                                        EventID: "6000"
                                        Version: "0"
                                        Level: "4"
                                        Task: "0"
                                        Opcode: "0"
                                        Keywords: "0x80000000000000"
                                        SystemTime: "2019-08-23T07:25:58.531937400Z"
                                        EventRecordID: "282"
                                        ProcessID: "0"
                                        ThreadID: "0"
                                        Channel: "Application"
                                        Computer: "WIN-6UJQ4IGFLK2"
                                        SeverityValue: "INFORMATION"
                                        Message: "The winlogon notification subscriber <SessionEnv> was unavailable to handle a notification event."
                                Eventdata
                                        Binary: "D9060000"
                                        Data: "SessionEnv"
                Location: "EventChannel"



 --END OF NOTIFICATION

Regards,
Eva

@Lopuiz

Lopuiz commented Aug 23, 2019

Hello team!

Following examples are Syscheck alert emails:

Wazuh Notification.
2019-08-23T07:50:17.225+0200

Received From: lopezziur->syscheck
Rule: 550 fired (level 7) -> "Integrity checksum changed."
Alert(s):

                Timestamp: "2019-08-23T07:50:17.225+0200"
                Rule
                        Level: 7
                        Description: "Integrity checksum changed."
                        Id: "550"
                        Firedtimes: 3
                        Mail: true
                        Groups: ["ossec","syscheck"]
                        Pci_dss: ["11.5"]
                        Gpg13: ["4.11"]
                        Gdpr: ["II_5.1.f"]
                        Hipaa: ["164.312.c.1","164.312.c.2"]
                        Nist_800_53: ["SI.7"]
                Agent
                        Id: "000"
                        Name: "lopezziur"
                Manager
                        Name: "lopezziur"
                Id: "1566539417.7825"
                Full_log: "File '/boot/grub/grubenv' checksum changed.\nOld modification time was: 'Thu Aug 22 07:36:20 2019', now it is 'Fri Aug 23 07:48:51 2019'\n"
                Syscheck
                        Path: "/boot/grub/grubenv"
                        Size_after: "1024"
                        Perm_after: "100644"
                        Uid_after: "0"
                        Gid_after: "0"
                        Md5_after: "64d53c72784085f13f75a31d44a97718"
                        Sha1_after: "3115ecc316b0784b40c2c33b472f0ed1a93bd3e1"
                        Sha256_after: "570ebf2844deac6ea39805f47605c44722261e99b0c8891490b532d3ad498cc5"
                        Uname_after: "root"
                        Gname_after: "root"
                        Mtime_before: "2019-08-22T07:36:20"
                        Mtime_after: "2019-08-23T07:48:51"
                        Inode_after: 10223907
                        Event: "modified"
                Decoder
                        Name: "syscheck_integrity_changed"
                Location: "syscheck"



 --END OF NOTIFICATION

And this is how you see two Syscheck alerts in the same message:

Wazuh Notification.
2019-08-23T07:49:17.542+0200

Received From: lopezziur->syscheck
Rule: 550 fired (level 7) -> "Integrity checksum changed."
Alert(s):

                Timestamp: "2019-08-23T07:49:17.542+0200"
                Rule
                        Level: 7
                        Description: "Integrity checksum changed."
                        Id: "550"
                        Firedtimes: 1
                        Mail: true
                        Groups: ["ossec","syscheck"]
                        Pci_dss: ["11.5"]
                        Gpg13: ["4.11"]
                        Gdpr: ["II_5.1.f"]
                        Hipaa: ["164.312.c.1","164.312.c.2"]
                        Nist_800_53: ["SI.7"]
                Agent
                        Id: "000"
                        Name: "lopezziur"
                Manager
                        Name: "lopezziur"
                Id: "1566539357.4771"
                Full_log: "File '/etc/cups/subscriptions.conf.O' checksum changed.\nOld md5sum was: '19cbaf8165fd94172eef2068470ef8b5'\nNew md5sum is : 'b8f67e3370baf57a7c77a35dd79c366d'\nOld sha1sum was: '2cf345ca7b7b98dbda3f2e79acd2e55ece3be7a5'\nNew sha1sum is : 'efa0f4a5f8fbbde9bb7b1d88d25dcd02dcebda60'\nOld sha256sum was: 'ce07d6903fd321571aeeb81d9dd2a82cd0fc2fb8a2ad68c3ee4a741741adfa81'\nNew sha256sum is : 'fd9b6ad57580cd46d81b684f8824eac9a69052c519040cb763e836c17c4e83ef'\nOld modification time was: 'Thu Aug 22 12:28:48 2019', now it is 'Thu Aug 22 14:25:28 2019'\nOld inode was: '13894374', now it is '13894139'\n"
                Syscheck
                        Path: "/etc/cups/subscriptions.conf.O"
                        Size_after: "690"
                        Perm_after: "100640"
                        Uid_after: "0"
                        Gid_after: "7"
                        Md5_before: "19cbaf8165fd94172eef2068470ef8b5"
                        Md5_after: "b8f67e3370baf57a7c77a35dd79c366d"
                        Sha1_before: "2cf345ca7b7b98dbda3f2e79acd2e55ece3be7a5"
                        Sha1_after: "efa0f4a5f8fbbde9bb7b1d88d25dcd02dcebda60"
                        Sha256_before: "ce07d6903fd321571aeeb81d9dd2a82cd0fc2fb8a2ad68c3ee4a741741adfa81"
                        Sha256_after: "fd9b6ad57580cd46d81b684f8824eac9a69052c519040cb763e836c17c4e83ef"
                        Uname_after: "root"
                        Gname_after: "lp"
                        Mtime_before: "2019-08-22T12:28:48"
                        Mtime_after: "2019-08-22T14:25:28"
                        Inode_before: 13894374
                        Inode_after: 13894139
                        Event: "modified"
                Decoder
                        Name: "syscheck_integrity_changed"
                Location: "syscheck"



 --END OF NOTIFICATION



Wazuh Notification.
2019-08-23T07:49:17.543+0200

Received From: lopezziur->syscheck
Rule: 550 fired (level 7) -> "Integrity checksum changed."
Alert(s):

                Timestamp: "2019-08-23T07:49:17.543+0200"
                Rule
                        Level: 7
                        Description: "Integrity checksum changed."
                        Id: "550"
                        Firedtimes: 2
                        Mail: true
                        Groups: ["ossec","syscheck"]
                        Pci_dss: ["11.5"]
                        Gpg13: ["4.11"]
                        Gdpr: ["II_5.1.f"]
                        Hipaa: ["164.312.c.1","164.312.c.2"]
                        Nist_800_53: ["SI.7"]
                Agent
                        Id: "000"
                        Name: "lopezziur"
                Manager
                        Name: "lopezziur"
                Id: "1566539357.5901"
                Full_log: "File '/etc/cups/subscriptions.conf' checksum changed.\nSize changed from '690' to '93'\nOld md5sum was: '3afe72ff6a4a1963539e9d95f8a195a3'\nNew md5sum is : 'f42b273451b765772695ea8cb75fe63a'\nOld sha1sum was: '173e435ea80eecf12e9ac58cf9d6fc255d10a7f9'\nNew sha1sum is : 'a8d6b3986e488dafd064f9b724b7bf9d4700e1a6'\nOld sha256sum was: '9a4b96fa4f750e0201d8e16c195c7fe0cf739519730f08c643aff687896f43f6'\nNew sha256sum is : '116b66bed35259d3b2fc7be534fad9123bc12daa7750c499ce3c3b1958fec098'\nOld modification time was: 'Thu Aug 22 13:27:08 2019', now it is 'Thu Aug 22 15:00:21 2019'\nOld inode was: '13893824', now it is '13894374'\n"
                Syscheck
                        Path: "/etc/cups/subscriptions.conf"
                        Size_before: "690"
                        Size_after: "93"
                        Perm_after: "100640"
                        Uid_after: "0"
                        Gid_after: "7"
                        Md5_before: "3afe72ff6a4a1963539e9d95f8a195a3"
                        Md5_after: "f42b273451b765772695ea8cb75fe63a"
                        Sha1_before: "173e435ea80eecf12e9ac58cf9d6fc255d10a7f9"
                        Sha1_after: "a8d6b3986e488dafd064f9b724b7bf9d4700e1a6"
                        Sha256_before: "9a4b96fa4f750e0201d8e16c195c7fe0cf739519730f08c643aff687896f43f6"
                        Sha256_after: "116b66bed35259d3b2fc7be534fad9123bc12daa7750c499ce3c3b1958fec098"
                        Uname_after: "root"
                        Gname_after: "lp"
                        Mtime_before: "2019-08-22T13:27:08"
                        Mtime_after: "2019-08-22T15:00:21"
                        Inode_before: 13893824
                        Inode_after: 13894374
                        Event: "modified"
                Decoder
                        Name: "syscheck_integrity_changed"
                Location: "syscheck"



 --END OF NOTIFICATION

And this is how you see two Windows Syscheck alerts:

Wazuh Notification.
2019-08-23T09:10:29.547+0200

Received From: (WIN-6UJQ4IGFLK2) 10.0.2.15->syscheck
Rule: 553 fired (level 7) -> "File deleted."
Alert(s):

                Timestamp: "2019-08-23T09:10:29.547+0200"
                Rule
                        Level: 7
                        Description: "File deleted."
                        Id: "553"
                        Firedtimes: 1
                        Mail: true
                        Groups: ["ossec","syscheck"]
                        Pci_dss: ["11.5"]
                        Gpg13: ["4.11"]
                        Gdpr: ["II_5.1.f"]
                        Hipaa: ["164.312.c.1","164.312.c.2"]
                        Nist_800_53: ["SI.7"]
                Agent
                        Id: "001"
                        Name: "WIN-6UJQ4IGFLK2"
                        Ip: "10.0.2.15"
                Manager
                        Name: "lopezziur"
                Id: "1566544229.151558"
                Full_log: "File 'c:\\users\\administrator\\documents\\testing\\nuevo documento de texto.txt' was deleted.\n"
                Syscheck
                        Path: "c:\\users\\administrator\\documents\\testing\\nuevo documento de texto.txt"
                        Event: "deleted"
                Decoder
                        Name: "syscheck_integrity_changed"
                Location: "syscheck"



 --END OF NOTIFICATION



Wazuh Notification.
2019-08-23T09:10:29.585+0200

Received From: (WIN-6UJQ4IGFLK2) 10.0.2.15->syscheck
Rule: 554 fired (level 5) -> "File added to the system."
Alert(s):

                Timestamp: "2019-08-23T09:10:29.585+0200"
                Rule
                        Level: 5
                        Description: "File added to the system."
                        Id: "554"
                        Firedtimes: 2
                        Mail: true
                        Groups: ["ossec","syscheck"]
                        Pci_dss: ["11.5"]
                        Gpg13: ["4.11"]
                        Gdpr: ["II_5.1.f"]
                        Hipaa: ["164.312.c.1","164.312.c.2"]
                        Nist_800_53: ["SI.7"]
                Agent
                        Id: "001"
                        Name: "WIN-6UJQ4IGFLK2"
                        Ip: "10.0.2.15"
                Manager
                        Name: "lopezziur"
                Id: "1566544229.151890"
                Full_log: "File 'c:\\users\\administrator\\documents\\testing\\testing.txt' was added.\n"
                Syscheck
                        Path: "c:\\users\\administrator\\documents\\testing\\testing.txt"
                        Size_after: "0"
                        Win_perm_after: [{"name":"SYSTEM","allowed":["DELETE","READ_CONTROL","WRITE_DAC","WRITE_OWNER","SYNCHRONIZE","FILE_READ_DATA","FILE_WRITE_DATA","FILE_APPEND_DATA","FILE_READ_EA","FILE_WRITE_EA","FILE_EXECUTE","FILE_READ_ATTRIBUTES","FILE_WRITE_ATTRIBUTES"]},{"name":"Administrators","allowed":["DELETE","READ_CONTROL","WRITE_DAC","WRITE_OWNER","SYNCHRONIZE","FILE_READ_DATA","FILE_WRITE_DATA","FILE_APPEND_DATA","FILE_READ_EA","FILE_WRITE_EA","FILE_EXECUTE","FILE_READ_ATTRIBUTES","FILE_WRITE_ATTRIBUTES"]},{"name":"Administrator","allowed":["DELETE","READ_CONTROL","WRITE_DAC","WRITE_OWNER","SYNCHRONIZE","FILE_READ_DATA","FILE_WRITE_DATA","FILE_APPEND_DATA","FILE_READ_EA","FILE_WRITE_EA","FILE_EXECUTE","FILE_READ_ATTRIBUTES","FILE_WRITE_ATTRIBUTES"]}]
                        Uid_after: "S-1-5-32-544"
                        Md5_after: "d41d8cd98f00b204e9800998ecf8427e"
                        Sha1_after: "da39a3ee5e6b4b0d3255bfef95601890afd80709"
                        Sha256_after: "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"
                        Attrs_after: ["ARCHIVE"]
                        Uname_after: "Administrators"
                        Mtime_after: "2019-08-23T09:10:27"
                        Event: "added"
                Decoder
                        Name: "syscheck_new_entry"
                Location: "syscheck"



 --END OF NOTIFICATION


Regards,
Eva

@chemamartinez chemamartinez requested review from chemamartinez and removed request for albertomn86 and bah07 August 23, 2019 08:58
Comment thread src/os_maild/os_maild_client.c Outdated
{
int i = 0, sms_set = 0, donotgroup = 0;
size_t body_size = OS_MAXSTR - 3, log_size;
size_t *body_size = malloc(sizeof(size_t)), log_size;
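Review bot: the replacement line `size_t *body_size = malloc(sizeof(size_t)), log_size;` heap-allocates a single size_t without checking the return value, and it turns a stack counter into memory that has to be freed on every exit path of this function. Keeping `size_t body_size = OS_MAXSTR - 3;` as a local and passing `&body_size` to the callee gives the same by-reference update with no allocation to check or leak; if the allocation stays, use os_malloc() as suggested below and free it at the common exit.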

Use os_malloc() instead of calling malloc directly. Same for the other occurrences.


Done

Comment thread src/os_maild/os_maild_client.c Outdated
if (!(rule = cJSON_GetObjectItem(al_json, "rule"), rule && (mail_flag = cJSON_GetObjectItem(rule, "mail"), mail_flag && cJSON_IsTrue(mail_flag))))
goto end;



Remove this blank line.


Done

Comment thread src/os_maild/os_maild_client.c Outdated
// Add alert to logs
char *tab = malloc(14*sizeof(char));
strcpy(tab, "\t");
cJSON_PrintTable(al_json, logs, body_size, tab, 2);
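Review bot: `char *tab = malloc(14*sizeof(char)); strcpy(tab, "\t");` allocates a fixed 14-byte indent buffer with an unchecked return value and no matching free in view, and the literal 14 silently ties the buffer to a maximum nesting depth that nothing here enforces. Suggest a local array sized from a named constant (or passing the initial indent as a literal) so the depth limit and the buffer size cannot drift apart, and checking the allocation if it stays.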

Change the name of the function. cJSON_X() can lead one to think it belongs to the cJSON library.


Done

Comment thread src/os_maild/os_maild_client.c Outdated
{
char *val1 = NULL, *val2 = NULL;
int log_size;
char *t = malloc(14*sizeof(char));

Why 14?


It's the maximum number of times it can be tabulated.

Comment thread src/os_maild/os_maild_client.c Outdated
char *val1 = NULL, *val2 = NULL;
int log_size;
char *t = malloc(14*sizeof(char));
strcpy(t, tab);
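Review bot: `strcpy(t, tab)` copies into the 14-byte buffer `t` with no bound, so an indent string of 14 or more characters overflows it. Note that the `strncpy` suggested below does not null-terminate when the source fills the buffer, so either check `strlen(tab)` against the buffer size first or use `snprintf(t, 14, "%s", tab)` so that `t` is always a valid string.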

Use strncpy instead.


Done

Comment thread src/os_maild/os_maild_client.c Outdated
}
}

if(dep < 12){

dep refers to the depth of the search in the incoming JSON? If so, it should not be limited.

@Lopuiz Lopuiz Aug 23, 2019


It's the number of times it's been tabulated. I have modified the variable name so that there is no confusion.

@Lopuiz

Lopuiz commented Aug 24, 2019

Hi!

It needs a new review. I have added the requested changes and fixed an invalid read and an invalid free.

I attach the Valgrind log file:
valgrind.txt

Regards,
Eva

@Lopuiz

Lopuiz commented Aug 26, 2019

Hello team!

I've added the following modifications:

  1. Array format:
    Fields containing arrays will be printed as follows:
Wazuh Notification.
2019-08-26T14:04:43.035+0200

Received From: lopezziur->/var/log/auth.log
Rule: 5404 fired (level 10) -> "Three failed attempts to run sudo"
Alert(s):

                Timestamp: "2019-08-26T14:04:43.035+0200"
                Rule
                        Level: 10
                        Description: "Three failed attempts to run sudo"
                        Id: "5404"
                        Firedtimes: 2
                        Mail: true
                        Groups: syslog sudo
                        Pci_dss: 10.2.4 10.2.5
                        Gpg13: 7.8
                        Gdpr: IV_35.7.d IV_32.2
                        Hipaa: 164.312.b
                        Nist_800_53: AU.14 AC.7
                Agent
                        Id: "000"
                        Name: "lopezziur"
                Manager
                        Name: "lopezziur"
                Id: "1566821083.581642"
                Predecoder
                        Program_name: "sudo"
                        Timestamp: "Aug 26 14:04:41"
                        Hostname: "lopezziur"
                Decoder
                        Parent: "sudo"
                        Name: "sudo"
                        Ftscomment: "First time user executed the sudo command"
                Data
                        Srcuser: "lopezziur"
                        Dstuser: "root"
                        Tty: "pts/3"
                        Pwd: "/home/lopezziur/wazuh/wazuh/src"
                        Command: "/bin/su"
                Location: "/var/log/auth.log"

 --END OF NOTIFICATION
  2. Syscheck alerts:
    When a Syscheck alert has a full log, the message sent is as follows (it is the full log field):
Wazuh Notification.
2019-08-26T11:23:26.982+0200

Received From: lopezziur->syscheck
Rule: 550 fired (level 7) -> "Integrity checksum changed."
Alert(s):

File '/home/lopezziur/Documentos/valgrind.txt' checksum changed.
Size changed from '283' to '8660'
Old md5sum was: 'e4d1ddb8b56523c7fa5206be67c71c14'
New md5sum is : '3e7277d5de6ac3dd83f41dfcf49d0130'
Old sha1sum was: '0e0c0cdb4239f182f7245206752304514a27fb04'
New sha1sum is : '857de9498e80b589ec224e4c75c6360c69dd9c4d'
Old sha256sum was: '5a3c4fa6e8aa3183b46c0d0eaa4b35abd5fc0ddb1f1eb990db8110d60a1274ec'
New sha256sum is : 'b708a3f3fc83a58c5a76f01e6f61e82d9a2140b5fd16f0d60151d34967ad34a8'
Old modification time was: 'Mon Aug 26 11:23:16 2019', now it is 'Mon Aug 26 11:23:26 2019'

 --END OF NOTIFICATION

If a Syscheck alert has no full log, the message sent is as follows:

Wazuh Notification.
2019-08-26T13:08:14.081+0200

Received From: lopezziur->syscheck
Rule: 550 fired (level 7) -> "Integrity checksum changed."
Alert(s):

File: /home/lopezziur/Documentos/valgrind.txt modified
Old md5sum was: 13829679ab1f3725ae51cde886d36ce8
New md5sum is: b4929c09b69cc1b50d79365a0ff5bde0
Old sha1sum was: c7f76c27ed2e129bd2bd4e321f7036c100c356ab
New sha1sum is: 7cdb0d88b10b2c918401f0840dca6a5b254f9f86
Old sha256sum was: 4451ac9e236c380952ae2e09f1950795c1fb59b040c1ca1c8baef3878d65cee0
New sha256sum is: ee7325df70dd95347e031d5d1c4fbce8d9cf855345faf28e09dd09675fc29600

 --END OF NOTIFICATION

This change is because, when a Syscheck alert had a full log, the message sent was as follows:

Wazuh Notification.
2019-08-26T10:48:28.545+0200

Received From: lopezziur->syscheck
Rule: 550 fired (level 7) -> "Integrity checksum changed."
Alert(s):

File '/home/lopezziur/Documentos/test/testing.txt' checksum changed.
Size changed from '0' to '24'
Old md5sum was: 'd41d8cd98f00b204e9800998ecf8427e'
New md5sum is : 'ce61ae5dbb727f3277d3d50ca28eab60'
Old sha1sum was: 'da39a3ee5e6b4b0d3255bfef95601890afd80709'
New sha1sum is : '4a825aedc86ca794537e1d6bc95bfc49d9818c03'
Old sha256sum was: 'e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855'
New sha256sum is : '318a52d992c300dce8812bbc66a34f97cabb0eb1b49018dfb954bf695a061370'
Old modification time was: 'Mon Aug 26 10:47:41 2019', now it is 'Mon Aug 26 10:48:28 2019'
Old md5sum was: d41d8cd98f00b204e9800998ecf8427e
New md5sum is: ce61ae5dbb727f3277d3d50ca28eab60
Old sha1sum was:da39a3ee5e6b4b0d3255bfef95601890afd80709
New sha1sum is:4a825aedc86ca794537e1d6bc95bfc49d9818c03
Old sha256sum wae3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
New sha256sum i318a52d992c300dce8812bbc66a34f97cabb0eb1b49018dfb954bf695a061370

 --END OF NOTIFICATION

As shown, Sha1sum, Sha256sum, and Md5sum are duplicated.

  3. Alerts with full log:
    These new formats will not be applied to alerts containing the full log field.
Wazuh Notification.
2019-08-26T13:54:11.313+0200

Received From: lopezziur->/var/log/auth.log
Rule: 5402 fired (level 3) -> "Successful sudo to ROOT executed"
Alert(s):

Aug 26 13:54:11 lopezziur sudo: lopezziur : TTY=pts/2 ; PWD=/home/lopezziur/wazuh/wazuh/src ; USER=root ; COMMAND=/bin/cp ossec-maild /var/ossec/bin/

Valgrind test:
Also, I executed Valgrind on the new binary and it hasn't reported any failure. I attach the Valgrind log file:
valgrind.txt

Regards,
Eva
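As an added example (not Wazuh's code), the three body formats described in this comment rendered in Python from an alert's JSON: full_log verbatim, the syscheck summary when there is no full_log, and otherwise the tab-indented key tree with space-joined arrays. The body-size cap, the handling of arrays of objects and the sample alerts are assumptions; the field values come from the notifications above.

```python
import json

# Constructed stand-in for maild's fixed body buffer (OS_MAXSTR - 3 in the PR).
MAX_BODY = 4096
START_DEPTH = 2                # the notifications indent top-level keys by two tabs
HASHES = ("md5", "sha1", "sha256")


def _label(key):
    """Print keys with the first letter upper-cased: "full_log" -> "Full_log"."""
    return key[:1].upper() + key[1:]


def _scalar(value, quote_strings=True):
    """Strings quoted, numbers and booleans bare: Name: "lopezziur", Level: 7, Mail: true."""
    if isinstance(value, bool):
        return "true" if value else "false"
    if isinstance(value, str):
        return json.dumps(value) if quote_strings else value
    return str(value)


def render_table(obj, depth=START_DEPTH, out=None):
    """Flatten a JSON object into tab-indented "Key: value" lines, recursing into
    nested objects. Arrays of scalars are space-joined and unquoted (the "Array
    format" change: Groups: syslog sudo). Arrays of objects, such as win_perm_after,
    are expanded as nested blocks (an assumption, not shown in the PR).
    Depth is not capped, as the reviewers asked."""
    if out is None:
        out = []
    indent = "\t" * depth
    for key, value in obj.items():
        if isinstance(value, dict):
            out.append(f"{indent}{_label(key)}")
            render_table(value, depth + 1, out)
        elif isinstance(value, list) and value and all(isinstance(x, dict) for x in value):
            out.append(f"{indent}{_label(key)}")
            for item in value:
                render_table(item, depth + 1, out)
        elif isinstance(value, list):
            joined = " ".join(_scalar(x, quote_strings=False) for x in value)
            out.append(f"{indent}{_label(key)}: {joined}")
        else:
            out.append(f"{indent}{_label(key)}: {_scalar(value)}")
    return out


def render_syscheck(sc):
    """Summary used when a syscheck alert carries no full_log field."""
    lines = [f"File: {sc.get('path', '')} {sc.get('event', '')}"]
    for h in HASHES:
        before, after = sc.get(f"{h}_before"), sc.get(f"{h}_after")
        if before is not None and after is not None:
            lines.append(f"Old {h}sum was: {before}")
            lines.append(f"New {h}sum is: {after}")
    return lines


def render_body(alert):
    """Choose the body format in the order the PR checks the fields: full_log
    verbatim, else the syscheck summary, else the whole key tree.
    Returns (body, truncated); truncated is True when the size cap stopped the
    output, the same guard as the PR's `if (body_size > log_size)`."""
    if "full_log" in alert:
        lines = alert["full_log"].rstrip("\n").split("\n")
    elif "syscheck" in alert:
        lines = render_syscheck(alert["syscheck"])
    else:
        lines = render_table(alert)
    body, truncated = "", False
    for line in lines:
        if len(body) + len(line) + 1 > MAX_BODY:
            truncated = True
            break
        body += line + "\n"
    return body, truncated


# Constructed sample alerts; the values are taken from the notifications quoted above.
SUDO_ALERT = {
    "timestamp": "2019-08-26T14:04:43.035+0200",
    "rule": {"level": 10, "description": "Three failed attempts to run sudo", "id": "5404",
             "firedtimes": 2, "mail": True, "groups": ["syslog", "sudo"],
             "pci_dss": ["10.2.4", "10.2.5"]},
    "agent": {"id": "000", "name": "lopezziur"},
    "data": {"srcuser": "lopezziur", "dstuser": "root", "command": "/bin/su"},
    "location": "/var/log/auth.log",
}
SYSCHECK_ALERT = {
    "rule": {"level": 7, "id": "550", "mail": True},
    "syscheck": {"path": "/home/lopezziur/Documentos/valgrind.txt",
                 "md5_before": "13829679ab1f3725ae51cde886d36ce8",
                 "md5_after": "b4929c09b69cc1b50d79365a0ff5bde0", "event": "modified"},
}

if __name__ == "__main__":
    print("\n".join(render_table(SUDO_ALERT)))
    print(render_body(SYSCHECK_ALERT)[0])
```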

@Lopuiz

Lopuiz commented Aug 26, 2019

Hi!

Also, I attach Eventchannel alerts:

Wazuh Notification.
2019-08-26T14:51:36.528+0200

Received From: (WIN-6UJQ4IGFLK2) 10.0.2.15->EventChannel
Rule: 60642 fired (level 3) -> "Software Protection service scheduled successfully"
Alert(s):

                Timestamp: "2019-08-26T14:51:36.528+0200"
                Rule
                        Level: 3
                        Description: "Software Protection service scheduled successfully"
                        Id: "60642"
                        Firedtimes: 1
                        Mail: true
                        Groups: windows windows_application
                Agent
                        Id: "001"
                        Name: "WIN-6UJQ4IGFLK2"
                        Ip: "10.0.2.15"
                Manager
                        Name: "lopezziur"
                Id: "1566823896.658661"
                Decoder
                        Name: "windows_eventchannel"
                Data
                        Win
                                System
                                        ProviderName: "Microsoft-Windows-Security-SPP"
                                        ProviderGuid: "{E23B33B0-C8C9-472C-A5F9-F2BDFEA0F156}"
                                        EventSourceName: "Software Protection Platform Service"
                                        EventID: "16384"
                                        Version: "0"
                                        Level: "4"
                                        Task: "0"
                                        Opcode: "0"
                                        Keywords: "0x80000000000000"
                                        SystemTime: "2019-08-26T12:51:35.711386600Z"
                                        EventRecordID: "302"
                                        ProcessID: "0"
                                        ThreadID: "0"
                                        Channel: "Application"
                                        Computer: "WIN-6UJQ4IGFLK2"
                                        SeverityValue: "INFORMATION"
                                        Message: "Successfully scheduled Software Protection service for re-start at 2020-01-02T11:42:35Z. Reason: RulesEngine."
                                Eventdata
                                        Data: "2020-01-02T11:42:35Z, RulesEngine"
                Location: "EventChannel"



 --END OF NOTIFICATION 

Regards,
Eva

@chemamartinez

Defects found by building with scan-build 8 in Ubuntu 18.04 related to this PR:

Bug Group   | Bug Type                     | File                       | Function/Method   | Line
Dead store  | Dead increment               | os_maild/os_maild_client.c | OS_RecvMailQ_JSON | 399
Dead store  | Dead increment               | os_maild/os_maild_client.c | OS_RecvMailQ_JSON | 488
Logic error | Uninitialized argument value | os_maild/os_maild_client.c | PrintTable        | 799

Comment thread src/os_maild/maild.h Outdated

Let's continue using "Portion of the log(s)"; in many cases the printed data is the full_log field.

Comment thread src/os_maild/os_maild_client.c Outdated

Why should counter be less than 12? We have to allow more tabs by default.

Comment thread src/os_maild/os_maild_client.c Outdated

Add the explicit check of the json_field content. Some gcc versions complain about this:

os_maild/os_maild_client.c: In function ‘OS_RecvMailQ_JSON’:
os_maild/os_maild_client.c:389:8: warning: suggest parentheses around assignment used as truth value [-Wparentheses]
     if(json_field = cJSON_GetObjectItem(al_json,"full_log")){
        ^~~~~~~~~~

By adding:

if(json_field = cJSON_GetObjectItem(al_json,"full_log"), json_field){

we avoid the error.

Comment thread src/os_maild/os_maild_client.c Outdated

Same as above:

else if (json_object = cJSON_GetObjectItem(al_json,"syscheck"), json_object){

Comment thread src/os_maild/os_maild_client.c Outdated

Same:

while(json_array = cJSON_GetArrayItem(item, i), json_array){

Comment thread src/os_maild/os_maild_client.c Outdated

Define log_size as size_t to avoid these errors:

os_maild/os_maild_client.c:808:31: warning: comparison between signed and unsigned integer expressions [-Wsign-compare]
                 if (body_size > log_size) {

@Lopuiz

Lopuiz commented Aug 28, 2019

Hi!

I've subjected maild to a high workload. Valgrind has not reported any memory leak. I attach the log file:
valgrind.txt

Maild generates about 12 emails per second.

Regards,
Eva

@chemamartinez

GJ @Lopuiz and @DaveVG1!

@chemamartinez chemamartinez merged commit 4c48652 into 3.10 Aug 28, 2019
@chemamartinez chemamartinez deleted the fix-email-log-option branch August 28, 2019 14:43