
Overwrite rules label fix and rules features tests#3414

Merged
vikman90 merged 2 commits into 3.10 from 3.10-3381-added-rules-features-tests
Jun 27, 2019

Conversation


@Zenidd Zenidd commented May 29, 2019

Related issue
#3381

Description

  • Overwrite & list fix

int OS_AddRuleInfo(RuleNode *r_node, RuleInfo *newrule, int sid)

This function is responsible for rewriting the data of a rule that was triggered if there is another rule that overwrites it.

The label corresponding to the cdb lists was not being copied by this function. It has been added along with other attributes that may be useful after the overwrite of a rule occurs.

    r_node->ruleinfo->location = newrule->location;
    r_node->ruleinfo->lists = newrule->lists;
    r_node->ruleinfo->prev_rule = newrule->prev_rule;
    r_node->ruleinfo->same_fields = newrule->same_fields;
    r_node->ruleinfo->not_same_fields = newrule->not_same_fields;

#ifdef LIBGEOIP_ENABLED
    r_node->ruleinfo->srcgeoip = newrule->srcgeoip;
    r_node->ruleinfo->dstgeoip = newrule->dstgeoip;
#endif
  • Rules features test

    • A test file (features.ini) has been added in contrib/ossec-testing that checks that this new feature works.
    • The script that performs the tests has been modified so that it admits inputs with more than one event. This way, checks that require multiple events as input can be performed.



Logs/Alerts example

  • Rule added on /var/ossec/etc/rules/local_rules.xml
  <rule id="5501" level="12" overwrite="yes">
    <if_sid>5500</if_sid>
    <match>session opened for user </match>
    <list field="program_name" lookup="match_key">etc/lists/my/oom_white_list</list>
    <description>System running out of memory. </description>
    <description>Availability of the MY system is in risk.</description>
    <group>service_availability,pci_dss_10.6.1,gpg13_4.12,gdpr_IV_35.7.d,</group>
  </rule>



  • Output when using this sshd log line as input of logcollector: May 23 13:10:58 centos sshd[7621]: pam_unix(sshd:session): session opened for user root by (uid=0)
**Phase 1: Completed pre-decoding.
       full event: 'May 23 13:10:58 centos sshd[7621]: pam_unix(sshd:session): session opened for user root by (uid=0)'
       timestamp: 'May 23 13:10:58'
       hostname: 'centos'
       program_name: 'sshd'
       log: 'pam_unix(sshd:session): session opened for user root by (uid=0)'

**Phase 2: Completed decoding.
       decoder: 'pam'
       dstuser: 'root'
       uid: '0'
  • No rule matches this log input, and this is caused by the correct functioning of the label.



Tests

Compilation without warnings in every supported platform:

  • Linux
  • Source installation

The additional attributes that are now also copied do not represent a change in the way memory is allocated so they do not require a thorough memory test.


  • QA templates contemplate the added capabilities

QA template for ruleset has been extended to include testing this new functionality. A test file has also been added to contrib/ossec-testing for automatic testing.
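A minimal C model of the defect described in this PR, added here as an illustration rather than code from the Wazuh repository: the stock rule's level (3), the struct layout, the copying of level and match, and the whitelist contents are all assumed. Before the fix the overwriting rule's list label is dropped, so the sshd login still fires at level 12; after the fix the match_key lookup on program_name fails and nothing fires.

```c
#include <string.h>

/* Simplified model, not Wazuh's real RuleInfo: a substring match plus an
 * optional CDB list checked against program_name (lookup="match_key"). */
typedef struct {
    int sid;
    int level;
    const char *match;
    const char **lists;   /* NULL-terminated list of allowed keys, or NULL */
} RuleInfo;

typedef struct { RuleInfo *ruleinfo; } RuleNode;

/* Before the fix: the overwriting rule's list label was never copied. */
static void overwrite_before_fix(RuleNode *r_node, RuleInfo *newrule) {
    r_node->ruleinfo->level = newrule->level;
    r_node->ruleinfo->match = newrule->match;
}

/* After the fix: lists travels with the rest of the rule data. */
static void overwrite_after_fix(RuleNode *r_node, RuleInfo *newrule) {
    r_node->ruleinfo->level = newrule->level;
    r_node->ruleinfo->match = newrule->match;
    r_node->ruleinfo->lists = newrule->lists;
}

static int list_has_key(const char **list, const char *key) {
    for (; list && *list; list++)
        if (strcmp(*list, key) == 0) return 1;
    return 0;
}

/* Alert level if the rule fires, 0 if it does not. */
int evaluate(const RuleInfo *r, const char *program_name, const char *log) {
    if (!strstr(log, r->match)) return 0;
    if (r->lists && !list_has_key(r->lists, program_name)) return 0;
    return r->level;
}

/* PR scenario: local 5501 (level 12, whitelist without "sshd") overwrites
 * the stock 5501 (level 3 assumed). fixed selects which copy routine runs. */
int alert_level_for_sshd_login(int fixed) {
    static const char *oom_white_list[] = { "oom-killer", NULL }; /* constructed */
    RuleInfo original = { 5501, 3, "session opened for user ", NULL };
    RuleInfo newrule  = { 5501, 12, "session opened for user ", oom_white_list };
    RuleNode node = { &original };
    if (fixed) overwrite_after_fix(&node, &newrule);
    else       overwrite_before_fix(&node, &newrule);
    return evaluate(node.ruleinfo, "sshd",
                    "pam_unix(sshd:session): session opened for user root by (uid=0)");
}
```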

@Zenidd Zenidd added type/bug Something isn't working feed labels May 29, 2019
@Zenidd Zenidd requested a review from vikman90 May 29, 2019 11:05
@vikman90 vikman90 self-assigned this May 29, 2019
@druizz90 druizz90 closed this Jun 3, 2019
@Zenidd Zenidd reopened this Jun 3, 2019

Zenidd commented Jun 4, 2019

Hello @vikman90,

I've opened a pull request on Wazuh-ruleset about these features: wazuh/wazuh-ruleset#413



Best regards,

Juan Pablo Sáez


@vikman90 vikman90 left a comment


LGTM!

@vikman90 vikman90 merged commit 974a36f into 3.10 Jun 27, 2019
@vikman90 vikman90 deleted the 3.10-3381-added-rules-features-tests branch June 27, 2019 16:34