Wazuh is a versatile and extremely useful open-source host intrusion detection (aka protective monitoring) system that can monitor a broad range of operating systems. We are an enthusiastic user of and contributor to the project, and while the rules we write are being contributed to the upstream Wazuh rule library, one of the less known strengths of the system is the rules you can write yourself.

One of the functions Wazuh performs for us is monitoring the availability of the WebCookies website. The implementation consists of two simple configuration pieces. The first uses the command monitoring feature and is enabled by the following fragment in ossec.conf (see the localfile documentation):

<localfile>
    <log_format>command</log_format>
    <command>curl -6 --compressed --connect-timeout 5 -I https://webcookies.org/number-of-cookies 2>&1</command>
    <alias>curl webcookies </alias>
    <frequency>120</frequency>
</localfile>

The localfile section runs the curl command every 120 seconds. Because log_format is set to command, each line of the output (stderr included, thanks to the 2>&1) is fed into the Wazuh log processing engine as a separate event, prefixed with ossec: output: 'curl webcookies':, which is exactly what the stock rule 530 picks up; full_command would instead deliver the whole output as one event. These events now need to be accompanied by custom rules, which are simply placed in the rules/local_rules.xml configuration file (/var/ossec/etc/rules/local_rules.xml on a standard install):

<group name="ossec,webcookies,">
    <rule id="100080" level="0">
        <if_sid>530</if_sid>
        <match>curl webcookies</match>
        <description>WebCookies connection check</description>
    </rule>

    <rule id="100081" level="12" ignore="3600">
        <if_sid>100080</if_sid>
        <match>timed out</match>
        <description>Connection to WebCookies.org: timed out</description>
    </rule>

    <rule id="100082" level="12" ignore="3600">
        <if_sid>100080</if_sid>
        <match>HTTP/2 500</match>
        <description>Connection to WebCookies.org: internal server error</description>
    </rule>

    <rule id="100083" level="12" ignore="3600">
        <if_sid>100080</if_sid>
        <match>certificate problem</match>
        <description>Connection to WebCookies.org: certificate problem</description>
    </rule>

    <rule id="100084" level="12" ignore="3600">
        <if_sid>100080</if_sid>
        <match>curl: (</match>
        <description>Connection to WebCookies.org: other problem</description>
    </rule>
</group>

These rules first "capture" the curl output into this particular branch of the analysis tree (rule 100080 has level 0, so it never alerts on its own) and then detect specific patterns in that output, alerting on particular events: a connection timeout, an HTTP 500 response, a TLS certificate problem, and finally any other curl error (DNS resolution failure, connection refused, and so on) through the catch-all match on curl: (. The catch-all is deliberately listed last: sibling rules of the same level are tried in file order and the first match wins, so putting it first would swallow the more specific alerts. The ignore="3600" attribute suppresses repeats of the same alert for an hour, so a prolonged outage produces one notification rather than one every two minutes.
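To see the rule tree behave as described without a Wazuh manager at hand, here is an added offline replay. It is example code written for this page, not part of the original post and not Wazuh's own code: it parses the rules above, wraps constructed curl output lines the way logcollector does for command monitoring (the exact prefix text is an assumption), walks the tree with the first-sibling-match-wins order, and applies the ignore window. The matcher only implements the substring and leading-^ forms of <match> that these rules use.

```python
"""Offline replay of the WebCookies availability rules against constructed curl output.

Models three things: how logcollector wraps each line of command output, how
analysisd walks the rule tree (siblings by level, file order within a level,
first match wins, then descend) and what ignore="3600" does. Simplified model,
not Wazuh code; the log prefix format is an assumption.
"""
import xml.etree.ElementTree as ET

# The rules from local_rules.xml above, one rule per line for brevity.
LOCAL_RULES = """<group name="ossec,webcookies,">
<rule id="100080" level="0"><if_sid>530</if_sid><match>curl webcookies</match><description>WebCookies connection check</description></rule>
<rule id="100081" level="12" ignore="3600"><if_sid>100080</if_sid><match>timed out</match><description>Connection to WebCookies.org: timed out</description></rule>
<rule id="100082" level="12" ignore="3600"><if_sid>100080</if_sid><match>HTTP/2 500</match><description>Connection to WebCookies.org: internal server error</description></rule>
<rule id="100083" level="12" ignore="3600"><if_sid>100080</if_sid><match>certificate problem</match><description>Connection to WebCookies.org: certificate problem</description></rule>
<rule id="100084" level="12" ignore="3600"><if_sid>100080</if_sid><match>curl: (</match><description>Connection to WebCookies.org: other problem</description></rule>
</group>"""

# Stock rule 530 from ossec_rules.xml: the parent that all command output hangs off.
BUILTIN_530 = {"id": "530", "level": 0, "ignore": 0, "parent": None,
               "match": "^ossec: output: ", "description": "OSSEC process monitoring rules."}

ALIAS = "curl webcookies"


def wazuh_command_log(line, alias=ALIAS):
    """Wrap one output line as logcollector does for <log_format>command</log_format>
    (assumed format: ossec: output: '<alias>': <line>)."""
    return f"ossec: output: '{alias}': {line}"


def load_rules(xml_text):
    """Parse local rules into dicts; the dict keeps file order, which matters below."""
    rules = {"530": BUILTIN_530}
    for r in ET.fromstring(xml_text).iter("rule"):
        rules[r.get("id")] = {
            "id": r.get("id"), "level": int(r.get("level")),
            "ignore": int(r.get("ignore", "0")), "parent": r.findtext("if_sid"),
            "match": r.findtext("match"), "description": r.findtext("description"),
        }
    return rules


def matches(pattern, text):
    """Minimal <match> semantics: a leading '^' anchors at the start, otherwise substring."""
    return text.startswith(pattern[1:]) if pattern.startswith("^") else pattern in text


def children_in_order(rules, parent_id):
    """Siblings are tried highest level first; the stable sort keeps file order within a
    level, which is why the catch-all 'curl: (' rule has to be the last level-12 rule."""
    return sorted((r for r in rules.values() if r["parent"] == parent_id),
                  key=lambda r: -r["level"])


def evaluate(rules, log, root_id="530"):
    """Return the deepest matching rule (first matching sibling wins), or None."""
    if not matches(rules[root_id]["match"], log):
        return None
    current = rules[root_id]
    while True:
        for child in children_in_order(rules, current["id"]):
            if matches(child["match"], log):
                current = child
                break
        else:
            return current


class IgnoreWindow:
    """Models ignore="N": once a rule has fired, repeats are dropped for N seconds."""
    def __init__(self):
        self.last_fired = {}

    def should_alert(self, rule, now):
        if rule["level"] == 0:          # level 0 never produces an alert
            return False
        last = self.last_fired.get(rule["id"])
        if last is not None and now - last < rule["ignore"]:
            return False
        self.last_fired[rule["id"]] = now
        return True


# Constructed curl output for six consecutive two-minute runs: (seconds, output lines).
SAMPLE_RUNS = [
    (0,   ["HTTP/2 200", "content-type: text/html; charset=utf-8"]),
    (120, ["curl: (28) Connection timed out after 5001 milliseconds"]),
    (240, ["curl: (28) Connection timed out after 5001 milliseconds"]),   # inside ignore window
    (360, ["curl: (60) SSL certificate problem: certificate has expired"]),
    (480, ["curl: (6) Could not resolve host: webcookies.org"]),          # lands on the catch-all
    (600, ["HTTP/2 500", "content-length: 0"]),
]


def replay(rules, runs):
    """Feed every line through the tree; return (time, id, level, description) of surviving alerts."""
    window = IgnoreWindow()
    alerts = []
    for t, lines in runs:
        for line in lines:
            rule = evaluate(rules, wazuh_command_log(line))
            if rule is not None and window.should_alert(rule, t):
                alerts.append((t, rule["id"], rule["level"], rule["description"]))
    return alerts


if __name__ == "__main__":
    for t, rid, level, desc in replay(load_rules(LOCAL_RULES), SAMPLE_RUNS):
        print(f"t={t:>4}s  rule {rid}  level {level}  {desc}")
```

The replay yields four alerts (timeout at 120 s, certificate problem at 360 s, the DNS failure caught by the "other problem" rule at 480 s, and the HTTP 500 at 600 s); the second timeout at 240 s is swallowed by the ignore window and the healthy HTTP/2 200 runs stay at level 0. On a real manager the same check is done by pasting a wrapped line such as ossec: output: 'curl webcookies': curl: (28) Connection timed out after 5001 milliseconds into the bundled logtest tool (wazuh-logtest, or ossec-logtest on older releases) and confirming that rule 100081 rather than 100084 is reported.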

In our implementation the alerts are then delivered to us over Matrix.org instant messaging, using Wazuh's external API integration feature.
