Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Adapt agent simulator in order to generate Vulnerability detector alerts #4868

Merged
merged 21 commits into from
Jan 24, 2024
Merged

Adapt agent simulator in order to generate Vulnerability detector alerts #4868

merged 21 commits into from
Jan 24, 2024

Conversation

Rebits
Copy link
Member

@Rebits Rebits commented Jan 17, 2024
edited
Loading

Related issue
#4781

Description

This pull request addresses the need for performance testing to evaluate the effectiveness of the newly refactored vulnerability detector. The proposed changes involve adapting the Agent Simulator module to accommodate the latest updates in this regard.

Main Changes

  • Update Syscollector Message Template: Align the Agent Simulator's Syscollector message template with the message format changes introduced since version 4.2.
  • Support Package Deletion Operations: Include support for Syscollector package deletion operation messages in the Agent Simulator.
  • Enhanced Simulation Script: Improve the simulate agent script to allow customization of Syscollector parameters such as batch frequency, version format, event types, and custom package files.
  • Parser Tool Addition: Introduce a parser tool that generates a JSON dictionary containing the necessary metadata for mocking Syscollector package messages from a content snapshot. The repository now includes a default set of 100 packages.
  • Basic Debugging Options: Incorporate basic debugging options into the Agent Simulator and simulate agent script.

Simulate Agents Script Enhancements

The simulate agents script has been enhanced to provide more flexibility in syscollector message generation. Some of the new options include:

  • --debug: Enable debug mode.
  • --syscollector-frequency: Set syscollector frequency.
  • --syscollector-event-type: Specify syscollector event type.
  • --syscollector-legacy-messages: Enable legacy syscollector messages.
  • --syscollector-packages-list-file: Set the syscollector packages file to be used in agent simulation.

Syscollector message simulator design

Currently, the simulate agent command sends package Syscollector event types by default. The proposed simulation of package events is outlined as follows:

  • Utilizing the current list of packages (provided with package name, version, and vendor) or using the default list if none is provided, the Syscollector generator will initially send an "install" event type for all the packages.
  • In the second iteration, the Syscollector generator will repeat the process, but this time, it will send a "delete" operation for each package.

Syscollector Message Simulator Design

  • Due to the limitations of the simulator there only used Delta messages. For this reason the following error will be generated in the manager during the simulation:
2024/01/18 16:30:50 wazuh-modulesd:vulnerability-scanner[4519] osDataCache.hpp:129 at getOsData(): DEBUG: Error querying Wazuh-DB: Empty response from Wazuh-DB

This error should not affect alert generation or event processing in the environment.

  • Syscollector messages do not account for whether the installation event previously sent has been processed. As a result, the simulator will consistently send install and delete events, potentially leading to the omission of certain alerts.

  • Different packages will produce varying numbers of alerts based on their vulnerabilities. Consideration should be given to adjusting default package lists for the simulation accordingly.

Uses cases

Basic Syscollector Package events 
> simulate-agents -a MANAGER_IP  -n 1 -t 10 -s 1 -m syscollector --debug
DEBUG:root:Registration - 1-bqzjVhAF9Xe5IiEP-debian8(076) in 172.31.0.65
DEBUG:root:Keep alive message = #!-Linux |agent-debian8 |3.16.0-9-amd64 |#1 SMP Debian 3.16.68-1 (2019-05-22) |x86_64 [Debian GNU/Linux|debian: 8 (jessie)] - Wazuh v4.2.0 / ab73af41699f13fdd81903b5f23d8d00
d6e3ac3e75ca0319af3e7c262776f331 merged.mg
#"_agent_ip":10.0.2.15

INFO:P115137:{'keepalive': {'status': 'enabled', 'frequency': 10.0}, 'fim': {'status': 'disabled', 'eps': 0}, 'fim_integrity': {'status': 'disabled', 'eps': 0}, 'syscollector': {'status': 'enabled', 'frequency': 60, 'eps': 1}, 'rootcheck': {'status': 'disabled', 'frequency': 60.0, 'eps': 0}, 'sca': {'status': 'disabled', 'frequency': 60, 'eps': 0}, 'hostinfo': {'status': 'disabled', 'eps': 0}, 'winevt': {'status': 'disabled', 'eps': 0}, 'logcollector': {'status': 'disabled', 'eps': 0}, 'receive_messages': {'status': 'enabled'}}
INFO:P115137:Waiting 0 seconds before sending EPS and keep-alive events
INFO:P115137:Starting 1 agents.
DEBUG:root:Starting - 1-bqzjVhAF9Xe5IiEP-debian8(076)(debian8) - keepalive
DEBUG:root:Starting - 1-bqzjVhAF9Xe5IiEP-debian8(076)(debian8) - syscollector
DEBUG:root:Starting - 1-bqzjVhAF9Xe5IiEP-debian8(076)(debian8) - receive_messages
DEBUG:root:Startup - 1-bqzjVhAF9Xe5IiEP-debian8(076)
DEBUG:root:Syscollector Event  - d:syscollector:{"type": "dbsync_packages", "data": {"architecture":"x86_64","checksum":"BRS64WHQHZ","description":"A low-level cryptographic library","format":"rpm","groups":"editors","install_time":"2024/01/10 00:00:00","item_id":"BRS64WHQHZ","location":"","multiarch":"null","name":"nettle","priority":"optional","scan_time":"2023/12/1915:32:25","size":"1","source":"vim","vendor":"Ubuntu Developers <[email protected]>","version":"2.7.1-9.el7_9"}, "operation": "INSERTED"}
DEBUG:root:Syscollector Event  - d:syscollector:{"type": "dbsync_packages", "data": {"architectu

Alerts:

{"timestamp":"2024-01-10T17:09:18.042+0000","rule":{"level":10,"description":"CVE-2015-8805 affects nettle","id":"23505","firedtimes":186,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"076","name":"1-bqzjVhAF9Xe5IiEP-debian8"},"manager":{"name":"ip-172-31-0-65"},"id":"1704906558.3989024951","cluster":{"name":"wazuh","node":"master"},"decoder":{"name":"json"},"data":{"vulnerability":{"assigner":"mitre","cve":"CVE-2015-8805","cvss":{"cvss2":{"base_score":"7.500000","vector":{"access_complexity":"LOW","authentication":"NONE","availability":"PARTIAL","confidentiality_impact":"PARTIAL","integrity_impact":"PARTIAL"}}},"cwe_reference":"CWE-310","enumeration":"CVE","package":{"architecture":"x86_64","condition":"Package less than 3.1.1-4ubuntu0.1","name":"nettle","source":"vim","version":"2.7.1-9.el7_9"},"published":"2016-02-23T19:59:03Z","rationale":"The ecc_256_modq function in ecc-256.c in Nettle before 3.2 does not properly handle carry propagation and produces incorrect output in its implementation of the P-256 NIST elliptic curve, which allows attackers to have unspecified impact via unknown vectors, a different vulnerability than CVE-2015-8803.","reference":"https://git.lysator.liu.se/nettle/nettle/commit/c71d2c9d20eeebb985e3872e4550137209e3ce4d, http://lists.opensuse.org/opensuse-updates/2016-02/msg00091.html, http://lists.opensuse.org/opensuse-updates/2016-02/msg00093.html, http://lists.opensuse.org/opensuse-updates/2016-02/msg00100.html, http://rhn.redhat.com/errata/RHSA-2016-2582.html, http://www.openwall.com/lists/oss-security/2016/02/02/2, http://www.openwall.com/lists/oss-security/2016/02/03/1, http://www.securityfocus.com/bid/84272, http://www.ubuntu.com/usn/USN-2897-1, https://blog.fuzzing-project.org/38-Miscomputations-of-elliptic-curve-scalar-multiplications-in-Nettle.html","severity":"High","status":"Active","title":"CVE-2015-8805 affects nettle","type":"Packages","updated":"2018-10-30T16:27:35Z"}},"location":"vulnerability-detector"}
{"timestamp":"2024-01-10T17:09:18.052+0000","rule":{"level":7,"description":"CVE-2016-6489 affects nettle","id":"23504","firedtimes":186,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"076","name":"1-bqzjVhAF9Xe5IiEP-debian8"},"manager":{"name":"ip-172-31-0-65"},"id":"1704906558.3989028685","cluster":{"name":"wazuh","node":"master"},"decoder":{"name":"json"},"data":{"vulnerability":{"assigner":"debian","cve":"CVE-2016-6489","cvss":{"cvss2":{"base_score":"5","vector":{"access_complexity":"LOW","authentication":"NONE","availability":"NONE","confidentiality_impact":"PARTIAL","integrity_impact":"NONE"}}},"cwe_reference":"CWE-203","enumeration":"CVE","package":{"architecture":"x86_64","condition":"Package less than 3.2-1ubuntu0.16.04.1","name":"nettle","source":"vim","version":"2.7.1-9.el7_9"},"published":"2017-04-14T18:59:00Z","rationale":"The RSA and DSA decryption code in Nettle makes it easier for attackers to discover private keys via a cache side channel attack.","reference":"https://bugzilla.redhat.com/show_bug.cgi?id=1362016, http://www.openwall.com/lists/oss-security/2016/07/29/7, https://git.lysator.liu.se/nettle/nettle/commit/3fe1d6549765ecfb24f0b80b2ed086fdc818bff3, https://eprint.iacr.org/2016/596.pdf, http://www.ubuntu.com/usn/USN-3193-1, https://security.gentoo.org/glsa/201706-21, https://www.oracle.com/security-alerts/cpuapr2020.html, http://rhn.redhat.com/errata/RHSA-2016-2582.html","severity":"Medium","status":"Active","title":"CVE-2016-6489 affects nettle","type":"Packages","updated":"2020-11-16T20:20:41Z"}},"location":"vulnerability-detector"}
Legacy Syscollector format 
> simulate-agents -a MANAGER_IP  -n 1 -t 30 -s 1 -m syscollector --debug --syscollector-legacy-messages
DEBUG:root:Registration - 1-1rTIP9V0wN5bmkOJ-debian8(079) in 172.31.0.65
DEBUG:root:Keep alive message = #!-Linux |agent-debian8 |3.16.0-9-amd64 |#1 SMP Debian 3.16.68-1 (2019-05-22) |x86_64 [Debian GNU/Linux|debian: 8 (jessie)] - Wazuh v4.2.0 / ab73af41699f13fdd81903b5f23d8d00
d6e3ac3e75ca0319af3e7c262776f331 merged.mg
#"_agent_ip":10.0.2.15

INFO:P116405:{'keepalive': {'status': 'enabled', 'frequency': 10.0}, 'fim': {'status': 'disabled', 'eps': 0}, 'fim_integrity': {'status': 'disabled', 'eps': 0}, 'syscollector': {'status': 'enabled', 'frequency': 60, 'eps': 1}, 'rootcheck': {'status': 'disabled', 'frequency': 60.0, 'eps': 0}, 'sca': {'status': 'disabled', 'frequency': 60, 'eps': 0}, 'hostinfo': {'status': 'disabled', 'eps': 0}, 'winevt': {'status': 'disabled', 'eps': 0}, 'logcollector': {'status': 'disabled', 'eps': 0}, 'receive_messages': {'status': 'enabled'}}
INFO:P116405:Waiting 0 seconds before sending EPS and keep-alive events
INFO:P116405:Starting 1 agents.
DEBUG:root:Starting - 1-1rTIP9V0wN5bmkOJ-debian8(079)(debian8) - keepalive
DEBUG:root:Starting - 1-1rTIP9V0wN5bmkOJ-debian8(079)(debian8) - syscollector
DEBUG:root:Starting - 1-1rTIP9V0wN5bmkOJ-debian8(079)(debian8) - receive_messages
DEBUG:root:Startup - 1-1rTIP9V0wN5bmkOJ-debian8(079)
DEBUG:root:KeepAlive - 1-1rTIP9V0wN5bmkOJ-debian8(079)
DEBUG:root:Syscollector Event  - d:syscollector:{"type":"packages","ID":1,"timestamp":"2024/01/10 00:00:00","program":{"format":"rpm","name":"V20QQSTO02","description":"JSON::XS compatible pure-Perl module","size":126,"vendor":"CentOS","group":"Unspecified","architecture":"noarch","source":"perl-JSON-PP-2.97.001-3.el8.src.rpm","install_time":"2021/03/12 12:23:17","version":"1:2.97.001-3.el8"}}
DEBUG:root:Syscollector Event  - d:syscollector:{"type":"packages","ID":2,"timestamp":"2024/01/10 00:00:00","program":{"format":"rpm","name":"KCI3

Manager Log

2024/01/10 17:14:03 :router: ERROR: Error sending message to provider: Error parsing message, 1: 135: error: unknown enum value: packages
2024/01/10 17:14:04 :router: ERROR: Error sending message to provider: Error parsing message, 1: 135: error: unknown enum value: packages
2024/01/10 17:14:05 :router: ERROR: Error sending message to provider: Error parsing message, 1: 135: error: unknown enum value: packages
2024/01/10 17:14:06 :router: ERROR: Error sending message to provider: Error parsing message, 1: 135: error: unknown enum value: packages
2024/01/10 17:14:07 :router: ERROR: Error sending message to provider: Error parsing message, 1: 135: error: unknown enum value: packages
2024/01/10 17:14:08 :router: ERROR: Error sending message to provider: Error parsing message, 1: 135: error: unknown enum value: packages
2024/01/10 17:14:09 :router: ERROR: Error sending message to provider: Error parsing message, 1: 135: error: unknown enum value: packages
2024/01/10 17:14:10 :router: ERROR: Error sending message to provider: Error parsing message, 1: 135: error: unknown enum value: packages
2024/01/10 17:14:11 :router: ERROR: Error sending message to provider: Error parsing message, 1: 135: error: unknown enum value: packages
2024/01/10 17:14:12 :router: ERROR: Error sending message to provider: Error parsing message, 1: 135: error: unknown enum value: packages
2024/01/10 17:14:13 :router: ERROR: Error sending message to provider: Error parsing message, 1: 135: error: unknown enum value: packages
2024/01/10 17:14:14 :router: ERROR: Error sending message to provider: Error parsing message, 1: 135: error: unknown enum value: packages
Syscollector messages with custom frequency

simulate-agents -a 172.31.0.65 -n 1 -t 120 -s 1 -m syscollector --debug --syscollector-frequency 1
DEBUG:root:Registration - 1-wGhgYVvCcX2ZSWkR-debian8(080) in 172.31.0.65
DEBUG:root:Keep alive message = #!-Linux |agent-debian8 |3.16.0-9-amd64 |#1 SMP Debian 3.16.68-1 (2019-05-22) |x86_64 [Debian GNU/Linux|debian: 8 (jessie)] - Wazuh v4.2.0 / ab73af41699f13fdd81903b5f23d8d00
d6e3ac3e75ca0319af3e7c262776f331 merged.mg
#"_agent_ip":10.0.2.15

INFO:P116973:{'keepalive': {'status': 'enabled', 'frequency': 10.0}, 'fim': {'status': 'disabled', 'eps': 0}, 'fim_integrity': {'status': 'disabled', 'eps': 0}, 'syscollector': {'status': 'enabled', 'frequency': 1, 'eps': 1}, 'rootcheck': {'status': 'disabled', 'frequency': 60.0, 'eps': 0}, 'sca': {'status': 'disabled', 'frequency': 60, 'eps': 0}, 'hostinfo': {'status': 'disabled', 'eps': 0}, 'winevt': {'status': 'disabled', 'eps': 0}, 'logcollector': {'status': 'disabled', 'eps': 0}, 'receive_messages': {'status': 'enabled'}}
INFO:P116973:Waiting 0 seconds before sending EPS and keep-alive events
INFO:P116973:Starting 1 agents.
DEBUG:root:Starting - 1-wGhgYVvCcX2ZSWkR-debian8(080)(debian8) - keepalive
DEBUG:root:Starting - 1-wGhgYVvCcX2ZSWkR-debian8(080)(debian8) - syscollector
DEBUG:root:Starting - 1-wGhgYVvCcX2ZSWkR-debian8(080)(debian8) - receive_messages
DEBUG:root:Startup - 1-wGhgYVvCcX2ZSWkR-debian8(080)
DEBUG:root:KeepAlive - 1-wGhgYVvCcX2ZSWkR-debian8(080)
DEBUG:root:Syscollector Event - d:syscollector:{"type": "dbsync_packages", "data": {"architecture":"x86_64","checksum":"HEKIXBOS6T","description":"A low-level cryptographic library","format":"rpm","groups":"editors","install_time":"2024/01/10 00:00:00","item_id":"HEKIXBOS6T","location":"","multiarch":"null","name":"nettle","priority":"optional","scan_time":"2023/12/1915:32:25","size":"1","source":"vim","vendor":"Ubuntu Developers [email protected]","version":"2.7.1-9.el7_9"}, "operation": "INSERTED"}
DEBUG:root:Syscollector Event - d:syscollector:{"type": "dbsync_packages", "data": {"architecture":"x86_64","checksum":"4Z6ECR3GOG","description":"A low-level cryptographic library","format":"rpm","groups":"editors","install_time":"2024/01/10 00:00:00","item_id":"4Z6ECR3GOG","location":"","multiarch":"null","name":"nettle","priority":"optional","scan_time":"2023/12/1915:32:25","size":"2","source":"vim","vendor":"Ubuntu Developers [email protected]","version":"2.7.1-9.el7_9"}, "operation": "INSERTED"}

Custom Syscollector Types events 
> simulate-agents -a MANAGER_IP  -n 1 -t 500 -s 1 -m syscollector --syscollector-event-types 'packages ports network' --debug
DEBUG:root:Registration - 1-ySTO8LtVpBioIrJh-debian8(083) in 172.31.0.65
DEBUG:root:Keep alive message = #!-Linux |agent-debian8 |3.16.0-9-amd64 |#1 SMP Debian 3.16.68-1 (2019-05-22) |x86_64 [Debian GNU/Linux|debian: 8 (jessie)] - Wazuh v4.2.0 / ab73af41699f13fdd81903b5f23d8d00
d6e3ac3e75ca0319af3e7c262776f331 merged.mg
#"_agent_ip":10.0.2.15

INFO:P118261:{'keepalive': {'status': 'enabled', 'frequency': 10.0}, 'fim': {'status': 'disabled', 'eps': 0}, 'fim_integrity': {'status': 'disabled', 'eps': 0}, 'syscollector': {'status': 'enabled', 'frequency': 60, 'eps': 1}, 'rootcheck': {'status': 'disabled', 'frequency': 60.0, 'eps': 0}, 'sca': {'status': 'disabled', 'frequency': 60, 'eps': 0}, 'hostinfo': {'status': 'disabled', 'eps': 0}, 'winevt': {'status': 'disabled', 'eps': 0}, 'logcollector': {'status': 'disabled', 'eps': 0}, 'receive_messages': {'status': 'enabled'}}
INFO:P118261:Waiting 0 seconds before sending EPS and keep-alive events
INFO:P118261:Starting 1 agents.
DEBUG:root:Starting - 1-ySTO8LtVpBioIrJh-debian8(083)(debian8) - keepalive
DEBUG:root:Starting - 1-ySTO8LtVpBioIrJh-debian8(083)(debian8) - syscollector
DEBUG:root:Starting - 1-ySTO8LtVpBioIrJh-debian8(083)(debian8) - receive_messages
DEBUG:root:Startup - 1-ySTO8LtVpBioIrJh-debian8(083)
DEBUG:root:KeepAlive - 1-ySTO8LtVpBioIrJh-debian8(083)
DEBUG:root:Syscollector Event  - d:syscollector:{"type": "dbsync_packages", "data": {"architecture":"x86_64","checksum":"LK8VO2TVRU","description":"A low-level cryptographic library","format":"rpm","groups":"editors","install_time":"2024/01/10 00:00:00","item_id":"LK8VO2TVRU","location":"","multiarch":"null","name":"nettle","priority":"optional","scan_time":"2023/12/1915:32:25","size":"1","source":"vim","vendor":"Ubuntu Developers <[email protected]>","version":"2.7.1-9.el7_9"}, "operation": "INSERTED"}
DEBUG:root:Syscollector Event  - d:syscollector:{"type": "dbsync_packages", "data": {"architecture":"x86_64","checksum":"HIURVR7M2O","description":"A low-level cryptographic library","format":"rpm","groups":"editors","install_time":"2024/01/10 00:00:00","item_id":"HIURVR7M2O","location":"","multiarch":"null","name":"nettle","priority":"optional","scan_time":"2023/12/1915:32:25","size":"2","source":"vim","vendor":"Ubuntu Developers <[email protected]>","version":"2.7.1-9.el7_9"}, "operation": "INSERTED"}
DEBUG:root:Syscollector Event  - d:syscollector:{"type": "dbsync_packages", "data": {"architecture":"x86_64","checksum":"5SWP41O9LJ","description":"A low-level cryptographic library","format":"rpm","groups":"editors","install_time":"2024/01/10 00:00:00","item_id":"5SWP41O9LJ","location":"","multiarch":"null","name":"nettle","priority":"optional","scan_time":"2023/12/1915:32:25","size":"3","source":"vim","vendor":"Ubuntu Developers <[email protected]>","version":"2.7.1-9.el7_9"}, "operation": "INSERTED"}
DEBUG:root:Syscollector Event  - d:syscollector:{"type": "dbsync_packages", "data": {"architecture":"x86_64","checksum":"CAERI1ZXH8","description":"A low-level cryptographic library","format":"rpm","groups":"editors","install_time":"2024/01/10 00:00:00","item_id":"CAERI1ZXH8","location":"","multiarch":"null","name":"nettle","priority":"optional","scan_time":"2023/12/1915:32:25","size":"4","source":"vim","vendor":"Ubuntu Developers <[email protected]>","version":"2.7.1-9.el7_9"}, "operation": "INSERTED"}
DEBUG:root:Syscollector Event  - d:syscollector:{"type": "dbsync_packages", "data": {"architecture":"x86_64","checksum":"07SYGDD1OV","description":"A low-level cryptographic library","format":"rpm","groups":"editors","install_time":"2024/01/10 00:00:00","item_id":"07SYGDD1OV","location":"","multiarch":"null","name":"nettle","priority":"optional","scan_time":"2023/12/1915:32:25","size":"5","source":"vim","vendor":"Ubuntu Developers <[email protected]>","version":"2.7.1-9.el7_9"}, "operation": "INSERTED"}
DEBUG:root:Syscollector Event  - d:syscollector:{"type": "dbsync_packages", "data": {"architecture":"x86_64","checksum":"ZNRILVJV2O","description":"A low-level cryptographic library","format":"rpm","groups":"editors","install_time":"2024/01/10 00:00:00","item_id":"ZNRILVJV2O","location":"","multiarch":"null","name":"nettle","priority":"optional","scan_time":"2023/12/1915:32:25","size":"6","source":"vim","vendor":"Ubuntu Developers <[email protected]>","version":"2.7.1-9.el7_9"}, "operation": "INSERTED"}
DEBUG:root:Syscollector Event  - d:syscollector:{"type": "dbsync_packages", "data": {"architecture":"x86_64","checksum":"7KYGH75A73","description":"A low-level cryptographic library","format":"rpm","groups":"editors","install_time":"2024/01/10 00:00:00","item_id":"7KYGH75A73","location":"","multiarch":"null","name":"nettle","priority":"optional","scan_time":"2023/12/1915:32:25","size":"7","source":"vim","vendor":"Ubuntu Developers <[email protected]>","version":"2.7.1-9.el7_9"}, "operation": "INSERTED"}
DEBUG:root:Syscollector Event  - d:syscollector:{"type": "dbsync_packages", "data": {"architecture":"x86_64","checksum":"9R2R2R4MEF","description":"A low-level cryptographic library","format":"rpm","groups":"editors","install_time":"2024/01/10 00:00:00","item_id":"9R2R2R4MEF","location":"","multiarch":"null","name":"nettle","priority":"optional","scan_time":"2023/12/1915:32:25","size":"8","source":"vim","vendor":"Ubuntu Developers <[email protected]>","version":"2.7.1-9.el7_9"}, "operation": "INSERTED"}
DEBUG:root:Syscollector Event  - d:syscollector:{"type": "dbsync_packages", "data": {"architecture":"x86_64","checksum":"W0YOCG43Q1","description":"A low-level cryptographic library","format":"rpm","groups":"editors","install_time":"2024/01/10 00:00:00","item_id":"W0YOCG43Q1","location":"","multiarch":"null","name":"nettle","priority":"optional","scan_time":"2023/12/1915:32:25","size":"9","source":"vim","vendor":"Ubuntu Developers <[email protected]>","version":"2.7.1-9.el7_9"}, "operation": "INSERTED"}
DEBUG:root:Syscollector Event  - d:syscollector:{"type": "dbsync_packages", "data": {"architecture":"x86_64","checksum":"L4N4B7WCT3","description":"A low-level cryptographic library","format":"rpm","groups":"editors","install_time":"2024/01/10 00:00:00","item_id":"L4N4B7WCT3","location":"","multiarch":"null","name":"nettle","priority":"optional","scan_time":"2023/12/1915:32:25","size":"10","source":"vim","vendor":"Ubuntu Developers <[email protected]>","version":"2.7.1-9.el7_9"}, "operation": "INSERTED"}
DEBUG:root:Syscollector Event  - d:syscollector:{"type": "dbsync_ports", "data": {"checksum":"S42984ZCKE","item_id":"S42984ZCKE","local_ip":"0.0.0.0","local_port":"11","pid":"11","process":"NULL","protocol":"tcp","remote_ip":"0.0.0.0","remote_port":"11","rx_queue":"11","scan_time":"2024/01/10 00:00:00","state":"listening","tx_queue":"11"}, "operation": "MODIFIED"}
DEBUG:root:KeepAlive - 1-ySTO8LtVpBioIrJh-debian8(083)
DEBUG:root:Syscollector Event  - d:syscollector:{"type": "dbsync_ports", "data": {"checksum":"ANYBWMIZ1Q","item_id":"ANYBWMIZ1Q","local_ip":"0.0.0.0","local_port":"12","pid":"12","process":"NULL","protocol":"tcp","remote_ip":"0.0.0.0","remote_port":"12","rx_queue":"12","scan_time":"2024/01/10 00:00:00","state":"listening","tx_queue":"12"}, "operation": "MODIFIED"}
DEBUG:root:Syscollector Event  - d:syscollector:{"type": "dbsync_ports", "data": {"checksum":"T0IXYZOCA0","item_id":"T0IXYZOCA0","local_ip":"0.0.0.0","local_port":"13","pid":"13","process":"NULL","protocol":"tcp","remote_ip":"0.0.0.0","remote_port":"13","rx_queue":"13","scan_time":"2024/01/10 00:00:00","state":"listening","tx_queue":"13"}, "operation": "MODIFIED"}
DEBUG:root:Syscollector Event  - d:syscollector:{"type": "dbsync_ports", "data": {"checksum":"03B4FHYFCT","item_id":"03B4FHYFCT","local_ip":"0.0.0.0","local_port":"14","pid":"14","process":"NULL","protocol":"tcp","remote_ip":"0.0.0.0","remote_port":"14","rx_queue":"14","scan_time":"2024/01/10 00:00:00","state":"listening","tx_queue":"14"}, "operation": "MODIFIED"}
DEBUG:root:Syscollector Event  - d:syscollector:{"type": "dbsync_ports", "data": {"checksum":"J2TNQ8RBWK","item_id":"J2TNQ8RBWK","local_ip":"0.0.0.0","local_port":"15","pid":"15","process":"NULL","protocol":"tcp","remote_ip":"0.0.0.0","remote_port":"15","rx_queue":"15","scan_time":"2024/01/10 00:00:00","state":"listening","tx_queue":"15"}, "operation": "MODIFIED"}
DEBUG:root:Syscollector Event  - d:syscollector:{"type": "dbsync_ports", "data": {"checksum":"B44MXO3OCR","item_id":"B44MXO3OCR","local_ip":"0.0.0.0","local_port":"16","pid":"16","process":"NULL","protocol":"tcp","remote_ip":"0.0.0.0","remote_port":"16","rx_queue":"16","scan_time":"2024/01/10 00:00:00","state":"listening","tx_queue":"16"}, "operation": "MODIFIED"}
DEBUG:root:Syscollector Event  - d:syscollector:{"type": "dbsync_ports", "data": {"checksum":"OY2YOSQ133","item_id":"OY2YOSQ133","local_ip":"0.0.0.0","local_port":"17","pid":"17","process":"NULL","protocol":"tcp","remote_ip":"0.0.0.0","remote_port":"17","rx_queue":"17","scan_time":"2024/01/10 00:00:00","state":"listening","tx_queue":"17"}, "operation": "MODIFIED"}
DEBUG:root:Syscollector Event  - d:syscollector:{"type": "dbsync_ports", "data": {"checksum":"3DMMZDAWBO","item_id":"3DMMZDAWBO","local_ip":"0.0.0.0","local_port":"18","pid":"18","process":"NULL","protocol":"tcp","remote_ip":"0.0.0.0","remote_port":"18","rx_queue":"18","scan_time":"2024/01/10 00:00:00","state":"listening","tx_queue":"18"}, "operation": "MODIFIED"}
DEBUG:root:Syscollector Event  - d:syscollector:{"type": "dbsync_ports", "data": {"checksum":"E2DZWE0XOD","item_id":"E2DZWE0XOD","local_ip":"0.0.0.0","local_port":"19","pid":"19","process":"NULL","protocol":"tcp","remote_ip":"0.0.0.0","remote_port":"19","rx_queue":"19","scan_time":"2024/01/10 00:00:00","state":"listening","tx_queue":"19"}, "operation": "MODIFIED"}
DEBUG:root:Syscollector Event  - d:syscollector:{"type": "dbsync_ports", "data": {"checksum":"C3QWBLW2TZ","item_id":"C3QWBLW2TZ","local_ip":"0.0.0.0","local_port":"20","pid":"20","process":"NULL","protocol":"tcp","remote_ip":"0.0.0.0","remote_port":"20","rx_queue":"20","scan_time":"2024/01/10 00:00:00","state":"listening","tx_queue":"20"}, "operation": "MODIFIED"}
DEBUG:root:Syscollector Event  - d:syscollector:{"type": "dbsync_network_iface", "data": {"adapter":null,"checksum":"21","item_id":"21","mac":"21","mtu":"21","name":"21","rx_bytes":"21","rx_dropped":"21","rx_errors":"21","rx_packets":"21","scan_time":"2024/01/10 00:00:00","state":"21","tx_bytes":"21","tx_dropped":"21","tx_errors":"21","tx_packets":"21","type":"21"}, "operation": "MODIFIED"}
DEBUG:root:KeepAlive - 1-ySTO8LtVpBioIrJh-debian8(083)
DEBUG:root:Syscollector Event  - d:syscollector:{"type": "dbsync_network_iface", "data": {"adapter":null,"checksum":"22","item_id":"22","mac":"22","mtu":"22","name":"22","rx_bytes":"22","rx_dropped":"22","rx_errors":"22","rx_packets":"22","scan_time":"2024/01/10 00:00:00","state":"22","tx_bytes":"22","tx_dropped":"22","tx_errors":"22","tx_packets":"22","type":"22"}, "operation": "MODIFIED"}
DEBUG:root:Syscollector Event  - d:syscollector:{"type": "dbsync_network_iface", "data": {"adapter":null,"checksum":"23","item_id":"23","mac":"23","mtu":"23","name":"23","rx_bytes":"23","rx_dropped":"23","rx_errors":"23","rx_packets":"23","scan_time":"2024/01/10 00:00:00","state":"23","tx_bytes":"23","tx_dropped":"23","tx_errors":"23","tx_packets":"23","type":"23"}, "operation": "MODIFIED"}
DEBUG:root:Syscollector Event  - d:syscollector:{"type": "dbsync_network_iface", "data": {"adapter":null,"checksum":"24","item_id":"24","mac":"24","mtu":"24","name":"24","rx_bytes":"24","rx_dropped":"24","rx_errors":"24","rx_packets":"24","scan_time":"2024/01/10 00:00:00","state":"24","tx_bytes":"24","tx_dropped":"24","tx_errors":"24","tx_packets":"24","type":"24"}, "operation": "MODIFIED"}
DEBUG:root:Syscollector Event  - d:syscollector:{"type": "dbsync_network_iface", "data": {"adapter":null,"checksum":"25","item_id":"25","mac":"25","mtu":"25","name":"25","rx_bytes":"25","rx_dropped":"25","rx_errors":"25","rx_packets":"25","scan_time":"2024/01/10 00:00:00","state":"25","tx_bytes":"25","tx_dropped":"25","tx_errors":"25","tx_packets":"25","type":"25"}, "operation": "MODIFIED"}
DEBUG:root:Syscollector Event  - d:syscollector:{"type": "dbsync_network_iface", "data": {"adapter":null,"checksum":"26","item_id":"26","mac":"26","mtu":"26","name":"26","rx_bytes":"26","rx_dropped":"26","rx_errors":"26","rx_packets":"26","scan_time":"2024/01/10 00:00:00","state":"26","tx_bytes":"26","tx_dropped":"26","tx_errors":"26","tx_packets":"26","type":"26"}, "operation": "MODIFIED"}
DEBUG:root:Syscollector Event  - d:syscollector:{"type": "dbsync_network_iface", "data": {"adapter":null,"checksum":"27","item_id":"27","mac":"27","mtu":"27","name":"27","rx_bytes":"27","rx_dropped":"27","rx_errors":"27","rx_packets":"27","scan_time":"2024/01/10 00:00:00","state":"27","tx_bytes":"27","tx_dropped":"27","tx_errors":"27","tx_packets":"27","type":"27"}, "operation": "MODIFIED"}
DEBUG:root:Syscollector Event  - d:syscollector:{"type": "dbsync_network_iface", "data": {"adapter":null,"checksum":"28","item_id":"28","mac":"28","mtu":"28","name":"28","rx_bytes":"28","rx_dropped":"28","rx_errors":"28","rx_packets":"28","scan_time":"2024/01/10 00:00:00","state":"28","tx_bytes":"28","tx_dropped":"28","tx_errors":"28","tx_packets":"28","type":"28"}, "operation": "MODIFIED"}
DEBUG:root:Syscollector Event  - d:syscollector:{"type": "dbsync_network_iface", "data": {"adapter":null,"checksum":"29","item_id":"29","mac":"29","mtu":"29","name":"29","rx_bytes":"29","rx_dropped":"29","rx_errors":"29","rx_packets":"29","scan_time":"2024/01/10 00:00:00","state":"29","tx_bytes":"29","tx_dropped":"29","tx_errors":"29","tx_packets":"29","type":"29"}, "operation": "MODIFIED"}

Validation

Local: analysisd.zip

Rebits added 19 commits January 9, 2024 16:09
@Rebits
feat: support new syscollector format
61831e0
@Rebits
fix: syscollector messages structure AS
c0323df
@Rebits
refac: GeneratorSyscollector
bf0eb17
@Rebits
refac: remove debugging messages
c6cf331
@Rebits
style: remove extra whitespaces in syscollector module
081be17
@Rebits
feat: include debug option in simulate_agents
06b8de3
@Rebits
docs: include available syscollector types
90d09c4
@Rebits
style: fix imports in agent simulator
591958f
@Rebits
style: sort simulate agents imports
d92aff2
@Rebits
style: refactor agent creation
a5fdbb8
@Rebits
Merge pull request #4831 from wazuh/enhanchement/4783-syscollector-fo…
059cf52 
…rmat-messages

Update Agent Simulator Syscollector format messages
@Rebits
feat: include delete package operations in AG Syscollector messages
574ce1e
@Rebits
fix: remove debug messages
fb82a3b
@Rebits
feat: include content snapshot parsing script
53dc3aa
@Rebits
feat: increase default packages to 10
542c492
@Rebits
style: remove nonused default package list
be408be
@Rebits
refac: remove intermediate var
b1a3c22
@Rebits
fix: unmatched package index
c79b414
@Rebits
Merge pull request #4842 from wazuh/enhanchement/4794-include-syscoll…
8558f93 
…ector-deletion-package-operation

Include Syscollector delta delete package operation support for the agent simulator
@Rebits Rebits self-assigned this Jan 17, 2024
@Rebits Rebits linked an issue Jan 17, 2024 that may be closed by this pull request
Adapt agent simulator in order to generate Vulnerability detector alerts #4781
Closed
4 tasks
@Rebits Rebits mentioned this pull request Jan 17, 2024
Closed
4 tasks
@Rebits Rebits marked this pull request as ready for review January 18, 2024 18:39
Deblintrake09
Deblintrake09 approved these changes Jan 19, 2024
View reviewed changes
Copy link
Contributor

@Deblintrake09 Deblintrake09 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

GJ @Rebits! LGTM!

@davidjiglesias davidjiglesias merged commit 8df2ac4 into 4.8.0 Jan 24, 2024
2 of 4 checks passed
@davidjiglesias davidjiglesias deleted the enhanchement/4781-adapt-syscollector-agent-simulator branch January 24, 2024 16:47
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@Deblintrake09 Deblintrake09 Deblintrake09 approved these changes

Assignees

@Rebits Rebits

Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Adapt agent simulator in order to generate Vulnerability detector alerts
3 participants
@Rebits @Deblintrake09 @davidjiglesias