Adapt agent simulator in order to generate Vulnerability detector alerts #4868
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Description
This pull request addresses the need for performance testing to evaluate the effectiveness of the newly refactored vulnerability detector. The proposed changes involve adapting the Agent Simulator module to accommodate the latest updates in this regard.
Main Changes
Simulate Agents Script Enhancements
The simulate agents script has been enhanced to provide more flexibility in syscollector message generation. Some of the new options include:
--debug
: Enable debug mode.--syscollector-frequency
: Set syscollector frequency.--syscollector-event-type
: Specify syscollector event type.--syscollector-legacy-messages
: Enable legacy syscollector messages.--syscollector-packages-list-file
: Set the syscollector packages file to be used in agent simulation.Syscollector message simulator design
Currently, the simulate agent command sends package Syscollector event types by default. The proposed simulation of package events is outlined as follows:
Syscollector Message Simulator Design
Syscollector messages do not account for whether the installation event previously sent has been processed. As a result, the simulator will consistently send install and delete events, potentially leading to the omission of certain alerts.
Different packages will produce varying numbers of alerts based on their vulnerabilities. Consideration should be given to adjusting default package lists for the simulation accordingly.
Uses cases
Basic Syscollector Package events
Alerts:
Legacy Syscollector format
Manager Log
Syscollector messages with custom frequency
simulate-agents -a 172.31.0.65 -n 1 -t 120 -s 1 -m syscollector --debug --syscollector-frequency 1
DEBUG:root:Registration - 1-wGhgYVvCcX2ZSWkR-debian8(080) in 172.31.0.65
DEBUG:root:Keep alive message = #!-Linux |agent-debian8 |3.16.0-9-amd64 |#1 SMP Debian 3.16.68-1 (2019-05-22) |x86_64 [Debian GNU/Linux|debian: 8 (jessie)] - Wazuh v4.2.0 / ab73af41699f13fdd81903b5f23d8d00
d6e3ac3e75ca0319af3e7c262776f331 merged.mg
#"_agent_ip":10.0.2.15
INFO:P116973:{'keepalive': {'status': 'enabled', 'frequency': 10.0}, 'fim': {'status': 'disabled', 'eps': 0}, 'fim_integrity': {'status': 'disabled', 'eps': 0}, 'syscollector': {'status': 'enabled', 'frequency': 1, 'eps': 1}, 'rootcheck': {'status': 'disabled', 'frequency': 60.0, 'eps': 0}, 'sca': {'status': 'disabled', 'frequency': 60, 'eps': 0}, 'hostinfo': {'status': 'disabled', 'eps': 0}, 'winevt': {'status': 'disabled', 'eps': 0}, 'logcollector': {'status': 'disabled', 'eps': 0}, 'receive_messages': {'status': 'enabled'}}
INFO:P116973:Waiting 0 seconds before sending EPS and keep-alive events
INFO:P116973:Starting 1 agents.
DEBUG:root:Starting - 1-wGhgYVvCcX2ZSWkR-debian8(080)(debian8) - keepalive
DEBUG:root:Starting - 1-wGhgYVvCcX2ZSWkR-debian8(080)(debian8) - syscollector
DEBUG:root:Starting - 1-wGhgYVvCcX2ZSWkR-debian8(080)(debian8) - receive_messages
DEBUG:root:Startup - 1-wGhgYVvCcX2ZSWkR-debian8(080)
DEBUG:root:KeepAlive - 1-wGhgYVvCcX2ZSWkR-debian8(080)
DEBUG:root:Syscollector Event - d:syscollector:{"type": "dbsync_packages", "data": {"architecture":"x86_64","checksum":"HEKIXBOS6T","description":"A low-level cryptographic library","format":"rpm","groups":"editors","install_time":"2024/01/10 00:00:00","item_id":"HEKIXBOS6T","location":"","multiarch":"null","name":"nettle","priority":"optional","scan_time":"2023/12/1915:32:25","size":"1","source":"vim","vendor":"Ubuntu Developers [email protected]","version":"2.7.1-9.el7_9"}, "operation": "INSERTED"}
DEBUG:root:Syscollector Event - d:syscollector:{"type": "dbsync_packages", "data": {"architecture":"x86_64","checksum":"4Z6ECR3GOG","description":"A low-level cryptographic library","format":"rpm","groups":"editors","install_time":"2024/01/10 00:00:00","item_id":"4Z6ECR3GOG","location":"","multiarch":"null","name":"nettle","priority":"optional","scan_time":"2023/12/1915:32:25","size":"2","source":"vim","vendor":"Ubuntu Developers [email protected]","version":"2.7.1-9.el7_9"}, "operation": "INSERTED"}
Custom Syscollector Types events
Validation
Local: analysisd.zip