Whids service crash

Question

Whids service crash

xoverride opened this issue 2 years ago · comments

xoverride commented 2 years ago

Version: v1.8.0-beta.6
OS: Windows 10 19044 (VM)

Behavior:
Whids service restarted after an MS-Defender detection event.

Screenshot:

Quentin JEROME · Answer 1 · Wed Aug 03 2022 20:25:48 GMT+0800 (China Standard Time)

Hey @RickyXwang,

I think beta.6 still suffered from one issue, the service kills itself !
I did some changes since beta.6 regarding that issue, I'll push a new release soon so that you can try it out.
I just hope this is not MS Defender which actually killed it !

Thanks for raising that issue,

Cheers,

Quentin JEROME · Answer 2 · Wed Aug 03 2022 20:36:54 GMT+0800 (China Standard Time)

Just published a new beta release (https://github.com/0xrawsec/whids/releases/tag/v1.8.0-beta.7), could you please try it out and tell me if the issue is still there ?
Thank in advance,

xoverride · Answer 3 · Wed Aug 03 2022 22:54:18 GMT+0800 (China Standard Time)

Hi @qjerome,
I am getting this error with this new beta build when running the Linux manager.

./whids-man-v1.8.0-beta.7-amd64 -h          
./whids-man-v1.8.0-beta.7-amd64: /lib/x86_64-linux-gnu/libc.so.6: version `GLIBC_2.34' not found (required by ./whids-man-v1.8.0-beta.7-amd64)

I believe that my glib version is /usr/lib32/libc.so.6 -> libc-2.33.so

Quentin JEROME · Answer 4 · Thu Aug 04 2022 20:52:49 GMT+0800 (China Standard Time)

Hi @RickyXwang,

Maybe that is something of the latest go compiler, and maybe due to the machine I compiled it from !
Something you can try is to clone the repo and compile it on your own, it should be pretty straightforward.

# from repository directory
cd utilities/manager
make

Please let me know if that solution solved your issue.
Do you still get the agent stop issue with this new beta ?

xoverride · Answer 5 · Fri Aug 05 2022 00:31:51 GMT+0800 (China Standard Time)

Yes, compiled and the manager work.
With bata.7 I don't see the agent stop issue.
However, no event/report gets generated after events such as DefenderMalwareDetected (1116).

Quentin JEROME · Answer 6 · Fri Aug 05 2022 03:41:21 GMT+0800 (China Standard Time)

Great if the issue you've opened the GH issue for is fixed !
whids.log only logs agent's functional logs, neither alerts nor the events you want to filter-in.

The other thing you have to know is that a detection get logged:

if there is at least one rule loaded in the engine to trigger a detection on that event
if the event got a criticality above "criticality-threshold" configured in the agent configuration. Criticality of the event is defined by the sum of all the rules' criticality matching the event (bounded to 10, the maximum criticality).

In order to investigate the detections (or events filtered-in) there are two ways:

If the agent is not connected to a manager detection logs are stored inside directory configured in agent's config.toml file under item forwarder->logging->dir
If the agent is connected to a manager, which seems to be your case, logs are stored on manager's side and gets deleted from the endpoint as soon as they get sent. You can query those logs, either by using the REST API https://validator.swagger.io/?url=https://raw.githubusercontent.com/0xrawsec/whids/master/doc/admin.openapi.json, or the hardcore way by looking inside the log storage directory (as configured in manager's configuration).

NB: something I did not mentioned ! In order for the agent to work properly the endpoint needs to be rebooted after agent's installation.

Hope you manage to get the logs you are looking for :)

xoverride · Answer 7 · Fri Aug 05 2022 23:01:11 GMT+0800 (China Standard Time)

@qjerome Thanks for the response. Let me open a new issue for the not logging.