Do not alert if two conditions are met


Lautaro Nahuel

Jan 18, 2022, 7:31:59 PM
to ossec-list
Hello, how are you?

I'm new to this, and I don't fully understand the rules.
Predefined rule example:

<group name="syslog,attacks,">
  <rule id="40101" level="12">
    <if_group>authentication_success</if_group>
    <user>$SYS_USERS</user>
    <description>System user successfully logged to the system.</description>
    <mitre>
      <id>T1078</id>
    </mitre>
    <group>invalid_login,pci_dss_10.2.4,pci_dss_10.2.5,gpg13_7.8,gdpr_IV_35.7.d,gdpr_IV_32.2,hipaa_164.312.b,nist_800_53_AU.14,nist_800_53_AC.7,tsc_$ </rule>

I would like to create an exception so that it doesn't raise alerts when events are fired from XX.XX.XX.XX and JHON (user).

What I try to do:

<group name="test,">
  <rule id="110001" level="0">
    <if_sid>40101</if_sid>
    <match>user JHON</match>
    <srcip>XX.XX.XX.XX</srcip>
    <description>No alert.</description>
  </rule>
</group>

How do I indicate that it should not alert if both conditions are met? I am somewhat lost.
Thank you.
Sorry for my bad English.


Alexis Rivas

Jan 26, 2022, 1:49:35 PM
to ossec-list

Hi! Hope you’re doing well.

First of all, sorry for the late response.

I’m sharing with you an article from our Wazuh Docs that you may find interesting: XML labels used to configure rules.

If the decoder you are using is currently parsing the user field, you can do the following:

<group name="test,">
  <rule id="110001" level="0">
    <if_sid>40101</if_sid>
    <user>JOHN</user>
    <srcip>XX.XX.XX.XX</srcip>
    <description>No alert.</description>
  </rule>
</group>

If you encounter any troubles doing this, please provide me with a log sample to verify the decode process.

Regards,
Alexis
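The point the question turns on is how options inside a single <rule> combine: every option (here <user> and <srcip>) must hold for the rule to fire, so a level-0 child rule that names the parent with <if_sid> silences the parent only when both fields match, and the parent still alerts when only one of them does. <user> and <srcip> are compared against the fields the decoder extracted, whereas <match> is a substring test on the raw log line, which is why the answer swaps <match>user JHON</match> for <user>JOHN</user>. The following Python model is an added example, not code from the thread or from the Wazuh project; it reproduces that AND-and-override behaviour on constructed events. It assumes a simplified stand-in for rule 40101, a constructed $SYS_USERS list, exact string comparison for <user> (the real engine uses its own pattern syntax), and 192.0.2.10 in place of XX.XX.XX.XX.

```python
"""Toy model of a level-0 child rule silencing a parent rule (Wazuh/OSSEC).

Added example, not from the thread or the Wazuh project. Only the options the
thread uses are modelled: if_sid, if_group, user, srcip and level. Matching
on <user> is simplified to exact comparison; <srcip> is CIDR-aware.
"""
import ipaddress
import xml.etree.ElementTree as ET

# Constructed rule set: a simplified stand-in for built-in rule 40101 plus the
# suppression rule from the answer, with 192.0.2.10 in place of XX.XX.XX.XX.
RULES_XML = """<rules>
  <group name="syslog,attacks,">
    <rule id="40101" level="12">
      <if_group>authentication_success</if_group>
      <user>$SYS_USERS</user>
      <description>System user successfully logged to the system.</description>
    </rule>
  </group>
  <group name="test,">
    <rule id="110001" level="0">
      <if_sid>40101</if_sid>
      <user>JOHN</user>
      <srcip>192.0.2.10</srcip>
      <description>No alert.</description>
    </rule>
  </group>
</rules>"""

# Constructed stand-in for the $SYS_USERS variable of the real rule set.
VARIABLES = {"$SYS_USERS": {"root", "daemon", "JOHN"}}


def load_rules(xml_text):
    """Return the rules in file order as dicts of the options we model."""
    rules = []
    for rule in ET.fromstring(xml_text).iter("rule"):
        rules.append({
            "id": rule.get("id"),
            "level": int(rule.get("level")),
            "if_sid": rule.findtext("if_sid"),
            "if_group": rule.findtext("if_group"),
            "user": rule.findtext("user"),
            "srcip": rule.findtext("srcip"),
        })
    return rules


def user_matches(pattern, value):
    """<user> compares against the decoded user field (exact match here)."""
    if pattern is None:
        return True            # option absent: no constraint
    if value is None:
        return False           # decoder did not extract a user field
    if pattern in VARIABLES:
        return value in VARIABLES[pattern]
    return pattern == value


def srcip_matches(pattern, value):
    """<srcip> compares against the decoded srcip field, CIDR-aware."""
    if pattern is None:
        return True
    if value is None:
        return False
    return ipaddress.ip_address(value) in ipaddress.ip_network(pattern, strict=False)


def evaluate(rules, event):
    """Return (rule_id, level) of the most specific matching rule, else (None, 0).

    A child rule (if_sid) is only considered once its parent matched, and when
    it matches it replaces the parent, so a level-0 child yields no alert.
    """
    matched_id, matched_level = None, 0
    for rule in rules:
        if rule["if_sid"] is not None and rule["if_sid"] != matched_id:
            continue
        if rule["if_group"] is not None and rule["if_group"] not in event.get("groups", ()):
            continue
        # Every option inside one <rule> must hold: the options are ANDed.
        if not (user_matches(rule["user"], event.get("user"))
                and srcip_matches(rule["srcip"], event.get("srcip"))):
            continue
        matched_id, matched_level = rule["id"], rule["level"]
    return matched_id, matched_level


def alerts(rules, event):
    """True when the final matched rule has a level above 0."""
    return evaluate(rules, event)[1] > 0


RULES = load_rules(RULES_XML)

# Constructed decoded events; "groups" stands for the groups of the
# authentication rule that already matched the log line.
EVENTS = {
    "john_from_allowed_ip": {"groups": {"authentication_success"}, "user": "JOHN", "srcip": "192.0.2.10"},
    "john_from_other_ip":   {"groups": {"authentication_success"}, "user": "JOHN", "srcip": "198.51.100.7"},
    "root_from_allowed_ip": {"groups": {"authentication_success"}, "user": "root", "srcip": "192.0.2.10"},
}

if __name__ == "__main__":
    for name, event in EVENTS.items():
        print(name, evaluate(RULES, event), "alert" if alerts(RULES, event) else "no alert")
```

Only the event where both the user and the source address match reaches rule 110001 and is silenced; a matching user from another address, or another system user from the allowed address, still falls through to rule 40101 at level 12.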
