Disable all default rules for a group


jwalker

Sep 14, 2022, 11:47:32 AM
to Wazuh mailing list
Hello,

I have a group of agents I created.
I would like to disable all rules and enable only specific rules.
The only options I found are:
1. Change the severity level for logging to maximum (16)
2. Disable a specific rule.
Is there a better option?

Best regards,

Eran

Anthony Faruna

Sep 14, 2022, 1:38:51 PM
to jwalker, Wazuh mailing list
Hello Jwalker,

Thanks for using Wazuh.

I will give you a response shortly; however, you can take a look at our documentation and let me know if it meets your needs.

Best Regards


Eran Jian

Sep 14, 2022, 2:01:24 PM
to Anthony Faruna, Wazuh mailing list
Thank you Anthony.
I already read this documentation.
However, it refers to changing a default rule, not disabling all rules.
I would like to enable just a few rules and disable all the other default rules.

Juan Carlos Tello

Sep 19, 2022, 5:19:43 AM
to Eran Jian, Anthony Faruna, Wazuh mailing list
Hi Eran,

I apologize that the previous answer does not address your question and the lack of reply for the following 4 days. Here at Wazuh we really value our community and we strive to provide a good user experience.

It would be interesting to understand your use case more in-depth, as in most environments working with the default ruleset is considered best practice. I also see you mention in the thread's title that you're looking to disable all rules for a group; do you mean a group of agents in an environment with other agents?

In order to disable all rules, regardless of the group of agents, you may configure the manager by commenting out the default ruleset rules directory and individually including the only mandatory rule file:
<!--    <rule_dir>ruleset/rules</rule_dir> -->
<rule_include>ruleset/rules/0010-rules_config.xml</rule_include>


If instead you only wish to affect a subset of agents, then you can create a custom rule file that will be loaded before the other rules and has a parent rule that captures all events coming from this group of agents. Note that the rule loading order heavily depends on the filename, so for example you may create /var/ossec/etc/rules/0011-silent_agents.xml, where you can start the content with:

<group name="resistance">
  <var name="excl_agnt">BB8|C3PO|R2D2</var>
  <rule id="100002" level="0">
    <location>$excl_agnt</location>
    <description>These are not the agents you're looking for</description>
  </rule>
</group>


This will assign level 0 to all events from the agents with the names BB8, C3PO and R2D2.
Note that this does not use the agent's group name; this is because, as of the most recent version of Wazuh (4.3.7), the agent's groups cannot be used to affect the ruleset analysis process.

If you then wish to create rules for these agents, you can do so by creating child rules of this rule (with <if_sid>100002</if_sid>).

I hope this helps and please let us know if you have any more questions.

Best Regards,
Juan C. Tello

Eran Jian

Oct 18, 2022, 11:07:40 AM
to Juan Carlos Tello, Anthony Faruna, Wazuh mailing list
Hello Juan,
Thank you so much for all this information.
Very helpful information.
I just want to make sure:
Is it possible to enable a few rules for one group, while other rules are disabled?
Also, at the same time, leave the default rules enabled for all other groups?
I suspect it's not possible.

Best regards,

Eran

On Mon, Sep 19, 2022 at 12:19 Juan Carlos Tello <juancarl...@wazuh.com> wrote:

Juan Carlos Tello

Oct 19, 2022, 7:05:56 AM
to Eran Jian, Anthony Faruna, Wazuh mailing list
Hi Eran,

Yes, in order to enable only a few rules for the group of agents specified in the sample rule shown above, you may add them as child rules.

So for example you may copy a few rules from the default ruleset to be considered for this group of agents:

<group name="resistance">
  <var name="excl_agnt">BB8|C3PO|R2D2</var>
  <rule id="100002" level="0">
    <location>$excl_agnt</location>
    <description>These are not the agents you're looking for</description>
  </rule>

  <rule id="105100" level="0" noalert="1">
    <if_sid>100002</if_sid>
    <decoded_as>dropbear</decoded_as>
    <description>Grouping for dropbear rules.</description>
  </rule>

  <rule id="105103" level="5">
    <if_sid>105100</if_sid>
    <match>bad password attempt for</match>
    <description>Dropbear: Bad password attempt.</description>
    <group>authentication_failed,pci_dss_10.2.4,pci_dss_10.2.5,pci_dss_8.1.5,gpg13_7.1,gdpr_IV_35.7.d,gdpr_IV_32.2,hipaa_164.312.b,hipaa_164.312.a.1,nist_800_53_AU.14,nist_800_53_AC.7,nist_800_53_AC.2,tsc_CC6.1,tsc_CC6.8,tsc_CC7.2,tsc_CC7.3,</group>
  </rule>
</group>

Note how all of the new rules must have a unique ID (and it is best practice to keep the IDs of custom rules between 100001 and 119999).

Let us know if there is anything else we can help with.
Best Regards,
Juan C. Tello
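The two rule files Juan posted (the level-0 "silencing" parent rule and the child rules that re-enable specific detections for those agents) are easy to get subtly wrong: a duplicate ID, an ID outside the custom range, or an if_sid pointing at a rule that is not loaded yet will break the chain. The script below is an added example written for this thread, not code from Wazuh or from the posters. It parses the sample file with the standard library, runs those static checks, and then walks three constructed events through a deliberately simplified matcher to show which rule each event ends at. The matcher is a toy stand-in for Wazuh's analysis engine (it only supports location, decoded_as, match and if_sid); the "(agent) ip->source" location prefix, the event contents and the function names are assumptions made for the example.

```python
"""Static checks plus a toy walk-through for the custom Wazuh rule file from
this thread. Constructed example; the matcher is a simplified stand-in for
Wazuh's analysis engine, not its real implementation."""
import re
import xml.etree.ElementTree as ET

# Rule file content as posted in the thread (child rules re-enable dropbear checks).
RULES_XML = """
<group name="resistance">
  <var name="excl_agnt">BB8|C3PO|R2D2</var>
  <rule id="100002" level="0">
    <location>$excl_agnt</location>
    <description>These are not the agents you're looking for</description>
  </rule>

  <rule id="105100" level="0" noalert="1">
    <if_sid>100002</if_sid>
    <decoded_as>dropbear</decoded_as>
    <description>Grouping for dropbear rules.</description>
  </rule>

  <rule id="105103" level="5">
    <if_sid>105100</if_sid>
    <match>bad password attempt for</match>
    <description>Dropbear: Bad password attempt.</description>
  </rule>
</group>
"""

CUSTOM_ID_MIN, CUSTOM_ID_MAX = 100001, 119999  # custom-rule range recommended in the thread


def load_rules(xml_text):
    """Parse <rule> elements in file order, expanding $name references from <var>."""
    root = ET.fromstring(xml_text)
    variables = {v.get("name"): v.text for v in root.iter("var")}

    def expand(text):
        for name, value in variables.items():
            text = text.replace("$" + name, value)
        return text

    rules = []
    for r in root.iter("rule"):
        rules.append({
            "id": int(r.get("id")),
            "level": int(r.get("level")),
            "noalert": r.get("noalert") == "1",
            "if_sid": [int(s) for s in r.findtext("if_sid", "").split(",") if s.strip()],
            "location": expand(r.findtext("location", "")),
            "decoded_as": r.findtext("decoded_as", ""),
            "match": expand(r.findtext("match", "")),
            "description": r.findtext("description", ""),
        })
    return rules


def validate(rules):
    """Return problems: duplicate IDs, IDs outside the custom range, and if_sid
    parents not defined earlier in load order (assumed requirement for this check)."""
    problems, seen = [], set()
    for r in rules:
        if not CUSTOM_ID_MIN <= r["id"] <= CUSTOM_ID_MAX:
            problems.append(f"rule {r['id']}: id outside {CUSTOM_ID_MIN}-{CUSTOM_ID_MAX}")
        if r["id"] in seen:
            problems.append(f"rule {r['id']}: duplicate id")
        for parent in r["if_sid"]:
            if parent not in seen:
                problems.append(f"rule {r['id']}: if_sid {parent} not defined before it")
        seen.add(r["id"])
    return problems


def evaluate(rules, event):
    """Toy matcher: walk rules in order; a child is eligible only once one of its
    if_sid parents matched. Returns (id, level) of the deepest matching rule, or
    None when no custom rule claims the event (it would fall through to the default ruleset)."""
    matched, last = set(), None
    for r in rules:
        if r["if_sid"] and not any(p in matched for p in r["if_sid"]):
            continue
        if r["location"] and not re.search(r["location"], event["location"]):
            continue
        if r["decoded_as"] and r["decoded_as"] != event["decoder"]:
            continue
        if r["match"] and r["match"] not in event["log"]:
            continue
        matched.add(r["id"])
        last = r
    return None if last is None else (last["id"], last["level"])


# Constructed events; the "(agent) ip->source" location prefix is an assumption.
EVENTS = {
    "bb8_dropbear": {"location": "(BB8) 10.0.0.5->/var/log/auth.log", "decoder": "dropbear",
                     "log": "dropbear[412]: bad password attempt for 'root' from 10.0.0.9"},
    "bb8_other": {"location": "(BB8) 10.0.0.5->/var/log/syslog", "decoder": "syslog",
                  "log": "cron[77]: job started"},
    "leia_dropbear": {"location": "(Leia) 10.0.0.7->/var/log/auth.log", "decoder": "dropbear",
                      "log": "dropbear[99]: bad password attempt for 'root' from 10.0.0.9"},
}

if __name__ == "__main__":
    rules = load_rules(RULES_XML)
    print("problems:", validate(rules) or "none")
    for name, ev in EVENTS.items():
        print(name, "->", evaluate(rules, ev))  # (105103, 5), (100002, 0), None
```

Running it shows the behaviour Juan describes: a BB8 dropbear failure ends at 105103 (level 5, so it still alerts), any other BB8 event stops at the level-0 parent 100002 (silenced), and an agent outside the excl_agnt list never enters the custom tree at all, so the default ruleset handles it unchanged. Re-running validate after copying more default rules in is a cheap way to catch an ID collision before the manager refuses the file.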