Custom rule match IP ranges


Erik-Jan Davids
Jun 3, 2024, 1:54:07 AM
to Wazuh | Mailing List
I'm trying to create custom rules that lower the alert level for certain events when they come from known IP ranges, like our vulnerability scanners.

The following works fine for a single IP address:

  <rule id="994001" level="3">
    <if_sid>31168</if_sid>
    <match>139.87.112.221</match>
    <description>Whitelisted IP addresses for Shellshock attack</description>
  </rule>

But when I attempt multiple addresses like so:

  <rule id="994001" level="3">
    <if_sid>31168</if_sid>
    <match>139.87.112.221</match>
    <match>139.87.112.222</match>
    <description>Whitelisted IP addresses for Shellshock attack</description>
  </rule>

Or a regex expression like so:

  <rule id="994001" level="3">
    <if_sid>31168</if_sid>
    <match>^139.87.112.[1-255]$</match>
    <description>Whitelisted IP addresses for Shellshock attack</description>
  </rule>

Then the custom rule does not take effect, and the event is logged against the original rule.

I have also tried other regex formats like ^139\.87\.112\.\d{1,3}$ but no luck there either.

Anyone know what I'm doing wrong?

Erik-Jan

Erik-Jan Davids
Jun 3, 2024, 3:04:45 AM
to Wazuh | Mailing List
Update. I achieved my goal in a different way using CDB lists. However, I would still like to understand why my first solution did not work.

On Monday, June 3, 2024 at 07:54:07 UTC+2, Erik-Jan Davids wrote:

Md. Nazmur Sakib
Jun 3, 2024, 4:41:42 AM
to Wazuh | Mailing List
Hi Erik-Jan,

I am glad that the issue is resolved using the CDB list.


When you use multiple match parameters, it means the rule will only trigger if the log contains both the 139.87.112.221 and the 139.87.112.222 IP.



  <rule id="994001" level="3">
    <if_sid>31168</if_sid>
    <match>139.87.112.221</match>
    <match>139.87.112.222</match>
    <description>Whitelisted IP addresses for Shellshock attack</description>
  </rule>


You can use it like this.



  <rule id="994001" level="3">
    <if_sid>31168</if_sid>
    <match>139.87.112.221|139.87.112.222</match>
    <description>Whitelisted IP addresses for Shellshock attack</description>
  </rule>


Ref: https://documentation.wazuh.com/current/user-manual/ruleset/ruleset-xml-syntax/rules.html#rules-match



The rule with the regex has some minor mistakes.



  <rule id="994001" level="3">
    <if_sid>31168</if_sid>
    <match>^139.87.112.[1-255]$</match>
    <description>Whitelisted IP addresses for Shellshock attack</description>
  </rule>


The ^ defines the start and $ defines the end.

It will search for a match in the log event.

But the log has other content than the IP, so you cannot use ^ and $ with the IP to match it.


Also, I can see you are trying to use Perl-compatible regular expressions. To use Perl-compatible regular expressions you need to define them like this: type="pcre2"


You can write the command like this:



  <rule id="994001" level="3">
    <if_sid>31168</if_sid>
    <!-- [1-255] is a character class (the single digits 1, 2 and 5), not the range 1-255;
         the alternation below matches a whole last octet 0-255, and the dots are escaped
         so they match a literal dot rather than any character -->
    <match type="pcre2">139\.87\.112\.(25[0-5]|2[0-4]\d|1?\d?\d)</match>
    <description>Whitelisted IP addresses for Shellshock attack</description>
  </rule>


or


  <rule id="994001" level="3">
    <if_sid>31168</if_sid>
    <!-- dots are escaped so that "." matches a literal dot rather than any character -->
    <match type="pcre2">139\.87\.112\.\d{1,3}</match>
    <description>Whitelisted IP addresses for Shellshock attack</description>
  </rule>


Check the document for reference:
https://documentation.wazuh.com/current/user-manual/ruleset/ruleset-xml-syntax/pcre2.html

Let me know if this works for you.
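To make the behaviour discussed above concrete, the following is an added example (not code from the thread or from Wazuh) that runs the candidate rules against a few constructed Apache-style events. It emulates the <match> semantics described in the answer (multiple <match> elements are ANDed, "|" separates alternatives, "^" and "$" anchor to the whole event) in a small helper, and approximates type="pcre2" with Python's re module; both of those are assumptions, as is the tightened last pattern, which relies on the source address being the first token of the event. The log lines and the 203.0.113.9 host are sample data.

```python
import re

# Constructed Apache-style access log events (sample data, not from the thread).
# In the thread's setup rule 31168 has already matched the request; the child
# rule only has to decide whether the source address is one of the scanners.
LOGS = {
    "scanner_221": '139.87.112.221 - - [03/Jun/2024:07:54:07 +0200] "GET /cgi-bin/x HTTP/1.1" 200 12',
    "scanner_37":  '139.87.112.37 - - [03/Jun/2024:07:55:10 +0200] "GET /cgi-bin/x HTTP/1.1" 200 12',
    "other_host":  '203.0.113.9 - - [03/Jun/2024:07:56:00 +0200] "GET /cgi-bin/x HTTP/1.1" 200 12',
    # Same third-party host, but a scanner address appears later in the event.
    "lookalike":   '203.0.113.9 - - [03/Jun/2024:07:57:00 +0200] "GET /?ref=139.87.112.37 HTTP/1.1" 200 12',
}


def osmatch(pattern, event):
    """Simplified emulation of the <match> semantics described in the thread
    (assumption: this is not Wazuh's own matcher). '|' separates alternatives,
    a leading '^' anchors to the start of the event and a trailing '$' to its
    end; everything else, including '[' and '.', is a literal substring."""
    for alt in pattern.split("|"):
        at_start = alt.startswith("^")
        at_end = alt.endswith("$")
        begin = 1 if at_start else 0
        stop = len(alt) - 1 if at_end else len(alt)
        literal = alt[begin:stop]
        if at_start and at_end:
            hit = event == literal
        elif at_start:
            hit = event.startswith(literal)
        elif at_end:
            hit = event.endswith(literal)
        else:
            hit = literal in event
        if hit:
            return True
    return False


def rule_fires(match_elements, event, regex_type="osmatch"):
    """A rule with several <match> elements fires only if every one matches (AND).
    type="pcre2" is approximated with Python's re module (assumption)."""
    if regex_type == "pcre2":
        return all(re.search(p, event) is not None for p in match_elements)
    return all(osmatch(p, event) for p in match_elements)


# The candidate rules from the thread, plus one tightened variant (assumption:
# the source address is the first token of the event in this log format).
CANDIDATES = {
    "two_match_elements": (["139.87.112.221", "139.87.112.222"], "osmatch"),
    "pipe_alternatives":  (["139.87.112.221|139.87.112.222"], "osmatch"),
    "anchored_osmatch":   (["^139.87.112.[1-255]$"], "osmatch"),
    "pcre2_class":        ([r"139.87.112.[1-255]"], "pcre2"),  # [1-255] = one char: 1, 2 or 5
    "pcre2_digits":       ([r"139.87.112.\d{1,3}"], "pcre2"),
    "pcre2_anchored":     ([r"^139\.87\.112\.\d{1,3}\s"], "pcre2"),
}


def evaluate():
    """Return {candidate: {log_name: fired}} for every candidate rule and event."""
    return {
        name: {log: rule_fires(patterns, event, kind) for log, event in LOGS.items()}
        for name, (patterns, kind) in CANDIDATES.items()
    }


if __name__ == "__main__":
    for name, results in evaluate().items():
        fired = [log for log, hit in results.items() if hit]
        print(f"{name:20s} fires on: {fired or 'nothing'}")
```

Running it shows the three failure modes side by side: the two-element rule never fires because both addresses would have to appear in one event, the anchored pattern never fires because the event contains more than the address, and the pcre2 class `[1-255]` matches 139.87.112.221 but not 139.87.112.37. The unanchored `\d{1,3}` form matches both scanners but also fires on the event from 203.0.113.9 that merely mentions a scanner address, which is why a level-lowering whitelist is better tied to the source field (the CDB-list approach Erik-Jan ended up with) or, where the log format is fixed, anchored to where the address actually sits.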

Md. Nazmur Sakib
Jun 4, 2024, 2:15:22 AM
to Wazuh | Mailing List
Hi Erik-Jan,

Looking forward to your update on the issue.

Erik-Jan Davids
Jun 4, 2024, 5:31:56 AM
to Md. Nazmur Sakib, Wazuh | Mailing List
I don't have time to test it now, but your explanation is clear to me. Thank you.

On Tue, 4 Jun 2024 at 08:15, 'Md. Nazmur Sakib' via Wazuh | Mailing List <wa...@googlegroups.com> wrote: