Wazuh rule syntax


hotaruほたる

Sep 25, 2024, 4:39:30 AM
to Wazuh | Mailing List
Question 1: This is my custom rule for SSMS
  <rule id="400002" level="12">
    <if_sid>400001</if_sid>
    <field name="win.system.eventID">^33205$</field>
    <match>drop database</match>
    <options>no_full_log</options>
    <description>Drop database statement detected</description>
  </rule>

The question is: can I add some exclude string into this rule?
For example: drop database abcxyz
Can I add something like
<notmatch>abcxyz</notmatch>
or <match negate="yes">abcxyz</match>

Question 2: How can I create a custom rule with <match> like this?
  <rule id="400007" level="12">
    <if_sid>400001</if_sid>
    <field name="win.system.eventID">^33205$</field>
    <match>grant * on * for</match>
    <options>no_full_log</options>
    <description>GRANT statement detected</description>
  </rule>

For example: grant select on table1 to user

Stuti Gupta

Sep 25, 2024, 5:43:26 AM
to Wazuh | Mailing List
Hi hotaru,

Regarding your first question:
You can use the `negate` attribute with the `match` option as you've mentioned:

<match negate="yes">abcxyz</match>
However, you cannot use multiple match regex options in a single statement. The value used for the match will correspond to the last specified label. If no label is specified, the default behavior will be applied. For example:

<match negate="yes">abcxyz</match>
<match>drop database</match>
You can use only one of them, and the last one will be considered.

For your second question:
If you're using regex in the `match` field, you need to specify the `type` attribute. This can be one of the following types: `osmatch`, `osregex`, or `pcre2`. For example:
<match type="osregex">grant \.+ on \.+ for</match>
Without specifying the `type` as a regex type (e.g., `osregex`), the match will be treated as a plain string comparison, and it won’t function as a regular expression.

To learn more about the match field, please refer to https://documentation.wazuh.com/current/user-manual/ruleset/ruleset-xml-syntax/rules.html#match

If you still have any questions please feel free to ask.
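As an added example (not from either post in this thread), the rules below show how to get the exclusion asked about in question 1 without putting two <match> tags in one rule, and how the GRANT rule from question 2 looks with a regex type set. The parent rule fires on the statement; a level-0 child rule hooked to it with <if_sid> reclassifies the excluded case so no alert is raised. Rule IDs 400001, 400002 and 400007 and the name abcxyz come from the thread; the group name and rule ID 400003 are assumptions.

```xml
<!-- Added example, not from the thread. Rule IDs 400001/400002/400007 and
     the excluded name "abcxyz" come from the question; the group name and
     rule ID 400003 are assumptions. -->
<group name="custom_ssms,">

  <!-- Parent rule: alerts on any DROP DATABASE statement in event 33205. -->
  <rule id="400002" level="12">
    <if_sid>400001</if_sid>
    <field name="win.system.eventID">^33205$</field>
    <match>drop database</match>
    <options>no_full_log</options>
    <description>Drop database statement detected</description>
  </rule>

  <!-- Exclusion: a rule cannot carry two <match> tags, so the exception
       lives in a child rule. It is only evaluated after 400002 matched,
       and because its level is 0 the event is reclassified under this
       rule and no alert is raised for "drop database abcxyz". -->
  <rule id="400003" level="0">
    <if_sid>400002</if_sid>
    <match>drop database abcxyz</match>
    <description>Drop of the excluded database abcxyz, ignored</description>
  </rule>

  <!-- GRANT detection with a real regex. Without type="osregex" (or
       "pcre2") the pattern is compared as a plain string. In osregex,
       \.+ means "one or more of any character"; the literal words follow
       the sample statement "grant select on table1 to user". -->
  <rule id="400007" level="12">
    <if_sid>400001</if_sid>
    <field name="win.system.eventID">^33205$</field>
    <match type="osregex">grant \.+ on \.+ to</match>
    <options>no_full_log</options>
    <description>GRANT statement detected</description>
  </rule>

</group>
```

After adding the rules, the match can be checked with the wazuh-logtest tool against a captured event 33205 line: the abcxyz statement should end at rule 400003 with level 0, any other DROP DATABASE at 400002.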