Integrating rules into the CDB list


Tengku Arya Saputra

Jun 10, 2026, 8:13:59 AM (3 days ago) Jun 10
to Wazuh | Mailing List
I have a CDB list at /var/ossec/etc/lists/suspicious_tlds. I want to use less aggressive rules. For example:

<group name="threat_intel,tld_detection,">
  <rule id="123500" level="10">
    <if_sid>61650</if_sid>
    <field name="win.system.eventID">^22$</field>
    <field name="win.eventdata.queryName">\.xyz$|\.top$|\.click$|\.zip$</field>
    <description>Suspicious TLD DNS Query</description>
    <mitre>
      <id>T1071.004</id>
    </mitre>
  </rule>
</group>

So I want this win.eventdata.queryName to check directly against the CDB list.

How can I do that?

Olamilekan Abdullateef Ajani

Jun 10, 2026, 8:48:45 AM (3 days ago) Jun 10
to Wazuh | Mailing List
Hello,

Sure, you can do that using a CDB list lookup instead of hardcoding the TLDs directly in the regex.

Set up your list in /etc/lists/suspicious_tlds


<group name="threat_intel,tld_detection,">
  <rule id="123500" level="10">
    <if_sid>61650</if_sid>
    <field name="win.system.eventID">^22$</field>
    <list field="win.eventdata.queryName" lookup="match_key">etc/lists/suspicious_tlds</list>
    <description>Suspicious TLD DNS Query</description>
    <mitre>
      <id>T1071.004</id>
    </mitre>
  </rule>
</group>


However, there is one little caveat, match_key performs an exact lookup, so:

example.xyz
test.top

will NOT match .xyz: directly. That is, if your list contains things like

.xyz:
.top:
.zip:

CDB lists are best for static value matching, so you need to clearly define the fields as expected for accuracy.

So for domains/TLDs, your current regex approach is a simpler and more reliable solution unless you normalize the domain before lookup.


Please let me know your thoughts on this.
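To make the caveat above concrete, here is an added Python simulation (not from this thread and not Wazuh's own code) of what a `match_key` lookup sees when it is handed the full `queryName` versus a value normalised to its TLD. The CDB list content and the query names are constructed for the example; the `key:value` line format follows the list snippet in the reply.

```python
"""Simulate Wazuh's CDB list `match_key` lookup on DNS query names.

A CDB list file has one `key:value` line per entry; `match_key` compares
the field's exact value against a key. A full query name such as
`example.xyz` never equals the key `.xyz`, so the lookup only works on a
value that has first been normalised to its TLD.
"""

# Constructed CDB list content in the `key:value` format shown in the
# reply (`.xyz:` is a key with an empty value).
CDB_LIST_TEXT = """\
.xyz:
.top:
.click:
.zip:
"""


def parse_cdb_list(text: str) -> dict[str, str]:
    """Parse `key:value` lines into a dict, skipping blanks and comments."""
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(":")
        entries[key] = value
    return entries


def match_key(cdb: dict[str, str], value: str) -> bool:
    """Exact-key lookup: the semantics of lookup="match_key"."""
    return value in cdb


def tld_of(query_name: str) -> str:
    """Normalise a DNS query name to its TLD in the list's `.tld` form."""
    name = query_name.rstrip(".").lower()  # drop a trailing root dot
    _, dot, tld = name.rpartition(".")
    return dot + tld if dot else ""  # a bare label has no TLD


def tld_match_key(cdb: dict[str, str], query_name: str) -> bool:
    """Lookup after normalising the field value to its TLD."""
    return match_key(cdb, tld_of(query_name))


if __name__ == "__main__":
    cdb = parse_cdb_list(CDB_LIST_TEXT)
    for q in ["example.xyz", "test.top", "update.example.com", "files.zip."]:
        print(f"{q:22} raw match_key={match_key(cdb, q)!s:5} "
              f"tld match_key={tld_match_key(cdb, q)}")
```

The raw lookup is false for every full domain name, which is the behaviour the reply warns about; only the normalised value hits the list, so in Wazuh the TLD would have to be extracted into its own field (for example by a custom decoder) before the `<list>` lookup can be used this way.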
