Help for Wazuh local custom rules


mauro....@cmcc.it

Jun 15, 2023, 7:12:31 AM
to Wazuh mailing list
Dear Users,

I use syslog to send logs from pfSense to Wazuh.
Everything works as expected.

Now, I need to tune the parsing procedure of these logs.

In particular, I would like to separate the alerts triggered when an internal IP on the LAN contacts external IP from the alerts triggered when external public IP contacts our firewall IP.

So I customised the already existing 87702 pfSense rule and I created a new one as follows (please note that x.x.x.x is the public IP of our firewall).

I added in local_rules.xml

  <rule id="87702" overwrite="yes" level="10" frequency="5" timeframe="45" ignore="60">
    <if_matched_sid>87701</if_matched_sid>
    <same_source_ip />
    <dstip>!x.x.x.x</dstip>
    <description>Multiple pfSense firewall blocks events from same source.</description>
    <mitre>
      <id>T1110</id>
    </mitre>
    <group>multiple_blocks,pci_dss_1.4,pci_dss_10.6.1,gpg13_4.12,hipaa_164.312.a.1,hipaa_164.312.b,nist_800_53_SC.7,nist_800_53_AU.6,tsc_CC6.7,tsc_CC6.8,tsc_CC7.2,tsc_CC7.3,</group>
  </rule>

  <!-- Attack from Public IPv4 -->
  <rule id="100020" level="10" frequency="5" timeframe="45" ignore="60">
    <if_matched_sid>87701</if_matched_sid>
    <same_source_ip />
    <dstip>x.x.x.x</dstip>
    <description>Attack from a public IP address offending pfsense rules > $(srcip).</description>
    <mitre>
      <id>T1110</id>
    </mitre>
    <group>multiple_blocks,pci_dss_1.4,pci_dss_10.6.1,gpg13_4.12,hipaa_164.312.a.1,hipaa_164.312.b,nist_800_53_SC.7,nist_800_53_AU.6,tsc_CC6.7,tsc_CC6.8,tsc_CC7.2,tsc_CC7.3,</group>
  </rule>


I noticed that I receive both alerts because the 87702 rule is not ignoring the public IP I'm trying to filter using !x.x.x.x.

Could you please help me to solve the issue?

Thanks in advance,

Mauro

Nicolas Agustin Guevara Pihen

Jun 15, 2023, 8:15:56 AM
to Wazuh mailing list
Hello Mauro, I hope you are well.

I reproduced the issue and can confirm that !x.x.x.x is apparently not working.
However, in my lab environment, I could make it work as expected by using the negate option. This is:

    <dstip negate='yes'>x.x.x.x</dstip>

Does this also work for you?
Kind regards,
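For reference, here are the two rules from the original post written out with the negate attribute from the reply, as an added example rather than code from either poster or from the Wazuh project. The surrounding group name "local,pfsense," is an assumption (any group name in local_rules.xml works), x.x.x.x remains a placeholder for the firewall's public address, and rule id 100020 is the number the poster chose:

```xml
<!-- local_rules.xml (added example, not from the thread): split pfSense block floods
     into "internal host talking outward" and "public host hitting the firewall" -->
<group name="local,pfsense,">

  <!-- 5 blocks in 45 s from one source whose destination is NOT the firewall's public IP.
       negate="yes" is the supported way to invert a <dstip> match; a leading "!" is not. -->
  <rule id="87702" overwrite="yes" level="10" frequency="5" timeframe="45" ignore="60">
    <if_matched_sid>87701</if_matched_sid>
    <same_source_ip />
    <dstip negate="yes">x.x.x.x</dstip>   <!-- placeholder: firewall public IP -->
    <description>Multiple pfSense firewall blocks events from same source.</description>
    <mitre>
      <id>T1110</id>
    </mitre>
    <group>multiple_blocks,pci_dss_1.4,pci_dss_10.6.1,gpg13_4.12,hipaa_164.312.a.1,hipaa_164.312.b,nist_800_53_SC.7,nist_800_53_AU.6,tsc_CC6.7,tsc_CC6.8,tsc_CC7.2,tsc_CC7.3,</group>
  </rule>

  <!-- Same threshold, but only when the destination IS the firewall's public IP,
       so the two rules are mutually exclusive and a burst fires exactly one of them. -->
  <rule id="100020" level="10" frequency="5" timeframe="45" ignore="60">
    <if_matched_sid>87701</if_matched_sid>
    <same_source_ip />
    <dstip>x.x.x.x</dstip>                <!-- placeholder: firewall public IP -->
    <description>Attack from a public IP address offending pfsense rules > $(srcip).</description>
    <mitre>
      <id>T1110</id>
    </mitre>
    <group>multiple_blocks,pci_dss_1.4,pci_dss_10.6.1,gpg13_4.12,hipaa_164.312.a.1,hipaa_164.312.b,nist_800_53_SC.7,nist_800_53_AU.6,tsc_CC6.7,tsc_CC6.8,tsc_CC7.2,tsc_CC7.3,</group>
  </rule>

</group>
```

Because both rules chain off 87701 with the same frequency and timeframe, the only thing that decides which one fires is the dstip test, so once the negation actually works you should see exactly one of the two alerts per burst. Before restarting the manager, run `/var/ossec/bin/wazuh-logtest` and paste a few pfSense block lines for an internal source and a few for a public source to confirm that each burst lands on the intended rule id.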

Mauro Tridici

Jun 15, 2023, 9:32:52 AM
to Nicolas Agustin Guevara Pihen, Wazuh mailing list
Hello Nicolas,

Many thanks for taking care of my case.
Your workaround solved my issue.

In your opinion, could it be a bug?

Thank you in advance,
Mauro

Nicolas Agustin Guevara Pihen

Jun 15, 2023, 10:39:03 AM
to Wazuh mailing list
Hello,
I'm glad to know that it solved your issue!

It seems to be a bug, and I already reported it; you can follow the issue if you are interested.

Don't hesitate to contact us again if you need more help!
Have a great day.