Do not display a rule that contains a specific field


TheLotus 24

Sep 5, 2024, 6:01:14 PM
to Wazuh | Mailing List
Hello everyone, I have a question. I am collecting information from my firewall, and there is an event that generates many alerts. These alerts have a specific field called data.policyId. Is there a way to prevent the rule that contains that field from being displayed, without affecting the rule that does not contain it?

My rule

capfire1.png

The field

capfire2.png

Stuti Gupta

Sep 6, 2024, 3:43:05 AM
to Wazuh | Mailing List
Hi TheLotus,
You can achieve this using the ignore option in your custom rule, like:
<group name="Office365">
  <rule id="100004" level="5" ignore="3600">
    <if_sid>81634</if_sid>
    <field name="policyid">\.+</field>
    <description>This is a test of a custom ruleset for detecting SharePoint file-sharing events</description>
    <options>no_full_log</options>
  </rule>
</group>
The alert will trigger once and then ignore this rule for the next 3600 seconds. However, it will start triggering the rule ID mentioned in if_sid (91544), as this is the parent rule. Then you need to suppress that rule by changing its rule level to less than 3 so it won't trigger alerts in the Wazuh dashboard, using the tag overwrite="yes".

You can use negate="yes" as shown below so rule 81634 won't be triggered if there is a policyid. Make sure that you modify the default rule by adding the overwrite="yes" tag. Please paste the default rule into /var/ossec/etc/rules/local_rules.xml and then edit the rule.

<!-- In local_rules.xml the rule must sit inside a <group>; the name below is the one used by the default Fortigate ruleset -->
<group name="fortigate,">
  <!-- overwrite="yes" is required, otherwise the duplicate ID 81634 is rejected on load -->
  <rule id="81634" level="5" overwrite="yes">
    <if_sid>81603</if_sid>
    <match>subtype="app-ctrl"|subtype=app-ctrl</match>
    <action>block</action>
    <!-- negate="yes": the rule only matches when the decoded policyid field is absent -->
    <field name="policyid" negate="yes">\.+</field>
    <description>Fortigate: App blocked by firewall.</description>
    <group>firewall_drop,gdpr_IV_35.7.d,hipaa_164.312.b,nist_800_53_AU.6,pci_dss_10.6.1,</group>
  </rule>
</group>

To learn how to change an existing rule, please follow: https://documentation.wazuh.com/current/user-manual/ruleset/custom.html#changing-an-existing-rule

Hope this will help.
Regards.

For that, you can refer to https://documentation.wazuh.com/current/user-manual/ruleset/rules/custom.html#changing-existing-rules
Refer: https://documentation.wazuh.com/current/user-manual/ruleset/ruleset-xml-syntax/rules.html#rules-options

Hope this helps.

TheLotus 24

Sep 6, 2024, 10:50:37 AM
to Wazuh | Mailing List
Hi, thanks for your reply. What if I want the alert not to be triggered if the policyId is equal to 299? How should I do that?

Stuti Gupta

Sep 9, 2024, 7:15:25 AM
to Wazuh | Mailing List
Hi Lotus,

You can achieve this by creating a custom rule and changing the rule level to 0, like:
<group name="fortigate,">
  <!-- Child of 81634: when the decoded policyid field is exactly 299, this level-0 rule matches instead and no alert is produced -->
  <rule id="101634" level="0">
    <if_sid>81634</if_sid>
    <!-- anchored so that 1299, 2990 etc. are not matched; no spaces inside the tags, they would become part of the pattern -->
    <field name="policyid">^299$</field>
    <description>Fortigate: App blocked by firewall.</description>
    <group>firewall_drop,gdpr_IV_35.7.d,hipaa_164.312.b,nist_800_53_AU.6,pci_dss_10.6.1,</group>
  </rule>
</group>

Rule level 0 means: No action taken. Used to avoid false positives. These rules are scanned before all the others, include events with no security relevance, and do not appear in the security events dashboard.

Refer to https://documentation.wazuh.com/current/user-manual/ruleset/rules/rules-classification.html
https://wazuh.com/blog/creating-decoders-and-rules-from-scratch/

In case you need further assistance with the custom rule, then please share the /var/ossec/logs/archives/archives.json log.

Hope this helps
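A complete local_rules.xml fragment that puts the advice from both answers above together, added here as an editor's example rather than code posted in the thread or shipped by the Wazuh project. It assumes the Fortigate decoder emits the field under the name policyid (confirm the exact name in /var/ossec/logs/archives/archives.json, since the dashboard shows it as data.policyId), that the parent rule is 81634 as discussed above, and that IDs 100200 and 100201 are free in the custom range; the policy IDs 301 and 417 in the second rule are constructed sample values. It goes one step beyond the thread by showing how to silence several policy IDs with one rule.

```xml
<!-- /var/ossec/etc/rules/local_rules.xml (added example; not from the thread or the Wazuh ruleset) -->
<group name="local,fortigate,">

  <!--
    Child of the default rule 81634. When 81634 matches and the decoded
    policyid field is exactly 299, this rule is the final match instead.
    Level 0 means no alert is written, so the event disappears from the
    dashboard while 81634 keeps alerting for every other policy ID.

    - ^ and $ anchor the OS_Regex pattern; a bare "299" would also match
      1299 or 2990.
    - The field name must be the one the decoder produces ("policyid" is
      assumed here); check archives.json if unsure.
    - 100200 is a free ID chosen for this example; custom IDs must be
      100000 or higher and unused elsewhere.
  -->
  <rule id="100200" level="0">
    <if_sid>81634</if_sid>
    <field name="policyid">^299$</field>
    <description>Fortigate: App blocked by firewall, policy 299 (suppressed by local rule).</description>
  </rule>

  <!--
    Same idea for a short list of policies: OS_Regex alternation with "|".
    301 and 417 are constructed sample values for this example.
  -->
  <rule id="100201" level="0">
    <if_sid>81634</if_sid>
    <field name="policyid">^301$|^417$</field>
    <description>Fortigate: App blocked by firewall, known-noisy policies (suppressed by local rule).</description>
  </rule>

</group>
```

After saving the file, paste one of the original Fortigate log lines into /var/ossec/bin/wazuh-logtest and confirm that the output ends at rule 100200 (or 100201) with level 0 rather than at 81634, then restart the manager with systemctl restart wazuh-manager. Suppressed events are still written to archives.json when archiving is enabled, so the data is not lost, only the alert. Compared with the negate/overwrite approach in the first answer, this variant leaves the default rule untouched, which means it survives ruleset upgrades and still alerts on every other policy ID.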