Hi Team,
We are currently receiving a high volume of alerts in Wazuh for allowed traffic events and would like to suppress only specific cases while keeping other alerts intact.
For example, we are seeing repeated alerts with the following details:
Agent: localhost.localdomain
Rule ID: 70022
Rule Description: Traffic Allowed
Message: Traffic Allowed: from 10.0.1.187 to 103.51.160.197
Our goal is to whitelist only this particular source/destination traffic so that these alerts do not generate notifications, but other “Traffic Allowed” events are still logged and alerted as usual.
Could you please advise on:
The recommended way to implement this whitelist in local_rules.xml?
Any best practices for managing these kinds of exceptions without affecting overall visibility.
Thank you in advance for your guidance.
Best regards,
Satiswaran
Hi Satiswaran,
Sorry for the late response, my previous answer somehow got deleted.
You can make a custom rule like this, and add the rule in the /var/ossec/etc/rules/local_rules.xml file
<group name="sophos-fw,">
  <rule id="107022" level="0">
    <if_sid>70022</if_sid>
    <srcip>10.0.1.187</srcip>
    <dstip>103.51.160.197</dstip>
    <description>Suppress Alert: Traffic Allowed: from 10.0.1.187 to 103.51.160.197</description>
  </rule>
</group>
And restart the Wazuh manager.
systemctl restart wazuh-manager
Here I am using the ID of your rule as the parent ID (<if_sid>70022</if_sid>) of this rule, and the srcip and dstip as a filter with the IPs mentioned. So when all these 3 conditions are matched, it will trigger a level 0 rule with ID 107022. By default, Wazuh displays level 3 and above rules, so this level 0 rule will not appear in your Wazuh dashboard.
Check these documents to learn more about the rules, syntax, and writing custom rules.
Rules Syntax
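To see why the rule above suppresses only the one source/destination pair while other "Traffic Allowed" events keep alerting, here is a small simulation of the matching logic. This is an added example written for this thread, not Wazuh's own rule engine and not code from the answer: it parses a constructed copy of the rule, evaluates it against three constructed events, and applies the default log_alert_level of 3. The parent rule's level is assumed to be 3 (the question only shows that 70022 produces alerts), and Wazuh's "!" negation syntax for IP fields is deliberately not modelled.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Constructed copy of the suppression rule from the thread. On a real manager
# this content lives in /var/ossec/etc/rules/local_rules.xml.
LOCAL_RULES_XML = """
<group name="sophos-fw,">
  <rule id="107022" level="0">
    <if_sid>70022</if_sid>
    <srcip>10.0.1.187</srcip>
    <dstip>103.51.160.197</dstip>
    <description>Suppress Alert: Traffic Allowed: from 10.0.1.187 to 103.51.160.197</description>
  </rule>
</group>
"""

PARENT_RULE_ID = 70022   # the Sophos "Traffic Allowed" rule from the question
PARENT_LEVEL = 3         # assumption: the question only shows that 70022 alerts
LOG_ALERT_LEVEL = 3      # Wazuh default: alerts below this level are not logged or shown


def load_child_rules(xml_text):
    """Parse each <rule> into a dict of the fields this simulation understands."""
    root = ET.fromstring(xml_text)
    rules = []
    for rule in root.iter("rule"):
        if_sid = rule.findtext("if_sid", "")
        rules.append({
            "id": int(rule.get("id")),
            "level": int(rule.get("level")),
            "if_sid": [int(s) for s in if_sid.split(",") if s.strip()],
            "srcip": rule.findtext("srcip"),
            "dstip": rule.findtext("dstip"),
            "description": rule.findtext("description", "").strip(),
        })
    return rules


def ip_matches(pattern, value):
    """Match an IP field as an exact address or a CIDR range (a bare address is /32)."""
    if pattern is None:
        return True   # the rule does not constrain this field
    if value is None:
        return False  # rule constrains the field but the event has none
    return ipaddress.ip_address(value) in ipaddress.ip_network(pattern, strict=False)


def evaluate(event, rules):
    """Return (rule_id, level) after child rules of the parent are applied."""
    for rule in rules:
        if (PARENT_RULE_ID in rule["if_sid"]
                and ip_matches(rule["srcip"], event.get("srcip"))
                and ip_matches(rule["dstip"], event.get("dstip"))):
            return rule["id"], rule["level"]
    return PARENT_RULE_ID, PARENT_LEVEL


# Constructed sample events: the pair to whitelist plus two near misses.
EVENTS = [
    {"srcip": "10.0.1.187", "dstip": "103.51.160.197"},  # exact pair -> suppressed
    {"srcip": "10.0.1.187", "dstip": "8.8.8.8"},         # same source, other destination
    {"srcip": "10.0.1.50", "dstip": "103.51.160.197"},   # other source, same destination
]


def classify(events, rules):
    """For each event: (srcip, dstip, final rule id, level, would it be alerted?)."""
    out = []
    for ev in events:
        rule_id, level = evaluate(ev, rules)
        out.append((ev["srcip"], ev["dstip"], rule_id, level, level >= LOG_ALERT_LEVEL))
    return out


if __name__ == "__main__":
    for row in classify(EVENTS, load_child_rules(LOCAL_RULES_XML)):
        print(row)
```

Only the exact pair is routed to rule 107022 at level 0; the two near misses stay on 70022 and are still alerted, which is the "suppress one case, keep visibility" behaviour the answer describes. Because srcip and dstip accept CIDR notation, one such rule can also cover a whole subnet rather than a single host. Before relying on a new exception in production, feed a sample log line through /var/ossec/bin/wazuh-logtest on the manager and confirm it lands on the level 0 rule.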