Rules Do not Work on Wazuh

[Ali Bajaj]

Hello Team,

I hope you are doing well.

I am currently experiencing an issue with the rules configured in the local rules.xml file. When I attempt to trigger an alert—either to be sent via email or displayed on the dashboard—no action is executed.

In attach, I will provide the file  of all the rules currently configured for your review.

The version of wazuh  am using is 4.11

[Md. Nazmur Sakib]

Hello!

AI tools can be helpful for creating rules and decoders, but it is important to review them with the Wazuh document.
Rules Syntax

I am making the incorrect syntax in red.

<rule id="100400" level="12">

    <if_sid>5712</if_sid>

    <same_source_ip />

    <frequency>20</frequency>

    <timeframe>60</timeframe>

    <description>Possible network scan detected (multiple connection attempts from same IP)</description>

    <mitre>

      <id>T1046</id>

    </mitre>

    <group>reconnaissance,network_scan,</group>

  </rule>


This is the corrected version.

<rule id="100400" level="12" frequency="20" timeframe="60">       

    <if_matched_sid>5712</if_matched_sid>

    <same_srcip />

    <description>Possible network scan detected (multiple connection attempts from same IP)</description>

    <mitre>

      <id>T1046</id>

    </mitre>

    <group>reconnaissance,network_scan,</group>

  </rule>

You can use frequency and timeframe when you are using if_matched_sid conditions in your rule. It will not work with if_sid

I have fixed the syntax errors in the rules. I have shared the updated rules in the txt file.


You can test the decoder and rules using this tool.
Testing decoders and rules

If you need furter help with this rule. Please share a sample log with me for what you are trying to create alerts for, so that I can test them from my end and share with you the appropriate rules you need to trigger alerts for your log.