Wazuh rule: how to match different Geoip country?


mauro....@cmcc.it

Mar 28, 2024, 5:00:11 PM
to Wazuh | Mailing List
Dear Users,

I created this aggregation rule:

<rule id="100311" level="12" frequency="2" timeframe="7200">
  <decoded_as>fp</decoded_as>
  <if_matched_sid>100310</if_matched_sid>
  <same_srcuser />
  <different_srcip />
  <same_dstip />
  <description>$(srcuser) connected from different source IPs: last IP is $(srcip)</description>
</rule>

It works, but I would like to create a new rule similar to the one mentioned above, but with a particular difference.

Instead of using <different_srcip />, I would like to have something like <different_geoipcountry /> but it doesn't exist.

How can I achieve this goal?

I would like to know if a specific user connects to the same destination IP from different countries.

Thank you,
Mauro

Md. Nazmur Sakib

Mar 29, 2024, 12:19:37 AM
to Wazuh | Mailing List

Hi Mauro,


Hope you are doing well.

The field GeoLocation.country_name is enriched by the Wazuh Indexer based on some of the alert's IP fields. This step takes place at a higher level of the stack than when the events are matched to the rules. That is why you can see the field in the final event, but it is not considered to trigger the alert. That field is not available during the alert processing. The important thing to understand here is that by default the geolocation information is not available at the moment that the event is being analyzed for rule matching. That is why your rule will not work.

To work around this, you can compile the Wazuh Server enabling the USE_GEOIP flag.

In order to create rules that can use geolocation, you must build Wazuh with the flag USE_GEOIP=yes.

It also requires a GeoIP database: We support the legacy Maxmind GeoLite format, and the updated and maintained databases use the new GeoLite2 format. It should be converted to the legacy format using an external tool.


Ref: https://documentation.wazuh.com/current/deployment-options/wazuh-from-sources/wazuh-server/index.html


Let me know if you need any further information.

mauro....@cmcc.it

Mar 29, 2024, 4:48:04 AM
to Wazuh | Mailing List
Hello Nazmur,

thank you for your reply and instructions.
I already did the steps you provided and geoip info are added as expected.
Now, my question is the following one:

"It works, but I would like to create a new rule similar to one mentioned above, but with  a prticular difference.

Instead of using <different_srcip />, I would like to have something like <different_geoipcountry /> but it doesn't exist."

different_srcip doesn't work in my case because "city" geoip location is not accurate in most cases. So I would like to use "country" information to see if, at the same time, a user connects to the host from (at least) different countries.

But I didn't find a solution for my case.

Thank you in advance,
Mauro

Md. Nazmur Sakib

Mar 29, 2024, 5:30:31 AM
to Wazuh | Mailing List

As you have already configured geoip, geoipcountry is a dynamic field.


You can make use of <different_field>field_name</different_field> for dynamic values.

Check the document for reference:


https://documentation.wazuh.com/current/user-manual/ruleset/ruleset-xml-syntax/rules.html#different-field

https://documentation.wazuh.com/current/user-manual/ruleset/ruleset-xml-syntax/rules.html#same-field


Let me know if this works for you.
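To make the difference between the two correlations concrete, here is an added example (not part of the thread, and not Wazuh's own code) that models the matching logic of the rule above with <different_field>geoipcountry</different_field> in place of <different_srcip />, run over constructed sample events. The field names follow the rule (srcuser, srcip, dstip) plus an assumed geoipcountry field as a USE_GEOIP build would supply it; the IPs and timestamps are made up.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events, not real logs: the decoded fields the rule uses,
# plus the geoipcountry dynamic field added by a USE_GEOIP build (assumed).
EVENTS = [
    {"ts": "2024-03-28T10:00:00", "srcuser": "alice", "srcip": "198.51.100.7", "dstip": "10.0.0.5", "geoipcountry": "IT"},
    {"ts": "2024-03-28T10:20:00", "srcuser": "alice", "srcip": "198.51.100.9", "dstip": "10.0.0.5", "geoipcountry": "IT"},  # new IP, same country
    {"ts": "2024-03-28T11:10:00", "srcuser": "alice", "srcip": "203.0.113.4", "dstip": "10.0.0.5", "geoipcountry": "DE"},   # second country within 7200 s
    {"ts": "2024-03-28T10:05:00", "srcuser": "bob", "srcip": "192.0.2.33", "dstip": "10.0.0.5", "geoipcountry": "FR"},
    {"ts": "2024-03-28T14:00:00", "srcuser": "bob", "srcip": "192.0.2.77", "dstip": "10.0.0.5", "geoipcountry": "US"},      # second country, but outside timeframe
]


def correlate(events, frequency=2, timeframe=7200, same=("srcuser", "dstip"), different="geoipcountry"):
    """Simplified model of a Wazuh correlation rule with <same_*/> and <different_field/>.

    Events are grouped by the `same` fields (same_srcuser + same_dstip), a sliding
    window of `timeframe` seconds is kept per group, and an alert is produced when
    the window holds `frequency` distinct values of the `different` field.
    """
    windows = defaultdict(list)  # (srcuser, dstip) -> [(timestamp, value of `different`)]
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        ts = datetime.fromisoformat(ev["ts"])
        key = tuple(ev[f] for f in same)
        win = windows[key]
        win.append((ts, ev[different]))
        # Drop entries older than the timeframe relative to the current event.
        win[:] = [(t, v) for t, v in win if ts - t <= timedelta(seconds=timeframe)]
        distinct = {v for _, v in win}
        if len(distinct) >= frequency:
            alerts.append({
                "srcuser": ev["srcuser"],
                "dstip": ev["dstip"],
                "values": sorted(distinct),
                "last_srcip": ev["srcip"],  # what $(srcip) would show in the description
            })
            win.clear()  # the rule fired; start a fresh window for this group
    return alerts


if __name__ == "__main__":
    # Same events, two correlations: by source IP (fires on alice's second IT login)
    # versus by country (stays quiet until the login from DE).
    print("different_srcip     ->", correlate(EVENTS, different="srcip"))
    print("different geoipcountry ->", correlate(EVENTS))
```

Real Wazuh counts matched events somewhat differently from this model (see the frequency entry in the rules syntax documentation), so use it to reason about which events a same/different combination groups together, not to predict the exact event count that triggers the rule.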

mauro....@cmcc.it

Mar 29, 2024, 6:12:56 AM
to Wazuh | Mailing List
Hello Nazmur,

thank you very much for your support.
You solved my issue.

Have a great day.
Mauro