Ignore Rule syntax


TUKARAM GAONKAR

Jun 26, 2021, 8:38:19 AM6/26/21
to Wazuh mailing list
Dear Team,

I found one of my rules generating a high number of alerts from one malicious IP, which is flooding my dashboard and Slack. I used the "ignore" rule syntax in that rule to reduce the flooding.
Please help me to resolve the doubts below:

1. Can I see the same rule-matching logs in archives if the "ignore" syntax is set for a specific time?

2. Will the ruleset generate an alert if, at the same time or within the "ignore" syntax time, the same attack is detected (i.e. the same alert needs to trigger with the same matching rule condition) from a different IP?

3. Using the above rule condition I created another rule, which uses the frequency of the above rule. Is there any impact on the 2nd rule?


Warm Regards,
Tukaram 


Julia Magan Rodriguez

Jun 28, 2021, 11:22:04 AM6/28/21
to Wazuh mailing list

Hello,

Let me help you with the doubts:

1. When an event occurs, it is analyzed in order to find a matching rule. Then, depending on the rule, an alert may or may not be triggered. When you use ignore, once the alert is triggered for the first time, it won't be triggered again until the time set in the ignore option passes, even if the event occurs again. However, if you have logall enabled in the ossec.conf file, you will be able to see the events in archives.log, since the custom rule only affects the alert, not the event.

2. If you have the label srcip with a specific IP, for different IPs the rule would work as usual instead of working with the custom rule. For example:

<rule id="100105" level="8">
 <if_sid>100100</if_sid>
 <srcip>10.25.23.12</srcip>
 <description>Forbidden srcip has been detected.</description>
</rule>

In the custom rule from above, only the IP 10.25.23.12 would generate an alert.

3. If you set the ignore option on a rule, the child rule could be affected depending on the conditions needed to trigger it. For example:

  <rule id="5710" level="5">
    <if_sid>5700</if_sid>
    <match>illegal user|invalid user</match>
    <description>sshd: Attempt to login using a non-existent user</description>
    <mitre>
      <id>T1110</id>
    </mitre>
    <group>invalid_login,authentication_failed,pci_dss_10.2.4,pci_dss_10.2.5,pci_dss_10.6.1,gpg13_7.1,gdpr_IV_35.7.d,gdpr_IV_32.2,hipaa_164.312.b,nist_800_53_AU.14,nist_800_53_AC.7,nist_800_53_AU.6,tsc_CC6.1,tsc_CC6.8,tsc_CC7.2,tsc_CC7.3,</group>
  </rule>

  <rule id="5712" level="10" frequency="8" timeframe="120" ignore="60">
    <if_matched_sid>5710</if_matched_sid>
    <description>sshd: brute force trying to get access to </description>
    <description>the system.</description>
    <mitre>
      <id>T1110</id>
    </mitre>
    <same_source_ip />
    <group>authentication_failures,pci_dss_11.4,pci_dss_10.2.4,pci_dss_10.2.5,gdpr_IV_35.7.d,gdpr_IV_32.2,hipaa_164.312.b,nist_800_53_SI.4,nist_800_53_AU.14,nist_800_53_AC.7,tsc_CC6.1,tsc_CC6.8,tsc_CC7.2,tsc_CC7.3,</group>
  </rule>

For an ssh brute force attack, rule 5712 will be triggered when rule 5710 has been triggered 8 times before, because of the labels if_matched_sid and frequency. If you set ignore on rule 5710, it won't be triggered 8 times, and rule 5712 won't be triggered.

TUKARAM GAONKAR

Jul 5, 2021, 4:04:55 AM7/5/21
to Julia Magan Rodriguez, Wazuh mailing list
Yes, I will do that. 

On Mon, 5 Jul 2021 at 13:11, Julia Magan Rodriguez <julia...@wazuh.com> wrote:
Hello, 

To give the answer more visibility, as it may be useful to more users, could you please always write publicly? To do this, when you reply to a message, you must click "reply to all".

Regards.

On Fri, 2 Jul 2021 at 18:02, TUKARAM GAONKAR (<tukaramga...@gmail.com>) wrote:
Dear Julia,

Is it possible to trigger a rule which uses the ignore syntax at rule severity 12, and to have the alerts that trigger within the timeframe of the ignore syntax at alert level 11?

Warm regards,
Tukaram Gaonkar



Julia Magan Rodriguez

Jul 7, 2021, 5:12:17 AM7/7/21
to Wazuh mailing list

Hello,

Yes, it is possible, but if you want the level 12 alert, once it has been triggered a few times, to trigger the level 11 rule, you need the ignore option of the level 12 rule to be lower than the timeframe option of the level 11 rule. Let me show you an example:

<rule id="100345" level="12" ignore="30">
  <if_group>syscheck</if_group>
  <match>/tmp/test.txt</match>
  <description>TESTING</description>
</rule>

<rule id="100346" level="11" frequency="3" timeframe="300" ignore="150">
  <if_matched_sid>100345</if_matched_sid>
  <description>NEXT</description>
</rule>

Here, I want an alert of level 12 that triggers every time the file /tmp/test.txt is modified. Once the alert is triggered, for 30 seconds the file can be modified and no alert will be triggered. Then, for the rule of level 11, I have used the timeframe option, which is intended to be used with the frequency option. Here, when rule 100345 has been triggered 3 times in 300 seconds, the alert of level 11 will be triggered and then ignored for 150 seconds. That's why you need the ignore option lower than the timeframe: if the alert is ignored, it won't be triggered, and the next rule won't be triggered either. Here you can see more options for custom rules.
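The two answers above (rule 5710/5712 in the first reply and rule 100345/100346 in the second) describe the same interaction between ignore, frequency and timeframe. As an added example that is not part of the thread and is not Wazuh's analysisd code, the following Python script models that interaction over constructed event timestamps so the effect of changing the parent's ignore value can be checked directly. The model is an assumption, not the real engine: it treats ignore as a single per-rule timer, it counts only alerts the parent actually produced (a suppressed match is invisible to an if_matched_sid child), and it fires a child as soon as frequency parent alerts fall inside timeframe (the child's own ignore then throttles repeats). The source address 203.0.113.7 and all timestamps are constructed sample input.

```python
"""Simplified model of rule options frequency / timeframe / ignore /
if_matched_sid / same_source_ip.  Added illustration only; the real
OSSEC/Wazuh engine keeps more state (matched-event marking,
check_if_ignored, ...) and is not reproduced here."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

Alert = Tuple[int, int, Optional[str]]  # (timestamp, rule_id, srcip)


@dataclass
class Rule:
    rule_id: int
    level: int
    parent: Optional[int] = None   # <if_matched_sid>
    frequency: int = 0             # 0 -> fire on every match of the parent
    timeframe: int = 0             # seconds, used together with frequency
    ignore: int = 0                # seconds the rule stays silent after firing
    same_source_ip: bool = False   # <same_source_ip/>


class MiniCorrelator:
    def __init__(self, rules: List[Rule]):
        self.rules: Dict[int, Rule] = {r.rule_id: r for r in rules}
        self.children: Dict[int, List[Rule]] = {}
        for r in rules:
            if r.parent is not None:
                self.children.setdefault(r.parent, []).append(r)
        self.fired: Dict[int, List[Alert]] = {r.rule_id: [] for r in rules}
        self.ignore_until: Dict[int, int] = {}
        self.alerts: List[Alert] = []

    def feed(self, ts: int, srcip: Optional[str] = None) -> None:
        """One raw event; every root rule (no parent) is assumed to match it."""
        for rule in self.rules.values():
            if rule.parent is None:
                self._fire(rule, ts, srcip)

    def _fire(self, rule: Rule, ts: int, srcip: Optional[str]) -> None:
        # Model assumption: ignore is one timer per rule.  While it runs the
        # match is dropped, no alert exists, and children counting this rule's
        # alerts through if_matched_sid never see it.
        if ts < self.ignore_until.get(rule.rule_id, 0):
            return
        alert: Alert = (ts, rule.rule_id, srcip)
        self.fired[rule.rule_id].append(alert)
        self.alerts.append(alert)
        if rule.ignore:
            self.ignore_until[rule.rule_id] = ts + rule.ignore
        for child in self.children.get(rule.rule_id, []):
            if self._frequency_met(child, ts, srcip):
                self._fire(child, ts, srcip)

    def _frequency_met(self, child: Rule, ts: int, srcip: Optional[str]) -> bool:
        """True when >= frequency parent alerts lie within the child's timeframe."""
        window = [a for a in self.fired[child.parent]
                  if ts - child.timeframe < a[0] <= ts
                  and (not child.same_source_ip or a[2] == srcip)]
        return len(window) >= child.frequency


def ssh_bruteforce(parent_ignore: int) -> Tuple[int, int]:
    """Rules 5710/5712 from the thread against 10 constructed failed logins
    from one source, 5 s apart.  Returns (#alerts 5710, #alerts 5712)."""
    rules = [
        Rule(5710, level=5, ignore=parent_ignore),
        Rule(5712, level=10, parent=5710, frequency=8, timeframe=120,
             ignore=60, same_source_ip=True),
    ]
    c = MiniCorrelator(rules)
    for i in range(10):
        c.feed(1000 + 5 * i, "203.0.113.7")   # constructed sample source
    return len(c.fired[5710]), len(c.fired[5712])


def syscheck_chain(parent_ignore: int) -> Tuple[int, int]:
    """Rules 100345/100346 from the thread against constructed modification
    times of /tmp/test.txt.  Returns (#alerts 100345, #alerts 100346)."""
    rules = [
        Rule(100345, level=12, ignore=parent_ignore),
        Rule(100346, level=11, parent=100345, frequency=3, timeframe=300,
             ignore=150),
    ]
    c = MiniCorrelator(rules)
    for ts in (0, 5, 40, 45, 80, 85, 400):   # constructed timestamps
        c.feed(ts)
    return len(c.fired[100345]), len(c.fired[100346])


if __name__ == "__main__":
    print("5710 without ignore:", ssh_bruteforce(0))    # (10, 1)
    print("5710 with ignore=60:", ssh_bruteforce(60))   # (1, 0)
    print("100345 ignore=30:", syscheck_chain(30))       # (4, 1)
    print("100345 ignore=300:", syscheck_chain(300))     # (2, 0)
```

In this model a parent with ignore=60 produces a single alert during the 45-second burst, so rule 5712 never reaches frequency=8; with no ignore on the parent, 5712 fires once on the eighth login and its own ignore=60 swallows the ninth and tenth. For the syscheck chain, ignore=30 on 100345 lets three alerts (t=0, 40, 80) fit inside the 300-second window, while ignore=300 (equal to the timeframe) leaves at most one alert per window and 100346 never fires. In this simplified model the general condition is (frequency - 1) * ignore < timeframe; the real engine may differ in details, so verify against your own Wazuh version before relying on it.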
