CDB list rules


Abhi S

Jun 15, 2023, 2:00:25 AM
to Wazuh mailing list
Hi,

Can you provide custom rules associated with a CDB list and explain how to configure them? I have defined a CDB list and defined custom rules, which are not getting triggered.

<group name="MaliciousIP">
  <rule id="100010" level="11">
    <if_group>sshd</if_group>
    <list field="srcip" lookup="address_match_key">etc/lists/blacklist-alienvault</list>
    <description>Blacklisted IP attempted to login SSHD</description>
  </rule>
</group>



Henadence Anyam

Jun 15, 2023, 2:50:04 AM
to Wazuh mailing list
Hello Abhi,

Your rule definition is correct. Can you ascertain the following information:

1.) Is the IP address of the endpoint performing SSH-related activities found in the blacklist-alienvault list?
2.) Did you add a reference specifying the path to the blacklist-alienvault list within the <ruleset> block in the Wazuh manager configuration file /var/ossec/etc/ossec.conf?

Verify the above and everything should work correctly as I have just tested this.

You can follow our use case on malware detection using file hashes in a CDB list to see the steps involved in configuring CDB lists.

Waiting for your feedback on this.
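The two checks in the reply above, modelled in a stand-alone script. This is an added example, not code from the thread or from Wazuh: it parses a constructed CDB list in Wazuh's key:value text format, reproduces the address_match_key lookup against the srcip of constructed sshd log lines (exact IP keys, plus CIDR keys as the Wazuh documentation describes for IP lists, which is an assumption of this example rather than something verified against a manager), and checks that every list path referenced by a rule is also declared under <ruleset> in ossec.conf. All IPs, log lines and file contents are constructed; the rule itself is the one from the question.

```python
"""Added example (not from the thread or from Wazuh): model the two things
the reply says to verify before expecting rule 100010 to fire.
Sample IPs, log lines and config fragments are constructed."""
import ipaddress
import re
import xml.etree.ElementTree as ET

# Constructed CDB list in Wazuh's key:value format, one entry per line.
# A key with an empty value is enough for an address_match_key lookup.
BLACKLIST_TEXT = """\
203.0.113.5:
198.51.100.0/24:AlienVault-reputation
"""

# Constructed <ruleset> fragment as it would appear in ossec.conf (check 2).
OSSEC_CONF_RULESET = """\
<ruleset>
  <list>etc/lists/blacklist-alienvault</list>
</ruleset>
"""

# The rule from the question (a single <group> root, so it parses as-is).
RULES_XML = """\
<group name="MaliciousIP">
  <rule id="100010" level="11">
    <if_group>sshd</if_group>
    <list field="srcip" lookup="address_match_key">etc/lists/blacklist-alienvault</list>
    <description>Blacklisted IP attempted to login SSHD</description>
  </rule>
</group>
"""

# Constructed sshd lines; sshd decoders fill srcip from the "from <ip>" part.
SAMPLE_LOGS = [
    "Jun 15 02:00:01 host sshd[1234]: Failed password for root from 203.0.113.5 port 51234 ssh2",
    "Jun 15 02:00:02 host sshd[1235]: Accepted publickey for ops from 198.51.100.77 port 40001 ssh2",
    "Jun 15 02:00:03 host sshd[1236]: Failed password for admin from 192.0.2.9 port 50000 ssh2",
]
SSHD_FROM = re.compile(r"\bfrom (\d{1,3}(?:\.\d{1,3}){3})\b")


def parse_cdb_list(text):
    """Return {key: value} from key:value lines; blank and '#' lines are skipped."""
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(":")
        entries[key.strip()] = value.strip()
    return entries


def address_match_key(entries, srcip):
    """Model of the address_match_key lookup: True if srcip equals a key or
    falls inside a CIDR key (CIDR support assumed from the Wazuh docs)."""
    ip = ipaddress.ip_address(srcip)
    for key in entries:
        try:
            net = ipaddress.ip_network(key, strict=False)
        except ValueError:
            continue  # non-address key: ignored for an address lookup
        if ip in net:
            return True
    return False


def undeclared_lists(conf_xml, rules_xml):
    """List paths used by <list> in the rules but absent from <ruleset> (check 2)."""
    declared = {e.text.strip() for e in ET.fromstring(conf_xml).iter("list")}
    used = {e.text.strip() for e in ET.fromstring(rules_xml).iter("list")}
    return sorted(used - declared)


def evaluate_sshd(rules_xml, entries, log_line):
    """Return (rule_id, level) for the first srcip list rule that hits, else None.
    The line is assumed already decoded as sshd (the <if_group> condition)."""
    m = SSHD_FROM.search(log_line)
    if not m:
        return None
    srcip = m.group(1)
    for rule in ET.fromstring(rules_xml).iter("rule"):
        lst = rule.find("list")
        if lst is None or lst.get("field") != "srcip":
            continue
        if lst.get("lookup") == "address_match_key" and address_match_key(entries, srcip):
            return rule.get("id"), int(rule.get("level"))
    return None


def run_demo():
    """Run both checks over the constructed inputs and return the results."""
    entries = parse_cdb_list(BLACKLIST_TEXT)
    return {
        "undeclared": undeclared_lists(OSSEC_CONF_RULESET, RULES_XML),
        "hits": [evaluate_sshd(RULES_XML, entries, line) for line in SAMPLE_LOGS],
    }


if __name__ == "__main__":
    print(run_demo())
```

With the list declared, the first two lines hit rule 100010 (one by exact IP, one by the /24 key) and the third does not; drop the `<list>` line from the `<ruleset>` fragment and `undeclared_lists` reports the path, which is the silent failure mode from check 2. On a real manager the equivalent test is to restart the manager after adding the `<list>` entry and feed the sshd line to /var/ossec/bin/wazuh-logtest.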