Wazuh rules fine tuning.


hvn4k.

Feb 18, 2026, 11:26:45 PM (5 days ago) Feb 18
to Wazuh | Mailing List
Good day team,
Hope you guys are doing well.
 
I am looking to fine-tune my Wazuh alerts. Right now it gives an alert on every hit, which is what it is supposed to do, but I want to fine-tune it like this:

Let's assume the case of rule id 11201, ProFTPd session opened.
What I want to achieve:
- On the first hit it creates an alert.
- On the second hit [with the same source IP and destination address] it should not create another alert but should overwrite the previous one.
- It creates a new alert if the source IP or the destination address, or both, are different.

This is one case; I would like to fine-tune my other rules on this logic as well to reduce the noise, so can you give me any syntax or logic, or the whole rule ;P if possible.

Md. Nazmur Sakib

Feb 19, 2026, 12:54:20 AM (5 days ago) Feb 19
to Wazuh | Mailing List

Hello,


With the current rule engine of Wazuh and the architecture, there is no easy way to enrich an already created alert using the rule engine. You cannot make changes to the alerts from the manager once they are created.


You can do something like not triggering a new alert if the alert is from the same source IP and destination address for a specific time. But in that case, you will not have the new session information from the same IP in your alerts.
Ref: same_srcip, same_dstip



You can make use of the Wazuh indexer Update Document API to update or enrich a document's fields with new values:
https://docs.opensearch.org/latest/api-reference/document-apis/update-document/

And delete the second alert with the same source IP and destination address with the Delete Document API.



Let me know if you need any further information.
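The index-side approach described in this reply, written out as an added example (this is not code from Wazuh or from anyone in the thread): it takes search hits from the wazuh-alerts index, keeps the first alert per (rule id, source IP, agent IP), builds Update Document API bodies that enrich the kept alert with the repeat count and last-seen time, and lists the duplicates for the Delete Document API. The agent IP stands in for the "destination address" of the question, the base URL and credentials in `apply_plan` are assumptions, and the three hits are constructed for the example.

```python
"""Index-side de-duplication plan for Wazuh alerts (added example, not Wazuh code)."""
import base64
import json
import urllib.request

INDEX = "wazuh-alerts-4.x-2026.02.20"


def _hit(doc_id, ts, srcip, agent_ip, full_log):
    # Constructed sample hit, shaped like the _source of a rule 11201 alert.
    return {"_index": INDEX, "_id": doc_id, "_source": {
        "timestamp": ts,
        "rule": {"id": "11201", "level": 3},
        "data": {"srcip": srcip},
        "agent": {"ip": agent_ip, "id": "006"},
        "full_log": full_log,
    }}


# Constructed: a1 and a2 are the same source IP to the same agent, a3 is a different source.
SAMPLE_HITS = [
    _hit("a1", "2026-02-20T07:59:56.242+0500", "198.51.100.7", "10.0.0.5",
         "proftpd[1]: session[1] 0.0.0.0 (198.51.100.7[198.51.100.7]): SSH2 session opened."),
    _hit("a2", "2026-02-20T08:01:10.000+0500", "198.51.100.7", "10.0.0.5",
         "proftpd[2]: session[2] 0.0.0.0 (198.51.100.7[198.51.100.7]): SSH2 session opened."),
    _hit("a3", "2026-02-20T08:02:00.000+0500", "203.0.113.9", "10.0.0.5",
         "proftpd[3]: session[3] 0.0.0.0 (203.0.113.9[203.0.113.9]): SSH2 session opened."),
]


def alert_key(hit):
    """Grouping key: same rule, same source IP, same agent (used as the destination)."""
    src = hit["_source"]
    return (src["rule"]["id"], src.get("data", {}).get("srcip"), src["agent"]["ip"])


def plan_dedup(hits):
    """Return (updates, deletes).

    updates: (index, id, body) tuples for POST /<index>/_update/<id>
    deletes: (index, id) tuples for DELETE /<index>/_doc/<id>
    """
    groups = {}
    # Timestamps share one UTC offset, so lexical order is chronological order.
    for hit in sorted(hits, key=lambda h: h["_source"]["timestamp"]):
        groups.setdefault(alert_key(hit), []).append(hit)
    updates, deletes = [], []
    for docs in groups.values():
        keep, dups = docs[0], docs[1:]
        if not dups:
            continue
        latest = dups[-1]["_source"]
        # Partial update: only the "dedup" sub-document is written, other fields stay.
        body = {"doc": {"dedup": {
            "repeat_count": len(docs),
            "last_seen": latest["timestamp"],
            "last_full_log": latest["full_log"],
        }}}
        updates.append((keep["_index"], keep["_id"], body))
        deletes.extend((d["_index"], d["_id"]) for d in dups)
    return updates, deletes


def _request(base_url, auth_header, method, path, body=None):
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(base_url + path, data=data, method=method,
                                 headers={"Authorization": auth_header,
                                          "Content-Type": "application/json"})
    # Assumes the indexer's TLS certificate is trusted by this host.
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


def apply_plan(base_url, user, password, updates, deletes):
    """Send the plan to the indexer; base_url is assumed, e.g. https://indexer:9200."""
    auth = "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()
    results = []
    for index, doc_id, body in updates:
        results.append(_request(base_url, auth, "POST", f"/{index}/_update/{doc_id}", body))
    for index, doc_id in deletes:
        results.append(_request(base_url, auth, "DELETE", f"/{index}/_doc/{doc_id}"))
    return results


if __name__ == "__main__":
    ups, dels = plan_dedup(SAMPLE_HITS)
    print(json.dumps({"updates": ups, "deletes": dels}, indent=2))
```

Running the module prints the plan only; `apply_plan` is what would actually write to the indexer, and since the alerts index is normally written by Filebeat from the manager, any enrichment done this way lives only in the indexer and not in the manager's alerts.json.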

hvn4k.

Feb 20, 2026, 12:00:55 AM (4 days ago) Feb 20
to Wazuh | Mailing List
Regarding this, I am getting a huge amount of duplicate alerts for id 11201. I have tried a logic in rules, but somehow the <same_field>srcip</same_field> does not seem to work here.
Rule:
<group name="syslog,proftpd,">

  <rule id="100500" level="0" >
    <if_matched_sid>11201</if_matched_sid>
    <same_field>srcip</same_field>
    <description>
      Repeated FTP sessions from same IP to same server
    </description>
  </rule>

</group>
Logic: if any alert has the same srcip, it does not send an alert.

Alert JSON:
{
  "_index": "wazuh-alerts-4.x-2026.02.20",
  "_id": "UGn9eJwBTnBCDgLTe-lQ",
  "_score": null,
  "_source": {
    "predecoder": { "hostname": "********", "program_name": "proftpd", "timestamp": "Feb 20 02:59:56" },
    "input": { "type": "log" },
    "agent": { "ip": "***********", "name": "********", "id": "006" },
    "data": { "srcip": "185.197.250.178" },
    "manager": { "name": "**********" },
    "rule": {
      "firedtimes": 335,
      "mail": false,
      "level": 3,
      "hipaa": [ "164.312.b" ],
      "pci_dss": [ "10.2.5" ],
      "tsc": [ "CC6.8", "CC7.2", "CC7.3" ],
      "description": "ProFTPD: FTP session opened.",
      "groups": [ "syslog", "proftpd", "connection_attempt" ],
      "id": "11201",
      "nist_800_53": [ "AC.7", "AU.14" ],
      "gdpr": [ "IV_32.2" ]
    },
    "location": "journald",
    "decoder": { "name": "proftpd" },
    "id": "1771556396.1903341",
    "GeoLocation": {
      "city_name": "Los Angeles",
      "country_name": "United States",
      "region_name": "California",
      "location": { "lon": -118.2578, "lat": 34.0549 }
    },
    "full_log": "Feb 20 02:59:56 ******************* proftpd[826935]: session[826935] 0.0.0.0 (185.197.250.178[185.197.250.178]): SSH2 session opened.",
    "timestamp": "2026-02-20T07:59:56.242+0500"
  },
  "fields": { "timestamp": [ "2026-02-20T02:59:56.242Z" ] },
  "sort": [ 1771556396242 ]
}

Md. Nazmur Sakib

Feb 23, 2026, 1:13:14 AM (yesterday) Feb 23
to Wazuh | Mailing List

Hello,

same_srcip is used in conjunction with frequency and timeframe.
Ref: same_srcip
I can see that you have not used frequency and timeframe.
There is already a child rule for rule ID 11201, so rule 11201 will check that child rule first:

<rule id="11252" level="10" frequency="12" timeframe="60">
    <if_matched_sid>11201</if_matched_sid>
    <same_source_ip />
    <description>ProFTPD: Multiple connection attempts from same source.</description>
    <mitre>
      <id>T1110</id>
    </mitre>
    <group>gdpr_IV_35.7.d,nist_800_53_SI.4,pci_dss_11.4,recon,tsc_CC6.1,tsc_CC6.8,tsc_CC7.2,tsc_CC7.3,</group>
  </rule>

You can modify that child rule like this to trigger this custom modified rule:

<group name="syslog,proftpd,">
  <rule id="11252" level="0" frequency="2" timeframe="60" ignore="300" overwrite="yes">
    <if_matched_sid>11201</if_matched_sid>
    <same_source_ip />
    <description>ProFTPD: Multiple connection attempts from same source.</description>
    <mitre>
      <id>T1110</id>
    </mitre>
    <group>gdpr_IV_35.7.d,nist_800_53_SI.4,pci_dss_11.4,recon,tsc_CC6.1,tsc_CC6.8,tsc_CC7.2,tsc_CC7.3,</group>
  </rule>
</group>


Check this document to learn more about overwriting custom rules:
Changing existing rules


The rule with ID 11252 triggers a level 0 alert if rule 11201 matches 2 times within 60 seconds. To prevent floods, it is ignored for 300 seconds after triggering.


Let me know if you need any further information.

hvn4k.

2:23 AM (2 hours ago)
to Wazuh | Mailing List
I created a rule that is detecting duplicates, and for testing I set its level to 4 to check; it was firing on every duplicate source IP. But when I changed its level to 0 to suppress the duplicate alert, the base rule started firing for duplicates again instead of it.

    <rule id="100002"
        level="5"
        frequency="2"
        timeframe="86400">

      <if_matched_sid>11201</if_matched_sid>
      <match>session opened.$</match>
      <same_source_ip/>

      <description>
      Suppress duplicate ProFTPD session opened alerts (same srcip)
      </description>

    </rule>
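The two rule mistakes this thread turns on, a composite option such as same_source_ip or same_field used without frequency and timeframe, and a rule redefined under a stock id without overwrite="yes", can be caught before the file reaches the manager. The following linter is an added example and not part of the Wazuh project; it parses a custom rules file with the standard library, and the sample rules it is run against are the ones posted in this thread (rule 100500, the modified 11252 and rule 100002). The list of composite options it knows about is an assumption covering the common ones, not the full Wazuh list.

```python
"""Lint a Wazuh custom rules file for the pitfalls discussed in the thread (added example)."""
import xml.etree.ElementTree as ET

# Subset of Wazuh composite rule options (assumed list, not exhaustive). These are
# only evaluated on rules that also carry frequency and timeframe.
COMPOSITE_OPTIONS = {
    "same_source_ip", "same_srcip", "same_dstip", "same_user", "same_srcuser",
    "same_id", "same_location", "same_agent", "same_field", "different_field",
}
CUSTOM_ID_START = 100000  # Wazuh reserves ids below this for its own rules


def lint_rules(xml_text):
    """Return (rule_id, code, message) findings for the given rules XML text."""
    # A rules file may hold several top-level <group> elements, which is not
    # well-formed XML by itself, so wrap the text in a throwaway root first.
    root = ET.fromstring("<lint_root>" + xml_text + "</lint_root>")
    findings = []
    for rule in root.iter("rule"):
        rid = rule.get("id", "?")
        composite = sorted({child.tag for child in rule if child.tag in COMPOSITE_OPTIONS})
        if composite and not (rule.get("frequency") and rule.get("timeframe")):
            findings.append((rid, "composite-without-window",
                             f"uses {', '.join(composite)} but has no frequency/timeframe, "
                             "so the option is never evaluated"))
        if rid.isdigit() and int(rid) < CUSTOM_ID_START and rule.get("overwrite") != "yes":
            findings.append((rid, "stock-id-without-overwrite",
                             f'id {rid} is in the stock range; add overwrite="yes" '
                             "or use an id of 100000 or above"))
    return findings


# Sample inputs: the rules posted in the thread.
RULE_100500 = """
<group name="syslog,proftpd,">
  <rule id="100500" level="0" >
    <if_matched_sid>11201</if_matched_sid>
    <same_field>srcip</same_field>
    <description>Repeated FTP sessions from same IP to same server</description>
  </rule>
</group>
"""

RULE_11252_OVERWRITE = """
<group name="syslog,proftpd,">
  <rule id="11252" level="0" frequency="2" timeframe="60" ignore="300" overwrite="yes">
    <if_matched_sid>11201</if_matched_sid>
    <same_source_ip />
    <description>ProFTPD: Multiple connection attempts from same source.</description>
  </rule>
</group>
"""

RULE_100002 = """
<group name="syslog,proftpd,">
  <rule id="100002" level="5" frequency="2" timeframe="86400">
    <if_matched_sid>11201</if_matched_sid>
    <match>session opened.$</match>
    <same_source_ip/>
    <description>Suppress duplicate ProFTPD session opened alerts (same srcip)</description>
  </rule>
</group>
"""


if __name__ == "__main__":
    for name, text in [("100500", RULE_100500), ("11252", RULE_11252_OVERWRITE),
                       ("100002", RULE_100002)]:
        for rid, code, msg in lint_rules(text) or [(name, "ok", "no findings")]:
            print(f"rule {rid}: {code}: {msg}")
```

Run against the first rule in the thread it reports composite-without-window, which is exactly the point made in the reply above; the two later rules pass. After the lint, `/var/ossec/bin/wazuh-logtest` on the manager remains the place to confirm which rule a sample line actually ends up matching.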