Tuning Wazuh Rules
594 views
Skip to first unread message
Ivan Rios
Feb 20, 2023, 9:46:30 AM2/20/23
to Wazuh mailing list
Hello Wazuh team!
I've been trying to find a good way to stop receiving level 10 alerts for activity deemed by our Sys Admin team as normal in order to avoid notification fatigue (our email alerts are set up for level 10 and above alerts).
We have a server that generates a lot of the same alerts, so I wanted to create a custom rule for this specific server only so that we don't get a bunch of false positives. I've set up my alerts following the Wazuh documents but we still seem to be getting these alerts. Below are my custom rules. What is wrong with them? Why are they not overwriting the original rule?
<group name="ServerNormalActivity">
<rule id="100010" level="4" overwrite="yes">
<if_sid>18154</if_sid>
<field name="data.system_name">servername.domain.com</field>
<field name="data.extra_data">mpio</field>
<description>Normal activity on server.</description>
</rule>
<rule id="100011" level="4" overwrite="yes">
<if_sid>18154</if_sid>
<field name="data.system_name">servername.domain.com</field>
<field name="data.extra_data">disk</field>
<description>Normal activity on server.</description>
</rule>
</group>
<rule id="100010" level="4" overwrite="yes">
<if_sid>18154</if_sid>
<field name="data.system_name">servername.domain.com</field>
<field name="data.extra_data">mpio</field>
<description>Normal activity on server.</description>
</rule>
<rule id="100011" level="4" overwrite="yes">
<if_sid>18154</if_sid>
<field name="data.system_name">servername.domain.com</field>
<field name="data.extra_data">disk</field>
<description>Normal activity on server.</description>
</rule>
</group>
My goal is to stop this specific noise from this server but not changing the default rule since I do want to get notified for other servers if triggered.
Please let me know how I can fix this issue! :)
Thank you,
Ivan
Openime Oniagbi
Feb 20, 2023, 10:03:23 AM2/20/23
to Wazuh mailing list
Hi Ivan,
Thank you for using Wazuh.
Please confirm the rule ID of the rule you are trying to overwrite. I can see two rule IDs in the rules you have posted.
Regards,
Openime
Thank you for using Wazuh.
Please confirm the rule ID of the rule you are trying to overwrite. I can see two rule IDs in the rules you have posted.
Regards,
Openime
Ivan Rios
Feb 20, 2023, 10:23:27 AM2/20/23
to Wazuh mailing list
Hello Openime,
The default rule I am trying to overwrite is
18154 by using the if_sid. I'm calling two custom rules for two different scenarios to overwrite the default rule 18154. Both of those custom rules are different, but my plan is that if each of those custom rules are met, it overwrites the default rule.
Looking forward to your help! I'm not sure why the default rule is still getting triggered.
Ivan
Openime Oniagbi
Feb 20, 2023, 11:27:52 AM2/20/23
to Wazuh mailing list
Hi Ivan,
If you are using custom rules, you don't need to use the overwrite option. The overwrite option is used when trying to overwrite a rule while still using its rule ID.
In your case, you can use the custom rules without the overwrite option. However, if your goal is to overwrite the out-of-the-box Wazuh rule, you must preserve the rule ID and structure of the original rule.
I hope this is clear to you. If it is not, please let me know, and I will explain better.
If you are using custom rules, you don't need to use the overwrite option. The overwrite option is used when trying to overwrite a rule while still using its rule ID.
In your case, you can use the custom rules without the overwrite option. However, if your goal is to overwrite the out-of-the-box Wazuh rule, you must preserve the rule ID and structure of the original rule.
I hope this is clear to you. If it is not, please let me know, and I will explain better.
Regards,
Openime
Ivan Rios
Feb 20, 2023, 2:14:26 PM2/20/23
to Wazuh mailing list
That makes sense. The problem is that I originally tried that and it didn't work. Before I put the overwrite option, I had it written like down below. Yet I still would get alerts for 18154 (a level 10 alert) which led me to put the overwrite option. What is wrong with the rules below?
<group name="ServerNormalActivity">
<rule id="100010" level="4">
<rule id="100010" level="4">
<if_sid>18154</if_sid>
<field name="data.system_name">servername.domain.com</field>
<field name="data.extra_data">mpio</field>
<description>Normal activity on server.</description>
</rule>
<rule id="100011" level="4">
<field name="data.system_name">servername.domain.com</field>
<field name="data.extra_data">mpio</field>
<description>Normal activity on server.</description>
</rule>
<rule id="100011" level="4">
<if_sid>18154</if_sid>
<field name="data.system_name">servername.domain.com</field>
<field name="data.extra_data">disk</field>
<description>Normal activity on server.</description>
</rule>
</group>
<field name="data.system_name">servername.domain.com</field>
<field name="data.extra_data">disk</field>
<description>Normal activity on server.</description>
</rule>
</group>
Openime Oniagbi
Feb 21, 2023, 3:12:19 AM2/21/23
to Wazuh mailing list
Hi Ivan,
The error could be in how the field options are specified.
The error could be in how the field options are specified.
I won't know for sure unless I see the rule and the logs you want to match them against.
Regards,
Openime
Openime
Reply all
Reply to author
Forward
0 new messages