rules level and frequency


Somchai Thongchai

Feb 15, 2024, 7:04:59 AM
to Wazuh | Mailing List
Hello everyone.

I have various questions:
1- When creating rules and specifying the level, the specified number seems to determine a seemingly random number of events reported in Wazuh alerts: for example, with level = 3 I have three events, with level = 10 five events, and with level = 15 all the events... Is there any way or documentation to know what this is based on?

2- I am trying to make a frequency rule:

  <rule id="100929" level="15" frequency="4" timeframe="15">
    <if_matched_sid>100927</if_matched_sid>
    <description>test</description>
    <group>ransom_notifications,</group>
  </rule>

The problem is that if the rule it refers to has level 0, no event appears; if I change it to level 15, it does.

  <rule id="100927" level="0">
    <if_sid>61609</if_sid>
    <field name="win.system.eventID">7</field>
    <description>Software $(win.eventdata.image) loaded into $(win.eventdata.imageLoaded), possible ransomware.</description>
  </rule>

Nicolas Curioni

Feb 15, 2024, 2:58:44 PM
to Somchai Thongchai, Wazuh | Mailing List

Hello Somchai,

Thanks for using Wazuh and sharing your doubts with the community.

Regarding question 1, the rules are classified in multiple levels, from the lowest (0) to the maximum (16). These levels are related to the severity of each triggered alert. You can find detailed information related to this topic in the following official documentation:

Regarding your second question, you can create your custom rule, giving a level of 1 or 2 to the rule that is indicated in the <if_matched_sid> option. Please find an example of this below:

<group name="local,syslog,sshd,">
  <rule id="100002" level="1">
    <if_sid>5716</if_sid>
    <match type="pcre2">\b(?!(10)|192\.168|172\.(2[0-9]|1[6-9]|3[0-1])|(25[6-9]|2[6-9][0-9]|[3-9][0-9][0-9]|99[1-9]))[0-9]{1,3}\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)</match>
    <description>sshd: Authentication failed from a public IP address $(srcip).</description>
    <group>authentication_failed,authentication_success,pci_dss_10.2.4,pci_dss_10.2.5,</group>
  </rule>

  <rule id="100201" level="5" frequency="4" timeframe="15">
    <if_matched_sid>100002</if_matched_sid>
    <description>Frequency test</description>
    <group>authentication_failed,authentication_success,pci_dss_10.2.4,pci_dss_10.2.5,</group>
  </rule>

I used a custom rule with ID 100002, which is related to Authentication failed from a public IP, and created it with level 1. After this, I created rule 100201 and set some frequency parameters. Testing this in the Wazuh ruleset test (you can find this in Wazuh > Management > Rules > Ruleset test), we can notice that the rule with level 1 is triggered 3 times, and on the 4th occurrence rule 100201 is fired:

**Phase 1: Completed pre-decoding.
    full event: 'Dec 10 01:02:02 host sshd[1234]: Failed none for root from 165.132.65.87 port 1066 ssh2'
    timestamp: 'Dec 10 01:02:02'
    hostname: 'host'
    program_name: 'sshd'

**Phase 2: Completed decoding.
    name: 'sshd'
    parent: 'sshd'
    dstuser: 'root'
    srcip: '165.132.65.87'
    srcport: '1066'

**Phase 3: Completed filtering (rules).
    id: '100002'
    level: '1'
    description: 'sshd: Authentication failed from a public IP address 165.132.65.87.'
    groups: '["local","syslog","sshd","authentication_failed","authentication_success"]'
    firedtimes: '4'
    mail: 'false'
    pci_dss: '["10.2.4","10.2.5"]'

**Phase 1: Completed pre-decoding.
    full event: 'Dec 10 01:02:02 host sshd[1234]: Failed none for root from 165.132.65.87 port 1066 ssh2'
    timestamp: 'Dec 10 01:02:02'
    hostname: 'host'
    program_name: 'sshd'

**Phase 2: Completed decoding.
    name: 'sshd'
    parent: 'sshd'
    dstuser: 'root'
    srcip: '165.132.65.87'
    srcport: '1066'

**Phase 3: Completed filtering (rules).
    id: '100002'
    level: '1'
    description: 'sshd: Authentication failed from a public IP address 165.132.65.87.'
    groups: '["local","syslog","sshd","authentication_failed","authentication_success"]'
    firedtimes: '5'
    mail: 'false'
    pci_dss: '["10.2.4","10.2.5"]'

**Phase 1: Completed pre-decoding.
    full event: 'Dec 10 01:02:02 host sshd[1234]: Failed none for root from 165.132.65.87 port 1066 ssh2'
    timestamp: 'Dec 10 01:02:02'
    hostname: 'host'
    program_name: 'sshd'

**Phase 2: Completed decoding.
    name: 'sshd'
    parent: 'sshd'
    dstuser: 'root'
    srcip: '165.132.65.87'
    srcport: '1066'

**Phase 3: Completed filtering (rules).
    id: '100002'
    level: '1'
    description: 'sshd: Authentication failed from a public IP address 165.132.65.87.'
    groups: '["local","syslog","sshd","authentication_failed","authentication_success"]'
    firedtimes: '6'
    mail: 'false'
    pci_dss: '["10.2.4","10.2.5"]'

**Phase 1: Completed pre-decoding.
    full event: 'Dec 10 01:02:02 host sshd[1234]: Failed none for root from 165.132.65.87 port 1066 ssh2'
    timestamp: 'Dec 10 01:02:02'
    hostname: 'host'
    program_name: 'sshd'

**Phase 2: Completed decoding.
    name: 'sshd'
    parent: 'sshd'
    dstuser: 'root'
    srcip: '165.132.65.87'
    srcport: '1066'

**Phase 3: Completed filtering (rules).
    id: '100201'
    level: '5'
    description: 'Frequency test'
    groups: '["local","syslog","sshd","authentication_failed","authentication_success"]'
    firedtimes: '2'
    frequency: '4'
    mail: 'false'
    pci_dss: '["10.2.4","10.2.5"]'
**Alert to be generated.

You can find further information about this in our official documentation:

I hope this helps.

Regards!
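Added example (not Wazuh's code and not from either post): a small Python lint that parses a custom rules fragment and flags the pitfall discussed in this thread, a frequency rule whose <if_matched_sid> target has level 0. The sample rules are the two from the question, wrapped in a constructed <group> so the fragment parses as XML; the check for frequency without timeframe is an extra sanity check added here.

```python
"""Lint Wazuh custom rules for the if_matched_sid / level-0 pitfall.

Added example, not part of Wazuh or of the thread's own code. A level-0
rule produces no alert, so a frequency rule pointing at it with
<if_matched_sid> has nothing to count and never fires (the behaviour
reported in the question); raising the target to level 1 or 2 fixes it.
"""
import xml.etree.ElementTree as ET

# Constructed sample: the rules from the question inside an assumed <group>.
SAMPLE_RULES = """
<group name="local,windows,">
  <rule id="100927" level="0">
    <if_sid>61609</if_sid>
    <field name="win.system.eventID">7</field>
    <description>Software $(win.eventdata.image) loaded into $(win.eventdata.imageLoaded), possible ransomware.</description>
  </rule>
  <rule id="100929" level="15" frequency="4" timeframe="15">
    <if_matched_sid>100927</if_matched_sid>
    <description>test</description>
    <group>ransom_notifications,</group>
  </rule>
</group>
"""


def lint_rules(xml_text):
    """Return a list of (rule_id, message) findings for a rules fragment."""
    # Wazuh rule files may hold several top-level <group> elements, so wrap
    # the fragment in a synthetic root to keep ElementTree happy.
    root = ET.fromstring("<rules>" + xml_text + "</rules>")
    rules = {r.get("id"): r for r in root.iter("rule")}
    findings = []
    for rid, rule in rules.items():
        ref = rule.find("if_matched_sid")
        if ref is not None:
            target_id = (ref.text or "").strip()
            target = rules.get(target_id)
            if target is None:
                findings.append((rid, f"if_matched_sid {target_id} is not defined in this file"))
            elif target.get("level") == "0":
                findings.append((rid, f"if_matched_sid target {target_id} has level 0 and "
                                      "generates no alert to match; give it level 1 or 2"))
        # A frequency threshold only makes sense together with a timeframe.
        if rule.get("frequency") is not None and rule.get("timeframe") is None:
            findings.append((rid, "frequency is set without a timeframe"))
    return findings


if __name__ == "__main__":
    for rule_id, message in lint_rules(SAMPLE_RULES):
        print(f"rule {rule_id}: {message}")
```

Changing the target rule to level="1" in the sample, as the reply suggests, makes the lint report nothing.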

