Wazuh Rule Fine Tuning


Steven Paugh

Feb 6, 2023, 10:34:49 AM
to Wazuh mailing list
Hello team,

I am trying to figure out how to tune alerts in Wazuh. I am currently stuck on how to take a rule like the one below and tune it so that two hostnames, or agent names would not trigger the alert. The rule is as follows:

  <rule id="2501" level="5">
    <match>FAILED LOGIN |authentication failure|</match>
    <match>Authentication failed for|invalid password for|</match>
    <match>LOGIN FAILURE|auth failure: |authentication error|</match>
    <match>authinternal failed|Failed to authorize|</match>
    <match>Wrong password given for|login failed|Auth: Login incorrect|</match>
    <match>Failed to authenticate user</match>
    <group>authentication_failed,pci_dss_10.2.4,pci_dss_10.2.5,gpg13_7.8,gdpr_IV_35.7.d,gdpr_IV_32.2,hipaa_164.312.b,nist_800_53_AU.14,nist_800_53_AC.7,tsc_CC6.1,tsc_CC6.8,tsc_CC7.2,tsc_CC7.3,</group>
    <description>syslog: User authentication failure.</description>
  </rule>


I have tried to use the local_rules.xml file to do this from some of the other posts here with no luck. Any help is appreciated!

Thank you,
-Steven

Henadence Anyam

Feb 6, 2023, 10:50:36 AM
to Wazuh mailing list
Hello Spaugh!
Thank you for using Wazuh.

To suppress the rule ID: 2501 for agent_name1 and agent_name2, you can add a child rule with level 0 using the <hostname> tag.
To do so, add the following block in the /var/ossec/etc/rules/local_rules.xml file of the Wazuh manager:

<group name="syslog,access_control,suppression,">
    <rule id="150000" level="0">
        <if_sid>2501</if_sid>
        <hostname>agent_name1|agent_name2</hostname>
        <description>Suppress User authentication failure on selected hosts</description>
    </rule>
</group>

Replace agent_name1 and agent_name2 with the correct name of your Wazuh agents.
You can get additional information about this option here.

Let me know if you find this information helpful.

Best regards.
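As an added illustration (not code from the thread or from Wazuh itself), a small Python model of how the level-0 child rule silences rule 2501 only for the agents its <hostname> pattern matches. It assumes Wazuh's sregex semantics for that field (alternatives separated by `|`, `^`/`$` anchors, and unanchored alternatives matching anywhere in the agent name) and runs over constructed sample events; it also shows why an unanchored pattern can suppress more agents than intended.

```python
import re

# Constructed sample events (not from the thread). Each has already matched
# parent rule 2501 (syslog authentication failure) and carries its agent name.
EVENTS = [
    {"agent": "agent_name1", "log": "sshd: Failed password for root"},
    {"agent": "agent_name2", "log": "login: FAILED LOGIN on tty1"},
    {"agent": "agent_name10", "log": "sshd: authentication failure"},
    {"agent": "webserver", "log": "Authentication failed for admin"},
]


def sregex_match(pattern, value):
    """Model (assumption) of Wazuh sregex semantics for <hostname>:
    '|' separates alternatives, '^' anchors the start, '$' anchors the end,
    and an unanchored alternative matches anywhere inside the value."""
    for alt in pattern.split("|"):
        if not alt:
            continue
        anchored_start = alt.startswith("^")
        anchored_end = alt.endswith("$")
        body = re.escape(alt.strip("^$"))  # literal text of this alternative
        rx = ("^" if anchored_start else "") + body + ("$" if anchored_end else "")
        if re.search(rx, value):
            return True
    return False


def alert_level(event, hostname_pattern, parent_level=5):
    """Level that reaches alerts for one event: the level-0 child rule
    (if_sid 2501 plus <hostname>) wins whenever its pattern matches the agent."""
    if sregex_match(hostname_pattern, event["agent"]):
        return 0            # child rule 150000 fires: level 0, nothing alerted
    return parent_level     # only rule 2501 fires: alert at level 5


def suppressed_agents(hostname_pattern, events=EVENTS):
    """Agent names whose authentication failures the pattern would silence."""
    return [e["agent"] for e in events if alert_level(e, hostname_pattern) == 0]


if __name__ == "__main__":
    # The unanchored pattern from the reply also silences agent_name10,
    # because "agent_name1" is a substring of it; anchoring fixes that.
    for pat in ("agent_name1|agent_name2", "^agent_name1$|^agent_name2$"):
        print(pat, "->", suppressed_agents(pat))
```

Before relying on a pattern in production, confirm the same behaviour against your own manager with wazuh-logtest, since this script only models the matching rule, not the full engine.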

Steven Paugh

Feb 6, 2023, 7:10:33 PM
to Wazuh mailing list
Thank you for the quick response! I will keep an eye out and make sure this resolved my issues, but so far so good.

Respectfully,
-Steven
