Wazuh rule not triggering correctly


Mithun Haridas

Mar 18, 2025, 12:15:26 AM
to Wazuh | Mailing List
Hello team,

Wazuh is not triggering my custom rule the way I need it to.

The rule I created:

<group name="firewall,fortianalyzer,syslog,">
  <rule id="111700" level="4">
    <decoded_as>fortianalyzer</decoded_as>
    <description>Fortianalyzer: Messages grouped.</description>
  </rule>

  <rule id="111710" level="3">
    <if_sid>111700</if_sid>
    <field name="event_category">^traffic$</field>
    <description>Fortianalyzer: Traffic logs.</description>
  </rule>

  <rule id="111742" level="4">
    <if_sid>111710</if_sid>
    <list field="srcip" lookup="address_match_key">etc/lists/private-ip</list>
    <list field="dstip" lookup="address_match_key">etc/lists/private-ip</list>
    <description>Fortianalyzer: Internal traffic.</description>
  </rule>

  <!-- Composite rule: 5 matches of 111742 within 300 s -->
  <rule id="111745" level="14" frequency="5" timeframe="300">
    <if_matched_sid>111742</if_matched_sid>
    <same_srcip/>
    <same_dstport/>
    <different_dstip/>
    <dstport negate="yes">^53$|^123$</dstport>
    <description>Fortianalyzer: LAN2LAN horizontal scanning detected from a single host to multiple destinations.</description>
  </rule>
</group>

In order to trigger this rule, I need Wazuh to examine five internal traffic logs with the same srcip, the same dstport, and distinct dstips over a period of five minutes.
However, Wazuh does not check this the way I need it to with this rule.

Was the rule written incorrectly? Currently, Wazuh only compares the fourth and fifth logs against the conditions I specified in rule ID 111745; it does not check this condition against all of the prior logs, as all four previous logs have the same dstip.

I already raised this issue before but did not get a solution for it.

Old conversation: https://groups.google.com/g/wazuh/c/ZKqJSIRr5oc/m/pD3ALilzAQAJ

Please provide a solution for this ASAP.



Regards

Bony V John

Mar 18, 2025, 1:08:34 AM
to Wazuh | Mailing List
Hi,

Based on your requirement, I have made a small update to your rule 111745, and I have tested it from my end. It is working fine for me. I have attached a screenshot of my testing for your reference.  

<group name="firewall,fortianalyzer,syslog,">
    <rule id="111700" level="4">
        <decoded_as>fortianalyzer</decoded_as>
        <description>Fortianalyzer: Messages grouped.</description>
    </rule>
   
    <rule id="111710" level="3">
        <if_sid>111700</if_sid>
        <field name="event_category">^traffic$</field>
        <description>Fortianalyzer: Traffic logs.</description>
    </rule>
   
    <rule id="111742" level="4">
        <if_sid>111710</if_sid>
        <list field="srcip" lookup="address_match_key">etc/lists/private-ip</list>
        <list field="dstip" lookup="address_match_key">etc/lists/private-ip</list>
        <description>Fortianalyzer: Internal traffic.</description>
    </rule>
   
    <rule id="111745" level="14" frequency="5" timeframe="300">                  
        <if_matched_sid>111742</if_matched_sid>
        <same_srcip/>
        <same_dstport/>
        <different_dstip/>
        <dstport negate="yes" type="osregex">^53$|^123$</dstport>

        <description>Fortianalyzer: LAN2LAN horizontal scanning detected from a single host to multiple destinations.</description>
    </rule>
</group>

Changes I made:
  In your custom rule 111745, you had used regex in the <dstport> tag but did not add the option type="osregex". When using regex in the <dstport> tag, you need to specify the type in that tag. You can refer to the Wazuh rule syntax documentation for this.  

The sample log I used for testing:

Jan 09 10:09:43 AA-FIU1-FGTFW CEF:0|Fortinet|FortiGate-60F|7.4.4,build2662 (GA)|0000000013|forward traffic server-rst|5|start=Jan 09 2025 10:09:43 logver=704042662 deviceExternalId=FGT60FAJZ dvchost=AA-FIU1-FGTFW vd=root eventtime=1736402984774088220 tz=+0400 logid=0000000013 cat=traffic subtype=forward deviceSeverity=notice src=10.6.128.117 spt=433 deviceInboundInterface=HHHH srcintfrole=undefined dst=10.6.1.101 dpt=389 deviceOutboundInterface=KKK dstintfrole=undefined replysrcintf=MMMMMM srccountry=Reserved dstcountry=Reserved externalID=14115 proto=6 act=server-rst policyid=1 policytype=policy poluuid=92017e-51ef-8b1e-1fae8e136399 policyname=KKK to JDDJ duser=AAAAA.BBBB authserver=ASASASA app=LDAP trandisp=noop duration=5 out=2545 in=677 sentpkt=7 rcvdpkt=5 vpntype=ipsecvpn vwlid=1 vwlquality=ASASHBDN alive selected vwlname=DDDDDDD appcat=unscanned tz="+0400"
Jan 09 10:09:43 AA-FIU1-FGTFW CEF:0|Fortinet|FortiGate-60F|7.4.4,build2662 (GA)|0000000013|forward traffic server-rst|5|start=Jan 09 2025 10:09:43 logver=704042662 deviceExternalId=FGT60FAJZ dvchost=AA-FIU1-FGTFW vd=root eventtime=1736402984774088220 tz=+0400 logid=0000000013 cat=traffic subtype=forward deviceSeverity=notice src=10.6.128.117 spt=433 deviceInboundInterface=HHHH srcintfrole=undefined dst=10.6.1.102 dpt=389 deviceOutboundInterface=KKK dstintfrole=undefined replysrcintf=MMMMMM srccountry=Reserved dstcountry=Reserved externalID=14115 proto=6 act=server-rst policyid=1 policytype=policy poluuid=92017e-51ef-8b1e-1fae8e136399 policyname=KKK to JDDJ duser=AAAAA.BBBB authserver=ASASASA app=LDAP trandisp=noop duration=5 out=2545 in=677 sentpkt=7 rcvdpkt=5 vpntype=ipsecvpn vwlid=1 vwlquality=ASASHBDN alive selected vwlname=DDDDDDD appcat=unscanned tz="+0400"
Jan 09 10:09:43 AA-FIU1-FGTFW CEF:0|Fortinet|FortiGate-60F|7.4.4,build2662 (GA)|0000000013|forward traffic server-rst|5|start=Jan 09 2025 10:09:43 logver=704042662 deviceExternalId=FGT60FAJZ dvchost=AA-FIU1-FGTFW vd=root eventtime=1736402984774088220 tz=+0400 logid=0000000013 cat=traffic subtype=forward deviceSeverity=notice src=10.6.128.117 spt=433 deviceInboundInterface=HHHH srcintfrole=undefined dst=10.6.1.103 dpt=389 deviceOutboundInterface=KKK dstintfrole=undefined replysrcintf=MMMMMM srccountry=Reserved dstcountry=Reserved externalID=14115 proto=6 act=server-rst policyid=1 policytype=policy poluuid=92017e-51ef-8b1e-1fae8e136399 policyname=KKK to JDDJ duser=AAAAA.BBBB authserver=ASASASA app=LDAP trandisp=noop duration=5 out=2545 in=677 sentpkt=7 rcvdpkt=5 vpntype=ipsecvpn vwlid=1 vwlquality=ASASHBDN alive selected vwlname=DDDDDDD appcat=unscanned tz="+0400"
Jan 09 10:09:43 AA-FIU1-FGTFW CEF:0|Fortinet|FortiGate-60F|7.4.4,build2662 (GA)|0000000013|forward traffic server-rst|5|start=Jan 09 2025 10:09:43 logver=704042662 deviceExternalId=FGT60FAJZ dvchost=AA-FIU1-FGTFW vd=root eventtime=1736402984774088220 tz=+0400 logid=0000000013 cat=traffic subtype=forward deviceSeverity=notice src=10.6.128.117 spt=433 deviceInboundInterface=HHHH srcintfrole=undefined dst=10.6.1.104 dpt=389 deviceOutboundInterface=KKK dstintfrole=undefined replysrcintf=MMMMMM srccountry=Reserved dstcountry=Reserved externalID=14115 proto=6 act=server-rst policyid=1 policytype=policy poluuid=92017e-51ef-8b1e-1fae8e136399 policyname=KKK to JDDJ duser=AAAAA.BBBB authserver=ASASASA app=LDAP trandisp=noop duration=5 out=2545 in=677 sentpkt=7 rcvdpkt=5 vpntype=ipsecvpn vwlid=1 vwlquality=ASASHBDN alive selected vwlname=DDDDDDD appcat=unscanned tz="+0400"
Jan 09 10:09:43 AA-FIU1-FGTFW CEF:0|Fortinet|FortiGate-60F|7.4.4,build2662 (GA)|0000000013|forward traffic server-rst|5|start=Jan 09 2025 10:09:43 logver=704042662 deviceExternalId=FGT60FAJZ dvchost=AA-FIU1-FGTFW vd=root eventtime=1736402984774088220 tz=+0400 logid=0000000013 cat=traffic subtype=forward deviceSeverity=notice src=10.6.128.117 spt=433 deviceInboundInterface=HHHH srcintfrole=undefined dst=10.6.1.105 dpt=389 deviceOutboundInterface=KKK dstintfrole=undefined replysrcintf=MMMMMM srccountry=Reserved dstcountry=Reserved externalID=14115 proto=6 act=server-rst policyid=1 policytype=policy poluuid=92017e-51ef-8b1e-1fae8e136399 policyname=KKK to JDDJ duser=AAAAA.BBBB authserver=ASASASA app=LDAP trandisp=noop duration=5 out=2545 in=677 sentpkt=7 rcvdpkt=5 vpntype=ipsecvpn vwlid=1 vwlquality=ASASHBDN alive selected vwlname=DDDDDDD appcat=unscanned tz="+0400"

Each log has a different dstIP: 10.6.1.101, 10.6.1.102, 10.6.1.103, 10.6.1.104, 10.6.1.105.


I have created a CDB list called private-ip and added the above IPs along with the srcip from the logs to trigger rule ID 111742.  
[Attachment: Screenshot 2025-03-18 102119.png]

Here is the screenshot of my testing:
[Attachment: Screenshot 2025-03-18 103707.png]

You can refer to the Wazuh rule syntax documentation and CDB list documentation for more details.

Mithun Haridas

Mar 18, 2025, 2:16:40 AM
to Wazuh | Mailing List
Hi,

I have updated the rule as you shared it with me:
[Attachment: Update rule 111745.png]

The result when I tested with the logs you shared with me:
[Attachment: Update rule 111745.png]


Now I tested the same logs with the same dstIP in the first three logs and a different dstIP in the 4th and 5th logs.

Logs:

Jan 09 10:09:43 AA-FIU1-FGTFW CEF:0|Fortinet|FortiGate-60F|7.4.4,build2662 (GA)|0000000013|forward traffic server-rst|5|start=Jan 09 2025 10:09:43 logver=704042662 deviceExternalId=FGT60FAJZ dvchost=AA-FIU1-FGTFW vd=root eventtime=1736402984774088220 tz=+0400 logid=0000000013 cat=traffic subtype=forward deviceSeverity=notice src=10.6.128.117 spt=433 deviceInboundInterface=HHHH srcintfrole=undefined dst=10.6.1.101 dpt=389 deviceOutboundInterface=KKK dstintfrole=undefined replysrcintf=MMMMMM srccountry=Reserved dstcountry=Reserved externalID=14115 proto=6 act=server-rst policyid=1 policytype=policy poluuid=92017e-51ef-8b1e-1fae8e136399 policyname=KKK to JDDJ duser=AAAAA.BBBB authserver=ASASASA app=LDAP trandisp=noop duration=5 out=2545 in=677 sentpkt=7 rcvdpkt=5 vpntype=ipsecvpn vwlid=1 vwlquality=ASASHBDN alive selected vwlname=DDDDDDD appcat=unscanned tz="+0400"
Jan 09 10:09:43 AA-FIU1-FGTFW CEF:0|Fortinet|FortiGate-60F|7.4.4,build2662 (GA)|0000000013|forward traffic server-rst|5|start=Jan 09 2025 10:09:43 logver=704042662 deviceExternalId=FGT60FAJZ dvchost=AA-FIU1-FGTFW vd=root eventtime=1736402984774088220 tz=+0400 logid=0000000013 cat=traffic subtype=forward deviceSeverity=notice src=10.6.128.117 spt=433 deviceInboundInterface=HHHH srcintfrole=undefined dst=10.6.1.101 dpt=389 deviceOutboundInterface=KKK dstintfrole=undefined replysrcintf=MMMMMM srccountry=Reserved dstcountry=Reserved externalID=14115 proto=6 act=server-rst policyid=1 policytype=policy poluuid=92017e-51ef-8b1e-1fae8e136399 policyname=KKK to JDDJ duser=AAAAA.BBBB authserver=ASASASA app=LDAP trandisp=noop duration=5 out=2545 in=677 sentpkt=7 rcvdpkt=5 vpntype=ipsecvpn vwlid=1 vwlquality=ASASHBDN alive selected vwlname=DDDDDDD appcat=unscanned tz="+0400"
Jan 09 10:09:43 AA-FIU1-FGTFW CEF:0|Fortinet|FortiGate-60F|7.4.4,build2662 (GA)|0000000013|forward traffic server-rst|5|start=Jan 09 2025 10:09:43 logver=704042662 deviceExternalId=FGT60FAJZ dvchost=AA-FIU1-FGTFW vd=root eventtime=1736402984774088220 tz=+0400 logid=0000000013 cat=traffic subtype=forward deviceSeverity=notice src=10.6.128.117 spt=433 deviceInboundInterface=HHHH srcintfrole=undefined dst=10.6.1.101 dpt=389 deviceOutboundInterface=KKK dstintfrole=undefined replysrcintf=MMMMMM srccountry=Reserved dstcountry=Reserved externalID=14115 proto=6 act=server-rst policyid=1 policytype=policy poluuid=92017e-51ef-8b1e-1fae8e136399 policyname=KKK to JDDJ duser=AAAAA.BBBB authserver=ASASASA app=LDAP trandisp=noop duration=5 out=2545 in=677 sentpkt=7 rcvdpkt=5 vpntype=ipsecvpn vwlid=1 vwlquality=ASASHBDN alive selected vwlname=DDDDDDD appcat=unscanned tz="+0400"
Jan 09 10:09:43 AA-FIU1-FGTFW CEF:0|Fortinet|FortiGate-60F|7.4.4,build2662 (GA)|0000000013|forward traffic server-rst|5|start=Jan 09 2025 10:09:43 logver=704042662 deviceExternalId=FGT60FAJZ dvchost=AA-FIU1-FGTFW vd=root eventtime=1736402984774088220 tz=+0400 logid=0000000013 cat=traffic subtype=forward deviceSeverity=notice src=10.6.128.117 spt=433 deviceInboundInterface=HHHH srcintfrole=undefined dst=10.6.1.104 dpt=389 deviceOutboundInterface=KKK dstintfrole=undefined replysrcintf=MMMMMM srccountry=Reserved dstcountry=Reserved externalID=14115 proto=6 act=server-rst policyid=1 policytype=policy poluuid=92017e-51ef-8b1e-1fae8e136399 policyname=KKK to JDDJ duser=AAAAA.BBBB authserver=ASASASA app=LDAP trandisp=noop duration=5 out=2545 in=677 sentpkt=7 rcvdpkt=5 vpntype=ipsecvpn vwlid=1 vwlquality=ASASHBDN alive selected vwlname=DDDDDDD appcat=unscanned tz="+0400"
Jan 09 10:09:43 AA-FIU1-FGTFW CEF:0|Fortinet|FortiGate-60F|7.4.4,build2662 (GA)|0000000013|forward traffic server-rst|5|start=Jan 09 2025 10:09:43 logver=704042662 deviceExternalId=FGT60FAJZ dvchost=AA-FIU1-FGTFW vd=root eventtime=1736402984774088220 tz=+0400 logid=0000000013 cat=traffic subtype=forward deviceSeverity=notice src=10.6.128.117 spt=433 deviceInboundInterface=HHHH srcintfrole=undefined dst=10.6.1.105 dpt=389 deviceOutboundInterface=KKK dstintfrole=undefined replysrcintf=MMMMMM srccountry=Reserved dstcountry=Reserved externalID=14115 proto=6 act=server-rst policyid=1 policytype=policy poluuid=92017e-51ef-8b1e-1fae8e136399 policyname=KKK to JDDJ duser=AAAAA.BBBB authserver=ASASASA app=LDAP trandisp=noop duration=5 out=2545 in=677 sentpkt=7 rcvdpkt=5 vpntype=ipsecvpn vwlid=1 vwlquality=ASASHBDN alive selected vwlname=DDDDDDD appcat=unscanned tz="+0400"


Here you can see I have kept the dstIP constant for the first three logs and different for the 4th and 5th logs, so as per the custom rule, rule 111745 should not be triggered, right?

But again, rule 111745 is triggered when I test with the above logs.

Because of this I am getting many false positives. How can I resolve this?



Regards,
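
Added example (not part of the thread and not Wazuh's own code): the two five-event scenarios above replayed through a small Python correlator with two different semantics for `<different_dstip/>`. The "pairwise" model counts every earlier matching event whose dstip differs from the *current* event's dstip; this is an assumption, chosen because it reproduces the behaviour observed in the thread (the second scenario still fires). The "distinct" model counts distinct dstips across the whole window, which is what the rule's author intended. The private-IP check is a regex stand-in for the CDB list, the timeframe is treated as a single window, and the log lines are constructed from the ones posted above.

```python
import re

# Constructed FortiGate CEF lines modelled on the thread, trimmed to the
# fields rule 111745 cares about (src, dst, dpt, cat).
def make_line(dst, port="389"):
    return (
        "Jan 09 10:09:43 AA-FIU1-FGTFW CEF:0|Fortinet|FortiGate-60F|7.4.4,build2662 (GA)|"
        "0000000013|forward traffic server-rst|5|start=Jan 09 2025 10:09:43 cat=traffic "
        f"subtype=forward src=10.6.128.117 spt=433 dst={dst} dpt={port} proto=6 act=server-rst"
    )

# Scenario from Bony's test: five distinct destinations.
SCENARIO_ALL_DIFFERENT = [make_line(f"10.6.1.{n}") for n in (101, 102, 103, 104, 105)]
# Scenario from Mithun's follow-up: three identical destinations, then two new ones.
SCENARIO_THREE_SAME = [make_line(d) for d in ("10.6.1.101",) * 3 + ("10.6.1.104", "10.6.1.105")]

FIELD_RE = re.compile(r"\b(src|dst|dpt|cat)=(\S+)")
# Stand-in for the etc/lists/private-ip CDB list (assumption: RFC 1918 ranges).
PRIVATE_RE = re.compile(r"^(10\.|192\.168\.|172\.(1[6-9]|2\d|3[01])\.)")
EXCLUDED_PORTS = {"53", "123"}  # the <dstport negate="yes">^53$|^123$</dstport> clause


def parse(line):
    """Extract the decoded fields rules 111710/111742/111745 act on."""
    f = dict(FIELD_RE.findall(line))
    return {"srcip": f.get("src"), "dstip": f.get("dst"),
            "dstport": f.get("dpt"), "category": f.get("cat")}


def matches_111742(ev):
    """Traffic event whose src and dst both appear in the private-IP list."""
    return (ev["category"] == "traffic"
            and bool(PRIVATE_RE.match(ev["srcip"] or ""))
            and bool(PRIVATE_RE.match(ev["dstip"] or "")))


def correlate(events, frequency=5, distinct=False):
    """Return the 0-based index of the event at which the composite rule
    fires, or None if it never does.

    distinct=False: pairwise model. Each earlier event with the same srcip
        and dstport counts if its dstip differs from the current event's
        dstip (assumed model; reproduces the thread's observation).
    distinct=True: the author's intended model. The rule fires only when
        `frequency` distinct dstips have been seen for that srcip/dstport.
    """
    history = []  # earlier events that matched 111742 (one window assumed)
    for i, ev in enumerate(map(parse, events)):
        if not matches_111742(ev) or ev["dstport"] in EXCLUDED_PORTS:
            continue
        related = [h for h in history
                   if h["srcip"] == ev["srcip"] and h["dstport"] == ev["dstport"]]
        if distinct:
            count = len({h["dstip"] for h in related} | {ev["dstip"]})
        else:
            count = 1 + sum(1 for h in related if h["dstip"] != ev["dstip"])
        if count >= frequency:
            return i
        history.append(ev)
    return None


if __name__ == "__main__":
    for name, events in (("all different", SCENARIO_ALL_DIFFERENT),
                         ("three same", SCENARIO_THREE_SAME)):
        print(f"{name}: pairwise fires at {correlate(events)}, "
              f"distinct fires at {correlate(events, distinct=True)}")
```

Under the pairwise model the second scenario fires on the fifth event because all four earlier events (.101, .101, .101, .104) differ from .105, which is exactly the false positive reported above; the distinct model sees only three destinations and stays quiet. A port-53 or port-123 destination never enters the history in either model, matching the `negate="yes"` clause.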

Mithun Haridas

Mar 20, 2025, 12:04:40 AM
to Wazuh | Mailing List
Hi Bony, 

Are there any updates on this?



Regards,

Bony V John

Mar 20, 2025, 1:13:40 AM
to Wazuh | Mailing List

Hi,

I apologize for the delayed response. I tested the issue you mentioned and encountered the same problem. The correlation is not working properly.

Currently, this type of correlation is not possible with the existing rule engine in Wazuh. However, in Wazuh 5.0, the rule engine will be updated, and the new engine will offer improved correlation capabilities, which will resolve these kinds of issues.

For now, this correlation cannot be achieved.

Mithun Haridas

Mar 24, 2025, 6:17:46 AM
to Wazuh | Mailing List


Thank you for the updates.
