Duplicate Rules Match


John Carry

Feb 15, 2023, 12:15:23 PM
to Wazuh mailing list
Hello Wazuh Team,
I have created a custom rule for my firewall because I need to trigger a level 12 alert if my condition is met; let me mention both rules below.

However, the problem I am facing is that when the rule is tested, it says that it has found a duplicate rule and that priority will be given to the first rule (the default one). I am pasting the error below; you are requested to assist in making changes, as I want to trigger the custom rule whenever the condition mentioned there is met:
**Messages:
    WARNING: (7003): 'da8101f3' token expires
    WARNING: (7612): Rule ID '222032' is duplicated. Only the first occurrence will be considered.
    INFO: (7202): Session initialized with token '32b7d590'

**Phase 1: Completed pre-decoding.
    full event: 'date=2023-02-15 time=21:11:24 devname="Arpatech_HO" devid="FG6H1ETB21907474" eventtime=1676477485124165451 tz="+0500" logid="0316013056" type="utm" subtype="webfilter" eventtype="ftgd_blk" level="warning" vd="root" policyid=12 sessionid=167293945 srcip=192.168.18.78 srcport=56529 srcintf="port2" srcintfrole="lan" dstip=104.21.35.30 dstport=443 dstintf="port5" dstintfrole="wan" proto=6 service="HTTPS" hostname="cdn.shopproxy.live" profile="Custom_Policy" action="blocked" reqtype="direct" url="https://cdn.shopproxy.live/" sentbyte=426 rcvdbyte=0 direction="outgoing" msg="URL belongs to a denied category in policy" method="domain" cat=26 catdesc="Malicious Websites" crscore=30 craction=4194304 crlevel="high"'

**Phase 2: Completed decoding.
    name: 'fortigate-firewall-v5'
    action: 'blocked'
    catdesc: 'Malicious Websites'
    craction: '4194304'
    crlevel: 'high'
    crscore: '30'
    devid: 'FG6H1ETB21907474'
    devname: 'Arpatech_HO'
    direction: 'outgoing'
    dstintf: 'port5'
    dstintfrole: 'wan'
    dstip: '104.21.35.30'
    dstport: '443'
    eventtime: '1676477485124165451'
    eventtype: 'ftgd_blk'
    hostname: 'cdn.shopproxy.live'
    level: 'warning'
    logid: '0316013056'
    msg: 'URL belongs to a denied category in policy'
    policyid: '12'
    profile: 'Custom_Policy'
    proto: '6'
    rcvdbyte: '0'
    reqtype: 'direct'
    sentbyte: '426'
    service: 'HTTPS'
    sessionid: '167293945'
    srcintf: 'port2'
    srcintfrole: 'lan'
    srcip: '192.168.18.78'
    srcport: '56529'
    subtype: 'webfilter'
    time: '21:11:24'
    type: 'utm'
    url: 'https://cdn.shopproxy.live/'
    vd: 'root'

**Phase 3: Completed filtering (rules).
    id: '81644'
    level: '6'
    description: 'Fortigate: Blocked URL belongs to a denied category in policy.'
    groups: '["fortigate","syslog"]'
    firedtimes: '1'
    mail: 'false'

**Alert to be generated.
Default rule:
    <rule id="81644" level="6">
        <if_sid>81603</if_sid>
        <match>type="utm" subtype="webfilter"|type=utm subtype=webfilter</match>
        <action>blocked</action>
        <description>Fortigate: Blocked URL belongs to a denied category in policy.</description>
    </rule>

Custom rule:
    <rule id="222032" level="12">
        <if_sid>81644</if_sid>
        <field name="data.catdesc">Malicious Websites|"Malicious Websites"</field>
        <description>User accessing Malicious Website</description>
    </rule>

The actual payload:
date=2023-02-15 time=21:11:24 devname="xxx" devid="xxxH1ETB21907474" eventtime=1676477485124165451 tz="+0500" logid="0316013056" type="utm" subtype="webfilter" eventtype="ftgd_blk" level="warning" vd="root" policyid=12 sessionid=167293945 srcip=192.168.x.x srcport=56529 srcintf="port2" srcintfrole="lan" dstip=104.21.35.30 dstport=443 dstintf="port5" dstintfrole="wan" proto=6 service="HTTPS" hostname="cdn.shopproxy.live" profile="Custom_Policy" action="blocked" reqtype="direct" url="https://cdn.shopproxy.live/" sentbyte=426 rcvdbyte=0 direction="outgoing" msg="URL belongs to a denied category in policy" method="domain" cat=26 catdesc="Malicious Websites" crscore=30 craction=4194304 crlevel="high"


Julian Bustamante Narvaez

Feb 15, 2023, 12:23:29 PM
to Wazuh mailing list
Hi, I am going to be working on your request; as soon as I have an answer I will let you know.

Regards

Julian Bustamante Narvaez

Feb 15, 2023, 1:27:19 PM
to Wazuh mailing list
Hi, the error is in the rule: it should be catdesc instead of data.catdesc.
    <field name="catdesc">Malicious Websites|"Malicious Websites"</field>
or
    <field name="catdesc" type="pcre2">(?i)Malicious Websites</field>

    <rule id="222032" level="12">
        <if_sid>81644</if_sid>
        <field name="catdesc">Malicious Websites|"Malicious Websites"</field>
        <description>User accessing Malicious Website</description>
    </rule>

Logtest output:
**Phase 2: Completed decoding.
    name: 'fortigate-firewall-v6'
    action: 'blocked'
    cat: '26'

    catdesc: 'Malicious Websites'
    craction: '4194304'
    crlevel: 'high'
    crscore: '30'
    direction: 'outgoing'
    dstintf: 'port5'
    dstintfrole: 'wan'
    dstip: '104.21.35.30'
    dstport: '443'
    eventtime: '1676477485124165451'
    eventtype: 'ftgd_blk'
    hostname: 'cdn.shopproxy.live'
    ip: '192.168.x.x'
    level: 'warning'
    logid: '0316013056'
    method: 'domain'

    msg: 'URL belongs to a denied category in policy'
    policyid: '12'
    profile: 'Custom_Policy'
    proto: '6'
    qtype: 'direct'

    rcvdbyte: '0'
    reqtype: 'direct'
    sentbyte: '426'
    service: 'HTTPS'
    sessionid: '167293945'
    srcintf: 'port2'
    srcintfrole: 'lan'
    srcip: '192.168.x.x'

    srcport: '56529'
    subtype: 'webfilter'
    time: '21:11:24'
    type: 'utm'
    url: 'https://cdn.shopproxy.live/'
    vd: 'root'

**Phase 3: Completed filtering (rules).
    id: '222032'
    level: '12'
    description: 'User accessing Malicious Website'
    groups: '['local', 'syslog', 'sshd']'
    firedtimes: '1'
    mail: 'True'
**Alert to be generated.

Regards

John Carry

Feb 15, 2023, 11:30:06 PM
to Wazuh mailing list
The issue still persists even after making your recommended changes. Further, please note that I have tried both of the changes you suggested, but with no success.
FYI!
[screenshot attached: 7.png]

John Carry

Feb 15, 2023, 11:51:20 PM
to Wazuh mailing list
The same issue is reported even when I change the rule as below:

Rule:
    <rule id="222032" level="12">
        <if_sid>81644</if_sid>
        <match>Malicious Websites</match>
        <description>User accessing Malicious Website</description>
    </rule>
Error:
[screenshot attached: 8.png]

John Carry

Feb 17, 2023, 7:38:37 AM
to Wazuh mailing list
Hello Wazuh Team,
Waiting for the response.

John Carry

Feb 19, 2023, 9:07:49 PM
to Wazuh mailing list
Hello Team,
Can we have a response, please?

Mauricio Ruben Santillan

Feb 22, 2023, 4:17:51 PM
to Wazuh mailing list
Hello John,

The problem here is the duplicate rule ID message you're getting. If you don't fix that first, no rule with that rule ID will work.
You could just set a different rule ID for this new rule of yours, or try searching for other rules with that ID by running the following command:

   grep 222032 /var/ossec/etc/rules/*

And just in case (although that rule ID is not part of the default rule ID range):

   grep 222032 /var/ossec/ruleset/rules/*

Those commands should show all files containing that rule ID. If any file is shown there, you should remove the rule from the other files or just set a different rule ID for it.

Let me know how it goes.
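
As an added example (not from the thread, and not Wazuh's own tooling), the grep above generalised into a check that reports every rule ID defined more than once across the rule directories you pass in. The rule files here are constructed in a temporary directory so it runs offline; on a manager you would pass /var/ossec/etc/rules and /var/ossec/ruleset/rules instead.

```shell
# Added example (not from the thread or Wazuh): report rule IDs defined more
# than once across rule directories, the cause of the "(7612): Rule ID
# '222032' is duplicated" warning. On a manager pass /var/ossec/etc/rules
# /var/ossec/ruleset/rules; here constructed sample files stand in for them.
set -eu

# Emit "id file" for every <rule id="..."> found under the given directories.
list_rule_ids() {
    grep -rHo '<rule[^>]*id="[0-9]*"' "$@" 2>/dev/null \
        | sed -E 's/^([^:]*):.*id="([0-9]+)".*$/\2 \1/'
}

# Print one line per ID seen more than once: "id file1 file2 ...".
# Exit status is 1 when at least one duplicate exists, 0 otherwise.
find_duplicate_rule_ids() {
    list_rule_ids "$@" | sort | awk '
        { files[$1] = files[$1] " " $2; count[$1]++ }
        END { dup = 0
              for (id in count) if (count[id] > 1) { print id files[id]; dup = 1 }
              exit dup }'
}

# Constructed sample tree: 222032 appears in two files, 222033 in one.
make_sample_rules() {
    dir=$(mktemp -d)
    mkdir -p "$dir/etc/rules" "$dir/ruleset/rules"
    cat > "$dir/etc/rules/fortigate_custom.xml" <<'EOF'
<group name="local,fortigate,">
  <rule id="222032" level="7"><description>Earlier copy (constructed)</description></rule>
  <rule id="222033" level="5"><description>Unique ID, not reported</description></rule>
</group>
EOF
    cat > "$dir/etc/rules/local_rules.xml" <<'EOF'
<group name="local,syslog,">
  <rule id="222032" level="12">
    <field name="catdesc">Malicious Websites</field>
    <description>User accessing Malicious Website</description>
  </rule>
</group>
EOF
    printf '%s\n' "$dir"
}

# Stand-alone run: build the sample tree, report duplicates, clean up.
sample=$(make_sample_rules)
find_duplicate_rule_ids "$sample/etc/rules" "$sample/ruleset/rules" \
    || echo "fix the IDs above before reloading rules"
rm -rf "$sample"
```

The non-zero exit status makes the check usable as a pre-reload gate in a deployment script, so a colliding ID is caught before the manager silently keeps only the first occurrence.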

John Carry

Feb 24, 2023, 12:33:31 AM
to Wazuh mailing list
Thanks man, you solved the case.