Suppress rules

Brenno Garcia

Dec 18, 2025, 2:05:13 PM (2 days ago) Dec 18
to Wazuh | Mailing List
Hello,

I have some pfSense logs when a client tries to connect to our network but is not registered on the DHCP server.
When this happens, several IPv4 lease logs start to be triggered, so I created a suppression rule for this.
Whenever the DHCP problem occurs, it triggers rule 883044 with the unregistered MAC address.
To avoid flooding if that MAC address keeps trying to connect, when rule 883044 reappears with the same MAC address within 120 seconds it triggers suppression rule 883045.

I didn't want to increase the suppression time of rule 883045, but I would like to create a second, stronger suppression of the type:
1. Rule 883044 is dropped
2. It is dropped again, but the MAC address repeats and then rule 883045 is triggered
3. After 120 seconds, rule 883044 is dropped again for that MAC address

I would like that when this process is repeated 3 times, for example, it triggers rule 883046 which will suppress alerts for that same MAC address for a longer time, for example 30 minutes.

Is this possible?

Another question is related to the alert levels. I set them to levels 1 and 2 so they don't appear in alerts.log/dashboard. Does level 0 disable them? I tried using level 0, but then it doesn't even trigger in logtest.

Log:
Dec 18 11:01:12 pfsense.domain kea-dhcp4[20709] WARN  [kea-dhcp4.alloc-engine.0x31be91e17400] ALLOC_ENGINE_V4_ALLOC_FAIL_SUBNET [hwtype=1 36:24:66:d7:cc:91], cid=[01:36:24:66:d7:cc:91], tid=0x2996da14: failed to allocate an IPv4 lease in the subnet 192.168.16.0/24, subnet-id 1, shared network (none) pfsense.domain

Rules:
<rule id="883044" level="3">
    <decoded_as>dhcp-pfsense</decoded_as>
    <field name="mac" negate="yes">00:0c:29:d0:f8:2c</field>
    <field name="mac" negate="yes">b2:1c:ad:42:72:82</field>
    <field name="mac" negate="yes">b6:1f:d1:1d:b4:b1</field>
    <field name="mac" negate="yes">96:4e:e7:2d:be:78</field>
    <field name="mac" negate="yes">94:89:78:0e:f8:44</field>
    <description>A conexao com a rede falhou. Verifique se o mac $(mac) esta no DHCP Server</description>
</rule>

<rule id="883045" level="2" timeframe="120" frequency="2">
    <if_matched_sid>883044</if_matched_sid>
    <same_field>mac</same_field>
    <description>Supressao do alerta do DHCP</description>
</rule>

carlos...@wazuh.com

Dec 18, 2025, 3:50:18 PM (2 days ago) Dec 18
to Wazuh | Mailing List
Hello Brenno,
If I understand correctly, you want to build a third rule that matches after rule 883044 has matched a certain number of times because of "cycling" through the flow you created, is that correct?

If so, I think that a good approach to this can be creating a rule 883046 that would look similar to this:

<rule id="883046" level="2" timeframe="1800" frequency="6">
  <if_matched_sid>883044</if_matched_sid>
  <same_field>mac</same_field>
  <description>MAC $(mac) suppression on third cycle</description>
</rule>

The logic that I'm following in that rule is pretty similar to the logic described in the same_field section of the Wazuh Rules Syntax documentation: trigger a rule if another one matches a certain number of times with the same attributes.

Now, regarding level 0 alerting, level 0 does not disable the rule itself, but it would not generate any logging, which might affect your ability to properly analyze the results from your testing. More information on rule levels can be found at Wazuh Rules classification.

Hope you find this information useful and if you have further questions or need more details on what I shared, feel free to let me know.

Best regards,
Carlos
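To make the frequency/timeframe/same_field behaviour discussed in this thread concrete, here is a small Python replay of the three-rule chain (883044, 883045 and the proposed 883046) over constructed kea-dhcp4 lines. This is an added illustration, not code from the thread or from Wazuh: the regex stands in for the dhcp-pfsense decoder, the registered MAC list is copied from rule 883044 above, and the model counts exactly `frequency` matches of 883044 for the same MAC inside the last `timeframe` seconds, with the strongest composite rule checked first. Check the Wazuh documentation for the `frequency` attribute before relying on the exact counts, since the engine's accounting is not guaranteed to be identical to this simplified arithmetic.

```python
"""Toy replay of the Wazuh frequency/timeframe/same_field chain from the thread."""
import re
from collections import defaultdict, namedtuple

# MACs that rule 883044 excludes with negate="yes" (copied from the rule in the thread).
REGISTERED_MACS = {
    "00:0c:29:d0:f8:2c",
    "b2:1c:ad:42:72:82",
    "b6:1f:d1:1d:b4:b1",
    "96:4e:e7:2d:be:78",
    "94:89:78:0e:f8:44",
}

# Stand-in for the dhcp-pfsense decoder (assumption): pull the hardware address
# out of the ALLOC_ENGINE_V4_ALLOC_FAIL_SUBNET message.
MAC_RE = re.compile(
    r"ALLOC_ENGINE_V4_ALLOC_FAIL_SUBNET \[hwtype=\d+ "
    r"(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})\]"
)

BASE_RULE = 883044

Rule = namedtuple("Rule", "id frequency timeframe")
# Composite rules, strongest first: the first one whose threshold is met wins.
COMPOSITE_RULES = [
    Rule(883046, frequency=6, timeframe=1800),  # proposed 30-minute rule
    Rule(883045, frequency=2, timeframe=120),   # existing 120-second rule
]


def parse_mac(line):
    """Return the failing client MAC, or None if the line is not a lease failure."""
    m = MAC_RE.search(line)
    return m.group("mac") if m else None


def evaluate(events):
    """Replay (timestamp_seconds, log_line) pairs and return (ts, mac, rule_id) alerts.

    Simplified model: a composite rule fires when at least `frequency` matches of
    883044 for the same MAC fall inside the last `timeframe` seconds.
    """
    history = defaultdict(list)  # mac -> timestamps of 883044 matches
    longest = max(r.timeframe for r in COMPOSITE_RULES)
    alerts = []
    for ts, line in events:
        mac = parse_mac(line)
        if mac is None or mac in REGISTERED_MACS:
            continue  # decoder miss or excluded MAC: 883044 never matches
        hist = history[mac]
        hist.append(ts)
        # Drop matches that no rule can still count, so memory stays bounded.
        history[mac] = hist = [t for t in hist if ts - longest < t]
        fired = BASE_RULE
        for rule in COMPOSITE_RULES:
            recent = [t for t in hist if ts - rule.timeframe < t <= ts]
            if len(recent) >= rule.frequency:
                fired = rule.id
                break
        alerts.append((ts, mac, fired))
    return alerts


def lease_fail_line(mac):
    """Constructed kea-dhcp4 line in the shape of the one posted in the thread."""
    return (
        "Dec 18 11:01:12 pfsense.domain kea-dhcp4[20709] WARN  "
        "[kea-dhcp4.alloc-engine.0x31be91e17400] ALLOC_ENGINE_V4_ALLOC_FAIL_SUBNET "
        f"[hwtype=1 {mac}], cid=[01:{mac}], tid=0x2996da14: failed to allocate an "
        "IPv4 lease in the subnet 192.168.16.0/24, subnet-id 1, "
        "shared network (none) pfsense.domain"
    )


UNKNOWN = "36:24:66:d7:cc:91"  # the unregistered MAC from the log in the thread
KNOWN = "00:0c:29:d0:f8:2c"    # excluded by rule 883044

# Constructed timeline: three "cycles" of the flow described in the thread
# (base alert, repeat inside 120 s, then quiet until the 120 s window has passed).
SAMPLE_EVENTS = [
    (0, lease_fail_line(UNKNOWN)),
    (5, lease_fail_line(KNOWN)),    # registered client: no alert at all
    (10, lease_fail_line(UNKNOWN)),
    (200, lease_fail_line(UNKNOWN)),
    (210, lease_fail_line(UNKNOWN)),
    (400, lease_fail_line(UNKNOWN)),
    (410, lease_fail_line(UNKNOWN)),
]

if __name__ == "__main__":
    for ts, mac, rule_id in evaluate(SAMPLE_EVENTS):
        print(f"t={ts:4d}s  mac={mac}  rule={rule_id}")
```

Replaying the sample timeline yields 883044, 883045, 883044, 883045, 883044 and finally 883046 on the sixth unregistered-MAC failure inside 30 minutes, which is the "third cycle" escalation the thread asks for. Because the 1800-second rule only counts 883044 matches, six quick retries within two minutes would also reach it; if that is not wanted, the threshold or timeframe is the place to tune.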