Wazuh: data.dstip vs dstip mismatch (pfSense DNS exclusion)


Sandy

8:23 AM (12 hours ago)
to wa...@googlegroups.com

Hi all,

I am working with pfSense firewall logs in Wazuh (syslog → manager), and I am trying to refine a rule to detect new outbound destinations while excluding internal DNS traffic.

Objective

Detect new outbound destination IPs from LAN hosts, excluding:

  • known destinations (via CDB list)
  • pfSense DNS (10.9.9.48)

Current working rule

<rule id="100550" level="10">
  <if_sid>100540</if_sid>
  <list field="data.dstip" lookup="not_match_key">etc/lists/expected-dst</list>
  <description>New external destination detected</description>
</rule>

This works correctly using data.dstip.


Problem

I want to exclude DNS traffic (dstip = 10.9.9.48).

Attempt 1 (invalid syntax)

<not_field name="data.dstip">10.9.9.48</not_field>

→ Wazuh fails to start (Invalid option 'not_field')

Attempt 2 (valid syntax, but no matches)

<rule id="100650" level="10">
  <if_sid>100540</if_sid>
  <dstip negate="yes">10.9.9.48</dstip>
  <list field="data.dstip" lookup="not_match_key">etc/lists/expected-dst</list>
</rule>

→ Wazuh starts, but the rule produces no alerts.


Observations

  • data.dstip is clearly populated and works in the list lookup.
  • <dstip> does not appear to match the same events.
  • This suggests a mismatch between dynamic field data.dstip and canonical dstip.

Example alert (sanitised):

{
  "rule": { "id": "100550" },
  "data": {
    "srcip": "10.9.9.25",
    "dstip": "8.8.8.8"
  }
}

Questions

  1. Should <dstip> match when data.dstip is present, or are these independent?
  2. What is the correct way to exclude a specific destination IP when using data.dstip?
  3. Is there a supported way to apply negation to dynamic fields (e.g. data.dstip)?
  4. Is the recommended approach:
    • parent rule filtering,
    • list-based exclusion,
    • or another mechanism?

Summary

  • Detection works using data.dstip
  • Negation using <dstip> causes rule to stop matching
  • Looking for the correct pattern to exclude specific destination IPs without breaking detection

Any guidance would be much appreciated.

Thanks in advance.


Christian Borla

9:55 AM (10 hours ago)
to Wazuh | Mailing List

Hi Sandy

In your case, if the event is decoded with data.dstip, this could be the correct pattern:

<rule id="100650" level="10">
  <if_sid>100540</if_sid>
  <field name="data.dstip" negate="yes" type="pcre2">^10\.9\.9\.48$</field>
  <list field="data.dstip" lookup="not_address_match_key">etc/lists/expected-dst</list>
  <description>New external destination detected (excluding pfSense DNS)</description>
</rule>

  • <not_field> is not the supported syntax; negation is done with negate="yes" on <field>.
  • For IPs in CDB lists, prefer not_address_match_key instead of not_match_key.
  • If you expect more exclusions over time, the most maintainable option is to put 10.9.9.48: into the CDB list and keep the rule list-driven.

So the likely reason your <dstip negate="yes">10.9.9.48</dstip> version stopped matching is that the event is carrying data.dstip, not the static dstip field.
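To see the two exclusion patterns from this reply side by side on events shaped like the sanitised alert in the question, here is an added Python emulation (not Wazuh's own matching code and not either poster's); the CDB list contents, the sample events and the CIDR-aware emulation of address_match_key are assumptions made for the illustration.

```python
import ipaddress
import re

# Constructed CDB list bodies (key:value lines, as in etc/lists/expected-dst).
# Variant A keeps pfSense DNS out of the list and relies on the negated <field>;
# variant B is the list-driven option, with 10.9.9.48 as one more key.
CDB_A = "8.8.8.8:google-dns\n1.1.1.1:cloudflare-dns\n"
CDB_B = CDB_A + "10.9.9.48:pfsense-dns\n"

# Constructed decoded events in the shape of the sanitised alert in the post.
EVENTS = [
    {"srcip": "10.9.9.25", "dstip": "8.8.8.8"},
    {"srcip": "10.9.9.25", "dstip": "10.9.9.48"},
    {"srcip": "10.9.9.25", "dstip": "203.0.113.7"},
]

DNS_EXCLUSION = re.compile(r"^10\.9\.9\.48$")  # pattern of the negated <field>

def load_cdb(text):
    """Parse key:value lines into {key: value}; blank and '#' lines are skipped."""
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            key, _, value = line.partition(":")
            entries[key] = value
    return entries

def address_match_key(ip, entries):
    """Assumed emulation of address_match_key: exact IP keys and CIDR keys."""
    addr = ipaddress.ip_address(ip)
    for key in entries:
        try:
            if addr in ipaddress.ip_network(key, strict=False):
                return True
        except ValueError:  # key is not an address or netblock, skip it
            continue
    return False

def rule_regex_exclusion(event, entries):
    """Rule 100650 as suggested: negated pcre2 field, then not_address_match_key."""
    if DNS_EXCLUSION.search(event["dstip"]):
        return False  # negate="yes": a regex match means the rule does not fire
    return not address_match_key(event["dstip"], entries)

def rule_list_driven(event, entries):
    """List-driven variant: only the not_address_match_key lookup decides."""
    return not address_match_key(event["dstip"], entries)

def evaluate(events=EVENTS):
    """Return dstip -> (fires under variant A, fires under variant B)."""
    a, b = load_cdb(CDB_A), load_cdb(CDB_B)
    return {e["dstip"]: (rule_regex_exclusion(e, a), rule_list_driven(e, b)) for e in events}
```

Both variants fire only for the unknown destination 203.0.113.7, and with a netblock key such as 10.9.9.0/24: in the list the whole LAN could be excluded by the same lookup.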
