Hi @Mgc Labs
Thank you for trusting and choosing Wazuh!
“...however I want to be able to constantly update our Staff CDB list…”
I take it you were able to solve this? This file requires these to be constantly updated.
“...It would be nice to also be able to whitelist that list from rules in general…”
For this, you must analyze in which specific rules you want to search the CDB list, and apply modifications to each of those rules using overwrite.
To read more about how to modify rules (overwrite), you can refer to the following section of the documentation:
https://documentation.wazuh.com/current/learning-wazuh/replace-stock-rule.html
To get an idea of the rules and see which ones to modify, this is the link to the ruleset of the latest version of Wazuh:
https://github.com/wazuh/wazuh/tree/4.3/ruleset/rules
“...enrich the rules with the description from the IP cdb list.”
The description can be enriched, but only with the IP that matches in the CDB list, because that IP comes as information within the event data.
It is not possible to add to the description an IP that comes from the CDB list but has not appeared in the event.
For example, you could do something similar to the following:
<rule ...>
  <list field="srcip" lookup="not_address_match_key">etc/lists/list-IP</list>
  <description>$(srcip) was not found in the CDB list</description>
</rule>
Best regards,
Nikos.
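As an added worked example (editor's illustration, not part of Nikos's reply and not taken from the Wazuh ruleset), the fragment below puts the two points of the reply together in a local_rules.xml: suppressing an existing alert for addresses in a staff CDB list without editing the stock rule, and enriching the description with the matched $(srcip). It assumes a list file named etc/lists/staff-IP (a constructed name) and uses stock rule id 5716 as the parent, assumed here to be the sshd authentication-failure rule; verify that id against the ruleset link above before relying on it.

```xml
<!-- Added example, not from the original reply. Lives in /var/ossec/etc/rules/local_rules.xml.
     Assumes the list etc/lists/staff-IP exists, is declared in ossec.conf as
     <ruleset><list>etc/lists/staff-IP</list></ruleset>, and holds one "key:value" per line,
     e.g. 203.0.113.10:alice  (constructed sample entry from the TEST-NET-3 range). -->
<group name="local,staff_whitelist,">

  <!-- 1) Whitelisting without overwriting the stock rule: a child rule at level 0.
       When the parent (5716, assumed to be the stock "sshd: authentication failed"
       rule; check the id in the ruleset) matches and srcip is a key in the staff
       list, this child matches instead and, being level 0, raises no alert. -->
  <rule id="100100" level="0">
    <if_sid>5716</if_sid>
    <list field="srcip" lookup="address_match_key">etc/lists/staff-IP</list>
    <description>Staff IP $(srcip): sshd authentication failure suppressed.</description>
  </rule>

  <!-- 2) Enrichment: the description may only use fields present in the event,
       such as $(srcip). The value stored beside the key in the CDB list (alice
       in the sample line) is not available to the description, as the reply
       explains. Non-staff failures get their own, clearly labelled alert. -->
  <rule id="100101" level="7">
    <if_sid>5716</if_sid>
    <list field="srcip" lookup="not_address_match_key">etc/lists/staff-IP</list>
    <description>sshd authentication failure from $(srcip), which is not in the staff CDB list.</description>
  </rule>

</group>
```

After editing the list or the rules, restart wazuh-manager so the CDB list is recompiled and the rules reloaded, and confirm the behaviour with wazuh-logtest by feeding it one sshd failure from a staff address and one from a non-staff address: the first should end at rule 100100 (level 0), the second at 100101.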