<if_sid> with 2 rules at the same time

Federico Santilli

Jul 28, 2023, 1:45:42 PM
to Wazuh mailing list
Hi everyone, I should activate rule 100007, when BOTH rule 100005 and 100006 are activated, and not just one of them.
If I'm not mistaken, with the syntax

<rule id="100007" level="15">
  <if_sid>100005, 100006</if_sid>
etc...

The rule 100007 is also triggered if only one of the two is triggered. How can I do this? Thanks everyone in advance!

Lucio Donda

Jul 28, 2023, 2:48:10 PM
to Wazuh mailing list
Hi Federico:
Let's clarify the scenario:
100007 will be triggered if 100005 AND 100006 were already triggered. right?
Then what you're looking for is if_matched_sid -> https://documentation.wazuh.com/current/user-manual/ruleset/ruleset-xml-syntax/rules.html#if-matched-sid
Define a frequency (times triggered) and a Timeframe (In which this alerts where triggered) and I'm thinking that you could create 
And, here you'll have to check because I'm having some doubts, 
<rule id="100007" level="15">
  <if_matched_sid>100005, 100006</if_matched_sid>
...
Do check if it's possible to use both of them.
Let me know any doubt!

Federico Santilli

Jul 30, 2023, 12:55:34 PM
to Wazuh mailing list
Hi Lucio, yes, I need to trigger 100007 if 100005 AND 100006 were already triggered.
Unfortunately the method you described didn't work. I'm trying using <if_matched_group>, after inserting the rules 100006 and 100007 in the same group. I don't have other ideas at the moment.

Lucio Donda

Jul 31, 2023, 12:05:27 PM
to Wazuh mailing list
Ok, I see.
if_matched_group won't work because it will be triggered if any one rule of that group was triggered before.
Let's try something different. You could use if_sid (https://documentation.wazuh.com/current/user-manual/ruleset/ruleset-xml-syntax/rules.html#if-sid) alongside if_matched_sid (https://documentation.wazuh.com/current/user-manual/ruleset/ruleset-xml-syntax/rules.html#if-matched-sid), right?

Rule_A
-> inherits from Rule_B and Rule_C:
<rule id="Rule_A" level="XX">
  <if_sid>Rule_B, Rule_C</if_sid>


Rule_B -> Will be triggered only if previously 100005 was fired
<rule id="Rule_B" level="XX">
  <if_matched_sid>100005</if_matched_sid>

Rule_C -> Will be triggered only if previously 100006 was fired
<rule id="Rule_C" level="XX">
  <if_matched_sid>100006</if_matched_sid>

I think that this could be a feasible approach, but again I haven't tested it. If you share some logs with us, we could check it alongside your personal tests.

Roma Ramas

Nov 27, 2023, 1:29:01 PM
to Wazuh | Mailing List
Hi
Works for me:

    <rule id="170022" level="12" timeframe="360" ignore="60">
        <if_matched_sid>60122</if_matched_sid>
        <if_sid>92657</if_sid>
        <same_field>win.eventdata.ipAddress</same_field>
        <description>RDP ATTACK from $(win.eventdata.ipAddress) to [ PC - $(win.system.computer) ] [ user - $(win.eventdata.targetUserName) ]</description>
    </rule>

if 60122 and 92657 -> 170022

Roma Ramas

Nov 27, 2023, 1:32:56 PM
to Wazuh | Mailing List
For you:

    <rule id="100007" level="15" timeframe="360" ignore="60">
        <if_matched_sid>100005</if_matched_sid>
        <if_sid>100006</if_sid>
        <description>test rule 100007</description>
    </rule>
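To make the difference between the three approaches in this thread concrete, here is an added example (not Wazuh code, and not anything the posters wrote): a small Python model of the two semantics under discussion. `<if_sid>A, B</if_sid>` makes a rule a child of either parent, so it is evaluated whenever the current event matched any one of them (the OR behaviour from the first message); `<if_matched_group>` is satisfied when any member of the group alerted earlier within the timeframe; and `<if_matched_sid>100005</if_matched_sid>` combined with `<if_sid>100006</if_sid>` fires only when 100005 alerted earlier and the current event is 100006, which is the AND that was wanted. The rule ids come from the thread; the event kinds "A"/"B", the group name "pair", the timestamps and the event stream are constructed, and the model does not reproduce analysisd's real engine (it reports every satisfied rule per event, whereas Wazuh keeps only the best matching child).

```python
# Added example (not Wazuh code): toy model of <if_sid>, <if_matched_sid> and
# <if_matched_group> to show why only the if_matched_sid + if_sid combination
# behaves as "100005 AND 100006". Rule ids are from the thread; event kinds,
# timestamps and the group name are constructed for illustration.
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass
class Rule:
    rule_id: int
    match: Optional[str] = None             # base rule: the event kind it matches
    if_sid: Tuple[int, ...] = ()            # parents; the CURRENT event must match any one of them
    if_matched_sid: Optional[int] = None    # rule that must have alerted EARLIER, within timeframe
    if_matched_group: Optional[str] = None  # any rule of this group alerted earlier, within timeframe
    timeframe: int = 360                    # seconds, as in Wazuh's timeframe attribute
    groups: Tuple[str, ...] = ()


class Engine:
    """Feeds (timestamp, kind) events through the rules, in list order.

    Every satisfied rule is reported; real Wazuh keeps only the best child
    per event, which does not change what this demo shows.
    """

    def __init__(self, rules):
        self.rules = rules
        self.history = defaultdict(list)    # rule_id -> timestamps of past alerts

    def _seen(self, rule_id, now, timeframe):
        return any(now - t <= timeframe for t in self.history[rule_id])

    def _group_seen(self, group, now, timeframe):
        return any(self._seen(r.rule_id, now, timeframe)
                   for r in self.rules if group in r.groups)

    def feed(self, now, kind):
        fired = set()
        for r in self.rules:                # parents are listed before children
            if r.match is not None:         # base rule: matches the event itself
                if r.match == kind:
                    fired.add(r.rule_id)
                continue
            if not any(p in fired for p in r.if_sid):
                continue                    # current event matched none of the parents
            if r.if_matched_sid is not None and not self._seen(r.if_matched_sid, now, r.timeframe):
                continue                    # no earlier alert of the required rule
            if r.if_matched_group is not None and not self._group_seen(r.if_matched_group, now, r.timeframe):
                continue                    # no earlier alert from any rule of that group
            fired.add(r.rule_id)
        for rid in fired:                   # recorded after evaluation: "matched" means earlier events only
            self.history[rid].append(now)
        return fired


# Constructed base rules standing in for 100005 and 100006, both in group "pair".
BASE = [Rule(100005, match="A", groups=("pair",)),
        Rule(100006, match="B", groups=("pair",))]

# Constructed event stream: B twice, then A, then B shortly after, then B much later.
EVENTS = [(0, "B"), (50, "B"), (100, "A"), (200, "B"), (1000, "B")]

# The OR form from the first message: <if_sid>100005, 100006</if_sid>.
OR_RULE = Rule(100007, if_sid=(100005, 100006))
# The if_matched_group variant: same parents plus <if_matched_group>pair</if_matched_group>.
GROUP_RULE = Rule(100007, if_sid=(100005, 100006), if_matched_group="pair")
# The working rule: <if_matched_sid>100005</if_matched_sid> + <if_sid>100006</if_sid>, timeframe="360".
AND_RULE = Rule(100007, if_sid=(100006,), if_matched_sid=100005, timeframe=360)


def fires_at(child, events=EVENTS):
    """Timestamps at which `child` fires when evaluated after the two base rules."""
    engine = Engine(BASE + [child])
    return [t for t, kind in events if child.rule_id in engine.feed(t, kind)]


if __name__ == "__main__":
    print("if_sid OR       :", fires_at(OR_RULE))     # [0, 50, 100, 200, 1000]: either parent suffices
    print("if_matched_group:", fires_at(GROUP_RULE))  # [50, 100, 200]: fires at 50 before any A occurred
    print("matched_sid+sid :", fires_at(AND_RULE))    # [200]: only B after an A within 360 s
```

The last line of output is the behaviour Roma's rule relies on: the late B at t=1000 does not fire because the earlier A is outside the 360-second timeframe, so the `timeframe` attribute is what bounds the "AND" to related events rather than to any A ever seen.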

Brummbär

Jun 20, 2024, 4:40:39 AM
to Wazuh | Mailing List
Hi Federico,

I have the same problem. Did you ever fix this, and could you post your solution?

Roma Ramas

Jun 20, 2024, 9:57:35 AM
to Wazuh | Mailing List
    <rule id="170022" level="12" timeframe="360" ignore="60">
        <if_matched_sid>60122</if_matched_sid>
        <if_sid>92657</if_sid>
        <same_field>win.eventdata.ipAddress</same_field>
        <description>RDP ATTACK from $(win.eventdata.ipAddress) to [ PC - $(win.system.computer) ] [ user - $(win.eventdata.targetUserName) ]</description>
    </rule>

if 60122 and 92657 -> 170022
