rules

[stetnt4]

Hello!error when adding rules
wazuh-analysisd: WARNING: (7600): Invalid value 'pcre' for attribute 'type' in rule 180002.
  wazuh-analysisd: ERROR: (1226): Error reading XML file 'etc/rules/local_rules.xml': XMLERR: Element 'USER_NAME' not closed. (line 105).
wazuh-analysisd: CRITICAL: (1220): Error loading the rules: 'etc/rules/local_rules.xml'.   https://documentation.wazuh.com/current/proof-of-concept-guide/detect-malware-yara-integration.html  Add the following rules to the Wazuh server /var/ossec/etc/rules/local_rules.xml file. The rules detect FIM events in the monitored directory. They also alert when malware is found by the YARA integration:

<group name="syscheck,">
  <rule id="100303" level="7">
    <if_sid>550</if_sid>
    <field name="file">C:\\Users\\<USER_NAME>\\Downloads</field>
    <description>File modified in C:\Users\<USER_NAME>\Downloads directory.</description>
  </rule>
  <rule id="100304" level="7">
    <if_sid>554</if_sid>
    <field name="file">C:\\Users\\<USER_NAME>\\Downloads</field>
    <description>File added to C:\Users\<USER_NAME>\Downloads  directory.</description>
  </rule>
</group>

<group name="yara,">
  <rule id="108000" level="0">
    <decoded_as>yara_decoder</decoded_as>
    <description>Yara grouping rule</description>
  </rule>

  <rule id="108001" level="12">
    <if_sid>108000</if_sid>
    <match>wazuh-yara: INFO - Scan result: </match>
    <description>File "$(yara_scanned_file)" is a positive match. Yara rule: $(yara_rule)</description>
  </rule>
</group>

[Javier Medeot]

Hello stetnt4.

I don't quite understand the question nor the details of what you're facing. Could you explain better your question please?

I can see you have a reported warning concerning rule id 180002. Is this a custom rule of yours? Could you please share the definition for it. You'll find it in the Wazuh server in /var/ossec/etc/rules/local_rules.xml. Please take a look at our documentation for Custom rules and decoders. You'll see there a recommendation of ID numbers between 100000 and 120000 for custom rules, too.

I can also see an error about "Element 'USER_NAME' not closed". I think you haven't replaced every <USER_NAME> placeholder from the PoC guide with the user name yet. For example where it says "<field name="file">C:\\Users\\<USER_NAME>\\Downloads</field> you must replace <USER_NAME> with a user name such as stetnt4 if it were the case.

Looking forward to your news. Thank you.

[stetnt4]

Hello!All rules are taken from the wazuh website.I didn't find rule 180002

четверг, 14 сентября 2023 г. в 01:21:31 UTC+3, Javier Medeot:

[stetnt4]

четверг, 14 сентября 2023 г. в 09:24:39 UTC+3, stetnt4:

[stetnt4]

when adding rules an error occurs, as in the post above

четверг, 14 сентября 2023 г. в 10:53:43 UTC+3, stetnt4:

[stetnt4]

I replaced username with username and everything worked! Thanks!

четверг, 14 сентября 2023 г. в 11:05:52 UTC+3, stetnt4: