Rule does not show when filtering.

Nauris Metlans

Jun 13, 2022, 11:44:43 AM
to Wazuh mailing list
Made some rules:
<group name="mikrotik">
<rule id="200010" level="3">
  <match>logged in</match>
  <description>User logged in.</description>
  <group> ,syslog, access_control, authentication_success</group>
</rule>
<rule id="200020" level="3">
  <match>logged out</match>
  <description>User logged out.</description>
  <group> ,syslog, access_control</group>
</rule>
<rule id="200030" level="12">
  <match>login failure</match>
  <description>User failed to login.</description>
  <group> ,syslog, access_control, authentication_failed</group>
</rule>
</group>

Everything is ok these events are in discover.

But when I try to filter by rule.groups: authentication_success or rule.groups: authentication_failed, these events are not shown in the filtered view. Do I need to add anything else to these rules?

Jesus Linares

Jun 13, 2022, 12:47:32 PM
to Wazuh mailing list
Hi,

Please, review the "group" section of every rule. You have an extra "," at the beginning and a missing one at the end.

Change from:
> <group> ,syslog, access_control, authentication_success</group>
to
> <group>syslog, access_control, authentication_success,</group>

Then, this filter in Discover should work:
> rule.groups:"authentication_success"

I hope it helps.

Nauris Metlans

Jun 13, 2022, 2:34:57 PM
to Wazuh mailing list
This extra "," is there because, when viewing rule.groups in the Wazuh UI, it shows: mikrotik, syslog, access_control, authentication_success

If I change 
<group> ,syslog, access_control, authentication_success</group>
to
 <group>syslog, access_control, authentication_success,</group>

then in the UI rule.groups shows: mikrotiksyslog, access_control, authentication_success,

and it also does not show up under the filter: rule.groups: authentication_success

Nauris Metlans

Jun 13, 2022, 4:31:35 PM
to Wazuh mailing list
OK, I found the problem. It was not with <group> ,syslog, access_control, authentication_success</group>, but with the ruleset starting with <group name="mikrotik">: changing it to <group name="syslog"> makes everything work. I thought that <group name="mikrotik"> also links to the mikrotik decoder, but it looks like no linkage is necessary. Is that so? Or am I wrong about this?

Jesus Linares

Jun 15, 2022, 1:27:38 PM
to Wazuh mailing list
Hi,

I don't understand that behavior. I would like to test it.

Could you share the following items?
  • Your custom decoders/rules
  • A log sample
  • A screenshot with your filter
Thank you.

Nauris Metlans

Jun 15, 2022, 3:41:12 PM
to Wazuh mailing list
Decoder:
<decoder name="mikrotik_winbox_generic">
    <prematch>\.*from \.*</prematch>
    <regex>user (\S+) \.*from (\d+.\d+.\d+.\d+)</regex>
    <order>srcuser, srcip</order>
</decoder>

Rules:
<group name="syslog,mikrotik,">

<rule id="200010" level="3">
  <match>logged in</match>
  <description>User logged in.</description>
  <group>access_control,authentication_success</group>

</rule>
<rule id="200020" level="3">
  <match>logged out</match>
  <description>User logged out.</description>
  <group>access_control</group>

</rule>
<rule id="200030" level="12">
  <match>login failure</match>
  <description>User failed to login.</description>
  <group>access_control,authentication_failed</group>
</rule>
<rule id="200040" level="10" timeframe="120">
  <if_matched_sid>5710</if_matched_sid>
  <if_sid>200030</if_sid>
  <same_srcuser />
  <description>Multiple login failures were triggered by the same user.</description>
  <group>access_control,authentication_failed</group>
</rule>
</group>

Log samples:
Jun 10 14:51:14 NoName user nauris logged out from 192.168.0.204 via winbox
Jun 10 14:51:45 NoName user nauris logged in from 192.168.0.204 via winbox
Jun 10 15:51:05 NoName login failure for user admin from 192.168.0.204 via winbox 

Now the decoder and rules are working, except for rule 200040. It was supposed to detect whether a user had a failed SSH login on another host, and to fire when the same user then tries to log in to this MikroTik host within 120 seconds. But this does not work; I already created another post for this.
My question here was: how does Wazuh link decoders to rules, and is it necessary? If not, how does Wazuh know to use these custom rules after decoding my log?

Jesus Linares

Jun 17, 2022, 6:24:09 AM
to Wazuh mailing list
Hi,

> how does Wazuh link decoders to rules, and is it necessary? If not, how does Wazuh know to use these custom rules after decoding my log?

The Wazuh engine has the following phases:
  • Pre-decoding: The engine tries to extract some standard fields like "program name" or "timestamp". This is mainly for Syslog events.
  • Decoding: Using the decoders, the engine extracts fields to use them in the rules or as a search field.
  • Rule matching: The engine checks if the event matches a defined rule using the rules. If it matches and the level is higher than 3, the alert is sent to the alerts.json file and the indexer.
Your rule 200010 will match any event with the string: "logged in", regardless of the decoder. Although this is allowed, it is not recommended. The ideal scenario is that a rule only matches with specific events and "logged in" could be too generic.

In your case, you should create a "parent rule" to catch any event from mikrotik, then child rules for the events that you want to alert. Here is a simple example for Arbor: https://github.com/wazuh/wazuh/blob/dacf07da9930c4445ea55b1e5cdf6c7baea9a8d6/ruleset/rules/0775-arbor_rules.xml.

Your rules should be similar to:
<group name="syslog,mikrotik,">

<rule id="200009" level="0">
  <decoded_as>mikrotik_winbox_generic</decoded_as>
  <description>Mikrotik: Generic rule</description>
</rule>

<rule id="200010" level="3">
  <if_sid>200009</if_sid>
  <match>logged in</match>
  <description>Mikrotik: User logged in.</description>
  <group>access_control,authentication_success</group>
</rule>

</group>

Pay attention to rule 200009. It is going to catch any event that matches your decoder, but the level is 0, so it will not generate any alert. It is just the "entry point" for the next rules.

That said, your decoder is also too generic. It can match more events than the mikrotik events. If possible, try to be more specific.

Please, let us know if you need more help.
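The three phases described above (pre-decoding, decoding, rule matching) and the parent/child rule layout from the last reply, run over the log samples posted earlier, as an added example that is not part of the thread and is not Wazuh's own code. It is a small Python simulation of the pipeline, with these assumptions: the decoder's OS_Regex patterns are rewritten as Python regexes (in Wazuh's regex a backslash-dot means "any character" and a bare dot is a literal dot); the child rules for "logged out" and "login failure" are added here in the same style as the thread's 200010 example; the rule's final group list is modelled as the <group name="..."> attribute and the rule's <group> body joined as plain strings and split on commas (an assumption about analysisd, not something the thread states); the alert threshold is the assumed default log_alert_level of 3; and a fourth log line that is not from a MikroTik device is constructed to show the generic prematch claiming it.

```python
import re

# Constructed sample events: the three MikroTik lines posted in the thread plus
# one made-up non-MikroTik line that also contains "from ".
SAMPLE_LOGS = [
    "Jun 10 14:51:14 NoName user nauris logged out from 192.168.0.204 via winbox",
    "Jun 10 14:51:45 NoName user nauris logged in from 192.168.0.204 via winbox",
    "Jun 10 15:51:05 NoName login failure for user admin from 192.168.0.204 via winbox",
    "Jun 10 16:00:00 NoName connection from 10.0.0.5 refused",  # constructed, not MikroTik
]

# Phase 1, pre-decoding: strip the syslog timestamp and hostname off the front.
SYSLOG_HEADER = re.compile(
    r"^(?P<timestamp>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<hostname>\S+) (?P<log>.*)$")

def predecode(line):
    event = {"full_log": line, "log": line}
    m = SYSLOG_HEADER.match(line)
    if m:
        event.update(m.groupdict())
    return event

# Phase 2, decoding. The thread's decoder, translated: "\.*from \.*" -> ".*from .*",
# and the IP pattern "\d+.\d+.\d+.\d+" (literal dots in OS_Regex) gets escaped dots.
DECODER = {
    "name": "mikrotik_winbox_generic",
    "prematch": re.compile(r".*from .*"),
    "regex": re.compile(r"user (\S+) .*from (\d+\.\d+\.\d+\.\d+)"),
    "order": ["srcuser", "srcip"],
}

def decode(event):
    if DECODER["prematch"].search(event["log"]):
        event["decoder"] = DECODER["name"]       # decoder claims the event
        m = DECODER["regex"].search(event["log"])
        if m:                                    # fields only if the regex hits
            event.update(zip(DECODER["order"], m.groups()))
    return event

# Phase 3, rule matching. 200009 is the level-0 "entry point" tied to the decoder;
# the children hang off it with if_sid. 200020/200030 as children are my addition.
GROUP_NAME = "syslog,mikrotik,"   # the enclosing <group name="..."> attribute
RULES = [
    {"id": 200009, "level": 0, "decoded_as": "mikrotik_winbox_generic", "groups": ""},
    {"id": 200010, "level": 3, "if_sid": 200009, "match": "logged in",
     "groups": "access_control,authentication_success"},
    {"id": 200020, "level": 3, "if_sid": 200009, "match": "logged out",
     "groups": "access_control"},
    {"id": 200030, "level": 12, "if_sid": 200009, "match": "login failure",
     "groups": "access_control,authentication_failed"},
]
LOG_ALERT_LEVEL = 3  # assumed default <log_alert_level>: alert at level >= 3

def rule_groups(group_name, groups_text):
    """Model of how rule.groups is built: attribute and body concatenated as plain
    strings, then split on commas (assumption, not from the thread). Empty items
    disappear; leading/trailing whitespace inside an item does not."""
    return [g for g in (group_name + groups_text).split(",") if g != ""]

def rule_matches(rule, event):
    if "decoded_as" in rule and event.get("decoder") != rule["decoded_as"]:
        return False
    if "match" in rule and rule["match"] not in event["log"]:
        return False
    return True

def evaluate(event, parent_id=None):
    """Depth-first: the first matching rule at this level is taken, then its
    children are tried; the deepest match is the rule that fires."""
    for rule in RULES:
        if rule.get("if_sid") != parent_id:
            continue
        if rule_matches(rule, event):
            child = evaluate(event, rule["id"])
            return child if child else rule
    return None

def process(line):
    event = decode(predecode(line))
    rule = evaluate(event)
    if rule is None:
        return {"event": event, "rule": None, "alert": False}
    return {"event": event, "rule": rule["id"], "level": rule["level"],
            "groups": rule_groups(GROUP_NAME, rule["groups"]),
            "alert": rule["level"] >= LOG_ALERT_LEVEL}

if __name__ == "__main__":
    for line in SAMPLE_LOGS:
        r = process(line)
        print(r["rule"], r["alert"], r.get("groups"),
              r["event"].get("srcuser"), r["event"].get("srcip"))
    # The thread's first pairing, <group name="mikrotik"> with
    # <group> ,syslog, access_control, authentication_success</group>, under the
    # same model: the items carry spaces, so an exact term match on
    # "authentication_success" finds nothing.
    print(rule_groups("mikrotik", " ,syslog, access_control, authentication_success"))
```

The fourth, constructed line is still claimed by the decoder because the prematch only needs "from ", but no srcuser/srcip is extracted and only the level-0 parent matches, so nothing is alerted; that is the "too generic decoder" point made above, and it is why a real deployment would tighten the prematch (for example on the "via winbox" suffix) before relying on the parent rule as a catch-all.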