Standard of Wazuh Rules


Miran Ul Haq

Oct 1, 2024, 9:06:43 AM10/1/24
to Wazuh | Mailing List
Hi All,

Could anyone please share/guide what is the standard of Wazuh Pre-defined rules?

I mean after which considerations or based on which standard the frequency/time of certain rules were decided?

Thanks.

Eric Franco Fahnle

Oct 1, 2024, 9:20:41 AM10/1/24
to Wazuh | Mailing List
Hi Miran! Hope you're doing great.

Most rules will trigger alerts instantly as soon as they are processed. Some specific rules, however, may use the options "frequency" and "timeframe" to not trigger an alert immediately but rather wait until the rule has been matched N times (defined in frequency) in M seconds (defined in timeframe). From the docs: https://documentation.wazuh.com/current/user-manual/ruleset/ruleset-xml-syntax/rules.html#rule

frequency
- Definition: Number of times the rule must match before generating an alert.
- Allowed values: Any number from 2 to 9999

timeframe
- Definition: The timeframe in seconds. This option is intended to be used with the frequency option.
- Allowed values: Any number from 1 to 99999

In the default ruleset you will find some occurrences of these criteria being used. For example, in the Web App security rules: https://github.com/wazuh/wazuh/blob/cede9224dda880221d488e64b4201242152be991/ruleset/rules/0270-web_appsec_rules.xml#L128-L137

There's a comment saying "If we see frequent wp-login POST's, it is likely a bot."

That specific rule will only trigger an alert if it gets matched 8 times within a 30-second window between the 1st and the 8th match.

Hope this helps!

Miran Ul Haq

Oct 1, 2024, 9:32:59 AM10/1/24
to Wazuh | Mailing List
Hi Eric,

Thanks for responding.
I totally understand the concept of frequency and timeframe.

My question is what standard has been used to create such rules. For example, Rule 31151 (Multiple web server 400 error codes from same source ip). This rule would trigger if the parent rule has triggered 14 times in 90 seconds.
So based on which practice or standard was this frequency and timeframe decided?

Thanks.

Eric Franco Fahnle

Oct 1, 2024, 9:44:53 AM10/1/24
to Wazuh | Mailing List
Well, as you may know Wazuh is a fork of the OSSEC project.

Many rules (the one you mentioned included) date back to the original OSSEC ruleset. Here it is: https://github.com/ossec/ossec-hids/blob/master/etc/rules/web_rules.xml

  <rule id="31151" level="10" frequency="12" timeframe="90">
    <if_matched_sid>31101</if_matched_sid>
    <same_source_ip />
    <description>Multiple web server 400 error codes </description>
    <description>from same source ip.</description>
    <group>web_scan,recon,</group>
  </rule>

Honestly I don't think I can answer your question, as we use the ruleset based on the original OSSEC ruleset. 

If any other rule/decoder has been written entirely by Wazuh, you'll most likely find a discussion in a Github Issue where that task is addressed, like this one: https://github.com/wazuh/wazuh/issues/15567

Hope this helps!
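To make the frequency/timeframe/same_source_ip behaviour discussed in this thread concrete, here is an added example (my own code, not part of the Wazuh or OSSEC ruleset) that replays constructed web events through a small correlator configured like rule 31151. It counts exactly `frequency` parent matches inside `timeframe` seconds per source IP and resets the window after firing; both are assumptions made for illustration, not a claim about how the engine counts internally.

```python
from collections import defaultdict, deque

FREQUENCY = 12   # rule 31151: frequency="12"
TIMEFRAME = 90   # rule 31151: timeframe="90" (seconds)

def is_400_error(status):
    # Stand-in for the parent rule 31101 (web server 400 error code); assumption for this example.
    return status == 400

def correlate(events, frequency=FREQUENCY, timeframe=TIMEFRAME, parent_match=is_400_error):
    """Fire when `frequency` parent matches from one source IP fall inside `timeframe` seconds.

    events: iterable of (epoch_seconds, src_ip, http_status), in time order.
    Returns a list of (epoch_seconds, src_ip) tuples, one per composite alert.
    """
    windows = defaultdict(deque)   # per-IP timestamps of recent parent matches (same_source_ip)
    alerts = []
    for ts, ip, status in events:
        if not parent_match(status):
            continue                # only parent-rule matches count towards the frequency
        win = windows[ip]
        win.append(ts)
        while win and ts - win[0] > timeframe:
            win.popleft()           # drop matches that fell out of the timeframe
        if len(win) >= frequency:
            alerts.append((ts, ip))
            win.clear()             # one alert per burst, not one per extra event (choice made here)
    return alerts

def sample_events():
    """Constructed sample events, not real log data."""
    ev = []
    # 10.0.0.5: twelve 400s five seconds apart (55 s span) -> alert on the 12th match
    ev += [(1000 + 5 * i, "10.0.0.5", 400) for i in range(12)]
    # 10.0.0.9: twelve 400s sixty seconds apart -> never 12 inside 90 s -> no alert
    ev += [(1000 + 60 * i, "10.0.0.9", 400) for i in range(12)]
    # 10.0.0.7: fifty 200s -> the parent rule never matches, nothing is counted
    ev += [(1000 + i, "10.0.0.7", 200) for i in range(50)]
    return sorted(ev)

if __name__ == "__main__":
    for ts, ip in correlate(sample_events()):
        print(f"rule 31151 would fire at t={ts} for {ip}")
```

Changing `FREQUENCY` or `TIMEFRAME` and re-running shows how the same slow scanner either stays below the threshold or starts producing alerts.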