Custom Rules

[jayaraman M]

Hi Team,

Hope you are all doing great.

I am currently trying to setup a custom rule to alert if there is a failed login attempt occured in the log, where it is from the same user and same ip / different ip.

i have drafted the below ruleset

<rule id="100871" level="10" frequency="10" timeframe="120">

    <if_matched_sid>100870</if_matched_sid>

    <same_source_ip /> 

    <same_user />

    <!--<same_field>username</same_field> -->

    <description>Multiple Invalid authentication attempt from same user.</description>

</rule>

when i use the above ruleset, wazuh doesnt trigger a alert. When i use the <same_field> option and check for the username which i decoded the username using custom decoder, it is triggering an alert.

 

but my doubt is , when i use the same_source_ip and Same_user options, how wazuh will check if the request or made by same user and with same ip address. 

Regards,

jai.

[Christian Borla]

Hi  jayaraman M

I hope you are doing fine.
I would like to know what version of wazuh you are using.
Deprecated label same_source_ip works like an alias for same_srcip, link, and here is the documentation for same_user..

Regarding your question, when an alert is generated, an aggregation is made in which the number of times it happens is counted.
For example, when using the wazuh-logtest tool, it is possible to identify this field. (the following block is an example of a pfsense event, which triggers a custom rule, in which you can see how it counts the number of times that rule is executed.)

**Phase 3: Completed filtering (rules).
id: '100111'
level: '5'
description: 'pfSense log arrived'
groups: '['test']'
firedtimes: '2'              <--------
mail: 'False'
**Alert to be generated.

If possible, share an example log that triggers your 100871 rule, and if it depends on a custom decoder, it would also be necessary for you to share it, so I can do the complete simulation and we can analyze the results.
I hope it helps.
Regards.