Wazuh + pfsense
9 views
Skip to first unread message
Brenno Garcia
May 8, 2026, 2:28:58 PM (2 days ago) May 8
to Wazuh | Mailing List
Hello,
I would like to create a suppression rule even if pfSense sends many enabled IPSec tunnels.
I would like to create a suppression rule even if pfSense sends many enabled IPSec tunnels.
My actual rules:
<rule id="100030" level="3">
<decoded_as>openvpn-pfsense-ipsec</decoded_as>
<status>^installing</status>
<description>IPSec Tunel $(tunel) enabled on PfSense $(hostname)</description>
</rule>
<rule id="100031" level="3">
<decoded_as>openvpn-pfsense-ipsec</decoded_as>
<status>uninstalling</status>
<description>IPSec Tunel $(tunel) disabled on PfSense $(hostname)</description>
</rule>
<rule id="100032" level="3" timeframe="1">
<if_matched_sid>100030</if_matched_sid>
<same_field>tunel</same_field>
<description>multiplos logs do tunel $(tunel) IPSec habilitado</description>
</rule>
<rule id="100033" level="3" timeframe="1">
<if_matched_sid>100031</if_matched_sid>
<same_field>tunel</same_field>
<description>multiplos logs do tunel $(tunel) IPSec desabilitado</description>
</rule>
<rule id="100034" level="0" frequency="5" timeframe="1">
<if_matched_sid>100030</if_matched_sid>
<same_field>host</same_field>
<description>5 ou mais Túneis IPSec habilitados em 1 segundo no PfSense $(host) — possível restart do serviço IPsec</description>
</rule>
<decoded_as>openvpn-pfsense-ipsec</decoded_as>
<status>^installing</status>
<description>IPSec Tunel $(tunel) enabled on PfSense $(hostname)</description>
</rule>
<rule id="100031" level="3">
<decoded_as>openvpn-pfsense-ipsec</decoded_as>
<status>uninstalling</status>
<description>IPSec Tunel $(tunel) disabled on PfSense $(hostname)</description>
</rule>
<rule id="100032" level="3" timeframe="1">
<if_matched_sid>100030</if_matched_sid>
<same_field>tunel</same_field>
<description>multiplos logs do tunel $(tunel) IPSec habilitado</description>
</rule>
<rule id="100033" level="3" timeframe="1">
<if_matched_sid>100031</if_matched_sid>
<same_field>tunel</same_field>
<description>multiplos logs do tunel $(tunel) IPSec desabilitado</description>
</rule>
<rule id="100034" level="0" frequency="5" timeframe="1">
<if_matched_sid>100030</if_matched_sid>
<same_field>host</same_field>
<description>5 ou mais Túneis IPSec habilitados em 1 segundo no PfSense $(host) — possível restart do serviço IPsec</description>
</rule>
Everything works perfectly, except for rule '100034'.
When rule 100030 is triggered 5 times, rule 100034, which should suppress the alerts, is activated. However, this rule does not maintain suppression for subsequent alerts. Therefore, if 20 IPsec tunnel alerts are dropped, the suppression rule will only be triggered 4 times and rule 100030 will be triggered 16 times.
I would like to suppress the alerts after 5 drops on the same host in 1 second (which likely means an IPsec restart).
When rule 100030 is triggered 5 times, rule 100034, which should suppress the alerts, is activated. However, this rule does not maintain suppression for subsequent alerts. Therefore, if 20 IPsec tunnel alerts are dropped, the suppression rule will only be triggered 4 times and rule 100030 will be triggered 16 times.
I would like to suppress the alerts after 5 drops on the same host in 1 second (which likely means an IPsec restart).
Olamilekan Abdullateef Ajani
May 8, 2026, 3:17:05 PM (2 days ago) May 8
to Wazuh | Mailing List
Hello,
That rule, 100034, will trigger when it sees 5 events in 1 second as it should per what you configured, but it does not actually stop or suppress rule 100030. Wazuh keeps processing incoming logs normally, so it just keeps counting again and firing more alerts just as you have seen.
If your goal is to reduce the noise during those bursts (like when IPsec restarts), what you can do is to use the ignore option on your base rule.
For example:
<rule id="100034" level="1" frequency="5" timeframe="3" ignore="20">
If your goal is to reduce the noise during those bursts (like when IPsec restarts), what you can do is to use the ignore option on your base rule.
For example:
<rule id="100034" level="1" frequency="5" timeframe="3" ignore="20">
<if_matched_sid>100030</if_matched_sid>
<same_field>host</same_field>
<description>5 ou mais Túneis IPSec habilitados em 1 segundo no PfSense $(host) — possível restart do serviço IPsec</description>
</rule>
This means the rule with ID 100034 triggers a level 1 alert if rule 100030 matches 5 times within 3 seconds. To prevent floods, it is ignored for 20 seconds after triggering.
Please let me know if this works for you.
Ref:
https://documentation.wazuh.com/current/user-manual/ruleset/ruleset-xml-syntax/rules.html#rule:~:text=the%20rule%20matches.-,Example%3A,-%3Crule%20id%3D
Please let me know if this works for you.
Ref:
https://documentation.wazuh.com/current/user-manual/ruleset/ruleset-xml-syntax/rules.html#rule:~:text=the%20rule%20matches.-,Example%3A,-%3Crule%20id%3D
Reply all
Reply to author
Forward
0 new messages