wazuh-analysisd: WARNING: (7600): Invalid value 'pcre' for attribute 'type' in rule 180002.
stetnt4

Sep 8, 2023, 5:00:08 AM9/8/23
to Wazuh | Mailing List
Hello!
There are instructions on the website, but they don't work.
wazuh-analysisd: WARNING: (7600): Invalid value 'pcre' for attribute 'type' in rule 180002.
wazuh-analysisd: ERROR: Invalid configuration. 'group' is not a valid element.
wazuh-analysisd: CRITICAL: (1220): Error loading the rules: 'etc/rules/local_rules.xml'. 

Md. Nazmur Sakib

Sep 8, 2023, 5:43:17 AM9/8/23
to Wazuh | Mailing List

Hi stetnt4

Hope you are doing well. Thank you for using Wazuh.


It seems like there are some errors with the rule ID 180002. Can you share the rule 180002 that you have saved in your local rule XML file? So that I can have a look and guide you further.


Regards

Md. Nazmur Sakib

stetnt4

Sep 8, 2023, 6:06:45 AM9/8/23
to Wazuh | Mailing List
Friday, September 8, 2023 at 12:43:17 UTC+3, Md. Nazmur Sakib:
[Attachment: 4.jpg]

Md. Nazmur Sakib

Sep 8, 2023, 6:21:30 AM9/8/23
to Wazuh | Mailing List
Hi stetnt4,

Can you share the code in text format so that I can copy and test it in my lab?

Regards

Md. Nazmur Sakib

Sep 8, 2023, 6:26:30 AM9/8/23
to Wazuh | Mailing List
Also, I can't see any rule ID 180002. Can you look for rule ID 180002 inside your rules and share the local_rules.xml file in text format?

stetnt4

Sep 8, 2023, 6:46:42 AM9/8/23
to Wazuh | Mailing List
I must be doing something wrong!
I saved the code in the file /var/ossec/etc/rules/local_rules.xml


<!-- Local rules -->

<!-- Modify it at your will. -->
<!-- Copyright (C) 2015, Wazuh Inc. -->

<!-- Example -->
<group name="local,syslog,sshd,">

   <!--
   Dec 10 01:02:02 host sshd[1234]: Failed none for root from 1.1.1.1 port 1066 ssh2
   -->
   <rule id="100001" level="5">
     <if_sid>5716</if_sid>
     <srcip>1.1.1.1</srcip>
     <description>sshd: authentication failed from IP 1.1.1.1.</description>
     <group>authentication_failed,pci_dss_10.2.4,pci_dss_10.2.5,</group>
   </rule>

<group name="Windows,attack,">
<!-- Detecting an LSASS memory dumping attack using Rundll32.exe Minidump Function or Comsvcs.dll Exploitation -->
   <rule id="100010" level="10">
     <if_sid>61609</if_sid>
     <field name="win.eventdata.image" type="pcre2">(?i)\\\\rundll32.exe</field>
     <field name="win.eventdata.imageLoaded" type="pcre2">(?i)[c-z]:\\\\Windows\\\\System32\\\\comsvcs\.dll</field>
     <description>Possible adversary activity - LSASS memory dump: $(win.eventdata.imageLoaded) loaded by using $(win.eventData.image) on $(win.system.computer).</description>
     <mitre>
       <id>T1003.001</id>
     </mitre>
   </rule>
<!-- Detecting an LSASS memory dumping attack using specialized tools -->
   <rule id="100011" level="10">
     <if_sid>61613</if_sid>
     <field name="win.eventData.targetFilename" type="pcre2">(?i)\\\\[^\\]*\.dmp$</field>
     <field name="win.eventData.image" negate="yes" type="pcre2">(?i)\\\\lsass.*</field>
     <description>Possible adversary activity - LSASS memory dump: $(win.eventdata.image) created a new file on $(win.system.computer) endpoint.</description>
     <mitre>
       <id>T1003.001</id>
     </mitre>
   </rule>
<!-- Detecting a Windows Credential Manager exploitation attack -->
   <rule id="100012" level="10">
     <if_sid>61603</if_sid>
     <field name="win.eventData.Image" type="pcre2">(?i)\\\\rundll32.exe</field>
     <field name="win.eventData.commandLine" type="pcre2">keymgr.dll,KRShowKeyMgr</field>
     <description>Possible adversary activity - Credential Manager Access via $(win.eventData.Image) on $(win.system.computer) endpoint.</description>
     <mitre>
       <id>T1003</id>
     </mitre>
   </rule>
<!-- Detecting a Windows Credential Manager exploitation attack by VaultCmd process enumeration -->
   <rule id="100013" level="10">
     <if_sid>92052</if_sid>
     <field name="win.eventData.image" type="pcre2">(?i)\\\\vaultcmd.exe</field>
     <field name="win.eventData.commandLine" type="pcre2">list</field>
     <description>Possible adversary activity - Attempt to list credentials via $(win.eventData.Image) on $(win.system.computer) endpoint.</description>
     <mitre>
       <id>T1003</id>
     </mitre>
   </rule>

  </group>

Friday, September 8, 2023 at 13:26:30 UTC+3, Md. Nazmur Sakib:

Md. Nazmur Sakib

Sep 8, 2023, 7:16:34 AM9/8/23
to Wazuh | Mailing List

Hi stetnt4,


I think you made a typo in the local_rules.xml file.

I think you accidentally removed the closing group tag for

<group name="local,syslog,sshd,">

--------------

</group>

Add the </group> tag and you are good to go.


<group name="local,syslog,sshd,">

   <!--
   Dec 10 01:02:02 host sshd[1234]: Failed none for root from 1.1.1.1 port 1066 ssh2
   -->
   <rule id="100001" level="5">
     <if_sid>5716</if_sid>
     <srcip>1.1.1.1</srcip>
     <description>sshd: authentication failed from IP 1.1.1.1.</description>
     <group>authentication_failed,pci_dss_10.2.4,pci_dss_10.2.5,</group>
   </rule>

</group>



Check this document if you want to learn more about ruleset syntax:

https://documentation.wazuh.com/current/user-manual/ruleset/ruleset-xml-syntax/rules.html


I hope you find this helpful.


Regards
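
Editor's note: the failure in this thread is a structural one (a `<group>` block that is never closed, so the next `<group name="Windows,attack,">` is parsed as a child of the first one, which is what the "'group' is not a valid element" message describes), plus a `type="pcre"` value that Wazuh does not accept (it expects `osmatch`, `osregex` or `pcre2`). Both are cheap to catch before restarting wazuh-manager. The script below is an added example written for this page; it is not Wazuh code and not from either poster. It wraps the rules file in a synthetic root (a Wazuh rules file has no single root element), streams it through Python's expat parser and reports an open `<group>` when another container `<group>` starts, a bad `type=` value, a rule missing `id=`/`level=`, duplicate ids, ids outside the 100000-120000 custom range, and levels outside 0-16. The two embedded sample files are constructed to mirror the thread's file; expat is stricter than Wazuh's own XML parser, so a clean result here is necessary rather than sufficient.

```python
"""Lint a Wazuh rules file (e.g. /var/ossec/etc/rules/local_rules.xml).

Added example, not Wazuh code. A rules file is a sequence of <group> blocks
with no single root, so it is wrapped in a synthetic root before parsing.
"""
import sys
import xml.parsers.expat

# Values Wazuh accepts for type= on pattern elements (<match>, <regex>, <field>, ...).
VALID_PATTERN_TYPES = {"osmatch", "osregex", "pcre2"}
WRAPPER = "wazuh_rules"  # synthetic root tag; never appears in a real rules file


def lint_rules(text: str) -> list[str]:
    """Return findings as 'line N: ...' strings; an empty list means nothing found.
    Line numbers match `text` because the wrapper adds no newline before it."""
    findings: list[str] = []
    stack: list[tuple[str, int]] = []  # (tag, line) of currently open elements
    rule_ids: dict[str, int] = {}      # rule id -> line where it was first defined
    parser = xml.parsers.expat.ParserCreate()

    def start(tag, attrs):
        line = parser.CurrentLineNumber
        parent = stack[-1][0] if stack else None
        if tag == "group" and parent != "rule":
            # A container <group>; a <group> directly inside <rule> is that rule's tag list.
            if parent == "group":
                findings.append(f"line {line}: <group name={attrs.get('name')!r}> opened while the "
                                f"<group> from line {stack[-1][1]} is still open: missing </group>?")
            elif parent != WRAPPER:
                findings.append(f"line {line}: <group> is not valid inside <{parent}>")
        elif tag == "rule":
            if parent != "group":
                findings.append(f"line {line}: <rule> must sit directly inside <group>, found inside <{parent}>")
            rid, level = attrs.get("id"), attrs.get("level")
            if rid is None or level is None:
                findings.append(f"line {line}: <rule> needs both id= and level=")
            else:
                if rid in rule_ids:
                    findings.append(f"line {line}: duplicate rule id {rid} (first defined at line {rule_ids[rid]})")
                else:
                    rule_ids[rid] = line
                if not (rid.isdigit() and 100000 <= int(rid) <= 120000):
                    findings.append(f"line {line}: rule id {rid!r} is outside the 100000-120000 range for custom rules")
                if not (level.isdigit() and 0 <= int(level) <= 16):
                    findings.append(f"line {line}: rule level {level!r} must be an integer from 0 to 16")
        if "type" in attrs and attrs["type"] not in VALID_PATTERN_TYPES:
            findings.append(f"line {line}: <{tag}> type={attrs['type']!r} is not one of "
                            f"{sorted(VALID_PATTERN_TYPES)} (wazuh-analysisd reports this as warning 7600)")
        stack.append((tag, line))

    def end(tag):
        stack.pop()

    parser.StartElementHandler = start
    parser.EndElementHandler = end
    try:
        parser.Parse(f"<{WRAPPER}>" + text + f"</{WRAPPER}>", True)
    except xml.parsers.expat.ExpatError as err:
        # An unclosed <group> ends here: the synthetic closing tag mismatches.
        findings.append(f"line {err.lineno}: not well-formed XML: {err}")
    return findings


# Constructed sample modelled on the thread's file: the first <group> is never
# closed and one <field> uses type="pcre" instead of "pcre2".
BROKEN_RULES = r"""<!-- Local rules -->
<group name="local,syslog,sshd,">
  <rule id="100001" level="5">
    <if_sid>5716</if_sid>
    <srcip>1.1.1.1</srcip>
    <description>sshd: authentication failed from IP 1.1.1.1.</description>
    <group>authentication_failed,pci_dss_10.2.4,pci_dss_10.2.5,</group>
  </rule>

<group name="Windows,attack,">
  <rule id="100010" level="10">
    <if_sid>61609</if_sid>
    <field name="win.eventdata.image" type="pcre">(?i)\\\\rundll32.exe</field>
    <description>Possible adversary activity - LSASS memory dump on $(win.system.computer).</description>
  </rule>
</group>
"""

# Same content with the missing </group> added and the type corrected.
FIXED_RULES = (BROKEN_RULES.replace("  </rule>\n\n<group", "  </rule>\n</group>\n\n<group")
               .replace('type="pcre"', 'type="pcre2"'))


def main(argv: list[str]) -> int:
    """Lint the file given on the command line, or the two constructed samples."""
    if len(argv) > 1:
        with open(argv[1], encoding="utf-8") as fh:
            samples = {argv[1]: fh.read()}
    else:
        samples = {"constructed BROKEN_RULES": BROKEN_RULES, "constructed FIXED_RULES": FIXED_RULES}
    total = 0
    for name, text in samples.items():
        findings = lint_rules(text)
        total += len(findings)
        print(f"{name}: " + ("OK" if not findings else f"{len(findings)} finding(s)"))
        for finding in findings:
            print("  " + finding)
    return 1 if total else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as `python3 lint_wazuh_rules.py /var/ossec/etc/rules/local_rules.xml` before `systemctl restart wazuh-manager`; a non-zero exit means at least one finding. On the broken sample it reports the second `<group>` opening at line 10 while the one from line 2 is still open, the `type='pcre'` field, and the resulting mismatched-tag parse error, which together map onto the three log lines at the top of this thread. The manager's own check, `/var/ossec/bin/wazuh-analysisd -t`, remains the authoritative test, since it uses Wazuh's parser and rule loader rather than expat.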

stetnt4

Sep 8, 2023, 10:04:01 AM9/8/23
to Wazuh | Mailing List
Thank you! 

Friday, September 8, 2023 at 14:16:34 UTC+3, Md. Nazmur Sakib: