Problem with rules, again


Vuk Kadija

Feb 27, 2025, 4:21:03 AM
to Wazuh | Mailing List
Hello dear community,

I tried for some time to make a specific rule work that would lower the alert level to 0. The thing is, I have a network scanner in my environment and I want to exclude a specific IP from generating alerts.

The original rules look like this:

<rule id="60122" level="5">
    <if_sid>60105</if_sid>
    <field name="win.system.eventID">^529$|^4625$</field>
    <description>Logon Failure - Unknown user or bad password</description>
    <options>no_full_log</options>
    <group>authentication_failed,pci_dss_10.2.4,pci_dss_10.2.5,gpg13_7.1,gdpr_IV_35.7.d,gdpr_IV_32.2,hipaa_164.312.b,nist_800_53_AU.14,nist_800_53_AC.7,tsc_CC6.1,tsc_CC6.8,tsc_CC7.2,tsc_CC7.3,</group>
    <mitre>
      <id>T1531</id>
    </mitre>
</rule>

<rule id="60204" level="10" frequency="$MS_FREQ" timeframe="240">
    <if_matched_group>authentication_failed</if_matched_group>
    <same_field>win.eventdata.ipAddress</same_field>
    <description>Multiple Windows Logon Failures</description>
    <options>no_full_log</options>
    <group>authentication_failures,pci_dss_10.2.4,pci_dss_10.2.5,pci_dss_11.4,gdpr_IV_35.7.d,gdpr_IV_32.2,hipaa_164.312.b,nist_800_53_AU.14,nist_800_53_AC.7,nist_800_53_SI.4,tsc_CC6.1,tsc_CC6.8,tsc_CC7.2,tsc_CC7.3,</group>
    <mitre>
      <id>T1110</id>
    </mitre>
</rule>


These rules are part of 0580-win-security_rules.xml (default rules).

I have written my own rules to customize the default ones:

<rule id="160117" level="0">
    <if_sid>60105</if_sid>
    <field name="win.system.eventID">^529$|^4625$</field>
    <field name="win.eventdata.ipAddress">x:x:x:0010::f173</field>
    <match>This event is generated when a logon request fails</match>
    <description>Logon Failure - Unknown user or bad password</description>
    <options>no_full_log</options>
</rule>

<rule id="160118" level="0" frequency="$MS_FREQ" timeframe="240">
    <if_matched_group>authentication_failed</if_matched_group>
    <same_field>win.eventdata.ipAddress</same_field>
    <field name="win.eventdata.ipAddress">x:x:x:0010::f173</field>
    <match>This event is generated when a logon request fails</match>
    <description>Multiple Windows Logon Failures</description>
    <options>no_full_log</options>
</rule>


These rules are part of 0581-win-security_rules_xxx.xml.

One thing I need to point out: I am using <match>, and based on the documentation I guess I am matching something from the full_log field (maybe I am totally wrong), and I do have "This event is generated when a logon request fails" in the log (picture below). So I am really not sure what is wrong here.

(attached screenshot: match.PNG)

Thanks in advance for the help.

hasitha.u...@wazuh.com

Feb 27, 2025, 4:48:48 AM
to Wazuh | Mailing List

Hi Vuk,

To prevent a rule from triggering when a specific IP (x:x:x:0010::f173) is detected, you can overwrite the existing rule using Wazuh’s custom rule configuration.

Ref: How to Overwrite an Existing Rule in Wazuh

Wazuh allows you to modify existing rules by copying them into a custom rule file and adjusting them to your needs.

Steps to Modify and Overwrite a Rule

  1. Create or Edit a Custom Rules File
     If you want to modify a single rule, update the local_rules.xml file:

         nano /var/ossec/etc/rules/local_rules.xml

     If you plan to modify multiple rules, it's better to create a new custom rule file:

         nano /var/ossec/etc/rules/custom_windows_rules.xml

  2. Modify the Rule to Exclude a Specific IP
     Use the negate="yes" attribute to prevent the rule from triggering when win.eventdata.ipAddress matches x:x:x:0010::f173.

     Example Updated Rules:

         <group name="windows,windows_security,">

           <rule id="60122" level="5" overwrite="yes">
             <if_sid>60105</if_sid>
             <field name="win.system.eventID">^529$|^4625$</field>
             <field name="win.eventdata.ipAddress" negate="yes">x:x:x:0010::f173</field>
             <description>Logon Failure - Unknown user or bad password</description>
             <options>no_full_log</options>
             <group>authentication_failed,pci_dss_10.2.4,pci_dss_10.2.5,gpg13_7.1,gdpr_IV_35.7.d,gdpr_IV_32.2,hipaa_164.312.b,nist_800_53_AU.14,nist_800_53_AC.7,tsc_CC6.1,tsc_CC6.8,tsc_CC7.2,tsc_CC7.3,</group>
             <mitre>
               <id>T1531</id>
             </mitre>
           </rule>

           <rule id="60204" level="10" frequency="$MS_FREQ" timeframe="240" overwrite="yes">
             <if_matched_group>authentication_failed</if_matched_group>
             <field name="win.eventdata.ipAddress" negate="yes">x:x:x:0010::f173</field>
             <same_field>win.eventdata.ipAddress</same_field>
             <description>Multiple Windows Logon Failures</description>
             <options>no_full_log</options>
             <group>authentication_failures,pci_dss_10.2.4,pci_dss_10.2.5,pci_dss_11.4,gdpr_IV_35.7.d,gdpr_IV_32.2,hipaa_164.312.b,nist_800_53_AU.14,nist_800_53_AC.7,nist_800_53_SI.4,tsc_CC6.1,tsc_CC6.8,tsc_CC7.2,tsc_CC7.3,</group>
             <mitre>
               <id>T1110</id>
             </mitre>
           </rule>

         </group>

  3. Restart Wazuh Manager
     After applying the changes, restart the Wazuh manager for them to take effect:

         systemctl restart wazuh-manager

This will prevent alerts from being triggered when the IP x:x:x:0010::f173 appears in logs.

Let me know if you need further clarification! 
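As an added check on the overwrite approach in the reply above (example code written for this thread, not code from Wazuh or from the reply), the following models how the <field> tests of the overwritten rule 60122 are evaluated against two constructed 4625 events: one from the scanner address x:x:x:0010::f173 and one from an ordinary host. Python's re is assumed as a stand-in for Wazuh's OS_Regex, and a missing field is assumed to count as a non-match; the correlation rule 60204 (frequency, same_field) is not modeled.

```python
# Added example, not from the thread or Wazuh: a minimal model of Wazuh's <field>
# tests (Python re stands in for OS_Regex; a missing field counts as no match).
import re
import xml.etree.ElementTree as ET

# The overwrite rule from the reply; the frequency rule 60204 is not modeled.
RULES_XML = """<group name="windows,windows_security,">
  <rule id="60122" level="5" overwrite="yes">
    <if_sid>60105</if_sid>
    <field name="win.system.eventID">^529$|^4625$</field>
    <field name="win.eventdata.ipAddress" negate="yes">x:x:x:0010::f173</field>
    <description>Logon Failure - Unknown user or bad password</description>
  </rule>
</group>"""

def parse_rules(xml_text):
    """Return [(rule_id, [(field_name, regex, negate), ...]), ...]."""
    return [(r.get("id"), [(f.get("name"), f.text, f.get("negate") == "yes")
                           for f in r.findall("field")])
            for r in ET.fromstring(xml_text).iter("rule")]

def flatten(event, prefix=""):
    """Flatten decoded JSON into dotted keys such as win.eventdata.ipAddress."""
    out = {}
    for key, value in event.items():
        dotted = f"{prefix}.{key}" if prefix else key
        if isinstance(value, dict):
            out.update(flatten(value, dotted))
        else:
            out[dotted] = str(value)
    return out

def fields_match(fields, flat):
    """Every <field> test must hold; negate="yes" inverts that single test."""
    for name, regex, negate in fields:
        value = flat.get(name)
        if value is None:
            return False
        hit = re.search(regex, value) is not None
        if hit == negate:  # hit but negated, or missed and not negated
            return False
    return True

def first_matching_rule(xml_text, event):
    flat = flatten(event)
    return next((rid for rid, fields in parse_rules(xml_text)
                 if fields_match(fields, flat)), None)

def make_event(event_id, ip):  # constructed eventchannel-style event, rule fields only
    return {"win": {"system": {"eventID": event_id}, "eventdata": {"ipAddress": ip}}}
```

The scanner event yields no match while the same event from another address still fires 60122; the real engine can be checked the same way by feeding the events to /var/ossec/bin/wazuh-logtest on the manager before restarting it.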

Vuk Kadija

Feb 27, 2025, 5:39:13 AM
to Wazuh | Mailing List
Thanks Hasitha, I will try it out and let you know.

hasitha.u...@wazuh.com

Mar 3, 2025, 1:57:55 AM
to Wazuh | Mailing List
Hi Vuk,

I believe your issue has been resolved. If not, please provide an update so I can assist you further.

Regards,
Hasitha Upekshitha
