help with my rule
29 views
Skip to first unread message
brandon echenique garcia
Jun 7, 2023, 12:18:08 PM6/7/23
to Wazuh mailing list
Hi everyone
Can anyone help me with my problem?
I have been trying to get my own custom rule to work it, but I have no positive results.
log :
please , help me , what is my error?
Can anyone help me with my problem?
I have been trying to get my own custom rule to work it, but I have no positive results.
log :
date=2016-06-16 time=08:47:00 devname=Device_Name devid=FGTXXXX9999999999 logid=0101039947 type=event subtype=vpn level=information vd="root" logdesc="SSL VPN tunnel up" action="tunnel-up" tunneltype="ssl-tunnel" tunnelid=1050355638 remip=9.8.7.7 tunnelip=1.2.4.6 user="my_user_name" group="SSL_VPN" dst_host="N/A" reason="N/A" msg="SSL tunnel established"
my rule created:
<rule id="100003" level="11">
<if_sid>81603</if_sid>
<match>level=information|level="information"</match>
<action>tunnel-up</action>
<field name=time type="pcre2">\b(?!(20|21|22|23|24|25|26|27|28|29)[012][0-9]:[0-9]{2}:[0-9]{2})</field>
<if_sid>81603</if_sid>
<match>level=information|level="information"</match>
<action>tunnel-up</action>
<field name=time type="pcre2">\b(?!(20|21|22|23|24|25|26|27|28|29)[012][0-9]:[0-9]{2}:[0-9]{2})</field>
<description>Conection vpn fuera de horario del usuario : $(dstuser), TAKE ACTION SOC!!</description>
<mitre>
<id>T1078</id>
</mitre>
<group>authentication_success,gdpr_IV_32.2,gpg13_7.1,hipaa_164.312.b,nist_800_53_AC.7,nist_800_53_AU.14,pci_dss_10.2.5,</group>
</rule>
when i changue the time , for example : time=21:47:00
date=2016-06-16 time=21:47:00 devname=Device_Name devid=FGTXXXX9999999999 logid=0101039947 type=event subtype=vpn level=information vd="root" logdesc="SSL VPN tunnel up" action="tunnel-up" tunneltype="ssl-tunnel" tunnelid=1050355638 remip=9.8.7.7 tunnelip=1.2.4.6 user="my_user_name" group="SSL_VPN" dst_host="N/A" reason="N/A" msg="SSL tunnel established"
the rule should not activate, but it still does.!!!
As follows:
<mitre>
<id>T1078</id>
</mitre>
<group>authentication_success,gdpr_IV_32.2,gpg13_7.1,hipaa_164.312.b,nist_800_53_AC.7,nist_800_53_AU.14,pci_dss_10.2.5,</group>
</rule>
when i changue the time , for example : time=21:47:00
date=2016-06-16 time=21:47:00 devname=Device_Name devid=FGTXXXX9999999999 logid=0101039947 type=event subtype=vpn level=information vd="root" logdesc="SSL VPN tunnel up" action="tunnel-up" tunneltype="ssl-tunnel" tunnelid=1050355638 remip=9.8.7.7 tunnelip=1.2.4.6 user="my_user_name" group="SSL_VPN" dst_host="N/A" reason="N/A" msg="SSL tunnel established"
the rule should not activate, but it still does.!!!
As follows:
please , help me , what is my error?
brandon echenique garcia
Jun 8, 2023, 10:02:41 AM6/8/23
to Wazuh mailing list
Hi everyone!!
for your knowledge, since I was able to solve my doubt, the solution is as follows :suppose that the after hours is before 08:30:00 am , then our regex would be like this;
.
.
.
.
<if_sid>81603</if_sid>
<match>level=information|level="information"</match>
<action>tunnel-up</action>
<match>level=information|level="information"</match>
<action>tunnel-up</action>
<field name=time type="pcre2">(0[0-7]:[0-5][0-9]:[0-5][0-9]|08:[0-2][0-9]:[0-5][0-9])</field>
<description>Conection vpn fuera de horario del usuario : $(dstuser), TAKE ACTION SOC!!</description>
<mitre>
<id>T1078</id>
</mitre>
<mitre>
<id>T1078</id>
</mitre>
.
.
I hope this is helpful for you!
Reply all
Reply to author
Forward
0 new messages