CDB rule matches with everything


Joaquim António

Oct 15, 2025, 12:38:50 PM (4 days ago) Oct 15
to Wazuh | Mailing List
Hello,

I'm importing a list of IPs, example below:

123.123.123.123:abuseipdb-s100-1d
1.0.1.0:threatfox-ioc
[etc:etc]

And have the following rule for now:

<group name="abuseipdb,>
<rule id="100013" level="3">
    <if_group>authentication_success</if_group>
    <list field="srcip" lookup="address_match_key_value" check_value="^abuseipdb-s100-1d$">etc/lists/badnets</list>
    <description>Authentication success from a malicious IP</description>
  </rule>
</group>

However, this rule is matching everything, including IPs that are not in the list!

What am I missing here?

Thank you in advance.

Joaquim António

Oct 15, 2025, 12:45:52 PM (4 days ago) Oct 15
to Wazuh | Mailing List
Additionally, if I just use <list field="srcip" lookup="address_match_key">etc/lists/badnets</list> instead, the rule works. I would still need to check the value, so I can index each threat feed as the group field. Can anyone help me figure out why the search with the value returns everything?

Joaquim António

Oct 15, 2025, 12:57:28 PM (4 days ago) Oct 15
to Wazuh | Mailing List
I just found out that the rule seems to alert when the IP is not in the list, and does not alert when the IP is on the list! Can anyone reproduce the issue in case it's a bug?

jesusd...@wazuh.com

Oct 15, 2025, 4:39:14 PM (4 days ago) Oct 15
to Wazuh | Mailing List

By your configuration it seems that the CDB integration is already working but not as expected.

To help us analyze this issue further, please provide the following details:

  • Wazuh version you are using
  • Your Wazuh manager /var/ossec/etc/ossec.conf file. Specifically your CDB list configuration
  • Your rule or group rule authentication_success configuration
  • Any other remediation or customization steps you have taken

Also please verify the configuration <group name="abuseipdb"> as it is missing a closing quotation mark in the name field.

These details will help us replicate and/or provide more accurate support.

Joaquim António

Oct 16, 2025, 5:36:09 AM (3 days ago) Oct 16
to Wazuh | Mailing List
Hello,

Thank you for your answer. Regarding the details:

1) Version 4.12.0-1

2)  <ruleset>
   <!-- Default ruleset -->
   <decoder_dir>ruleset/decoders</decoder_dir>
   <rule_dir>ruleset/rules</rule_dir>
   <rule_exclude>0215-policy_rules.xml</rule_exclude>
   <list>etc/lists/audit-keys</list>
   <list>etc/lists/amazon/aws-eventnames</list>
   <list>etc/lists/security-eventchannel</list>
   <list>etc/lists/badnets</list>

   <!-- User-defined ruleset -->
   <decoder_dir>etc/decoders</decoder_dir>
   <rule_dir>etc/rules</rule_dir>
   <decoder_exclude>ruleset/decoders/0085-dovecot_decoders.xml</decoder_exclude>
   <!--<decoder_exclude>ruleset/decoders/0140-kernel_decoders.xml</decoder_exclude>-->
 </ruleset>

3) It's not a rule or group I made; there are a lot of predefined rules within that group, such as the dovecot rules, for instance.

4) Within check_value=, I tried matching in different ways, like just "abuseipdb-s100-1d" or with an anchor at the beginning like "^abuseipdb-s100-1d", but to no avail.

Yes, I closed the quotation marks, but missed them when pasting the rule here and editing out an extra group that could be sensitive.

Joaquim António

Oct 16, 2025, 5:57:04 AM (3 days ago) Oct 16
to Wazuh | Mailing List
Hello,

To give an update, using lookup="match_key_value" works. Here is the working rule:

<rule id="100013" level="3">
   <if_group>authentication_success</if_group>
   <list field="srcip" lookup="match_key_value" check_value="^abuseipdb-s100-1d">etc/lists/badnets</list>
   <description>Authentication success from a malicious IP</description>
 </rule>

The documentation does say "In case the field is an IP address, you must use address_match_key_value", but in this specific scenario maybe it's best to use match_key_value.
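The following is an added example, not Wazuh's code and not posted by anyone in this thread: an independent model of the CDB <list> lookup types discussed above (match_key, match_key_value, address_match_key, address_match_key_value and their not_ variants), run over a constructed copy of the badnets source file and a few constructed srcip values. It shows which IPs rule 100013 is expected to match under each lookup, which is the baseline to compare against the inverted behaviour reported in the thread. Assumptions made here: the list is modelled as a plain dict, check_value is evaluated with Python's re module rather than Wazuh's own regex engine, and the address_* lookups accept CIDR keys (the 203.0.113.0/24 entry is invented for that purpose). It does not reproduce the reported bug; it only documents the intended semantics.

```python
import ipaddress
import re

# Constructed sample of the plain-text source for etc/lists/badnets, in the
# "key:value" form shown in the thread. The CIDR entry is an assumption made
# for the address_* lookups; Wazuh compiles this text to a .cdb file.
BADNETS_TXT = """\
123.123.123.123:abuseipdb-s100-1d
1.0.1.0:threatfox-ioc
203.0.113.0/24:abuseipdb-s100-1d
"""

# Constructed sample events that already matched the authentication_success
# group; only the decoded srcip matters for the <list> check.
EVENTS = [
    {"srcip": "123.123.123.123"},   # listed, value abuseipdb-s100-1d
    {"srcip": "1.0.1.0"},           # listed, value threatfox-ioc
    {"srcip": "203.0.113.77"},      # inside the listed /24 (address_* lookups only)
    {"srcip": "198.51.100.9"},      # not listed at all
]


def parse_cdb_source(text):
    """Parse 'key:value' lines into a dict; a line without ':' gets an empty value."""
    entries = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition(":")
        entries[key] = value if sep else ""
    return entries


def _key_covers(key, ip):
    """True if a list key (host IP or CIDR network, an assumption) covers the address."""
    try:
        return ip in ipaddress.ip_network(key, strict=False)
    except ValueError:
        return False


def list_matches(entries, lookup, field_value, check_value=None):
    """Model of one <list lookup=...> condition evaluated on a single event field."""
    if lookup == "match_key":
        return field_value in entries
    if lookup == "not_match_key":
        return field_value not in entries
    if lookup == "match_key_value":
        # check_value is a regex over the value stored for the exact key.
        return field_value in entries and bool(re.search(check_value, entries[field_value]))
    # address_* lookups: the field is parsed as an IP and keys as hosts/networks.
    try:
        ip = ipaddress.ip_address(field_value)
    except ValueError:
        return False
    hits = [value for key, value in entries.items() if _key_covers(key, ip)]
    if lookup == "address_match_key":
        return bool(hits)
    if lookup == "not_address_match_key":
        return not hits
    if lookup == "address_match_key_value":
        return any(re.search(check_value, value) for value in hits)
    raise ValueError(f"unknown lookup type: {lookup}")


def alerting_srcips(events, lookup, check_value="^abuseipdb-s100-1d$"):
    """Return the srcips for which rule 100013's <list> condition would hold."""
    entries = parse_cdb_source(BADNETS_TXT)
    return [e["srcip"] for e in events
            if list_matches(entries, lookup, e["srcip"], check_value)]


if __name__ == "__main__":
    for lookup in ("match_key", "address_match_key",
                   "match_key_value", "address_match_key_value"):
        print(f"{lookup:24s} -> {alerting_srcips(EVENTS, lookup)}")
```

With exact-IP keys only, match_key_value and address_match_key_value are expected to select the same srcips, which is why the thread's observation (one works, the other alerts on unlisted IPs) points at the engine rather than at the rule. Changing check_value to a different feed tag (for example "^threatfox-ioc$") is how one rule per feed can be indexed, as the thread intends.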